Dan York, who manages the excellent Bluebox Podcast blog, reviewed our book and passed on the following comments:
On my flight out to SF for O'Reilly's Emerging Telephony 2007 conference, I finally got a chance to do a cover-to-cover read of Hacking Exposed VoIP. Given that it's fresh on my mind, I thought I'd pass along some higher-level feedback and then a bunch of nit-picky editor type of comments that I found in reading the book. Hopefully at least the nitpicky advice may be useful should you do a second edition. As to the rest... well, just remember that this feedback combined with $5 will get you a coffee at your local Starbucks. :-)
First, I should say that I really did enjoy reading the whole book and have to say that I do stand by my quote. It *is* a dangerous book! I particularly liked your case studies where you told a story about how the tools could actually be used. I think we need *more* of that... explaining to people how real damage can be done in simple practical terms. Well done.
I made copious notes to ask our (Mitel) SIP designers and QA team... and I'm also going to have to drop Ed Mier a note to find out about where he's at with his 2007 set security report (well, after I ask our folks internally). The book is really quite excellent.
Dan pointed out that he wished we had discussed SIP trunks. I agree. We chose not to, because our focus was on enterprise issues and as of now, SIP trunks, at least to public networks, are uncommon in large enterprises. This would be a great topic for version 2.
Dan also thought that Asterisk did support encryption of the IAX protocol. We reported that when we tested Asterisk, it did not provide built-in support. It is possible to "layer it in", but it isn't built in.
Dan also had a lot of good minor editing feedback.