Monday, October 6, 2008

Well, that's awkward.

So, yeah- for years I have recommended Security Now to people interested in network security.  I did put an asterisk next to the podcast the last time I ran down my podcast list, but I still recommended it.  I may scream at the dashboard of my faithful Jetta when Steve Gibson's voice comes out of the speakers saying things like cross-site request forgery is the same thing as cross-site scripting, but I get that to his target audience, both fall into the broad category of "scripting in browsers can do bad stuff"- so even though it infuriates me, I get over it.  Overall, the show gets generally accurate information out to an audience in need of education.

[NOTE: Steve corrected himself about CSRF in SN Episode 166]

But now, I have a problem.  You know where I work and that my employer and Security Now have the longest running advertising relationship in podcasting.  It is a good relationship for both Astaro and Security Now, but I'm in an uncomfortable spot now because Steve Gibson screwed up royally, and Leo Laporte let it stand.

In the latest episode, Steve talked about the Latest Thing to Break the Internet™, the Louis/Lee Sockstress TCP DoS attacks- and got some things wrong and slighted the journalist who had the scoop on the story, Brenno deWinter.  I was lucky enough to meet Brenno at DefCon this year after one of his great presentations, and we have stayed in touch since then (primarily via the magic of Twitter).

I listened to Brenno's podcast as soon as I found out about it (via Twitter, of course), then listened to Security Now a couple of days later.  I had to go back and listen to Brenno's podcast again, because Steve and I seemed to have heard similar, but significantly differing things.  I don't pretend to know much of anything, certainly nowhere near as much about TCP/IP and network-based attacks as Steve Gibson- but I really think he got a few things wrong.  I'll ask you to listen to both shows if you are interested in judging for yourself, but I think the one thing that both Steve and Leo got completely wrong was not crediting Brenno for his work in the interview and podcast (or CIO article, or the research that went into everything).  That is just not right, especially from Leo, who has been such a driving force in podcasting and knows about the world of journalism.

The show notes at GRC now reflect a little more complete and accurate version of things, and credit Brenno- but the podcast is all that most people get, so I hope Steve "tidies up" a few things at the beginning of the next show.

So, yeah- listen to Security Now, just make sure you apply the appropriate filters for your own knowledge level, and do a little follow up yourself when it seems appropriate.  And roll up the windows in your car before you yell at Steve and Leo; your fellow commuters do not take kindly to being stuck in traffic next to raving lunatics.  Or so I have heard.