I’ll be writing a daily blog from Black Hat and Defcon for the next five days for the Register (Dan Goodin is also writing security news pieces, so I’m not sure what else there’ll be.) This morning I talked to a guy from the Firefox security team. He made the (I thought interesting) point that what concerns the team most (ensuring that updates don’t break anything, so that users don’t turn them off) is not the biggest problem users have, which he says is typically old copies of Java lying around on their machines that they don’t know where they got them. JREs are often installed by software or OEMs; often you have no idea how old they are. Users don’t think to clean them out and you don’t update what you don’t know is there. And they pose significant security risks.

wg