Signal Quality

Skype recently created a pretty flimsy excuse for their outage last Thursday, blaming the outage on a statistically unlikely massive reboot of Windows systems after a Windows Update. While several blogs have their own take on the explanation, with some picking apart the explanation, to some coming up with possible, but elaborate ideas for what might have ‘really’ happened, the overall concensus is that no matter what actually happened, Skype really let people down.

The basic problem for this comes down to a desire on the part of Skype to control every aspect of their service from the basics, down to how every end user is allowed to connect. The Skype communications protocol, the basic way that Skype’s network works, is kept a complete secret, allowing them to charge licensing fees to anyone who wants to make hardware or software that runs on the network.  As opposed to an open communications protocol like SIP, however, this means that you rely on the Skype developers when it comes to choices about security, stability, and user-experience.

With SIP, if there were a major bug in the backbone of the system, as there was in Skype, the fact that everyone can see the SIP protocol and how it works lets far more people find solutions to potential problems long before they become an issue for millions of helpless subscribers.

This reliance on obscurity for the sake of security and control is Skype’s biggest achilles heel, and is what makes use of their protocol a danger to anyone relying on them for business or essential communications. While one can hope that they might learn something from this lesson, or that users might realise that perhaps Skype is not all it’s hyped up to be, only time will tell for sure.

I was noticing something earlier today when reading the USAC’s (Universal Service Administrative Company) interpretation of who must contribute to the USF (Universal Service Fund) according to FCC 06-94. The FCC 06-94 order specifically states that interconnected VoIP providers must pay into the USF, and they go on to define an interconnected VoIP provider as a service that: “(1) Enables real-time, two-way voice communications; (2) Requires a broadband connection from the user’s location; (3) Requires Internet protocol-compatible customer premises equipment (CPE); and (4) Permits users generally to receive calls that originate on the public switched telephone network and to terminate calls to the public switched telephone network.”

Note the use of ‘and’ in that statement to imply that in order to be considered interconnected, you must meet all the four criteria.

The USAC’s interpretation of this regulation, however, is vastly different from everyone else’s interpretation. According to the USAC, “The obligations established by the FCC apply to all VoIP communications made using an interconnected VoIP service, even those that do not involve the PSTN…” which reads as though they think that an interconnected VoIP provider is not necessarily one which connects to the PSTN.

This seems to be a somewhat radical interpretation of what an ‘interconnected’ VoIP provider is, expanding their interpretation to even directly VoIP to VoIP services that never touch the PSTN such as FWD or even MSN to MSN calls.

I note that their site was updated as of the 17th of July, 2007, and that the site archive doesn’t mention this interpretation prior to this date, so I’m wondering if this means they’re going to start to pressure VoIP providers that don’t actually provide connection with the PSTN to pay into the USF.

Always pushing the boundaries, I often wonder how long it will be before we see the USAC and the FCC attempting to charge users who send instant messages back and forth across states ‘interstate communications’ fees, or requiring companies such as AOL, MSN, and Google to pay into the USF for their AIM, MSN, and Gtalk IM services.

Telephone conversations, while these days often taking place on mobile phones in public places, have often been considered to be, by many people, private conversations. Even when one person (or a whole crowded room) can hear half of a conversation, it’s not always readily apparent what the entire discourse is about.

This false sense of security has been the focal point of many a Hollywood film, often with the police, the government, or even the villains listening in and recording phone conversations through various methods. Traditional telephones are, after all, very easy to listen in on, as the technology behind them is exceedingly simple.

When cordless and early mobile phones became popular, this sort of listening in became even easier. Anyone with $30USD and a nearby Radio Shack could buy all the equipment he needed to hear the intimate conversations of his neighbors. A famous incident involving someone listening into phone conversations was one in which Prince Charles was overheard telling his mistress at the time, Camilla Parker Bowles, that he wished to be her tampon. The ease with which the conversation was overheard helped more people become aware of the inherent insecurity in phone conversations.

Since then, many mobile phones have gone digital and implemented several methods to help protect their users’ conversations from anyone trying to listen in. Conversations on mobile networks are interleaved and portions of the conversation are carried out on different, random channels to make it difficult to intercept any whole conversation as it flies through the air. They use this method of encryption to secure their calls.

There is an inherent flaw in these methods work, however: All data is disassembled and reassembled via a ‘trusted’ party (in this case, the mobile phone company). This is for the dual purpose of centralised management and ease of governmental wire-tapping. The phone company, then, is the ‘man in the middle’ who facilitates the security of the conversation. At any time, the phone company could choose to share the secure conversation with another third party, and in cases of police wire tapping, that’s exactly what’s done.

Enter into the equation VoIP (Voice over Internet Protocol). VoIP conversations, by their very nature, are more difficult for the layman to intercept, as they’re sent over the Internet as opposed to floating through the air or winding along wires as raw, unencrypted audio signals. It takes a little more expertise to tap into an Internet conversation and convert the data back into audio, but there is plenty of computer software available that takes the expertise out of the equation, allowing anyone to tap in and record if he can somehow find his way into the data stream. With Wi-Fi networks, this is quite easy, as all the data is just bouncing through the air.

It makes reasonable sense that VoIP, with its modern, technological origin, would have some sort of encryption built in that would make listening in on conversations more difficult, but in truth, encryption is still not always readily available in the VoIP world.

In VoIP, there are several issues to worry about. For one, if you’re using a VoIP phone to talk to a regular old landline or mobile phone, you run into the inherent limitations of both the traditional telephone network or the mobile phone network (as mentioned above). For another, while there are encryption methods available for VoIP calls, not many phones readily support them, and they each have their own flaws as well.

The major method of encrypting a VoIP conversation is called SRTP. The audio part of a VoIP phone call gets passed through the Internet using something called the RTP protocol (Real Time Transport). The S in SRTP stands for ’secure.’ SRTP works a lot like a secure web page works. A centralised authority hands the digital equivalent of a code word out to each phone, allowing the phones to encrypt their conversations back and forth. The centralised authority, often the VoIP provider itself, is considered to be a ‘trusted’ authority. However, there is still concern that such an authority could allow back-door access to a conversation to other people — governments or other authorities. It’s also possible that a particularly unscrupulous trusted authority could faciliate access to anyone it chooses.

This brings us to a different kind of encryption, ZRTP. ZRTP, created by Phil Zimmermann, the man who almost went to jail in the US for writing and openly sharing the high-powered encryption software, PGP, is a method of handling VoIP encryption without relying on a trusted authority in the middle. The phones themselves negotiate a secret code pair and share them with each other in a secure way, creating an encrypted conversation between the two phones. ZRTP uses a method of encryption called Diffie-Hellmann, which uses a public and private key encryption scheme. Each phone has a private code key and a public code key, and the only key ever shared is the public key. One end uses the public key to encrypt the conversation, and the other end uses its private key (unknown to anyone but him) to decrypt the conversation.

Diffie-Hellmann is an incredibly secure method of communication, that suffers only one weakness — a ‘man in the middle’ attack. The idea of a man in the middle attack is that someone COULD be in the middle of a conversation, intercepting all the calls and all the keys. He passes out his own keys to both sides, pretending to be the other person. He is able to decrypt and re-encrypt the conversation in both directions, thereby listening in to the entire conversation.

A man in the middle attack is a difficult thing to accomplish, but it’s possible, so one usually takes precautions such as sharing code words decided in advance, to ensure that the person you’re talking to is REALLY the person you expect to talk to on the other end.

The ZRTP code is freely available for anyone to use in his own software, and Zimmermann has also created ZFone, a program which encrypts the conversations from most popular VoIP softphones.

Unfortunately, VoIP hardware phones and PBX switches have yet to implement any form of ZRTP, so in order to use this newer, more secure communication method, you’re limited to VoIP to VoIP calls (remember, the limitations of traditional and mobile phone networks don’t allow for the same type of encryption yet) between other ZFone users on compatible VoIP networks (IdeaSIP, FWD, Gizmo Project, etc.)

There is simple no such thing as an unbreakable method of securing a phone call. Given enough time and enough resources, any encryption scheme could be broken. Strong encryption, however, is often impractical to break, and it’s usually much easier to rely on people and their misunderstanding of the privacy of their calls as the weak link in any security scheme. While, in this modern age of VoIP, one can still have a reasonably private conversation, secure in the knowledge that his intimate discussions won’t make it to the media, the best way to keep a secret is, and always will be, never to tell it to anyone.

Stanaphone, one of the better consumer-targeted VoIP companies, shut down its consumer operations at the beginning of this month. It had been a holdout for quite some time, and I’m honestly surprised they lasted as long as they did. They were one of those companies that offered free DIDs to attract customers, but they still offered excellent calling rates to global locations.

The problem, of course, with that business plan is that you have to ensure that the people who use your service are on the phone long enough to recoup your substantial losses for the free DIDs. That’s a huge gamble, and with their dial-out pricing, it was more of a pipe dream than anything else. On average, with Internet businesses, you can assume that, if you offer a free service, then 1-2% of your users will ever actually pay for any additional services you may offer. That’s a good average.

Let’s assume they were able to get DIDs for some outrageously inexpensive price of $3.00 per DID (with unlimited incoming minutes, which is pretty unusual for a DID of that price). That means if you offer a free DID, you have to make at least $3.00 in profit every month from other pay services to cover your basic costs. That’s per user. Now, Stanaphone was charging $0.016US per minute for US-Canada calls. We’ll assume they were making a pretty heft profit of about $0.007US per minute — $0.009/minute is a very good price, so that’s a high estimate. That would mean that, just to make up the costs for the free DID, each user would have to be spending more than 430 minutes per month dialing out.

That’s totally unrealistic.

As I say, I’m honestly surprised Stanaphone lasted as long as it did in that arena.

The VoIP market is, today, flooded with providers all offering their own take on what customers want. Open VoIP networks are becoming increasingly rare, as more companies try and close their services to keep users from being able to easily switch to other networks. The free DIDs are getting harder and harder to find from providers, as more and more providers either go out of business or simply realise that the usage they expected from customers is far more limited than they’d anticipated. More and more companies, like Stanaphone, are deciding that business VoIP is where all the money is, and are closing up shop in the consumer market. And many companies are simply discovering that the VoIP market is not the gold mine everyone thought it would be a couple of years ago, and have closed down after losing all their capital.

Some companies are doing well for publicity — Vonage and Skype being the top two known brand names in VoIP. Others, such as Gizmo Project are poised on the brink of being the next big name by offering flashy and full-featured software phones and becoming less a VoIP company and more an IM/VoIP offering. Some, such as IdeaSIP, are relying on a careful and close customer service focus that is unusual if not unheard of in the VoIP world. But the gold mine simply isn’t there. Vonage has been fraught with money problems even before the latest Verizon suit brought them to the edge of bankruptcy. Skype, backed by eBay, has been able to leverage its massive funding to attempt to gain customers by offering calls for free or close to it, but it’s simply losing money hand over fist to increase its customer base. Gizmo Project gained an influx of capital funding about a year ago that allowed them to create a new client and gain a large user surge, but their offerings of free calling to anyone else using Gizmo Project has the ring of a Skype-like attempt to burn capital in exchange for a larger user base.

Every day, there are more obstacles to avoid and more hurdles to jump. Legislation pushed by the telecom lobby creates an anti-competitive market. The sheer number of VoIP companies springing up out of the woodwork creates tough competition. The number of VoIP companies that go out of business every month frightens consumers away from adopting the technology, worried that their provider may suddenly vanish. The technology itself has yet to become transparent enough for many users to understand it enough to be able to use it. And marketing VoIP services is still an obstacle that no one has quite figured out how to overcome.

In the end, the products that survive will either have the capital required to survive the lean times, such as the ones already run by the large telecom companies or cable companies, or will somehow find a way to gain the appropriate grass roots momentum to carry them into the future.

It is with great trepidation and no small amount of morbid curiosity that I wander through sites like the VoIP Graveyard, wherein lie the brands that have already fallen. May they rest in peace.

In my last post, I talked about the disappointing performance of embedded Asterisk on a mini router.

Today, I’m going to discuss Trixbox (formerly Asterisk@home). Trixbox is a handy little open-source software package containing a combination ready-to-go linux install combined with an install of Asterisk with all the bells and whistles. It makes installing an Asterisk PBX as simple as it possibly can be. You take your Trixbox CD, drop it into the CD Rom drive of a machine, boot off the CD, and off goes the install.

After answering a couple of questions about a password and the timezone I’m in, the install adds all the necessary packages, reboots a few times while it does its work, and comes up running Asterisk. At this point, you can either log in via the console or, preferably, open up a web browser and point it at the newly-installed machine.

Coming from a background of installing Asterisk by hand and hand-editing the configuration files to do what I wanted and how I wanted, I’ll admit that the web-based interface was a little confusing. Documentation can be found online (and is extensive) , although there’s a trick to finding it from the interface which I found a little odd. You have to click on ‘Forums’ and it brings up an online page which includes a tab for documentation. That could have been labeled a little better (or had a direct link), but overall, I found the layout to be pretty good.

I would not, however, call the interface transparent. While there are several different interfaces combined into one (system configuration, recording management, etc), they all assume some Asterisk and phone knowledge, as the terms, layout, and configuration options are all Asterisk-specific. One couldn’t, for example, with no prior knowledge, load up Trixbox and have a phone system running in a matter of hours. It’s just not that simple.

With some careful reading, however, and if one uses all the resources of the internet available, it’s very easy to set up a basic running system to the point that you could then easily add or remove additional phones and users, work with voicemail, and configure some important features one would expect from a full phone system: conference calling and conference bridges, call waiting, call forwarding, do not disturb, call transfers, etc.

For those with Asterisk experience already, however, the experience can be frustrating. I’ll admit, I had to avoid the urge to uninstall the whole thing and just go back to my old ways of manually editing the config files. It would have been easier for me, but I was determined to understand the Trixbox solution, so I often forced myself to plod ahead.

As an install for a newer user, however, Trixbox comes wholly recommended. It takes the guesswork out of setting up a PBX either for home or at the office. Supporting large numbers of users would be a breeze with the web-based interface, and managing all the system files and configurations could be done by practically anyone with only a little bit of training.

I installed Trixbox at home, hooked it up to my IdeaSIP account using the instructions on the Asterisk@home wiki, and connected a device with an FXO port so that all my incoming PSTN calls go straight to my Asterisk box. From there, it determines whether or not I’m home or at the office by ringing first my local extensions, and then my remote extensions. If I’m nowhere to be found, and it’s during the day, it will forward off to my cell phone using my IdeasOUT minutes. If it’s night-time (sleep time), it just goes straight into voicemail.

And since I’ve become somewhat of a VoIP aficionado, and have many different VoIP-capable phones around the home, from the Snom phone to the wi-fi SIP phone to the ATA connected to my Uniden phones, I’m able to easily manage them all graphically with the Trixbox suite of interfaces. It’s quite effective.

The only real disappointment from Trixbox isn’t a Trixbox problem at all, really. It’s just that it requires a separate computer to use, and that means power, noise, space, and heat — something I’d been trying to avoid with the embedded asterisk install.

However, I can say that the whole suite works effectively enough that it’s worth investing in a small, shoebox-sized computer with a fanless power supply so at the very least I can keep space and noise down to a minimum.

If you’ve been thrilled with your VoIP account, but had been wondering what the next step might be in its evolution, I urge you to give Trixbox a try — for work or for home.

The government has, for a long time now, been trying to force Internet Service Providers to keep track of the online habits of their customers and provide access to this information for the FBI and other government agencies. It has never flown so well, as it’s an obvious breach of fourth amendment improper search procedures.

Yet again, however, they’re trying to do the same thing, but this time, it has the spin of ‘Protecting the Children’ on it. Alberto Gonzales has attached an amendment to the Children’s Safety and Violent Crime Reduction Act that’s sitting in the US Senate right now that would require Internet Service Providers to allow the government access to their users’ online usage data, as well as having hefty fines for any ISPs who failed to report a user suspected of trafficking in child pornography.

The problem with this, is that not only does it violate privacy, but it’s a clear ploy to just use the safety of children as an excuse to pass legislation that’s failed to pass before. If it gets attached as an amendment to the bill, what senator in his right mind would vote against this bill with election time right around the corner?

The Telecommunications and Internet Subcommittee, a subcommmittee formed from the House Energy and Commerce Committee, rejected a net neutrality admendment in a bill that was designed to create a national Internet video franchise. Large telecommunications companies have been strongly lobbying against Congress creating any provisions for net neutrality, as the telecommunications companies feel they should have the right to have a multi-tiered network of services, offering their own services at maximum speed, and charging others service providers to travel over their networks.

With the way the Internet works, a company pays to be connected to the Internet, much the way a consumer does. The telecom proposals, however, would then charge additional money every time a consumer wanted to access the company’s servers — the servers they’re already paying to have connected to the Internet. This is a rather veiled attempt at punishing competitors who have no alternative for Internet connectivity to the consumer. It allows the already deregulated telecom and cable companies to create a wall from which the consumer has no real recourse but to use only the telecom or cable companies’ services, as any competitors would suffer from substandard service or be priced out of business.

What will happen is that more and more service providers such as Google, Microsoft, AOL, Vonage, and anyone with a new and innovative service, will move to another country where the ability to access consumers is not hampered by such stringently anticompetitive regulations. The US consumer will suffer, but as most US consumers don’t fully understand how the Internet works, and how the telecom and cable companies’ service offerings differ from their competitors’, there’s not liable to be a public outcry.

On the bright side, there are other net neutrality bills and amendments up in Congress this session, and there’s still the chance that one will survive, but with the massive lobbying power of the telecom companies and the cable companies, the chances are very slim.

CNN Money reported today that Streamcast Networks, the people who make the Morpheus peer-to-peer file-sharing application, is suing Skype, claiming that Skype uses their technology illegally. I was expecting this, to be honest, when Skype added file-sharing to their ever-so-popular VoIP application.

Skype’s software v2.0 took their sort of walkie-talkie-style IM/VoIP application and added other things like file-sharing, still using the Skype peer-to-peer communications protocol. I expected backlash from that, but I honestly expected it to come in the form of a lawsuit from the RIAA or the MPAA before Streamcast.

I’m eager to see how it plays out. This really underscores the way Skype works by utilising a peer-to-peer framework to pass voice calls, unlike a lot of other VoIP technology, which is direct client to client. This could be a reaction to Skype entering the file-sharing arena or it could be a prelude to Streamcast entering the VoIP arena.

I was reading an article by CBC news in Canada this morning that struck a rather prophetic chord. Vonage is protesting an additional fee that Shaw Communications has stated it will start charging any customers who use VoIP over one of the Shaw networks. The $10 additional fee for ‘quality of service’ would, Vonage states, amount to a tax on VoIP and would amost certainly pave the way for Shaw Communications to offer its own VoIP services to consumers at more attractive rates.

This is very similar to a hypothetical situation being argued about in the US Congress right now, with the fear that if some sort of net neutrality is not ensured, ISPs would begin to charge competitors to use their services, thereby effectively blocking out competition.  With lines in the US recently deregulated, allowing the big Telcos to charge whatever they want to ISPs who want to have direct access to the consumer, this would create a market in which the Telcos and Cable companies would be the only ISPs able to effectively compete in the market.

AT&Ts recent acquisition of Bellsouth leaves only 2 actual Telcos left in the US with direct access to consumers — AT&T and Verizon. Anyone else who wants to have access to the consumer at home must pay trillions of dollars to create an infrastructure (which, in many states, is not allowed), or has to pay whatever the Telcos want to charge in order to rent access to the lines already in place.

If you add, on top of that, additional charges to run services over those lines to ensure a ‘quality of service’ for the consumer, then it means that one way or another, the consumer is going to have to pay a lot more either to the Telcos or to the service providers, and the number of companies able to compete in such a hostile market will dwindle to almost nothing.

It shall be interesting to see which direction this argument goes in Canada, as it may affect the outcome of the US Congressional hearings.

ZDNet recently published an article which discusses how Windows has bumped Unix off the top spot for the most-used OS for servers in 2005. What they fail to mention is that their semantics are completely misleading. They state that Linux ranks third in the list, and that Unix ranks second in the list, with Windows being in the top spot, but what the writer apparently fails to understand is that Linux IS Unix.

This has been similarly misreported throughout, as the IDC report on which it’s based is inherently flawed in that it doesn’t recognise that Linux is actually a Unix variant.

Total Windows revenues were $17.7 billion, whereas total Unix (non-Linux) revenues were $17.5 billion. If you calculate actual revenues of all unix, though (including Linux), it comes to $24.2 billion — far outpacing server revenues from Windows machines.

The original IDC report can be found here.