Telecom Informer
by The Prophet
Hello, and greetings from the Central Office!
Another quarter brings another continent and I have now, in addition to visiting all seven continents, circumnavigated the globe counterclockwise. After a brief stop in the U.S. where I spoke at the BSides Las Vegas conference, I am writing to you from the Central Valley of Costa Rica. This is where I will call home through Christmas. My yearlong experiment in preparing for senior management has reached the two-thirds mark. When the opportunity to study somewhere with better weather than the Netherlands for the final months of my degree program arose, I jumped at the opportunity! The curriculum may be equally soul-draining here, but at least the food is better.
I have been staying in hotels a lot lately - in Brussels when visiting the European Commission, in Dusseldorf prior to catching my flight to the U.S., and in Las Vegas attending BSides and DEFCON. Even my new student housing is like a hotel. The campus where I am studying was built as a resort property, but the resort failed. The student houses were originally constructed as resort villas, and there was even a hotel switchboard. This means that every student house is equipped with a phone similar to a hotel phone, in my case a Siemens Euroset 3005.
This got me thinking a lot about PBXs, and the current massive shift away from them. Have you ever noticed that phones in offices, hotels, and other institutions look different from ordinary telephones, and have features that aren't available on ordinary telephones? This is because they aren't ordinary phones. Institutions will typically install a phone system called a PBX, or Private Branch Exchange. These can provide a large number of extra features that you won't find on a regular telephone, and the list of features has grown a great deal since I last wrote about PBXs in the Autumn 2007 issue. Back then, we were starting to see VoIP based PBXs and "unified communications" entering the mainstream, but it was all very cutting edge at the time and not widely adopted. In that column, I mostly looked at the past of PBXs. This time, I'll look into the present and future.
Historically, PBXs have been sold as integrated, proprietary solutions. You would buy the PBX itself from a vendor such as Nortel, Siemens, or Alcatel-Lucent, load it up with the appropriate modules and cards providing the features you want (enabling services such as voicemail and connectivity to the phone company), run ordinary internal telephone wiring, and hook up proprietary telephone sets. These sets could run on up to three pairs each (although typically two pairs) and proprietary digital signaling would provide features such as message waiting indicators, Caller ID, and so forth. These kind of PBXs are still around, and you can still buy them. Just about the only thing that has changed is that instead of leasing a circuit from the phone company, you'll hook up your PBX to a fast Internet connection and route calls via a VoIP provider.
These days, a PBX is just as likely to be an ordinary computer as a machine that you buy from a vendor. Proprietary handsets are still around, but these have rapidly gone by the wayside in favor of SIP phones, which you can buy from any vendor because these operate according to a published standard and provide all of the functionality that most users could possibly want. Telephone wiring has yielded to Ethernet cable, and even Wi-Fi in some hard-to-reach locations. Even extensions - the tried-and-true way for decades to reach people in the bowels of corporate cubicle farms - have yielded to Direct Inward Dials. When you can give every employee their own phone number for less than $1 per month, what's the incentive not to do it?
It's easy to wrap your head around a PBX (or any telephony solution) at the size of one site, especially if it's small to mid-sized and you don't have to worry about trunks or tie lines. Now consider the problem of large multinational corporations (such as banks) with tens or hundreds of thousands of employees and offices all over the world. Linking enterprises of this size in a secure and reliable way, while avoiding being eaten alive by circuit charges and toll charges, has always been an intractable problem.
In the past, you couldn't realistically keep everyone in a company in the same telephone system or directory. Dedicated circuits to places like India and China weren't necessarily even possible to purchase (let alone cost-effective). Making matters worse, the architecture of PBX systems was generally hub-to-node rather than peer-to-peer (meaning that one site calling another site would have to route through headquarters, even if this wasn't the most efficient or cost-effective thing to do). Additionally, with very large corporations, finding PBX systems that could scale to the number of sites and employees involved could be exceptionally challenging - in many cases, impossible. Most companies ended up with a mix of different systems that varied depending upon the site, resulting in big integration headaches for telecom managers.
Meanwhile, the Internet solved most of these problems a long time ago for corporate enterprises, leaving the IT guys smugly rolling their eyes at those old crusty telecom guys who "just didn't get it." However, their smug attitudes were quickly corrected by rolling out "VoIP pilots" and making IT departments be early adopters. Until recently, the technology just wasn't good enough. VoIP was immature, not user-friendly, and didn't integrate well into existing environments (with the exception of long distance and wireless carriers, who have quietly replaced circuit switched trunks with much cheaper VoIP while raising prices in the process). Microsoft, for its part, has quietly gotten into the telecommunications business in a very big way. They have achieved a surprising degree of success selling Lync, its unified communications play (formerly known as Office Communicator) and it's becoming more and more common to see it deployed in corporate environments. Companies running Microsoft Office, Exchange, and Outlook can now add a Lync server which (more or less) seamlessly integrates with the rest of the environment. This can entirely replace an office's existing telephone system with a SIP-based solution and integrates with the existing corporate email and directory services solution (so, for example, users receive their voicemail as a transcribed email). While Lync is compatible (for now) with SIP-based phones, most users run the Lync client on a PC and talk using either the PC microphone and speaker or a headset. Proprietary handsets that break often and cost a fortune to replace are now a thing of the past.
The Lync feature set is incredibly rich, much more so than I'll detail here. These days we expect voicemail to arrive in email already transcribed and, of course, Lync does this. Sure, you can dial in to a Lync system to listen to your voicemail, but Lync can also read messages from the associated email account over the phone. Lync users calling one another (obviously) don't incur any telephone charges, because calls are routed over the Internet (or corporate WAN). Conference calls can take place over VoIP, but a Direct Inward Dialing (DID) trunk can be assigned to the conferencing system allowing conferences to be accessed via a PIN using a regular telephone. Users (provided the administrator allows it) can very easily configure their number to simultaneously ring a variety of devices, both traditional telephone and Lync VoIP, and located anywhere in the world - making it easily possible to be reached no matter where you happen to be in the world. Administrators can select from any SIP-compatible VoIP provider and (with some help from their SIP providers) can configure preferential routes based on cost, quality, or a combination of these. Private routes can even be configured via a corporate WAN; after all, it's not technically necessary to drop off calls to the telephone system in the same country where they originated. The solution is fully video-enabled and, most interestingly, allows for remote desktop sharing.
By default, Lync users can contact one another even if they do not work for the same company - the directory is open and connected to the Internet. In fact, if a Lync user accepts your directory request, you will appear in their directory alongside all of their other contacts and Lync won't effectively flag or differentiate you as a user that definitely shouldn't be trusted. The Lync user will see all the same warnings associated with your requests as they will for anyone else. Other "stupid user tricks?" Many Lync users never dial in to listen to their voicemail (since they listen to voicemail through their email account), so they never reset the default passcode assigned by their administrator - potentially leaving the tremendous power of Lync in the hands of adept phreaks. Typically, Lync is integrated with a corporate email system and will use an email address as the contact, so a curious phreak might go "Lync scanning" for contacts. Social engineering takes on an entirely new meaning when it can include video, multinational corporations with hundreds of thousands of users, and - with the right user at the other end - taking direct control of computers (with all accompanying phun).
Microsoft, for its part, has never cared much for open standards and recently bought Skype, which is based on proprietary (but admittedly superior) technology. I expect that over time, Lync and Skype may eventually merge into a single "cloud hosted" product, which gets even more interesting. Many companies are offering "cloud VoIP" products where IT departments can outsource their entire corporate phone systems along with other IT infrastructure. For those systems hackers who have never gotten into phreaking because it's just too different, we're starting to see a convergence that might be really exciting. It's not just non-critical (or too often critical) data moving into the "cloud" (whatever that is). Entire corporate phone systems are migrating too! The opportunities for phun and mischief and exploration are already incredible and it's only just beginning.
I write a lot about older systems and how things worked in the past, in part because I think that telecommunications history is interesting and surprisingly often still relevant today, but also because engineers always seem to repeat the same mistakes in implementation. PBXs are still being produced, used, and sold more or less in the same way they always have (and they have all of the same problems), but the market is shifting rapidly (in telecommunications terms) to solutions that look more like Lync. Google isn't doing Google Voice and Google Chat for fun; I expect they have very big plans in the enterprise space and are still working to get the technology right.
And with that, it's time to enjoy some beer and tacos. Mexican food is popular in Central America too. Get out and explore - the world becomes a lot more interesting when you truly become a part of it!