Be on the wave or under it
The News – 03/03/06
VoIP Security Is Horrible
Sure, the CTO of BorderWare was trying to scare us. After all, his company makes security equipment. But Andrew Graydon made a lot of sense and had me shaking my head in sadness when he presented at the second VoIP Consortium event in February.
According to Graydon, Voice over Internet Protocol (VoIP), and especially related technology called Session Initiation Protocol (SIP), combines the security flaws of two very insecure Internet protocols: HTTP, which is what transports Webpages, and SMTP, which is what transports email, and, unfortunately, spam, which is now 67 percent of all email.
VoIP is the process of sending telephone calls over an IP network such as the Internet. VoIP equipment digitizes callers’ voices and turns them into a data stream. Unfortunately, much of the information used to establish and maintain a VoIP call via SIP is transported in clear text and is easy to spoof, fake, or alter.
One of the simplest vulnerabilities concerns caller ID. In a SIP session, the caller ID comes from the From field, just like in an email. You probably have spam sitting in your spam filter or your email box right now that purports to be from PayPal or your bank or some other reputable person or business. That’s possible because SMTP headers, which contain information about the email message such as whom it’s from, are transported in the clear, and thus can be hacked. It’s not even that hard to do.
So when you get a phone call on your POTS (Plain Old Telephone Service) phone purporting to be from, say, Bill Gates, it ain’t necessarily so. On most VoIP/SIP equipment, you input the From information yourself. Unbelievable.
There is already a big problem with miscreants who prey on elderly or vulnerable adults, pretending to be from the bank or the mortgage company and needing confidential information such as passwords or Social Security numbers. Imagine how much easier that will become if the bad guys simply buy VoIP phones! The caller ID would say “Wells Fargo” or “PayPal” or whatever the crook wanted.
Another vulnerability concerns what are known as Denial of Service (DoS) attacks. No, this isn’t a flashback from the bad old days of DOS-based PCs; DoS attacks attempt to bring down a server or a service by pelting it with repeated or malformed requests. Eventually the service becomes so busy dealing with the bogus requests that it denies service to legitimate users, and may ultimately crash, or worse, fail in a way that allows entry to a hacker.
It is trivially easy to flood a VoIP system with SIP requests for service, Graydon said. In fact, it happens inadvertently on a regular basis on large VoIP-based networks. All it takes is an interruption in VoIP service, like when the VoIP server goes down. When the system comes back online, every VoIP device peppers the server with SIP registration requests so that it can resume service. Unless the equipment or network is architected correctly, the server can go right back down again, smothered by thousands of simultaneous requests.
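As an added example (not from the article or from BorderWare's product), here is a small Python sketch of the two checks a SIP proxy or firewall makes against the problems above: comparing the clear-text From caller ID with the identity the sending device actually registered, and counting REGISTER requests in a sliding window so a post-outage registration storm is flagged before it takes the server down again. The sample messages and the alice@example.net identity are constructed.

```python
import re
from collections import deque

SIP_URI = re.compile(r"<?sip:([^@>;\s]+)@([^>;\s]+)>?")

def parse_sip(raw):
    """Split a raw SIP request into (method, {header-name-lowercase: value})."""
    lines = raw.strip().splitlines()
    method = lines[0].split()[0]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, headers

def sip_user(header_value):
    """Pull user@host out of a From/To/Contact header value."""
    m = SIP_URI.search(header_value)
    return f"{m.group(1)}@{m.group(2)}" if m else None

def from_mismatch(raw, registered_identity):
    """True when the caller-ID text in From (attacker-controlled clear text)
    differs from the identity the sending device actually registered with."""
    _, headers = parse_sip(raw)
    return sip_user(headers.get("from", "")) != registered_identity

class RegisterRateMonitor:
    """Sliding-window count of REGISTER requests; flags a registration storm."""
    def __init__(self, window_s=1.0, limit=100):
        self.window_s, self.limit, self.times = window_s, limit, deque()

    def observe(self, t, raw):
        """Feed one message arriving at time t (seconds); True if over limit."""
        method, _ = parse_sip(raw)
        if method != "REGISTER":
            return False
        self.times.append(t)
        while self.times and t - self.times[0] > self.window_s:
            self.times.popleft()
        return len(self.times) > self.limit

# Constructed sample messages (not real traffic): an INVITE whose From claims
# to be a bank, sent by a device registered as alice@example.net, and the
# REGISTER a phone sends when it comes back after an outage.
SPOOFED_INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\n"
                  'From: "Wells Fargo" <sip:support@bank.example>;tag=1\r\n'
                  "To: <sip:bob@example.net>\r\n"
                  "Contact: <sip:alice@192.0.2.10>\r\n")
REGISTER = "REGISTER sip:example.net SIP/2.0\r\nFrom: <sip:alice@example.net>\r\n"
```

Feeding 200 copies of REGISTER within one second to a monitor with limit 50 raises an alert on every request past the fiftieth, which is the "thousands of simultaneous requests" case scaled down.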
Luckily, Graydon’s company sells SIPAssure SIP Firewall, a device that takes care of these and other security threats (whew!). There are others in the market as well, and we’ll be hearing more about this topic for sure as VoIP becomes more widespread. You can hear Graydon discuss VoIP security threats on this podcast.
Lest we think this is the only emerging threat to our communications capabilities, Graydon also mentioned two new acronyms that represent new classes of threats:
SPIM – Spam over Instant Messaging
SPIT – Spam over Internet Telephony
So now you have two new things to worry about!
- Shameless Self-Promotion Dept.: I was interviewed for ManagementFirst’s Feature of the Month and got to toot my horn for a bit.
The WiMAX Guys’ main business is new installs for people who want to set up wireless hotspots such as hotels, warehouses, apartment buildings, and office buildings or hotzones that cover cities. We also sell a knowledge-based Web portal called the MAX K-Base. Check out our main Website at www.TheWiMAXGuys.com.
The first chapter of my wife’s novel, Knowing What You Know Today, is up on her Website. The rest of the book costs money – now at a new lower price! – but it’s well worth it, believe you me. Check it out at www.debellsworth.com.
Many issues ago I debuted SNS Begware, an opportunity for you, gentle reader, to express your appreciation by tipping your server via PayPal. See the sidebar for more info. Total in the kitty so far: $111.48.
And now that I’m partnered with one of the largest advertisers on the planet, Google, that should be kicking in serious coin to the StratVantage coffers. Let’s see. The current total is: $48.07. Great. BTW, I am informed that I can’t ask you to read this issue on the Web and click on the ads due to Google’s terms of service. So don’t. You can, however, shop at Amazon, pay nothing additional, and send a spiff to me.
- Top 10 Funny Spammer Names – I recently received spam from the following preposterously named individuals:
10. Boxcar E. Horsewhip
9. Regretfully K. Vortex
8. Hormones A. Ceiling
7. Inamorata U. Laughed
6. Cusp B. Calories
5. Supplanted S. Neptunium
4. Subjectivity F. Lemoning
3. Reincarnates K. Overruled
2. Biweeklies T. Parabola
And the number 1 Top Funny Spammer Name:
1. Paddle P. Spitefullest
- FISH of the Day: Alert SNS Reader Seth Freeman sent along this Forwarded Serial Internet Humor:
A girl came skipping home from school one day. "Mommy, Mommy," she yelled, "We were counting today, and all the other kids could only count to four, but I counted to 10. See? 1,2,3,4,5,6,7,8,9,10!"
"Very good," said her mother.
"Is it because I'm blonde?" the girl asked.
"Yes, it's because you're blonde."
The next day the girl came skipping home from school. "Mommy, Mommy," she yelled, "We were saying the alphabet today, and all the other kids said up to D, but I said it up to G. See? A,B,C,D,E,F,G!"
"Very good," said her mother.
"Is it because I'm blonde, Mommy?"
"Yes, it's because you're blonde."
The next day the girl came skipping home from school. "Mommy, Mommy!" she yelled, "We were in gym class today, and when we were showering, all the other girls had flat chests, but I have these!" She lifted up her tank top to reveal a well-developed bosom.
"Very good," said her embarrassed mother.
"Is it because I'm blonde, Mommy?"
"No, Honey, it's because you're 24."
- Sixty Years of Computing – ENIAC, the first computer, turned 60 in February and it reminded me of the proposal in 1931 to turn off all electricity to honor Thomas Edison’s death. Barely 50 years after Edison built the first power station for consumers in New York City, the world was already so dependent on his inventions that the idea was immediately discarded. Today, the idea of turning off all our computers, even for a nanosecond, strikes one as even more unthinkable.
Electronic Numerical Integrator and Computer (ENIAC) booted up on February 14, 1946, at the University of Pennsylvania's Moore School of Electronics. The two men most responsible for its development, J. Presper Eckert and John W. Mauchly, went on to build the Univac and also founded a precursor to Unisys Corp.
According to a Computerworld interview with Eckert, the idea that ENIAC was a glorified calculator is rubbish. “ENIAC could do three-dimensional, second-order differential equations. We were calculating [artillery] trajectory tables for the war effort. The trajectory tables were calculated by hundreds of people operating desk calculators -- people who were called ‘computers.’ So the machine that does that work was called a computer.” The machine did all this with 200 bits of memory.
Eckert died in 1995, and I don’t remember any particular fanfare at his passing. So as you use your modern personal computer, most likely equipped with megabytes (with each megabyte equal to 8,388,608 bits) of memory and gigabytes of disk (8,589,934,592 bits each), to send an email or browse a Webpage or play Solitaire, take a break and consider how far we’ve come and how much we owe to ENIAC and its creators.
- The Ultimate Gaming Machine – OK, I know I’m not the demographic for this product, being a crusty old boomer, but I just don’t know what these guys were thinking. Nissan is readying the Nissan URGE Concept Car that features a built-in Xbox gaming machine. Well, that’s bad enough, as far as I’m concerned, but the screen faces the driver! It doubles as the rear view mirror, for pity’s sake!
Calm down, calm down, the Xbox only works when the car is in park and certainly no Gen X or Y gamer is likely to be able to circumvent that little inconvenience.
But wait; it gets better. You use the car’s steering wheel and gas and brake pedals to play the game, PGR 3, “which allows drivers to control a breathtaking trip through the streets of five photo-realistic locations: New York City, London, Las Vegas, Tokyo and the Nurburgring test track in Germany,” according to Microsoft. What, no gear shift involvement? Oh, right. Gotta stay in Park.
Microsoft’s last breathless claim pretty much says it all. The URGE/Xbox melding “blur[s] fantasy and reality in a way that the automotive world has never before seen.”
- BMW Gets Google Death Penalty – In a move reminiscent of Seinfeld’s Soup Nazi, search engine giant Google has given BMW the death penalty for trying to game Google’s relevancy ratings system. “No ads for you! Come back, one year!” said Google to two German companies, BMW and Ricoh.
These big companies were caught doing what many search engine optimization (SEO) companies do for their clients. The black art of improving search engine rankings by necessity involves doing things Google and the other search engines don’t like. So if you’re contemplating using an SEO firm, make sure you know what their methods are, and how “out-there” they are before signing up.
‘Course you could always use me, and you’d be just fine. ;=}
- It’s Good to be King? – Howard “King of All Media” Stern is involved in a $500 million lawsuit by CBS Radio, his old radio home. Seems he was repeatedly ordered to not promote his impending move to Sirius satellite radio and yet still spent lots of time – at least 40 straight minutes in one show – beating the drum for his new show. He substituted the phrase “uh-uh” for the word “Sirius,” which of course fooled no one. Ad Age estimated the 40-minute rant alone was equivalent to $1.2 million in free advertising.
As much as I despise Howard’s taste, there will always be a soft spot in my heart for a long-ago bit about a guy who used logging equipment to dispose of the body of his wife. The bit features a song parody sung by Felix Cavaliere of the Young Rascals. The title? Why, “Chippin’ (On a Sunday Afternoon)” of course.
- Minorities Excluded from Government Grant System! – Shocking, isn’t it?! In this day and age, it’s just hard to believe the federal government has the temerity to exclude minorities from the bidding process for $400 billion in grants! Fully two percent of the population is excluded from participating in this potentially lucrative process. The minorities involved? Mac users.
The new "Grants.gov" system, a revamping of the government’s granting process that will cost $22 billion, aims to replace paper applications with electronic forms. It is being phased in at the first of 26 government agencies, including the National Institutes of Health and the Department of Housing and Urban Development. But, oops, the Web-based process doesn’t run on Macs.
Grants.gov gets more than a million hits every day and accepted more than 16,000 grant applications last year and even more in the last month. Now, of course, it would be easy for Mac users to participate. All they have to do is truck down to their local library, or across campus to the PC lab, with their thumb drive full of the supporting documentation for their grant applications.
As I often tell Alert SNS Reader Peter Ellsworth, Ph.D., who passed along this item, that’s what you get for using a minority operating system. I mean, the Mac mouse still has only a single button, for crying out loud! Mine’s got five!
Washington Post (registration required)
- English v. Angel: In a previous SNS I ran a small item about a site run by Paul English that contains the steps necessary to bypass those annoying Interactive Voice Response (IVR) phone menus you get when calling big companies.
After English was interviewed by major television and print media reports, he came to the attention of Angel.com, a maker of IVR systems. Angel created a cheat sheet of its own called “The IVR Cheat Sheet for Businesses,” which is fine, and an interesting response from an IVR vendor. What isn’t so fine is an additional step the company took: It bought the Google keyword “Paul English” so that anyone using the search engine to find English’s list will see a featured link to Angel’s Website. Kinda sleazy.
In a possibly related development, the company is apparently using a technique that I’m surprised is not more widespread: having a fabricated person post on blogs and other high profile sites waxing rhapsodic about the wonders of Angel.com’s IVR services. “Kate Robins” made a comment, for example, on Wall Street Journal columnist Jeremy Wagstaff’s blog. He tried to contact her to do an interview, but the email bounced. He tracked her IP address to the Washington, DC area, not far from Angel.com’s McLean, VA headquarters. Wagstaff said, “I wish I could say my sleuthing took me further. But I could find no Kate Robins in the phone book, no sign of someone with that Yahoo address on Google, or anyone on eBay who might be her dad (not that surprising; it’s a big place).”
An old boss of mine used to use this masquerade technique to pump the company’s stock on Yahoo Finance. It was and is sleazy, way worse than purchasing Google keywords to capitalize on someone else’s fame.
Angel.com IVR Cheat Sheet for Businesses
- If You’ve Made it This Far: Alert SNS Reader Ken Florian was the winner of our first Obscure Reference Contest and now Alert SNS Reader Derek Dysart has picked up the coveted SNS Obscure Reference Useless Memory Trophy.
Derek correctly identified the Obscure Reference – I’m Riding on Sunshine, Waa-ooh! – from a previous SNS as referring “to ‘Walking on Sunshine’ originally released by Katrina and the Waves.” Derek had no chance on getting the second part of the question, which was to identify my favorite cover of the chorus. You pretty much would have to be related to me to get it.
My brother Jeff taught my then-3-year-old oldest son, Zack, to respond, “Waa-Ohh” whenever anyone said, “I’m walking on sunshine . . .” Zack is now 23 and 6-foot-four.
The last one was an easy one, but I guess the current contest has got you all flummoxed. Wimps! I expect better of Alert SNS Readers, but not a one of you has hazarded a guess.
I’m looking for the name of the album that featured an encounter between Johnny Pissoff and a guy with smooth hands as well as a Grateful Dead jam, and an ode to Captain Beefheart’s shoes. Extra points for including a link to the MP3 of the J. Pissoff epic, and, of course, for identifying the cover of “Walking on Sunshine” that I heard once.
Because it makes such a cool trophy, the prize is now two sticks of completely useless memory.
Copyright © 2000-2008, StratVantage Consulting, LLC. All rights