Today I got my September paper copy of CSO magazine. The cover story article by Scott Berinato is When Voice Becomes Data, and it's an interesting exploration of migration from the PSTN to VOIP. Most often, I catch CSOOnline stories from the news feeds I read. This was a rare occasion when I went from paper, to the web site to find ths story online in order to point it out to you.

When Voice Becomes Data
With voice over IP picking up speed, CSOs face the challenge of navigating an entirely new threat landscape for the phone system
To understand the significance of voice over IP (VoIP), it's useful to travel back in time. Specifically,
go to 4:45 a.m. on Sunday, Sept. 3, 1967. If you happened to be in a car in Sweden at that moment, you had to stop the car and do nothing for five minutes. Then at 4:50 you had to move your car from the
left side of the road to the right, and then stop again. Finally, at 5 a.m., you could proceed, on the
right. In those 15 minutes, the entire country changed a 300-year-old custom of Vänstertrafik,
left-side driving, to Högertrafik, right-side driving.

Ok, I have to say the Swedish traffic analogy is hogwash and doesn't work well for me, or for the topic. But the article makes some great points, and other than a couple of visuals, is fully available at the online link above. And it makes the key point, the climax, early on -

As voice over IP and voice over the Internet grow, telecom will change to become open and
extensible, capable of supporting limitless new applications, often traversing an insecure and unstable public network and connected to complex and vulnerable multitasking end points called computers. An
enterprise.

Some of it's way off base. I won't agree with the author, or with Bruce Schneier, who's quoted as saying "Once telephony goes over IP, it's no longer eavesdropping on voice, it's eavesdropping on data, and that's so much easier. It's like the difference between intercepting a handwritten note versus an SMS message. It's the difference between a letter and an e-mail."

Eavesdropping on data is doable. So is eavesdropping on the PSTN. Neither is particularlty easy. I'll argue extracting anything usable from a data stream is actually harder, but that's a philosophical debate with hundreds of variables. It's a what-if game that anyone can play and win. Any argument is a winnable argument given the right twists and turns. Pay attention to the response comments from Andrew Graydon with the VoIP Security Alliance. They're on the money.

There's lots of fodder for future posts and discussion topics in this well done article. I encourage you to read it.

Technorati Tags: VoIP security, VoIP, CSO Magazine, Scott Berinato