Monday, August 28, 2006

Non-Review: Practical VoIP Security

Here's a first for the TaoSecurity Blog. As mentioned in a pre-review, I planned to read Practical VoIP Security and then write a Amazon.com review. I'd had a bad experience reading VoIP Security, so I hoped this new book would be better. Wrong.

My policy for writing Amazon.com reviews is that I read either the whole book, or the vast majority of it. With Practical VoIP Security, I couldn't make it past the first chapter. In fact, by page 4 -- the third page of text -- I was frustrated. In three pages the author (who was the lead author and technical editor) had mentioned terms like PBX, SS7, H.323, SIP, SNMP, VoIP, and SIGTRAN (which never appears again in this book!) without explaining any of them. I am familiar with all except the last, but I should not have to rely on past knowledge when reading the introductory pages of a "practical" book. The first chapter, overall, is a rambling collection of ideas that do nothing to prepare the reader for what follows.

If you want more details, I found Rob Slade's review to be good.

On a note related to Intruders Selling Security Software, I found this interview with the lead author of Practical VoIP Security to be a sign of foolish boasting or outright deception:

CSOonline: What is your background, and why are you called a hacker?

-name omitted-: I’m a hacker in the more traditional sense. Old-school hackers want to learn how things work and try to take it apart or gain access out of curiosity. Getting into networks and systems is good or bad based on your vantage point. Most traditional hackers do it just to see if they can, but they’re not there to steal information or destroy the integrity of a system.
(emphasis added)

I'm setting you up for material to follow. You might guess the "vantage point" comment doesn't sit well with me. The interview continues.

Can you mention some of your notorious hacks?

Nothing that I’ve done has made public news, and there are some things I’d rather not mention. I did raise the interest of the Defense Department once, but I’ve never been involved in any criminal activity. At one point in my career, I was interested in finding proof of alien life, so I did access the network at China Lake, also known as Area 51 in Roswell, New Mexico.
(emphasis added)

Oh, you mean the super-secret Naval Air Weapons Station China Lake, home of the MAJIC Morale, Welfare and Recreation office? I think this hax0r was trying to find Groom Lake, and if that were the case we wouldn't be hearing from him.

The interview continues:

How does a hacker disclose his or her credentials?

There are two kinds of hackers. Those who do it to impress their friends or become famous, and those that you don’t know about. The really good, and smart, hackers won’t tell you that they are hackers. Many of them are also not very sociable--they keep what they do on the QT, and if they have real credentials or experience, they don’t say anything about it.
(emphasis added)

Now you see why I added emphasis to the first paragraph. Sigh. Why are people like this getting attention from the media?

I guess I'm going to have to wait for Hacking Exposed: VoIP in December. For general books on VoIP, Switching to VoIP and VoIP Hacks by Ted Wallingford look good.

5 comments:

Anonymous said...

Wow, you're getting grumpy in your old age. I rarely see you tear apart someone's efforts like this, it's nice to see the "dark side" once in a while.

This book does make one wonder... can anybody can just slap together some blog entries and get it published by Syngress.

Da Kahuna said...

My first duty station out of Class "A" school was at Naval Air Facility China Lake which was a tennat command of the Naval Weapons Center China Lake. Home of the Sidewinder missile.

Funny thing is, back then it was in California and not New Mexico.

David said...

Ah, good ole Dr. Tom and his "innocent" military hacks.

As an aside: Maybe, he could have shared his expertise with this fellow ET traveler http://news.bbc.co.uk/2/hi/technology/4715612.stm.

It would be interesting if someone was ever charged for breaking into one of Dr. Tom's networks. The defense could call him as an character witness considering the crime only depends on your point-of-view.

Further to da kahuna's and Richard's comments: Area 51, aka Groom Lake, is in Nevada; not Roswell, New Mexico. http://en.wikipedia.org/wiki/Area_51

Nice to see that Dr. Tom's recall of simple facts is as sound as his reasoning. Pathetic.

Regards,
David

John Ward said...

Rich,

I have to agree with anonymous, you are getting grumpy. Until you write a book that.... oh wait you already have... never mind :)

Anonymous said...
This comment has been removed by a blog administrator.