This was an interview episode, so there is not much I can comment on. SpinRite appears again to save the day, and again without the reminder that backups are important and that a hard drive which has already suffered a physical failure is very likely to fail completely in the short term, reaching a state where no software can do anything with it.
Steve again rants about how browser scripting enables your client, your browser client, to run code from any site you visit. However, what he fails to realize, or at least to say, is that in the big picture any communication with an untrusted (and possibly malicious) remote host can be dangerous, and that scripting itself is not the problem. Admittedly, scripting can be used to obfuscate these exploits and to do other neat (from the attacker's point of view) things, like tailoring the exploit to the exact platform the user is running, but in the end many exploits (the ANI one, for example) run just as well without scripting as with it.
One reader asked my opinion about the Blink product they talked about in the podcast. (Disclaimer: this is my personal opinion; it doesn't necessarily reflect the opinion of any of my past or current employers, blah, blah.) I didn't actually try Blink, but generally speaking, if you have an environment which is different enough from the mainstream (like running as a limited user), you will be protected against 99.99% of the generic malware out there. Of course this probably will not protect you against targeted attacks, because those can be tailored to your exact environment. However, this is only an issue if you are a company. So using something like Blink together with other good security practices will make your computer withstand 99.99% of the attacks. Additionally, it might protect you against some exploits of the automatic kind (meaning those where you don't have to do anything specific to get exploited), which is definitely a good thing. Also, I will have to check out its user interface to get a feel for how difficult it would be for an average user to make sense of it. In the end, however, it can't prevent the dancing bunnies problem, where the user is socially engineered into taking some action (like downloading an executable and explicitly allowing it to bypass the security measures), which we are seeing more and more of.
In conclusion: it's probably a good product, especially given its price (free!), but it's not a silver bullet, and caution still needs to be exercised even with this product installed.