Friday, September 26, 2008

Lies, Damn Lies, and Vendor Lies

Most of us need to work for a living, and no matter what we do, everyone is in sales.  Selling your product, selling your ideas, selling yourself, you are selling something.  And, there's nothing wrong with that.  Marketing and PR are a part of sales, getting the right message out to the right audience.  The right message highlights the strengths of your product, service, idea, or yourself.  That's OK, too, as long as you are honest about it.

Today I had the misfortune of enduring a webinar by some people who were either ignorant or dishonest.  Probably a bit of both.  [It is sad when giving someone the benefit of the doubt means you assume they are ignorant].  This vendor sells network security hardware and software, so you might expect them to have some understanding of layer 2.  Imagine my amazement when I heard them say that ARP cache poisoning could only be used to sniff traffic, not to reroute traffic or for man-in-the-middle attacks.  Please don't tell the people who wrote Dsniff, Cain and Abel, or many other ARP spoofing tools; they would be disappointed to hear that.  That statement shows either an alarming ignorance of ARP spoofing and layer 2 networking or it is a blatant lie.

They also made other "inaccurate" statements in the presentation, like calling their product something it isn't and ignoring the lack of key components, and they have some really harebrained ideas about virtualizing network security devices in a small business environment, but other than that...

Now here's the real problem: people were listening to them and believing this nonsense.  And the folks who believe this vendor are less secure because of it.

Sure, we are all responsible for validating what we hear, especially from folks trying to sell us something, but the fact that you are selling something does not make it OK to spread misinformation.

Buyer beware, indeed.