[posperson]

Cisco Unified Call Manager almost certainly has vulnerabilities, as does Metaswitch which has shambled along in network cores after Microsoft publicly murdered it, Oracle SBC is often wonky just doing the basics, whatever shambling mess Teams is shipping this week for their TRouter implementation definitely has Denial of Service bugs that I can't properly isolate.

Lets not even talk about the mess of MF Tandems or almost every carrier barebacking the web by slinging raw unencrypted UDP SIP traffic over the internet...

It is possible to build secure systems in this space, but instead we have almost every major telecom carrier running proprietary unmodifiable platforms from long dead companies or projects (Nortel, Metaswitch,etc) and piles of technical debt that are generally worse than the horribly dated and unpatched equipment that comprises their networks.

[tjohns]

I find it absolutely insane that the industry standard for SIP trunks is unencrypted UDP, usually using IP-based authentication.

When I asked a popular VoIP carrier about this a while back, they argued that unencrypted connections were fine because the PSTN doesn't offer any encryption and they didn't want to give their customers a false sense of security. While technically true, this doesn't mean we shouldn't at least try to implement basic security where we can - especially for traffic sent over the public Internet.

[jvdvegt]

PSTN starts at the home router these days, I don't think I can get an actual analog line in my house.

[supertrope]

My DOCSIS service provider turned off encryption. That's likely due to the certificate expiring on a popular modem brand. Key management is hard, certificate management is hard. Especially when they don't care about security. The encryption was only DES to begin with instead of AES which is supported in DOCSIS but few service providers bother. Anyone who has the tools to sniff DOCSIS can eavesdrop on my provider's nodes and hear the incoming leg of phone calls.

[ngneer]

Great example. Anyone who cavalierly states "let's do PKI!" has not done PKI.

[jauntywundrkind]

Painting a dire picture here!

It'd be lovely to see some nations of the world pour some serious money into the various Linux Foundation (or other open source) telco & cellular projects.

[surajrmal]

Pouring money is not how you get good quality software. You need a company driving product quality. Most Linux foundation projects have companies heavily invested in productionizing the projects and that leads to them contributing to them to ensure high quality code. Code without a driving product tends to wander aimlessly.

[jauntywundrkind]

That's, like, your opinion man.

Maybe the money should have more strings attached, be attached to grant proposals, whatever.

I don't see that that is an important or clarifying distinction. Governments should be directly helping, with money, somehow. Collectivizing the investment is better returns and far better outcomes, open source is the only way you're going to avoid risking your investment in a single company that may over time fail. Having your nation take its infrastructure seriously should be obvious, and this is how. And I disagree that good things only happen at companies. The post I was responding to stands as incredibly broadscale evidence that that often doesn't happen.

[surajrmal]

Contract work is tricky because individuals who own a particular project may be full time employed already and not capable of taking on contract work. Not every project is capable of generating enough contract work to make it sustainable to do it full time and not everyone wants that level of instability on their income.

Hiring an outside company to do contract work leads to longer term maintenance issues where they disappear after the contract completes. It would be better to have individuals from a distributed set of organizations all collectively pitch in to do maintenance. This is how the Linux project is organized and it's very successful. While this is understandably unlikely to happen for smaller projects I think that just means it's important for projects to be created and maintained by larger collectives. Again, this is a common trend you see occur.

[immibis]

Governments are often the ones the encryption is protecting us from - they're not going to fund better encryption.

[1oooqooq]

Linux foundation is the thing financing backdoors. do not confuse it with Linux. the only money from the foundation that goes to actual Linux are a couple build servers. and one event sponsorship. absolutely nothing else.

[heraldgeezer]

>Cisco Unified Call Manager

Is that not a kind of business/enterprise thing?

"Telecom" to me is like a network core equipment and radio towers - https://www.cisco.com/c/en/us/products/wireless/pgw-packet-d...

[foobiekr]

Call Manager etc have zero to do with SP networks.