SN 843: Trojan Source

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

Man… at some point in time, TWiT needs t-shirts with the very best of Steve’s Microsoft rants. I was standing in the ranks and applauding. He just puts it right like it is. It would be fun to have Steve periodically join all of the other shows and do a sizable bit of security and quality ranting. By now, Gibson is not merely a person, it’s a tech attitude. To be gibson should implicitly mean secure, robust quality, and not afraid to mince words. :slight_smile:

I try to make my systems run gibson, but then again - that’s more of a prime directive than an actually achievable state. Even though Steve would disagree. He reminds me of the drill sergeant in Full Metal Jacket, but running a data center.


I haven’t heard this week’s rant yet - it is next up on my playlist.

But sometimes he does go OTT with the Microsoft thing. They deserve a lot of bashing and the recent printer stuff is just diabolical. But his Exchange rant earlier this year was off base, which made me sad.

It took Microsoft 3 months to get the Exchange patches out and he compared it to Chrome zero-days, which were patched within a few days. On the other hand, the open source mail system Exim was told of a serious bug in October 2020, they released their patch a week or so after Microsoft released their Exchange patch. That was like for like, and a similar time-frame.

Comparing fixing Exchange with Chrome is like saying you managed to change the clutch on your Ford Fiesta in an afternoon, why does it take Meyer Werft months to refurbish the engines on an ocean liner.

I really respect Steve, but his experience of major (hundreds of developers working on a single product) projects is limited and the amount of testing, especially regression testing of changes is a huge job, which usually takes most of the time, when fixing such systems. We used to calculate something like 25-30% for analysis and design, 10-15% for development and 60% for testing.

Don’t get me wrong, what Steve has achieved and his stories from the fireside chat recently are amazing and, to be honest, Microsoft deserves a big kicking for their security woes and their decisions recently. (I say that as someone who has stopped using Windows at home and has switched to Linux.)


The blast against Microsoft was spot on this time.

But he struggled with Google’s Chrome zero-day update. Some things are a little deeper integrated than others and a couple of keystrokes and a re-compile just don’t cut it… Without knowing exactly where the problem was, what they needed to do to fix it and what other things it broke that then also needed fixing, you can’t say whether they were dragging their toes or working their butts off.

Edit: with regard to Trojan Source, VIM displays the LRI and RLI as inverse video and doesn’t interpret them.
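
A defensive check in the spirit of the VIM observation above, added here as an example that is not from the show or from anyone in this thread: a small Python scanner that flags the Unicode bidirectional control characters (LRI, RLI and the related embedding, override and isolate codes) that Trojan Source relies on, run over a constructed sample file.

```python
# Unicode bidirectional control characters. Trojan Source abuses these so
# that what an editor or code viewer renders differs from the token order
# a compiler actually sees. LRI (U+2066) and RLI (U+2067) are the two
# mentioned above; the rest are the other embedding/override/isolate codes.
BIDI_CONTROLS = {
    "\u202a": "LRE",  # LEFT-TO-RIGHT EMBEDDING
    "\u202b": "RLE",  # RIGHT-TO-LEFT EMBEDDING
    "\u202c": "PDF",  # POP DIRECTIONAL FORMATTING
    "\u202d": "LRO",  # LEFT-TO-RIGHT OVERRIDE
    "\u202e": "RLO",  # RIGHT-TO-LEFT OVERRIDE
    "\u2066": "LRI",  # LEFT-TO-RIGHT ISOLATE
    "\u2067": "RLI",  # RIGHT-TO-LEFT ISOLATE
    "\u2068": "FSI",  # FIRST STRONG ISOLATE
    "\u2069": "PDI",  # POP DIRECTIONAL ISOLATE
}


def find_bidi_controls(source: str):
    """Return (line, column, name) for every bidi control character found.

    Lines and columns are 1-based so they can be reported like compiler
    diagnostics. A clean file yields an empty list.
    """
    hits = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(text, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, BIDI_CONTROLS[ch]))
    return hits


# Constructed sample (not real project code): a comment carrying an
# RLI ... PDI pair, which a bidi-aware viewer would silently reorder.
SAMPLE = (
    "def check(user):\n"
    "    # \u2067 admin \u2069 access only\n"
    "    return user == 'admin'\n"
)

if __name__ == "__main__":
    for lineno, col, name in find_bidi_controls(SAMPLE):
        print(f"line {lineno} col {col}: {name}")
```

Run it over a checkout (or wire it into a pre-commit hook) and treat any hit outside a deliberately right-to-left string literal as something to inspect by hand.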


To be honest, I’m getting very tired of RANT!! shows. I’ve been listening since the single digit days, loved the explanations of how the internet worked, crypto and today’s Trojan Source. But I really don’t need to listen to rant after rant for a third of the show, week after week.


Agree, I’m beginning to tire of these rants too.

Plus Steve seems to be reading all of his content these days so that along with the ranting is putting me off listening to the show :frowning:


I don’t even remember him doing another type of show than ranting. Thought it was his thing? Then again, being the security guy, doesn’t that kind of come with the territory?

I get that it can get old, but… it sounds like calling chocolate sweet or the sun too bright. Which happens, but…