Episode 20, for your perusal. I had an interesting talk with Mike Rothman and Alan Shimel about the recent demise of the Sourcefire – Check Point merger. Mark had some idea’s I hadn’t considered before. I also take some time to answer some listener feedback and my PCI segment is a comment on the value of information. I really learned a lot about the quirks of both my sound editors, Propaganda and Audacity. I also have an interview with Alex Neihaus of Astaro Internet Security coming up, but I have to retrieve a copy from the iRiver. Never open a sound file in both versions 1.2 and 1.3 of Audacity at the same time; the results are not pretty.
Tonight’s music is Blue Bird Tattoo by Circe Link
Network Security Podcast, episode 20, March 28, 2006
Thanks for listening, and thanks once again to Alan and Mike for joining me.
Technorati Tags: security, PCI, Sourcefire, Check Point
My friend, Alan Shimel, asks the question, “3rd Party Patches – Should you use them?“ And I have to answer with a resounding ‘NO’. The first third-party patch out there was the WMF vulnerability patch from Ilfak Guilfanov, and while I appriecated the fact that he made it available and it worked well, I didn’t install it because I don’t know Ilfak or anything about him. I know who Microsoft, and while I don’t always like or trust the patches they come out with, I always know who to call if their patches break something.
I also know, barring some catastrophic compromise, any patch I download from Microsoft will not have a trojan built into software. I’m sure Ilfak’s patch didn’t and I feel reasonably sure the patch being offered by eEye will also be safe. But if we start getting in the habit of using third-party patches, we run the risk becoming complacent and opening ourselves to additional vulnerabilities or hidden capabilities in the patch. It’s a question of trust and accountability for the patch and it’s repercussions. I feel I can hold Microsoft fully accountable, while I’m not sure I could hold a third party equally accountable.
I’m not saying there’s never going to be a reason to use a third-party patch. But it’s not something we should make a habit of. Microsoft sometimes moves slowly, but there hasn’t been a vulnerability that was so critical I couldn’t find some other way to mitigate the vulnerability. By your milage may vary. If a vulnerability comes out that you can’t mitigate against, you may have to use someone else’s patch to protect yourself. Just make absolutely sure you know what your getting yourself into ahead of time.
Technorati Tags: security, patching, microsoft
Here it is, episode 19! New toys, a lot of privacy concerns, and Google won their court case. I also had some more to say on the still emerging debit card compromise. I finished up with my review of the PCI requirements tonight and I’m looking for something PCI related to talk about from now on. If you have any thoughts or questions, please drop me a line at 916-231-9479 or email me at firstname.lastname@example.org.
Tonights music is Another Round by Enter the Haggis
Network Security Podcast, Episode 19, March 21, 2006
Thanks for taking the time to listen
Technorati Tags: security, podcast, PCI, privacy