So "the talk" finished around 11:15am this morning... I've just been straight out and unable to blog until now. The "Black Bag Security Review" was fun to do and I've been receiving a great amount of positive feedback and kind words from folks here. As you'll see below, I'm going to include the slides here in Flash (I finally get a reason to experiment with SlideShare!). I'll put a PDF up here as well once I get back to Vermont. It seems that after my laptop was reformatted, I never re-installed Acrobat to do PDF exports.
However, the slides aren't really that much use without the audio, but I'll be putting the audio up on Blue Box sometime in the next week or so and will post an update here with a link.
Had a couple of interesting questions and points of feedback about the talk (and things I noticed):
- Yes, there were actually 243 slides and yet it came in a hair under 15 minutes. This is a very different way of presenting than a "traditional" deadly PowerPoint presentation. More slides... minimal text... fast transitions. The point is to accent your story and leave the focus on you and what you are saying. Keep people focused on you and the story you are telling... not getting them lost in reading a slide full of text. One or two words maximum on a slide.
- Someone commented that the preso was like something from Lawrence Lessig. Indeed, he was definitely someone whose style I have always deeply appreciated and yes, my style was similar to some of his presos. I've been integrating "story" elements into presentations for a good number of years whenever I can and every once in a while I get to do a preso like this one today that is entirely in a minimalist style focused on a story. Similarly I've always appreciated Cliff Atkinson's work with "Beyond Bullets" encouraging people to focus on a story versus bullets. Lawrence Lessig is definitely a master of the style and I admire what he does. When I first saw him at one of the Open Source conferences, it really showed to me the power of the delivery form - and I knew I was in the presence of a masterful presenter. If you want to see him in action, check out his "<free culture>" presentation available from EFF. (It is also well worth a listen for the subject matter as well.) So yes, there was a definite similarity... I like learning from the masters, and he's definitely one in this style of presentation. Personally, I wish more people would present this way.
- On technical issues, someone pointed out to me that SysAdmin Steve's VoIP system would have been secure "out of the box" with any of today's enterprise IP-PBXs. He stated that any of the recent enterprise systems from my own employer, Mitel, or from Cisco, Avaya, Nortel or others would provide most all of the security Steve needed.
He's right to a degree... with any of those enterprise IP-PBXs the system could have been secured right away. But the question is whether or not they are secured by default. In my story, the IT staff who implemented the VoIP system (and subsequently quit) installed it without any security. Perhaps they installed it and didn't enable required security options. Perhaps they turned the security features off. Perhaps the IP-PBX didn't have it in the first place. I didn't get into naming vendors... I was really painting a worst case. Now I know that in Mitel's case, encryption of both voice and call control is enabled by default and you actually have to work at it to turn it off - and while encryption doesn't solve all the problems, it solves many and makes others harder. I don't actually know about the default posture of recent Cisco, Avaya and Nortel switches, but if things like encryption are not on by default, there are definitely options to turn them on. All of the major vendors in the enterprise IP-PBX space have the capability - TODAY - to provide secure VoIP. We have to, because enterprises demand it.
That was really part of the point that I was trying to make - you can implement secure VoIP in the enterprise today (at least up to the SIP trunk space). You'll note that SysAdmin Steve did enable all those features in whatever IP-PBX he had. So in the end, he did have secure VoIP.
It was good feedback, though, and should I do another talk like this, I might consider adding a slide that explicitly mentions that enterprise IP-PBXs today can address these issues.
- Another person asked about why I focused only on SIP. Well, the answer is pretty much... 15 minutes. That's the amount of time I had to do this talk. In the 90 minute session that Jonathan, Shawn and I did back on Tuesday, we discussed how while these tools focus on SIP, there are others for the other protocols, and some like the RTP attacks are rather independent of the signalling protocol.
- One thing I noticed... in an effort to get done in my allotted time, I did not have an introductory slide about me. I thought about it, and actually had one in one rev of the deck, but then killed it to just jump right into the story. While this worked great for the flow of the story and also for keeping on time, it had the unintended effect of causing at least one writer to assign me an affiliation. VoIP News was doing live blogging of the show and wrote this: "Dan York of CIISP is talking about the security challenges in VoIP..." Welllll... not quite. CISSP is really the premier security certification... but hey, I give VoIP News a lot of credit for doing "live blogging"... tough to do. And my mistake... another time I'll put in an affiliation slide at the beginning.
- Speaking of affiliations, I was a bit disappointed that at the very end, the AV guys killed off my almost-final slide and put the ETel transition slides up there before people could really see my slide title and the URLs (shown on right). I thought it was just a great little nod to the Canadian heritage of my employer! (And I was hoping people could see the URLs for more than 2 seconds...) Ah, well!
- And yes, this is "Part 1" of "The Story of SysAdmin Steve"... "Part 2" will have to wait for another conference! ;-)
With that, I'll end the commentary and just try out the embedding of the SlideShare object. Like I said, it doesn't really do a whole lot without the audio... but I'll put it up here for folks who want to check it out:
Comments, feedback and opinions are definitely all welcome.