What’s really set me off this morning is the back and forth on the flight time. I know that there are many things that can cause a flight delay, but to move the departure time, in both directions, four times within one hour, how is that possible? I can only imagine the reaction of ScienceLogic customers if we announced the release date for the next version of the product and then proceeded to change it four times that week. There really isn’t another business in the world, other than the airlines, that could get away with this.

Assuming I eventually get to Interop NY, I will be on the look out for vendors that are working on ways to send me to my next meeting over Gigabit Ethernet!

Synopsis:  Blue Box #78: Cisco IP phone vulnerabilties, WiFi handset insecurity, IETF security-related news, VoIP security news, listener comments and more

Welcome to Blue Box: The VoIP Security Podcast #78, a 40-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 17MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on February 25, 2008. Yes, that was two months ago... we know!

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• new comment line +1-415-830-5439
• Special Edition #23 with Sonus Networks
• Squawk Box podcast about voice phishing ??? also this article Vishing: The Latest, and Greatest, Security Concern
• Cisco: Cisco Unified IP Phone Overflow and DoS Vulnerabilities and Dustin Trammell???s coverage
• ZDNet: Design flaw in wireless VoIP handsets endanger the enterprise followed by Cisco confirms vulnerability in 7921 WiFi IP phone
• Voice of VOIPSA: Slides about P2PSIP security new available
• Voice of VOIPSA: RUCUS mailing list & BOF
• Voice of VOIPSA: End-to-end VoIP security using DTLS-SRTP
• Also a whole bunch on SIP Identity
• SIP Torture Tests for IPv6 now out in RFC 5118
• SIP Usage Scenarios Similar to SPIT
• SPEERMINT Security BCPs
• SIP Identity Baiting Attack
• Concerns around Applicability of RFC 4474
• VoIP Hopper 0.9.9 released (site ) ??? Thanks to Frank Leonhardt for the info.
• VoIP News: Is Someone Listening to Your VoIP Calls? (linked to from ZDNet )
• ZDNet: Cracking GSM
• TMCnet- Practicing Safe OCS
• TMCnet- Security Attack of the Day (Tom Cross starts blogging for TMCnet)
• Speaking of Tom, Techtionary.com Releases SIP Security Checklist
• Voice of VOIPSA: SIPTap Author forms VoIP Security Company (by Craig Bowser!)
• Voice of VOIPSA: Underpowered Hardware
• Project Spider ??? about SPIT
• CBC: Bell recovers stolen data on 3.4 million customers
• Comment (email) from Larry Farmer
• Comment (email) from Shlomo Dubrowin
• Comment (email) about SE #23
• Review of the last week's traffic on the VOIPSEC public mailing list 
• Wrap-up of the show
• 40:01 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis:  Blue Box #78: Cisco IP phone vulnerabilties, WiFi handset insecurity, IETF security-related news, VoIP security news, listener comments and more

Welcome to Blue Box: The VoIP Security Podcast #78, a 40-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 17MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on February 25, 2008. Yes, that was two months ago... we know!

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• new comment line +1-415-830-5439
• Special Edition #23 with Sonus Networks
• Squawk Box podcast about voice phishing – also this article Vishing: The Latest, and Greatest, Security Concern
• Cisco: Cisco Unified IP Phone Overflow and DoS Vulnerabilities and Dustin Trammell’s coverage
• ZDNet: Design flaw in wireless VoIP handsets endanger the enterprise followed by Cisco confirms vulnerability in 7921 WiFi IP phone
• Voice of VOIPSA: Slides about P2PSIP security new available
• Voice of VOIPSA: RUCUS mailing list & BOF
• Voice of VOIPSA: End-to-end VoIP security using DTLS-SRTP
• Also a whole bunch on SIP Identity
• SIP Torture Tests for IPv6 now out in RFC 5118
• SIP Usage Scenarios Similar to SPIT
• SPEERMINT Security BCPs
• SIP Identity Baiting Attack
• Concerns around Applicability of RFC 4474
• VoIP Hopper 0.9.9 released (site ) – Thanks to Frank Leonhardt for the info.
• VoIP News: Is Someone Listening to Your VoIP Calls? (linked to from ZDNet )
• ZDNet: Cracking GSM
• TMCnet- Practicing Safe OCS
• TMCnet- Security Attack of the Day (Tom Cross starts blogging for TMCnet)
• Speaking of Tom, Techtionary.com Releases SIP Security Checklist
• Voice of VOIPSA: SIPTap Author forms VoIP Security Company (by Craig Bowser!)
• Voice of VOIPSA: Underpowered Hardware
• Project Spider – about SPIT
• CBC: Bell recovers stolen data on 3.4 million customers
• Comment (email) from Larry Farmer
• Comment (email) from Shlomo Dubrowin
• Comment (email) about SE #23
• Review of the last week's traffic on the VOIPSEC public mailing list 
• Wrap-up of the show
• 40:01 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Thursday was a little different, I got up early and got a few ‘real’ work things done (you know, those things) before heading off to meet Mike Fratto for a project he’s working on. More on that later.

I made it back to the show around lunch-ish but didn’t stop for lunch yet, since the show floor was closing at 4:00pm- I still had some browsing and chatting to do. Starting around 3:45, I took a ‘Last 15 on the Floor’ series of shots from the expo floor.

At some point Thursday or Wednesday, I did stop by the Security Smackdown challenge they had running- pretty neato- bunch of hackers beatin’ each other down for the ultimate Smackdown Title. WWCF: World Wide Crypto Fighting…. or… something like that. There was a guy sporting an overtly over-sized gold WWF-style belt… hence the joke… nevermind.

Anyway, I also stopped by the ‘official’ RSA Bookstore and picked up a little book on 802.1X. When I say little, I mean little… and it was $60. Yes, seriously. To top it off, it’s probably the most poorly-written book I’ve ever read. You’ll see a book review on that later. I want to give it a fair shake and read the whole thing, but I’m not entirely sure I can submit myself to much more of the torture… we’ll see.

Thursday evening was the big RSA Codebreakers Bash and they really did it up right! There were several rooms full of fun, regardless of your taste. One room had a really good cover band and lots of music and dancing, another room had a huge bar area and light display I could have watched for hours. In one area, they had Guitar Hero full band playoffs, and in another yet bubble-head karaoke. Across the hall was a little more subdued, with more quiet sitting areas, perfect for chatting over a glass of wine. They also had crazy looking costumed ladies applying barcode tattoos to whomever was drunk enough to let them paste them on their forehead or face…. yeah… I have no clue about that one. I stopped in for about an hour before calling it a night. Thursday was day 6 in San Fran for me and I was exhausted. I did get some photos for you to try and capture the chaos. View photos from the Bash.

That pretty much sums up my day, and I left the hooplah on a Friday morning flight back to the East Coast. That’s about all I have from RSA 2008, but you’ll be hearing about some fun new projects and events that have grown out of this trip.

Next stop: Interop Las Vegas (yee-haw!)

# # #

This post was originally going to be a wrap up on RSA. In thinking about that, the current overcrowded state of the security industry came to mind.  This is a topic I have thought about before but in a AHA moment, I wanted to publish instead my own theory of security company relativity or why there are so damn many security companies. Like Einstein before me I have reduced relativity (OK not exactly the same kind of relativity and I ain't no Einstein) to a simple formula.  He had E=mc2, my formula is:

Where "A" equals the acquisition price of a security company, "R" equals the revenue of the company and "V" is the amount of venture money raised. The tilde squiggly line and the greater than sign are made up by me not to have a specific mathematical function but indicate that the amount of money raised is in relation to the revenue of the company  and is the exponential factor involved in finding the acquisition price.  I use squared in deference and in honor of Einstein's theory, but it actually means some exponent of the R and V, not necessarily the square of them. 

So what do I mean by this?  Let me explain.  It is no secret that there are too many security companies. In fact there are something like 800 in a space that would be challenged to support half that number.  Looking around the RSA show floor with some 350 companies or so represented, it is obvious that there is a lot of overlap and not very obvious what some of these companies do.  However, there is a very small number of security companies that are public and have revenue of over lets say 100 million dollars.  Of those the overwhelming majority are in the AV and firewall business.  In fact the smallest AV guys probably dwarf the revenue of most of the other security companies on the floor (Mike Rothman confirms this also).

In the past we have seen consolidation where the big fish eat the little fish. Everyone says we are going to see more consolidation and acquisitions in the time ahead. However, I would say recently that consolidation via acquisition is slowing down and many of those acquisitions are in fact at fire sale prices.  Too many companies are stuck in a purgatory of a slow death by a thousand little cuts or Chinese water torture as they fade into obscurity or irrelevance. As a result my prediction is we are going to see more companies go out of business ala Lockdown Networks, rather than see successful exits by many companies. Yes there will always be some that do well and using my formula will have a great exit, but too many are going to be forced to fire sale or go out of business. 

Why? The overwhelming majority of companies at RSA are stuck at a revenue level of somewhere between 5 and 20 million dollars. I would bet that covers 80% of the companies exhibiting at RSA.  Now 5 to 20 million is nothing to sneeze at.  But on top of this, they are not seeing their year to year growth rate break out substantially beyond that level.  Additionally, in order to grow the business to a sufficient level to support that type of revenue, they have probably raised anywhere from 25 to 40 million dollars over the years it takes to build to that revenue rate.  At those revenue levels and to support the base and modest growth, most of these companies are borderline profitable at best. In order to substantially grow the business would require even more capital.  That means raising more money, which in turns means having to sell for more to get a great return. There is the rub and where my formula comes into play. 

At these revenue levels, they cannot justify an acquisition price that returns a decent return to the investors.  Simply put they are hosed.  Lets say you have 10 million in revenue.  What can you hope to sell for?  A good number could be 40 to 80 million.  If you are 35 million in on VC money, you need every penny of that to return a profit and frankly the way VC's work, that doesn't leave a lot for the employees, founders, etc because of preferential positions and preferred stock. 

The simple answer is to raise the revenue number.  But most of these companies are growing at modest levels. On top of this, it is easy to go from 1 to 2, 2 to 4, 4 to 8.  You start going from 8 to 16 and 16 to 32, that gets tough.  Most of these companies can't do it.  The only way to do so, as I said is to raise more venture money, which means they need a higher acquisition price. They are stuck in security vendor purgatory. 

What is the way out for them or are they doomed?  My next post will talk about the answer.

This post was originally going to be a wrap up on RSA. In thinking about that, the current overcrowded state of the security industry came to mind.  This is a topic I have thought about before but in a AHA moment, I wanted to publish instead my own theory of security company relativity or why there are so damn many security companies. Like Einstein before me I have reduced relativity (OK not exactly the same kind of relativity and I ain't no Einstein) to a simple formula.  He had E=mc2, my formula is:

Where "A" equals the acquisition price of a security company, "R" equals the revenue of the company and "V" is the amount of venture money raised. The tilde squiggly line and the greater than sign are made up by me not to have a specific mathematical function but indicate that the amount of money raised is in relation to the revenue of the company  and is the exponential factor involved in finding the acquisition price.  I use squared in deference and in honor of Einstein's theory, but it actually means some exponent of the R and V, not necessarily the square of them. 

So what do I mean by this?  Let me explain.  It is no secret that there are too many security companies. In fact there are something like 800 in a space that would be challenged to support half that number.  Looking around the RSA show floor with some 350 companies or so represented, it is obvious that there is a lot of overlap and not very obvious what some of these companies do.  However, there is a very small number of security companies that are public and have revenue of over lets say 100 million dollars.  Of those the overwhelming majority are in the AV and firewall business.  In fact the smallest AV guys probably dwarf the revenue of most of the other security companies on the floor (Mike Rothman confirms this also).

In the past we have seen consolidation where the big fish eat the little fish. Everyone says we are going to see more consolidation and acquisitions in the time ahead. However, I would say recently that consolidation via acquisition is slowing down and many of those acquisitions are in fact at fire sale prices.  Too many companies are stuck in a purgatory of a slow death by a thousand little cuts or Chinese water torture as they fade into obscurity or irrelevance. As a result my prediction is we are going to see more companies go out of business ala Lockdown Networks, rather than see successful exits by many companies. Yes there will always be some that do well and using my formula will have a great exit, but too many are going to be forced to fire sale or go out of business. 

Why? The overwhelming majority of companies at RSA are stuck at a revenue level of somewhere between 5 and 20 million dollars. I would bet that covers 80% of the companies exhibiting at RSA.  Now 5 to 20 million is nothing to sneeze at.  But on top of this, they are not seeing their year to year growth rate break out substantially beyond that level.  Additionally, in order to grow the business to a sufficient level to support that type of revenue, they have probably raised anywhere from 25 to 40 million dollars over the years it takes to build to that revenue rate.  At those revenue levels and to support the base and modest growth, most of these companies are borderline profitable at best. In order to substantially grow the business would require even more capital.  That means raising more money, which in turns means having to sell for more to get a great return. There is the rub and where my formula comes into play. 

At these revenue levels, they cannot justify an acquisition price that returns a decent return to the investors.  Simply put they are hosed.  Lets say you have 10 million in revenue.  What can you hope to sell for?  A good number could be 40 to 80 million.  If you are 35 million in on VC money, you need every penny of that to return a profit and frankly the way VC's work, that doesn't leave a lot for the employees, founders, etc because of preferential positions and preferred stock. 

The simple answer is to raise the revenue number.  But most of these companies are growing at modest levels. On top of this, it is easy to go from 1 to 2, 2 to 4, 4 to 8.  You start going from 8 to 16 and 16 to 32, that gets tough.  Most of these companies can't do it.  The only way to do so, as I said is to raise more venture money, which means they need a higher acquisition price. They are stuck in security vendor purgatory. 

What is the way out for them or are they doomed?  My next post will talk about the answer.