Is it just my old age or is the IT industry paradoxically getting less worried about password security these days? Back in the day we used to jump through hoops to not reveal cleartext passwords. Today: my hosting provider prints the password out in cleartext in form responses and email. Various online sites (blogs and such) email you the password in cleartext (even if you didnt ask for it!). Even the MySQL command to change the password (mysqladmin password) accepts the new password only on the command line!!

What the hell?!

Phil Zimmerman (of PGP fame) has the following notice from a week ago:

Secure Voice over IP: Zfone

I’ve just released Zfone, a new product that takes a new approach to make a secure telephone for the Internet.

I think it’s better than the other approaches to secure VoIP, because it achieves security without reliance on a PKI, key certification, trust models, certificate authorities, or key management complexity that bedevils the email encryption world. It also does not rely on SIP signaling for the key management, and in fact does not rely on any servers at all. It performs its key agreements and key management in a purely peer-to-peer manner over the RTP packet stream. It interoperates with any standard SIP phone, but naturally only encrypts the call if you are calling another Zfone client. This new protocol has been submitted to the IETF as a proposal for a public standard, to enable interoperability of SIP endpoints from different vendors.

[…]

Seems interesting!