Sometimes the security blogosphere is more entertaining than daytime television…
1. Hoff calls Joanna a sensationalist and claims she is irresponsibly spreading FUD for her own gain (here); she retorts (here); he fires back (here) – of course Hoff has nothing to gain from any of this and is just doing his civic duty 😉
Bottom line: Cute fight, but if you are trying to make heads or tails of the importance of Blue Pill (Joanna's hypervisor-based rootkit) to your environment, well, the answer is almost none, or maybe it is 42.
Update: Rich from NAMHLA (the North American Mogull Hoff Love Association) publicly declares his feelings for Chris (here)…ahhh young love 😉
2. Thomas is in love, or at least in very, very deep like, with Mark Dowd (here) and (here) and his recent Flash vulnerability findings (here), about which Tom states: “Combined with any DNS vulnerability or any high-profile cross-site scripting vulnerability, the weaponized version of this attack would probably clock in at tens of thousands of compromised browsers per minute.” Holy Mother of God is a reasonable first reaction, and everyone should be scrambling to disable/unregister/uninstall Flash everywhere, on every machine and in every browser – right? Well, no, not really.
Bottom Line: This is an extremely sophisticated example of how, even in 2008, we are still no more and no less secure than we were when Orson Welles first spoke about the intentions of an advancing Martian army, and within a year it was the intentions of an advancing German army. But if you are wondering whether you now need to add Flash to your list of “things that shalt not run” and rush to craft some Snort rules, well, you are probably better off making sure you can manage your firewalls and that your patch management process is actually functioning.
3. Jeff Jones of Microsoft recently released some vulnerability statistics around Windows Vista (here), which was followed by Michael Howard suggesting that this was due to the Security Development Lifecycle (SDL) process institutionalized by MSFT, and largely driven by Howard, over the past so many years (here). Pete Spire (here) called BS on Howard’s assertion, Maynor called Pete names (here), Spire made fun of Maynor (here), and then Maynor made more fun of Pete (here) – it was all very professional and mature, though.
Bottom Line: Who gives a crap! Of all the ridiculous things Microsoft could assert, none is more ridiculous than this internal video (here) – now that is embarrassing.