Firefox 2.0 Wins Phishfight Against IE7
An anonymous reader writes "A new study that pitted the anti-phishing technology in Firefox 2.0 against that of IE7 generated some interesting results. From the Washingtonpost.com story: 'Firefox blocked 243 phishing sites that IE7 overlooked, while IE7 blocked 117 sites that Firefox did not.' Microsoft responded by pointing to its own supposed comparison study that put it in front of Mozilla and others in phish fighting, but the story notes: '3Sharp, the company that authored the Microsoft study, clearly state on their site that their goal in creating 3Sharp was "to use the robustness, flexibility, and sheer native capabilities of the Microsoft communication and collaboration technologies to enhance the business of our customers."'"
that most phishing sites are designed to circumvent Internet Explorer, since it is the most common internet browser, and practically the only browser for 'clueless' users, especially the ones that would be victims to a phishing site.
In a world of acronyms, the words are the real victims.
I thought the two teams were friends now, with the whole 'here, have some cake to celebrate your new release, and let's come to my place to discuss a 12x12 icon' thing? Seems kinda weird for Microsoft to start spreading FUD again. No?
The risk of litigation inspired by false positives means they will always have to be a little more circumspect with who they classify as a phisher.
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth.
What truth?
There is no dupe
That 3Sharp site looks a lot like huhcorp.
On the subject of phishing, I have not come across one, so my request is for a slashdotter to point me to an example so that I can check out one of Firefox's much hyped goodies. Thanks.
/slap Microsoft
* Anonymous Coward slaps Microsoft around a bit with a large trout.
I win, I win!
Firefox, or IE7?
Which way finds one
The phish-free heaven?
Let browser, like foam
Be lynx: sans leaven
Burma Shave
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
It's really Google vs. Microsoft because Firefox 2 essentially integrated Google's Safe Browsing extension into the core browser. And while Firefox has the ability to change phishing-list providers (Tools -> Options -> Security), the only one it ships with is from Google.
Get Firefox!
Can't they be shut down? Can law enforcement make the ISPs shut down known phishing sites?
Sig pending an original thought...
I'm glad they got the phishing filter right over less important things like not crashing all the time.
I'll take Firefox 1.5 without the phishing filter, thank you.
Mmmm.. Donuts
The author of the piece suggests a whitelist must be more practical.
Hmm, so that would mean checking against a list of a few billion web pages as opposed to a few hundred for the scam pages. Anyone spot the teensy problem? I do wish that just occasionally journos would have a small amount of knowledge in the area they're writing about.
I didn't RTA, nor do I have Opera's 9.1TP installed with fraud protection, but I'd be interested in how it fares.
16:57 * Firefox2 slaps IE7 around a bit with a large trout
How do you figure Firefox as a 'name brand' and Opera not? Last time I checked, the Mozilla Foundation was a non-profit organization, and until recently Opera was not free; it was pay-license or ad-supported.
And I thought a Phishfight is what happens after you criticize Trey for falling off his trampoline during a 'smokin' rendition of 'You Enjoy Myself'
He who knows best knows how little he knows. - Thomas Jefferson
Thank you! You see, I had never hit a suspected phishing site before! Thanks once again.
...I've honestly ever seen the words "robust," and "Microsoft," in the same sentence.
I believe the main goal of this "phishing protection" effort is to spy on users. Even if you limit "protection" to downloaded blacklists only, still some personal information can be harvested, for example, how much time a particular user spends online.
If you disagree, tell me, why can't I disable this "phishing protection" completely?
So clearly the best idea is to visit each site you visit using BOTH browsers so one will likely catch the phishing mechanism! Ah, safety has never been so simple!
It is pitch black. You are likely to be eaten by a grue.
...at least until they fix bug #356355, which "jumps" the anti-phishing filter.
For example, if you go to http://200.119.135.99/ebay/login5878/ the phishing filter will warn you,
but if you encode the IP with an unusual encoding,
http://0xc8.0x77.0x87.0x63/ebay/login5878/
the phishing filter will not kick in.
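The mitigation for the bug report above is to canonicalise the host before the blocklist lookup, so that hex, octal and dword spellings of an IPv4 address all resolve to the same dotted-decimal key. The following is an added example written for this thread, not Firefox's or Google's own filter code; the blocklist entry is constructed from the URL quoted in the comment.

```python
"""Canonicalise a URL's host before a phishing-blocklist lookup.

Added illustration, not Firefox's filter. The sample blocklist below is
constructed from the dotted-decimal URL quoted in the comment above.
"""
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample blocklist: host + path prefix, dotted-decimal only.
BLOCKLIST = {"200.119.135.99/ebay/login5878/"}


def _parse_label(text: str) -> int:
    """Parse one host label the way browsers do: 0x.. is hex, a leading
    0 is octal, otherwise decimal. Raises ValueError for a non-numeric
    label (i.e. a real DNS name)."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", text):
        return int(text[2:], 16)
    if re.fullmatch(r"0[0-7]+", text):
        return int(text, 8)
    if re.fullmatch(r"[0-9]+", text):
        return int(text, 10)
    raise ValueError(text)


def canonical_host(host: str) -> str:
    """Return the dotted-decimal form of any numeric IPv4 spelling
    (hex, octal, dword, shortened); non-numeric hosts are lower-cased."""
    host = host.lower()
    try:
        nums = [_parse_label(p) for p in host.split(".")]
    except ValueError:
        return host  # a DNS name, nothing to normalise
    if not 1 <= len(nums) <= 4:
        return host
    # The last label fills the remaining bytes (dword and short forms).
    *head, last = nums
    width = 4 - len(head)
    if any(n > 255 for n in head) or last >= 256 ** width:
        return host  # out of range: leave for the resolver to reject
    value = 0
    for n in head:
        value = (value << 8) | n
    value = (value << (8 * width)) | last
    return str(ipaddress.IPv4Address(value))


def canonical_url(url: str) -> str:
    """Rebuild the URL with a canonical host; drops the fragment."""
    parts = urlsplit(url)
    port = f":{parts.port}" if parts.port else ""
    netloc = canonical_host(parts.hostname or "") + port
    return urlunsplit((parts.scheme.lower(), netloc,
                       parts.path or "/", parts.query, ""))


def is_blocked(url: str) -> bool:
    """Prefix match of the canonical host+path against the blocklist."""
    key = canonical_url(url).split("://", 1)[1]
    return any(key.startswith(entry) for entry in BLOCKLIST)
```

With this normalisation both spellings of the address in the comment hit the same blocklist entry.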
Microsoft + Firefox = Awesomeness (for Windows only)
http://www.msfirefox.com/
I guess you haven't checked very recently because there has been a Mozilla Corporation for quite some time (about a month before Opera became free).
Microsoft Firefox http://www.theregister.co.uk/2006/11/14/ms_firefox/
Fish fight? Would that be something like this?
...The SmartWare site isn't much better. (SmartWare is the company that did the study the WP article is based on)
See for yourself: http://www.smartware.com/
IE7 is also incompatible with QuickBooks 2004 and above. With the other problems I've heard of, I have to ask why in the world is this POS being forced on users as a high priority security update?
Intuit recommends uninstall. Just got that notice when I installed the latest QB update. Will Intuit learn from this? I've been reporting the bug of unable to run without power user (or higher user rights) in Betas for years.
Who will guard the guards?
This seems to me like another bonus for Google and Microsoft in tracking users' browsing habits. If every time someone visits a site using FF2.0 or IE7 it 'phones home' to find out if the page is a phishing site or not, won't these companies be able to build a more concise and accurate profile of web users? Just a thought...
I'm no expert and well I'm also a Firefox (FF) lover and IE hater. Mainly cuz its CSS support sucks but that might be changing.
Anyways... I would guess that FF has a small advantage here cuz it's been out in users' hands longer, thus has had time to let its anti-phishing rules evolve somewhat. IE7 is still new and has some learning to do =)
My 1.5 cents.
Change is certain; progress is not obligatory.
As the article points out, false positives were not addressed at all in this study. Without testing for false positives, those numbers are useless. If Firefox listed 100% of websites as phishing sites, the fact that it caught more than IE7 isn't all that impressive.
FF 2 wins phishfight vs. IE 7.
And in a related sports story, the Arizona Cardinals battle the Oakland Raiders in another epic struggle of 2 last place teams.
...they won't be held liable for fraudulent chaaaarges!
And the experience of having to file the forms to cancel their current credit card and get a new one will teach them something about being careful.
I teach a college course for teaching majors. Each year I do a phishing demonstration where I post a bunch of links on my blog, including one to the university's intranet. The links are all full paths (http://...), but the href in the intranet link points to a different server. When the students try to log in, they get a message about phishing.
This semester I was a bit worried because I had heard IE 7 had new "anti-phishing technology." I thought IE would obviously check the text of the link against the target address, but that didn't happen. Firefox 2 doesn't either.
How hard would it be to check the text of a link against a regex for urls, then, if it is a url, check that the target is the same?
I'd rather have someone respond than be modded up.
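The check the post asks about, as an added example for this thread rather than anything from Firefox or IE: walk the anchors on a page, and where the visible text parses as a URL, compare its host with the href's host. The sample HTML and its hostnames are constructed for the example.

```python
"""Flag links whose visible text is a URL for a different host than
the href. Added example; the sample page and hostnames are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that "looks like a URL": optional scheme, a dotted host,
# optional path. Captures the host for comparison.
URL_TEXT = re.compile(
    r"^\s*(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]\S*)?\s*$", re.I)


def link_text_matches_href(text: str, href: str) -> bool:
    """True unless the text is a URL whose host differs from the href's.
    Plain words ("course syllabus") are not URLs and always pass."""
    m = URL_TEXT.match(text)
    if not m:
        return True
    shown = m.group(1).lower()
    target = (urlsplit(href).hostname or "").lower()
    return shown == target  # exact host match; no subdomain leniency


class LinkAuditor(HTMLParser):
    """Collect (visible text, href) for every anchor that fails the check."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.mismatches = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            if not link_text_matches_href(text, self._href):
                self.mismatches.append((text, self._href))
            self._href = None


def find_mismatched_links(html: str):
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.mismatches


# Constructed sample page: the second link mimics the lecture demo.
SAMPLE_HTML = """
<p>Useful links:</p>
<ul>
<li><a href="http://intranet.example.edu/">http://intranet.example.edu/</a></li>
<li><a href="http://login.attacker.example/intranet/">http://intranet.example.edu/login</a></li>
<li><a href="http://www.example.org/syllabus.html">course syllabus</a></li>
</ul>
"""

if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_HTML):
        print(f"mismatch: text says {text!r} but href goes to {href!r}")
```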
I imagine you'll see a browser sync that is integrated with the my.opera domain that also integrates the mobile web environment, which will be a nice step forward in sync (Reference CNet news: For Opera, smaller really is better)
A phishfight is ..
...
- When two philosophers fight each other with fishing rods
- A trout slapping competition in Greece
- What happens when a dolphin with a slight identity crisis gets fed-up with hearing the other dolphins sing Batman
- A form of violence between spelling-challenged fishmongers in an open air market.
"3Sharp, the company that authored the Microsoft study, clearly state on their site that their goal in creating 3Sharp was 'to use the robustness, flexibility, and sheer native capabilities of the Microsoft communication and collaboration technologies to enhance the business of our customers.'"
This statement seems to imply that the study might not be impartial.
Other than the fact that these guys get paid by Microsoft on a regular basis to create product demos of MS products, I don't see any conflict of interest.
See:
http://www.3sharp.com
and
http://www.3sharp.com/notable_accomplishments.h
I don't like the phone-home phishing extensions, since they are a breach of privacy. Therefore a good old hosts file based block list is better IMHO.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Which browser to use
Red fox globe or big blue E
so long thanks for all the phish
The only change I can believe in is what I find in my couch cushions.
I have just completed a highly sophisticatedd and truly indepandant phishing study, in my native Nigeria. The results promise to cause wide swings in the prices of numirous equities listed on the NYSE, London Exchange, Hong K0ng, etc. I require the assistance of a foreign party so I may trade such equities using my sizable fundage. You will of course be handsomly reworded for your most benificient efforts. Please contact me at once through the embassy web page: http://123.232.53.257/index.html
Does anyone even use the "anti-phishing" mode? I've turned it off on both browsers. Who needs this except for complete internet n00bs? Is there any such thing as a complete internet n00b anymore? Even my 71 yr. old mother knows enough not to fall for phishing.
Terrible karma and aiming lower, which in this environment of one-sided reason, is higher.
their site that their goal in creating 3Sharp was "to use the robustness, flexibility, and sheer native capabilities of the Microsoft communication and collaboration technologies to enhance the business of our customers."'"
So let me get this right, the company is bad because they use MS products while testing MS products? Hmm...
So how does SlashDot suggest a company test MS products without using them?
Ok, just because a company USES MS products does not mean they are biased. They could be, but they also could not be.
Our company uses Linux and OSX, so if we write a review comparing the two products, are we to be automatically discredited by both Apple and Open Source users then? Or could maybe we have a good understanding of each and write a complete review because we aren't idiots that don't know how to use the other OSes?
(Sorry for the sarcasm, but Geesh...)
I hardly get spam in my hotmail either. To my memory I've only gotten Nigerian 401 scams. I don't consider them spam. I consider them entertainment.
Spammer: "A relative of yours has died in Sinapore we need can help you release the funds."
Me: "Your spam bot is an idiot. Look at my email address. (XXXXXXXXvandebunte@hotmail.com) Does it look like I could remotely have a relative in Singapore with an obviously Dutch last name?"
Spammer: "We are looking for a God fearing man to help us release the funds."
Me: "I worship the dark lord Satan is that ok?"
Oddly enough they never replied...
Hee Hee The drinking bird does all the work!
Really? Tell that to all the critics raving about Firefox, Amarok, and OpenOffice.org, among others. I don't have to list my satisfaction points with these products here because they'd only be repeats of what others have said. If you're curious, look up the testimonials. The devs of these projects are fighting fire with fire. They're releasing a technologically superior (arguable for OO.o, I know) product for free. What's not fiery about that?
As for gaming, plenty of us don't use Windows because we don't use our computers for gaming. There are plenty of fun games that are native to the Linux platform, but I rarely play them because my computer is for getting things done, not putting off the things that need to get done. I have a PS2 for games. For everything else, including the simpler install (Ubuntu install is 300x easier than Windows to install) and the simpler, more intuitive UI (I didn't much care for GNOME until I actually tried using it - It really rocks) Linux is more than sufficient, and has become the only OS on my desktop and the "98% of the time" OS on my dual-booted lappy.
But above all, use what works for you. If you don't like Linux, don't use it. But I will warn you: *nix is becoming more and more prevalent. Just this year, my school replaced all its public terminals with Sun workstations. You can complain about lack of support for games all you want, but you'll eventually be forced to use something other than Windows.
Microsoft maintains their own database of phishing sites and they are focused on reducing false positives. It is still relatively new.
If a bank is falsely blocked by Firefox they will simply tell users to use IE.
If IE falsely blocks a bank site they would simply sue Microsoft.
Both browsers still have a margin of error of 20-40%. While IE blocks some that Firefox misses, Firefox blocks some that IE misses. Firefox is doing better, but I wouldn't say they are winning yet.
Half of writing history is hiding the truth.
With IE7, the user is asked upon installation whether he wants to allow the browser to auto-check all Web sites against a Microsoft database.
Firefox's default setting, in contrast, uses a blacklist of known phishing sites that is stored on the user's computer...
To me, sending all my URLs to Google or Microsoft is equally problematic. I do see the usual yada yada on the M$ blog, but it's not thrilling to know that -- "We use the data to make the Phishing Filter service better and constantly improve the level of accuracy in our result..."
If you assume that IE7 and Firefox assembled their phishing lists independently (maybe that's a bad assumption), the fact that one misses 117 and the other misses 243 can be used to estimate the total number of phishing sites out there. You need to know the total number listed by each browser first though; I didn't RTFA so I can't calculate it for you, but I leave it as an exercise for the ambitious \.er
David W. Hogg -- assoc prof, NYU Physics
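The estimate the comment leaves as an exercise, worked here as an added derivation (not part of the original post) with the Lincoln-Petersen capture-recapture estimator, under the independence assumption the commenter flags as questionable. Let $a = 243$ be the sites only Firefox blocked, $b = 117$ the sites only IE7 blocked, and $m$ the sites both blocked; the story gives $a$ and $b$ but not $m$, which is exactly the missing "total listed by each browser" (since $n_F = m + a$ and $n_I = m + b$). With independent lists the overlap fraction estimates the coverage of each list, giving

$$\hat N = \frac{n_F\, n_I}{m} = \frac{(m + 243)(m + 117)}{m} = m + 243 + 117 + \frac{243 \cdot 117}{m},$$

so the number of live phishing sites missed by both browsers is estimated as

$$\hat N - (m + a + b) = \frac{243 \cdot 117}{m} = \frac{28431}{m}.$$

An overlap of $m = 500$ sites, for instance, would put about 57 sites beyond both filters; an overlap of 100 would put about 284 there. The estimate is only as good as the independence assumption: if both vendors feed from the same takedown reports, $m$ is inflated and $\hat N$ is biased low.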
Since when does being a non-profit organization prevent something from being "name brand"? The Red Cross is as high up on brand recognition as you can get, and it's an NPO. Firefox has more name recognition than Opera, thus it is a name brand. Opera is a well recognized name in web tech circles, but you have a lower chance of finding a random Joe Shmo on the street that recognizes that name vs. Firefox. This is not a bash on Opera by any means; I am more often turned off by brand name hype.
Clones are people two.
You know, when I hear "wailing fanboys", I don't think FF or IE. Those people are fairly composed and sane.
The proponents of certain other browsers, however...
The phishing detection was the first thing I turned OFF in _both_ browsers.
You neglect the primary reason for this phenomenon; the Open Source community actually listens to the users when a new version is released.
Cutler Beckett: I'm listening...
[Elizabeth aims a flintlock pistol at Cutler's head and pulls the hammer.]
Cutler Beckett: I'm listening intently.
And now for something completely different.
Hours and hours of Armagetron, Nethack, Linux Racer and Abuse, eh? The story goes that Linux will become a gaming platform when the Linux community actually starts paying for the games. Pity that Loki isn't still around; alas, they were before their time. I wonder who takes-up the baton now? Transgaming? Their support is laughable (by comparison) and many simple questions go completely ignored. Unlike Loki, they only support a platform of compatibility, not a movement of straight-porting to Linux-kernel architecture.
Still, plenty have made the jump and are doing best they can with compatibility.
Well said. So very freedom-of-choice of you. But then...
Ha ha! Irony!
Many in this community would be quick to point out that we are a "nation" who believes in the choice of the individual. That is the primary reason any form of Linux is in the home and not locked away in large, expensive schools and research corporations.
Appreciate the reason that people use Window$; it comes ready-to-go. Despite the fact that it only remains in that state for a few days, the "out of box experience" cannot be denied.
Nobody is really forced to use Windows; likewise, nobody will ever be "forced to use something [else]". Our choices are guided by the Market, and the Market favors M$. It's a plain truth in business, but it's also a plain truth that no one power in the Market can withstand the attention forever. Goliath will fall.
IE7 has already pissed me off to no end. I have customers who benefit from my web design. The measures of "protection" and "security" in IE7 have kept me from presenting updated content, or previewing new drafts, because the page is not "aged enough" or is "untrusted". Why would we want a product that treats the world as suspect but is ready to consider its "home" domain a trustable resource? Call it what it is! It's a "blacklisting" product, and it doesn't even follow "whitelisting" protocols; for sites that are entered as trustworthy are still denied due to some black-box programming that is "included for our safety." FUD indeed! Feh!
This post © Copyrite Duggeek, all rights reversed.
...how about letting people use their fucking 1500 g of gray stuffing located about an inch below their hair ?
--
I know, I know... I'll be flambaited from here to eternity for telling the bloody truth.
I did my own small experiment with a phishing email that came my way. You can see the results here:
FireFox 2.0, IE7 both fail phishing test
plus linked posts. FireFox was better than IE (but not much better on its default settings); but in both cases there was a delay of several hours before the filter worked. I imagine the effectiveness of a phishing attempt tails off rapidly after its first appearance, so the delay is critical.
I also worry about the false reassurance folk may get from a site appearing to check out OK in these phish-sensitive browsers.
Tim
You do realise that by not using Linux, and not paying for games on Linux, you are helping the situation perpetuate itself. There are few games for Linux because there are few gamers running Linux. Anyhow, back to a round of Nexuiz.
Why not let a scientific security research group like ISECOM (www.isecom.org), who is completely impartial, review the test case and the result data before publishing such stuff? As it is now, you can't really know whose test to believe.
It has always been suspected that Firefox would outrun IE7 in the anti-phishing department. If IE7 delivered so many false positives at a certain point, you can only imagine how many false negatives it delivers. Anti-phishing filters are only for ignorant people and only ignorant people use IE. IE is actually insulting its users with the huge scene they are making with their anti-phishing scanner. It's effectively telling the user: "Don't worry, I know you are stupid, so I will protect you against phishing attacks, because I know you can't use common sense; people with common sense never use me." In Firefox it is a completely different case. You don't even know about the filter working in the background. I bet IE makes browsing slow with their anti-phishing filter. http://cybertopcops.blogspot.com/2006/10/internet-explorer-7-rc1-flagging-sites.html
http://cybertopcops.blogspot.com/2006/07/smelling-hoax-mile-away-by-using.html
www.cybertopcops.com
I find this incredibly hard to believe. In my experience IE7 has always been better at detecting (and blocking) Phishing Sites. Then again, that's just me.
http://sohilsblog.blogspot.com
Some other thoughts:
/dev/random existed for a long time, and when someone actually wanted to analyze it (horribly written), he got no help at all from the developers. After managing to determine what it was doing, and seeing that it relied on security through obscurity, it's possible to understand that open source does not mean "many pairs of eyes are looking for flaws".
/usr/bin/strings -- isn't installed. And the package system there stinks. I had no idea what package provides stuff like strings, and there's no way to say "Here's a filename, which package owns it".
1. Flaws in
2. Just because something is open source doesn't mean it's fixable. The flaws/bugs in open office are huge. To try to fix them? First I'd have to learn a brand-new windowing system (I've never written a line of X in my life). Second, I'd have to learn the inside guts of a major big programming environment that has probably been repatched repeatedly through many different versions and could use a big re-write. Third, I'd have to say that spending however many hours this would take was more valuable to me than X, Y or Z -- the things I'd have to give up.
Fixing bugs occurs when the cost of those bugs, compared to the value of the time it would take to fix them, falls within a favorable range compared to purchasing a bug-free product off the marketplace. That's a very narrow range -- too much of my time, and I either purchase (if I have a good income/my time is valuable), or do without (if I have to give up many other things).
Who finds it cheap to fix these things? The developers.
3. Open source people listen? I'm sorry, how often do you find a "submit idea to developers" link in a program? Bug tracking? Firefox, as an example, wants me to download and test the latest nightly build of Mozilla, and only submit the bug report if it's not in Mozilla, but only in the Firefox user interface system. That's easy? That's friendly?
4. Ubuntu being easier to install than Windows? Err, you must have installed a different version of Ubuntu than I did. I installed the June 06 release of the server system -- I took the LAMP option because my client needed a web server.
I had to go back and install, and manually configure, with no aid of any kind, **everything** -- the multiple ethernet connections, time server, DHCP server, samba, etc -- EVERYTHING defaults to not installed. Worse, even some things that I consider basic stuff --
Easy to use? The command line package installer doesn't install recommended packages, at all. The graphical one will default to installing them, but won't tell you why a given package is being installed, and the install for samba turned out to be horrendously huge -- it turns out that besides required, and recommended, there's "suggested", which was a no-no, that defaulted true.
Easy to use? There's no good way to find out what isn't installed. There's no tool for automatically updating the init.d script links, at least not that I could find (probably in some package that didn't install). The last time I installed from scratch, Red Hat 7 had a nice configuration tool for controlling all the main parts of the system -- kinda like the Windows control panel. Granted, it was a first version -- it didn't work properly if a panel was larger than the screen (no scroll bars), but it was a mostly functional, working system.
5. Games? Give me a QEMU system configured so I can easily load either a free DOS (for older DOS games), or install my Windows CD (for Windows games). Configure it to run as an unprivileged user (since Windows is so inherently insecure), etc.
Or heck, just make it easy to install that on my own. Can I get a copy of QEMU for my system? Sure -- there's a native port for Mac OS X. But there's a huge difference between "This will work, if stuff is installed", and "Here's a step-by-step of how to install NeXTSTEP", but nowhere is "Here's how to run your old DOS games"; nowhere is "This is what you do to install Windows".