Re: [VoiceOps] Unsecured conference lines

2016-06-02 Thread Paul Timmins
Does it expose you to anything? If not, shrug and shut it off. If so, 
offer it with something that passes the exposure on instead, explaining 
your costs change. No need to lecture them on their own laws or protect 
them from themselves. They need a service provider, not a parent. :)


On 06/02/2016 03:33 PM, Carlos Alvarez wrote:
> Believe me, I've covered that and several other regulatory matters,
> they maintain they don't care.  The directive I got was from the
> second from the top, and he claims the CEO is behind him.  Right now
> the stale-mate is at "we can have a conference call to discuss it with
> the CEO, but I won't do it without that."  If they call me on it, well
> then...I'm just not sure.
>
> As to what type of "medical" company, I would like to keep the
> customer info very anonymous, but I'll say that it's way more than
> uniforms but not quite discussing a specific patient's ED
> prescription.  There's probably not any specific patient data on a
> call, or maybe just very rarely.
>
> On Thu, Jun 2, 2016 at 12:27 PM, Anthony Orlando wrote:
>
>> Carlos
>> Just mention HIPAA.  You might also have some HIPAA compliance
>> issues as well.
>>
>>> On Jun 2, 2016, at 1:54 PM, Carlos Alvarez wrote:
>>>
>>> We have a customer who has been nagging us to remove the PIN
>>> from their conference lines.  They are getting more insistent.
>>> We've said no, for the obvious security reasons, and explained
>>> them all clearly.  On top of it, this is a medical-related company
>>> having sensitive conversations on conferences.  They keep pushing
>>> us.  What would you do?  On the one hand I think we have no
>>> liability in the matter, but on the other, we're more of a
>>> consulting ITSP than just a generic service provider.  We
>>> specialize in helping people not do stupid things with their phone
>>> system.  There's also the matter of just eating up a bunch of
>>> channels by people using it as their own conference.
>>>
>>> ___
>>> VoiceOps mailing list
>>> VoiceOps@voiceops.org
>>> https://puck.nether.net/mailman/listinfo/voiceops






Re: [VoiceOps] Unsecured conference lines

2016-06-02 Thread Aryn Nakaoka 808.356.2901
Would you be OK with 100 channels incoming used 24/7 ? Do you have a soft
cap?

If not, how much do you charge per channel ;)







Aryn H. K. Nakaoka
anaka...@trinet-hi.com

Direct: 808.356.2901
Fax : 808.356.2919

Tri-net Solutions
733 Bishop St. #1170
Honolulu, HI 96813
http://www.trinet-hi.com

https://twitter.com/AlohaTone

Aloha Tone PBX 
https://www.youtube.com/watch?v=96YWPY9wCeU 

Aloha Tone (HA) High Availability 
http://youtu.be/rJsr4k0RBH8

CONFIDENTIALITY NOTICE:  The information contained in this email and any
attachments may be privileged, confidential and protected from disclosure.
Any disclosure, distribution or copying of this email or any attachments by
persons or entities other than the intended recipient is prohibited. If you
have received this email in error, please notify the sender immediately by
replying to the message and deleting this email and any attachments from
your system. Thank you for your cooperation.







On Thu, Jun 2, 2016 at 9:13 AM, Carlos Alvarez  wrote:

> We have outbound conferencing also, they don't want that.  They already do
> have HD conferencing and some web control of conferences.  This is purely
> about their standard inbound conferencing not having a PIN.  Alex's
> suggestion about ANI made me think of a compromise where their internal
> callers (80% of callers) would have no PIN.  This still exposes their board
> conversation to random peons in the company, but at least it doesn't affect
> our side of it and stops the random outside users.
>
> There would be no exorbitant billing opportunity here, since they are
> locked to 100 channels and pay a flat usage fee for them.
>
>
>
> On Thu, Jun 2, 2016 at 12:01 PM, Garrett Smith 
> wrote:
>
>> Hi Carlos,
>>
>> Check out ZipDX - they have a patented identity based conferencing that
>> eliminates the need for pins by calling out to the meeting attendees. The
>> system is used primarily for sensitive calls - investors, market research,
>> executives and was developed to stop the inconveniences of pins and
>> unsecured conference calls.
>>
>> Can be customized to needs and they've also got a partner program.
>>
>> You can learn more here: www.ZipDX.info or I'd be happy to put you in
>> touch with someone there.
>>
>> Garrett
>>
>> *Garrett Smith*
>> Founder
>>
>> *Pitch + Pivot, LLC*
>> Website: PitchPivot.com
>> Email: garr...@pitchpivot.com
>> Office: 716-322-3101
>> Cell: 716-903-9495
>> LinkedIn: /in/garrettsmith 
>> Twitter: @garrettsmith 
>>
>> On Thu, Jun 2, 2016 at 2:54 PM, Carlos Alvarez 
>> wrote:
>>
>>> We have a customer who has been nagging us to remove the PIN from their
>>> conference lines.  They are getting more insistent.  We've said no, for the
>>> obvious security reasons, and explained them all clearly.  On top of it,
>>> this is a medical-related company having sensitive conversations on
>>> conferences.  They keep pushing us.  What would you do?  On the one hand I
>>> think we have no liability in the matter, but on the other, we're more of a
>>> consulting ITSP than just a generic service provider.  We specialize in
>>> helping people not do stupid things with their phone system.  There's also
>>> the matter of just eating up a bunch of channels by people using it as
>>> their own conference.


Re: [VoiceOps] Unsecured conference lines

2016-06-02 Thread Aryn Nakaoka 808.356.2901
you can fake ANI ... of course they'd have to guess / know the number..
which would lean towards inside job.
Just make sure they sign off on usage charges and any spying liability.

Or email them every time someone goes into the conference bridge, live
monitoring, so they will be alerted if someone that shouldn't be in there
is.

Or email them a recording of the call after each time it's used, so they know
who was in there.








On Thu, Jun 2, 2016 at 9:13 AM, Carlos Alvarez  wrote:

> We have outbound conferencing also, they don't want that.  They already do
> have HD conferencing and some web control of conferences.  This is purely
> about their standard inbound conferencing not having a PIN.  Alex's
> suggestion about ANI made me think of a compromise where their internal
> callers (80% of callers) would have no PIN.  This still exposes their board
> conversation to random peons in the company, but at least it doesn't affect
> our side of it and stops the random outside users.
>
> There would be no exorbitant billing opportunity here, since they are
> locked to 100 channels and pay a flat usage fee for them.


Re: [VoiceOps] Unsecured conference lines

2016-06-02 Thread Alex Balashov

On 06/02/2016 03:13 PM, Carlos Alvarez wrote:

> There would be no exorbitant billing opportunity here, since they are
> locked to 100 channels and pay a flat usage fee for them.

Well, in that case, all the risk is on you, and you're effectively being 
asked to bear it.


--
Alex Balashov | Principal | Evariste Systems LLC
1447 Peachtree Street NE, Suite 700
Atlanta, GA 30309
United States

Tel: +1-800-250-5920 (toll-free) / +1-678-954-0671 (direct)
Web: http://www.evaristesys.com/, http://www.csrpswitch.com/


Re: [VoiceOps] Unsecured conference lines

2016-06-02 Thread Carlos Alvarez
We have outbound conferencing also, they don't want that.  They already do
have HD conferencing and some web control of conferences.  This is purely
about their standard inbound conferencing not having a PIN.  Alex's
suggestion about ANI made me think of a compromise where their internal
callers (80% of callers) would have no PIN.  This still exposes their board
conversation to random peons in the company, but at least it doesn't affect
our side of it and stops the random outside users.

There would be no exorbitant billing opportunity here, since they are
locked to 100 channels and pay a flat usage fee for them.



On Thu, Jun 2, 2016 at 12:01 PM, Garrett Smith 
wrote:

> Hi Carlos,
>
> Check out ZipDX - they have a patented identity based conferencing that
> eliminates the need for pins by calling out to the meeting attendees. The
> system is used primarily for sensitive calls - investors, market research,
> executives and was developed to stop the inconveniences of pins and
> unsecured conference calls.
>
> Can be customized to needs and they've also got a partner program.
>
> You can learn more here: www.ZipDX.info or I'd be happy to put you in
> touch with someone there.
>
> Garrett
>
>
> On Thu, Jun 2, 2016 at 2:54 PM, Carlos Alvarez 
> wrote:
>
>> We have a customer who has been nagging us to remove the PIN from their
>> conference lines.  They are getting more insistent.  We've said no, for the
>> obvious security reasons, and explained them all clearly.  On top of it,
>> this is a medical-related company having sensitive conversations on
>> conferences.  They keep pushing us.  What would you do?  On the one hand I
>> think we have no liability in the matter, but on the other, we're more of a
>> consulting ITSP than just a generic service provider.  We specialize in
>> helping people not do stupid things with their phone system.  There's also
>> the matter of just eating up a bunch of channels by people using it as
>> their own conference.


Re: [VoiceOps] Unsecured conference lines

2016-06-02 Thread Alex Balashov

No way.

Offer them options, as for example a whitelist of ANIs that are 
automatically dumped into a conference room, or a "smart conference" 
application where the conference bridge calls the participants instead 
of the other way around. They might like that.


But no completely wide-open bridge, no way.

--
Alex Balashov | Principal | Evariste Systems LLC
1447 Peachtree Street NE, Suite 700
Atlanta, GA 30309
United States

Tel: +1-800-250-5920 (toll-free) / +1-678-954-0671 (direct)
Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
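
Added example, not part of the original message or of any product named in the thread: a sketch of the ANI allowlist with PIN fallback suggested above, with every join attempt recorded so the customer can review who entered, as proposed elsewhere in the thread. The `Bridge` class, `normalize_ani`, the 10-digit normalization and the sample numbers are assumptions made for illustration.

```python
import hmac
import re
from dataclasses import dataclass, field
from typing import Optional


def normalize_ani(raw: str) -> str:
    """Reduce a caller number to its last 10 digits (NANP-style assumption)."""
    return re.sub(r"\D", "", raw)[-10:]


@dataclass
class Bridge:
    pin: str
    allowlist: set                     # normalized ANIs admitted without a PIN
    max_channels: int = 100            # channel cap, as in the thread
    active: int = 0
    audit: list = field(default_factory=list)  # stands in for e-mail alerts

    def admit(self, raw_ani: str, entered_pin: Optional[str] = None) -> str:
        ani = normalize_ani(raw_ani)
        if self.active >= self.max_channels:
            result = "rejected:full"
        elif ani in self.allowlist:
            # ANI can be spoofed, so this is convenience, not authentication;
            # the audit record keeps the weaker method visible to reviewers.
            result = "admitted:ani"
        elif entered_pin is not None and hmac.compare_digest(
                entered_pin.encode(), self.pin.encode()):
            result = "admitted:pin"
        else:
            result = "rejected:auth"
        if result.startswith("admitted"):
            self.active += 1
        self.audit.append({"ani": ani, "result": result})
        return result


def demo() -> list:
    # Constructed sample data: numbers use the reserved 555-01xx range.
    bridge = Bridge(pin="482913", allowlist={normalize_ani("+1 (602) 555-0142")})
    return [
        bridge.admit("16025550142"),             # internal caller, no PIN asked
        bridge.admit("4805550199"),              # outside caller, no PIN given
        bridge.admit("4805550199", "000000"),    # outside caller, wrong PIN
        bridge.admit("480-555-0199", "482913"),  # outside caller, correct PIN
    ]


if __name__ == "__main__":
    print(demo())
```
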


Re: [VoiceOps] Unsecured conference lines

2016-06-02 Thread J. Oquendo
On Thu, 02 Jun 2016, Carlos Alvarez wrote:

> We have a customer who has been nagging us to remove the PIN from their
> conference lines.  They are getting more insistent.  We've said no, for the
> obvious security reasons, and explained them all clearly.  On top of it,
> this is a medical-related company having sensitive conversations on
> conferences.  They keep pushing us.  What would you do?  On the one hand I
> think we have no liability in the matter, but on the other, we're more of a
> consulting ITSP than just a generic service provider.  We specialize in
> helping people not do stupid things with their phone system.  There's also
> the matter of just eating up a bunch of channels by people using it as
> their own conference.

The honest answer would be for you to look over your
terms of service agreement. What was it you told them that
your organization would be responsible for? Now to the
technical slash security answer:

Who manages/maintains the network? This is important for
various reasons. If the network is segregated (voice and
data), it makes things easier to deal with from the
technical perspective. You could implement an ACL that
states something to the tune of: "This IP (conf phone)
should ONLY talk to the registrar, and no one else" but
this would remove any HTTP-like functionality.

When you say: "Medical related company" it means little
without context. E.g.: "A company that delivers uniforms"
has less to worry about than a "A company that delivers
EMR data on their conferences." You are just an ITSP,
not a standards organization. 

The ultimate reality is, while you are an ITSP, they
paid for whatever it is they are paying for. This is
where you need to bring senior management into the
discussion to discuss AUP, TOS and other annoying
acronyms that we (techie folks) love to hate.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get=0xFC837AF59D8A4463