by paulryanrogers 749 days ago
Listen to the "Security Now" podcast. He explains how SpinRite works every 3rd or 4th episode, with testimonials on every show.

He seems open minded and mostly harmless, both in his tool (which I find works better than free alternatives), and in his armchair security analysis. Sometimes though he oddly contradicts his own best practices, like nearly blind faith in LastPass for years based on (IIRC) a white paper and the early execs being very chummy and accessible. Thankfully the audience calls out the questionable stuff.


The podcast is called “Security Now” but what it should be called is “privacy now” because Mr. Gibson fails to understand a lot of contemporary security problems yet is quite sure that Windows collecting telemetry is the most severe problem on the planet today.

unless you use his software to fix it, that is.

Every episode having a 15-minute commercial for spinrite (via testimonials which all sound like they were written by the exact same person) should be more than enough for anyone to start to question the guy.

I haven't listened to that show for a while now; but it seemed that it was the only show out there that explained computer security news in detail. I remember him explaining the speculative execution exploits really well when they first appeared. Do the people I know who work on blue and red teams listen to him? No, they already know that stuff, and yeah he could be more up to date, but he does his research, does his homework and is a great pedagogue.
> he does his research, does his homework

Is that why he ran Windows XP unpatched as his primary computer because “it’s fine, this is all I need; I have a firewall, nothing can get in.”

That is not the behavior of a security expert.

If you don’t know why that is bad, you do not understand entire classes of attack, today.

If he has implemented mitigations for all of the applicable risks of the software he's using, how is that "not the behavior of a security expert"?

To my mind, a security expert is someone who understands the functional details of specific vulnerabilities, and explains how to mitigate them, not someone who makes vague, cargo-culty judgments about entire applications or OSes.

He was browsing the web, that's pretty high risk. And sticking to reputable sites isn't enough when their ads could contain malware. While it sounds like he doesn't use XP anymore, (IIRC) he was using it for the Internet well beyond its EOL.

He also admitted to having trouble getting his dev environment working on newer OS's. My guess is he was rationalizing the choice to stick with XP to avoid the friction of upgrading development tools. Which is odd since he's not afraid to delay things for years and ultimately has upgraded his environments anyway.

Steve Gibson was always a bit of a laggard in adopting things though. He was writing pages about how assembly languages create small programs in the late 90s when that advantage was no longer relevant, running a newsgroup server and hooking up a web UI as a web forum, and so on.
That is the behaviour of a security expert who isn't afraid to challenge the dogma perpetuated by Big Tech.
To all the downvoters, this is sarcasm.
And yet AFAIK he seems to be doing fine. If you run the same stuff, only allow and visit the same addresses, and disable ECMAScript, in addition to other mitigation measures such as 2FA, then I don't really see the problem.

> That is not the behavior of a security expert.

Your image of "security experts" must come from movies. I know security experts IRL. Their security at home amounts to not using their work computer for personal stuff and 2FA.

You’ve never had an ad on a webpage serve you malware via a browser exploit that does not require JavaScript, I see. Nor ever used a compromised supply chain. You think that luck will hold out forever? It won’t.

Turning off JavaScript and using 2FA everywhere are good steps, but just as using a firewall and saying "I have a firewall, I'm completely safe" is myopic, saying "disabling JavaScript and using 2FA make me secure" is just as myopic.

You must apply security fixes. Sticking to Windows XP because you prefer it over newer operating systems is absolutely foolish if you connect it to the Internet in any way.

If Steve Gibson were a security expert, Windows XP would simply not have been an option the instant it went out of support.

Expertise simply means having a deep understanding in a field of knowledge. Running Windows XP is irrelevant.
He has had some very fun episodes over the years. Blue pill back in the Vista days blew my mind.

Another episode, "BlueKeep", had me calling everyone I knew in charge of Windows domains, with many thanks coming back my way because it was a pretty big deal to get patched on unsupported systems.

I highly recommend the weekly podcast.

If you think of Steve Gibson as more of a technically minded journalist and less of a "security expert", then the show is very enjoyable. There are a lot fewer grave errors now than there used to be, his voice is pleasant and he usually covers relevant and interesting news.