McAfee isn't "McAfee Secure" or "Hacker Safe"
In my most recent discussion on McAfee, I posted a talkback to Russ McRee stating, tongue in cheek, mind you, that it'd be interesting to see an XSS or SQL Injection on McAfee's site, see if they are indeed "McAfee Secure". Well, I guess you get what you ask for...
Russ McRee on his Holistic InfoSec Blog posted the following:
"A challenge was put forth on Zero Day, and it has been answered. Apparently, McAfee doesn't care about XSS on their own sites either. I'll let the video speak for itself.
For the love of all things good and proper, McAfee, please address this issue...for yourselves and the consumers who look to you to do the right thing.
Sincerely, Russ McRee"
Yes, that is what you think it is, it's a video of an XSS exposure on one of McAfee's sites. I'm not sure what to think about this... clearly, from some of McAfee's previous comments, we can reasonably assume that they don't truly understand how big of an issue XSS is; further, I find it a bit disturbing that they aren't running McAfee Secure on their own sites if it is in fact a product that they are confident in selling off to customers. So I think we have one of two possibilities here:
1.) McAfee is not using their own security tool on their own sites... hmm, that really spells brand confidence, doesn't it?
2.) McAfee is using the tool, but the tool doesn't do an adequate job of reporting security issues.
Now, I'm not one to say that I'm free of XSS... I'm fairly positive that ZDNet has XSS issues, but that's not the point. The point is, I don't try to sell a tool that is the magic silver bullet for protecting web applications, nor do I certify any of those applications by saying they are "Hacker Safe" or "Nate McFeters Secure".
I think it is time that McAfee change its stance about XSS... it is a major issue and it deserves attention, certainly from a tool that certifies an application as being "Hacker Safe". I think it's also time they change their stance about their certification tool altogether... a simple scan will never be able to catch all the issues a web application faces.
-Nate
Talkback
McAfee not a security company
Though still an unpopular idea, the concept of antivirus does not comply with standard, universal security principles.
As a result, most AV vendors - Symantec, McAfee, etc - still have not accepted those principles which are commonly accepted outside of the AV world... These companies simply DO NOT GET IT.
Time to throw them out of the halls of security companies - stop calling them that!
You are correct.
NMF Secure - consider the revenues...
Surely if you build it, they will come, right? Consider the revenue stream.
Seriously, though, it is hard to think of a company which sells AV + other system protection tools which itself is not secure, or at least their websites.
Then again, I'm sure many people have been disconnected while on hold to complain or ask for help from the telephone company, yet they keep going back. This is the definition of irony.
Some will say that they are not a security company. While they may specialize in certain aspects of security, I think it is inaccurate to say that they are not a security company. Run Windows without antivirus and surf the web for an hour and see how secure your computer remains.
For the record, I have avoided McAfee for years as I have felt that other products were superior. On my Windows boxes now I use Trend Micro, and have had great results.
RE: McAfee isn't
"I wouldn't eat at a 5-star rated restaurant if the chef, waiter people or management doesn't eat there" Walter E. Williams, PhD.
Most wise people would look if the company that sells the product uses the product itself before they will buy it.
Unfortunately McAfee's management does feel that way and the people who buy their products don't care as long as they have a "badge" on their website so they can show that the users are "protected". As we, the tech community, are showing that the "King has no clothes", now McAfee is backpedaling and re-badging this solution but not wanting to put true effort into fixing the problem, which would eventually pay more rewards. However, with McAfee's management, fixing the real problem is too expensive, so re-badging is a quick and cheap solution and those who are not tech savvy will be duped into buying the "re-clothed" solution.
New cert: "Nate McFeters Safe"
-Nate
did they fix them?
RE: McAfee isn't
McAfee's SiteAdvisor has falsely tagged our website and
many other innocent websites as sources of "unsolicited
emails" which is reported on Yahoo's search engine. All
three companies have been non-responsive, arrogant and
accept no responsibility when these errors are pointed out
- preferring instead to blame us victims. Lots of details
and links to blogs and other victims at http://www.rumford.com/YahooMcafeeSiteAdvisor.html