VoIP: Lies, and misdirection...
It shouldn't be a big surprise, but there are crooked crooks on the Internet, trying to prey on your naivete to make a buck.
But, since not everyone can swim through it all, I'm going to have to go after a bad one that I just encountered. Hopefully, this will show up in web searches about these people (http://www.whypayforcalls.com), and save some people from a gruesome fate at the hands of some charlatans.
However, I'm going to dismember portions of their 17-page Lie Fest, usually only available if you sell your soul, I mean, give them far more personal information than is warranted for such a thing.
Before I go on, let me say that this dissection of their somewhat untruthful document is going to involve excerpts. They claim a lot of copyrights on the thing, but, given that it's freely available on the web, and that I am going to excerpt for the purposes of discussing their facts, I believe this to be fair use. For the record, I hereby place this screed under a Creative Commons 2.0 Attribution License.
First of all, the factual and logical errors in this document are pretty abhorrent. Take, for instance, this paragraph on page 9, about an operating system called “Lunix”:
There are also illegal hacker operating systems made available. A Russian computer hacker named Lynos Torovoltos invented operating systems such as BSD, Lunix, Debian, and Mandrake. These operating systems are based on a program called “xenix” which was written by Microsoft for the US government. Hackers sell these programs so that they can break into other people's computers and steal credit card numbers, passwords, birth dates, social security numbers, etc. They are also used to steal music using the “MP3” program.
Where do I begin? It's spelled Linux. Linus Torvalds created it. He's Finnish, not Russian. It's not illegal. BSD is a different operating system, Debian and Mandrake are distributions of Linux. None of the above were based on (or, to my understanding, the basis of) Xenix. They aren't programs to break into anyone's anything, they're operating systems, just like Windows XP or Mac OS X.
MP3 is a codec (boy, for folks who later claim that the only safe way to do VoIP is via a proprietary codec, they're really not demonstrating a whole lot of knowledge, are they?), not a program. It doesn't make it easier or harder to steal anything - it's merely a representation of audio that a computer can use to store or regenerate audio. In fact, it would be possible to use mp3 for VoIP. Many radio stations have used mp3 for encoding audio that they use for remote guests in remote studios.
With me so far? These people don't have much clue.
Peer-to-peer services, as well as over 90% of all VoIP computer phone services, operate on industry standard codec and industry standard protocols. In other words, their lines are not secure.
And how, pray tell, do these guys propose to “secure your lines”? Proprietary codecs are not any more secure than open ones. To make matters worse for their argument, the standards now include how to encrypt voice on the fly. It's called S-RTP; it uses AES, the current de facto “strong security standard” (i.e., it's open and we understand it, and no known strong attacks exist), and a lot of vendors support it. There's hardware support for it in the Sipura SPA line, and there will hopefully be software support for it in enough places to make it default to “on” soon.
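To make the "encrypt voice on the fly" point concrete, here is an added Go sketch (not code from the original post or from any vendor) of the confidentiality half of SRTP: AES in counter mode, with the per-packet IV derived from the session salt, the SSRC and the packet index exactly as RFC 3711 specifies. The session key, salt, RTP packet and all function names are constructed for this example; the master-key KDF and the HMAC-SHA1 authentication tag that a real SRTP stack also applies are omitted to keep it short.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)
// Constructed sample session key and salt; real endpoints derive them from
// the SRTP master key with the RFC 3711 KDF, which is omitted here.
var (
	sessionKey  = []byte("0123456789abcdef") // AES-128 cipher key
	sessionSalt = []byte("saltsaltsaltsa")    // 112-bit session salt
)
const hdrLen = 12 // fixed RTP header, ending in the 32-bit SSRC

// srtpIV is the AES-CM counter of RFC 3711 section 4.1.1:
// IV = (salt << 16) XOR (SSRC << 64) XOR (index << 16).
func srtpIV(ssrc uint32, index uint64) []byte {
	var salt, s, i [16]byte
	copy(salt[:], sessionSalt)
	binary.BigEndian.PutUint32(s[4:8], ssrc)
	binary.BigEndian.PutUint64(i[6:14], index) // index is 48-bit
	iv := make([]byte, 16)
	for k := range iv {
		iv[k] = salt[k] ^ s[k] ^ i[k]
	}
	return iv
}

// encryptPayload XORs a copy of the payload with this packet's keystream. The
// header (SSRC, seq) stays in the clear, as SRTP specifies; the same call undoes it.
func encryptPayload(rtp []byte, roc uint32) ([]byte, error) {
	if len(rtp) < hdrLen {
		return nil, errors.New("packet shorter than RTP header")
	}
	seq, ssrc := binary.BigEndian.Uint16(rtp[2:4]), binary.BigEndian.Uint32(rtp[8:12])
	block, _ := aes.NewCipher(sessionKey) // 16-byte key: cannot fail
	out := append([]byte(nil), rtp...)
	iv := srtpIV(ssrc, uint64(roc)<<16|uint64(seq)) // 48-bit index = ROC<<16 | seq
	cipher.NewCTR(block, iv).XORKeyStream(out[hdrLen:], rtp[hdrLen:])
	return out, nil
}

func main() {
	pkt := append([]byte{0x80, 0, 0, 1, 0, 0, 0, 160, 0xde, 0xad, 0xbe, 0xef}, "audio"...) // PT 0, seq 1, SSRC 0xdeadbeef
	enc, _ := encryptPayload(pkt, 0)
	fmt.Printf("header %x stays clear, payload becomes %x\n", enc[:hdrLen], enc[hdrLen:])
}
```

Note what stays visible even with the payload encrypted: the SSRC, sequence numbers and timestamps, so SRTP hides what is said, not that a call is taking place.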
Well, alright, there's no point in ripping them to shreds on every single paragraph, though I don't doubt it could be done. It can be attempted at some later point, for sport, perhaps. I'll stick to the gross issues:
Hacker motivation: Yes, hackers like to steal/screw with you. They can do that a lot of ways. One of them is to install software on your machine that interacts with the legit software that's already there. The proposed solution to all these problems, use http://www.whypayforcalls.com's software, doesn't really solve that. A hacker can just as easily find another way into your system and intercept/interject audio. A “secure server” behind a “highly secure firewall” might help protect your credit card information, but it does little to protect your voice, in and of itself.
P2P is bad: Let's see. These folks would like you to have to pay them to send all of your voice data to them. In fact, it seems to answer the question in their website: Why Pay For Calls? Because we want your money! P2P networks allow you to send your data directly to the person who you want to communicate with. This saves money, often makes call quality better (because the speaker-to-speaker latency is less). It might even make it slightly harder to intercept your call audio data, by sending it through the shortest route, rather than always the same one (making route targeting harder).
Further, why is being a supernode necessarily bad? Well, presumably you're going to be spending some of your own bandwidth to maintain the network. It doesn't make you any more susceptible to attacks, really. You're just as identifiable as anyone else in the network. It probably doesn't use disk space, or rack up other real losses - such would be against the interests of the P2P network design, because it would make being a supernode a bad thing, and the network would suffer. So, designs tend to account for that, and make supernodes a light-enough-to-bear node.
Industry Standards are Bad: Ok, this is, actually, the biggest problem with the whole diatribe. Let's just say this concept has been thoroughly debunked. A whole book which covers this very well is called Secrets and Lies, by Bruce Schneier. In a nutshell: open standards mean they've been better evaluated for security and design issues, and that you can find competitive vendors who can interoperate. Any surprise that a small company writing FUD would want to avoid having their system be well enough understood to find problems with it, and lock in their customers to their technology?
Comments
Hey, I emailed you once for something on the Bellster (oops, I mean FWDOut) mailing list. I've been checking out your blog since then. Good stuff. Anyhow, I read their PDF (and feel stupider now for doing so) and sent them an email. I blasted them on the Linux/Linus Torvalds/BSD/Xenix thing. Also the MP3 program? Their misconception about DOS attacking having to do with the "command line". And their complete lack of understanding on what sniffing is. I got a nice reply though:
"Hi Josh!
Thank you for your comments.
Many blessings!
Dee Scrip"
Just thought you would like to know.
-Josh
Posted by: Josh Chaney | February 11, 2005 10:45 AM
Yeah, their PDF does kind of make one feel a little extra dumb, doesn't it?
Anyway, the good news is that there aren't a lot of hits on "Whypayforcalls" on Google. This blog entry is, thus, on the list, in case anyone else wanted to do a little research. Seems they've also registered http://www.whypay4calls.com as well.
Posted by: bp | February 11, 2005 11:33 AM