The Myths of Security pdf


Document information

[...]... wouldn’t be bothered by the status quo. They would claim that they don’t browse to any risky sites, they either don’t need security software or only run software from reputable vendors, and they run “personal firewalls” that are designed to make sure their machines don’t accept unsolicited traffic, even if the software services they’re running are infected. They also don’t expect that they would fall... also install malware. There have also been prominent security holes in Microsoft services (programs that run even when the user isn’t in front of the computer; usually, they allow programs on other machines to connect and talk to the machine on which they run) and other important third-party software where the service is sitting on your machine waiting for other people to connect to it. The bad guys just... look at the bedrock of the computer security industry, the piece that more or less everybody feels they need to have: AV. Most normal people think that AV solutions don’t work very well. And, for the most part, that’s right (even though AV vendors are continually trying to improve their products). These solutions are often 15 years old, and address the problems of that time, not this one. Most of the major... risk when they shouldn’t be. While the security industry points the finger at the bad guys, or even computer users, John rightfully points the finger at the security industry. There’s lots of biting criticism here that hopefully will make the industry examine itself, and lead to some positive change. It would be great to see a world where security vendors aren’t feeding hackers all the ammo they need...
straight face). After a couple of years of doing a lot of merger and acquisitions work, plus managing the engineering of most of the core technologies that are shared across McAfee’s products, such as the antivirus (AV) engine, I left to do another startup, and was back at McAfee within a year, this time as CTO of the Software-as-a-Service business unit. Ten years later, the security world doesn’t seem... executing on your computer. The typical consumer will never see the AV software working, and won’t give it any credit. The consequences haven’t been too bad. A lot of consumers expected an Internet apocalypse, where some large chunk of the people they knew would have their bank accounts drained and their identities stolen. For a while, people were afraid of doing commerce on the Net. The people who were most... computer security field in general, which is what he’s done with The Myths of Security. I just hope that the rest of the field sees this book in the same light I have, and uses it as constructive criticism to build better security for everyone. Given my extensive experience in this field over the past 15 years, there are few books that I would put into this category. When I talk with people about the computer... look with some explanation of why they don’t care. Like, “I own a Mac,” or “I let my kids worry about that for me.” • They ask something like, “What should I be doing to keep myself safe?”, and when I give them the answer, they change the subject, because they have gotten all the information they ever wanted to know about Internet security. • They relate some “horror show” about their computer malfunctions...
And, people assume their antivirus software is protecting them, but it’s worth being skeptical about that. People in the industry have their misconceptions, too. Everybody seems to think that the vulnerability research community is helping improve security. But it’s not; it’s feeding the bad guys. I’ll also discuss some of my solutions to these problems. We’ve come to think that many of these problems are... to keep security bugs out of software, Building Secure Software (Addison-Wesley; we are finally looking at doing a long-overdue revision), and a few others—I’m particularly proud of the Secure Programming Cookbook (O’Reilly; http://oreilly.com/catalog/9780596003944/). Then I started a company called Secure Software, which built tools to automatically find security...

The Myths of Security: What the Computer Security Industry Doesn’t Want You to Know

Date posted: 06/03/2014, 10:20

Table of contents

  • Contents

  • Foreword

  • Preface

    • Why Myths of Security?

    • Acknowledgments

    • How to Contact Us

    • Safari® Books Online

    • The Security Industry Is Broken

    • Security: Nobody Cares!

    • It’s Easier to Get “0wned” Than You Think

    • It’s Good to Be Bad

    • Test of a Good Security Product: Would I Use It?

    • Why Microsoft’s Free AV Won’t Matter

    • Google Is Evil

    • Why Most AV Doesn’t Work (Well)

    • Why AV Is Often Slow

    • Four Minutes to Infection?

    • Personal Firewall Problems

    • Call It “Antivirus”

    • Why Most People Shouldn’t Run Intrusion Prevention Systems

    • Problems with Host Intrusion Prevention
