So it looks my hot topic this week is how full of beans most vendors are and how it is making life difficult for security admins looking to choose the right product.  I already wrote about how some vendors claim customers use their products for functions that they do not. I wrote about how customers are hounded by sales people calling and writing, blowing smoke about products and solutions they don't want.  BTW, on a comment to that one, Greg Ness writes a very insightful piece that I want to paste in here:

I think we're seeing the tale end of the era of "entrapment marketing" whereby someone downloads a white paper or watches a webcast and then gets swamped with calls from salespeople. As a marketing VP I get about 5-6 calls a day. They're so disruptive that I've turned my ring off and batch process the calls once a week.

I think the quantity and quality of the traditional downloads has declined since the early 2000s, so that real people get even more calls than they used to. I've become a big believer in social media (no registration required) and inbound registration/interest.

I have a netsec blog at: www.archimedius.net where I talk about issues. I launched it last year after seeing our google analytics scores register large social media inbound traffic to our website. Three top blogs were generating equivalent visitor eyeball minutes on our website to leading pubs.

Social media is less disruptive, usually is part of a broader, real-time technology conversation and helps you to establish better relationships with prospects, all in exchange for sharing your view of the world.

Now I was reading a recent analyst report on NAC and almost choked when I saw some of the data passing for information in this report. To be fair the analyst does preface their report by saying they can't vouch for any of the factual information supplied by vendors,  But my God does anyone tell the truth anymore?  Funny thing is it is the usual suspects up to their same old, same old fudging their numbers. 

So not only do we have misleading press releases talking about customers who don't really use the products as announced, we have analyst reports that have glaring factual errors that are not checked and people rely on and customers who are swamped with slick sales people.  What can we do as an industry to bring sanity to all of this?  Am interested in what your take on all of this? Is security marketing worth the paper it is written on anymore?

So it looks my hot topic this week is how full of beans most vendors are and how it is making life difficult for security admins looking to choose the right product.  I already wrote about how some vendors claim customers use their products for functions that they do not. I wrote about how customers are hounded by sales people calling and writing, blowing smoke about products and solutions they don't want.  BTW, on a comment to that one, Greg Ness writes a very insightful piece that I want to paste in here:

I think we're seeing the tale end of the era of "entrapment marketing" whereby someone downloads a white paper or watches a webcast and then gets swamped with calls from salespeople. As a marketing VP I get about 5-6 calls a day. They're so disruptive that I've turned my ring off and batch process the calls once a week.

I think the quantity and quality of the traditional downloads has declined since the early 2000s, so that real people get even more calls than they used to. I've become a big believer in social media (no registration required) and inbound registration/interest.

I have a netsec blog at: www.archimedius.net where I talk about issues. I launched it last year after seeing our google analytics scores register large social media inbound traffic to our website. Three top blogs were generating equivalent visitor eyeball minutes on our website to leading pubs.

Social media is less disruptive, usually is part of a broader, real-time technology conversation and helps you to establish better relationships with prospects, all in exchange for sharing your view of the world.

Now I was reading a recent analyst report on NAC and almost choked when I saw some of the data passing for information in this report. To be fair the analyst does preface their report by saying they can't vouch for any of the factual information supplied by vendors,  But my God does anyone tell the truth anymore?  Funny thing is it is the usual suspects up to their same old, same old fudging their numbers. 

So not only do we have misleading press releases talking about customers who don't really use the products as announced, we have analyst reports that have glaring factual errors that are not checked and people rely on and customers who are swamped with slick sales people.  What can we do as an industry to bring sanity to all of this?  Am interested in what your take on all of this? Is security marketing worth the paper it is written on anymore?

What fresh hell is this? Monday morning and the coffee machine decides to tangle with me. The missus saves the day and potentially my sanity.

So, will the iPhone (officially) come to Canada in the WWDC keynote this morning? What say you Vegas?

Click here to subscribe to Liquidmatrix Security Digest!

And now, the news…

1. Security firm asks for help cracking ransomware key | Computer World
2. Revisiting the Safari Vulnerability on Windows | Washington Post
3. A rallying cry against cyberbullying | CNET
4. HP secures data center assets with RFID tags | Network World
5. Hans Reiser Offers To Lead Cops to Nina’s Body | OS News
6. Full-featured IE 8 beta announced (smashy, smashy) | NZ Herald
7. Fraudsters hack into Home Office website | Telegraph
8. IBM sings a Symphony to rival Office | Silicon
9. Military Supercomputer Sets Record | NY Times

Tags: News, Daily Links, Security Blog, Information Security, Security News

Since 9/11, there has been an increasing war on photography. Photographers have been harrassed, questioned, detained, arrested or worse, and declared to be unwelcome. We've been repeatedly told to watch out for photographers, especially suspicious ones. Clearly any terrorist is going to first photograph his target, so vigilance is required.

Except that it's nonsense. The 9/11 terrorists didn't photograph anything. Nor did the London transport bombers, the Madrid subway bombers, or the liquid bombers arrested in 2006. Timothy McVeigh didn't photograph the Oklahoma City Federal Building. The Unabomber didn't photograph anything; neither did shoe-bomber Richard Reid. Photographs aren't being found amongst the papers of Palestinian suicide bombers. The IRA wasn't known for its photography. Even those manufactured terrorist plots that the US government likes to talk about -- the Ft. Dix terrorists, the JFK airport bombers, the Miami 7, the Lackawanna 6 -- no photography.

Given that real terrorists, and even wannabe terrorists, don't seem to photograph anything, why is it such pervasive conventional wisdom that terrorists photograph their targets? Why are our fears so great that we have no choice but to be suspicious of any photographer?

Because it's a movie-plot threat.

A movie-plot threat is a specific threat, vivid in our minds like the plot of a movie. You remember them from the months after the 9/11 attacks: anthrax spread from crop dusters, a contaminated milk supply, terrorist scuba divers armed with almanacs. Our imaginations run wild with detailed and specific threats, from the news, and from actual movies and television shows. These movie plots resonate in our minds and in the minds of others we talk to. And many of us get scared.

Terrorists taking pictures is a quintessential detail in any good movie. Of course it makes sense that terrorists will take pictures of their targets. They have to do reconnaissance, don't they? We need 45 minutes of television action before the actual terrorist attack -- 90 minutes if it's a movie -- and a photography scene is just perfect. It's our movie-plot terrorists that are photographers, even if the real-world ones are not.

The problem with movie-plot security is it only works if we guess the plot correctly. If we spend a zillion dollars defending Wimbledon and terrorists blow up a different sporting event, that's money wasted. If we post guards all over the Underground and terrorists bomb a crowded shopping area, that's also a waste. If we teach everyone to be alert for photographers, and terrorists don't take photographs, we've wasted money and effort, and taught people to fear something they shouldn't.

And even if terrorists did photograph their targets, the math doesn't make sense. Billions of photographs are taken by honest people every year, 50 billion by amateurs alone in the US And the national monuments you imagine terrorists taking photographs of are the same ones tourists like to take pictures of. If you see someone taking one of those photographs, the odds are infinitesimal that he's a terrorist.

Of course, it's far easier to explain the problem than it is to fix it. Because we're a species of storytellers, we find movie-plot threats uniquely compelling. A single vivid scenario will do more to convince people that photographers might be terrorists than all the data I can muster to demonstrate that they're not.

Fear aside, there aren't many legal restrictions on what you can photograph from a public place that's already in public view. If you're harassed, it's almost certainly a law enforcement official, public or private, acting way beyond his authority. There's nothing in any post-9/11 law that restricts your right to photograph.

This is worth fighting. Search "photographer rights" on Google and download one of the several wallet documents that can help you if you get harassed; I found one for the UK, US, and Australia. Don't cede your right to photograph in public. Don't propagate the terrorist photographer story. Remind them that prohibiting photography was something we used to ridicule about the USSR. Eventually sanity will be restored, but it may take a while.

This essay originally appeared in The Guardian.

Forgive me for going totally off topic (hey its my blog I write what I want) but it is Sunday and not much news on security.  I wanted to write about an article I saw in the NY Times today called "Even the Insured Feel the Strain of Health Costs". The article details that with the hard economic times even people who have health insurance are being bitten by the ever rising costs of health care.  Rising premiums, covering less procedures and care and charging more for prescriptions and medical care combine to put the bite on everyone.  From my own experience here are 4 examples of how even with health insurance, medical care costs are taking a bite:

1. My wife had minor surgery in September.  It was ambulatory surgery where she went in the morning and went home that afternoon/evening.  Even though we have full PPO coverage and it was participating doctors, hospital, etc. my out-of-pocket costs after insurance were almost $3000! The surgeon received a whopping $472 from the insurance company for the operation and the hospital billed like 17k!  When I called the hospital they said they did not expect to get paid that much, but had to bill it so they could get as much as they could.  I than had to negotiate what I would pay out of pocket beyond that. I also had to pay the anesthesia, the prescriptions, etc.

2. Here at StillSecure we had to switch providers again this year because United Health Care wanted another 15 to 20% raise in premiums. In fact that is about normal for health insurance, way above the cost of living and inflation.  We pay a good chunk of our employees insurance premiums, but even so the 20% or so that we have the employee pick up gets bigger and bigger.  Plus the insurance company covers less and less.  This squeeze is frankly baffling. How can you pay more and get less.

3. I had a dental implant a few months back.  Though we pay for dental coverage, our insurance would cover a bridge or cap, but they don't consider implants necessary and would not cover any of it. I had to lay 2k out of pocket. On top of this the panoramic x-ray the oral surgeon took (which again was not covered, another 100 bucks) showed I had an impacted wisdom tooth with a cyst around it.  My dental insurance covered the wisdom tooth, but the cyst removal would be considered under my regular insurance and my dentist was not participating. In fact I could not find a participating oral surgeon in the area.  So I had to an extra $600 dollars out of pocket and of course my out-of-network deductible was $750, so I ate it again.

4. The orthodontist.  This one is perhaps the worst of all and really gets my goat.  My oldest son went for an orthodontic exam. The doctor told my wife that he would probably need braces when he gets older and that current best practices in orthodontics is to put braces on now in a phase 1 and than if necessary they put other braces on later when more of his adult teeth come in. Putting braces on now would lesson the severity of what he would need later.  OK, great lets do it, right?  Wrong!  Our insurance covers a one time payment of $1200. The dentist said if we use it now, the cost for phase 1 would be $3600.  That leaves a balance of $2400 that I have to pay.  However, if I do it without insurance he would charge me $2400 and than I could use the $1200 towards the phase 2 braces my son may need which could be up to 10k. So if we went through insurance the cost was $3600 with $2400 out of pocket or no insurance $2400 out of pocket.  What is wrong with that picture. Whether I have insurance or not, it still costs me $2400!  This is fundamentally what is wrong with our health care system.  The dentist is willing to accept $2400.  He should take the $1200 from my insurance and I should pay him another $1200.  Anything else is ludicrous and in my mind borders on criminal insurance fraud.

We need to restore sanity to the whole system. It is not just the 48 million people in this country that don't have insurance, it is also the costs of the people who do have insurance. Don't tell me that giving us greater limits to put in tax deferred health savings plan are the answer either.  Fundamentally we need the insurance companies to stop sucking the blood of the premium payers. We need the health industry to bill for what the do and what it is worth, not how to maximize what the insurance company pays and most of all we need to make sure that people can afford and receive decent health care!

BTW, if you want to read an excellent blog on this subject, Dr. Stanley Feld, Brad's dad writes a great blog on it.

A huge chunk of why I started this site was for my own testing. I wanted to learn on a site that I controlled completely. That works great if you’re a guy like me, who’s already been in the web space for well over a decade. But for people who are either new, or are shifting their interests from some other area of security, the web space is highly complex and deep. So herein lies the second reason I started this site. I wanted a place where I could teach people what I know. Call it altruism, call it wanting a sanity check on my own thoughts, but here we are, 2 years and 20,000 visitors a day later and things have changed.

I’m ultimately troubled by the fact that there are so many people out there who are in every way smart but are only in web application security because they have fallen into it, for whatever reason, and now are trying to play catch up with guys like us. I feel like there is a huge gap of knowledge out there, and I feel like there is a lot that I could share with people given enough time. A one hour speech isn’t enough time. It’s barely enough time to gloss over a topic, let alone go down to any level of detail that would allow someone to think they are proficient in a topic. I really feel like I could share a lot more of what I know to a willing participant if we made it a week long course. So that’s what I did.

I’m going to be offering a week long course that I am dubbing The Austin Project. The goal of the project is to get a group of likeminded people who are interested in talking about and learning more about web application security from yours truly. Honestly, I just feel like there’s a lot more I can talk about in a week’s time than I could ever cover in a series of blog posts, especially because in an intimate class it is far easier to communicate.

So I will be inviting five people to fly in and stay for five days. No cell phones, no computers, no distractions - just talking webappsec. I attended an invite only conference of this format before and it worked great, where the only open computer was the one operating the projector. Being off the grid really helps people focus. Everyone will sign non disclosure agreements so people can talk freely about problems they are concerned with without having to worry about it getting out. There will be eventual outputs from the classes, but they will be discussed only with people who attend. Days will be spent talking about webappsec, nights will be spent with me in downtown Austin, visiting the local nightlife and probably talking about webappsec some more. My goal is not to make myself the grand leader of a group of five people who are webappsec gods, but rather, build a collaborative group of people who change their way of thinking and come out of it with the knowledge on how to fix their little slice of the Internet.

I’m just not scalable, and while the blog has been a great conduit for sharing some of my ideas, it’s clear to me that people just aren’t getting the value out of it that they could in another format (I guess you get what you pay for, as this site is free!). It turns out I just have a lot more to say than I put on this site. That became apparent today when I started chatting with someone about a specific web application flow. It took me ten minutes to explain some of the esoteric nuances to watch out for and I suddenly realized I had never talked about it before on the site, and I probably never would have because I ultimately consider a lot of that stuff to be “the basics” (even though apparently not a lot of people know about it). I usually try to skirt around the basics as to avoid alienating the experts who frequent this site. How would anyone know about the esoteric gotchas if I didn’t talk about it? Well, now is your chance to come ask me. Not that I will just be covering basics - oh no, why come to me for the basics? But this will be your chance to get me to slow down and explain things to you in a virtually one on one environment.

My goal isn’t to get the best of the best and put them in a room together (although if I wind up with a bunch of people who are experts I will build a class specifically for them). The main goal of The Austin Project is to get people who want to learn but are otherwise starved for information. I want to help those people and bring them to the next level, so that they go off and eventually help others and so on. I firmly believe education at this level will help our industry, help us start developing better applications, better strategies, and ultimately will make all our lives better.

This isn’t like most training. There will be no CPE credits (although I’m sure you could convince someone it should count), no class of 40 people, no canned demonstrations. This is just a chance for you to sit with me for a week and talk about whatever it is you want to talk about in an collaborative environment. I don’t want five people from the same company showing up. That’s not the goal here. The goal is for you to meet other people with other problems and work through them together as much as it is to hear from me. Why? Because other people have interesting problems that relate to our industry that you should think about too! I want to facilitate the correct thought process, which is so much more important than me just solving your problems for you. I want to make people into the big thinkers (not just technologists) that this industry needs. I want the participants to build relationships that they can use to better themselves and their careers. Big goals for such a little class!

Anyway, if we wind up with way more than five people who are interested, we can separate the classes into groups, but I have no idea how many people will be interested. I don’t want to go over five people and I don’t want it smaller than that or it would defeat the goal of building a team, so I may actually turn people away if we don’t hit a critical mass. This is just as much an experiment for me as it is for anyone who would attend. I also may turn people away if I think they couldn’t benefit from this - which is why I’ll be asking for a resume from each of the people who are interested. If you have no experience, this isn’t the class for you. If you have been doing this longer than I have, this isn’t the class for you. If you just want to come to the class to heckle me, well, it’s an expensive prank, but it’s your money. So if you are at all interested, check out The Austin Project web-page for the specifics and send your contact information through the form.

Synopsis:Blue Box #70: 2-yr Anniversary show, VoIP security vulnerabilities, Vonage, Comcast, phishing, listener comments and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #70, a 51-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

NOTE: This show was recorded on October 25, 2007.

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• Programming notes:
• Dan???s new employment with Voxeo
• Dan at VON next week ??? Dean Elwood is doing a VoIPUser dinner ??? perhaps a Blue Box dinner as well?
• We hope you enjoyed Blue Box SE 21 with Phil Zimmermann ??? many thanks to Martyn Davies for helping with that.
• Reporters for some of the spring shows?  (we can probably get you press credentials??? if you are there)
• XSS attack and SQL injection via SIP against Asterisk
• The XSS attack against Linksys SPA-941 we discussed last week was picked up by Secure Computing which resulted in this SearchSecurity.com article: New Attack Methods Target Web 2.0, VoIP (last link sent to us by Rhodri Davies)
• Sipera released a range of vulnerabilities related to Vonage, Grandstream and more ??? note that the Vonage thread has been picked up by ZDNet???s Russell Shaw
• Wired: Phones Aren???t Safe Either, Hackers Say ??? also discussed in Network World and Russell Shaw We???ve toasted so many of these (VoIP) networks??? and Dustin Trammell???s blog (in the list of sessions he attended)
• SANS: Vishing, Skype, and VoIP-Based Fraud (sent in by Craig Bowser)
• CXO Today: The Phishing Epidemic
• PCWorld.CA: The eight most dangerous consumer technologies (Skype and consumer VoIP are #6 on page 2 )
• TMC Net: VoIP Peering in Search of a Viable Interconnect Business Model (note the comments about security toward the bottom)
• Cisco TechWise podcasts Session Initiation Protocol and Security (it???s on the page??? came out 10/18/07 )
• TechRepublic: Sanity check: Will Microsoft be your next phone company? (nice roundup of the MS announcements??? some of the comments are also interesting)
• Comcast
• AP: Comcast blocks some Internet traffic
• Ed Brill notes the impact on Notes/Domino traffic
• cnet post
• TorrentFreak: Comcast Throttles BitTorrent Traffic, Seeding Impossible
• P2PNet: Comcast impedes hi-speed file sharing
• Carnegie Mellon???s CyLab and Nortel Combine Efforts to Research Leading Security Technologies
• SearchVoIP.au: Avaya white paper: VoIP Security for Dummies
• - Upcoming shows:
  
  
  
  • Oct 24-25, New York, USA, Interop
    
  • Oct 29-Nov 1, Boston, USA, Fall 2007 VON
• Comment (email) from Dan Wing about episode 69 and the potential DDoS attack
• Comment (email) from Raul Siles about episode 66
• Comment (email) from Raul Siles about SANS VoIP Security course
• Two-year-anniversary:
  • Comment (audio) from Martyn Davies
  • Comment (audio) from Dean Elwood
  • Comment (audio) from Mike Wallace
  • Comment (audio) from Raul Siles (with Matrix inclusion)
  • Comment (audio) from Carsten Helmuth (cut off)
  • Comment (email) from Scott Tanner
  • Comment (email) from Shlomo Dubrowin
• - Drawing for the book
• - Review of the last week's traffic on the VOIPSEC public mailing list 


• - Wrap-up of the show


• 51:14 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-7280 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.