Security hype “stifling new technologies”

It seems that security concerns are preventing us making progress. Robert Jaques has an interesting piece in the September 2005 issue of PCW (UK). Yes, I know August has just descended upon us; however, PCW does seem to be published some two months ahead of the actual month it represents!

Whilst the rest of the world is making progress with IP telephony/VOIP, wireless networking, wireless hotspots, etc., it would appear that there are some folks who are thwarting progress by following the maxim “if it ain’t broke, don’t fix it”. Well, in this situation, that maxim doesn’t hold true. For example, I’ve just returned from Microsoft TechEd in Amsterdam, where Microsoft was kind enough to provide [potentially] 6,500 of us with wireless access to the Internet. It was a remarkably liberating experience. I was able to check my e-mail whilst attending sessions, blog “live”, provide session feedback within minutes of the session finishing, etc. It was truly amazing.

How did we ever live without wireless? I can’t imagine the Internet without it now, never mind the connectivity gains that I’ve acquired after pushing the wired LAN into the dark and distant past (OK, so I’ve a wireless bridge converting the wireless into wired for use in the study… it still means that I don’t have wires running all over the house, much to my wife’s delight!).

Life without wireless/VOIP might not be secure according to the hype mongers; however, can we believe them? True, wireless networks do open themselves up to a wider range of potential attackers – the attack surface extends itself to the far reaches of the wireless broadcast. And yes, early wireless kit was delivered (out of the box) with all the security options turned off or disabled… but I seem to recall that some operating systems were delivered in a similar fashion. Nowadays, of course, virtually all wireless kit (and the aforementioned operating systems too) arrives with all the security bells and whistles enabled, so much so that it’s sometimes difficult to miss. With a little care, it is possible to secure a wireless network and/or VOIP such that there is considerable business benefit.

Life without wireless/VOIP means a mess of cables. It means a laptop, a rucksack and a bag full of various network cables and adaptors – I carry five RJ45 cables of various lengths and an RJ45-to-RJ45 extender that allows me to daisy-chain two RJ45 cables together if required. I didn’t carry such excess baggage to Microsoft TechEd… the only wires I saw there were those leading from laptops to power sockets and from the VOIP handsets to the controlling PC.

Life without wireless/VOIP means having to find landlines or worse, mobile ‘phones. It means having to stretch a fixed line ‘phone across tables/desks to get it close to your laptop which is plugged in to the network and the mains – and because neither the network provider nor the electrician spoke to each other, they both kept their infrastructure as far apart as possible. If you’re lucky enough to have a network provider and an electrician who speak the same language, the floor sockets that house their respective outlets/sockets, and this is especially true of electrical outlets, are sunk into the floor, hidden underneath a tightly fitting lid that soon comes away in your hand the minute you lift it open. And if that wasn’t bad enough, you try to plug your laptop’s power adaptor in, oh, the huge transformer prevents you from plugging it in… or, worse, you have a regular-sized plug fitted with a less than flexible cable… the power outlet’s live/neutral plugs so close to the edge of the housing that you can’t even bend the cable to fit.

And just think of the triangulation involved in plugging a laptop into the mains at point A, the telephone at point B and the network at point C. The resulting mesh is a potential safety hazard.

Just in case you had forgotten what life without wireless looks like, here’s a very tame reminder:

[Image: not wireless]

2 thoughts on “Security hype “stifling new technologies””

  1. Let’s look at the main points:

    1. IP telephony is unsafe
    Yes, it doesn’t contain any real security. Nor does it contain any mechanisms for quality of service (QOS).
    Personally, I’d rather use Skype, which uses AES for encryption purposes.

    2. Mobile malware will cause widespread damage
    This is going to be a real growth area for malware, especially in light of the lack of malware countermeasures deployed in the field.

    3. ‘Warhol’ worms will make the internet unreliable for business traffic and VPNs
    There are many dangers to the internet. Take Cisco routers, the IOS running on them has a major vulnerability that has caused quite a stir in the recent press as Michael Lynn resigns from his employers to give a presentation to Blackhat 2005 on the vulnerability. Now he is being sued and attacked on all fronts by Cisco and IIS lawyers. Potentially, this vulnerability could bring down large portions of the internet if a tool is written to find and exploit vulnerable routers!

    4. Regulatory compliance equals security
    Compliance will indeed drive organisations to think about securing their systems.
    However, many small businesses don’t have a clue that they will be affected and thus security won’t even come onto the radar.

    5. Wireless hotspots are unsafe
    WEP can now be cracked in 10 mins. WPA-PSK is vulnerable to dictionary attacks.
    Open access points are the new proxy servers for hackers.

    As someone who works in the small business sector, I’m well aware that customers don’t take security seriously. Many of them have inadequate protection and procedures. On occasions they need to be scared into action or else they won’t pay for the work to get done.

    Business will introduce new technology if it can find a good business case for doing so: security should be part of that consideration.

    In my experience, many small businesses won’t even think about security if they want some new technology. Now the cost of implementing it … that will be a major consideration!

    The views expressed in this article are those of someone who is only looking at the Enterprise market!

  2. Security, especially of wireless hotspots, should also be considered in conjunction with the value of what can be intercepted, stolen, hijacked, etc.

    The “data” that we in the “Enterprise” market (although I’m starting to have doubts about using that as a description, but that’s another story) isn’t actually all that valuable and frankly anybody who wants our data has already got it…

    …the point my rant is endeavouring to make is the lack of action *anybody* is making with regard to:

    a) improving the security: if it’s such a problem, we, as an industry should be doing something about it.

    b) trialing and investigating the said technologies is something that should be done – instead, and this is a point Robert makes, folks are reading about security problems with “wireless” in general (from newspapers/magazines that are years old) and are *just* saying no to trials, etc. The same organisations are probably skipping rolling out Windows XP too: on a separate note, Microsoft advises those organisations to start preparing for Windows Vista “now!”

    c) I’m just waiting to see the effect of mobile malware – desktop malware really has caught some places off guard…

    d) business should consider new technology if all of its competitors are looking at/rolling out new technology and/or if a large chunk of their employee-base request it be investigated – and if there is a business case, it should be written by those most qualified to write it such that those who may not understand the technology, but must make the decision, can actually understand it.

    Besides, don’t our friends over at Oracle use VOIP? Even if it’s just for internal calls, the cost savings are significant.

    (I must fix this comments box – it’s way too wide)
