Security is an Industry Problem


The information published in this post is now out-of-date and one or more links are invalid.

—IEBlog Editor, 21 August 2012

I’ve received enough questions in email from different people about a recent vulnerability in another browser that I wanted to post something here.

I think the best place for the facts is with the people responsible for the browser. I say this based on the number of articles I read that misrepresent issues in Windows and IE.

I also think that security is an industry-wide problem. It’s not limited or unique to operating systems or applications, or client or server software. It’s not limited or unique to commercial software or open source.

The only us versus them distinction I want to make around security is to put responsible software developers, security researchers, and customers together as “us” and malicious (whether it’s intentionally or not) software developers, security researchers, and their customers together as “them.”

Today, I see a tremendous amount of talent and intelligence applied to breaking or repurposing software. Some of that is positive and responsible. I’ve listened to and worked with security researchers I would describe as brilliant with no mitigating clauses. They are also responsible. They’ve worked with us to point out how we can build better software.

I don’t know what to say or do about “them.” I think some of what we can do is help legislators and law enforcement understand what’s at stake in a constructive way. I want to know what else you think we can do about the malicious behavior we find on the Internet.

Dean

Comments (57)

  1. Anonymous says:

    As you are no doubt aware, a couple of pretty nasty security defects have been found in the latest FireFox…

  2. Anonymous says:

    duck!

  3. Anonymous says:

    It’s nice to see such a balanced comment on the Mozilla bug on a day when fanboys of all browsers are (as ever) at each other’s throats. I fear I won’t have finished writing my comment before the first of it arrives here.

    Anyone who downloads a web browser expecting it to be invincible is kidding themselves and always has been. Short term we’re going to see a glut of holes in Firefox because the product is new and despite the age of the Gecko core, the codebase hasn’t been stress tested. With Firefox’s success it will be and holes will be found and fixed.

    I imagine that 12 or 18 months down the line we’ll see fairer assessments of different browsers’ security records.

    On a more general note, fighting security holes of the net needs to come down in fairly equal part to education, notification and support from software vendors.

    There is a pretence held by some in the industry that the computer can be made completely ‘idiot-proof’, dressed in rainbow colours and allow users and their grandparents to browse the web without a care for security. The key words ‘idiot-proof’ and ‘free’ are the conflict. As such, users shouldn’t be given ammunition to plead ignorance when their computer is compromised.

    Information and education generally need to be combined, I think. The notification bar in IE and Firefox is a good example: allowing for subtle but informative plain English messages to be passed to users when potentially dangerous events occur. It needs to be used more and we maybe need to move towards giving more plain English information about the web and its threats as users browse. If it means hiding an OK button for 20 seconds to ensure that the user reads and understands, then so be it.

    The other vendor support side is where, to be honest, Microsoft have very publicly fallen down in recent years. "Them" will never go away so the vendor has an undeniable responsibility to fix problems on the products they support. I think you let a lot of people down with SP2: If Windows 2000 is really a supported platform then the SP2 IE changes should have been there.

    IE7 is a tad more controversial in that case, since it’s only going to be out on XP, but would it not be a very good time for Microsoft to clarify their position on patching any future Internet Explorer 7 bugs on XP and also legacy support for IE6 bugs in 2000?

  4. Maurits says:

    > I want to know what else you think we can do about the malicious behavior we find on the Internet.

    First: distribute Windows Update. That is, have clients check various download locations NOT ALL ON THE SAME DOMAIN and only install updates whose CRCs match on all locations.

    Second: STOP DEVELOPING PROPRIETARY FEATURES.

    This may seem extreme but here’s my reasoning.

    Remember img dynsrc= ? This was a way for malicious HTML-email authors to get around the <object> block in Microsoft Outlook. It has since been fixed.

    But learn a lesson from this. Stick to standard features. It will improve interoperability. Not just with products of your competitors, but also with products of other Microsoft teams.

  5. Anonymous says:

    Now this one is an interesting one as the bug itself was reported by very responsible people, yet leaked through very irresponsible ones. I don’t laugh when IE has some new flaw (in fact I suspect that IE has, as of now, far less significant surprises up its sleeve than Firefox due to its longer being aroundness; Firefox will probably yield some even nastier surprises as more eyes start to pour into it), yet I feel a bit more safer with fox, due to its lesser popularity (lesser targeting) and also its speedier response to such events. On the other hand, you would be faster in fixing the holes if you could – nothing has to break; double check everything, many versions etc.

  6. Dave says:

    Yes, browser exploits are a problem and should be fixed. But the majority of problems with viruses and spyware are from users that are tricked into downloading evil files through P2P/web sites or opening evil attachments through their email client–predominantly Outlook/98/2000/2002/2003/Express.

    It makes good Internet drama to pit IE against Firefox and compare their shortfalls, but to improve user protection we need to deal with the most common vectors, and it ain’t browser exploits.

  7. Anonymous says:

    The critical issue that should push lawmakers is the fact that if I realize I have something I do not want, I should be able to remove it without having to re-install Windows. However surreptitious these EULAs for spyware are, I doubt they can go as far as:

    If you realize our software is installed, the only way to remove it is by reformatting. Try anything else, and we will simply re-install our spyware.

    Can’t BHOs be added to Add/Remove Programs?

  8. Anonymous says:

    "but to improve user protection we need to deal with the most common vectors, and it ain’t browser exploits."

    This is true now at least. Pre-SP2 it probably wasn’t.

  9. Anonymous says:

    I wonder if you’d be interested in creating something like what I’ve suggested for Mozilla in a security related bug in Mozilla’s bug tracker.

    The basic idea is to add a tool (as seen by devs, feature as seen by users) to the browser (that is based on standards please – I don’t want to have to code once for IE and then code again for everyone else, surely we’re past that at this stage) that will give site operators a place to display information about the site they are visiting when a secure connection is operational. This feature would display the information in a small popup that is located next to the system tray, perhaps attached to a system tray icon (like the yellow Windows XP update shield, or something similar), and would contain whatever relevant information about the site.

    Once that tool/feature is available to web developers to take advantage of, they could alert users of the site to be on the lookout for it. This would effectively shift the responsibility of anti-spoofing/anti-phishing to the individual site developers and operators, where it belongs.

    It is the job of browser developers to develop tools. Why not provide a tool to help the development community combat the phishing and security issues that face their users? The current model is to continue to modify the browsers in a way that will cripple their features and dull the tools. Surely there’s a better way.

    You can read what I posted on Mozilla’s Bugzilla here:

    https://bugzilla.mozilla.org/show_bug.cgi?id=22183#c235

  10. EricLippert says:

    I strongly agree Dean that this is an industry-wide problem; no business model makes software magically immune to error.

    However, there’s something I don’t understand about your post — what do you mean by malice without intention?

    Surely malice is _by definition_ intentional.

  11. LarryOsterman says:

    Eric,

    I believe that Dean was discussing the people who disclose vulnerabilities.

    Maybe a better choice of words was "harmful" instead of "malicious"? Using "harmful" removes the intent – things can be harmful without intent, while I don’t believe it’s possible to be malicious without intent.

  12. Anonymous says:

    Please please please make IE 7 compliant with CSS 2.1.

  13. Anonymous says:

    > However, there’s something I don’t understand about your post — what do you mean by malice without intention?

    > Surely malice is _by definition_ intentional.

    I think Dean meant such security researchers as securityfocus.com and others. They track bugs and make exploits available for download to the public. Public exploits and explanations of how to avoid security rules and violate them compromise lots of systems and don’t do any good.

    In my opinion, if you are a security researcher, you must first contact the software vendor, make them aware of the problem, and post only information on how to avoid the problem on your site.

    P.S. Sorry for my poor English.

  14. Anonymous says:

    > I want to know what else you think we can do about the malicious behavior we find on the Internet.

    Surely you know what software testing is? When you put some user in front of your software and see which buttons he will push. And if he pushes some buttons which crash your software you could scream – "Hey you idiot, why did you push that wrong button!" 🙂 Still, that would be a bug in the software and you should fix it.

    Same here – "them" discover bugs in your software and you just fix it. 🙂

    You write software to do some useful things. You document all your software does. You learn which things your software must not do. You document this also for the user to be aware of all features (+ and -) of the product he buys. If you do not document some issue (intentionally, or because you just do not know of it because it is a bug 🙂) – it is your fault as a developer – you have created software without knowing what it does – something like a Frankenstein 😉

    If you do this – you should think whether your dev tools are OK if you can’t know what action your software will produce 🙂 Why is your code buggy…? Almost every piece of code in the industry is buggy.

  15. Anonymous says:

    Some potentially nasty browser security vulnerabilities found this weekend in Mozilla and in Safari. Both involve software update mechanisms. The Firefox one tricks the browser into thinking it’s installing from a trusted update site (the main…

  16. Anonymous says:

    MS’ track record isn’t very shiny either so basically Dean, you have nothing to say when your own house isn’t in order.

    http://secunia.com/product/11/

    19 unpatched security issues. Not to mention lack of web standards support.

  17. Anonymous says:

    You need to read better, specifically go learn what "Reading comprehension" is…

  18. Anonymous says:

    @FireFox

    Dean wasn’t saying that IE was better than FF or vice versa. He was saying that just because FF is Open Source it doesn’t mean it has no security vulnerabilities, as some FF advocates preach.

    I use FF and love it, but I have heard so much hype about it that is just plain untrue.

    @Dean,

    From what I understand this exploit is only available on Windows systems. So I would question one part of your statement, where you say "It’s not limited or unique to operating systems…" From what I can find out (I have not researched extensively) Windows may be the major culprit and FF only the channel.

    I was wondering what you think.

    Thanks

  19. ptorr says:

    One of the benefits of a cross-platform technology such as XUL and JavaScript is that it runs… uh… cross platform 🙂

    That means the bugs are cross-platform, too. To the best of my knowledge, the PoC that leaked was for Windows, but the attack would work anywhere.

    That’s based on reading posts on slashdot, so I could be talking complete gibberish…

  20. Anonymous says:

    Security is certainly an industry problem and it is certainly no help when security gets co-opted into the platform wars. I remember when the case against Unix in the 80s was its chronic lack of security.

    The underlying problem here is that none of the ‘security’ architectures in use today was designed for ordinary people and none was designed for Internet commerce. The security architecture of Windows NT was pretty much a state of the art implementation of orange book which does not consider networking at all, let alone social engineering attacks against the consumer whether directly or indirectly through a trojan.

    We still act as if the problem was providing security for the military or for highly motivated technical experts. It’s security for geeks, not security for real people.

    The current SSL interface has serious usability problems. Most users are not even aware it exists. Only a tiny number know that the padlock icon alone does not mean you are secure and of those the number who could decipher an X.509 cert chain is minuscule.

    The reason I have been promoting Secure Internet Letterhead is that we have to start giving the user security information using cues that are already familiar and understood. That means brand logos, every form of atom based communication from the bank, every letter, leaflet, branch, ATM etc. carries the logo.

  21. Anonymous says:

    Re: Anonymous To Anonymous on Reading Comprehension. Look more closely and you’ll see that the "As you are no doubt aware…" post is actually an excerpt from a blog entry linking to this one, embedded via trackback.

    Unfortunately the display of Trackbacks on this blog does not make it clear that they are merely excerpts. Labeling them as Anonymous only muddies the issue.

    It seems to me a better solution would be to display them as "Trackback from [link]Site Name[/link]" or perhaps a less implementation-specific note like "Excerpt from [link]Site Name[/link]"

  22. Anonymous says:

    > He was saying that just because FF is Open Source it doesn’t mean it has no security vulnerabilities, as some FF advocates preach.

    Which FF advocates would these be? I’ve never seen somebody claim something so stupid. Sounds like straw men to me.

  23. Anonymous says:

    @Jim: read firefox’s post some posts before yours "you have nothing to say when your own house isn’t in order" – this is so typical for FF admirers. There is a joke in my country:

    Once upon a time, during the cold war, American and Russian computers engaged in a question-fight.

    – Why do your people starve when gov-leaders have far too much money? – asked the American computer. The Russian replied:

    – And you discriminate against Afro-Americans!

    It’s sad, that Dean said nothing bad about FF and then some FF-troll came out with rude reply.

  24. Anonymous says:

    Yes, indeed security is an industry problem. However, both the number and frequency of critical security flaws leading to practical remote system compromise are stacked solidly in favor of IE. (Just ask anyone in the malware and spyware production industries.) This news regarding Mozilla Firefox 1.0.3 is newsworthy only because of the frequency of flaws discovered in Firefox (meaning "rare").

    The rarity of flaws in Firefox can’t be exclusively because of its small marketshare (by even the most pro-IE estimates, 5% and growing rapidly), but has to be at least in part because of a more *pro*active approach to Internet security. In fact, one of the flaws afflicting all browsers on Windows (Firefox included) is that a java applet can be presented to an unsuspecting user which, if activated, installs dozens of spyware and malware programs by starting up dozens of IE windows and pointing IE at malware/spyware ActiveX sites.

    In other words, the spyware and malware industries have both caught on to the fact that the only practical way to zombie a PC is through IE no matter how popular Firefox eventually becomes.

    By the way, as of yesterday (5/11) Firefox found 53 million converts since it went 1.0, and as of today (5/12) Firefox 1.0.4, which fixed this flaw less than a week after the announcement in the original post, is out.

  25. Anonymous says:

    I’m weighing into this post a little late, but I didn’t notice the point being made. Dean, you’re right. Security is an industry-wide problem, and I’m sure other web browsers than IE have some holes that haven’t been filled yet. The issue with security holes, however, is not whether they exist, but how quickly the vendor responds to the problem and fixes the hole.

    Mozilla responded to their problems, IIRC, within 48 hours, they also posted several pages in the interim that described the problem in detail and provided temporary solutions to solve it.

    Apple has yet to release an updated Safari, and, based on the Secunia document referenced above, Microsoft has yet to respond to 19 different, published security flaws.

    Also, passing the problem off–even in part–to legislators and law enforcement officials is an irresponsible solution. The law cannot reach everywhere. Nor will all security problems be discovered by security firms before they are taken advantage of by the malicious. The only true option is to do the opposite, and potentially use legislators to force vendors to fix their problems, much in the same way that automobile manufacturers recall their vehicles.

    It truly comes down to being responsible, admitting you’re human, and doing your best. I think that’s well within Microsoft’s and the IE Team’s ability.

  26. Anonymous says:

    Roc,

    > read firefox’s post some posts before yours

    I have. He doesn’t claim that Firefox has no security vulnerabilities. I haven’t seen anybody do that.

    Dean,

    > I want to know what else you think we can do about the malicious behavior we find on the Internet.

    Mozilla have offered bounties on finding security holes.

    Microsoft have offered bounties for leads on virus writers.

    While these seem like comparable activities, they are not. The former raises the quality of the software. The latter makes the web safer for crappy software.

    As we all know, Microsoft have a lot of money. I’d like to see that money used to improve the quality of your software, instead of hiding its problems.

  27. Anonymous says:

    > They’ve worked with us to point out how we can build better software.

    Surely Microsoft, with all its finances, should know how to build better software, without relying on third parties to volunteer information under an effective NDA to Microsoft.

    Microsoft have the resources to employ anybody they want to improve their software, so the problem can only be that the people who can improve it, choose not to work for Microsoft – many of them are instead working on Free alternatives.

    One can only infer that these people are put off working for the largest software house in history because of Microsoft’s business practices.

    Surely this is a major embarrassment for Microsoft? That the people who can write the code, and Microsoft can afford to hire, are repelled by the company’s image?

    Even if FF was, say, twice as vulnerable as IE (an impossible statement to quantify, for either package), Microsoft must be humiliated by the fact that such a high quality browser has been produced by a team who feel that the best way to improve Microsoft software is to replace it.

  28. Anonymous says:

    How can you improve security in IE?

    Simple. Though clearly the current processes at Microsoft limit options on this approach, namely, getting things out faster – I know Microsoft at least claim to make sure things are well tested, but it seems to me things get tested until they are dead.. What exactly is the point in testing something for 6 months that’s an immediate problem, this minute.. Obviously just throwing crap out the door isn’t healthy either, but something needs to be done with regards to faster patch release.

    Slightly off topic, but has anybody ever given thought at Microsoft to making IE open source? Bear with me on this, because it does kind of affect this discussion – IE could be released as open source software, even under a strict licence, say where you can’t redistribute *any* derivative works, or use the code for commercial gain etc, but for security this could be a very good thing, *because* what will happen is people will find bugs in the software, at first they will come rolling in from everywhere, and the IE team will wish they didn’t do it, but after a time they will slow down, now, you ask why Microsoft would dream of doing this? Trust. IE source code is currently closed source, thus removing trust, people are probably reverse engineering IE anyways, they must be, so people having the code isn’t such a big issue. It could help Microsoft in other ways too. Learning from lessons such a project might give you could seriously help in future projects, with regards how you go about developing security practices and other stuff, it might even help you change how you do business in the future. I’m not suggesting you do this for IE 7 or something (though that would be really useful) but say you move on to IE 8, I would suggest you consider the open source option.. IE is free anyway, and it could open up a whole can of worms for Microsoft, I say give it a try, the worst that can happen is people find security flaws, and that’s happening anyways..

  29. Anonymous says:

    > IE could be released as open source software, even under a strict licence, say where you can’t redistribute *any* derivative works, or use the code for commercial gain

    That’s not open source. See the open source definition:

    http://www.opensource.org/docs/definition.php

    > for security this could be a very good thing

    Actually, I doubt it. The security benefit of open-source is not simply "people can see the code therefore they will fix it". It’s more like "everybody owns and uses the code, therefore everybody pitches in".

    When you take away the community ownership, a la "shared source", a.k.a. "look but don’t touch", you lose the incentive people have to work on it and improve it, and you don’t get the security benefit. You still might get a few interested parties fixing bugs (e.g. web developers who also develop Windows applications), but I doubt it will be enough to "break even" in the security stakes.

    It’s common but naive to think "if we let people look at our source code then we automatically get people working for us for free". It doesn’t work like that.

    Obviously this is just a summary, but I believe you can get a better picture by reading Eric S. Raymond’s essays on the subject.

  30. Anonymous says:

    If only everyone would fix their security as fast as the Mozilla Foundation does the world would be a better place.

  31. Anonymous says:

    Don’t call Firefox "another browser". Call it by its name; no one is putting a gun against your head to not call FF its full name.

    Take the Mozilla approach: Get a rapid response team on security bugs and make IE more standards compliant; a lot of web developers are ditching IE because of Trident’s sketchy rendering. IE just dies on the Acid2 test. And no, don’t make it more "consistent" (an IE developer said this before), make it compliant to W3C standards.

    And here’s a quote I found in the comments: "Firefox will probably yield some even nastier surprises as more eyes start to pour into it), yet I feel a bit more safer with fox, due to its lesser popularity (lesser targeting)…"

    Alright, let’s get one thing straight here: more popular does not mean less secure. Proof? Try Apache vs. Microsoft IIS. Apache holds roughly 60%+ of the web server market share, yet holds up better to attacks than IIS.

  32. Anonymous says:

    The difference, here, is that the Mozilla Foundation is much more committed to the FF community than MS is to the IE community.

    The two security vulnerabilities in FF (which were really dangerous) were there for just 2 days. On the third, Mozilla released version 1.0.4, which corrected the problems. Even before the release of the patch, Mozilla took some precautions to avoid attacks (like changing the URL of update.mozilla). MS has a lot of unpatched bugs, and that makes the whole difference.

  33. Anonymous says:

    @Jim: unfortunately I have. I could point you to some discussions about it but they are in Polish. There is one more thing: there is no program without any hole (Hello World doesn’t count ;]). Personally I use ‘no hole’ in place of ‘secure’. FF just gained popularity and some major security issues came up. Is it secure now? Maybe, we can’t be sure until 1.0.5. ;] Is it bad that some things were fixed? No, but people tend to claim that MSBs are bad and they show MS products’ vulnerabilities. This very argument is no argument to me. Fixes were, are and will be.

  34. Anonymous says:

    @ jim – there is a difference between "open source" and Open Source, but yeah, your point is valid, I just wanted to see the code 😉 lol, nah, but I do still think some of the arguments hold true, but maybe if Microsoft ever wanted to go the Open Source way, sure, that would be better, but "open source" still would be a big adventure for them, who knows what BG and Chums are thinking these days 🙂

  35. Anonymous says:

    I know it does not belong here, but I found no better place for it:

    Will IE7 have the possibility to put a site into ‘trusted sites’ for a short time? I rather often want to put a site into the trusted sites to give it more rights, but I don’t want it to stay there, and usually forget to erase it from the trusted sites.

    Will there be a way to add a site to the trusted sites for this session only? Would help me a lot since I surf using the high-restriction setup of IE on Server 2003.

    Sam

  37. Anonymous says:

    Dean: The only us versus them distinction I want to make around security is to put responsible software developers, security researchers, and customers together as "us" and malicious (whether it’s intentionally or not) software developers, security researchers, and their customers together as "them."

    There already is an "us" vs. "them" in that regard but then it breaks down further and "us" vs. "them" becomes "this commercial product" vs. "that commercial product" AND "commercial" vs. "open source".

    Anonymous: As you are no doubt aware, a couple of pretty nasty security defects have been found in the latest FireFox…

    More to come. Stay tuned.

    lynn: duck!

    I have never heard of a security defect called a duck. The only bad duck is lame duck, a congressional session. Perhaps a rogue session variable could be a duck but I just don’t know.

    Maurits: First: distribute Windows Update.

    see SUS.

    Maurits: That is, have clients check various download locations NOT ALL ON THE SAME DOMAIN and only install updates whose CRC’s match on all locations.

    Which is better? One domain that is one target or multiple domains which leads to confusion, additional support issues and then adds more on the user end of wondering if they’re actually at THE MS update site or have been redirected to something rogue?!

    Dave: But the majority of problems with viruses and spyware are from users that are tricked into downloading evil files through P2P/web sites or opening evil attachments through their email client–predominantly Outlook/98/2000/2002/2003/Express.

    I’m wondering how an attachment, opened by a user, renders the software insecure? I have yet to be compromised by anything I’ve gotten from the net via IE, OE or Outlook. It’s a fact that more savvy users who act responsibly will have a better chance of security in the wild, wild net than novice users. The same is true when buying a car. Apply this to any industry.

    Since when did my browser become a security app? That’s like relating it to a castle made out of straw with no moat, no walls and no army to protect it.

    What if there was no police force and you were responsible for your own security without any hope of support from others? If you’re relying on your browser as your first line of defense against a rogue element, a look at your security model may warrant consideration.

    Dave: It makes good Internet drama to pit IE against Firefox and compare their shortfalls, but to improve user protection we need to deal with the most common vectors, and it ain’t browser exploits.

    True enough but a browser should look at itself first, before others. Let he without sin cast the first stone. It would be a stone free environment.

    Irve: the bug itself was reported by very responsible people, yet leaked through very irresponsible ones.

    Just what is a responsible leak method?

    EricLippert: no business model makes software magically immune to error.

    Exactly. Even if it was possible to produce an error free, safe browser, the user is still a variable that can break the security model.

    We all know a lawnmower is not a hedge trimmer but it doesn’t keep those from using it as one.

    oh please: Please please please make IE 7 compliant with CSS 2.1.

    How about just make it fully standards compliant when a strict doctype is used to remove the ammunition from the OSS boys so they can then concentrate on their product rather than the constant whine against their competition?

    If you build it, they will come. If you just bitch and moan about them, you’ll reap the same.

    Vilius: In my opinion, if you are a security researcher, you must first contact the software vendor, make them aware of the problem, and post only information on how to avoid the problem on your site.

    And if you don’t know how to work around the issue? Not telling others that may be able to come up with a work-around will leave it to just you, the vendor and the attacker. Not very good odds for the sitting ducks. (Note to lynn, I was able to use it after all.)

    Firefox: (probably a handle) MS’ track record isn’t very shiny either so basically …

    So basically you’re redirecting the argument away from your issues to that of your competitor. What happened to, "Even if Firefox is compromised, the underlying OS is safe since we’re not tied to it." Ya’, what I thought, marketing, a.k.a. coffee-house crap. It reads like a feature comparison by a vendor with a dog in the hunt. "Our software will give it to you even if your wife won’t." And, if you ARE the wife?

    Phillip Hallam-Baker: The reason I have been promoting Secure Internet Letterhead is that we have to start giving the user security information using cues that are already familiar and understood. That means brand logos, every form of atom based communication from the bank, every letter, leaflet, branch, ATM etc. carries the logo.

    That’s great Phil and I’m not up on it but if it’s purely visual, it can be compromised. The laws in the US state, ignorance is not an excuse. How does it then apply to online commerce? We trust when a law enforcement officer flashes a badge or when we accept money from a bank because we know neither are ever fraudulent. (O;=

    The user is going to have to get involved. I’m tired of hearing, "Oh, I don’t know what all that means…". Well, then educate yourself. How did you get your license to drive and how do you read the road signs so you can find your way to work each day? I’m sure it wasn’t divine intervention but then… anything is possible.

    Jim: Which FF advocates would these be? I’ve never seen somebody claim something so stupid. Sounds like straw men to me.

    You need to get out more. If you’re implying there is a 100% consensus between all FF advocates that it is 100% secure [just] because it is open source, then you’re either lying, high, full of it or living on another planet.

    Roc: It’s sad, that Dean said nothing bad about FF and then some FF-troll came out with rude reply.

    It is and it’s also typical. It’s called professionalism. Dean has it.

    ArielMT: By the way, as of yesterday (5/11) Firefox found 53 million converts since it went 1.0

    53 million downloads != 53 million converts. How many times have you downloaded it? I’ve downloaded it twice and I’m not a convert. So, if everyone has downloaded it at least twice, then the number is 1/2 posted. This just may be for the ones who have not converted. Perhaps MSFT should start posting downloads of its products?!

    Jim: Mozilla have offered bounties on finding security holes.

    Microsoft have offered bounties for leads on virus writers.

    While these seem like comparable activities, they are not. The former raises the quality of the software. The latter makes the web safer for crappy software.

    Let’s take that analogy and apply it to the war on terrorism. Let’s stop putting bounties on suspected and known terrorists and just build up our defenses. After all, if we’re more secure, we have nothing to worry about.

    Steve Parker: One can only infer that these people are put off working for the largest software house in history because of Microsoft’s business practices.

    Really? You came to that conclusion just because someone may find a vulnerability in a software package? The two just found in FF means they’re not the best on the planet either, using your analogy, which means there is still more to come. How comforting that thought is.

    streaky: Slightly off topic, but has anybody ever given thought at Microsoft to making IE open source?

    Considering it’s tied to the OS, which is not open source, do you really think that or Hell freezing over will occur first?

    ant: If only everyone would fix their security as fast as the Mozilla Foundation does the world would be a better place.

    Passing your thoughts on to the leader of the free world.

  38. Anonymous says:

    good related article
