Slashdot Mirror
BBC says "Avoid Explorer"
twitter writes "Citing security flaws that lead to ads and spys on Microsoft infested computers the BBC in this article recomends avoiding Internet Explorer." Ain't it the truth? Mostly its about adware & spyware and other wretched bits of software that make the internet suck a little
more each day.
It would be one step in the right direction...
Still too many webdesigners want to make sites that look flashy and work only in Explorer...
They never figured out they can make the same stuff work in many browsers if they would only try and learn something about web design itself instead of designer tools...
So till that's solved a lot of people will use Explorer because their favorite site is badly designed.
Well, no it isn't actually. The BBC is reporting what Mr Clover said. Not at all the same thing as "the BBC recommends".
Sigh.
"Avoid the BBC"
The easiest way to avoid parasite programs, he says, is to stop using Internet Explorer because it is targeted by many of the adware and spyware companies.
I've never ran accross a site that "forced" its software on me. I've ran accross "gator" a few times which tries to install without my permission, but I still have to hit OK. This article has a hint of FUD.
As with anything, if people used common sense probably 95% of problems could be avoided. By common sense I mean NOT going to suspicious sites (you can usually tell by the URL.. something that has "geocities" or ends with ".cz" is probably going to be more dangerous than amazon.com for instance). Let's face it, there is always going to be some security holes in the most popular and widely used browser. Even if that browser ever becomes Mozilla (which I doubt will happen any time soon- I run Mozilla but speed wise it just doesn't compare with IE).
Unfortunately, we can't rely on common sense because it really isn't all that common. It would be nice to have a "sandbox browser setting" for people who don't trust themselves to practice safe browsing. Here's an idea- they could click on a little icon of ralph wiggam playing in his sandbox (remember, he doesn't go into the deep end). This automatically forces the most stringent security settings (disabling activeX, scripting, etc.) and double prompts each time you go to download something "Are you sure? Are you really sure?". This probably wouldn't be too hard to add to IE.
instead of abandoning IE, which is a decent web browser, be careful (not paranoid, but like anyone who's been on /. for more than ...5 minutes won't click on a goatse.cx link) about where you actually browse.
Because downloading Phoenix takes all of five minute, and you've then got happy pop-up free browsing for as long as you want? Rather than, as you say, being 'careful about where you browse'. Shouldn't a browser be your friend, not your adversary?
___
Cogito cogito, ergo cogito sum.
Some people decide they'll be on the safe side by "Condoming Up" and turning security all the way up.
But when they get rashes of popup ads, and sore security holes, they realize that IE is a tired lay that not only lacks the finesse and technique of younger variants, but leaves you wanting your money back.
Even though you didn't pay anything... Bastards. You just wanted to surf the net with IE, and BANG!!! Next thing you know you have a Windows infection.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
I understand that this security/usability patch will correct virtually all the problems with IE to which the BBS objects. Of course, it's a pretty complete patch...
Requesting that a user update their browser merely to view your site is bad coding.
A pet peeve of mine is when a site says you need to be in a certain resolution to use their site.
What happened to designing your site for the widest possible group of users?
-- El Sacarino tiene gusto de la chocha
So people stop using IE, then another browser (say, opera) takes over as the dominant browser, so spy/adware starts to be targetted at opera users.
Do we then avoid opera?
The problem is that there are morons out there developing spy / ad / malware, not which browser someone happens to use.
Sometimes they come attached to software you download from the web - the details are often included in the license agreement small print that most users click through without reading.
Which means you caused the problem not IE or windows.
And sometimes they don't even need your permission to download, but just hop on your hard drive, totally unannounced, because you are browsing the wrong webpage.
Too bad they don't go into more detail here about whether this is a general issue with malicious websites for most browsers, or actually expoloiting some hole in IE.
A few companies are now exploiting holes in Windows messenger to sneak adverts on to the screens of unsuspecting users.
Windows messenger _IS NOT_ part of IE. It is a seperate component that is unfortunatly automatically turned on. I do wish MS was better about what services were on by default, though I usually go in and turn off most services when I install windows, which I recommend. This is not a "hole" in the sense of a bug though, you _CAN_ turn it off.
While this article may have some basis, it really seems to be pointing at user stupidity. Don't browse some site, Read the EULA's and don't just click OK on a popup.
"Not knowing when the dawn will come, I open every door." - Emily Dickinson
Cheers,
Ian
The unknown issues.
The internal copyright to do so expired, ending the trial.
Then in September, they sorted this out. Ogg streaming is due to re-start, Real Soon Now(tm). As it has been since September... See Here for more details....
--
I'd rather have a bottle in front of me than a frontal lobotomy
The thing is, Explorer's no "worse" than anything else out there. It's just incredibly more popular, and not just because it comes with Windows, as IE is the leader on the Mac as well. It's the same phenomenon we see with Windows virii: people who write spyware and virii target the most popular platforms. If >90% of Internet users ran Mozilla then we'd see the same things written for that browser. It's not due to any special vulnerability in the browser. Getting people to switch to something else is only a temporary solution, a band-aid that doesn't treat the underlying illness. The BBC should instead be educating people as to what is safe web behavior, as that transcends issues of operating system and browser.
Karma: Good (despite my invention of the Karma: sig)
ok, I'll bite.
> Apart from the known issues with IE, outlook, and IIS, what is insecure in Windows?
The "known issues" are numerous and quite serious, and just thinking about what might be lurking in the depths of Windows & Co. makes me feel queasy. The Microsoft empire was built on stacking new features on existing code, with little or no regard to security issues, and it shows. Judging from their mid- to long-term solution (Palladium), they have all but given up on ever delivering an acceptably secure implementation based on their current designs (not that I think for a second that Palladium will be significantly more secure, mind you).
> And as far as IIS goes, Apache hasn't had a spotless security record.
This is true, but unfortunately doesn't make your argument valid. It's a well known logical fallacy ("Ad Hominem / Tu Quoque"). Basically it's like saying "OK, I stole the cookies from the kitchen jar, but so did my brother last week!" - true, but irrelevant, and it won't deter your mother from giving you a good whack.
"There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
``Apart from the known issues with IE, outlook, and IIS, what is insecure in Windows?
The unknown issues.''
While obviously true, it doesn't really help to talk about unknown issues when assessing the security of a system. It's a safe bet that there are unknown issues with any piece of software, especially a complex one. The argument that closed-source software isn't open to as much peer review as is open-source software doesn't really hold ground. It's perfectly possible for closed-source software to be more extensively audited than an open-source alternative.
What does make Windows insecure is it's single-user nature. Even the NT-based systems running on many desktops these days, while technically capable of using a good security model, are often run in single-user mode, meaning that if that user's account is broken into, there are virtually no restrictions on what harm (or good?) can be done.
Many software from the Big Satan of Redmond suffers from inherently insecure design. Windows (not NT)'s single-user nature, weak protection of address spaces (know those little programs that can be used to read other program's text fields, indeed even password fields?), a web browser that doubles as a full-access file manager with the ability to run programs, a mail client that can and will automagically open (or even run) attachments, a scripting language so powerful that a component as central the registry can be modified with it that can be used in officially non-executable things as office documents and webpages, the list goes on. This is something MicroSoft can be blamed for, should be blamed for, and should be ashamed of. This is what makes a system with pretty much any MicroSoft software on it insecure. And the best thing is that others are trying hard to copy some of these `features'.
Please correct me if I got my facts wrong.
---
Thank you for your e-mail. In reply to your queries both Mygo and go mobile's website are designed for IE5 and upwards and this is Company policy.
We are aware that not everyone uses IE. However, IE offers certain features which other browsers do not. Using these, we are able to use a greater array of features which allow us to design better interfaces. 84.3 per cent of the internet population uses Internet Explorer. More than 98 percent of the hits on go mobile's website originate from IE.
---
I mailed them again telling them it's nonsense (browsers reporting themselves as being IE etc) and that there are alternatives to make it work for both but surprise surprise! no reply. Bugzilla contains a number of other websites suffering from this condition (inc. Microsoft, no surprises here).
Therefore Mozilla follow standards so page X won't work and page X authors follow market so they won't fix it. What does BBC recommend I do in this case?
---
The only way Linux is more secure is if you spend several hours every day downloading and installing the latest security patches.
OK, I'll bite.
Several hours? I don't know what distribution you run, but remind me to avoid it! I've run both Debian and RedHat - neither require several hours of daily patching.
With Debian, you only install the services you intend to use, then keep an eye out for security issues with those services (which isn't hard, and takes 15 minutes at most per day, usually less). When there is a vulnerability found that affects you, all that's generally required is an 'apt-get update && apt-get -u dist-upgrade', which may take a bit of time if you're on a slow link, or have a lot to update, but generally is pretty darn quick (again, for me it's generally less than 15 minutes). If they haven't managed to roll an "official" patch in yet, you can either wait for it (generally less than 24 hours for most), or compile it yourself. Turnaround time for security patching on Debian is excellent, though, and you generally won't find yourself needing to compile things yourself if you don't want to.
RedHat is a little different in that (at least prior to 7.3 - the last one I installed was 7.2, and things may have changed with 7.3 or 8.0) it installs everything but the kitchen sink by default - and you have to go around turning off what you don't need. Once you've got the "undesirables" turned off, security updates really aren't much different from Debian (especially if you're using apt for RPM). Again, for major vulnerabilities, patch turnaround time is excellent (generally 24 hours or less) and you won't have to recompile things you don't want to. Because RedHat is a bit more widespread than Debian, there are a few more exploits to watch out for, but hitting a few security sites during your daily web browsing should alert you to anything you might need to know. Definitely not "several hours every day".
Unfortunately a lot of people don't actually read the EULA. They just click through until the software is installed. Even if you do read it it's full of dense obscure legal language that mostly doesn't apply to you. Advertising software if implemented correctly can allow developers to make money from their software without requiring the end user to pay.
The problem is it's often not done properly. There are spyware apps like aureate that operate in stealth mode by passing themselves off as Windows system processes and making sure that they don't even show up the task list or binding themselves to winsock so that you delete or uninstall them your Internet connection stops working. Microsoft should be made to fix these holes in IE but I think some pressure should also be applied to the people that write these programs.
Still too many webdesigners want to make sites that look flashy and work only in Explorer...
I know a lot of people say this, but is it actually true. I use both Mozilla and IE and very rarely notice any differences.
It's a case of "if it aint broke, don't fix it". From Joe's point of view, it isn't broke - so he won't do anything about it. He's not experienced all this stuff that people talk about, so why change?
Until something nasty comes along, wipes his "My Documents" folder and then totals his operating system - he'll happily use Internet Explorer.
People don't protect their home until they've been burgled, the don't protect their car until it's been stolen. It's all reactive - not proactive.
Until these 1001 security issues stop becoming potential exploits and become actual exploits hitting hundreds and thousands of users a day - then no-one is going to change.
(disclaimer: I know Code Red could be put into this category, but then again, it didn't wipe anyones personal files did it?)
(another disclaimer: This is a combination of mine and other comments from my original thread here ... ignoring the AC who obviously didn't get my point)
Avantslash - View Slashdot cleanly on your mobile phone.
Considering the BBCs site doesn't or didn't display right in Netscape how can they recommend avoiding IE?
If you're using NS4 then personally I believe you should expect problems. I'm all for cross-browser compliance, but there really is no reason to be using a 5-6 year old browser with substandard (to put it mildly) CSS support.
I design for standards compliant browsers, NS4 is not, therefore visitors who insist upon using this take their chances. Even Redhat have removed it now, which is a good thing - if only Netscape would remove the download link...
Code, Hardware, stuff like that.
I'm using mozilla with the internet explorer skin. It works great, though there's a little hack you have to do to get the home button back into the main toolbar.
:-).
Mozilla is a better browser than i.e. in a lot of ways (tabs, standards compliance, etc.), but the big one for me is that i.e. is essentially an ad delivery systerm. So there's not much we can do to selectively block cookies, or graphics from specific servers, or pop-ups, etc. And I don't like the prospect of being at the mercy of unscrupulous companies who wish to make changes without my knowledge or consent. (Actually, what I'd really like is a way to get rid of i.e. entirely on w2k/xp.)
That explains mozilla, but why the i.e. skin? Well, the default mozilla skins are not exactly beautiful. And my wife is highly resistant to change of any kind when it comes to her computer, and with the i.e. skin I was able to switch her w2k machine to mozilla without even a word of protest. Of course, at this point she's so used to tabbed browsing and the pop-up blocker that she wouldn't switch back anyway. And me, I don't have to worry about some exploit using i.e. to take her computer down.
Actually, I even use the i.e. skin on my linux box. Just for the perverse fun of it, I guess. I also have a nice wallpaper from w2k of a diver against a blue sky. It's very spiffy, though naturally I GIMPed out the little windows logo first
Hmmm, that's an expert opinion and it was strong. The author, Mark Ward, quoted Mr. Clover as a computer expert, someone who knows what they are talking about. The overall opinion was that Windoze was an easy to take over piece of junk and IE should be avoided. Note the lack of comforting words from M$ shills and other whores who would simply blame the user. The article concludes:
Fears about adware and spyware are not just for privacy fetishists and cyber-libertarians. Much of this surreptitious software is badly written and can crash your computer, others simply slow down your machine and make web use a chore. But the real danger is the fact that many of the loopholes in Windows that these programs exploit are being increasingly used by virus writers. If you do nothing to close these holes then one day you may lose much more than information about your online habits.
Can there be a stronger general denunciation than that? It ammounts to, "keep using this slow painful junk with and you will lose your work." That's an amazing article to see in the mainstream press.
Friends don't help friends install M$ junk.
While obviously true, it doesn't really help to talk about unknown issues when assessing the security of a system. It's a safe bet that there are unknown issues with any piece of software, especially a complex one. The argument that closed-source software isn't open to as much peer review as is open-source software doesn't really hold ground. It's perfectly possible for closed-source software to be more extensively audited than an open-source alternative.
:)
The minor difference that you fail to mention is that for open source the possible ways to assess the security are two: 1) rely on the quality of the auditing and testing from the creator or other third party 2) test and audit the code yourself or by a contracted (by you) party. For closed source you only have 1 and so you have to trust the creator & his friends. Now, a lot of people is very good at producing secure software and as you say it's perfectly possible for closed-source to be more extensively tested and audited, but what Microsoft has shown up to now is a complete disregard of the problem. So, the "unknown issues" cannot be dismissed that easily. If we talk about Swiss cheese, you'll agree with me that there are lots of holes, even without looking at the piece I have in my mouth
(for the single-user thing: Apple has done a better job in much less time with OSX)
Of course, most of them were fixed before the article on The Register was even written.
Well, seeing as this has been modded up to +5 funny, I guess I should take the plunge:
Reg; People are always complaining about the security in windows, but come on, Windows is great. All my friends use it!
Loretta; Yes, and my friends friends.
Reg: Yeah.
Loretta: And my friends friends friends.
Reg: Yeah, all right. Don't labor the point. And tell me, what is insecure in Windows?
Rebel2: Outlook?
Reg: What?
Rebel2: Microsoft Outlook.
Reg: Oh yeah, yeah. That's insecure. That's true, yeah.
Rebel3: And Internet Explorer.
Loretta: Oh yeah, Internet Explorer, Reg. Remember all the security holes that's had?
Reg: Yeah, all right, I'll grant you Outlook and Internet Explorer are two things are insecure...
Mathias: And IIS.
Reg: Well, yeah. Obviously IIS, I mean IIS goes without saying, doesn't it? But apart from the Outlook, Internet Explorer, and IIS...
Rebel4: Word Macros.
Rebel2: Passport.
Rebel5: Hotmail.
Reg: Yeah, yeah, all right. Fair enough...
Rebel1: And Active-X.
Rebels: Oh, yeah
Francis: Yeah. Yeah, That's a really bad one isn't it? Active-X.
Rebel6: The Windows kernel itself.
Loretta: Yes, remember when they found that NSA key Reg?
Francis: Yeah, well, that's certainly a bit worrying, isn't it?
Everyone: Huhuhuh. Huhuhuhuhuh.
Reg: All right. But apart from the Outlook, Internet Explorer, IIS, Word Macros, Passport, Hotmail, Active-X and the Windows kernel itself, what is insecure in Windows?
Rebel2: SQL server?
Reg: Oh, fuck off.
And that elitist attitude is exactly why Windows has the market share it does. You guys expect everyone to know how to change their own oil, tune-up their car, adjust the timing belt, and balace the tires.
The computer is a tool. My mom (and millions of others) knows how to drive a car and she knows how to drive a computer. They don't know how it operates, and they shouldn't have to. They aren't experts in computers, and they aren't experts in cars.
The idea that somebody has to have advanced knowledge of computers to use them is absurd. The fact that somebody thinks they should have to treat their use of the computer like navigating a minefield is even more absurd.
Nobody is entitled to security. But what they are entitled to is reasonably secure software, not a gaping sieve of a security nightmare, such as IE.