BBC says "Avoid Explorer"
twitter writes "Citing security flaws that lead to ads and spies on Microsoft infested computers the BBC in this article recommends avoiding Internet Explorer." Ain't it the truth? Mostly it's about adware & spyware and other wretched bits of software that make the internet suck a little more each day.
It would be one step in the right direction...
Still too many webdesigners want to make sites that look flashy and work only in Explorer...
They never figured out they can make the same stuff work in many browsers if they would only try and learn something about web design itself instead of designer tools...
So till that's solved a lot of people will use Explorer because their favorite site is badly designed.
It's a known fact. They're also trying to do with the customer's knowledge with Messenger version 5. Hell.. users are calling it a "downgrade". When is Microsoft gonna learn that it's all about empowering the user... not crippling him? I don't say their products aren't good.. after all you can't survive with 100% marketing, 0% product. What are they gonna lose if they declare Internet Explorer as an open source project? They aren't selling it as a separate product anyways.
instead of abandoning IE, which is a decent web browser, be careful (not paranoid, but like anyone who's been on /. for more than ...5 minutes won't click on a goatse.cx link) about where you actually browse.
Looking for people to chat about multicopters, coding, music. skype: gtsiros
Rubbish. The Internet is getting better everyday. Pop-ups are becoming less common (especially using Moz), businesses are using better business models and delivering things on time, email filters are working more effectively, and the world is speeding towards most home users having broadband (and therefore more sites providing more content).
Life is good as a netizen.
--------
where is the beef? its mouldy at the bottom of the fridge. mmmmmmmmm beef mould
The easiest way to avoid parasite programs, he says, is to stop using Internet Explorer because it is targeted by many of the adware and spyware companies.
I've never run across a site that "forced" its software on me. I've run across "gator" a few times which tries to install without my permission, but I still have to hit OK. This article has a hint of FUD.
As with anything, if people used common sense probably 95% of problems could be avoided. By common sense I mean NOT going to suspicious sites (you can usually tell by the URL.. something that has "geocities" or ends with ".cz" is probably going to be more dangerous than amazon.com for instance). Let's face it, there are always going to be some security holes in the most popular and widely used browser. Even if that browser ever becomes Mozilla (which I doubt will happen any time soon- I run Mozilla but speed wise it just doesn't compare with IE).
Unfortunately, we can't rely on common sense because it really isn't all that common. It would be nice to have a "sandbox browser setting" for people who don't trust themselves to practice safe browsing. Here's an idea- they could click on a little icon of Ralph Wiggum playing in his sandbox (remember, he doesn't go into the deep end). This automatically forces the most stringent security settings (disabling ActiveX, scripting, etc.) and double prompts each time you go to download something "Are you sure? Are you really sure?". This probably wouldn't be too hard to add to IE.
Requesting that a user update their browser merely to view your site is bad coding.
A pet peeve of mine is when a site says you need to be in a certain resolution to use their site.
What happened to designing your site for the widest possible group of users?
-- El Sacarino tiene gusto de la chocha
Are we calling for a return to Lynx? Or should we grow up and learn to live peacefully?
So people stop using IE, then another browser (say, opera) takes over as the dominant browser, so spy/adware starts to be targeted at opera users.
Do we then avoid opera?
The problem is that there are morons out there developing spy / ad / malware, not which browser someone happens to use.
Sometimes they come attached to software you download from the web - the details are often included in the license agreement small print that most users click through without reading.
Which means you caused the problem not IE or windows.
And sometimes they don't even need your permission to download, but just hop on your hard drive, totally unannounced, because you are browsing the wrong webpage.
Too bad they don't go into more detail here about whether this is a general issue with malicious websites for most browsers, or actually exploiting some hole in IE.
A few companies are now exploiting holes in Windows messenger to sneak adverts on to the screens of unsuspecting users.
Windows messenger _IS NOT_ part of IE. It is a separate component that is unfortunately automatically turned on. I do wish MS was better about what services were on by default, though I usually go in and turn off most services when I install windows, which I recommend. This is not a "hole" in the sense of a bug though, you _CAN_ turn it off.
While this article may have some basis, it really seems to be pointing at user stupidity. Don't browse some site, Read the EULAs and don't just click OK on a popup.
"Not knowing when the dawn will come, I open every door." - Emily Dickinson
I was about to say the same thing... slashdot is getting a bit ridiculous in the last few days. What with posting stories about strange quarks 3 times a day, putting BeOS stuff in the BSD section and now they are not even reading the things they link to. They must be using the blind monkey method of approving stories lately.
The unknown issues.
and rightfully so.
Active X was pegged from the start as the dangerous hole that it is, and now IE is so tied in with the base OS that people like my mother are screwed over time and time again by these people and programs[1].
MS, in making our lives so much easier, has forgotten that not everyone is as altruistic as they are. Or maybe everyone is....
[1]Don't say give her Linux. Trust me, if I could I would have already, just not practical for her or me.
III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIII
The thing is, Explorer's no "worse" than anything else out there. It's just incredibly more popular, and not just because it comes with Windows, as IE is the leader on the Mac as well. It's the same phenomenon we see with Windows virii: people who write spyware and virii target the most popular platforms. If >90% of Internet users ran Mozilla then we'd see the same things written for that browser. It's not due to any special vulnerability in the browser. Getting people to switch to something else is only a temporary solution, a band-aid that doesn't treat the underlying illness. The BBC should instead be educating people as to what is safe web behavior, as that transcends issues of operating system and browser.
Karma: Good (despite my invention of the Karma: sig)
ok, I'll bite.
> Apart from the known issues with IE, outlook, and IIS, what is insecure in Windows?
The "known issues" are numerous and quite serious, and just thinking about what might be lurking in the depths of Windows & Co. makes me feel queasy. The Microsoft empire was built on stacking new features on existing code, with little or no regard to security issues, and it shows. Judging from their mid- to long-term solution (Palladium), they have all but given up on ever delivering an acceptably secure implementation based on their current designs (not that I think for a second that Palladium will be significantly more secure, mind you).
> And as far as IIS goes, Apache hasn't had a spotless security record.
This is true, but unfortunately doesn't make your argument valid. It's a well known logical fallacy ("Ad Hominem / Tu Quoque"). Basically it's like saying "OK, I stole the cookies from the kitchen jar, but so did my brother last week!" - true, but irrelevant, and it won't deter your mother from giving you a good whack.
"There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
Criticising the BBC's use of Real is actually bad for their use of Ogg. Within the BBC, using Real is a 'Not Microsoft' option. They don't want to be forced to use WM[A|V] and all the Microsoft streaming software. Management feel more comfortable with a commercial offering at the moment. If it comes to their attention that there are many complaints about Real, they will try to replace it with Microsoft. Ogg needs to prove itself alongside Real first.
Very true. The important thing is that the information on your site is displayed, regardless of the browser. Whether it looks good or not is inconsequential when compared to getting your information across.
;P
Now, if the page looks good in a "current" browser, it's a plus. If it doesn't render *quite* right under something old, like IE3/NS3/NS4, it's not generally a big deal, unless the content can't be accessed, or the navigation can't be used. Sticking to standards will (generally) ensure that the content and navigation will be accessible to everyone, regardless of platform or browser.
That having been said, I don't keep NS4 around to check my pages. I probably *should*, but, if they will render legibly in w3m and/or lynx/links, then I figure NS4 can't mangle them too bad
For anyone who remembers, the internet used to be about content and freedom of information. Now it is about serving up some ads for Wall Street. The hope for an uncluttered, uncommercial internet is more than likely lost forever.
It's a case of "if it ain't broke, don't fix it". From Joe's point of view, it isn't broke - so he won't do anything about it. He's not experienced all this stuff that people talk about, so why change?
Until something nasty comes along, wipes his "My Documents" folder and then totals his operating system - he'll happily use Internet Explorer.
People don't protect their home until they've been burgled, they don't protect their car until it's been stolen. It's all reactive - not proactive.
Until these 1001 security issues stop becoming potential exploits and become actual exploits hitting hundreds and thousands of users a day - then no-one is going to change.
(disclaimer: I know Code Red could be put into this category, but then again, it didn't wipe anyone's personal files, did it?)
(another disclaimer: This is a combination of mine and other comments from my original thread here ... ignoring the AC who obviously didn't get my point)
Avantslash - View Slashdot cleanly on your mobile phone.
As long as Internet Exploder is the ONLY browser to come with that shiny new PC everyone's getting, then recommending that people DON'T use it is a total waste of time. People look at the prospect of tying up their modem for an 8-10MB file, and they basically think 'It won't affect me'.
I have enough trouble convincing my Mom and sister to update their AV software weekly, and that's only a few hundred kbytes.
-- You can't idiot-proof anything, because they're always coming out with better idiots.
Considering the BBC's site doesn't or didn't display right in Netscape how can they recommend avoiding IE?
If you're using NS4 then personally I believe you should expect problems. I'm all for cross-browser compliance, but there really is no reason to be using a 5-6 year old browser with substandard (to put it mildly) CSS support.
I design for standards compliant browsers, NS4 is not, therefore visitors who insist upon using this take their chances. Even Redhat have removed it now, which is a good thing - if only Netscape would remove the download link...
Code, Hardware, stuff like that.
Hmmm, that's an expert opinion and it was strong. The author, Mark Ward, quoted Mr. Clover as a computer expert, someone who knows what they are talking about. The overall opinion was that Windoze was an easy to take over piece of junk and IE should be avoided. Note the lack of comforting words from M$ shills and other whores who would simply blame the user. The article concludes:
Fears about adware and spyware are not just for privacy fetishists and cyber-libertarians. Much of this surreptitious software is badly written and can crash your computer, others simply slow down your machine and make web use a chore. But the real danger is the fact that many of the loopholes in Windows that these programs exploit are being increasingly used by virus writers. If you do nothing to close these holes then one day you may lose much more than information about your online habits.
Can there be a stronger general denunciation than that? It amounts to, "keep using this slow painful junk with and you will lose your work." That's an amazing article to see in the mainstream press.
Friends don't help friends install M$ junk.
While obviously true, it doesn't really help to talk about unknown issues when assessing the security of a system. It's a safe bet that there are unknown issues with any piece of software, especially a complex one. The argument that closed-source software isn't open to as much peer review as is open-source software doesn't really hold ground. It's perfectly possible for closed-source software to be more extensively audited than an open-source alternative.
:)
The minor difference that you fail to mention is that for open source the possible ways to assess the security are two: 1) rely on the quality of the auditing and testing from the creator or other third party 2) test and audit the code yourself or by a contracted (by you) party. For closed source you only have 1 and so you have to trust the creator & his friends. Now, a lot of people are very good at producing secure software and as you say it's perfectly possible for closed-source to be more extensively tested and audited, but what Microsoft has shown up to now is a complete disregard of the problem. So, the "unknown issues" cannot be dismissed that easily. If we talk about Swiss cheese, you'll agree with me that there are lots of holes, even without looking at the piece I have in my mouth.
(for the single-user thing: Apple has done a better job in much less time with OSX)
Actually, if you want to ensure you're being safe, you have to educate yourself. This goes with all things in life, not just computers. Expecting someone to do the work for you leaves you open to exploitation. I absolutely abhor this attitude:
"I don't know much about computers, but I don't want to get a virus or have something bad happen to me, EVER. And if something does, well, it's YOUR fault, because you didn't make it safe enough."
Tough shit. Anyone who's been using computers since before the 90's usually has an inherent, built-in mistrust of them. They've dealt with system crashes, computer viruses, and the like, and know the reality is that you're dealing with a very complicated machine, and there are a hundred things that could go wrong at any moment. It's this new-fangled entitlement that the Internet-age has brought upon us that really pisses me off. Entitlement without responsibility.
To use your analogy, if your Mom never learned how to drive, or was a bad driver, she should probably avoid roads at the very least, avoiding cars altogether might be better. Yes, Internet Explorer has loads of security holes. And some cars are more dangerous than others. Not everyone on the road is your friend. Make system backups. At least we have that luxury in the computer world.
What really amazes me is all the intelligent people who overlook the fact that if people started moving in large numbers to other platforms (Mozilla, Linux, Mac, BeOS) that a new horde of crappy insecure programs wouldn't spring up overnight. Are the makers of adware, spyware, and viruses going to say, "Well, looks like the market has shifted away from IE and Windows, I guess I'll have to take up golf instead"? I think not.
You're really only relatively safe and secure as long as you're in the minority. Security through obscurity.
bance.net
I've been building PCs for many people on the side, and here's the biggest complaint I get when I try to push Mozilla on them:
"Why doesn't the back button on my intellimouse work with it? It works with explorer."
And just like that, 20 or 30 people have turned off mozilla for just THAT reason. To them, it's just some browser that takes longer to load, puts an icon in the taskbar, and in which the back and forward buttons don't work. And it's no use trying to convince them of all the benefits.
In actual use, Microsoft has a long history of sitting on serious security bugs, or using their PR department to deal with them, or attacking the people who report bugs. When you have a long tradition of being the least secure operating system in wide use, then imho yes you can reliably extrapolate as to the likely security of their future products. Which is to say, very poor.
But yes, I do agree with you that the pervasive use of single user mode in Windows is very bad, especially considering the deep integration of IE. Deep integration is an effective strategy from an anti-trust fighting perspective, but auto-executing all these ActiveX controls and mime attachments is a disaster for ordinary computer users. I do not think Windows will ever be secure until they completely redesign it with a more unix-like philosophy of least privilege.
But single user mode can be avoided if you are aware of the dangers. More serious are design decisions that we can't change. Sticking the graphics layer in ring 0 is another fatal flaw, since buggy video drivers can now crash the OS. Not what you want in a supposedly stable and secure server.
Bad coding? Huh! Why bother crippling your web site for the small minority of people who for whatever reasons aren't keeping up with the Jones? It seems to me that of that minority there are a lot of very loud stuck-in-the-muds who obtusely refuse to move on as they like the attention they get by protesting and inventing non-issues. Sorry, but I'm not going to pander to these people. The cost of supporting them isn't worth it.
Well, you know what brand of oil to use in your chainsaw, or what SAE blend to use in your car, or how to make an addition to your house - by yourself? I bet not.
Common sense is ONLY COMMON to people who use the technology constantly and tinker with it. So-called "Hicks" know more about mechanics than most of us.. and guess which ones get raped when they go to the mechanic for a repair? It'd be like having us go inside a small local computer store complaining about "it crashes or something".......
To the users of BBC - average man, this isn't common at all. as a perspective of the user, " It's there, why NOT use it?"
biological systems point the way here...monoculture, not morons, is the problem
monoculture of any crop (be it corn, pigs, or internet browsers) leads to a situation in which disease can easily propagate across the entire population.
One of the fundamental principles of organic farming is to cultivate a genetically diverse population, thereby limiting the scope and potential damage of any particular disease vector. Consumers of software would be well advised to practice the same concept
> a web browser that doubles as a full-access file manager with the ability to run programs
Like Konqueror and Eazel's Nautilus?
> a mail client that can and will automagically open (or even run) attachments
This was true in, like, 1999. Outlook doesn't do this anymore.
> a scripting language so powerful that a component as central the registry can be modified with it that can be used in officially non-executable things as office documents and webpages
So you're saying you can't modify something in /etc using something such as Perl? There is an analog to everything you state.
> This is what makes a system with pretty much any MicroSoft software on it insecure.
What falls prey to all these worms, et al that are going around are the people that are still running Windows 98 first edition with Outlook Express 4 that never bother to upgrade anything. All it takes is something as simple as going to Windows Update to fix all this. Then Microsoft comes along and tries to remedy this problem with the Automatic Updates feature to try and remove the middleman (read: uninformed/apathetic user) and what response does that receive from the Slashdot community? "No! Kill the bastards! They're spies! Seize them!"
There's no winning.
Let's say everyone stops using IE and starts using another browser. What do you think the bad guys are going to do, find another hobby? No, they'll target that browser. Just as nobody burglarizes an empty house, no one targets a browser with minuscule market share. Increasing the market share of another browser will just turn attention to that browser.
The other question is this: is IE inherently insecure? More than Lynx, yes. But users want features (yes, it's true...not all the bells and whistles in a "modern" browser are forced upon us) and features add complexity which increases the potential for holes.
For true security, just telnet to port 80.
I've been a web developer and designer for over 5 years, and I code and test for nothing but Internet Explorer. To code for other browsers as well would take at least 2-3 times as long. My clients generally are willing to accept the tradeoff that 1% of the web population will be unable to see their site, and most of those users are using IE3.
It's simply a matter of maximizing their investment.
$50k for 99% of the users
$100k for 99.7% of the users
You pick.
Lots of people have access to the Windows source code, albeit under non-disclosure. See the various licenses at http://www.microsoft.com/licensing/sharedsource/
/. seems to be filled with people that LOVE to bash Microsoft and harp on how *nix and its supporting software is so much more secure. What you fail to take into account is that these &^%$^#$ writing ad-ware and spy-ware are going to target the community with the largest user base. Are you surprised to hear that it is Microsoft??? Hence the largest amount of time in the hacker community is spent on Windows, Explorer and Office. If even HALF the amount of time was spent on hacks for your beloved *nix systems and supporting software that is spent hacking MS your glass walls would come crashing down because MAJOR security holes would be found and exploited. I need only point to recent hacks in Apache.... So BEWARE your tower is not quite as secure as you think it is. You are simply being ignored.
This article basically says to avoid spyware and adware in general. No shit. This isn't news.
They recommended that you don't use IE because that's what most of this nasty software is targeting, not because it's a buggy piece of MS shit. It stands to reason that the most popular browser is going to attract the most amount of attacks. Again. No shit. This isn't news.
Enough of the anti-MS propaganda, it's truly getting ridiculous.
scripsit 1010011010:
Mozilla should support this, as it is valid CSS2 (see the CSS2 spec). Have you filed a bug against it?
In principio creauit Linus Linucem.
Overall, in terms of smoothness and trouble-free browsing, Internet Explorer is the best option there is. Having to switch to Mozilla or Opera is just painful.
(BTW, the proper name of the browser is "Internet Explorer." "Explorer" is the name of the Windows file manager.)
Given that IE is part of the corporate desktop build of the whole of the BBC I find the implied advocation of IE is bad lacking, though we all know it's true. Also a good proxy config and firewall and registry settings makes for a good stable productive product - like all software the devil is in the detail.
Likewise, if you're a normal logged-in user under an NT environment, you can't modify the Registry either.
That's all very true, except when presented to the real world of Windows software.
Although what I'm about to say is slowly changing, it's still true today. Trying to run Windows as a non-admin user is extremely difficult to set up. Many applications are designed with the notion that they can write to anywhere on the drive or registry. For each of these an admin must take into account what holes to punch through the security model so apps can actually run.
On a Unix based machine even the simplest of applications understands that it lives in a sort of sandbox. Running the system as a normal user is trivial to set up and actually have it run all the available software.
This concept really hit home with me when I attempted to set up a friend's PC so that he could use his Win2k system as just a normal user. There were so many exceptions due to the software that he just runs as admin. Even if I could manage to work through punching the security holes, he sure couldn't.
This is where the notion of patching security on top of an insecure system really starts to expose the flaw in the logic. Probably also why Mundie is now threatening to break older apps through patches. So much for building a castle in a swamp.
The line must be drawn here. This far. No further.
Unix has firewalls to prevent programs getting into the system.
Windows has firewalls to prevent programs getting out of the system.
Ciryon
There *is* a difference. ALT tags are a boon to making websites ready for Lynx and text-only browsers for the disabled. So if you have a graphic button that says "Home", consider these two variants:
<img src="home.png" width="100" height="20" border="0" alt="This button takes you to the homepage">
and
<img src="home.png" width="100" height="20" border="0" alt="Home">
and
<img src="home.png" width="100" height="20" border="0" alt="Home" title="This button takes you to the homepage">
The first tag (which is what you suggest) would be a little awkward in a text browser, since "This button takes you to the homepage" would show up (when "Home" would do).
The second would look idiotic in Mozilla, since the tooltip would just say "Home" (well, duh), but it would work in Lynx and other text browsers.
The third is ideal, because everyone gets what they need -- Mozilla's tooltip would say "This button takes you to the homepage", but the text browsers see just "Home".
Cheers,
Ethelred
Everyone wants to be Ethelred. Even I want to be Ethelred.
And I pick a competent web designer, which clearly excludes you.
To code for other browsers as well would take at least 2-3 times as long.
What a load of crap! I can only hope that making such an idiotic claim leads you to a job more suited to your talents, such as one that involves asking your clients, "would you like fries with that?"