
By Kevin M. Nixon, Information-Security-Resources.com Security Editor

I recently had the opportunity to talk to some of the best-known innovators of our
time, including Steve Wozniak, John McAfee, Alex Fielding, Phil Zimmermann, Jon
Callas and Marc Hodosh. They discussed the fatal flaw in VoIP that creates the
ability to perform warrantless wiretaps, and what they have done to lead the
industry toward a more trusted and secure Cyberspace.

Can VoIP Really Be Encrypted? No, or at least not until now.

Forrester Consulting fielded an online survey of email decision makers at large
US, UK, German, French and Australian companies. Respondents were asked about
their concerns, priorities and plans related to the content of email leaving their
organizations, as well as related concerns about the risks associated with mobile
devices, blogs and message boards, media sharing sites and other electronic
communications technologies.

Forrester gathered a total of 424 responses from companies with 1,000 or more
employees, including 301 US, 32 UK, 30 German, 31 French and 30 Australian
companies. The findings of the 2008 study are published in the report “Outbound
Email and Data Loss Prevention in Today’s Enterprise, 2008”.

The greatest interest by survey respondents was in having the ability to make
phone calls from a laptop computer, in allowing employees to make phone calls from
a PDA, and in unified messaging, which allows (among other things) users to access
e-mail messages from their voice mail boxes.

The number of cellular/WLAN subscribers will reach over 256 million worldwide by
2009, or roughly 12% of all cellular subscribers. By 2009, the number of
subscribers using WLAN for voice is expected to exceed the number using WLAN for
data only.

Overall, about 60% of decision-maker respondents believed that it would be
beneficial to have a solution that integrates the WWAN with the WLAN.

The number of voice over IP (VoIP) users in Europe has quadrupled in two years,
driven by aggressive pricing for bundled communications services, says
telecommunications analyst Telegeography.

The firm reported that at year-end 2007, 25.3 million consumer VoIP lines were in
service in Western Europe.

This was up from 15 million in 2006, and nearly four times the 6.5 million VoIP
subscribers in 2005.

Costs of Data Compromises Rising – Data Thieves Becoming More Aggressive

The Ponemon Institute, in a study of 43 companies sponsored by PGP, found that the
total cost of coping with the consequences of data compromise events rose to $6.6
million per breach, up from $6.3 million in 2007 and $4.7 million in 2006.

There are some distinct consequences of a data breach, especially in healthcare
and financial services, Ponemon notes. In these two industries more than others,
customers notified of a data breach are more likely to discontinue association
with companies that failed to secure sensitive data about them.

In other findings, the Ponemon study said 88% of all the cases for 2008 were
traced back to insider negligence.

The survey also showed that 44% of data breaches occurred due to external causes
involving third parties, an increase from 40% in 2007 and 29% in 2006, the Ponemon
report states. A third-party breach is defined as third-party professional
services, outsourcers, vendors and business partners that were in possession of
the data and responsible for holding it.

Costs for a data breach mount up because of lost business and legal defense, which
grew in 2008, while costs of customer support, notification and free services such
as credit monitoring decreased, according to the study.

Legal Impact – VoIP Can Compromise Client–Attorney Privilege

Cynthia Stamer, Partner at Curran, Tomko and Tarski and Board Certified in Labor &
Employment Law by the Texas Board of Legal Specialization, verified that the
Ponemon report aligns exactly with her clients’ issues and concerns:

Cynthia: Board Members, Directors, Officers, Executive Management and employees
must operate with a heightened awareness to ensure that they are using encrypted
voice over ISP or any other technology; businesses and their leaders must
constantly consider the potential implications of the use of any technology on
the records and evidence created and retained. Too often the accessibility of
technology and the accompanying lack of awareness of when they preserve data that
could be evidence lure business leaders and others to say and do things with
inadequate caution. Because of the way equipment and its technology have evolved,
some record or other evidence almost always is created and retained when
businesses use even basic technology including a pencil, a tape recording, text
message or e-mail, telephone conference call, computer note or otherwise. Failing
to recognize and properly manage the information across all of these technologies
can create unnecessary risks. Concurrently, however, businesses also need to
remember that the management, retention and destruction of this information in
itself may be used as evidence. Business leaders always must plan for the
potential need to prove that they are doing the right thing and communicate and
act accordingly.

Now What?

Ok, recap time: We now know that VoIP is taking over the world. Data thieves in
these harsh economic times are drilling faster and deeper.

The most respected researcher in data security and protection warns the industry
that the costs to recover from a data compromise have risen by almost $2 million
in the last 24 months.

Then, to top things off, the telephone call I make to my attorney for help and
advice may be used as evidence against me unless I find a hacker-proof way to keep
employees, vendors and my biggest competitor from listening in on and recording my
VoIP calls.

The Perfect Solution: Ripcord Networks and the IT Industry Icons Who Are Involved

Lucky for me, my internet search of the Internet Engineering Task Force (IETF)
database provides the answer to my first question: Is there a best practice or
standard for encrypting VoIP connections to prevent Man in the Middle attacks?

Yes, it’s called “ZRTP: Media Path Key Agreement for Secure RTP”.

My second question: Who sells products or software that use the protocol?
The answer: Ripcord Networks.

A Company With Credentials

When I research a company, I usually start with “Who Runs the Company”, and much to
my surprise I discovered where all of the IT Industry Icons and Einsteins have
been planning their next show stopper.

I picked up the phone (land line) and called the CEO of Ripcord, Alex Fielding and
arranged to interview him and the members of the Board of Directors.

Over a period of time each Board Member graciously answered questions for the
interview. Only after I had talked to everyone did I discover that Ripcord has
never issued a press release and has only been briefly mentioned in three
articles.

The best “Easter Egg” appears on the company’s Investor Relations page. See for
yourself.

I sat down with Alex Fielding, the CEO of Ripcord Networks, and we began our chat:

KMN: Alex I can’t tell you how great it is to have a chance to talk to you today.
Let’s start with some background. What does Ripcord do?

Alex: No matter where you are in the world, no matter what handset you are using,
we enable secure-encrypted private voice and video conversations across a wide
variety of popular off the shelf devices including: mobile phone, desk phone, PC
software, Instant Message, teleconference, and Conference Bridge.

(Basically we provide the encryption software and protocols that are leading the
charge in secure interoperable IP voice and video communications.)

Alex: Steve Wozniak (co-founder Apple), John McAfee (founder McAfee Associates),
and I are on the Board of Directors of Ripcord Networks. Additionally we have the
best employees and advisors in this space. Ellen Hancock is Chair of our Board of
Advisors (former company affiliations include: IBM, Apple, Exodus, Aetna, Colgate/
Palmolive, EDS). The Board of Advisors includes: Jon Callas (CTO & CST of PGP),
Phil Zimmermann (PGP founder, ZRTP author, and privacy advocate), Marc Hodosh
(President, TEDMED, Archon XPrize Genome Project), Dan Pitt, and others.

Alex: Everything is moving to real-time IP based communications. The latest
release covers IP based communications, specifically: all voice and video
communications, Desk Phones, Wi-Fi, Chat- Video-Voice, Laptops, eBooks, and
Tablets. The next release will include: Conference Bridging, Voice over Satellite,
Remote Sensors, Mobile Phones, and Tactical Radios. Securing these devices has
unique and specialized challenges that Ripcord's product offerings are well suited
to solve. There was no previously elegant or easy way to secure these IP based
devices and we have a solution to the problem that is unified.

(At this point Alex introduced me to Steve Wozniak. What a nice guy! Our Q&A
session had been rescheduled several times due to his participation on “Dancing
with the Stars”, so we got right down to business.)

KMN: Steve I am really glad to have this chance to get to know more about your
vision for Ripcord. Do you mind if I use your nickname in the article?

WOZ: No problem, whatever works best.

KMN: There are other companies in the secure communications space for voice
communications; what makes Ripcord different?

WOZ: Ripcord is a 100% US operation when it comes to code development and R&D. We
write all the code here in the states and our employee base is very specialized
and suited to the needs of very discerning customers. We offer a level of
security, NSA Suite B with elliptic curve mathematics, and provide the best key
generation and exchange available to non-classified personnel and projects for
non-type 1 communications.

KMN: Why did you select ZRTP?

WOZ: Simple. ZRTP was developed by the finest minds in the encryption business and
Ripcord has the finest minds implementing their hardware and software in the most
secure and easy to use ways.

KMN: How can you be sure that your technology isn't breakable or able to be
cracked?

WOZ: We open a flavor of our Secure Ripcord API, our key generation, mathematics,
and exchange under GPL to the open source community. Zimmermann does the same with
a flavor of his ZRTP protocol. However, we don't open all our code, but we do open
the relevant parts so that developers can scrutinize what we're doing openly and
provide harsh criticism of our technology and of our code. We really take this
feedback to heart and a lot of the ideas and suggestions end up making it into our
code-base through our own developers writing code that meets the need and matches
the desire of the community at large. There are some really smart people out in
the secure communications community and we figure that there are more of them than
there are of us inside the company, so it's like having a huge Quality Assurance
developer community working to benefit our products. There aren't too many
companies in the secure products space in the World that can say they have as many
people scrutinizing their source code and methods as we do. We are very proud of
that. We hope others in this space will someday follow suit.

KMN: What would you say makes Ripcord different from General Dynamics or L-3 in
the hardcore crypto space?

WOZ: First of all, we're a lot smaller so we can adapt very quickly to our
customers’ needs. Secondly, GD and L-3 both specialize in Type 1 secure
communications products. This is commonly referred to as NSA Suite A and could be
thought of as security for classified government communications. Those guys focus
on providing secure devices and specialized hardware that enables Type 1 secure
communications for classified communications on custom hardware. We are a COTS
(commercial off the shelf) company. We build very secure hardware and software for
the commercial market. Our technology works on a ton of handsets that are popular
everyday devices. We build very little custom hardware and the hardware we do
build is designed for commercial markets; the fact that government can use it and
loves it is just a nice bonus. If you were looking for a secure mobile phone, for
instance, GD or L-3 would sell you a SME PED (aka “The Crypto-Brick”) that is a
custom designed Type 1 secure communications device. We'd give you a BlackBerry,
iPhone 3G, or G1 with our software running on it. We really are focused on IP
based communications while the other guys are focused on migrating from
circuit-switched. We are very different companies in too many ways to list.

KMN: Alex, you told me that your software secures instant messenger; which ones?

Alex: AOL Instant Messenger, Google Talk, Gizmo, SJ Phone, MSN Messenger, iChatAV,
etc. Basically we operate with everything except Skype, and that was a very
specific business decision of ours. Skype elected to provide China with all of
their encryption specs, and we operate with a philosophy of “Made in America”. We
provide software that has an incredible RTP detection heuristic that is very
accurate and secures voice and video sessions on these instant messenger
platforms. Not only do we operate with various IM applications we are also
interoperable with Mac OS X, Windows Vista (32-bit and 64-bit) as well as Linux.

(WOZ is on his iPhone so Alex and I continue.)

KMN: You have a hardware product, Ripcord Secure Appliance, what does that do?

Alex: Ripcord Secure Appliance is an inline encryption device. Basically you just
plug it into your VoIP desktop phone, and plug it into the network and it does the
rest. No configuration required. This box securely encrypts and decrypts your
calls without any chance for human error in the configuration. It's centrally
manageable for large organizations and stand-alone capable for smaller ones. It
also has a feature where if your PBX fails, it will allow you to continue to do ad
hoc calling for a number of VoIP desktop phones. We have a number of these
deployed now and our customers love them.

KMN: Tell me a little bit about your customers?

Alex: We get a lot of people coming to us with real problems that have substantial
impact to their businesses and need solutions today. We have customers that are
multi-national medical companies, banks, insurance, petroleum, aerospace companies
and defense contractors.

(WOZ is off the phone and ready for a philosophical question.)

KMN: How do you keep bad people from doing bad things with your technology?

WOZ: While we can't and won't police our potential customers, we all know when
something just doesn't smell right. We are cautious about who we partner with, who
we hire, who our investors are, and who our customers are. Our employees go
through a very detailed background investigation before ever working on code. Our
employees, if required, could all pass a rigorous background check required to
have a level of security clearance that is well above that which is required. We
have a strict ethical compass and mantra to "Do Some Good". We turn down a lot of
opportunities for development because the proposals sometimes don't fit the bill
for the standard that we hold ourselves to. We have turned down prospective
employees and investors for very similar reasons. We want to always be on the
right side of the line more often than anyone else in this space.

Alex adds: It's a lot like being in the data center business, a business from my
past, where we made a decision that we wouldn't seek out certain types of
customers that were doing things that didn't improve life for anyone, even if it
was legal for them to operate, just because we didn't think they added value to
our makeup as a company. We didn't think that certain customers fit the type of
customer we could be proud of having. We didn’t do it in the data center space and
the same is true at Ripcord.

KMN: What do you see as the biggest challenge in secure communications?

Alex: There are a number of huge challenges in secure communications. One area
that we are working on is securely connecting first responders like EMTs, police,
sheriffs, troopers, border and customs agents to DHS and FEMA and up the food
chain of government securely with some base level of communications tools so that
the off the shelf devices these guys use in the field work together and enable
secure communications without any specialized hardware or any private network. We
have solutions in this space that are very attractive for this. Just imagine being
President Obama and being given a “Crypto-Brick” and glancing back and forth
between that device and your BlackBerry...Which one would you want to use?

KMN: Does your encryption have any effect on communications during pandemics?

Alex: The obvious answer is that during a pandemic, many employees will be asked
to work from home and telecommute to avoid infection. When you are in certain
regulated industries or really any business where you don't want your information
being sent over the internet in the clear, you will see value in securing your
conversations and video conferences. We enable both. Other companies, like Sun
with Sun Ray, are offering great solutions for authentication and login so that
employees working at home can really validate and certify their identities and
access levels. Without technology like ours and like Sun's, having employees
working at home and talking on their phones about confidential customer or patient
records is just not a smart idea and is unlawful in certain cases.

KMN: What about regulatory compliance?

Alex: There are some call recording requirements now on VoIP calls because VoIP is
seen as data in the eyes of certain regulatory bodies. This is becoming true for
SAS-70 and HIPAA now and in the near future. Imagine being a hospital or bank and
having to record, transcribe, and securely store call recordings of all your phone
calls that were VoIP... That costs a lot of money and takes a lot of resources.
The regulations on encrypted data are much less severe and in many cases the
recording and storage requirements don't exist for encrypted communications. So,
just install Ripcord solutions and save yourself millions of dollars. There are a
lot of other regulatory compliance issues sprouting up around encrypted voice
communications and it just means that the market is really maturing and
understanding the threat level.

KMN: Why do you think that Ripcord is gaining traction in this space?

Alex: We are getting some recognition as a brand and a technology that provides a
great level of encryption for voice and video communications. We partner with
companies in the data encryption space that specialize in stuff like email
encryption and whole disk encryption but we know where our core competency is. We
are great at voice and video for IP based communications. I think the reason we
are succeeding here is that we are one of the only companies in the United States
in this field and we're doing some of the most innovative stuff. Also, because
we're not bogged down by circuit switched integration projects, we're just looking
forward and not looking behind. We learned our history quite well and now is the
time to lead and innovate.

(WOZ is back on the phone again, so Alex and I wrap for the day. My discussions
with the other Board Members continue in Part 2.)

Kevin M. Nixon, MSA, CISSP®, CISM®, CGEIT®, has testified as an expert witness
before the Congressional High Tech Task Force, the Chairman of the Senate Armed
Services Committee, and the Chairman of the House Ways and Means Committee. He has
also served on infrastructure security boards and committees including the
Disaster Recovery Workgroup for the Office of Homeland Security, and as a
consultant to the Federal Trade Commission.

The Author gives permission to link, post, distribute, or reference this article
for any lawful purpose, provided attribution is made to the author and to
Information-Security-Resources.com
