An Information Security Place

Here is another guest post by WiFi Jedi

————————————————————————————

Can IT Vendors truly be objective? Or does everything they say have to be viewed through a lens of “they are trying to sell me something”?

Join me while I rant…

Personally, I think IT vendors can be objective.

Sure, we manufacture and sell things…

*Gasp* – We even profit from selling.

But that doesn’t mean we can’t be objective.

i.e. – I try to provide solid vendor-neutral information to the wireless community through my blog, http://wifijeidi.com.

(In fact, only 2 of the nearly 40 blog posts I have completed to-date have been about my employer, Xirrus.)

However, not everyone sees it that way.

Let me give you an example…

I requested press access to an industry event as a blogger.

However, I was told that I can’t get a pass of this nature because I work for a vendor.

Furthermore, I was told that bloggers of major publications (ComputerWorld, Network World, ZDNet, etc.) would qualify.

So I went out seeking a spot with one of these publications as one of their bloggers.

(I even had a solid lead directly to an editor with a reference from another well know blogger at one of these publications.)

However, I was turned down again. Because I work for a vendor.

My “commentary”…

Presumably, working for a vendor means that I can’t be objective. Which I personally think is %^&$*&!

Let’s take a look at some profiles of bloggers who have been picked up by these publications. I would like to take a closer look at two common blogger profiles: Value Added Resellers (VARs) and Independent Consultants.

I have noticed that if you work for a VAR, you can blog for major publications. Correct me if I am wrong – as a VAR, don’t you sell some vendor’s equipment, but not others? It would seem to me, in that position, it is possible to have nuances or conflicting agendas. At least working for a manufacturer, you know where my “official” loyalties are.

Other common profile for bloggers on these publications is that of an “independent” consultant. I would think a large portion of their livelihood depends on their ability to provide consulting services. If that’s the case, don’t you think they would blog about things that (at least indirectly) drive their own business? After all, their financial success is directly tied to the success of a single person - themselves. Working for a manufacturer (or any large organization) mitigates this factor because my financial situation is determined by the success of the group, and not by what I do or say to drive my own consulting business.

This isn’t intended as an attack on publications or their bloggers, just an honest discussion of how they can be objective, but somehow it is perceived that I can’t. What about my credentials?!?

Besides working for a vendor (for several months), I have also worked as a consultant and auditor (for many years). I hold over a dozen IT certifications, ALL of which are vendor-neutral. On my LinkedIn profile, I have the coveted “500+ connections”, many of who are employed by my competition – Aruba, Meru, Motorola, etc. I started my blog to serve as a thought leader and I am a frequent speaker at industry events, professional organization meetings, and universities.

If you know someone at an IT publication that is willing to have me as a wireless networking and security blogger, have them contact me at douglas.haider@xirrus.com

Wait, I had better not use my corporate email address. That might signal I can’t be objective. 

Instead, have them contact me at douglashaider@hotmail.com

Vet

Link to MP3

Episode 16 is up and running. Jim and I cover a lot of news again in this episode. Also, Jim goes a little crazy with the geek toys, but it is all really cool stuff and good info. We get into some PCI futures, playing off of Rich Mogull’s ideas on the subject. And we have a good cert discussion as well.

Show notes:

InfoSec News Update:

• Another Payment Processor Has Been Hacked

• Follow Up from last podcast – Chris Pagets ShmooCon session video is up

• Reported raids on federal computer data soar

• Backtrack 4 Beta Released

• FaceBook Privacy Changes

• Acrobat 0-Day running Wild

• XSS Stealing Data without a trace -”Our goal was to retrieve Web content anonymously,” says Matthew Flick, principal with FYRM Associates, who, along with fellow researcher Jeff Yestrumskas, demonstrated the XSS Anonymous Browser (XAB) framework at Black Hat DC yesterday. “We [said], ‘Why don’t we volunteer people for our network?’…Cross-site scripting can make people do things we want.

• Weaponizing Cyberspace

• Threats the Smart Phones Increase

• Intel’s new Bios Gets Slapped

• Researcher demonstrates SSL attack

• GNU Radio Kit – Universal Software Radio Peripheral
• Netbooks A Plenty – MSI Wind and Lenovo S Series
• Tmobile @home Service

Consultants Corner: Top three security certifications (uhhh, yeah…)

Music Notes:

• Intro/Outro – Digital Breaks – “Therapy”
• Segway 1 – Electric Touch – “Sounds From the Underground”
• Segway 2 – Junkyard Groove – “Thank You”
• Segway 3 – InnerLogics – “Bam’s GirlFriend”

I just got an eval PacketShaper 2500 for a few days from my local Bluecoat SE (Bluecoat bought them a few months ago).  I actually used to work with these boxes just about everyday a few years back.  I worked for a company that built apartment complexes for college students at a lot of major universities across the country.  We acted as the ISP for the students, and these complexes would house 500-1000 students.  These kids went EVERYWHERE on the Internet.  There were so many different types of traffic flowing around on those networks, and there was A LOT of it.  Students were constantly complaining about the slowness of there Internet connection.  Every day I was getting calls with someone griping.  So the company would spend a little more money and I would bond another T-1 to the two or three we had.  We would see improvement for MAYBE a day (two if we were lucky), then that pipe would fill up.

So we decided to bust out with the Packeteer boxes.  I would put in a box, and we would see every type of traffic imaginable within about an hour.  Back then Napster and Kazaa were the big bad boys.  These kids would kick off 10-20 downloads before they went to class and just let them run all day.  Multiply that by at least 100 students, and that traffic would just consume the pipe completely.  When that happened, the poor students just trying to surf the web for actual schoolwork would suffer horribly.

So when we started cutting that traffic off at the knees (either killing it entirely or making the bandwidth limit so low that it wasn’t worth it), things changed dramatically.  All of a sudden people were able to surf the web.  They could still download their music, but it would take a little longer (who cares if it is downloading while you are in class).  Everything just improved, and the calls almost completely stopped.  Of course, you always had the spoiled brat who complained because his DSL or cable at home was always fast and his online game never suffered there.  It was always fun trying to explain to some punk getting a degree in underwater basket weaving that he didn’t have 900 other people trying to download porn and music on his DSL at home.  What was more fun was explaining that I didn’t give a crap if Elf Quest was fast or slow and that he should probably be doing homework instead of screwing around with games.  But I digress…

Anyway, good stuff.  Click on the picture below to see some of the traffic on my little network (some purposefully generated by me). 

Vet

Yesterday was one of the few days that I bought a hard copy of the USA Today newspaper.  I get the Arizona Republic paper delivered to the house daily. I even get six copies of the Sunday paper  (don’t ask…)  I bought it because one headline on the cover page of the USA Today caught my attention.  It was “Who Might Rise From the Wreckage” with a subtitle of “It’s happened before – Cisco and MySpace emerged in tough times.  Tech can bloom again“.

The headline and subtitle brought up a good point.   In the economic crash of the late 1980’s, Cisco began it’s rise as one of the large tech companies.  The article mentions Facebook and MySpace as companies who had a similar rise after the dot-com crash.  Personally, I remember two *other* (more relevant to networking) companies who accomplished a similar jump in market share in the wake of the dot-com crash – Foundry Networks and Extreme Networks.

This economic downturn presents the same opportunity for tech companies to rise out of the aftermath stronger than when they entered.  Who are likely candidates this go-around?   I would suggest that the opportunity is particularly ripe for Wireless LAN vendors.

Why?  There are several reasons WLAN manufacturers have an opportunity to grab market share in this economy, especially compared to their wired counterparts.  Most reasons point back to the fact that organizations are now forced to do more with less.

During these times companies…

• …need to get more out of their employees – WLANs enable their employees to be connected everywhere in their enterprise all the time

• …will not want to invest in permanent infrastructure - WLANs can easily be moved from location to location vs. desktop switches / cabling

• …will want even tighter security because of dismissed employees and competitive pressures – WLANs allow for easy deployment of 802.1X port based authentication and can execute rapid adds and deletes

Which WLAN vendor is poised to take advantage of such a situation?  Aerohive? Bluesocket? Meru? Rukus? Xirrus?  Let me know what you think in the comments section!  Be sure to state specific reasons that you think one vendor will be able to gain more market share than another.  Also, if you like this post, check out my blog for related info such as 50 Questions K-12 School Districts Should Ask WLAN Vendors.

- WiFi Jedi

I had an interesting phone discussion a couple days ago with Veriwave’s CTO, Tom Alexander and VP of Marketing, Eran Karoly.  We were talking about field tools for testing the quality of installed wireless LANs.  At a high level, we all agreed that much of the field testing and verification for WLANs today have centered around data related to site surveys, such as signal strength, RF interference, and the coverage “footprint”.

There are many existing tools for testing wireless coverage ranging from embedded supplicant software & Netstumbler to more complex commercial tools such AirMagnet Site Surveyor or Motorola’s LANPlanner.  Check out my blog for more information about site surveys, including the difference between active and passive site surveys.  More sophisticated wireless engineers might also gather data regarding RF interference with a spectrum analyzer, such as the WiSpy DBx, or AirMagnet Spectrum Analyzer.

However, our conversation highlighted the need to expand WLAN installation and verification tools beyond the focus on complete WiFi coverage with low interference.  How do wireless vendors and/or VARs ensure that an organization’s business and technical requirements have been met?   A focus on signal strength neglects other critical areas such as roaming, quality of service, and security.  Additionally, there is often no verification of the proper configuration of the *wired* network.

We discussed how many of the testing tools available today focus on the wireless infrastructure (the APs, arrays, WLAN controllers) and lacked visibility into the client side of the equation.  Most testing seems to concentrate on laptops – but what about wireless VOIP phones, hand-held scanners, printers, and RFID?

The three of us on the phone, as well as everyone I have discussed this with since, seems to understand the inherent value of a more robust way to validate WLAN installations.  However, what are the costs?  Personally, I don’t see a good cost model for a product of this nature.  It seems that a system that tests both the infrastructure and clients across many functional boundaries would be extremely expensive, especially for a field testing unit (where vendors or VARs might need more than one kit as they are running multiple projects).

Many wireless LAN vendors can justify the capital expenditure of Veriwave’s existing test beds, because they are involved with testing new product lines, etc.   However, many vendors seem to have a bare bones professional services group and turn over that work to VARs.  I also can’t see many VARs purchase uber expensive field testing tools – many are too small to afford tools like the AirMagnet suite, let alone something more costly.  If VARs do purchase, they will inevitably have to pass along the cost to their customers. Is this viable either?  Why would a customer pay a higher cost to insure themselves against a WLAN that wasn’t properly field verified?  Customers should be able to do this by properly scoping their projects and enforcing the terms of their contract.

What do you think?  Do you see the value of such a tool?  Do you see an appropriate cost model?  Sound off in the comments below!

- WiFi Jedi

I wanted to take a second to introduce a good friend of mine who has recently started blogging and will also be guest blogging here from time to time.  This friend of mine is Douglas Haider.  He is a former coworker at Accuvant and is now working for Xirrus, a Wi-Fi company.

I have pimped Douglas’ SANS classes in the past on my blog before.  I have also worked on some gigs with him as well as attended some of his speaking engagements.  He has been around and has seen it all.  Basically, Douglas has some serious Wi-Fi and security chops.  I welcome him to the blogging ranks, and I am honored that he wants to guest blog here.

Here are some links so you can learn more about Douglas and read his stuff:

• Blog
• LinkedIn
• Twitter – @wifijedi

Vet

Link to MP3

Here is episode 15. There was a lot to cover in this episode. Jim and I were in discussion mode, so be prepared to sit down for a while longer than normal this time. Jim and I were also in a joking mood and consequently cracked ourselves up on this episode, so enjoy the laughter and comedy at a fellow human’s expense.

BTW, I am a milestone guy, and any time a “0″ or a “5″ is at the end of the episode number, I think it is cool. So 15 is a cool number to me. On to the show notes.

Show notes:

InfoSec News Update: whole lot of crap!

• FAA Security Breach Exposes 45K Employees
• AV makers Hacked – BitDefender and Kaspersky, More: Full Info on hackers Blog
• Electronics Firm Faces FTC Lawsuit Following Multiple Hacks – “The complaint alleges that until at least December 2007, Compgeeks (geeks.com) routinely stored this sensitive information in unencrypted text on its corporate computer network, among other security failures. The complaint also charges that the respondents did not adequately assess whether its Web application and network were vulnerable to commonly known or reasonably foreseeable attacks, such as SQL injection.”
• Identity thieves beat Obama to stimulus package punch
• Obama’s new CyberSec Chief Named
• Federal Workers Warned Of Potential Data Compromise At SRA
• Jailed SF network admin files $3M claim – Looks like the S.F. Mayor has some l33t admin skills because “Childs, formerly a network administrator with the city’s Telecommunications and Information Services (DTIS), had argued that the department’s staff was incompetent and that the mayor was the only person qualified to handle the passwords.”
• Heartland Breach Follow up – 157 institutions claiming issues – includes Bermuda, Canada, and Guam
• War cloning, the “new hacker sport”
• The latest MS Patches – One is for MS SQL, and there is exploit code out there

Discussion: File Under DUH! Unauthorized Web Use On The Rise

Consultants Corner: How does “Compliant” equal Owned?

Music Notes:

• Intro/Outro – Digital Breaks – “Therapy”
• Segway 1 – Munk – “DirtyWork”
• Segway 2 – Patent Pending – “Cheer up Emo Kid”
• Segway 3 – Fabienne Delson – “I’m Gonna Catch Me a Rat”

Most people probably would read the title of this blog post and think, “another idiot hit ‘Reply All’” and pissed a bunch of people off and Michael thinks it is funny”.  Well, you would right on two and three quarters of those points because the person who hit Reply All is not an idiot.  In fact, though it was accidental, it actually served a great purpose and hopefully taught someone a lesson.  So after that cryptic intro, here’s the story:

A client of mine (I have his permission to write this, even though I am not mentioning his name or his company’s name) is looking for a specific security product to cure a compliance pain they are currently having.  We work with a few companies that sell the type of product he is looking for, but we recommended the one of those that we think has the best answer for the problem our client is trying to solve.  Since that company came back with some fairly high prices, the client asked us to contact some of the competing vendors and setup some meetings.

Well, one of those competing companies we contacted immediately decided to sic their inside sales person on our client.  This inside sales guy was calling our client at least 3-4 times a day (if not more) and was sending multiple meeting requests and emails, even after we asked him to back off.  He then started calling from other numbers when the client started screening his calls.  It got to the point where our client was getting pretty upset and was asking us to make some further demands that the guy back off.  The client seriously had no desire to be mean to the inside sales person, and we certainly did not want to cause bad relations between our company and the vendor, but the customer obviously comes first.

So after a few days of this going on, our client decided to forward one of the vendor’s emails to our sales person.  Our client was nearing the end of his rope, so the email was frustrated in tone.  It pointed out that the inside sales person was making his company seem cheap and desperate, and it was written with some fairly strong language.  But of course, as you have probably guessed by now, the client accidentally hit reply all when he was trying to forward, causing the vendor to receive a copy of the email.  Our client says that he received cancellation notices for the multiple meeting requests that he had received from the vendor within about 5 minutes after his email went out, and he has yet to hear back from that inside sales person.

So, while all of this is funny and falls right in there with a lot of these types of stories, it really serves a purpose beyond the “be careful with email” lesson.  Though our client swears it was accidental, the “accident” actually served the purpose of which I spoke in the introduction paragraph (it got the client some peace), and it hopefully taught that inside sales person a few lessons, which are these: persistence does not mean annoyance, listen to your clients and partners, and, for goodness’ sake, BE SELF AWARE.  Think about what you are doing.  And if you ARE self aware and you are being forced to make all these calls by your management, you might want to ask yourself why they are making you do this.  Is your company about to tank?  Do you need to start looking for a job?  Are you going to give yourself a bad reputation in the industry by making these calls and pissing people off?  Think about what you are doing and how you can do it better.

And another lesson: if you persist in pissing off my client, I have no qualms in calling in some favors from some friends of mine named Vito and Santino.

Vet