Beware the software security scare silly season The software risk silly season is upon us again. Every so often a big trend washes over the industry, and soon afterwards well-intentioned people start telling us why we should be afraid to dip our toes into the water. Or perhaps they are not so well-intentioned... Even as cloud computing takes off in the enterprise and …
Yes, but even then there's the rather annoying fact The Register has been perhaps the Internet's biggest headline gabbing drama queen, continually bigging up "security weaknesses" that, on closer inspection turn out to be no more than theoretical concerns, seeking to find any possible angle to turn a story regardless of the facts of the case. What makes this worse is that every now and then they report real security threats and the layreader, used to the melodramatics, has no idea if they are crying wolf.
It's /always/ silly season in the IT security scare industry. Then again, there's few industries that can match the wider IT industry for waves and waves of hype. It's a veritable sea, every tide something new. And let's face it, sloppy coding and vendors unwilling to fess up to the mess they've sold(sometimes for more than a decade) did create a fertile ground for the scaremongers and snake oil salesmen to work on, and sow we did and reap they do. The poor code quality has been noted literally decades ago (EW Dijkstra for one, just to drop a name), and with the commodisation of computing the industrialisation of "securing" it (by preference heroically failing to, for extra profit) was sure to follow.
Nothing against Matt's scribblings here, really. The really sad thing is that it still needs to be said.
When 2 days ago two news stream aggregators ran with a headline from the telegraph online, (vaguely about a computer security flaw being used for snooping) strangely the actual article on the telegraph website was nowhere to be seen....for around twelve hours. There are several possibilities of course, from a digital D-notice descending, to someone having tripped over a server ethernet cable, taking down a single, factual article. The fact that the articles' re-appearence happened after exactly the right amount of time required to ask thousands of remote access technology 'infected' PC's to deliver their final payloads, update their c&c server channel then tidy-up afterthemselves, deleting the fake iTunes evidences, makes you think, dunnit? But yeah, silly season!?
I keep getting phone calls from people with thick Indian accents claiming to be from "The Windows 7 Helpdesk" and who say that they've detected a virus on my PC. Then they tell me that I'll need to buy some software from them to remove it...
I know it's a scam since I don't have Windows on my computer...
Any time there's a new way of doing things (Twitter, YouTube), some people, in business particularly, get all excited about it, and don't look for or don't see problems, mostly because up to now, somebody else has been responsible for security or compliance policy. So a company gets fined for something that a company officer Tweeted... or your cute new phone or tablet ravages the company network. Because you didn't think about that happening.
And nowadays cybercrime is a ruthless an efficient business: ripping you off happens at the speed of light.
If I ran a business, employee Android devices would run only apps and updates that I personally approve - or none at all - and Internet access will be limited similarly to a short whitelist of work-related sites, unless I can get an extremely secure browser, too: maybe Opera Mini.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
