Red Herring Misses the Mark on SPIT

I have to speak up and say something. There's been a lot of press hype about SPAM over IP Telephony, or SPIT. The latest I've seen is "Spam’s New Target: VoIP" from Red Herring.

First they lead with "Beware of the new scourge that won’t go away." as a subheading. Then the story begins:

> As more businesses switch over to cheaper VoIP systems for their phone networks, they’ll have to contend with a growing nuisance—SPIT, or Spam over Internet Telephony. If the phone is ringing off the hook, it may not be customers calling, but recorded ads for Viagra and printer ink.
>
> “As VoIP numbers become more publicly available, it will be easy to dial a massive amount of phone numbers and play ads and solicitations,” says Kenneth Kuenzel, founder of Covergence, a startup that makes a VoIP security appliance. This Maynard, Massachusetts-based outfit recently introduced a VoIP security product for consumers.


And my reaction is that this article, no author attributed, just plain misses the mark. I do have to question whether perhaps the article is written by Seshu Madhavapeddy from Sipera whose picture accompanies it. Possibly.

The article adds fuel to a common misconception that SPIT presents a big problem. My reaction is ptooey. I won't say it's entirely hogwash, but they paint a picture of impending doom that isn't justified and isn't being seen in real-world VoIP deployments. Period. It just isn't happening today.

The article goes on to describe Sipera's raising $13.2 million in funding to "fight VoIP spam." Read articles like these with a keen eye and an open mind. Too many of these types of articles are thinly veiled sales pitches to drive a vendor's credibility up as they press their own businesses. Is this a real problem or a marketing ploy?

Yes, SPIT potentially could raise its ugly head in the future as a problem. It's not a real problem today. I don't lend too much credibility to a vendor study that isn't incredibly well substantiated by outside, unbiased reviewers. Every study I've seen on SPIT that's accurate says maybe someday it will be a problem.

The article further describes Phil Zimmermann's recent VoIP encryption efforts as being driven by this problem. That's just not the case. VoIP encryption and Zimmermann's efforts point to privacy concerns. And yes, user authentication to protect privacy does have the ancillary impact of minimizing SPIT's dangers. But SPIT isn't a driver for secure VoIP.

I welcome comments here from folks at either Red Herring or Sipera. If someone from Sipera would like to do an interview here to openly discuss their views on the subject of VoIP security, they're invited to contact me. There's a range of contact options posted on the left sidebar of the blog.

Comments

We need to be proactive now when it comes to VoIP spam and not wait until it becomes a problem. If we had been proactive as an Internet community in the mid 90's when email and the Internet were becoming popular, we probably wouldn't have many of the email spam problems we have today. I applaud any effort by individuals or companies to make people more aware of VoIP spam issues.

I'm not sure being proactive with market solutions combating a non-proven problem is the right approach. I absolutely agree we need to be forward-thinking and mindful of future risks. Protecting against fantasy problems that have not yet materialized, yet been hyped as major problems by all the companies selling the protection, sounds more like leveraging the FUD factor (fear, uncertainty and doubt) than truly innovating and marketing to real business needs.

Opinions do vary, but after 30 years in the industry, many in sales and marketing, I'm not real supportive of companies selling questionable solutions without strong market drivers.

Ken,

Great post - and I definitely agree that the threat of SPIT is definitely over-hyped in today's market. Jonathan Zar and I expressed a similar point of view on a recent Blue Box podcast ( http://www.blueboxpodcast.com/2006/03/blue_box_podcas_1.html ) and Irwin Lazar ( http://www.irwinlazar.com/ ) has also been stating a similar view as well. Essentially, our point is that SPIT has the potential to be a threat as we move to interconnected (ex. by SIP trunking) networks, but right now with the PSTN acting as the interconnection between networks, the threat of SPIT is not really that large. It's definitely something we have to be aware of and look at how to combat as we move to interconnection - but it's not something to stop (or slow) deployment of VoIP today.

FYI, we did just recently post a podcast episode with Sipera where we got their point-of-view. ( http://www.blueboxpodcast.com/2006/03/blue_box_podcas_7.html )

Regards,
Dan York
Producer and co-host, Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com/

P.S. We'll have to have you on the show sometime!

The threat of VoIP related attacks is a BIG HOAX. Such threats only exist in environments where users can sniff others' traffic. However, in today's enterprise world, all the networks are switched networks, and sniffing is impossible. Yeah, someone can argue that by performing MAC flooding you can overflow the CAM tables in a switch, but that can be easily stopped by configuring the "storm controls" on a switch. Moreover, if you have a properly configured firewall and a call server using TCP for SIP communication, you can easily tackle the DoS/DDoS floods. And as far as SPIT goes, it really requires a lot of reconnaissance on the part of the attacker to perform that kind of attack, which can be prevented by having good security policies.

Companies like Sipera and Covergence are just trying to sell their products by this marketing ploy, but in reality there is no threat like this.

VoIP is already secure - be happy and feel safe!

Amir,

Since I've written this I've seen real-life examples of SPIT and the like. I wouldn't characterize it as a hoax, but the problem has been vastly overstated by people looking for attention. It's a potential problem, but not yet anything that's become a tangible reality.

I do agree with you that in many cases the gloom and doom scenarios are fabricated to the worst possible angle by vendors looking to sell product by creating FUD (fear, uncertainty and doubt). A tried and true sales strategy for many companies, I'm sad to say.

> “As VoIP numbers become more publicly available, it will be easy
> to dial a massive amount of phone numbers and play ads and
> solicitations,” says Kenneth Kuenzel, founder of Covergence, a
> startup that makes a VoIP security appliance.


That may be true, however standard phone numbers are just as easy to pull out of an online business directory, and much, much more plentiful. The spammers (spitters?) can target these phones just as easily, if not more easily than VoIP users, except for those who registered with the National Do Not Call Registry. The solution isn't "a VoIP security appliance", it's a DNCR for VoIP.

Great point, Zack. I've got good relationships with people in companies making all sorts of appliances and solutions in this space, but the problem isn't a technology one. And it can't be solved by technology.

Ken Camp's Bio:

Ken Camp has more than 25 years of experience in information technology. Ken spent 17 years with AT&T and Lucent Technologies successfully designing and implementing voice and data networks. He later worked in the security marketplace and played a key role in early IPSec VPN deployments. As an independent consultant, Ken's primary focal areas include network performance improvement, security practices and the design and deployment of integrated voice and data solutions. He may be contacted at: ken_camp@realtimepublishers.net