Posts

Showing posts from October, 2005

RSA Conference Europe 2005 - VOIP and security

Voice over IP is widely seen as one of the next killer applications, integrating data and voice networks as well as applications. However, proprietary voice networks and components also offer a good degree of separation and segmentation, increasing the confidentiality, integrity and availability of telephony services compared with data networks. When these two services are integrated (and in many places they already are), new threats arise and additional risks have to be mitigated. There is no doubt that the PSTN too has seen its share of attacks (war dialing, phreaking, fraud). Migration to VOIP on a large scale will see similar and new types of attacks on the combined infrastructure. It is recommended to separate the two networks logically (or even physically), conduct an in-depth review of the threats to VOIP and implement effective countermeasures to ensure availability of voice services. The cost savings achieved by using VOIP will mostly be used to implement security.

RSA Conference Europe 2005 - To regulate or not to regulate – Panel discussion

The general agreement was that it will get much worse than today before it gets any better. How it will improve is much disputed: One side argues that government should intervene and hold software vendors liable for damages that are incurred due to faulty software. The other side refers to examples like the US Sarbanes-Oxley Act of 2002 (SOX), where a few who misbehave draw a massive legislative backlash that has uncertain (and sometimes even unwanted) consequences. One example mentioned was the fact that parts of the widely agreed SOX-compliance implementation steps (whistleblower procedures) interfere with data protection laws in other countries (like France), or where public pressure leads to laws that do not solve the problem, like the CAN-SPAM Act. Industry representatives fear legislation as a restriction on innovation. Generally, the technology to make IT more secure is available, but there seems to be a market failure in allocating the costs to the entities that can actu

RSA Conference Europe 2005 - 2nd Day Morning

Second report from RSA Conference Europe 2005 in Vienna. This morning I attended the keynote sessions, which were again opened by David Taylor. He praised the speech of Arthur Coviello, with which I do not agree. Then Jayshree Ullal of Cisco introduced their Self-Defending Networks idea. I was rather disappointed by the lack of actual vision. In one slide she also confused the time to fix a vulnerability with the time until a vulnerability is exploited on a large scale (with regard to Sober and Nimda). The methods by which Cisco wants to defend networks seem very similar to the not very successful methods we use today. They do have some vision regarding management of policies and networks, but integrating this into one common platform will create yet another new risk. Some of the things Jayshree talked about were mere buzzwords without further meaning: "http or https based attacks" or "XML applications" - what is that supposed to mean? Any application using XML? The best part was

RSA Conference Europe 2005 - 1st Day

Today, I'm following up on the first day of the RSA Conference Europe 2005 in Vienna. After a good night's sleep I arrived at about 9.30h at the Austria Center in Vienna (on the Donauinsel near UNO-City). The long line of attendees registering was a bit discouraging, but after 45 minutes I got bag and badge. I then attended the "special session created especially for first-time RSA Conference attendees" - and I felt really special. The information given was quite useful, however. The best thing was the introduction to my neighbor in the next seat. What I find confusing is the different tracks and tutorials that were held on the first day: There are "Professional Development" Class Tracks as well as Developer and Enterprise Tutorials being held. I know that the Tutorials cost extra money (€ 295) - but it was not clear whether the Class Tracks are charged in addition. Finally at 4.30h the Keynote sessions started with David Taylor as Moderator. He did a good job o