HPR Live – The One Week Extravaganza

August 13th, 2010
Howdie guys,

I’ve dropped you guys emails because I was hoping that on your shows you could mention /shout out/ media whore the following;

I’ve had the thumbs up for an idea I had for HPR (hackerpublicradio.org). Basically I’m taking over for a week, well sort of.

I’m doing 4 shows, Monday to Thursday, then I’m gonna do a live Phone-in/feedback show.

The shows I’m doing are;

SSLSniff & SSLStrip.

The why’s, the what’s and the how’s. A show about why you would want to use these tools, how to install them and how you can deploy them on your test network.

TorTunnel

The why’s, the what’s and the how’s. Tortunnel is a tool used for making tor a one hop proxy; this doesn’t do much for anonymity but it does allow you to jump out of network segments, without the three hop overhead standard tor gives you. The show will look at how to install and get it up and running.

Kismet

Forget what finux has said in the past, they’ve changed Kismet. Kismet is in the process of a massive overhaul and everything from the UI to how it is configured has changed. The show will look at what kismet is, why you would use kismet and get it up and running.

Social Engineers Toolkit (SET)

The social engineers toolkit isn’t a fake telco engineer’s uniform and a dodgy fake mustache; it is however a collection of tools that can make social engineering a breeze, very good for testing companies’ readiness for these sorts of attacks. The show will look at what SET is and what tools you can find in there, and of course how to get it up and running.

Friday Night HPR Live

So you’ve played with the tools from the past four episodes, they all worked, no problems, great. What happens if they didn’t? Does it go on the back burner list until you find the time to make it work? No, join us live on Friday night of the week for the phone-in/feedback show. Get some support, ask some questions, get them tools working. Got a good story about one of the tools? Then join us and share it.

Now the dates for the week long HPR series are penciled in from the 27th September till the 1st October (the 1st would be the Live show).

For the live show we’ll be using a mix of things I would imagine, TalkShoe.com, Skype and the likes, and of course IRC chat for the geekness.

I’d love to get people’s ideas, thoughts and feedback on the above.  It should be a real blast and if we can get the message out I’m sure the live show will be awesome.

Soon as it’s official I’ll let everyone know

Kubuntu and Crazy KDM Oxygen Theme Screw Up

May 8th, 2010

Thought that I would write a very quick and dirty write up of an issue that I had when I upgraded Kubuntu 9.10 to 10.04. Normally my upgrades within the Ubuntu family fall into two categories, dead laptops and working desktops.

This falls into the dead laptops group. For the most part the upgrade worked fine, apart from when it loaded up to KDM (Login Screen), an error was thrown about some theme not being there. Instead of doing something remotely useful it just crashed out and did nothing. I didn’t have any virtual terminals either (due to some pain in the arse Via graphics card hack I’ve had to do). I have also noticed that GRUB is pretty buggered too, but that’s another story when I have time and have got to the bottom of it.

Net result was, boot the system up from independent media, mount the file-system. Look for the KDM config file, and edit it to point to a theme that was there. Not too much hard work if I’m honest.

Question I was left asking: if you’re going to remove a theme during an upgrade maybe a warning would have been nice, and why isn’t there a fall back in case something gets corrupted?

All in all nice upgrade, apart from some daft little things. Does seem to boot a lot faster, and a couple of little glitches fixed. As upgrades have gone, I have survived, each upgrade makes me a little wiser.

My BruCON abstract submission

May 4th, 2010

Hi Guys,

Thought I would post my submission to the BruCON Security Conference.  As anyone that follows either of the Podcasts I’m involved in will know, I have great affinity with the conference.  Tickets are available, if you book them now you’ll benefit from the early bird prices, they’re available from here.

Abstract Below

Free software and security – Defending on a budget
Talk submission BruCON
Arron “finux” Finnon
Location: Dundee, Scotland, Tayside, United Kingdom.
British Passport
Talk is proposed and has not been given to any conference or user group before.  It will be in English.
I have given a number of talks on both security related topics and free and open source software.
http://finux.co.uk  ||  http://tracsec.com  ||  http://hackerpublicradio.org
Abstract
From Personal Computers to Corporate infrastructure, times have required an attitude of evolution and change to defend against the many threats and challenges faced by users.  Although no one really likes to admit it, all users have to become defenders.  From “Harry Home Owner” to System Admins, educated informed decisions should always take precedence.
Free Software has the ability to stand at least ‘shoulder-to-shoulder’ with its commercial counterparts, yet it faces attacks from groups that have a vested interest in seeing the ‘commercial licensing’ model prevail over the ‘free and open licensing’ model; not all of these groups are in the ‘security software’ sphere.
Legions of defenders work relentlessly on writing code that not only competes in the real world, but enables its users’ freedom.  It’s this very freedom that these relentless developers use to produce code, applications, and software used in defending against many threats and attacks.
The talk’s aim is to look at some commonly used software that all users share and how Free Software can fit into that space.  It will cover some aspects of software used in commercial/corporate environments and how free software can liberate those users to evolve their software to fit their needs in defending against the constantly changing threats and demands they face.
Although Free Software doesn’t mean that it comes without cost, in most cases it doesn’t have a price tag attached.  It’s about freedom.  The talk will look at some of the Free Software that has little or no cost.  Security, defence, protection on a budget with Free Software.
The speaker hopes this talk will act as an ‘Anti-FUD’ (Fear Uncertainty Doubt) talk on free software and security.
Someone listening to the talk can expect to leave knowing;
An understanding of what free software is, and how it differs from other types of software.
Some examples of flagship free software used in security, that has little or no cost.
How the ‘Free Software’ ethos can benefit those trying to defend themselves or assets against threats.
How people who wish to help and support free software projects can.
How people can promote and encourage free software within their organisations, and what ‘to do’ and ‘not to do’ when it comes to selling the concept of free software in the workplace.
Speaker’s Bio
Arron M Finnon (aka finux), has been involved in Free and Open Source software for over four years.  Whilst studying a hacking degree in Scotland’s technology hub Dundee, he was one of the founding officers of ‘The University of Abertay Dundee Linux Society’ and president for over three years, later  receiving the SCISA (Scottish Informatics and Computer Science Alliance) Open Source Award for exemplary Advocacy for his activities in promoting Free and Open Source Software.
Working with Local User Groups and community members throughout the United Kingdom to promote, encourage, and facilitate ‘Free and Open Source Software’ at a grass roots level has given Arron a unique and passionate view of ‘how’ and ‘where’ Free Software fits in the demanding real world.
As the ‘Team Leader’ and main organiser for the successful ‘Software Freedom Day Dundee’ events, in 2009 and 2010 he was able to engage with a large number of people who may never have experienced or engaged with Free Software ideals, and promote debate, discussion, and adoption with these people.
Gaining experience at public speaking about free software has enabled Arron to talk to people about many threats faced by users in the computing world, and he has spoken at a number of User Groups in the UK, as well as guest lecturing back at his old university on security related topics.
Arron has always managed to blend his love for ‘Free and Open Source software’ and ‘Computer Security’, and this has been expressed in many formats such as podcasting and public speaking.
A sample of some of Arron’s recorded talks can be found at http://www.hackerpublicradio.org/correspondents.php?hostid=85
Arron is also co-host on http://www.tracsec.com – a monthly security podcast
Arron now is an independent security researcher, consultant, and blogger.  You can find him at www.finux.co.uk and www.twitter.com/f1nux

END of ABSTRACT SUBMISSION

Remember you can get a great rate on the tickets if you book early, so be a good sport and get your ticket bought.  They are available from here.

PS all please cross your fingers for my talk to be accepted

finux

Once more into the fray

May 1st, 2010

Sorry guys for the long delay in posting anything. As some of you may know I’ve had a pretty hectic life at the moment without sign of it calming down.

I split up with the mother of my youngest child Ava over two or so months ago. Since then I’ve had my contact with my daughter constantly threatened by my ex. It would seem once more I have to step into the fray and fight for my rights as a father. Those that have known me for a couple of years know that I had to do a similar thing over three years ago. I have a great affinity with fathers’ rights, due to finding myself in this very position and I have seen many friends in similar situations, and not just in the United Kingdom.

I am lucky that my children were all born after 2006 and therefore I have some legal cover under the guise of Family Scotland act 2006. However this act is not retrospective, meaning those poor fathers and children who were born before 2006 are not afforded the same rights.

So long story short, the situation is as follows;

I split from my ex, we previously had split up and got back together. It was agreed at the minimum that I would have 2 nights a week with my daughter. Although I asked and had been denied 2 nights one week and 3 nights the following week, which would account for 10 nights out of 28. I have for the past 8 weeks looked after my daughter every weekend. During this time I have started seeing a friend of mine who I have known for over 7 years, she has been of great support to me over the past couple of years through various ups and downs. She has a daughter of similar age to my eldest and they have played together. However long story short two old friends have moved on to something deeper.

It is this issue that my ex is citing as a reason that I should no longer be allowed contact with my youngest daughter. It is also fair to point out here that my ex has a new lad in her life and I have made no mention or comment about this.

She now demands that my new girlfriend and her daughter not be present at any time during Ava’s time with her father. This all arose from a chance meeting at a bus stop when I was looking after my girlfriend’s daughter whilst she sat an exam, Ava wasn’t in my care that day, she was with her mum. My girlfriend’s daughter innocently asked the woman pushing Ava’s pram if she was “Ava’s mummy?”. From this day forward my ex has made a number of assumptions. That my girlfriend and her daughter are with me always and that Ava in fact isn’t being looked after by me, but by my girlfriend. Which I have on numerous occasions said isn’t the case. Her additional premise is that I’m dragging someone into her life to drag them back out in a couple of months, well none of us have a crystal ball. Ava only spends her time with me.

Two days after the chance meeting at the bus stop, I got a text asking if I could pick Ava up early. Which I agreed to, then she started to send aggressive texts about me having a girlfriend. When she picked up Ava after her last visit she started arguing with me again, which I just walked away from. On the 27th of April she told me that I would no longer get my daughter for two days and that I would only get her for the one day. On the 30th of April she told me that I could have my daughter for two days as long as I had her on my own and with no one else with her (which I do). I told her that she doesn’t have any superior rights over me, so she then said that I was unable to have my daughter at all if I have my girlfriend around, and if it was found out that I had she would stop me from seeing my daughter and take me to court.

I have been left with a tough decision, I could agree to a lot of unreasonable demands, however in the past eight weeks I have had my contact threatened at every opportunity by my ex. Although it’s tough for me, I think that I have to now stand strong and say no. I do have rights, if it goes to court I will get contact, however my poor little baby will spend the next two to three years with her life in a court room. She is just over 14 months old at the present. The question is if I agree to this now, what on earth do I agree to for me and my daughter in the future.

My eldest daughter is missing her young sister and that hurts very much, and Ava is too young to express missing either her father or her sister.

Before we split my ex made numerous comments about how she would never stop the father of her child from seeing them, which to this date she has done three times. Whenever she is angry she uses my contact with my daughter as a weapon. We see this commonly throughout the developed world.

Although nothing is guaranteed in a court, the fact of it is that she no longer makes the self-appointed choices for Ava, and that a third party, namely a Sheriff (yes they’re called that in Scotland), will. I have been a single father for quite a bit, I have already been awarded joint custody of my eldest.

So in short this post is more about getting this off my chest than anything else. If you know anyone else going through a similar situation, do me a favour. Drop them an email, give them a call and just remind them to remain strong.

TRACsec Episode 3 Show Notes

March 9th, 2010
http://www.tracsec.com/shows/tracsec-ep-03.mp3

Hosts:
Arron Finnon – http://www.finux.co.uk
Chris John Riley – http://www.c22.cc
Tom MacKenzie – http://www.tmacuk.com
Robert Ladyman – http://www.file-away.co.uk

Guest
Moxie Marlinspike – http://www.thoughtcrime.org

The show is a friendly chat with the legend that is Moxie Marlinspike, talking about SSL/TLS, Google Sharing, WPACracker, KnockKnock, and Moxie’s well documented troubles with payment house PayPal.

——-

TRACsec News

We’re very proud to announce that TRACsec will be one of the media partners for bruCON this year, which we’re all very stoked about.  As everyone knows we’re big fans of bruCON so it’s a real pleasure to get the good word out and spread the news.

As part of our duties we’d like to let everyone know about the ‘Call for Papers’ for this year’s bruCON.

The conference will be held in Brussels (24 & 25 September 2010).

BruCON is a 2-day Security and Hacking Conference, full of interesting presentations, workshops and security challenges.

Topics of interest include, but are not limited to :

Electronic/Digital Privacy
Wireless Network and Security
Attacks on Information Systems and/or Digital Information Storage
Web Application and Web Services Security
Lockpicking & physical security
Honeypots/Honeynets
Spyware, Phishing and Botnets (Distributed attacks)
Hardware hacking, embedded systems and other electronic devices
Mobile devices exploitation, Symbian, P2K and bluetooth technologies
Electronic Voting
Free Software and Security
Legal and Social Aspect of Information Security
Software Engineering and Security
Security in Information Retrieval
Security aspects in SCADA, industrial environments and “obscure” networks
Forensics and Anti-Forensics
Mobile communications security and vulnerabilities
Information warfare and industrial espionage
Social Engineering
Virtualisation Security

Abstract submission is no later than 30th of April 2010
and notification will be in mid May 2010

http://blog.brucon.org/2010/02/brucon-2010-call-for-papers.html

——–
The News Segment -

Information security professionals survived the recession relatively unscathed, a global survey of 3,000 security professionals by IT security body (ISC)² reveals.
More than half of the information security professionals surveyed received salary increases in 2009, and less than 5% lost their jobs

http://www.computerweekly.com/Articles/2010/03/05/240518/IT-security-professionals-39recession-proof39-survey.htm

The government will not exempt universities, libraries and small businesses providing open Wi-Fi services from its Digital Economy Bill copyright crackdown, according to official advice released earlier this week

http://news.zdnet.co.uk/communications/0,1000000085,40057470,00.htm

Computer scientists say they’ve discovered a “severe vulnerability” in the world’s most widely used software encryption package that allows them to retrieve a machine’s secret cryptographic key.
The bug in the OpenSSL cryptographic library is significant because the open-source package is used to protect sensitive data in countless applications and operating systems throughout the world. Although the attack technique is difficult to carry out, it could eventually be applied to a wide variety of devices, particularly media players and smartphones with anti-copying mechanisms.

http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/

ShmooCon videos available for download at http://www.shmoocon.org/presentations.html

——-

TRACsec tech seg

This month’s tech segment is looking at some of the tools that Moxie has released such as SSLStrip and SSLSniff

Some of my stuff
http://www.finux.co.uk/blog/?p=74
http://www.finux.co.uk/blog/?p=43
http://www.thoughtcrime.org/software/sslstrip/
http://www.thoughtcrime.org/software/sslsniff/

TRACsec Episode 2 Shownotes

February 22nd, 2010

TRACsec Episode 2 – The Famous Pete Wood “better late than never” Episode

Firstly sorry for the delays in getting the show out. However it is here and ready for you to download. With new host Robert “Swifty” Ladyman from http://file-away.co.uk

Robert takes over from Ryan Dewhurst who we would all like to thank for his input and wish him the best of success in the future

The show is 2 hrs and 7 minutes long.

Pete Wood joins us for this month’s interview. With many, many years of experience in ethical hacking and penetration testing, everyone is bound to find something in this interview to relate to

http://peterwood.com

http://www.facebook.com/PeterWoodx

Pete Wood is the founder and Chief of Operations at First Base Technologies, and is also involved in the running of the UK White-Hats group

http://firstbase.co.uk/

http://white-hats.co.uk/

This month’s tech segment is a gentle debate on Professional Qualifications Vs Academic Hacking Degrees Vs Self Taught.

The show is available for download from http://www.tracsec.com/shows/Episode2-TRACsec-Podcast.mp3

tracSEC Podcast Show Notes Episode 1

December 22nd, 2009
--------------------------------------------------------------------------------
TracSEC -  Episode One – Hackerspaces, War Robots, and (Ab)using Facebook APIs
--------------------------------------------------------------------------------

Tom Mackenzie, Ryan Dewhurst, Arron Finnon, Chris John Riley

Show length 1.37:28
--------------------------------------------------------------------------------

In the first episode of the tracSEC podcast, the boys talk to Esther
Schneeweisz (aka Astera) about hackerspaces and her forthcoming talk at
26C3, entitled 'A Discourse On Robotic Warfare'.

The interview starts off with speaking to Astera about the global
hackerspace scene and what a hackerspace is.  Full of information about
the dynamics and logistics of hackerspaces, and how people can get
involved and how they may go about setting up their own spaces.  The
interview finishes with Astera discussing her Robotic Warfare talk.

- http://twitter.com/astera
- http://astera.soup.io/
- http://hackerspaces.org
- http://events.ccc.de/congress/2009/wiki/Welcome

In the show's technical segment, the boys look at how Facebook can be
used as a valuable resource of data when attacking an organisation.
Focusing on using Facebook's own API to retrieve data on people who are
connected to a Facebook group.

Notes can be found here http://www.finux.co.uk/blog/?p=78

Other links .:

http://www.lightbluetouchpaper.org/2009/05/20/attack-of-the-zombie-photos/
http://theharmonyguy.com/

--------------------------------------------------------------------------------

To finish off the boys talk about a couple of news stories out on the wire.

http://www.wpacracker.com/

Moxie launches cloud WPA Cracking site.  He's just a fucking legend, but
don't use paypal to pay him in dough (great write up by finux)

BruCON dates announced:

http://blog.brucon.org/2009/12/brucon-2010-save-date-24-25-sept.html

Mark it in your calendar: BruCON 2010 will be on 24 & 25 September
2010!! Pass the word!!

Children in the UK to be compulsorily taught Internet safety within
primary school:

http://news.bbc.co.uk/1/hi/technology/8398763.stm

Lessons in using the internet safely are set to become a compulsory part
of the curriculum for primary schoolchildren in England from 2011. The
lessons are one element of a new government strategy being unveiled
called "Click Clever, Click Safe".  Children will also be encouraged to
follow an online "Green Cross Code" and block and report inappropriate
content.

http://praetorianprefect.com/archives/2009/12/unu-gets-kaspersky-again/

Unu, a Romanian hacker (one who may enjoy the challenge of breaking into
other computers but does no harm) who we've talked about on the site
before has been busy with his fifth demonstrated SQL Injection
vulnerability on the web site of a well known company in the last 30
days. This time he has again targeted Kaspersky Labs, the anti-virus
vendor that he previously demonstrated web site vulnerabilities for back
on February 7th of this year. The sites affected this time around are
the Kaspersky Lab sites in Malaysia http://www.kaspersky.com.my and
Singapore http://www.kaspersky.com.sg. On both sites it is a news
section, news.php, that is vulnerable, leading to the same MySQL
database backend, and exposing customer and employee access credentials
as well as what appear to be activation keys for Kaspersky Internet
Security 2010.

http://www.theregister.co.uk/2009/12/14/microsoft_cofee_vs_decaf/

Hackers have released software they say sabotages a suite of forensics
utilities Microsoft provides for free to hundreds of law enforcement
agencies across the globe.

Decaf is a light-weight application that monitors Windows systems for
the presence of COFEE, a bundle of some 150 point-and-click tools used
by police to collect digital evidence at crime scenes. When a USB stick
containing the Microsoft software is attached to a protected PC, Decaf
automatically executes a variety of countermeasures.

** This episode was recorded prior to the self-destruct mechanism of
DECAF being activated **

Show can be downloaded from here

Facebook, hype about privacy. It’s a little late

December 22nd, 2009

Facebook – Hype about privacy, it’s a little late

I had my interest in data held by Facebook heightened with the constant media attention that the much publicised changes to Facebook’s privacy policy brought. Which is the reason for this blog post (and @tracsec tech segment). There is no doubt in my mind that Facebook faces challenges with data that most governments do not have to consider, I suppose the only other companies that spring to mind is the giants of Google, and the makers of Windows Everest, err sorry I mean Microsoft.

Information is a truly wondrous thing, however it being held in the wrong hands can spell certain disaster. I was once asked what business Google was in, to which I answered Advertising, to my dismay I was informed I was wrong, my error was corrected. Google is a company that specialise in ways to make you give them data, they then use that data to make money. Information is power and that is no more aptly proved than how Google matches Microsoft in the brand awareness stakes, but also managing in the process to become a byword for searching the internet.

I think it fair I should mention that I am dyslexic and 7 Windmills was my idea. All joking aside, Facebook is now playing with vast quantities of personal data, and a strong unique understanding of how we interact with each other.

It seems to have worried a large section of the media, but I’m left asking what the difference really is now, compared to last month, for a hacker. Social engineering is an emerging art, but let’s face it, it’s a renaissance, it’s nothing new, and hacking has been as much about the person as it is about the system.

Having someone’s credentials starts to aid in targeted attacks, it seems logical to target the individuals themselves.

Impersonation isn’t easy when you know nothing about someone; taking a wild guess at someone’s date of birth, or which school they went to, isn’t easy. Which is why they were for a long time important details, used to verify your identity. Let’s think here though: we give these away every day, it’s part of most registration processes for services, and to most people they represent little or no value.

I set this scenario: a malicious attacker wishing to cause havoc decides that a university would be a good target. As a target it has some great reasons to be chosen. It has a lot of public (internet) facing resources and a lot of users, among those users there is a mix of privileges, from information to technical resources, and they tend to have good bandwidth and lots of storage, just to name a few reasons. The key aspect here is that there is an abundance of users, in reality playing the numbers game. It seems kind of stupid to jump straight in and randomly guess usernames.

We as individuals are social beings for the most part, and one of the key factors in Facebook’s success is its ability to connect us to networks, networks like where we went to school, who has employed us, where we went to university, where we work, what our hobbies are, and to some extent even how we’re feeling on a particular day. Most universities have a Facebook group, and I think it fair to suggest most people who are part of that group either are at or have gone to that university, or worked there in some capacity. It seems a good starting point, however we are all lazy people at heart and no one wants to go through every single member of a group one by one, copying the data out by hand. We could look at using screen scrapers, however it’s not as simple to achieve as you may think: Facebook requires you to have an account, you do need to be logged in and have a session, and using tools like wget or curl requires you to do this as well. However Facebook is also famous for its applications, and of course everyone loves them (or not). They can be made for lots of things, and this is to do with Facebook’s API (application programming interface). In short Facebook’s API is really just a set of instructions that can be used to interact with users. Of course interacting means getting a certain amount of information between the parties involved.

A simpler process for our potential attacker is to use Facebook’s API to get information about their target. An example of one of their API calls is groups_getMembers(GROUPID). This requests from Facebook all those who are members of a particular group. It will give you a list of the unique Facebook IDs of the users who are members of that group. Another example API call is users_getInfo(FacebookID,'first_name, last_name, name, timezone, birthday, sex, locale, profile_url, proxied_email'). I think you can probably see where I’m going with this: we can start to build a very detailed list of current people who are connected to a group or organisation. It’s also worth mentioning at this point that yes, you do need a Facebook account to use Facebook’s API, however the people returned back from the API calls neither installed an application nor visited a site we controlled. This information was gained completely legally; this was all information that the user willingly gave to Facebook, and then in turn they gave us permission to retrieve. As long as we don’t store the data for more than 24 hours.

That’s right, if I follow the word of the agreement, I’ll need to delete the data within 24 hours. Bearing in mind that so far I have not interacted with anyone. I have for the most part been able to get the name, an organisation they are connected to, and, dependent on their exact privacy settings, a wealth of personal information. The benefit of APIs is that it is easy to write applications or scripts, and Facebook supports a number of programming languages; there are a number of languages that have unofficial support, such as Python.

It’s not a particular stretch for an attacker to write a script that gets all the members of a university or company group and builds a list of first and last names, and where possible their sex, date of birth, location, their Facebook webpage, and where they are currently located, and stores that in a database. A little more internet searching and we may discover a company’s naming convention for company emails. The attacker has very simply gained an advantage without the threat of triggering alarms, while remaining mostly passive. This list then could be used with tools such as Maltego to further build a complete understanding of that person. Once an individual has been targeted to try and use to gain entry, the attacker could start to make a bespoke list of words and terms they use, by downloading pages from Facebook or by simple Google hacking and pulling posts from forums and mailing lists, and stripping out all the HTML code and common words (such as the, and, a, it, so on and so forth). Of course the list generated gives the attacker an advantage at brute forcing passwords; it’s likely to have things such as children’s names, partners’ names, and dates of birth specific to the target. Tools such as Cewl make the process of crawling a site and generating the list a relatively simple task.

It also seems logical that other social networking sites could be attacked for lots of various other information about potential targets. It may be possible to obtain every tweet if a potential target has a Twitter account, using Twitter’s API to obtain a list of a target’s Twitter history. This could be a good resource for further expanding the everyday words and terms that a potential target may use. It’s fair to say that no one Twit may cause concern about privacy, however the full list of them may add to yet another great resource of information. However I believe that you would have to allow your Twitter account to be public, and this information could be obtained using tailored Google searches; however, as previously stated, it makes a lot more sense to take the data supplied.

A potential indicator of this sort of socially inspired attack could be to seed the group with a number of dummy user accounts, using passwords generated out of web pages for that dummy user. We could watch the dummy user accounts for access, and although not foolproof, if one of these accounts starts to generate unwelcome attention then someone may have tried to profile our organisation and careful vigilance should be applied.
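The dummy-account tripwire described above, as an added example that is not part of the original post: it scans authentication log lines for any attempt against the seeded accounts and lists which real accounts the same source also tried. The log format, account names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed decoy usernames seeded into the public group (assumption).
DECOYS = {"jhollis", "mpetrov"}

# Constructed sample log in a simple "timestamp result user= src=" format.
SAMPLE_LOG = """\
2009-12-20T09:14:02Z FAIL user=asmith src=192.0.2.10
2009-12-20T09:14:09Z FAIL user=jhollis src=198.51.100.7
2009-12-20T09:14:15Z FAIL user=bjones src=198.51.100.7
2009-12-20T09:14:21Z FAIL user=mpetrov src=198.51.100.7
2009-12-20T09:15:40Z OK user=bjones src=198.51.100.7
2009-12-20T09:20:11Z OK user=asmith src=192.0.2.10
2009-12-20T10:02:33Z FAIL user=JHollis src=203.0.113.45
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

def parse(log_text):
    """Yield (timestamp, result, lowercased user, source) for parseable lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["result"], m["user"].lower(), m["src"]

def decoy_alerts(log_text, decoys=DECOYS):
    """Report every source that touched a decoy, plus real accounts it also tried."""
    events = list(parse(log_text))
    # Any attempt on a decoy is suspicious: nobody legitimate uses these accounts.
    tripped = defaultdict(set)
    for _, _, user, src in events:
        if user in decoys:
            tripped[src].add(user)
    report = {}
    for src, hit in tripped.items():
        real = [(r, u) for _, r, u, s in events if s == src and u not in decoys]
        report[src] = {
            "decoys": sorted(hit),
            "real_accounts_tried": sorted({u for _, u in real}),
            # Real accounts this source got into: review and reset these first.
            "real_accounts_logged_in": sorted({u for r, u in real if r == "OK"}),
        }
    return report

if __name__ == "__main__":
    for src, detail in sorted(decoy_alerts(SAMPLE_LOG).items()):
        print(src, detail)
```

A successful login to a real account from a source that also probed decoys is the highest-priority finding, since the decoys only exist in the public group listing.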

I discussed my ideas and thoughts on this subject with Chris John Riley, Ryan Dewhurst and Tom Mackenzie on the tracSEC podcast technical segment which should be available for public release when this post hits the blog. It was an interesting chat and very enlightening for everyone involved. I learned a great deal of stuff when discussing this with them, and in this case four heads are better than one.

In closing, I think to be worried about how third parties may abuse changes in Facebook’s privacy policy is warranted, but I would urge you to think what a bad guy could do without the limitations of regulations of business. Some information can’t be put back into the bottle. We as a community need to accept a certain level of information about us is in the public domain, and mitigate that accordingly. However, asking questions of how much data about us is being held by one commercial organisation and how other people assimilate that data is critical.

http://wiki.developers.facebook.com/index.php/How-to_Guides

http://developers.facebook.com/tools.php

http://en.wikipedia.org/wiki/Api

http://www.willmcgugan.com/2008/02/09/writing-a-facebook-application-with-python-pt-i/

http://arstechnica.com/open-source/news/2009/04/how-to-using-the-new-facebook-stream-api-in-a-desktop-app.ars

http://wiki.developers.facebook.com/index.php/User:PyFacebook_Tutorial

http://www.digininja.org/projects/cewl.php

http://www.theregister.co.uk/2009/12/14/facebook_photo_privacy_snafu/

http://voices.washingtonpost.com/securityfix/2009/12/check_your_facebook_privacy_se.html

http://www.scribd.com/doc/2458/Facebook-Threats-to-Privacy

http://tmacuk.co.uk/?p=76

http://www.spylogic.net/2009/12/new-facebook-privacy-settings-for-better-or-for-worse/

The tracSEC podcast can be downloaded from here


Null Prefix Attack Talk – Available On HPR

December 2nd, 2009

My recent talk at thelinuxsociety.org.uk on Moxie Marlinspike’s Null Prefix Attack, used in defeating SSL/TLS, has been released on HPR.  You can find the Notes and Slides that accompany the talk here

A .mp3 version of the talk can be found here

Finux

Note Added 10/12/09

Video (.avi) of the talk can be downloaded here


Google-Voice-And-Asterisk-Finux-Notes

November 30th, 2009

Hi Guys,

Well I thought that I would write this blog post on something that I played about with recently.  As some of you know I’m a little bit of an Asterisk junkie, and love playing with it.  I have to be honest, as a geek it’s a pretty awesome tool to have.

If you’re unsure what Asterisk is, basically put it’s a telephone system that you may have seen in your work place, it’s able to handle internal calls like extension to extension, and external calls.  It uses SIP (VoIP) to handle incoming and outgoing calls.  The really awesome thing is lots of companies will give you local land-line numbers for free, that regular telephones on PSTN (Public Switched Telephone Network) can call.

Now this post isn’t about installing and setting up Asterisk, there are plenty of resources on the Internet for that.  However what I do want to talk about is Google Voice and Asterisk.  Now if you are in the states the first part of this is useless to you, however getting it integrated into Asterisk may still be something of interest.  Now really I want this to be just a collection of resources I found and my thoughts on them.

Google Voice is a nice service really, it gives you free calls in the US and Canada and a Universal number that you can assign to any of your phones.  There is a web interface for it.  So basically you can give this one number out and then you can decide which one of your phones it rings (Mobile Phone, House Phone, Work Phone, your mum and dad’s house that you’re visiting for the week).  It enables you to send SMS’s and it will take voice-mails and send them to your email inbox.  I’m probably not doing Google Voice much justice, but you get the idea.

You may be wondering why a dude from the UK would want this, the short answer is; why not.  The long answer is, I have some friends and contacts in the states.  I have interviewed a few people from the states for podcasts and now I have a US number that rings to UK phones (doesn’t cost me a penny/cent either).

There is an important thing to point out here, that the service is only available to those in the states.  You need a US number to register for Google Voice and you need an invitation to the service as well.  Now at this point you start to worry that all of this sounds like a little bit of a pain in the arse, and having a US friend to register your number is the best you could hope for.  Wrong.  In fact I actually have the feeling that you may be able to get this to work without using an Asterisk server, however I haven’t tried it so I’m hoping someone who reads this can confirm it.  I’ll make special note of the idea in this post.

Firstly I’m going to list some resources and then I’m going to talk about them in stages.

tortunnel – One hop proxy for Tor by Moxie Marlinspike
FoxyProxy – Firefox add on for using proxies
IPKall/Sipgate – Free SIP providers that give you numbers, such as a free Seattle number.
PBXinAFlash – A CentOS distro designed to be a full Asterisk/FreePBX

Okay, so you have your Google Voice invite, you’re not in the states and every time you click the link Google tells you the service is not available in your country.  Which is an obvious problem and the beginning part of our problems.  I mentioned tortunnel by Moxie Marlinspike.

The answer to this problem is that we need to have a US IP address, now there are lots of proxy services on the web you could use and I would suggest that you go for that.  Personally I like tortunnel but that’s as a security bod I like that.  Tor is known for being slow, but it’s very good for getting out of your network segment.  Moxie wrote a program that instead of using the three hops Tor uses to make it hard for you to be tracked, it just uses one.  We choose the exit node that tortunnel uses.  So let’s say that Boston University has a Tor exit node, and we use it for tortunnel, we go and check our IP on one of those numerous sites and hey presto we’re in Boston.  So we go to our Google Voice invite and accept all the terms and conditions.

The next problem is we need to have a US number to register for Google Voice, I know it sounds a little crazy at first, you need a US number to register for a US number, however this is really the key concept behind Google Voice, it points to a number rather than being a ringing number.

So as I have an Asterisk install, I have what is termed as SIP Proxy which is an electronic address that VoIP clients can call, it’s basically an email address for VoIP.  So you could have fin...@voip.finux.co.uk and the lines would ring (however in the new version of FreePBX there is an option when setting up an extension to give it a URI).  Now a company called IPKall in the states will give you a free Washington state number and forward it to a SIP URI, I already had these setup in the past.

Now I know that Sipgate, who I have a few UK numbers with (www.sipgate.co.uk) also offer US numbers.  Now as I have said I haven’t tried this but my idea to do this without Asterisk and still have a ringing phone (well client or VoIP hardware phone) is to register a US number with Sipgate, you should be able to find on their site or with a little Google kung-fu how to configure that service for a SIP client like Ekiga or if you’re lucky enough to have a VoIP hardware phone then setup the details for Sipgate in that.

Once you have your US number it’s time to pop back to Google Voice and give it the US number you got from either IPKall or Sipgate, it will give you an Authorization code which you input.  Hey presto you have registered for Google Voice and you have your Google Voice number that should ring your IPKall/Sipgate US number.

It’s also worth noting that once you have registered with Google Voice and the phone number has been activated you no longer need tortunnel or your American proxy to go to the web interface.

Now as an Asterisk user I want to be able to pick up the phone, dial a special outward call code which will use the Google Voice line and make the US call for free.  Thankfully the leg work on this is done, thanks to the legend at Nerd Vittles (Very handy site, here is the specific guide http://nerdvittles.com/?p=635).  Now if you don’t use FreePBX then it shouldn’t be too difficult to reverse engineer what he is doing.

So in summary, if you’re outside the US then you’re going to need to get a US IP address, if you fancy the challenge then try and compile and install tortunnel (might be a bit much if you’re a windows user, I’m not sure if it has been ported, I also found the apt-file command available on Debian Linux distros very useful, and have used it a lot since.  It’s basically a tool that lets you query the apt source list for a specific dependency).  I managed to get it installed on Ubuntu 9.04 and 9.10, a little Google kung-fu and you should be able to find some how-to guides.

As I said this is more a collection of ideas about ways that you can get Google Voice outside the US and the process for getting it integrated into an Asterisk server.  Like I say if anyone tries the Sipgate process let me know, be pretty awesome if people could use Ekiga on their computers and make and receive Free US calls.
