Dmarti's blog over on LinuxWorld has an article up titled "Dumbest networking vendor idea since Network Access Control", which talks about what a dumb idea it is for Cisco to allow Linux apps to run on their ISR routers. Besides the fact that the title of the article alone is enough to make me want to tear this one apart, the underlying logic of the authors argument is just weak.

On one hand he talks about why would someone want to run Linux apps on a router, it is potentially bad design. On the other hand he says it is better to run them on a cheaper router alternative like Vyatta and than spouts some PR by Vyatta about their price/performance advantage over Cisco.  They back up this advantage with "3rd party testing".  Turns out the testing is by Tolly Group.  Oh, now that changes everything.  Have any of you ever had a Tolly evaluation done? Anytime you submit a form that contains what you would like to see the testing show in the final report and the final report shows it, well you know what I am saying. But seriously if it is good for Vyatta, why would it not be also good for Cisco?

Here is the real issue though that the author misses.  We live in an age of convergence!  The idea of having a stand alone box that only does routing is history and when Cisco themselves acknowledge it, you know it is fact.  People want more functionality out of their hardware.  Now that is not to say that your router should be your database server or mail server.  But there are certainly network functions that make sense to put on a router. Security is a no brainer to start. IPS, VPN, firewall, gateway AV- easy.  What about network functionality like DHCP, DNS, Radius, etc.  How about some next gen network stuff like WAP and VOIP?  That would make sense. By embracing Linux on the router all of these things and more are possible.  By the way you can do all of this now with our own Cobia platform.

That's right, we had this idea 2 years ago and have been working on it since.  With the convergence of networking, security, VOIP and wireless technologies, why wouldn't you want a multi-use box that can deliver all of this.

Dmarti's blog over on LinuxWorld has an article up titled "Dumbest networking vendor idea since Network Access Control", which talks about what a dumb idea it is for Cisco to allow Linux apps to run on their ISR routers. Besides the fact that the title of the article alone is enough to make me want to tear this one apart, the underlying logic of the authors argument is just weak.

On one hand he talks about why would someone want to run Linux apps on a router, it is potentially bad design. On the other hand he says it is better to run them on a cheaper router alternative like Vyatta and than spouts some PR by Vyatta about their price/performance advantage over Cisco.  They back up this advantage with "3rd party testing".  Turns out the testing is by Tolly Group.  Oh, now that changes everything.  Have any of you ever had a Tolly evaluation done? Anytime you submit a form that contains what you would like to see the testing show in the final report and the final report shows it, well you know what I am saying. But seriously if it is good for Vyatta, why would it not be also good for Cisco?

Here is the real issue though that the author misses.  We live in an age of convergence!  The idea of having a stand alone box that only does routing is history and when Cisco themselves acknowledge it, you know it is fact.  People want more functionality out of their hardware.  Now that is not to say that your router should be your database server or mail server.  But there are certainly network functions that make sense to put on a router. Security is a no brainer to start. IPS, VPN, firewall, gateway AV- easy.  What about network functionality like DHCP, DNS, Radius, etc.  How about some next gen network stuff like WAP and VOIP?  That would make sense. By embracing Linux on the router all of these things and more are possible.  By the way you can do all of this now with our own Cobia platform.

That's right, we had this idea 2 years ago and have been working on it since.  With the convergence of networking, security, VOIP and wireless technologies, why wouldn't you want a multi-use box that can deliver all of this.

Last week I came down pretty hard on Air Defense (here and here) for phishing WAPs at the InfoSecWorld trade show. Well just to show you that sometimes people make mistakes and if you blog it, you may get it addressed, I wanted to share the following email that I received today. I have redacted out the names to protect the innocent and the guilty.

Alan,

Let me start by first apologizing for any inconvenience I might have caused you or any other vendor at InfoSec World. You can be assured that next time I will collect alarms in the privacy of my own home prior to going to a convention.  I setup a test box during the vendor setup on Monday, this is a tool we use to show some wireless attacks.  After about an hour I shut it off, I was using it to gather some historical data to show in Advance Forensic.  If I recall correctly it did run it for about 5-10 minutes the 2^nd day after the demo crashed and we lost the data I collected on Monday (plug was kicked out).  This was very brief and not intended to be harmful. 

The intent behind using the page with AirDefense was in case anyone who saw the page could at least ask us why it happened and we could apologize and explain that it was just temporary.  JOHN DOE, the gentlemen you spoke with, was not aware of my actions nor was anyone else from AirDefense. I did ask him to point you out so I could apologies and let you know it should no longer be a problem but he didn???t see you.   I unplugged the test box just in case it was still doing something behind the scenes.  Once again I do apologize for any issues I may have caused.  If you have any questions or comments please feel free to call.  Also thanks for making us aware that it may have still been phishing people off their APs.

Thanks,

So to this Air Defense engineer, I take you at your word and apology accepted.  I am glad to hear that Air Defense does not condone this as a legitimate trade show tactic. Go in peace and sin no more ;-)

Last week I came down pretty hard on Air Defense (here and here) for phishing WAPs at the InfoSecWorld trade show. Well just to show you that sometimes people make mistakes and if you blog it, you may get it addressed, I wanted to share the following email that I received today. I have redacted out the names to protect the innocent and the guilty.

Alan,

Let me start by first apologizing for any inconvenience I might have caused you or any other vendor at InfoSec World. You can be assured that next time I will collect alarms in the privacy of my own home prior to going to a convention.  I setup a test box during the vendor setup on Monday, this is a tool we use to show some wireless attacks.  After about an hour I shut it off, I was using it to gather some historical data to show in Advance Forensic.  If I recall correctly it did run it for about 5-10 minutes the 2^nd day after the demo crashed and we lost the data I collected on Monday (plug was kicked out).  This was very brief and not intended to be harmful. 

The intent behind using the page with AirDefense was in case anyone who saw the page could at least ask us why it happened and we could apologize and explain that it was just temporary.  JOHN DOE, the gentlemen you spoke with, was not aware of my actions nor was anyone else from AirDefense. I did ask him to point you out so I could apologies and let you know it should no longer be a problem but he didn’t see you.   I unplugged the test box just in case it was still doing something behind the scenes.  Once again I do apologize for any issues I may have caused.  If you have any questions or comments please feel free to call.  Also thanks for making us aware that it may have still been phishing people off their APs.

Thanks,

So to this Air Defense engineer, I take you at your word and apology accepted.  I am glad to hear that Air Defense does not condone this as a legitimate trade show tactic. Go in peace and sin no more ;-)

OK I am out of Orlando and Infosec World and now in DC for some meetings in this week's version of the Shimel world tour.  I wanted to put some finishing touches on the trade show though and some previous posts. 

First on the issue of Air Defense spoofing SSIDs to direct people to their site which I wrote about yesterday. Several people wrote to me privately and confirmed that indeed this is something that the Air Defense people have been doing for several years evidently at trade shows. They also agreed that while showing what their product can do, it is a pretty sleazy way of doing business and they are turning off more people than they win over doing it.  Real life example is someone tried to show someone a web site and were unable to do so initially because their machine would automatically log into the spoofed SSID of the Air Defense WAP. I have someone sending me a picture showing the spoofing in action in case anyone disputes that Air Defense actually stooped this low.  In fact let me tell you what I did on this one.

I went over to the Air Defense booth when there was no one else around.  I pulled the guy over and told him that I know what they were doing and I think it is pretty sleazy and they should stop spoofing SSIDs as it made them look sleazy.  At first the Air Defense dude played dumb and said he was not aware they were doing that.  Than I pointed out to him that the laptops they had set up right next to their WAP at the booth were showing the same Air Defense we have hijacked your wireless page that others were getting. I asked him to show me what SSIDs they were attaching to, to get to that page. He realized at that point that I had called BS on his story and said he would correct it. 

Now my young friend from Air Defense did not realize that when I walked away from his booth, I stopped just a both or two down and watched.  I saw him go over and tell his other booth buddy about what I said, they laughed like they were quite the hot stuff and didn't do a darn thing about it, as I checked the SSIDs a few minutes later.  That is OK a word to the show organizers about other exhibitors having problems with connectivity due to Air Defense's sleazy ways will put an end to them doing that in the future.  In fact I encourage my many security vendor readers to make sure and make show organizers aware of what Air Defense does at these shows and put an end to it once and for all. If they can't police themselves and act in a decent manner, I guess we will have to do it for them.

Other shows news - We had a booth next to Ken Belva launching his new info sec blog magazine which I wrote about they other day. I never met Ken in person before, it was good to meet both him and his dad. Always fun to spend some time with fellow NY'ers. Also, it always amazes me at the end of shows when the "adult trick or treaters" come out with their shopping bags looking to load up on chachkis.  Whether it be a foam little computer, StillSecure branded chap stick (that was a big hit this show) or anything else not nailed down, these people have no interest in your products or anything, they just want to know what they can bring home for free.  There is always a big competition for our fit balls which have become a trademark of ours over the years.  We are the company with big (fit) balls.

All in all, it was a great show.  Good catching up with folks, meeting new ones and keeping abreast of security news. Not sure why they "pit bull of self help" was a key note speaker but he was interesting if not security related per se.  This show has me really looking forward to RSA!

OK I am out of Orlando and Infosec World and now in DC for some meetings in this week's version of the Shimel world tour.  I wanted to put some finishing touches on the trade show though and some previous posts. 

First on the issue of Air Defense spoofing SSIDs to direct people to their site which I wrote about yesterday. Several people wrote to me privately and confirmed that indeed this is something that the Air Defense people have been doing for several years evidently at trade shows. They also agreed that while showing what their product can do, it is a pretty sleazy way of doing business and they are turning off more people than they win over doing it.  Real life example is someone tried to show someone a web site and were unable to do so initially because their machine would automatically log into the spoofed SSID of the Air Defense WAP. I have someone sending me a picture showing the spoofing in action in case anyone disputes that Air Defense actually stooped this low.  In fact let me tell you what I did on this one.

I went over to the Air Defense booth when there was no one else around.  I pulled the guy over and told him that I know what they were doing and I think it is pretty sleazy and they should stop spoofing SSIDs as it made them look sleazy.  At first the Air Defense dude played dumb and said he was not aware they were doing that.  Than I pointed out to him that the laptops they had set up right next to their WAP at the booth were showing the same Air Defense we have hijacked your wireless page that others were getting. I asked him to show me what SSIDs they were attaching to, to get to that page. He realized at that point that I had called BS on his story and said he would correct it. 

Now my young friend from Air Defense did not realize that when I walked away from his booth, I stopped just a both or two down and watched.  I saw him go over and tell his other booth buddy about what I said, they laughed like they were quite the hot stuff and didn't do a darn thing about it, as I checked the SSIDs a few minutes later.  That is OK a word to the show organizers about other exhibitors having problems with connectivity due to Air Defense's sleazy ways will put an end to them doing that in the future.  In fact I encourage my many security vendor readers to make sure and make show organizers aware of what Air Defense does at these shows and put an end to it once and for all. If they can't police themselves and act in a decent manner, I guess we will have to do it for them.

Other shows news - We had a booth next to Ken Belva launching his new info sec blog magazine which I wrote about they other day. I never met Ken in person before, it was good to meet both him and his dad. Always fun to spend some time with fellow NY'ers. Also, it always amazes me at the end of shows when the "adult trick or treaters" come out with their shopping bags looking to load up on chachkis.  Whether it be a foam little computer, StillSecure branded chap stick (that was a big hit this show) or anything else not nailed down, these people have no interest in your products or anything, they just want to know what they can bring home for free.  There is always a big competition for our fit balls which have become a trademark of ours over the years.  We are the company with big (fit) balls.

All in all, it was a great show.  Good catching up with folks, meeting new ones and keeping abreast of security news. Not sure why they "pit bull of self help" was a key note speaker but he was interesting if not security related per se.  This show has me really looking forward to RSA!

I have nothing against marketing but think that is pretty sleazy. If they have their WAP SSID labeled correctly and you want to connect to it fine. But hijacking other SSIDs is wrong. Shame on Air Defense.

So then I start messing around with it, and I narrow it down to one of the things that’s more legacy than anything, the now fixed, MS mhtml bug. Uh oh. Yup, the mhtml bug appears to crash mobile Opera instantly. So back to keeping JS turned off, I guess (I haven’t tested if there is another way to cause the crash using a redirection or an iframe, but it takes a long time to test, so I’ll leave that to another day).

Then I start messing with the other options, like the “Identify as” function. With it turned to “handheld device” the user agent reads, “MOT-Q9/01.04.35R Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; Smartphone; 320×240) Opera 8.65 UP.Link/6.3.1.17.0″. Eesh! It gives my actual device type! So then I turn the setting to “desktop computer” it turns to “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Opera 8.65 [en] UP.Link/6.3.1.17.0″. Okay, fair enough, that appears to be the more secure setting as at least it doesn’t say the revision and model number of the phone.

That is, of course, until you look at the rest of the headers:

HTTP_ACCEPT = application/xhtml+xml, application/vnd.wap.xhtml+xml, text/html, text/vnd.wap.wml, application/vnd.wap.wmlc, */*,text/x-hdml,image/mng,image/x-mng,video/mng,video/x-mng,image/bmp,text/html
HTTP_ACCEPT_CHARSET = iso-8859-1, utf-8, utf-16, *;q=0.1,*
HTTP_ACCEPT_ENCODING = deflate, gzip
HTTP_ACCEPT_LANGUAGE = en
HTTP_CACHE_CONTROL = no-cache
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Opera 8.65 [en] UP.Link/6.3.1.17.0
HTTP_VIA = 1.1 alnmagr1fe09WAP2-mbl
HTTP_X_UP_DEVCAP_ACCEPT_LANGUAGE = en
HTTP_X_UP_DEVCAP_CHARSET = utf-8,ISO-8859-1,US-ASCII,UTF-16,GB2312,BIG5
HTTP_X_UP_DEVCAP_ISCOLOR = 1
HTTP_X_UP_DEVCAP_NUMSOFTKEYS = 2
HTTP_X_UP_DEVCAP_SCREENDEPTH = 16
HTTP_X_UP_DEVCAP_SCREENPIXELS = 320,240
HTTP_X_UP_DEVCAP_SMARTDIALING = 1
HTTP_X_UP_SUBNO = ppu_105cb54061e_vmag.mycingular.net
HTTP_X_WAP_PROFILE = “http://uaprof.motorola.com/phoneconfig/q-umts/Profile/mot-q9.rdf

Okay, so now we know my provider how big my screen is, that it’s a mobile device of course (the reference to wap), but more importantly we get the actual profile of the phone in the RDF file with all the settings, so you know exactly what may or may not work against the phone! Geez! Talk about giving up too much info! I hardly consider myself a cell phone hacker (for that you’ll need to talk with the Flexillis guys) but in 5 minutes I found all that - that’s not a good start. Whelp, so much for surfing from my phone!