(This post was about a GPL tool that was recently (Aug ’09) commercialized, at which point its GPL license was revoked. I feel I can no longer support this product.)
Michelle Dickman over at TriGeo has an interesting story.
Apparently her company was in a bid that was eventually won by a competitor, ‘High Tower Software’, because they lowballed. The customer took the risk of buying from High Tower, and eventually High Tower went out of business in November ’08. Good times. There you are with a great (?) product.
There is something you can do against this type of risk, and it’s called source code escrow. Basically it is an agreement to have the source code stored with a third-party escrow agent, which will release the source code if and when the licensor goes out of business. More info here.
Escrow Europe is one of the companies that provides these services in Europe (and in the US too?). If you know any other companies that do the same, let me know and I’ll add them to the list.
When buying in economically tough times like these, or when buying from great startups, it’s an option you have to consider. It’s a risk you can now easily mitigate!
Brenno De Winter touched upon the (in)security of DECT in one of his recent (Dutch) podcasts; the exact same ‘vulnerability’ was also revealed in a talk last December at 25C3 (more info regarding DECT and security here: https://dedected.org/trac).
First, Brenno makes a great podcast, I am a regular listener and I think a lot of podcasters can learn from him, but this post is not about making Brenno happy. I also respect security researchers very much, let there be no doubt about that.
Now seriously … What(’s) the hack? You can listen in on conversations over DECT phones because encryption is not enabled. That is hardly a problem with the technology now, is it?
Was it a slow week ?
I do get the fact that the encryption algorithm seems to be weak. Once you figure that out, you might have something to talk about. The fact that some manufacturers choose to disable encryption in low-cost handsets because, you know, we want cheap phones, is mere human stupidity, and we all know that there’s no patch for that.
Good, apart from that, what did we learn:
1) If you need to procure a DECT phone system, take a good look at how encryption is handled in your system of choice if your environment requires it. Trust, but verify.
2) People choose profit over security. Nothing new, it’s a sad world.
3) The DECT encryption adheres to the old adage ‘security through obscurity’. I’m looking forward to the real hack, maybe somewhere at a security conference near you in 2009. Now that will be news!
Welcome to ‘The Security Kitchen’.
While I would like to say that this is my first blog post, it isn’t. I started blogging somewhere in 2007, first on a privately hosted blog. I switched to http://www.blogspot.com in September 2008 because I didn’t like the software (Drupal) that I was using and I was up for a new start anyway. Still, it didn’t go where I wanted it to go. Now, after some New Year’s resolutions, I’m back and I feel this can be the beginning of something grand, first and foremost for me (I’m self-centric like that) but hopefully also for you, as a reader.
Obviously, a blog needs a purpose. I learned that the hard way. There are plenty of blogs out there and I was wondering where I could be different. The most important thing about this blog is that it is certainly not about ME. This blog will be about things you as a security professional can use on a day-to-day basis, mainly tools, techniques and loads of interesting information.
These are the plans for 2009:
a) regular posts about tools, techniques, methodologies, technology in general.
b) regular posts about important events in the security realm.
c) random posts voicing my opinion on events, evolution, people and discussions in the security realm.
Last, but to me a very important part of what I want to achieve with this blog: I invite everybody in the security space to contribute. I will try to conduct interviews (mainly through Skype) with people in the community and post them here. Ad hoc (non-scripted) conference calls are an option too; I will just see what is possible there and how it goes. No promises.
I also invite guest posts; if you feel like cooking in our kitchen, let me know. As long as it is information security related, I’m game.
For now: Welcome to The Kitchen, let’s dig in.
You can reach me on Twitter @ http://www.twitter.com/domdingelom or through e-mail @ wim|at|remes_dash_it|dot|be
PS: I’ve got nothing against Drupal, it’s great software. It just wasn’t for me, mainly because it wasn’t blog-focused. Blogging was just a part of it and all the other stuff made it too complicated to manage for simple, old me.