How To Provide Software Downloads

2012-11-27 07:20:21 by chort

Today I tried to download some anti-virus software from the manufacturer's site. When I clicked the Download button embedded in their site, it sent me to a CNET download page, which I assume would have downloaded one of those special CNET installers. I say assume, because I didn't actually bother to download it once I realized I had been redirected to CNET.

That was an example of a wrong way to provide a software download, but what is the correct way to do it?

Read the rest of this story...

The Farce of Hardening Guides

2012-11-05 07:37:35 by chort

Today I was directed to a blog post from VMware that discloses a leak of ESX source code. What struck me wasn't the leak itself, but the mention of security hardening guides. This isn't unique to VMware. Just about every enterprise IT vendor has hardening guides or knowledge base articles for how to take the default configuration, apply a bunch of changes, and make it more secure. This prompted me to muse about some ideal future where vendors instead post "softening guides" for the rare customer who wants to downgrade the default, highly-secure configuration.

Isn't that just wishful thinking on my part? Isn't it a good thing that vendors make the effort to create and publish hardening guides? I'll tell you why I think hardening guides are fundamentally dishonest and customers should demand better.

Read the rest of this story...