Columnist’s corner: The notion that vulnerability metrics are useless is mere technological mythology. “The ultimate truth is that unless you, or someone else, with good experience in security code review examines all the involved source code, you really don’t know how secure something is or isn’t,” Roger Grimes argues in Vulnerability counts do matter. Just look at the numbers associated with IE and Firefox.

Platforms: While Matt Asay doesn’t think upgrading to Vista will be as bad as some others seem to, he does write that “what you [get] after upgrading is performance poverty unless you have a new machine.” Not really Microsoft’s fault, but that and the recent chest-pounding by Gates in Newsweek have Asay contemplating, in Bill Gates: we are first, we are best, we are more secure, “I’m not sure what planet Gates lives on.”

Best of the blogs: Before the Internet spawned the current crap (oh, sorry, I mean crop) of marketing scammers, there were folks who pushed magazine subscriptions. “What’s really scary is that they now have the Internet as a tool to use in tracking down more unwitting victims,” reports Ed Foster in Invoices designed to deceive. One such trick: sending the freshly duped subscriber to what one reader calls ‘voice jail.’

From the feature well: With all the corporate information breaches these days, it has become clear that the data thief is likely to come from within. A paid employee, that is, rather than a hacker. That’s where information leak prevention, a.k.a. ILP, strategies come into play. Roger Grimes and Richard Gincel outline just such a plan in Enemy inside the firewall. One of the fundamental problems, according to a CSO at a Fortune 1000 company, is simply keeping aware of the geographical location of information. “If you don’t know where the data is, how can you even begin to protect it?” Security