So we're talking about free communications and messaging. Today's session, I'm going to quickly go through some slides and some pictures. I'm going to show how they relate to the Debian project. Particularly the next release, Wheezy, has some new features for voice over IP. And then it's going to open up a little bit for some discussion and questions as well. Voice over IP goes beyond Debian itself. Obviously you have to interoperate with other systems. I'm keen on things like soft phones on Android. I've worked on things that work on Windows as well. But the focus of most of what you're going to see is on Debian.

So this is an outline of the session. So just looking at where we are today and how we got there. Email has become tremendously successful. Everyone's using it. It's based on open standards like SMTP. You can see that in the heading. Mail servers are installed by default in most Linux systems. In Debian you get Exim or you might swap that for Postfix. It used to be Sendmail. But you'd always end up with one of them when you install a Linux system. That's probably been one of the reasons why email has taken hold. It's because it's always been on systems from the beginning. A trivial amount of effort is necessary. You need a static IP address, an MX record. You can change maybe two or three lines of config file and start filling up your mailbox with spam that you never wanted.

VoIP servers have not been deployed by default. Typically they're not nearly as easy to configure either. So distributions that offer packages, like Debian offers Asterisk, still leave a lot of setting up as well. So it's not installed by default. And if you go and get it with apt-get, you have to do a lot of the effort to set it up. It does come with a default configuration for a demo, but that has to be adapted. You can't just go live with that. The bottom line is that the free software and open standards have not become entrenched.
We don't have an open source equivalent to Firefox in the VoIP world. Asterisk takes a lot of setup effort. I've got Asterisk systems with dozens of config files for every protocol, for different classes of user and gateway connection. It's a real pain. I haven't seen any voice over IP system that automatically gives VoIP to all the Unix users on a machine. Once again, email servers will typically turn your Unix users into mailboxes, just out of the box. It's all automatic. But none of the voice over IP products have tried to do that.

There have been a number of legacy traditions, like telephone numbering. These are important. On many devices, you don't have a full keyboard, so you do need to preserve these traditions. But they have slowed down the adoption of new techniques. Another one is emergency dialing. Depending on which country you're in, whether it be 911 or 999 or 112 in Europe, these things have all been factors in the slow deployment of a universal VoIP infrastructure. Email never had to deal with things like this. There's no emergency fax number in most countries, so email never had to compete with something like that.

The two major protocols to choose from right at this moment are SIP and Jabber, and even that is a dilemma for people. Like Google has gone with Jabber, Microsoft has gone with SIP for some of their products. A lot of the physical desk phones are based on SIP without Jabber support, but Google is huge in their Jabber. So both protocols are very relevant right now. There's no definite winner.

And that has been a huge headache, but people have often embarked on a VoIP project and ended up pulling their hair out because someone will take a VoIP phone into their house and their router will mangle the signalling packets or it will lose the audio in one direction. It's caused a lot of frustration. Google doesn't have those sort of headaches with NAT. So Skype, and now more recently we've seen Viber, have seized the day.
They've become very prominent. If you ask people about voice over IP, they will talk to you about Skype. Is there anyone here who has not used Skype? Yep. Okay. Let me see your hand up if no one has ever asked you to talk to them on Skype. Okay. So we've all come across this, and we're going to touch on this again later, but there's a certain amount of peer pressure in communications that doesn't exist with other open source endeavours. With free software, people won't worry about whether you're using Linux, but when you actually need to talk to them, it's a very common platform.

In the corporate world, Microsoft Lync is gaining traction. In many of the big corporates that I've been working with, I've seen Lync projects getting underway. I haven't seen one that has been successful yet, but that doesn't mean they've failed. It just means that they're taking their time. And that at some point, a lot of them are going to be stuck on this, and people are going to see this as the default in the corporate world, like Outlook.

Just wait. We need to get you the microphone.

Is Microsoft Lync, is that OCC? Is that another name?

So just hold the microphone.

Is Lync Office Communicator?

Yes, it's had various names. So you will notice that there are products like SIP phones that have been made for earlier versions of Lync when it operated under another name. And most of the SIP phones offer compatibility features, which are necessary because Microsoft makes extensions to the protocol.

Another point to think about is, who has seen the recent Facebook attack on email addresses? Does everyone know what I'm talking about? In contact lists, people typically have their friends' email addresses on Facebook, and they have their own email address. Facebook is trying to get people to use their Facebook ID as an email address at facebook.com.
And at some point recently, they somehow switched off or hid the non-Facebook email addresses so that if you look at a profile, you see the Facebook email address that you never knew you wanted, but you've got it. And you have to go in there manually and put back your own email address if you are a Facebook user. On top of that, I've read that the people who are running the Facebook app which integrates on their handheld devices got so excited about this that it actually modified their contact list outside of Facebook, so their phone contact list actually started picking up the Facebook email addresses and losing the other email addresses, which caused a lot of frustration. But you could see where these big companies are going with this. They want to standardize the user on a particular ID and then they want to bring all the communications through that single ID for their various reasons, and we'll look at those reasons in a moment. But this is scary stuff, and that Facebook example gives you a very... it's a wake-up call about the lengths that they will go to to get hold of your communications.

So, real-world examples in other domains in technology. You've got this encryption of DVDs. You've got HDMI using DRM to protect media, to stop duplication of media. You've got secure boot coming to the PC to stop you running other software. I mean, what can we anticipate next? In voice over IP, with Skype so widely deployed and with Lync getting a foothold in the corporate market, could we see a similar trend, that DRM could come to voice over IP? And how would that look if that happened? Is it already the case with Skype? Not quite. It is a proprietary and encrypted system, but it doesn't really link out to other systems very effectively. They haven't so tightly bound it with Lync.
But if Lync becomes established in, say, your Fortune 500 companies and they can all call each other through Lync, and the member of the public wants to call a big corporate call centre or something and they can do that for free through Skype. Or maybe they will have to go to their traditional phone company and pay for that and there'll be no other option. That's the type of thing that we should be concerned about, that the market will be steered in this direction.

Another way that they could steer the market is with things like emergency calling, which is currently a bit difficult over the internet; each country has got to a different stage in trying to support emergency calls over voice over IP. But if you look at the relationships of governments and big companies, Microsoft or another vendor may try to propose a proprietary protocol to solve that problem. That could be very dangerous to open and free protocols.

DRM-like mechanisms may extend the barriers that already exist with Skype. So you may see a few big companies that agree to work together even more than they do now. At the moment they're like islands, like Viber and Skype are separate, but if a few of these companies stitch something up together using some sort of a DRM mechanism, then it becomes a lot more dangerous.

Just about that, we have seen things, a proposal like that to prioritize certain types of internet content to others, with regards to others. Videos should have higher priorities than text-based things, and if we see some stuff like Skype should be more prioritized than the rest, we are also in the same type of situation.

Yes, there's a real risk that when you combine technologies like deep packet inspection and so on, then an ISP could recognize Skype packets and they could offer Microsoft a deal to prioritize their traffic on the network, which is another attack on freedom and choice of what product you use.
This list could go on and on in all the different ways that open and free solutions could be put in danger. Advertising has come up recently. There's some talk about Skype displaying advertisements during audio calls, so you would see an advertisement in the video window if you were not using video. I don't know if it's already switched on, but it has been discussed publicly, but it may not be in your face like that. They may actually use more sophisticated mechanisms, and I'm going to touch on those in a moment. Corporates may be able to opt out of having advertising for their callers, so if you call your bank, you might not see advertising. You get the free call with a proprietary VoIP system, but the bank might have a deal with the vendor to exclude advertising on those calls.

And calls between corporates, we don't know which way this is going to go now because it hasn't really taken off yet. But there's a real danger that that could also depend heavily on Lync, that if a lot of them start using Lync, and a lot of governments as well, then people will not be able to make a credible case to use something else. So if other solutions don't actually get in there first and if these big boys get established, then it becomes a lot more dangerous. They can't do that retrospectively with email now. I mean, we've had some fears about DomainKeys and other techniques that some companies have tried to introduce to email, but they haven't completely stopped open source and free solutions. Here, we're at a different point because the open and free solutions don't have a strong foothold yet.

I'm not sure if you can see this. Can everyone read that at the back? No? Okay. So what you can see here, down the bottom, that big bar basically represents your single sign-on, say your Microsoft Passport or your Facebook login, your cookies that follow you everywhere. And what you've got in the big box on the left is your soft phone, whatever that may be, your non-free product.
And then these two little arrows: in the top arrow, we've got a system analysing your speech to extract the words. And these systems already exist. So they're extracting what you say in whatever language you choose to speak. And the other arrow is analysing your emotions and other context. And they can do this as well. They can detect whether you're happy or sad. If you're happy, they want to sell you a holiday. If you're afraid, they'll try and sell you car insurance or something. And this all goes into a data warehouse somewhere. This then drives some logic for positioning advertisements. And on the right, you've got your web browsing and your other online activities, not just during the time that you're on a phone call, but maybe for the rest of the day or the rest of the week. So they build up a picture of your state during a phone call, and then they can use that to influence what advertising you'll see. They can link all of that together using a single sign-on and other mechanisms that track you. So this is serious stuff because it allows advertisers to target things much more closely than ever before.

Just to break out of that for a moment. So in the browser here, this is a publication from the IEEE from 2006. It's been around for about six years. But this basically concerns analyzing emotions in speech to understand how you react to different brands. So you can imagine that this is not the only application of this technology, but if you type this into Google, "recognition of emotions in speech", you'll find a lot of stuff has been done over quite a few years now.

So communications, it's very pervasive. Every person in every business has some sort of communication system, a technological solution, whether it's their mobile phone, their email, maybe a combination of things. Not only that, they get a lot more angry if it's not working compared to just an outage of their internet browsing.
As I mentioned before with the operating system, you don't have so much pressure from other people. I've worked in offices where I could use Linux even though the guy sitting next to me was running Windows. I've been able to use Thunderbird or iStuff to connect to the Exchange server even when the guy next to me is using Outlook. But with communications, you have a bit more pressure to use something that's compatible. That's why we all get these requests to use Skype, or it's typically Skype that people mention. And it's just a very dangerous area: if we fail to address the concerns about the quality of the service, or if we fail to attack the peer pressure issue and to provide solutions that can be widespread, then open source and free solutions just won't get a foot in the door.

So what can we do? So here I've got a list of some suggestions and I've mentioned some packages that already exist in Wheezy. Supporting both protocols, SIP and Jabber. I think that if you choose one or the other, then you won't have 100% coverage. Do we have some questions? A microphone.

I'd like to add something before you go further. I've missed the first slide, but I think you didn't talk about also the issue of the lack of encryption, or at least end-to-end encryption that could guarantee that your communication is protected and confidential, which I think is much worse than advertisement.

Yeah, encryption is an issue. It's not the fundamental issue of the talk today, but a lot of what we're going to go through does actually support it and it is on this slide as well. It's further down; you'll see TLS. It's grayed out at the moment. But we'll get to the encryption; there's a little demo coming as well. It is very relevant but it's not fundamental to having a free solution.

Okay, I mentioned this because recently I heard about Skype integrating some technology to be able to make it possible and easy for governments to wiretap calls.

Yes, well they already do that with GSM networks.
I mean, most people have the perception that when they take out their mobile phone and they call their friend, if I call Hector, I might believe that my call is encrypted all the way to his phone. Is that true? No, it's encrypted to the tower, and then the tower decrypts it, listens to it if necessary, and then encrypts it again and sends it out to his phone. So most people have the perception that it's encrypted from their phone to the phone that they're calling, that there's nothing in the middle. It's not true.

So just going back to the slide, SIP and Jabber in parallel. Another question? Microphone?

You didn't mention Mumble's protocols. Is that not relevant here, as something that is in use and isn't either SIP or Jabber, as I understand it?

It's not as widespread but it is relevant. But what we'll do, I'll go through, or do you want me to stop for a minute and you can tell us it? We can go through a bit more detail for those who don't know, I'll explain.

Go ahead.

The other issue, to maximize the chance that two people can speak to each other, is to have as many codecs as possible. If you have different codecs, and this is common with open source solutions, many of them have the 64 kilobit codec but they all have different low bit rate codecs: some have GSM, some have Speex. You actually need to have as many of them as possible to have success.

Plug and play solutions: I mentioned before you don't have that with Asterisk, but now we have packages like repro, which is for SIP, and ejabberd has been around for a while. It's web based, it's easy: you just install the package, do a few settings and you have something you can use.
NAT: there is a solution now. The only requirement for ICE and TURN to work is that all your devices need to support it, so as long as you can use modern SIP phones or Jabber devices or soft phones, this will work. It seems to be the only strong way to deal with the NAT issue, and the package for that is this reSIProcate TURN server.

Phone spam: I mean, if you imagine all the spam you get in email. Who gets more than 10 spam messages in a day? Can you imagine if those were phone calls? Yeah, okay. This is a real issue, and it's another reason that voice over IP has been held back, this fear of spam, impersonation, as well as the interception of calls. TLS with mutual authentication can address a lot of those problems, because you know who's calling you, because it's signed by a certificate. And not only that, but you can implement access controls and other mechanisms. You can use statistical methods to identify patterns from spammers: because they need to have some certificate to get on the network, you can recognise when they're using that certificate.

And legacy traditions like phone numbers: so ENUM is one way to address the requirement to keep using phone numbers or to support them. This package, dlz-ldap-enum: if you have phone numbers in an LDAP directory, it exposes them all over ENUM instantly, so any other voice over IP application that can use ENUM can use your LDAP directory for routing. So that's a very quick win, installing that package.

This is just a quick diagram. The main thing to notice here is that, for the two phones at the bottom right calling each other on the local network, the RTP stream is going within the network between them. For the phone on the left, the one that's out on the internet somewhere, his RTP stream goes through that TURN server at the top, and that's how we deal with the NAT issue. And you notice in this case, if you can read the IP addresses, that the guy on the left actually has the same IP address on some other NAT as one of the phones in the office, but
for the TURN server that's no problem, but it would be a problem with some older SIP solutions. So if we go back and forth, you can see the Jabber solution is very, very similar, but the Jabber system can also use the same TURN server to handle the connection of NAT users. So that's another victory for open standards: you don't have to deploy two of these things, one of them is enough.

And this is putting them all together. You'll notice that the SIP server and the Jabber server, they can both use the same certificate as well, so you don't have to buy different certificates for each server, and that's working with the single TURN server for both of them. You have a soft phone using Jabber on the top left through the top right, and on the bottom right you have a desk phone using SIP, and you have various users out in the wild.

So free software and free communications, they go together. The DRM-like things, they're a real threat. So we've already gone through half an hour, so what I'm going to do is I'm going to skip over some of this and just go over here to do two quick demonstrations.

This is the ejabberd server. So it's a nice web interface. After you install the package, you just go in and you add your users. You need to set up a certificate and start adding your users, and then you've got a Jabber system, and that's federated, so when you add your friend on Google Talk, they see your full domain with your email address rather than a Google Talk user ID.

The other demonstration is repro, the SIP proxy, which is very similar but for SIP. That's not installed, and so we don't see anything here, so we're going to see if it actually installs in the middle of giving a presentation without breaking something. So install the... Yes, I can do that. Is that better? Is that better? Okay. So we've just installed the library package, this libresiprocate, and we install the...
let's install that TURN server package. That's installed. In the latest version of the package, the config files moved a little bit, but they're largely like this. So we just set up our IP address here and then we have that TURN server. You'll notice the default password here; I'd recommend changing that. So this one, I'm actually going to remove that now, so you can all see my host name there.

What was that package name?

It's reTurn. The actual package is not named reTurn anymore, it wasn't appropriate for the archive, so it's now resiprocate-turn-server. But the other one is the repro proxy. This one also has a config file. You get to see some more passwords here: just admin is the default, and the port is 5080. So if we're lucky, you can log in as admin, you can add some users. You should add some domains first: mydomain.com, we just put that on the default port. Add a user, so we put Daniel, and there it is. And if I successfully configure my phone, then it will appear on this list. So those are some of the quickest ways to get started with SIP and Jabber on Debian. So those packages should be there in Wheezy, very much in the form that you've just seen.

Just to look at it from another angle, this is the Lumicall dialer for Android, and you can see here a demonstration of dialing with ENUM. So I've selected a contact, and the dialer has actually found an ENUM record for Bob's phone number. So that's the first record you see with ENUM, it's via sip5060.net, so it can place the call for free using that. The next option is, it's found Bob's email address, which you see there, and it's realized that he has a SIP server for lumicall.org, so it offers you the option of calling that email address as if it's a SIP address. So it just works that out. If the domain doesn't have the SIP address, it won't show up as an option, so the user should not be confused. And then it can dial through the mobile network and you pay for the call. Just let it continue. So I've chosen the ENUM route, it dials the number, and in this
case it's doing... it's warning us the call is not secure. There it is, it's done the ZRTP setup and it's now secured. Those two words you see there, both users on each end of the call should see the same two words. The security of ZRTP is based on two things: that you should both see the same words and that you should recognize the other person's voice. So it doesn't work if you call the airline and you get someone in a call center who you've never spoken to before, because you don't have any way to recognize their voice. So ZRTP gives you these two words, and if you hear the voice and you recognize it and they read out those two words to you, then you know you have a secure line. It's based on a Diffie-Hellman key exchange. So that's Lumicall. So that's the end of the presentation, so I'd like to have questions. Yes?

By security here, you mean security as in I'm talking to who I would like to be talking to?

Yes, using the voice authentication you're verifying the identity of the person, and on top of that it's also encrypting the call with AES. So all the packets are signed with a digest so that there's no impersonation, and they're all encrypted with AES, so it's encrypted.

I'd like to point out a couple of things about the whole topic, but first of all, here I would say immediately that I don't think anybody will ever read those two words to anybody who they're calling. I don't think that's possible for real users. I think any solution that tries to do something like that will fail, to be honest. But independently of that, you seem to be making the point that the problem we have currently with communications is based only on the difficulty of creating a SIP server, configuring it, etc. But I don't agree with that. I think the biggest problem we have is, first of all, that soft phones are in general not very good, that when people try a free soft phone it will not work well, even though there are plenty of SIP providers that give decent products, no sorry, decent services. So I think the biggest issue to
overcome is having really well-working soft phones. And then also another thing, as I said before, the security concern I think is growing, and many people that are not technically oriented, especially after what happened with Facebook and other stuff. So that I think is something to concentrate on if we want to make those people switch to free software, but if we are not bringing the security and confidentiality as top priorities, I think you're not getting these people. And I've seen your graphs: your RTP connections were not secure, they were only caring about authentication, and I don't care about authentication, I care about encryption.

Okay, the diagrams that we looked at before were very simple, so I didn't go into the SRTP simply because we don't have a lot of time to do that. If you look at the opentelecoms.org website, you'll see it's covered in more depth. The ZRTP itself, these two words, they come from Phil Zimmermann, the guy behind PGP, so it is popular. This is just one implementation. It's not something I created and I don't take any credit for that protocol. But does anyone else have anything?

I remember reading once something that was saying that when you use Skype you are actually going through somebody who is running a Windows version of Skype and having set up his computer well, so it's not nothing, I mean it just has no firewall on their house, and so in a sense you get a good quality phone call because you are running in some sort of zombie network of Windows users. So any thoughts on that?
Yes, this TURN server does the same thing: it relays the packets for people who do not have real internet connectivity themselves, who don't have a static IP address. They are behind a NAT, they cannot directly communicate with someone behind another NAT, so they need to relay their media somehow. Skype solved that problem by, as you describe, acting like a Trojan: if it discovered that some machine is open to the internet, it would turn that machine into a relay. You have various consequences: if the user switches off their machine or if they are downloading something, quality suffers. That's why deploying the reTurn server package here builds much more solid solutions.

I've been using a hard SIP phone for the last 7 years or something, and that works pretty well with an external SIP provider, but I could never get the soft phone stuff to work on my laptop until I got an N900, which actually makes phone calls that work. So I found the usual problem that you only got one-way comms or you couldn't get through the NAT thing, and you end up using Skype to actually talk to somebody. And now you are saying that basically you reckon that is all now fixed and it really will just work? And also the second part: if I am running your ejabberd service stuff, does that mean I don't now need an external SIP provider, except for the connecting to the PSTN part?

That's correct. Just to focus on that first, because that relates to the previous question about SIP providers as well: in the world of email we don't rely on external email providers. We don't have a system of widespread use of email to fax gateways. I mean, they do exist, but they are not representing more than 1% of today's emails. So in voice over IP we still have a lot of reliance on SIP providers. Their business models vary, their quality varies. Most of them aim at a low cost market, and that has consequences for customer support. It causes a lot of frustration for users who are very technical, who want to discuss a problem with an engineer
because the SIP provider has a call centre in the Philippines or something like that. So there's a lot of frustrations there. The way around it is to build federated systems to just work around them. I mean, you still need to have some connectivity to the PSTN.

Just a comment from IRC: apparently Skype no longer proxies through users' computers, and this is a recent change, apparently.

There's Skype; there is a similar thing in Jabber as well, called Jingle Nodes, that attempts to do the same thing in an open way. I won't go into that now.

I have a couple of questions. First of all, do you have any opinions about FreeSWITCH? There is a now obsolete ITP which has been closed, it hasn't been worked on. Any thoughts about that?

Maybe I open that up to someone else.

Okay, I've been failing to package FreeSWITCH for a very long time. I'm currently collaborating with someone that's one of the FreeSWITCH developers, who has done most of the work that I did and a load of other work in parallel, and a much better job, because he understands the build system for FreeSWITCH, which is a bit twisted to say the least. It includes things like wget-ing libraries in the middle of the build, which is deeply beautiful. So I think there's a reasonable chance of it getting packaged once we've done an audit of the copyright of the 150-odd libraries that they include. They seem to have a tendency to, whenever they see anything that could conceivably link against FreeSWITCH, some cheerful person goes off and does it. They're starting to understand that that means that you end up with a lot of libraries that are three years out of date, because I haven't got the manpower to keep on updating things. Maybe we will be able to get that as a Debian package, probably not with all those libraries intact. There is an instance of FreeSWITCH which is something on void.debian.net at the moment, which we're also trying to get to the point where we can give all DDs an account. Normally I set that up as the way that you can make calls out
of DebConf. This year I ended up not having an operational hard phone, so that didn't happen, but hopefully this time round we'll actually go into LDAP at the moment so that you can select a password for your login. Should be ready really soon. The server is running the new packages now. The new packages have some sort of sanity to them. Hopefully that will all work well. I'm going to say something that people that like Asterisk are going to get upset about now, but I would say that FreeSWITCH is to Asterisk as Postfix is to Sendmail.

We have to wrap up now, but I have actually addressed this in detail on the opentelecoms.org website, and so you can read this and find all the answers here. So thanks. Thanks for all the questions.