Slashdot Mirror
Mozilla Hits Back at Browser Security Claim
UltimaGuy writes "Mozilla has reacted to the Symantec report issued on Monday which said serious vulnerabilities were being found in Mozilla's browsers faster than in Microsoft's Internet Explorer. Tristan Nitot, president of Mozilla Europe, hit back by claiming on Monday that when a vulnerability is found Mozilla's 'ability to react, find a solution and put it into the user's hands is better than Microsoft.'"
Open-source Full disclosure vs Close-source Please-wait-for-us-to-fix-the-vulnerability-before -publishing-it-else-we-sue
Bias is inescapable. You mean to tell me Symantec's stance on browser security reinforces the need for their solutions?
As a corporation, they have a sharp sense of self preservation. Shocking, I say. Dammit, just shocking.
You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
IMO, all this bandying about with numbers is next to pointless. All I know is that in my experience:
1. When I used IE, I got infected out the wazoo; colleagues I know using IE still have problems.
2. After switching to Firefox while still running Windows, I had zero infections. ZERO. Nothing else on the system changed.
3. Now I use Linux exclusively (unless doing work on a client's computer on their behalf), and I sure am not using IE.
On the one hand, it's nice to see Moz hitting back with the PR. But, I wonder if this will ultimately hurt migration away from IE. That is, I can just about hear folks saying "MS says one thing, Mozilla says another...who to believe?"
To the non-techie, MS is a known quantity and The Mozilla Foundation is not (I'm thinking along similar lines to name-recognition at the polls). At the very least, a I-say, they-say approach seems to muddle the issue more than clarify it for those not willing to do their own research.
Computational Chemistry products and services.
Don't reporters do research any more? This article does nothing more than parrot what Mozilla has to say about the matter. I wonder if it would be possible for a company to completely forgo a PR departmet and just use the news media directly.
This was zdnet's first article on the recent situation, "Symantec: Mozilla browsers more vulnerable than IE". Basically, "This is what Symantec said about Mozilla". And now this article is titled, "Mozilla hits back at browser security claim". Which translates to "This is what Mozilla said back".
You could probably just take a few +5 rated comments from the first slashdot discussion about this and come up with a better article... In fact that might be a good business plan: write a script to automatically grab the highest rated comments from each story, splice them together into an article and then put on a website as original content, <msb>your articles might even be posted back to slashdot from time to time</msb>.
(msb = mandatory slashdot bashing).We always knew Comcast was corrupt, here's the proof: http://tech.slashdot.org/comments.pl?sid=1909890&cid=34545432
until some hacker exploits it
not until someone exploits them, but until:
-- someone exploits it
-- it's discovered (it's not immediate, right?)
-- it finds its way to MS staff
-- it goes through the whole beaurocratic monster at MS all the way from a person who receives a bug report, through god knows how many decision makers to coders.(I guess that's not so quick)
Hackers have a lot of time to play around with those vulnerabilities...
Plus, I bet that in case of proprietary soft more (percentage wise) holes are discovered by those who are ill-minded (why in the world would you look for holes in IE? I don't know how does that look in FF's case, but I can imagine people looking for such stuff because they're doing a Good Thing).
"""The study was conducted over the first six months of 2005."""
... the Microsoft vulnerabilities were more critical,"""
When did the litmus test for long term security become the short term?
""" by claiming """
"""Nitot said that Mozilla's reaction"""
"""according to Nitot."""
"""He also argued that
All these quotes are from the article and in a place where they implicitly put into question what Mr. Nitot is trying to say.
But, when Mr. Whitehouse speaks even "IE is closed source, and so it's more difficult to access the code." Which implicitly says that closed source is more secure (security through obscurity - provably false). This "journalist" doesn't call him on it.
And this "journalist" continues to let this guy speak implicitly calling into question the security of and wisdom of using Firefox without making him justify the claims.
So, all in all, we have Mr. Nitot arguing a point and bringing facts to the table that support his claims and Mr. Whitehouse bringing implications and conjecture almost completely unsupported. Also, in the middle is this "journalist" who phrases things in a way that supports Mr. Whitehouse.
What happened to all the real journalists? You know, the ones that get as close to unbiased reporting as possible; the ones that report only facts leaving out editorials marked as fact.
*sigh*
For that matter, who gets to decide what a bug is, rather than a "feature"? The DRM in the current version of the Acrobat format allows you to run embedded Javascript with no access controls. This is arguably an exploit, but Adobe would doubtless classify it as a feature, as it means you cannot circumvent DRM by turning the Javascript off.
Secondly, the numbers are not directly comparable, as Mozilla is standalone whereas IE is built into the OS. (This is important, as integration means that bugs that are strictly in the OS could be exploited through the web browser, without it being a web browser bug.)
Thirdly, there are deals over the reporting of security holes in software, whereby a report can be held back until a patch has been readied. This means that even "unconfirmed" (but reported) bugs by security vendors may be capped by the manufacturer. (Not always, even with those manufacturers who do this, but it does introduce uncertainty.)
Finally, Mozilla is cross-platform but bugs may not always be. Any buggy code that is OS-specific, for example, or any bug which relies on some OS-specific or library-specific bug in order to be exploitable, may only affect certain platforms as a result.
There is a second part to this one! It is also possible to have one bug that appears in multiple forms, but only one form per OS (due to OS-specific characteristics). Does it count as one bug or as many? (Remember, it still only takes one form in a given OS, but because of dependencies, changes in some way between different operating systems.)
Now, you can argue that many of the above are very hypothetical and do not apply in this specific study. Perhaps that is true, but the point is that unless you have rigorous controls on how you produce the statistics, the uncertainties are bound to be comparable to the number of incidents, making the statistics worthless.
And that is my point. If the possible variance in the number of actual bugs (reported or otherwise) gets to be comparable to the number of bugs reported, then the reports mean nothing. The actual number of bugs encountered could range from zero to infinity and the stats would still be "correct".
Ideally, the security companies would produce sufficient additional information to demonstrate the confidence they have in the values produced as opposed to simply citing the numbers but not really backing them up with anything concrete.
Where uncertainty is required by the vendor, then publish a range or some other indicator of how many unpublishable but reported bugs are believed to exist. (Since there is no guarantee that the unpublishable data is circulated with security vendors, an accurate figure may not be producable at all.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Companies such as Symantec are interested in blurring the line between 'faults found' and 'security'. An unfound and easily exploitable fault can make a product more prone to attack, i.e more insecure. Which is opposite to found flaws that are fixed.
So if a less skilled programmer is looking for faults, they are going to find less of them. So pretend we have two equally insecure products, by Symantec's paradigm one product would appear more secure than the other merely because less faults have been discovered. I'd trust a product created by many, rather than a product created by a recycled team.
To combat the same paradigm which Symantec promotes (i.e more flaws found = bad, instead of good.) companies such as Microsoft bundle multiple updates together(such as monthly updates) such that numerous groups of security flaws can be perceived as a lesser quantity of issues(Or in MS's case "one critical update"). The reality though is that security is based entirely on your track record, and not by how many faults you've discovered in your code. So we all know what the track record for MS products are versus Firefox.