Well, not exactly, though actually a top ten of top tens isn't a bad idea: apparently, top tens usually attract plenty of readers. As do top fives, twenties, etc., though probably not top thirteens.
(On the topic of Security Memetics: Kurt, thank you for posting one or two of my cartoons, and the kind words – it has been a while since I did any, but I'm encouraged to do one or two more.)
Talking of Kurt's post… Yes, I do have a floppy drive. In fact, it's a USB floppy drive, which might put it in the same class as some of the other threats Kurt mentions – but no-one said there couldn't be an overlap in top ten items, at any rate if they're supposed to mirror the real world. Unfortunately, it's a 3 1/4" drive, so I can't use it for my treasured original AIDS Trojan 5.25" floppy.
(Did you know that in South Africa 3.25" diskettes tend to be referred to as "stiffies"? I'm trying to think of a way to expand on that point that won't get me into trouble, or, even worse, inspire a mass chorus of vuvuzela horn jokes. Let's just move swiftly on…)
Kurt's item #5, by the way, was web sites ("yes, all of them"): if you think that's an exaggeration, read here how a first-rate security company was stung by an XSS vulnerability. There's no sensational security breach here: just a neat illustration of a minor slip-up dealt with promptly and responsibly before it could escalate into something worse. It's the sort of thing that can and does happen to anyone. Tip of the hat to Mikko for turning a potential problem into an object lesson in responsible disclosure.
Anyway, back at the plot… Kurt paraphrased an observation by Dave Lewis as "top ten lists are infectious". Lewis's blog in turn led me to Richard Stiennon's piece at Network World on "the Top Ten List of Worst Uses for Windows". This is a slightly disquieting list of examples of Windows used in contexts where less complex and arguably more stable solutions might be more appropriate. Though I share Lewis's bewilderment at the mention of SCADA as a "protocol". Still, it will ring bells with anyone who's found himself or herself looking at a Blue Screen of Death where they were hoping for the next train from platform 4 or their own bank balance.
And finally, thanks to Kevin Townsend, who posed some very interesting questions about AMTSO (the Anti-Malware Testing Standards Organization) in a blog article here. As well as giving me lots of space to respond to his questions and concerns, he cited a press release from 2009 that quoted my "Top Ten Mistakes Made When Evaluating Anti-Malware Software". As it's listed in full, both in the press release and in Kev's blog, it seems superfluous to quote it here as well, but I think I might revisit it soon. After all, there are enough poor tests around to make a Top 100 perfectly feasible… ;-)
This surely breaks some sort of record for the most topics in a single blog article? Maybe I should have gone for ten…
David Harley CITP FBCS CISSP
ESET Research Fellow
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Also blogging at:
Author David Harley, ESET