[Asterisk-Dev] OMG THE SKY IS FALLING!! NOT!!!
Rich Adamson
radamson at routers.com
Fri May 14 09:46:35 MST 2004
> Sadly, the article reads as more bogus than it really is. SIP really is
> weak. RTP streams are almost universally unencrypted right now. Listening
> in to a VoIP within your company is generally much easier than snooping
> on a traditional call. I wonder how long it will take before encryption,
> solid authentication, and other good stuff becomes widely deployed for VoIP?
I don't disagree with the above at all, however as one person that does
security assessments, I've got to wonder how many sip/iax/h323/xxx implementations
are actually exposed to the Internet with unreasonable configuration settings.
I'd have to guess that something on the order of 70% of the exposed
implementations (or more) are left after the person 'finally got something
to work', and few have a clue how to secure those exposures. (I know, has
nothing to do with encryption, etc.)

It wouldn't take a lot of effort to scan IP addresses looking for two specific
udp port numbers (and a little password guessing in some cases) to find
open machines to make long distance calls from.

It's my opinion (for whatever that might be worth) that some additional
focus (and documentation) should be completed that would help newbies
and others secure their existing exposures way before worrying about
encryption, DoS, conversation monitoring, etc.