Enabling Secure Business Operations

Vulnerability Theater

June 29th, 2007

The Windows Vista Security Blog had a post today about vulnerability theater:

If the vulnerability requires that a user ignore numerous warnings and carries on regardless then the O/S is doing what it’s told to do! Let’s be reasonable: If a user is warned by Outlook that the email looks like spam but clicks on the link anyway, then is warned by IE that the website looks suspicious but continues to navigate to it anyway, if they then ignore the Defender warning that the mortgage calculator they just downloaded is spyware, then, frankly, the O/S is doing what the user intends that it do!

Personally, I don’t think too many people get too excited about the Windows vulnerabilities that are reported by third parties without patches or workarounds. This is a decent quote which reflects how I feel about Vista’s security:

Of course vulnerabilities do exist; none of the security features in Windows Vista, either individually or collectively, are intended as a “Silver Bullet” solution to the problem of computer security. Instead, a defense in depth approach makes Windows Vista far more difficult to attack than any previous version of Windows, thus making it more secure.

Notification Protocols

June 22nd, 2007

I hope everyone remembers the TJX compromise in January. Well, I received a letter from my bank yesterday telling me that my debit card was one of the numbers compromised.

Let’s see the general timeline here:
July 2005-December 2006: compromised time (estimated)
December 2006: I buy some Christmas gifts at TJ Maxx using my debit card (as a credit card)
January 2007: First public notification that something’s wrong
January 2007: Some consumers are notified
February 2007: Public notification that the compromise might include more cards than initially thought
March 2007: TJX releases more details
June 21, 2007: I’m notified of the potential compromise of my data

My bank took 6 months to notify me that my information was compromised.

I received a letter in the mail telling me that my number was compromised as a part of the TJX compromise, and that the bank had been monitoring it, and there were no fraudulent activities, but could I change my PIN just in case?

So, I’m thinking here, that 1) I know I didn’t use the card as a debit card (I only do that at the grocery when I need cash), and 2) WTH didn’t they tell me back in January or even February?!?!?

I called up the bank, changed my PIN, and demanded that a new card be issued. They really didn’t want to issue me a new card at first. I explained to them that I know I didn’t use my PIN for the purchase, and I was more concerned about the card number than the PIN. They finally agreed to issue me a new card, but won’t cancel my old one until I activate the new one (WTF?).

I gave an earful to the rep about why wasn’t I notified back in January or February. I was polite, but definitely forceful, and I think I made the poor guy feel bad. He started to say “sorry, we should have”, but then interrupted himself and issued my new card.

Normally, I’m very happy with my bank from a security perspective, but this really upset me. Not enough to consider moving elsewhere, but enough that I composed and sent a polite “nastygram” to their security and privacy departments.

1500 Pentagon Computers Taken Offline By Cyber Attack

June 22nd, 2007

I’m skeptical that this is the whole story.

Few details were released about the attack, which happened Wednesday, but Defense Secretary Robert Gates said the computer systems would be working again soon.

The best quote of the article:

When asked if his own e-mail account was affected, Gates revealed, “I don’t do e-mail. I’m a very low-tech person.”

Geeks shudder everywhere…

Final Harry Potter Book Leaked

June 21st, 2007

Or, well, “Gabriel” is claiming he broke into the publisher’s computer systems and heisted the novel.

A computer hacker has posted on a website what he says is the ending of the final Harry Potter novel.

...

Once the recipient activated the threat by opening the email, the hacker professes to have been able to lift a draft copy of the highly anticipated book.
The book is currently making the Internet rounds. I’m not sure why this is making such headlines – it could be a false story. So far, the publisher has remained quiet, making me wonder…

Safari’s Rude Introduction to the PC

June 13th, 2007

At the 2007 WWDC, Steve Jobs announced the immediate availability of Beta 3 of Apple’s web browser, Safari, on Windows as well as Mac.

David Maynor from Errata Security posted the first vulnerability found in Safari before it was even mentioned in Jobs’ keynote.

BetaNews has a good article entitled ‘Day One’ for Safari for Windows Becomes Zero-Day Nightmare.

Apple’s Web site touts, “Apple engineers designed Safari to be secure from day one.” As Larholm explained on his blog, that may very well be correct: Its engineers obviously designed Safari to take advantage of security protocols in the OS X operating system, as evidenced by function calls to those protocols Larholm located inside the source code for the Windows version – calls which would obviously go unfulfilled.

I think I’ll hold off on Safari for now…

DRM-Free iTunes Tracks Contain User Information

June 4th, 2007

This is interesting:
The launch of music tracks free of digital locks on iTunes has been overshadowed by the discovery that they contain data about who bought them.

Some fear this data could be used to identify the owner of the tracks, if they turn up on file-sharing sites.

Apple so far has declined to comment, but it seems a good guess that the information could be, or already is being, used to find pirates.