• There it is – the security Silver bullet

    I love that: There is finally software that is free of bugs and completely secure. Hmm, this kind of reminds me of the world-famous marketing campaign of a big software company which called itself "unbreakable". However, let's be fair:

    There is an article out there called 11 open-source projects certified as secure. I quote from there: "Coverity, which creates automated source-code analysis tools, announced late Monday its first list of open-source projects that have been certified as free of security defects." This is nonsense and we all know it. There are several reasons for this: Static source code analysis will never ever be able to find all vulnerabilities. Additionally, the threat landscape changes. Even if we were able to say "the software is secure" (which we will never be), this will be different tomorrow. Criminals are probably among the cleverest people when it comes to finding new ways of attacking our systems. Ways we never thought of when we planned the system.

    So, I tried to confirm the above statement on the websites of Coverity: http://www.coverity.com/index.html and http://scan.coverity.com/index.html and could not find the same statement, which I think is not bad – otherwise I would have doubted their capacity.

    Actually, Michael Howard commented on that as well: "Open-source projects certified as secure" – huh?

    So, to summarize: I am not in the position to assess the quality of Coverity's capabilities and the quality of their tools and processes. The only thing I know for sure is that this article is crap.

    Roger

    BTW: Stop looking for the Security Silver Bullet – I do not want to lose my job :-) :-)

  • What is more important: Security or Privacy?

    This is basically a very interesting and pretty fundamental question for society. After 9/11 the US changed the way they work significantly. Just as an example: Airlines had to give the US government information about passengers flying to the US, which actually violates the privacy laws in Europe. So, the decision had to be made: Either you violate the laws or you do not fly to the US anymore… What do you do now? Well, the Data Protection Officers actually had to give in.

    So, if you look at it from a broader perspective: It is pretty natural that National Intelligence as well as Law Enforcement are looking for as much information as possible to fight crime. And I guess that successful Law Enforcement and Intelligence Services are something we all would like to have – we want them to protect us. But what are we willing to pay? How far are we letting them invade our privacy? This is the key question and one there is no single answer for.

    If you look at this article US spy chief puts security over privacy compared to the comment I made in 2-year old terrorist, it really scares me. I see the dilemma we are in – no doubt. And to be completely honest: I am not sure how far I want to let my privacy go for the sake of my security. I am living in a very safe and secure country – in Switzerland. However, I know that the National Police has to work hard to keep it that way. So probably it is as always: As long as nothing happens to me personally, I fight for Privacy. As soon as something happens, I want as much Security as possible.

    A problem we all know, don't we? Nobody wants to pay for security, but as soon as something happens…

    Your view?

    Roger

  • LiveMessenger Trojan in the Wild

    At the moment we are tracking a Trojan that is spreading through Messenger and AIM. It is called Win32/Pushbot.BD and you can find additional information on our Malware Protection Center.

    This just gives me the opportunity to remind you that you definitely should make sure that files downloaded via IM are scanned by your AV engine. How to do that? Well, it is described here.

    Roger

  • What can you do if you are a victim of e-crime?

    I think that there is a very good example of how a platform could be offered for victims of cyber crime. There are often questions around: What are my rights? What can I do if something bad happens? Who is here to help?...

    www.e-victims-org offers answers to a lot of questions like those and offers help. Ed Gibson, my CSA mate in the UK, is actually on the Advisory Council.

    Roger

  • Hacker sent to jail

    You remember my post on The Economy of Cyber-Crime? One of my claims was that you need to work with Law Enforcement in order to increase the cost for the criminals – and here we have one of the outcomes: Norcross hacker sent to prison.

    I quote:

    William Bryant, 38, was sentenced Thursday, Jan. 10 by U.S. District Judge Thomas W. Thrash on a charge of hacking-knowingly causing the transmission of information to a computer used in interstate commerce, and, as a result, intentionally and without authorization causing damage to that computer.

    <…>

    In addition to his prison term and home confinement, Bryant must spend two years in supervised release, perform 200 hours of community service and pay restitution of $15,470.

    I like that.

    Roger