Listen to the "Security Now" podcast. He explains how SpinRite works every 3rd or 4th episode, with testimonials on every show.
He seems open minded and mostly harmless, both in his tool (which I find works better than free alternatives), and in his armchair security analysis. Sometimes though he oddly contradicts his own best practices, like nearly blind faith in LastPass for years based on (IIRC) a white paper and the early execs being very chummy and accessible. Thankfully the audience calls out the questionable stuff.
The podcast is called “Security Now” but what it should be called is “privacy now” because Mr. Gibson fails to understand a lot of contemporary security problems yet is quite sure that Windows collecting telemetry is the most severe problem on the planet today.
unless you use his software to fix it, that is.
Every episode having a 15-minute commercial for spinrite (via testimonials which all sound like they were written by the exact same person) should be more than enough for anyone to start to question the guy.
I haven't listened to that show for a while now, but it seemed to be the only show out there that explained computer security news in detail. I remember him explaining the speculative execution exploits really well when they first appeared. Do the people I know who work on blue and red teams listen to him? No, they already know that stuff, and yeah, he could be more up to date, but he does his research, does his homework and is a great pedagogue.
If he has implemented mitigations for all of the applicable risks of the software he's using, how is that "not the behavior of a security expert"?
To my mind, a security expert is someone who understands the functional details of specific vulnerabilities, and explains how to mitigate them, not someone who makes vague, cargo-culty judgments about entire applications or OSes.
He was browsing the web, that's pretty high risk. And sticking to reputable sites isn't enough when their ads could contain malware. While it sounds like he doesn't use XP anymore, (IIRC) he was using it for the Internet well beyond its EOL.
He also admitted to having trouble getting his dev environment working on newer OSes. My guess is he was rationalizing the choice to stick with XP to avoid the friction of upgrading development tools. Which is odd, since he's not afraid to delay things for years and ultimately has upgraded his environments anyway.
Steve Gibson was always a bit of a laggard in adopting things, though. He was writing pages about how assembly languages create small programs in the late 90s when that advantage was no longer relevant, running a newsgroup server and hooking up a web UI as a web forum, and so on.
Considering final application size as well as CPU and RAM usage will always be important, whether people believe them to be or not.
I won’t ever go so far as to recommend that others write stuff in Assembly, but I’d love to be able to do that.
CPU and RAM will matter so long as users are billed by those metrics. More RAM will always be more expensive than less RAM, and faster CPUs will always be more expensive than slower CPUs. If you write software that is used at scale, I would consider it a moral failing if you do not consider how many resources your application uses at scale and you do not make some effort to increase the efficiency of your application in some way.
Accordingly, I have almost zero respect for JavaScript developers, especially server-side JavaScript developers. Server-side JavaScript developers know that JS is inefficient and they choose to use it, anyway. How much coal has been burned exclusively to allow JavaScript developers to run Node on the server, instead of some other, more efficient language? A LOT, I guarantee it.
Performance and efficiency matter a lot at scale. At the small scale, no user has ever complained that their application was too fast or that it didn’t use enough RAM.
When you invoke a Lambda trillions of times per year, every last byte of RAM and every millisecond of CPU time matters. My employer has a few Lambdas which are invoked tens of trillions of times per year, and we saved a lot of money moving from Python to compiled languages. We’d save a lot more if we knew how to write assembly.
> especially server-side JavaScript developers. Server-side JavaScript developers know that JS is inefficient and they choose to use it
I'm in no way a JS fan, but this take is wrong. The main reason JS is on the server side is because it makes the transition between server side and client side trivial. Not everyone runs SaaS with billions of requests every second.
In terms of not only money and time, but also resources and energy spent, this increase in software productivity is worth it in most cases.
The advantage of writing code in assembly was relevant then, and remains relevant now.
Given the vast regressions in usability and compatibility of software generally that we've seen in the past 10-15 years, someone maintaining and extending the functionality of superior older technology is doing something unequivocally useful.
And yet AFAIK he seems to be doing fine.
If you run the same stuff, only allow and visit the same addresses, and disable ECMAScript, in addition to other mitigation measures such as 2FA, then I don't really see the problem.
> That is not the behavior of a security expert.
Your image of "security experts" must come from movies. I know security experts IRL. Their security at home amounts to not using their work computer for personal stuff and 2FA.
You’ve never had an ad on a webpage serve you malware via a browser exploit that does not require JavaScript, I see. Nor ever used a compromised supply chain. You think that luck will hold out forever? It won’t.
Turning off JavaScript and using 2FA everywhere are good steps, but just as using a firewall and saying "I have a firewall, I'm completely safe" is myopic, saying "disabling JavaScript and using 2FA make me secure" is just as myopic.
You must apply security fixes. Sticking to Windows XP because you prefer it over newer operating systems is absolutely foolish if you connect it to the Internet in any way.
If Steve Gibson were a security expert, Windows XP would simply not have been an option the instant it went out of support.
He has had some very fun episodes over the years. Blue pill back in the Vista days blew my mind.
Another episode: "Blue Keep", had me calling everyone I knew in charge of Windows Domains, with many thanks coming back my way because it was a pretty big deal to get patched on unsupported systems.
If you think of Steve Gibson as more of a technically minded journalist and less of a "security expert", then the show is very enjoyable. There are a lot fewer grave errors now than there used to be, his voice is pleasant and he usually covers relevant and interesting news.