Slashdot Mirror

A few years ago someone won over $600,000 from a machine at the Montreal Casino by analyzing patterns in the numbers that came up. The sequence repeated because the machine wasn't seeding the pseudo-random number generator properly. More info in Risks Digest.

IMHO any information security professional needs to develop a professional paranoia, being thoughtful of potential risks and failures, and understand what might go wrong.

Reading Bruce Schneier's Secrets and Lies is a really good start in this area. It is a not very technical book, written at the level suitable for an IT manager. This is also useful to help explains risks, vulnerabilities, and failures to IT Management.

The ever so ugly covered Hacking Exposed, which explains the basics of what criminals (or attackers) do commonly to gain unauthorized access to (networked) computer systems. This is so you a) know how easy it is, and b) are familiar with an overview of the basic steps and techniques to gain illicit access.

For online resources, RISKS digest (not focused on malicious activities, but how systems fail - very insightful and low volume), and Bugtraq a full disclosure mailing list will show you recent exploits, and vuln notices, but it is fairly lacking in actual educational content, and there are several other mailing lists at SecurityFocus that could also be useful to developing professional paranoia.

Next you need the language and basics of information/computer security. For this textbooks like Computer Security by Dieter Gollmann, Information Security Management Handbook by Tipton and Krause, Practical Unix & Internet Security by Simson Garfinkel, Gene Spafford, Alan Schwartz, and Security in Computing by Pfleeger and Pfleeger.

For procedures look at CISSP study material, BS 7799 / ISO 17799, and security auditing and incident handling materials. Some knowledge of risk management can also be useful.

From these basics, of the right mindset, the common language of infosec, and procedures and policy you can get into the low-level details of firewalls, VPNs, IDS, and network design. For this you should have a good network/internetworking basics, a very detailed understanding of TCP/IP, and understand firewalls, VPNs, and IPsec.

Firewalls and Internet Security: Repelling the Wily Hacker, 2nd ed. by William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin is a great place to start, and Building Internet Firewalls by Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman is a great follow-up. An alternative book on firewalls and VPNs is Inside Network Perimeter Security: The Definitive Guide to Firewalls, VPNs, Routers, and Intrusion Detection Systems by Stephen Northcutt, Karen Frederick, Scott Winters, Lenny Zeltser, Ronald W. Ritchey (crowd from SANS).

For networking basics, a Cisco certification like CCNA could useful in providing knowledge about internetworking and Cisco router's IOS. For the gory details of TCP/IP either TCP/IP Illustrated: Volume 1: The Protocols by Richard Stevens or Internetworking With TCP/IP Volume 1: Principles Protocols, and Architecture, 4th edition by Douglas Comer.

For IDS - Network Intrusion Detection: An Analyst's Handbook by Stephen Northcutt and Intrusion Signatures and Analysis by Matt Fearnow, Stephen Northcutt, Karen Frederick, Mark Cooper are the best IMHO.

I am not sure what to recommend for VPNs, other than you need to know about IPsec.

It covers various ethical dilemmas (as I imagine Engineers do), and as someone else mentioned, goes over some of the more disastrous software creations. If you're interested, such lists usually include the Therac 25 (rollover bug, improper software re-use), the London Ambulance Service (Their newly-ordered, lowest-bidder Computer Aided Dispatch system caused massive problems), and the Ariane 5 rocket (overflow/improper error handling).

OTOH, I agree with you that people should know the conseqences (and likelyhood) of failure, as they clearly don't. There are loads examples on RISKS of people having laser surgery, needing some computerized medical device, and seeing gross examples that those using them have literally no idea the devices are misconfigured, warning of possible malfuctions, etc.

If you're interested in the hazards of software in the real world check out the risks forum.
They take submissions from people about faults and errors in software (and related meatware) that put lives at risk.A weekly digest can be found here.

It's a good read, especially browsing through the archives. eg:

"A woman drowned during a flood when the elevator she was riding in incorrectly sensed a fire alarm and went to the ground floor which was underwater."

"Three people killed when a computer glitch caused a 16-inch pipeline to rupture, dumping 237,000 gallons of petrol."

and so on. Makes you a little paranoid. Now I know why indemnity insurance is so high these days.

The parent is not flamebait. It's a a well known fact that ESR is proud to be a homo. He has written about it many times. The man has no shame. He takes other mens' penises in his mouth and anus whilst defiling the good name of Open Sores.

For shame, ESR, for shame.

For many megs of answers about why software isn't 100% reliable, read Risks Digest.

There is indeed hardware out there with this level of reliability (like an AT&T 5ESS/Lucent 7R/E phone switch) however it is highly expensive and very unflexable.

I don't mean to bash AT&T. In fact, the very infrequency of this sort of problem is a strong argument for their reliability. I had to go back to the pre-Lucent days for this one, folks. However, they do have some occasional bugs in their software. And it makes the news when they do:

Risks Digest, Volume 9: Issue 69, Tuesday 20 February 1990

For many megs of answers about why software isn't 100% reliable, read Risks Digest.

There is indeed hardware out there with this level of reliability (like an AT&T 5ESS/Lucent 7R/E phone switch) however it is highly expensive and very unflexable.

I don't mean to bash AT&T. In fact, the very infrequency of this sort of problem is a strong argument for their reliability. I had to go back to the pre-Lucent days for this one, folks. However, they do have some occasional bugs in their software. And it makes the news when they do:

Risks Digest, Volume 9: Issue 69, Tuesday 20 February 1990

Somebody mod this up...

Also reported in the RISKS digest.

That was a poor link to the IBM paper, but here is a good link to a fairly reliable source. (editor of the PRIVACY FORUM digest, a cousin to the RISKS FORUM digest which everybody on slashdot OUGHT to read regularly.)

Summary quote pulled from the body of the article:

In fact, rumors about this, often chalked up as an "urban legend," have been
circulating for a long time. This is a bit ironic, given that in the
copier/printer industry it's been well known for years--no secret--that
"invisible" IDs are imprinted on virtually all color xerographic output,
from (apparently) all of the manufacturers. But for persons outside of
"the trade," this hasn't been as widely known (even though the issue goes
back to the early 90's, and the topic has appeared in publications such as
the Wall Street Journal).

So if we disect this Thomas Anderson.

Tho - Though

Mas: Oncogene from brain that encodes a receptor coupled to a G-protein and to PIP2 turnover.

We can now come to the conclusion that Thomas Anderson means Though Oncogene-from-brain Man Son

coincident I think not!

Or any software. You might want to consider the software all the weapons systems that actually exist first, or anything in a safety-related environment. Take a look at Risks Digest.

There have been cases where software bugs in medical equipment killed people. In those cases, there would be strong precedent for product liability lawsuits.

Suppliers to the military are harder to sue, which is probably good news to the folks whose bugs killed soldiers when their mortar targeting software made incorrect assumptions about target altitude or when a Patriot missile targeting system's clock overflowed after 8 hours.

For further reading on software liability issues, see this Business Week article, which was discussed on /. and badsoftware.com, which surveys software liability issues from a consumer's perspective.

Word format isn't even a reliable way to send documents between people who use Word. If they use different versions, or different fonts installed, then the formatting can go wrong, sometimes resulting in serious problems. (Actually, that link refers to use of RTF, but I think Word's RTF files are equivalent to Word's binary files.)

Christ almighty. An april's dupe. This is beyond me. By the way, the Risks list does this RFC thing really well.

virve
--

If this gets fielded, I suspect we'll be seeing it crop up in the RISKS Newsletter more than once.

This issue has been mentioned several times in the RISKS Digest:

• http://catless.ncl.ac.uk/Risks/16.34.html#subj1
• http://catless.ncl.ac.uk/Risks/16.36.html#subj5
• http://catless.ncl.ac.uk/Risks/21.69.html#subj5

There have been issues with Word going back to 1994: The more things change....

Perhaps it was on a humor site because Mr. Bill made a fool of himself in front of the world.

Someone managed to find a source I would consider authoritative, a major academic journal. Here's the post:

http://slashdot.org/comments.pl?sid=54440&threshol d=-1&commentsort=3&tid=109&mode=thread&pid=5342140 #5342157

and here's the journal article:

http://catless.ncl.ac.uk/Risks/17.44.html#subj11

It was interesting to learn that the 640k comment is an urban legend. I'll have to remember to tell people that.

But, it's also too bad that your love for a meglomaniac renders you unable to see the truth about his character. Someone managed to find a source I would consider authoritative, a major academic journal. Here's the post:

http://slashdot.org/comments.pl?sid=54440&threshol d=-1&commentsort=3&tid=109&mode=thread&pid=5342140 #5342157

and here's the journal article:

http://catless.ncl.ac.uk/Risks/17.44.html#subj11

The interview is real... but it is also from 1995...

And it turns out that it _is_ the same Wired article!

The RISKS forum/digest has had many, many articles on the potential and actual snafus of electronic voting; I thing the topic is a special interest of the digest's editor. Although the contributors are very much a part of the technology world, the mood there is pretty virulently anti-electronic voting unless there are old-school audit features such as paper trails. Closed source software is regarded very skeptically.

The most persuasive evidence is the actual experiences coming in from the field, around the planet. Many local governments are buying expensive new systems on surprisingly little information, and we may face problems like Florida's in no time -- but not actually realize it, for lack of auditing. I highly recommend flipping through the archive.

I realize you are just a little troll who was modded up by a confused moderator, but your post did fill me with a bit of nostalgia which, in turn, inspired me to do a little searching. So, here we are:

Can you imagine how much more vehemently people would jump on Microsoft if they said something like that?

Unfortunately, I can't find much info about how Microsoft responded to their first vulnerability, but, if this account of their reaction to a subsequent problem (from the RISKS-FORUM Digest Saturday, 7 Dec 1985 Volume 1: Issue 27) is any indication, I'd have to assume that it was at least as bad as Epic's first response was. You are probably right: if /. had been around back then, Microsoft would have been in for yet-another-undeserved tongue-lashing over this!

A COMMERCIAL WORM

Just a few days after I wrote "Electronic AIDS, Part I," I read a column in the WASHINGTON TIMES, the conservative (Moonie-owed) daily newspaper. One of the reporters has a computer. He had purchased a newly released program from Microsoft Co., called "Access." Understand that Microsoft supplies the disk operating system which is used by the IBM PC, the most popular microcomputer. In other words, this is no backyard company. It is one of the two or three software giants in the U.S. (Its owner is under age 30, which tells you something about who is pinoeering the microcomputer revolution.)

As he was setting up his computer to take advantage of this telecommunications program, a warning flashed on his screen: "The weed of crime bears bitter fruit. Now trashing your program disk." Wham! He lost all his files -- probably a couple of year's worth of work. Sure, he was probably smart enough to have made back-up copies, but think of the risk. And what if it had been a worm that kept silent for a few years, infecting all of his back-up disks?

He called Microsoft, and they gave him the runaround. They told him that they were not responsible. Some programmer had put in the worm in order to zap program pirates, but the journalist insisted that he was an original buyer. Tough luck, they told him. Obviously, they didn't know that he was a reporter.

Then he published his article. All of a sudden, the victim was not some average buyer. He was big trouble. Things started moving. INFOWORLD (Oct. 28) reports that Microsoft has admitted that a programmer put in the worm, but without permission. The offending text has now been removed, we are assured. But what if it had sat in the master for three years? HERE IS THE PREMIER FIRM IN THE SOFTWARE BUSINESS, AND IT HAD AN UNAUTHORIZED PROGRAMMER INSERT A WORM. This is not idle speculation. It has already happened, verfiying my hypothetical scenario within a few days after I published it.

Can you imagine the absolute havoc that a dormant worm or virus could create if it were imbedded in all updates of Microsoft's masters of PC DOS and MS DOS, the operating systems for all IBM microcomputers and IBM compatible microcomputers? It could cost the U.S. economy billions, and some microcomputer-dependent firms wouldn't survive. Any Microsoft spokesman who says, "it's impossible; it could never happen" has to explain how it already did happen to "Access."

[BTW, I dunno why the author went on about worms and viruses in connection with nonreplicating malicious code... I guess it was in the spirit of their special "worms and viruses issue"? True, the whole purpose of the risks forum was to discuss risks, and the current problem was being used to illustrate the potential for worse problems. But, still, to call it a worm in all caps...]

Here's a post that included the original Washington Times column, for anyone else who found the hyperbole of the above article a bit too much.

For NASDAQ that is, they have been hit twice by those cute furry things. Once in 1987 and then again in 1994.

In the UK office we still joke about it, much to the annoyance of the management :)

But my biometric identity is part of my keypair, and if the keypair is validated with each transaction, how does he fake my biometric identity?

The attacker doesn't fake your biometrics. He bribes a government clerk to produce a genuine government card with your stolen details such as SSN, bank accounts, credit card numbers, medical records, etc. and his fingerprint or retinal print. Similar to current credit card cloning, jus t a different procedure to produce the cloned card.

BTW using your biometrics as the actual public/private key data is very bad, and hopefully no system uses it. Because nearly every biometrics system is thought of as producing a small amount of random data, ie. a shared secret, which cannot withstand attacks if the validation system is compromised. A organized crime owned storefront could gather biometric data/keys as well as legimate banking details for the valid customer transaction.

More common designs involve the biometrics info as a symmetric (key-wrapping) key to protect the private key as it is stored on the smartcard. This means the biometrics never leave the smartcard if the smartcard can collect the biometrics directly itself.

There is also the issue that biometrics are harder (and limited) to revoke in the event of a compromise. You have a very small finite number of fingers and eyes.

If your argument is based on the fact that the computer system is compromisable and my entire identity record (public keys) is replaced with a fake identity record, I'll notice within the day and/or hour that this has taken place and can quickly stop it. Plus I don't believe that a public keyserver that stores biometrically authenticated data would necessarily be so easily compromisable. Not impossible, but very difficult.

The forged card is an duplicate, not a replacement. Your card is still valid, and you will be able to withdraw from the ATM as long as there is still money in your bank account / credit limit. Like a forged plastic credit card with magstrip, your card is still accepted as long as your account is less than your credit limit.

This is where I get lost in all this. The system is always attackable, always will be, but shouldn't the parts of the system make those attacks far more expensive, complicated and difficult?

Give the professional criminal some credit, they will use the path of least resistance, and often of least sophistication.

It doesn't matter if the front side of your house has reinforced armoured doors and windows, if the burgular can simply go in the unlocked patio door in the backyard. So why expect any less of the forger / identity thief?

This is covered in the archives if RISKS digest, Secrets and Lies, and Security Engineering.

No only is it calling ketchup a vegetable, it's a vegetable made out of recycled newspaper. This is yet another step in Clear Channel's goal to cut out DJ's entirely to stream the music that they get the most payola for without and local resistance.

Does anyone know how much it would take to write a simple wireless receiver that can grab any free wireless network and tune up a streaming music site? Slap an Airport on, and we may have the killer app for the Linux iPod.

Does that mean someone's going to release a patch for it then?

Following the Challenger disaster 17 years ago, Richard Feynmann came to the conclusion that catastrophic shuttle disaster had odds off approximately 1 in 100 (See RISKS Digest 18.09) based on the fact that 4% of unmanned space shots go bad - and presumably manned flight gets that 'extra' attention that would reduce their rate a bit.

Challenger was flight STS-51L - this was flight STS-107. I'd say even Feynmann may have been somewhat optimistic (although 2 failures is a thin data set - anyone want to figure a chi-square on it?).

At my uni there is a sysadmin course for the information systems studends taught in a special lab cut off from the rest of the network as that the students. Looks like a fun course but its not available to the CS guys which is a shame.

Does anybody else have this sort of course available to them as part of their degrees>

At my uni there is a sysadmin course for the information systems studends taught in a special lab cut off from the rest of the network as that the students. Looks like a fun course but its not available to the CS guys which is a shame.

Does anybody else have this sort of course available to them as part of their degrees>

You may laugh, but RISKS digest reported a computer that drove a laser for correcting shortsighedness by gently vapourising a shallow layer of the surface of the victi^h^h patient's eyeball was running Windows... Windows 95 at that! What's worse the technician casually hit ESCAPE toi clear the screen whenever a warning dialog popped up, without bothering to read what it said. I'm damn glad I've got 20/20 vision!

Friends don't let friends have their eyeballs vapourised by lasers driven by Windows 95...

Hmm, I've seen them almost universally described as Jr. and sr., such in dissection of the crisis. (Risks Digest also carried Cornell's self-absolution -- I had no idea "damage estimates" ran as high as $96 million! That's criminal exaggeration, if there is such a thing.)

But the press screwing up names -- it's going to take me some time to readjust. :) (I checking NSA really quick -- did you know they have a secure Linux project? Something about them using Linux surprises me.)

Mr. Morris reminds me of Mrs. O'Leary's cow. (Actually, the cow was recently absolved; a vagrant started the fire. :) It was a mistake to play with the fire, but should the fire have been so scucessful? What kind of system gives a single individual that much power?

Anyone who follows Morris, however, cannot plausibly argue they had no idea of the potential risk. The Melissa author got 20 months for causing (supposedly) $80 million in losses (should that be offset by the extra money made by the media overhyping it?). That idiot in the Philipines who wrote iloveyou -- alleged to have got $10 billion in damages The incident caught the Philippines flat-footed to the point that they ask the U.S. to prosecute. De Guzman had a great thesis proposal ("the Internet should be free"). I don't think he or anyone else was ever punished, because of the inadequacy of then-existing law.

Hmm, I've seen them almost universally described as Jr. and sr., such in dissection of the crisis. (Risks Digest also carried Cornell's self-absolution -- I had no idea "damage estimates" ran as high as $96 million! That's criminal exaggeration, if there is such a thing.)

But the press screwing up names -- it's going to take me some time to readjust. :) (I checking NSA really quick -- did you know they have a secure Linux project? Something about them using Linux surprises me.)

Mr. Morris reminds me of Mrs. O'Leary's cow. (Actually, the cow was recently absolved; a vagrant started the fire. :) It was a mistake to play with the fire, but should the fire have been so scucessful? What kind of system gives a single individual that much power?

Anyone who follows Morris, however, cannot plausibly argue they had no idea of the potential risk. The Melissa author got 20 months for causing (supposedly) $80 million in losses (should that be offset by the extra money made by the media overhyping it?). That idiot in the Philipines who wrote iloveyou -- alleged to have got $10 billion in damages The incident caught the Philippines flat-footed to the point that they ask the U.S. to prosecute. De Guzman had a great thesis proposal ("the Internet should be free"). I don't think he or anyone else was ever punished, because of the inadequacy of then-existing law.

There were recently 2 reviews of this book on the Risks mailing list: a positive one, a not so poitive one, and a reply to the not-so-positive one.

There were recently 2 reviews of this book on the Risks mailing list: a positive one, a not so poitive one, and a reply to the not-so-positive one.

There were recently 2 reviews of this book on the Risks mailing list: a positive one, a not so poitive one, and a reply to the not-so-positive one.

There were recently 2 reviews of this book on the Risks mailing list: a positive one, a not so poitive one, and a reply to the not-so-positive one.

Don Norman's praise,
Rob Slade's review (same issue), and
Don Norman's response to Slade's review

Don Norman's praise,
Rob Slade's review (same issue), and
Don Norman's response to Slade's review

Don Norman's praise,
Rob Slade's review (same issue), and
Don Norman's response to Slade's review

Crighton's character explained the process of deriving potable hooch from the magenta glob, and referred to the product as 'squeeze.'
Here's a recipe I found via a cursory googling:

Sterno [is] warmed over a fire of newspapers preparatory to squeezing it through a sock to make a drink called "Pink Lady."

EE majors: could the bar-monkeys control a sock with a solenoid, or something?

1. Terrorists and other street criminals don't use public telephones -- mostly they don't work, it's inconvenient and there's no privacy.

2. Criminals use stolen cell phones to make their calls and throw them away every couple of days.

This is why...

Ouch. An airline once tried to stop me from boarding because of confusion over the time zones, claiming I'd missed my flight by 24 hours. Fortunately it was their mistake and I caught it. It would help if we not only adopted 24-hour time but also a universal time standard (old-fashioned "Greenwich time" has a fancier name now, Coordinated Universal Time?).

I guess here the Ann Arbor moviegoers are technically at fault, though you'd expect the theater to realize a problem was brewing. On the other hand, this way they maybe sold more tickets. But hey, standing out in the cold is more fun than the movie, isn't it? The theater should charge them for letting them do it twice. :)

Have you heard of the Risks Digest? They accumulate and comment on tech snafus like this, and I'm *sure* they must have more than a few AM/PM. I subscribe to their digest, very educational.

I will avoid the Ann Arbor Showcase Cinemas.

Actually, all death can be attributed to lack of oxygen to the brain...

...so you won't mind if I pour this liquid oxygen up your nose.

No, seriously, too much oxygen is just as fatal as too little. Ask a diver.

For starters, the space shuttle was originally intended for a lot more military-related missions. The risks being balanced by its original designers weren't just the loss of a few passengers. This craft was ferrying plutonium-laden cargo in the 80s for secret military projects. The wrong mishap on one of those missions could have left millions of people dying of cancer.

It is easy to romanticize the gamble of life for the conquest of some goal... but it's morally suspect to really sit down and construct an organizational plan that prioritizes progress over human life. Your reference to the risks taken by the moonwalkers of the late sixties ignores the propagandization of the space race. At the time, it seemed as though getting to the moon was going to save the earth from communism, which was very motivational for Americans to want to sit in a potentially sketchy rocket. We don't have that motivation now.

Can you imagine having to deliver this speech to your team: "Men. This is going to be a risky mission. Our taxpayers don't want to pay a lot these days, so we've ignored some safety precautions. But nothing's going to stop us from getting up there to fix that satellite so cellphone users won't be inconvenienced by network outages!" Imagine having to tell the daughter and wife of a dead astronaut that you appreciate their father's / husband's contributions. Getting that girder up to the space station wasn't going to be cheap, but the death of this astronaut enabled them to bring it up under budget.

The family of a dead person doesn't get too excited about the nebulous value of "move beyond this gigantic blue marble of ours".

I once saw an awesome documentary about the Russian space program called "Whispers from Space". It details precisely the approach you're advocating. After seeing the torturous conditions those cosmonauts suffer through training in order to get the chance to visit space, you could hardly be proud of having a similar program in the US. Seriously, some of them end up in mental institutions. With such a process of weeding out anyone sane, I suspect that the Mir wasn't far from being an orbiting nuthouse.

Slap a "tsarkon" on it and call it done...

As did Opera. And Opera runs on FreeBSD, Linux, BeOS, Mac OS and WinALL.

Opera routinely crashes on every non-Win OS I've run it on.

I'm not filing a bug. I don't care. I don't care at all, because I usually start each build of Mozilla I try a few times, and uninstall it, and go back to using other things. If a project with the resources of AOL/TW can't do QA, fuck them. You just called me a liar, and I can produce this bug on my own computer every time. You must be omniscient - you can see that I lie? [I am not, and you are no omniscient]

I'm on my gf's family's WinMe machine right now, and I just saw that message that you refer to. When the modem connection died, Mozilla complained that the source file could not be read. Makes perfect sense to me. As I said, I've never seen or heard of this problem. Maybe you should consider filing a report, as it seems you're the only one with this issue. I don't see how you can complain when you don't even take the most basic steps to even issue a public flame for this defect, instead bringing it up casually only as ancillary evidence in a 3rd-rate flamewar on a 4th-rate discussion site. Perhaps your machine is misconfigured.

I thought that if I were going to use a Gecko based browser I would stick with Mozilla. It's the one whose feature set is at close parity with IE and Opera, Phoenix isn't in the same league. If I have to strip functionality to gain speed and light weightiness, then forget it. Also, Phoenix's existence proves to me much of my complaints about Mozilla is true.

But wait, I don't want a platform, which sounds like PHB crap speak. I want an end user browser. My needs are met better by both IE and Opera. Don't rant about how platformish things are to avoid talking of shortcomings as a simple browser.

What on mis-configured Win95/98/ME boxes with 9000 adware, activex and other malware polluting the shit out of the system? You tell me that loser's computer have "bad Internet Explorer" functionality. Opera protects the idiot user from craptiveX junk. Your experience sounds anecdotal . You call me a liar on a machine I have mastered and use every day, but you use random fool computers full of junk, viruses and OEM installs of Windows and judge me, call me a liar, throw me in the trash?

Pathetic. You know that I am adamant about running Ad-Aware, F-Prot, msconfig, etc and cleaning out all the Gator BonziBuddy CometCursor Klez monopoly on CPU hogging. I also run Windows Update to install IE 6 and update system libs (pathetic that all important system libs are embedded in the browser and not distinguishable and that I have to move past v5.5 to finally get systems to stop hanging for 10s every minute...). Besides, basic logic should imply that if the system is as waterlogged as you insinuate, Mozilla would suffer equal performance degradation. More, in fact, because of the abstraction layers involved in Mozilla XPCOM.

I am on a garbage HP Pavilion with 128MB right now, stock WinMe install, but all MS critical updates installed. IE6 and Moz1.2b. I visited http://candlemart.com/, a random site from the bookmarks here. Load time is about equal, but IE takes slightly longer than Mozilla to redraw the window with opaque resizing, does it slightly more choppily and actually causes the hard drive to start thrashing. Mozilla, "bloat king", doesn't. Remember that Mozilla should be slower because of its abstraction.

I don't denigrate your experience. It's entirely possible that on your system IE is speed king and Mozilla is O(n^1e6) for length of pages and etc. But on every system I have seen, multiple computers and on multiple OSes, Mozilla wins. And browsing functionality is superior enough to make me willing to take a speed hit if it existed. Use what works for you. But for the rest of the world, it seems Mozilla doesn't cause the problems you have.

I doubt you have used IE much on Windows 2000 or NT.

This is a blatant lie. I've used Windows 2000 extensively at a previous job, to gain experience. I'm not impressed with it. It's certainly superior to the DOS garbage, but when it can't load drivers for a simple USB Mass Storage device without hanging the system, hard, I'm not impressed. And this was on a system set up by an expert MCSE, you know.

Opera doesn't ask me to QA the browser. Oh, how is the pay scale for beta testing Mozilla?

I don't "beta test" Mozilla. I use it. It's the only browser I've found to be reasonable. Konqueror doesn't impress me, Opera doesn't, IE certainly doesn't impress. Like you, I'm too lazy to file reports obsessively -- I just wait for the next version and miraculously most seem to sort themselves out -- but unlike you I put up, help out, or shut up. If I have a problem, at least I have the option of inserting a record into a public database rather than spending hours on hold waiting for moron to tell me to go jump in a lake (and scroll up for an example of MS quality control) and read incomprehensible URLs-always-changing-search-references-dead-404-li nks Knowledge Base.

Back and forth you go, Opera to IE to Opera. You defend IE and throw in Opera as a strawman, when we all know IE is your primary browser and you'll complain about "onerous licensing" or "annoying MDI" or some such to keep from using Opera so you can keep other technologies around and claim a hatred of Microsoft while at the same time sucking off their teat and continuing to fester in the pit of 1995 hypertext viewer technologies. We've moved on.

Fortunately, if anything goes wrong with the robot, the human surgeons can jump right in and pick up where the robot has stopped.

Yeah... assuming the doctors notice that anything is wrong. As pointed out in the Risks Digest recently, a surgeon-controlled robotic surgery in Tampa went terribly wrong in October; while attempting to remove a patient's cancerous kidney, the surgeon (or robot - the root cause hasn't been identified) cut the patient's aorta, an accident which went unnoticed until an hour and a half later! The man died two days later from complications related to the surgery; no mention of whether the complications are a result of the accident. But if they were, would the hospital or doctor admit it?

--Jim

You don't know the half of it. Peruse this article in a recent Risks Digest.

For those who are unaware of the Risks Digest it is not your typical consipiracy theory discussion list - excerpts are regularly published by the ACM. They've had regular coverage of problems with electronic voting systems since before the Gush & Bore debacle, but each new item on the topic seems to be scarier than the last. We potentially have HUGE problems with our electronic voting systems -- if policies are not changed soon we will (if we haven't already) end up with a situation far more serious than watergate ever was.

we shouldn't put something as fragile as our democracy in the hands of open source, either.

We shouldn't be putting our democracy into the hands of software, period. Electronic voting systems are a bad idea. Check out the past few isues of the RISKS digest for discussion.

we shouldn't put something as fragile as our democracy in the hands of open source, either.

We shouldn't be putting our democracy into the hands of software, period. Electronic voting systems are a bad idea. Check out the past few isues of the RISKS digest for discussion.