Moving beyond movies and TV shows (and their DVDs), Netflix announced on Tuesday Stethoscope, its "first project following a User Focused Security approach." From the company's blog post: The notion of "User Focused Security" acknowledges that attacks against corporate users (e.g., phishing, malware) are the primary mechanism leading to security incidents and data breaches, and it's one of the core principles driving our approach to corporate information security. [...] Stethoscope is a web application that collects information for a given user's devices and gives them clear and specific recommendations for securing their systems. If we provide employees with focused, actionable information and low-friction tools, we believe they can get their devices into a more secure state without heavy-handed policy enforcement. The company says Stethoscope tracks disk encryption, firewall, automatic updates, up-to-date OS/software, screen lock, jailbroken/rooted status, and the configuration of the device's security software stack.

  • Wow - this is some pretty cool stuff and I commend Netflix for doing it, but really? Netflix?

  • How is this fundamentally different than using SCAP or OVAL content to do a STIG check against a host and then apply remediations against findings? Other than it will hopefully allow "normal" users to understand what the problem is and what to do about it. But normal users probably aren't going to grab an open source security scanner and then follow the recommendations. They would then be abnormal users, by definition.

  • I see three things that are properly called "press releases" in the headlines of Slashdot this morning. It's a typical beginner mistake. Please stop.

  • Upon seeing that it's open source, I'm already starting to brainstorm how to help local schools and libraries set this thing up. Neat!

  • I couldn't find a public "check my phone" link, or I'd've tried it.

    But two of the "practices" listed in Netflix's blog post [netflix.com] appear to conflict. One is "Up-to-date OS/software", and the other is "Not jailbroken/rooted". What does it say when the latest official system software image for a particular device is no longer supported? Does it recommend that the user trade off the "not rooted" practice to obtain "up-to-date OS" by flashing the LineageOS distribution of Android?

