Here's a first for the TaoSecurity Blog. As mentioned in a pre-review, I planned to read Practical VoIP Security and then write a Amazon.com review. I'd had a bad experience reading VoIP Security, so I hoped this new book would be better. Wrong.
My policy for writing Amazon.com reviews is that I read either the whole book, or the vast majority of it. With Practical VoIP Security, I couldn't make it past the first chapter. In fact, by page 4 -- the third page of text -- I was frustrated. In three pages the author (who was the lead author and technical editor) had mentioned terms like PBX, SS7, H.323, SIP, SNMP, VoIP, and SIGTRAN (which never appears again in this book!) without explaining any of them. I am familiar with all except the last, but I should not have to rely on past knowledge when reading the introductory pages of a "practical" book. The first chapter, overall, is a rambling collection of ideas that do nothing to prepare the reader for what follows.
If you want more details, I found Rob Slade's review to be good.
On a note related to Intruders Selling Security Software, I found this interview with the lead author of Practical VoIP Security to be a sign of foolish boasting or outright deception:
CSOonline: What is your background, and why are you called a hacker?
-name omitted-: I’m a hacker in the more traditional sense. Old-school hackers want to learn how things work and try to take it apart or gain access out of curiosity. Getting into networks and systems is good or bad based on your vantage point. Most traditional hackers do it just to see if they can, but they’re not there to steal information or destroy the integrity of a system. (emphasis added)
I'm setting you up for material to follow. You might guess the "vantage point" comment doesn't sit well with me. The interview continues.
Can you mention some of your notorious hacks?
Nothing that I’ve done has made public news, and there are some things I’d rather not mention. I did raise the interest of the Defense Department once, but I’ve never been involved in any criminal activity. At one point in my career, I was interested in finding proof of alien life, so I did access the network at China Lake, also known as Area 51 in Roswell, New Mexico. (emphasis added)
Oh, you mean the super-secret Naval Air Weapons Station China Lake, home of the MAJIC Morale, Welfare and Recreation office? I think this hax0r was trying to find Groom Lake, and if that were the case we wouldn't be hearing from him.
The interview continues:
How does a hacker disclose his or her credentials?
There are two kinds of hackers. Those who do it to impress their friends or become famous, and those that you don’t know about. The really good, and smart, hackers won’t tell you that they are hackers. Many of them are also not very sociable--they keep what they do on the QT, and if they have real credentials or experience, they don’t say anything about it. (emphasis added)
Now you see why I added emphasis to the first paragraph. Sigh. Why are people like this getting attention from the media?
I guess I'm going to have to wait for Hacking Exposed: VoIP in December. For general books on VoIP, Switching to VoIP and VoIP Hacks by Ted Wallingford look good.