Microsoft’s bug bounty is a step in the right direction

Last week, Microsoft announced it’s offering a bug bounty program. Find a working exploit in Windows 8.1/Blue/whatever it’s called this week, and Microsoft will hand over $100,000. Find a mitigation for that exploit, and Microsoft will pony up for that too, up to $50,000.

I think I know what they’re up to.

Windows vs. Linux kernel performance

An anonymous Microsoft developer spilled some juicy opinions about why Windows kernel performance isn’t all it could be and answered some longstanding questions about Windows vs. Linux kernel performance in the process. Although he has recanted much of what he said, some of his insights make a ton of sense.


The ethics of writing nefarious security instructions

This week I posted a link to a video showing how to crack a WPS-enabled Wi-Fi network, and the same week Ars Technica wrote a firsthand account of cracking a password list. I’m sure this raises questions of ethics in some people’s minds. To be honest, spreading this kind of information makes me a little uncomfortable too, but I also think it’s necessary.


Mark Hurd doesn’t sound like he’s just what Dell needed

Word on the street is that Blackstone Group has a plan for turning around Dell: Buy the company, take it private, and install Mark Hurd as CEO. The thinking is that he’s available, has experience, and would have baggage keeping him from being the CEO of a public company.

I just see one glitch. Available != good fit.


And the most security-riddled program of 2012 was…

Secunia released its annual vulnerability review, a study of the 50 most vulnerable pieces of software in 2012. It was a fairly tight three-way race at the top, and the distance between #3 and #4 was huge.

I was actually surprised at who the top three were. They weren’t the three usual suspects. But in the case of the top two, they did, to their credit, roll out fixes within 30 days of disclosure.

So now that I’m killing you with suspense…

We don’t need more H-1Bs, we need more immigrants

H-1Bs are a popular topic in Washington. Tech companies want them, since they let them get the benefits of offshoring without actually offshoring, and politicians want them because companies want them, and they talk about luring the best minds to the United States as a side benefit. It’s such a great deal, they say, that they want to bring in five times as many of them as they used to.

The problem is, they don’t stay. H-1Bs aren’t about immigration: 3% of H-1B workers stay in the United States.


Java is patched now, but still not very safe

Rapid7’s Chief Security Officer, HD Moore, estimated it will take two years for Oracle to fix all of the current issues with Java, not counting anything new that happens in that timeframe.

Furthermore, Kaspersky states that 50% of cyberattacks in 2012 utilized a Java exploit. Among those is the newly discovered Red October.

Think for a minute. Antivirus software is anywhere from 75 to 90% effective. Assuming the worst, that means the simple process of removing Java from your computer does 2/3 as much good as running antivirus software. Of course, you shouldn’t do one or the other; you should do both.

If you have a legitimate need for Java in your web browser, such as commercial intranet applications built with Java, enable Java in one and only one browser, then use that browser solely for accessing those Java-powered web sites.

But the best thing to do is just get rid of Java. And if you have something that uses Java, find something else to use.

It took Microsoft about two weeks to fix a critical vulnerability in Internet Explorer. It took Oracle five months. I never thought I’d say this, but Oracle needs to be more like Microsoft.

Yeah, you can quote me on that if you want.

But until Oracle gets religion on security like Microsoft did around 2002, we really have two choices: Avoid Oracle products whenever practical, or keep getting hacked. I’d rather you not choose the latter option.

Oracle (and Java) delenda est

In case you haven’t seen, there’s a terrible unpatched vulnerability in Java right now that baddies are using to install ransomware on PCs. Then, this morning, I saw that Oracle has known about this vulnerability since August, and hasn’t bothered to fix it properly yet. That should be criminal negligence, but the rules are different for billionaires.

Of course, I’ve been saying for ages that we’d all be better off if we just uninstalled Java completely, but I know very few people who’ve done it, out of fear they’ll break something. (Those same people often refuse to patch Java, out of the same fear.) I was trying to figure out why anyone would want to run Java these days anyway, and then I saw this quote, via David Huff:

“Given a choice between dancing pigs and security, users will pick dancing pigs every time.” – Edward Felten and Gary McGraw

That explains everything. Java is exceptionally good at making animated dancing pigs.

All of the major sites are recommending that you disable Java in your web browser. I continue to recommend just uninstalling it entirely, since Oracle is more interested in dancing pigs than in security.

Oracle finally does the right thing

So if you didn’t drop everything and uninstall Java last week, I need another favor. Oracle released a patch for Java, so go patch it.

Sometimes community outcry and pressure works. It looks like this time it did. I just wish Oracle had made a bigger deal about it. Yes, you’re eating crow, but people need to know that this is something they need to do. One of the most frequent questions I get is whether it’s really necessary to patch Java. The answer is yes, it’s just as important as the monthly Microsoft patches. But nobody seems to know or care. They’re afraid they might break something, so they don’t do it.