A few links.
I've got a few things I wanted to touch on today....
First, a friend of mine, Max (J_K9), is in Seattle... from the UK. He gave details on why he's going, which includes visiting Microsoft and presenting to the board of directors, on his blog. While he's there, he's writing entries on what's going on and so forth. While the first one only covers the traveling, I'm sure the upcoming posts will be very interesting. You can read them all on his blog.
Up next is a blog post from F-Secure... As most know, I don't always trust competitors when they discuss their competition... Given that F-Secure is now in competition with Microsoft on the AV front, I'd expect them to be attacking MS for AV-related issues, but apparently they've decided to take a different approach. They're discussing the fact that in Vista file extensions are still hidden by default. I think it's a very minor issue to take exception to and bring up. When you think that both home and business users run Vista... technical and computer-illiterate alike... I think it makes sense. A technical user can easily enable this setting should they want to view extensions... The computer-illiterate user will have a harder time disabling it. Does it allow certain malicious files to be executed... yes. However, I'd ask how they got the file. Internet Explorer, Firefox, Outlook, MSN... These programs show the complete file name, and people generally launch their files right from the download dialogs. They don't go into Explorer and track them down and run them... that's a computer geek thing. So even if the default action were changed, I don't think it would affect the end user.
These next two are related to WebAppSec. The first is a post by Jeremiah Grossman on Jikto. He makes some interesting points, and I'd have to say I agree... I don't know if the release of such a powerful utility, which has no "good" purpose, is such a good idea. Read his post for more details. I may discuss this in the future, but not now.
Lastly, a brief write-up on Web Security Auditing from SANS. It's fairly basic... nothing of interest but still a handy reference link.
Enjoy!

I agree with you and Jeremiah on the risks posed by the release of a tool like Jikto into the wild. It is a purely black-hat tool; unlike other security tools which may be used for both bad and good causes, it is difficult to imagine a situation in which Jikto could be used to prove a point which existing solutions could do using far less destructive methods.