Comments on: “Sun’s JRE has a security flaw, so turn off Javascript” says the security expert

By: Oded

Oded — Tue, 01 Dec 2009 12:34:01 +0000

I’ve been listening to some more Security Now lately and Gibson is good about explaining security issues for the (almost) layman, but:
- He talks very very very very slow to the point that I would have pulled my hair out had I had hair to pull out. Explaining out a simple concept like a client connecting to a server to send HTTP requests can take about 5 minutes.
- Even when talking about general security problems, like the recent SSL renegotiation attack, he is still very Microsoft oriented: “I’m pretty sure Microsoft will issue an update for that this month”. Its not like he isn’t acknowledging the fact that there are other systems, its just that his primary concern is always that Microsoft will issue an update and its never was my concern.

All in all, I think I will unsubscribe.

By: Oded

Oded — Mon, 23 Nov 2009 08:15:46 +0000

Regarding the mistake, well obviously everyone knows that Javascript and Java are the same. Hmm..

I also saw one security comparison where MS-Windows was the only operating system complying with the requirements because only it has a login screen that is only accessible by pressing CTRL+ALT+DELETE. This is apparently a security measure.

I believe the above mentioned security show is geared towards average people and aims to raise their awareness of security, though it may do a piss poor job of that. I’ve eventually heard it all the way to the end and they did discuss some more interesting things like the jailbroken iPhone SSH issue (default password that everyone knows), port knocking (also regarding SSH) and the reuse of key-pairs in SSL certificate requests.

I’m not sure why they start the show by listing “security updates” and discussing them – it may be similar to the reason why Linux Outlaws start the show by listing new Linux releases of obscure distros and making fun of them: its something that you can do in the context of the show and it kills time. But at least with Linux Outlaws its often funny.

By: Yaniv

Yaniv — Sun, 22 Nov 2009 08:29:02 +0000

He may still be a security expert, but not-so-expert in logic deductions.

When evaluating the security of a system/framework, one item in the “checklist” is checking for the existence of periodical software/security updates.
I’ve always argued against such ultimate “checklists”, or even close to them. All these attempts to associate some ISO-like security tags with a system are flawed in their basis and make me sick. It’s like summarizing the entire contents of a religion X in a few bullets and claiming that they are the entire X.
I vaguely remember some old comparison of the security various systems, in which Microsoft Windows won one of the top places, mostly due to that weird item — they maintain periodical (weekly!) updates to their software.