eCSI security expert Márton Illés, Product Evangelist, BalaBit writes: "The security versus usability debate continues: the LogJam bug underscores the dilemma of vendors on fixing the problem without breaking access to thousands of websites. There are some interesting lessons to be learned from this:
"How long would it take to fix a known security issue on a vulnerable site? We'd hope that after publishing the Freak and Heartbleed bugs, most sites would not be vulnerable, but interestingly even top websites struggle with applying fixes for months. Site owners and companies need to understand their responsibility to patch vulnerabilities, just as they must fix other technical issues. Of course, fixing a problem that would take a site down is always more important and more visible than fixing a security problem - but this attitude creates problems when a data breach comes, always a very real but unwanted possibility.
"Security vs. usability is a debate raging on, and LogJam informs it. Security people must understand that security isn't the ultimate goal of a company, but businesses must also understand that security is essential. Implementing a new security rule that limits the usability of the system is a hard decision, but sometimes trade-offs must be made - it's a choice to find the right balance. It is a very interesting situation when applying a security fix results in a serious usability and accessibility issue because someone else - in this case, our website owners - did not do their homework. Should we put ourselves in jeopardy because another party is too lazy?
"In one way, it's great that this increases awareness of the need to continually maintain and apply fixes. LogJam is a strong message: what if updated browsers refuse to communicate with non-updated, vulnerable sites? What would a site owner do to keep their sites updated? The separate security and availability issues become one, and one that must be addressed.
"Physical borders - can there be government control in the age of the Internet? The most important lesson to be learned (again!) is how governments were/are trying to control the Internet and the technology behind it. Officials speak of export control on encryption software - and many security experts see this as a stupid joke. After all, how can you stop a piece of software from being exported? Software is not a 50-ton armored tank that is easy to control on a country's borders! Policy makers need to understand the technology they want to control - and few do today. Fortunately or unfortunately, on the Internet, physical borders and individual countries do not truly exist. Cryptography export control was a policy that did not achieve its goal, because it was so easy to "work around" it, and such policies caused serious harm all over the world, and especially inside the US. Maybe it is time for governments to stop spying on their own citizens and rather start protecting their privacy."
Balabit Product Manager Csaba Krasznay, PhD, on the Telstra breach: "The Telstra breach shows us how serious an APT attack can be. Pacman operated with serious malware in its network for months or years, and this attack was discovered just after their merger with Telstra. We shouldn't forget that telco companies are high-profile targets, and they should pay extreme attention to the detection of such targeted attacks and have solutions for forensic analysis and eCSI. It's critical to their business and their customers."