

Firefox Security Head Says Microsoft Obscures OS Holes

theranjan writes "When a Security Strategy Director at Microsoft decided to compare Internet Explorer security vulnerabilities with those of Mozilla Firefox, he may have forgotten that the Head Security Strategist of Mozilla was a former MS employee. In a rebuttal of the study, which finds IE more secure than Firefox, Mozilla said that the number of vulnerabilities publicly acknowledged was just a 'small subset' of all vulnerabilities fixed internally. The vulnerabilities found internally are fixed in service packs and major updates without public knowledge. 'For Microsoft this makes sense because these fixes get the benefit of a full test pass which is much more robust for a service pack or major release than it is for a security update. Unfortunately for Microsoft's users this means they have to wait sometimes a year or more to get the benefit of this work. That's a lot of time for an attacker to identify the same issue and exploit it to hurt users.'"


  1. Well Duh! by suso · · Score: 4, Insightful

    I mean come on, if they said they had no security holes, nobody would believe them. If they released too many security holes, their stock would go down. So they have to find a happy medium.

    1. Re:Well Duh! by j.sanchez1 · · Score: 4, Insightful

      I mean come on, if they said they had no security holes, nobody would believe them. If they released too many security holes, their stock would go down. So they have to find a happy medium.

      So do you agree with them in their belief that their stockholders are more important than their paying customers?

      --
      Speedy thing goes in; speedy thing comes out.
    2. Re:Well Duh! by suso · · Score: 4, Insightful

      So do you agree with them in their belief that their stockholders are more important than their paying customers?

      No I don't. I think that's a major flaw with publicly traded companies and is one reason why I never want my own company to go public.

      This is also one great thing about OSS, it doesn't have to appease to money for the most part. The other half for open source is probably reputation, but it's the status quo to release vulnerabilities so it's not as big of a deal.

    3. Re:Well Duh! by rolfc · · Score: 3, Insightful

      Of course they are. The idea of the company is to make money, not to make happy customers.

    4. Re:Well Duh! by rudy_wayne · · Score: 3, Insightful

      "The idea of the company is to make money, not to make happy customers."

      Too many people forget that without customers, there is no money and there is no company.

    5. Re:Well Duh! by rolfc · · Score: 5, Insightful

      That is not correct for monopolists, scammers and others. Happy customers is one way to make money, but it is not the only one, and certainly not the most lucrative.

    6. Re:Well Duh! by Anonymous Coward · · Score: 2, Insightful

      Don't you think that more happy customers would mean more money to Microsoft's bottom line?

      No, as long as unhappy customers keep paying, because either: 1. They believe the alternatives are too hard to learn, or 2. Their games only run on Windows, having more happy customers won't change a thing.

      It's not like happy customers pay more for Vista than unhappy customers.

    7. Re:Well Duh! by ePhil_One · · Score: 5, Insightful
      So do you agree with them in their belief that their stockholders are more important than their paying customers?

      And how do paying customers benefit when MS reveals unknown security holes in their products, even after they are patched? It's already believed the unsavory element reverse engineers MS patches looking for ways to exploit vulnerable unpatched systems, so how does MS flagging a patch as "fixes unreleased security vulnerability X" help anyone, including Linux users? By increasing the size of botnets?

      The problem isn't MS hiding its vulnerabilities, it's a fundamentally flawed analysis. No proprietary software company airs its dirty laundry the way open source does; there's no benefit to it. The comparison was apples and oranges.

      --
      You are in a maze of twisted little posts, all alike.
    8. Re:Well Duh! by morgan_greywolf · · Score: 5, Insightful

      This is also one great thing about OSS, it doesn't have to appease to money for the most part.

      I'm sorry. Anyone looking at my post history, personal link, etc., will notice that I'm an open source author in particular and a big advocate of Free/Libre/Open Source Software in general. But this statement just doesn't make much sense.

      When companies invest money, features get added -- features that benefit the company investing the money. For example, there's Google's Summer of Code. And the money that Google invests in the Mozilla Foundation. What's the default search engine in Firefox? Oh, right, Google. What page does Firefox go to by default? A special Google/Firefox start page. What searches are in the default bookmarks? Google's.

      And then there's the fact that open source software authors sometimes work for companies that demand certain things get added... like Andrew Tridgell of Samba, who works for IBM's storage division. There's lots of stuff in Samba for IBM's NAS solutions.

      Yes, open source authors definitely listen to their users...but they also know which side of their bread gets buttered.
    9. Re:Well Duh! by Anonymous Coward · · Score: 1, Insightful

      Even monopolists such as Microsoft will one day have to answer to their customers. Only scammers dodge this: there will always be stupid people.

    10. Re:Well Duh! by cheater512 · · Score: 2, Insightful

      The point of TFA was that these hidden security flaws are only released to the public in service packs in big but rare packages.

    11. Re:Well Duh! by Calinous · · Score: 3, Insightful

      As AT&T answered to their customers? Or take any other monopolist, and see how they one day answered to their customers.

      Monopolies answer only to the government, and in these times the US government doesn't seem to want answers from Microsoft.

    12. Re:Well Duh! by Almahtar · · Score: 2, Insightful

      This is also one great thing about OSS, it doesn't have to appease to money for the most part.

      vs.

      This is also one great thing about OSS, it doesn't tend to appease to money for the most part.

      Big difference. I think you responded to the latter, not the former. Yes, money impacts open source, but the difference is that open source projects can always choose not to listen to the money -- or get forked. You can't just fork Microsoft the moment their shareholders get annoying.
  2. More vulnerabilities fixed != worse sw by redscare2k4 · · Score: 5, Insightful

    Is it just me, or does Microsoft's report (PDF available in the article) just say "Firefox fixes more problems than we do, so that must mean their software has more errors"? That's just a piece of crap. That only means that Firefox makes their vulnerabilities public or, worse for MS, that the Mozilla team fixes things while MS just keeps IE vulnerable. Counting bugs means nothing. It's the overall quality and how fast those critical bugs get fixed that counts. And IMHO Firefox still has a nice edge over MS.

    1. Re:More vulnerabilities fixed != worse sw by jollyreaper · · Score: 4, Insightful

      Is it just me, or does Microsoft's report (PDF available in the article) just say "Firefox fixes more problems than we do, so that must mean their software has more errors"? That's just a piece of crap. That only means that Firefox makes their vulnerabilities public or, worse for MS, that the Mozilla team fixes things while MS just keeps IE vulnerable. Counting bugs means nothing. It's the overall quality and how fast those critical bugs get fixed that counts. And IMHO Firefox still has a nice edge over MS.

      The American cattle industry has very few occurrences of Mad Cow Disease compared with British firms. American firms also test as little as possible, but that's just because our cows are so damn clean. By extrapolation, Microsoft must have clean cows.
      --
      Kwisatz Haderach
      Sell the spice to CHOAM
      This Mahdi took Shaddam's Throne
  3. Not the first time... by Bert64 · · Score: 5, Insightful

    Microsoft have frequently used biased methods for "security comparisons"...

    They have compared the published vulnerabilities between windows and various linux distributions, when the same applies as discussed in this article - issues found internally may or may not be fixed, but are not disclosed to the public.

    Also many linux distributions typically include a massively larger set of packages than windows does, a distribution such as debian or gentoo supports more packages than microsoft do across their entire product line.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  4. Whole section of the report not covered by ta+bu+shi+da+yu · · Score: 5, Insightful

    I'm surprised that Snyder ignored a crucial argument in the PDF: that Microsoft supports their products for a lot longer than Firefox. He didn't rebut that point, which was actually pretty reasonable. I'd be interested to see what he has to say about that. In this regard, Microsoft seems far ahead of Mozilla.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Whole section of the report not covered by -noefordeg- · · Score: 3, Insightful

      I don't agree.

      Since you don't pay for Firefox, there is really no reason not to upgrade.
      With MS you have to pay for EVERY new version which is released. In my world that is kind of a huge difference. And if you are just talking about IE, well, you really shouldn't be using old versions anyway... :)

    2. Re:Whole section of the report not covered by ArtDent · · Score: 2, Insightful

      The simple answer would have been that even Firefox's major versions are non-disruptive. Microsoft seemingly can't deliver a new version of IE without changing the way they think the Internet should work.

      I work at a large corporation with two standard supported browsers: IE and Firefox. When IE 7 was released, we received an e-mail warning us not to upgrade, as doing so would break critical applications. Similar thing with XP SP2. New releases of Firefox just get pushed out without problem.

  5. Pot, kettle, black by Anonymous Coward · · Score: 1, Insightful

    I'd accept this from anyone but a Firefox security head. Firefox is well-known for not fixing long standing bugs and issues (including some security holes) for years. Don't believe me? Just check Bugzilla.

  6. Re:Anybody surprised? by mh1997 · · Score: 3, Insightful

    MS products never were the best on the market. They just convinced enough people to buy cheap at a crucial time.

    I don't think MS ever tried to be best in their software. I think they just wanted to be the standard in software.

    Prior to MS, there were several flavors of DOS, preventing different brands of computer from talking. There were 10 or so major players in the word processing market, preventing organizations from sharing documents from one sector to another, not to mention different companies. They, and other companies, ripped off VisiCalc and the desktop graphical user interface, but none were compatible with other brands.

    MS came along and everyone could talk, and thanks to IBM, run the same programs on any brand of computer.

    I think MS modeled itself after McDonald's. Want a good hamburger go to a good restaurant. Want a hamburger that will satisfy your hunger, taste ok at best, but most important, be exactly the same all over the world, go to McDonald's.

  7. Ah, the wonder of Slashdot moderation by Sockatume · · Score: 1, Insightful

    So, you've been modded +3 Informative for what is obviously a joke on the first reading, and is even more obviously a joke on closer examination. How's that feel?

    --
    No kidding!!! What do you say at this point?
    1. Re:Ah, the wonder of Slashdot moderation by explosivejared · · Score: 2, Insightful

      It scares the life out of me. I hope to God that no one actually took that seriously. I sincerely hope that that Informative mod was a sardonic joke in and of itself.

      --
      I got a catholic block.
  8. Their Stockholders ARE the customers by tbg58 · · Score: 2, Insightful

    The people and companies who actually purchase software are just revenue units. Their real customers are the stockholders. That's who they're beholden to. The folks who buy software have been commoditized. We haven't been the customer for some time, and this inevitably leads to crass disregard of the purchaser of the good or service of a company in favor of the stockholder. This is a fundamental economic shift -- commoditization of purchasers and re-identification of "the customer" as the stockholder, and it has predictable consequences in the attitude of a publicly traded company toward the people who spend money for whatever they sell. It's also one reason why many publicly traded companies, M$ among them, may well be dinosaurs.

  9. Re:Anybody surprised? by miffo.swe · · Score: 3, Insightful

    "Prior to MS, there were several flavors of DOS, preventing different brands of computer from talking."

    No, there wasn't prior to MS. The several flavours came about after MS started selling DOS. Most of the other flavours were much better than MS-DOS. NCR DOS 3.2 was the best DOS version of them all because of all the bug hunting NCR did on it. MS-DOS was a dead dog in comparison; the funny thing was all MS apps ran much better on other DOS versions than on their own. Hence the need to artificially make Windows not work on any other DOS than MS-DOS, which sucked big from day one up until it was dropped.

    Sharing documents was no problem, anything external was sent in .txt mode. Formatting was for when you printed the document, not for just reading it as it has become today.

    MS came along and anyone who had MS-DOS and Microsoft Word (the same version as the one the other party had) could communicate. That's not an improvement, it's just a de facto standard.

    It's a big insult to McDonald's to compare them with Microsoft. Should McDonald's be anything like MS, I wouldn't dare to eat there ever. Actually McDonald's has very strict QA and an extremely well functioning organization.

    --
    HTTP/1.1 400
  10. Because they can make informed decisions by shis-ka-bob · · Score: 5, Insightful

    how do paying customers benefit when MS reveals unknown ...

    Central to any theory of efficient markets is the assumption that both consumers and producers can make informed decisions free of coercion. If the consumers do not have information, they cannot make an informed decision. Companies are not generally obliged to share all information about their products, but they are prohibited from intentionally deceiving customers. Cigarette makers were not sued because cigarettes cause cancers, but because they had determined internally that cigarettes caused cancers and they then made claims to the contrary. That is, they intentionally deceived both the consumer and the regulatory agencies.

    By analogy, Microsoft can say 'we build secure software' all day long. But if they claim, 'we develop more secure software than our competitors' they open themselves up for liability IF it is determined that they are making claims that they know to be false. In this case this seems to be hypothetical. But it is a testable hypothesis. And after reading the internal memos made public in Combs v. Microsoft, it is a quite plausible hypothesis.

    --
    Think global, act loco
  11. deserved reputation ... by tiananmen+tank+man · · Score: 2, Insightful

    True or not, this is the reputation the Texas Department of Science Education has given itself.

  12. Re:Aha! by mpe · · Score: 2, Insightful

    Yes, as long as it is the Adam Smith variety of free market. Once you get monopolies, the invisible hand goes *poof* and you no longer have a free market.

    Also once this happens it is difficult for a free market to re-assert itself.

    I personally believe we could throw out 999 out of 1000 laws and regulations and have a happier healthier economy and society. For instance, I would throw out all business licenses and the associated regulation, such as health inspections for restaurants; that's how much I distrust regulation and how it distorts the free market.

    Sometimes such regulation is actually used to protect the interests of established businesses in a market, far more than any intent of protecting customers.

  13. Re:Aha! by gaspyy · · Score: 4, Insightful
    It's not just monopolies.
    The free market model operates on several key principles:
    • a very large number of sellers;
    • a very large number of buyers;
    • completely transparent and complete information;
    • all agents (buyers and sellers) act independently

    It's not difficult to demonstrate that in the real world, these things don't happen.
    You have monopoly or monopsony (look it up) situations; Very rarely the buyers are informed; cartels and herd-like behaviours further alter the model.

    In the end, the free-market model, which is based on the supply-demand equilibrium, is all fine and dandy on paper. In reality, a completely deregulated market is a utopia, just like the communist ideal was a utopia.

    I know there are many libertarians on Slash, which is mostly an American thing; not being an American, my view may seem unpopular...
  14. Prove It by ThinkFr33ly · · Score: 2, Insightful

    He offers no evidence to back up his claims.

    Attacks on other software packages, including Office and Firefox, have risen dramatically. If Windows and IE were still so easy to exploit, why would that be the case?

    What this suggests is that hackers are having a harder and harder time exploiting these more traditional attack vectors. If there was such a huge library of holes that Microsoft patches silently, one would think that those would continue to be a great attack vector, and hackers wouldn't bother researching other vectors.

    One could surmise that the bad guys just don't happen to know about these stealth-patched holes, and that's why they're turning to other attack vectors.

    But guess what: if the bad guys don't know about them, they do no damage. Security through obscurity works great if the holes stay hidden. And, as I mentioned before, it appears that they are staying hidden, if they exist at all.

    This guy has great motivation to make shit up, as does Microsoft. I know virtually everybody here will assume he is telling the truth, but that's an assumption. There is no evidence to back it up.

  15. Re:Aha! by innerweb · · Score: 2, Insightful

    For instance, I would throw out all business licenses and the associated regulation, such as health inspections for restaurants;

    I work in the food industry, as a manager (one of two lines of work I do). I do not want an unregulated food industry. Do you have any idea how many people would get sick and/or die from bad food products or unsafe environments? Do you have any idea how many have in the past? I also have worked closely with the health care side in many projects involving pathogens. Do you remember the issue with China sending us poisonous toothpaste? Do you remember the problems with tainted beef, or vegetables just this year? Do you know how fast bacteria grow in food? Have you ever inspected a small upstart's kitchen whose owner does not understand food safety? A vast majority of people do not!

    Do you know why it is not safe to drink the water in many countries? Or eat the food? Do you know why so many countries without regulations have so many health issues relating to flu-like symptoms, diarrhea, and other issues relating to food-borne illness?

    Do you realize how little the average person knows about food safety and communicable disease? Read this link to learn more about different potential diseases, pathogens and toxins in food.

    Even if disease were not a problem, the tendency of people to do things like selling toxic toothpaste because it is cheaper still should be a gigantic red flag. Maybe the inspectors are a little overzealous at times (I have dealt with those), but I would prefer an overzealous inspector to a lax one any time. BTW, I have never had a red and only a couple of yellows on an inspection; both yellows were quickly corrected and never repeated. Almost nothing but greens, even from the most picky of inspectors I have had to deal with. The people who work for me may think I am demanding, but we are not just talking about food quality, we are talking about food safety and the health and lives of people who probably do not want to run a risk of kidney failure, liver damage or worse because some uncaring twit decided their laziness or comfort was more important than the safety and quality of the food and the environment we serve it in.

    I have often read about how doctors are the first line of exposure in an epidemic. I disagree: restaurants and food providers are. Why? Because we are exposed to the public and all it has to offer every day, many hundreds to thousands of times more than a doctor is. A doctor only sees a patient when they are aware of the symptoms they have. We see them in our restaurants and stores first. We touch the surfaces they have touched, the money they have handled, and get sneezed at, coughed on and, believe it or not, sprayed with their saliva (ever taken an order from a sprayer?). If we do not practice the best of health care and food care, we become the carriers and the source of diseases. We (the food industry) have to know what is out there and what to look for. We have to be aware of our hand washing, surface cleaning (decontaminating) and food safety. If we let a situation develop, then you wind up with an outbreak. It has happened many times. It might be flu, or a new Legionnaires' disease. It might be indigestion or a trip to the emergency room.

    So few people I have met in the food industry are actually aware of the realities that they do things that are unsafe and spread disease. Let's face it, the average person in the food industry is not a doctor. Most barely have a high school education and many are more worried about their next house payment than washing their hands. Some out and out just do not care. I have caught people in restaurants picking their nose, using the restroom, coughing and sneezing into their hands and then not washing their hands. I have caught people leaving meat out on the counter to thaw (very dangerous), trying to serve unwashed vegetables, not keeping counter food up to temperature - sometimes as low as 110 degrees - perfect

    --
    Freud might say that Intelligent Design is religion's ID.
  16. Re:Aha! by innerweb · · Score: 2, Insightful

    Like the post above you, thank you for pointing out the overlooked/ignored obvious realities of capitalism.

    I am an American (USA variety), and I get sick and tired of the ignorance espoused by people who think the system will just work. It is so much like listening to some gibbering idiot go on about their perpetual motion device, or unlimited free energy device (or, to date, flying cars). People seem to want to totally gloss over the greed, corruption, collusion, laziness, theft, graft, bribery and other broken aspects of the system we currently live in. It is as if they believe that their own faults do not exist (let alone the faults of others). All of us are fallible, greedy, etc. to some extent. An unbridled free market is just an excuse to be allowed to do anything you want without repercussions, or at least an answer that can never be dealt with directly, as society would break down long before you achieved the model they offer up.

    InnerWeb

    --
    Freud might say that Intelligent Design is religion's ID.
  17. Re:Aha! by thirdrock68 · · Score: 2, Insightful

    How many of those problems you cite were caught by the regulators you espouse?

    I would estimate about 100,000 presenting cases of gastric distress per 6 million people, because that's how many the laissez-faire Hong Kong government does not catch per year through their non-intervention.

    Here's an example of how things would work if inspections were voluntary and run by businesses: right now inspections are done by guys with clipboards, thermometers, and subjective opinions, right? If the inspectors cared about profit, I believe that by now we would have automated real time inspection systems possible, where sensors in kitchens would monitor for rats, roaches, warm refrigerators, cold meat, etc. That would be a much better health regulator than unannounced once a year inspections by inspectors susceptible to bribes and favoritism.

    Great, you just raised the barrier to entry for the restaurant business by 50K. Well done genius, now only large corporations can supply food service. Or were you suggesting that the taxpayer pick up the bill for all your sensors?

    No government bureaucrat would ever put up with such a system, as it would reduce the size of his empire. Profit driven businesses would, for it would reduce their employee count, increase their profits, lower their prices, enhance their reputation with the public, and grow their business.

    Bollocks. Employees are cheap, capital is expensive. How would taking on another 50K of debt per restaurant increase profits? Or lower prices? How would the public know what goes on in the kitchen? They don't now.

    All those laid off inspectors would now be available for productive work.

    Maybe they could go and work in the hospitals dispensing treatments for diarrhea, gastroenteritis and food poisoning. Or working for the pharmaceutical companies that make these treatments?

    Do me a favour pal, keep your fucking stupid ideas out of my city OK? I like eating out at restaurants.