State of Colorado Calls Firefox Insecure, IE6 Safe
linuxkrn writes "The State of Colorado's Office of Technology (OIT) has set up a work skills website. The problem is that the site says 'DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk.' (Original emphasis from site.) If the leading IT agency for the State is making these uneducated claims, should the people worry about their other decisions?"
The Education Property has been increased to 128 characters due to popular demand.
That is all.
I'd be writing a nasty email right now.
Give me Classic Slashdot or give me death!
something I made back in middle school with Frontpage. Credible sources spouting uneducated banter about things they SHOULD know about and having a website look like THAT? They should be ashamed.
Well, I'm impressed. I tried to send them a message telling them that they're morons. (Though in a more polite manner.) They got right back to me with this message:
I love how the site is:
A) Being run off of someone's desktop. Out of their My Documents folder, no less.
B) Gives up the username of the machine without so much as a "how do you do"
C) Shows the world that our amazing admin can't even hack it at C#
I should check the IIS version. I have a sneaky suspicion that it's not up to date. Or maybe take a cue from Bobby Tables and throw some SQL injection attacks at the site. :-/
Javascript + Nintendo DSi = DSiCade
I'm from Colorado. Most of the time I feel the State Government here is on crack. If I write them an email using Thunderbird, I wonder if it would be rejected because it didn't come via Outlook?
They would say that, the site is written in ASP.NET.
What do you expect from a state who uses 128 characters to describe a prospective hire's education?
The Education Property has been increased to 128 characters due to popular demand. Thanks for your patience.
It seems that the OIT can't even get a .Net application to properly handle feedback. Upon submitting, I get "Server Error in '/SKILLS' Application. Object reference not set to an instance of an object."
That really instills confidence in their 'decision'!
If not, then I'd be a little annoyed if I had to use the site. If it does, then what's the problem? Just ignore the notice and go about your business.
Seriously, is this the kind of "news" that passes as a slashdot article now?
It has been decided
I wonder who decided that? Does their name start with 'Micro' and end with 'Soft'?
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
... has an answer to "Why is the sky blue?". It's mostly right, without being informative at all. Of course, I saw that with Firefox, so maybe it'd have been a lot better of an answer if I'd used IE 6+.
Must use IE. Windows is unsafe. FF is not.
Head asplodes.
Absolute power corrupts absolutely. indymedia
And while you're there, don't use OS X, Linux, iPhone or anything other than windows to access this site, because they're all unsafe because they don't use IE6.
For all we know, there's been a piece of malware in a Firefox add-in or something and their concern is valid. Benefit of the doubt.
Comment of the year
He decided.
From their FAQ: "Can I use Firefox or another Browser? No! For security reasons, and some significant processing issues as well, the only supported Browser is Internet Explorer Release 6 or later." I suspect the processing issues are the real reasons and they are trying to scare people into not using Firefox so they don't get the phone calls about their site not working.
Email:
oit@state.co.us
Phone:
303-866-6060
Fax:
303-866-6454
US Mail:
Governor's Office of Information Technology
1580 Logan St., Suite 200
Denver, CO 80203
Well, they're mostly wrong, but partially right. All things considered, the biggest security risk isn't the web browser used, it's the incompetent organic mass between the keyboard and the chair.
It still amazes me how many people really think they're the 1,000,000th visitor to a site, and that they've actually won something because of it.
I'm the Devil the Windows users warned you about.
I love seeing statements like this from nominal authority figures.
'Look on my works, ye Mighty, and despair!'
http://www.colorado.gov/cs/Satellite?c=Page&cid=1165692953912&pagename=OIT-New%2FOITXLayout
oit@state.co.us
-- There is no truth. There is only Perception. To Perceive is to Exist.
"Questions and Answers"
"Can I use Firefox or another Browser?"
"No! For security reasons, and some significant processing issues as well, the only supported Browser is Internet Explorer Release 6 or later."
"What if I have a Skill that isn't listed?"
"The "Suggestion" tool enables you to communicate directly with the Administrators. We will research your proposed Skill with your input and agreement."
I'd like to learn how to make web pages. Think I might see if I can tap these guys' expertise. Anyone else fancy coming along?
Mozilla is an actual bona fide business allied with google among others, and as such I hope they sue the living snot out of that agency for making such a public claim. This sort of thing is no freakin joke. If they do, I would be interested to see what comes out in discovery with the actual human bureaucrats involved in setting this policy and posting that.
So IE was the more secure browser all along! Why didn't I see this twist coming?! Everyone stop using Firefox NOW! Mozilla are lulling us into a false sense of security!
Come back IE, all is forgiven...
For all we know, there's been a piece of malware in a Firefox add-in or something and their concern is valid. Benefit of the doubt.
Except of course Microsoft would not even try to claim IE6 is more secure than Firefox. Heck, for all you know someone has a piece of malware in an ActiveX plugin. (Which is a lot more likely than your scenario.)
So now Colorado thinks they're smarter than the feds?
Not long ago the DHS said to avoid IE and use firefox for security reasons.
http://www.google.com/search?q=dhs+avoid+ie
Isn't it a little early for an April Fool's joke? If they're serious, then they must have been smoking something really good.
me like hockey
I'm not crazy. I prefer the term "alternatively sane".
So perhaps there is an issue with Firefox vs the known issues with IE6.
That seems like some crappy logic there slick.
It's almost inevitable that the private sector is going to get better (read: more qualified, more motivated) employees than public agencies. There are any number of reasons for this, but here are a couple, in no particular order:
Lack of positive motivation. Government employees are not driven to innovate or excel, in fact quite the opposite. Usually any "boat rocking" is severely frowned upon and "not invented here" syndrome was indeed invented there. When the excellence is recognized and rewarded the same as the mediocrity, eventually everyone sinks to the LCD.
Lack of negative motivation. Basically, a government employee is on the dole. Because of union protections and government policies, these people cannot be fired, even for cause, without jumping through a series of hoops that only a lawyer could love. (See California's recent budget crisis as an example: even when the State COULD NOT PAY they were not allowed to lay anyone off) When someone can sit around and screw off without worrying about consequences, all too often they will.
Mindset. People who take government positions tend to value stability over all. This is the type of job where you won't get rich or become well known, but you'll also never get laid off or have to take risks.
You can almost see the little wheels turning inside a State employee's/sys admin's head: "Nobody ever got a promotion for choosing something new and better--Nobody ever got fired for choosing IE--Firefox is 'risky' "
Nothing to see here. Move along.
http://www.coworkforce.com/Skills/faq.aspx
one of the FAQ's is why is the sky blue
also note the radio buttons for the questions.
Based on the look-and-feel of the site, and the great error message (already posted by someone else) if you try to send them feedback- I'd say they are completely uneducated.
It honestly looks like the site was done using the first version of FrontPage, on a very-poorly configured IIS that appears to be running on someone's desktop.
The really sad thing is this is supposed to be for the Colorado State "Office of Information Technology". I live in Colorado, and this is REALLY embarrassing.
Altitude sickness.
and will be voting out Ritter as long as the neo-cons are not run again.
I prefer the "u" in honour as it seems to be missing these days.
http://oitplaza.colorado.gov:8080/oitplaza is unresponsive. (link taken from their "Home" link...)
Seems they don't know how to layout it for firefox ..
MUST.. not.. RESET.. everyone's PASSWORD for.. THEIR.. EID..
Hey don't blame me, IANAB
This does kinda seem obvious since they have "Why is the Sky Blue" listed as a FAQ question of all things.
"Our country is not nearly so overrun with the bigoted as it is overrun with the broadminded." -Archbishop Fulton Sheen
While it doesn't look like this is why Colorado is trying to discourage people from using FF, there are some big reasons why it's difficult to securely deploy FF in organizations.
Namely, the fact that Mozilla *still*, for some amazing reason, refuses to release an official MSI version of Firefox. Even though it's one of the most requested features/changes. Yes, I'm aware that there are a few third parties that repackage Firefox as an MSI. But if they ever want Firefox to be adopted by larger organizations they have to make it easy to deploy and administer an official version of Firefox. Without an MSI, there is no easy way to update Firefox on a large number of computers without going from computer to computer and logging in as an administrator. That's an unacceptable solution in most organizations (at least ones that have a clue and don't give all users local admin rights).
Every time you post an article on Slashdot, I kill a server. Think of the servers!
What's bad is that you managed to single-handedly introduce the amazing admin to the slashdot effect.
Because several million compared to several million isn't 'tested and tried'
have an aura of being more secure than ie or microsoft, simply because they have been tested less than ie or microsoft, simply because they have less market penetration, and therefore less hackers aim their minds at firefox or mac than at ie or microsoft. in other words, ie and microsoft are more "battlehardened" than firefox or mac
if you were a general in a war, and you had to choose between two guns, and
gun #1: backfires and kills the gunman every 1,000 rounds, as proven by solid combat use
gun #2: backfires and kills the gunman every unknown number of rounds, unproven in combat use
you tend to choose gun #1. because you are a GENERAL, which is a type of bureaucrat, which is a person who is extremely conservative and careful. you are not the r&d department
this is the thinking of the bureaucrats in colorado, who, like all government figureheads, are extremely conservative careful and slow on the uptake. as they SHOULD be. it is not the job of government to suggest the less battle tested. that is your job
just make sure you have enough wisdom that you don't expect a bureaucrat to act like a progressive. sorry, not in the job description. you will nowhere on the face of this earth find a government mandarin who is risk taking and countercultural and daring in their thinking
therefore, the error is not in the official word of the state of colorado. the error is yours: expecting a government figurehead to be a progressive influence
Mod Parent up +1 insightful
"The stupid neither forgive nor forget; the naive forgive and forget; the wise forgive but do not forget." -Thomas Szasz
Part of my day job consists of administering a small Active Directory domain (25 nodes). And of course I can craft all sorts of nifty GPOs to control the behavior of IE on the clients within the domain. So, from that point of view, one might be able to argue that IE is in fact "more secure". Or, more controllable, perhaps.
Now, I'd personally prefer to have FF on all the clients and have FF controlled via a GPO, but to my knowledge that is not possible. If it is, someone please point me in that direction.
The correct comparison would be this.
Gun #1: Kills each and every gunman when they don't expect it. You are not even pressing the trigger. But you sure as hell do know they kill the gunman.
Gun #2: You know that a gunman can be killed once in a while, but when it happens somebody will deliver you with upgraded guns preventing it from happening again in a small amount of time.
TY, I'll keep FF
Not only is the site horribly broken, poorly designed, etc. The home link goes somewhere that doesn't exist.
The feedback form is broken and there isn't a working email address anywhere to be found on the site.
EPIC FAIL!
The only hope would be that it hasn't really gone live yet and that looks like the most probable explanation. Strip away the URL to the main server and there isn't an obvious link to /Skills/* to be found.
Democrat delenda est
Ok, so explain why apache is less exploited than IIS. It is used far more.
Your little idea is cute and has been proposed by many before, and just like then it is wrong.
Also you should investigate your keyboard it seems to be broken.
"Gentlemen, congratulations. You're everything we've come to expect from years of government training. ..." (Zed, "Men in Black")
The site does not say "firefox may not be secure" they're saying "firefox poses a security risk". One of them is a statement of fact that they do nothing to back up, the other one is an opinion which may or may not be valid, but is theirs to hold.
I wonder if what they meant was "our site looks like crap in firefox so please don't use it". Or maybe by "poses a security risk" they mean "the secret fields we spent hours figuring out how to hide behind other stuff refuses to stay hidden in firefox, so using it is a risk to OUR security".
If I have been able to see further than others, it is because I bought a pair of binoculars.
I can just drive down there and slap them in person...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Dear Microserf,
Stop smoking the shredded Vista cases and step away from the keyboard.
Because gun #1 uses non-standard ammo and parts ... so the General would say "F#%K that! I'm giving my soldiers a standardized weapon that is unproven in combat but has had great field trials and responses from combat troops in live fire exercises."
But then, anyone who does know would not entrust any kind of data to someone's unguarded desktop workstation (as opposed to, say, a firewalled server). It doesn't speak well, not just to the IE fan but also to the State of Colorado for being so cheap as to hire him in the first place and make him use his workstation as a OIT server.
Looks like they just took the Firefox derision off the page. Way to go Slashdot!
you tend to choose gun #1.
No, you requisition some guns, get manufacturers to submit bids and test their samples. Then you screw it up anyhow by not shipping cleaning kits with the version 1 of whatever you choose.
ie and microsoft are more "battlehardened" than firefox or mac
Yeah right. IE is swiss cheese and I won't use it period. FF leaks memory, but it doesn't have any serious exploits that I've run into, despite being at a probable 10-20% marketshare.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
No, no, no, you guys are getting it all wrong. Firefox does not pose a security risk, Firefox IS the security risk, you see? This setup is so screwed that a Firefox 2 browser with a handful of plugins could probably bring it down.
THAT is what they fear and warn against.
In the meantime, please feel free to use the rather benign (and broken) IE6 to your hearts content. After all, Windows products can't hack Windows servers, right?
Uh, right?
... the entire State of Colorado's network shutdown today when every machine became infected with Trojan.BHO. When asked what was the source of the rampant spread of the trojan, the network administrator was at a loss because the state only allows Internet Explorer.
In related news, Colorado has begun issuing IOUs for state income tax refunds because the entire treasury was transferred to Nigeria in what the Office of Technology has determined is a sound investment.
Don't rush me, Sonny. You rush a miracle man, you get rotten miracles.
Honestly, IE 7 is not much less safe than Firefox, and can be locked down via Windows group policy. I can understand how Firefox can be considered a security risk, as this sort of group settings changing is more difficult.
IE 6 is another story, and should be put out to pasture as soon as possible.
I'm no lover of Microsoft or IE in particular, but I can understand this decision. But please, really, let IE 6 die...
Blessed are the pessimists, for they have made backups.
The real choice is, do you adjust your battle plans to include all of your troops, or cut your force by one third?
Given what I've heard about this state from people who live there, this isn't nearly as insane as a lot of what the CO government does. Which is one reason I hope never to live there.
Message from the State Chief Information Officer
Michael Locatis, State CIO
"As the Chief Information Officer for the State of Colorado, my role is to provide the momentum and strategy for wide-ranging activities from promoting high end research and development of cutting edge technologies to creating strategies for service delivery supporting the day to day operations for the State of Colorado - thereby making a difference in the lives of the people of Colorado and delivering Governor Ritter's 'Colorado Promise'."
http://www.govtech.com/pcio/articles/386146
Colorado Gov. Bill Ritter and CIO Mike Locatis Launch IT Consolidation
Aug 21, 2008
Before his Cabinet appointment in Colorado, he was CIO of Denver, where he showed his centralization skills (and caught Ritter's attention) by consolidating 20 separate municipal and county departments into a single, citywide IT agency. It's also where Locatis learned how fragmented the state's IT systems were.
"It was while I was working in local government that the issues surrounding state IT were immediately apparent because they impacted how services were delivered at the local level," he said.
Before becoming a public-sector CIO, Locatis was the senior director of enterprise technology strategy for Time Warner Cable Inc., part of Time Warner Inc., a Fortune 50 company and the country's largest entertainment firm. Locatis honed his skills at aligning customer-service delivery systems, standardizing desktop capabilities and managing tech and support teams for huge enterprise resource planning applications.
Despite Locatis' knowledge of the state's IT systems' problems, he wasn't expecting the mammoth job he faced. "It was significantly siloed and fragmented IT delivery, which was a root cause of a lot of the issues - including inefficiencies, a lack of leveraging an enterprise approach and just about every [IT] department in the state doing its own thing," he said.
The state of colorado made attempts to be "ahead" of the curve when it came to an online presence (see also denvergov.com and the atrocity that is netfile; we were one of the first states to have online tax filing). Unfortunately they hired people who knew ass all about javascript (or proper DB handling) and no one knew enough to stop it in its infancy. Now it has snowballed into something too costly to replace and too borked to simply repair.
I imagine someone told some user that ff was a security risk, rather than go into the technical details of why the site falls to crap on browser it was never tested for. Eventually, through what I like to call "the wiki effect" that same information got passed back as fact to the current web coders who promptly put up a notice to inform their end users.
Even still, fail.
Sometimes, life itself is sarcasm...
Email template: http://www.coworkforce.com/skills/emails/email1.htm
Some kind of a translation look-up table: http://www.coworkforce.com/skills/data/wipxls.txt
Set of skills: http://www.coworkforce.com/skills/data/skills.txt
That site looks horrible. Ironically, according to the W3C's "Markup Validation Service" it has 21 errors with its HTML. Less than Google's homepage.
First, to suggest that Firefox is "unproven" is a bit disingenuous. According to http://marketshare.hitslink.com/firefox-market-share.aspx?qprid=0&sample=28, Firefox's market share is now over 20% (compared with IE's 67%). That's far from a trivial number of users, and I'm sure there are plenty of bad guys out there taking aim at Firefox. But that's all flame war garbage and irrelevant to the current discussion.
The problem is that you have a governmental organization making a vague, unqualified statement that is completely unnecessary. The site's policy should state, "At this time, we only support IE version 6 and above." There is absolutely no justification for stating that, "Mozilla based, non-IE browsers pose a security risk." (What about non-Mozilla-based non-IE browsers?) The fact of the matter is that any piece of software that interfaces with untrusted servers (that includes ALL web browsers) is bound to pose a security risk. To suggest that IE does not propose a security risk (which is implied by the FAQ statement) is intentionally misleading. And THAT is the cause for the uproar.
If I were that general, I would make sure that gun #2 was tested. Anyhow, Firefox is very well tested, and even better than IE, it is possible to see a list of every bug ever reported, which are fixed, and which are not. If I were a general, I would also know how to capitalise my sentences properly.
The Unicode standard is over 20 years old. Why does Slashdot not support it?
I meant, "To suggest that IE does not POSE a security risk is intentionally misleading." Dang typos...
I just looked at the site and I see nothing indicating that FF is insecure. In the FAQ, it does say that IE6 and later are the only supported browsers ("for proper operation"), but "unsupported" is not the same as "insecure".
The real "Libtards" are the Libertarians!
What are they basing these claims on? The number of bugs FOUND or the number of bugs FIXED? If it is the former then I can see how they may have been misled
I work in state government and this is pretty typical. Most machines are locked down to IE only. Firefox or any other browser is not allowed, and websites are designed ONLY for IE. Add in the fact that most of the people involved with IT in this state are overpaid idiots, many pages (and all web apps) won't even render in a functional way in other browsers.
Adding the parent, Firefox has something like 21% market-share in the browsing world, at least according to Wikipedia, security through obscurity might be a factor when you've got *really* low market-share, but once you get above the 10% level, if Firefox really *were* less secure, you would see more exploits directed at it. By the GP's logic, you might as well stick to using Windows 95, since most of the security flaws that exist have already been well documented, while people continue to discover new security flaws in Vista.
from the looks of it, it appears as though the State of Colorado's IT department is run by Genghis Khan....no...I don't mean the descendants of Genghis Khan....I mean Genghis Khan himself...in the flesh....or what's left of his flesh
either that or the Spartans.
The cavemen were smart enough to leave the state and do GEICO commercials.
This is the same argument I made about the MS Internet Explorer issue with the European Union. Some person at State of Colorado must be paid off by MS or has a nice cushy job at MS after his or her stint in the State of Colorado.
That person wrote the website for MS IIS so that you must use Internet Explorer and this person is spewing the "virtues" of Microsoft.
As I said before, all public websites should be written so that ALL browsers should work with it so that ALL people can participate in the digital age.
This is just another form of digital discrimination.
>>simply because they have been tested less than ie or microsof
Wrong, ActiveX is an abomination when it comes to security.
I've sent a polite email stating what was wrong with the site. Hopefully it'll be looked at.
The home link is broke among many other serious problems.
It would appear the messages about firefox being more insecure have been modified though so I guess they're either reading people's emails or they've seen this.
One of them is a statement of fact that they do nothing to back up, the other one is an opinion...
...stated as fact.
These can be insecure. In fact, some were designed as trojans. See the Vladuz saga, who cracked eBay site admin accounts - in part through a Firefox plugin designed to this purpose, and hosted on the firefox plugin site!
When any goof startup can create social-network connectors or picture-browsing extensions, Firefox abdicates a good part of its inherent security advantages. Use these at your own risk. We won't touch FF privacy concerns with the Google relationship, and how hard it is to keep FF from reporting to GOOG as a default. IE is as bad with their parent.
I do think the warning about FF IS misplaced. Our biggest current risk is simply the Adobe PDF file-format. You don't even need to OPEN the file to execute code! Whee!
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
There is a possible explanation that, while stupid, makes sense here, people. If they are using Windows Authentication, which isn't supported by anything other than I.E., then using anything but I.E. poses a security risk. Why, you might ask? Because you can use Windows Authentication on I.E. and have the username/password sent over to the webserver without having to have an SSL certificate to encrypt the transmission. In Firefox, it asks for the username and password, and sends in clear text. There, problem solved. Still not smart, but at least accurate.
hahaha: http://www.colorado.gov/cs/Satellite?c=Page&cid=1165692953912&pagename=OIT-New%2FOITXLayout "One goal of the OIT is to create an Enterpise Architecture that improves service to citizens while lowering costs." If they were running firefox they would have seen "Enterpise" is not how you spell Enterprise ;)
protip: Linux
The Colorado Departent of Labor and Employment regrets that this service is unavailable at this time.
(We like Firefox too...and safari.....and chrome...)
http://www.coworkforce.com/Skills/
Well now it seems the whole site is down. If you go up one directory level you get this message:
"The Colorado Departent of Labor and Employment regrets that this service is unavailable at this time.
(We like Firefox too...and safari.....and chrome...) "
If you're in a corporate environment where intelligent administrators are pushing security policy and are able to manage IE updates easier than Firefox (think WSUS), and you are running something like McAfee's VirusScan which offers buffer overflow protection for IE...it is certainly better than someone running Firefox 1.5 and never thinking to upgrade it.
Questions and Answers
Why isn't my scrolling location saved?
This is a known issue related to a facility called AJAX within Microsoft .NET 2.0. Scrolling position is easily maintained, but it either causes page failures or decreases response time by 300%. A solution is being explored. In the meantine, the Skills widget enables you to be highly selective in list formation for Skills pinning. We recommend that you use this facility.
Oh, that pesky AJAX facility! There's a lot of info on performance issues using the ASP.NET AJAX. A quick read of the forums on asp.net suggests that this is only an issue if you don't actually think about the use and placement of controls while designing your page(s). In short, like anything else, if you use the wrong tool, and then use it excessively, load will be an issue in production. Too much to ask, I guess.
http://forums.asp.net/p/1296488/2518160.aspx#2518160
Shouldn't this be on idle.slashdot.org?
[17] Leary, T., White, C., Wood, P. R., Bhabha, W. D., and Wirth, N. Lambda calculus considered harmful. In Proceedings
The Dept. has updated their page. The page linked to in the summary now gives a 404, and going to /Skills gives you the text in this post's parent.
I must say that's an awesome response, and it looks like there might be some real change ahead.
Now the site is down and says:
"The Colorado Departent of Labor and Employment regrets that this service is unavailable at this time.
(We like Firefox too...and safari.....and chrome...) "
http://www.coworkforce.com/Skills/
I can't do it right now, but someone with Safari or Firefox, etc. ought to change their user agent to IE6 and see how broken it really is. Aside from how broken it is with IE6, of course.
Brett
Now they removed "(We like Firefox too...and safari.....and chrome...)"
Microsoft must have wanted their money back.
The site looks o.k in chrome, but the link does not work any more. I guess it got slashdotted.
Either the site got Slashdotted, or they discovered the error of their ways:
/Skills/myskills.aspx
Server Error in '/SKILLS' Application.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
Requested URL:
This might come in handy for those of you that would like to do something about those id10ts:
"I have come across a statement on Your website, stating:
"DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk."
Here's the thing:
Development of Internet Explorer has been absolutely stagnant for a decade, to a point where it actually became a synonym for "insecure". But don't take my word for it, let's have a look at Secunia (a great website, tracking bugs in popular software).
Internet Explorer 6:
unpatched : 16% (22 of 135 advisories);
highest rated : moderately critical;
http://secunia.com/advisories/product/11/
Internet Explorer 7:
unpatched : 26% (9 of 34 advisories);
highest rated : moderately critical;
http://secunia.com/advisories/product/12366/
Mozilla Firefox 2.0.x:
unpatched : 10% (3 of 29 advisories);
highest rated : less critical;
http://secunia.com/advisories/product/12434/
Mozilla Firefox 3.x:
unpatched : 9% (1 of 11 advisories);
highest rated : less critical;
http://secunia.com/advisories/product/19089/
So:
1. every single version of Firefox has less unpatched advisories than every single version of IE;
2. every single version of Firefox has less overall advisories than every single version of IE;
3. every single version of Firefox has less (percent-wise) unpatched advisories than every single version of IE;
4. every single version of Firefox has a less critical rating than every single version of IE;
Hence - how exactly have you come to the conclusion that Firefox is less secure? It's IE that poses security risks, and it's worse than Firefox by leaps and bounds!
I must consider dispersing such information about browsers as you do as utterly irresponsible."
Until a couple of years ago, this was a "red state". Unfortunately, enough sheeple moved here for the jobs our intelligent government attracted, so now we're a blue state, so that type of government is gone.
Oh yay, another great example of providing a technically correct, but thoroughly misleading answer. "To answer these questions, we must learn about light, and the Earth's atmosphere." No, you mustn't. Ok, you need to learn one thing: "the sky is blue because air is blue" (from Recurring Science Misconceptions in K-6 Textbooks). All that crap about Rayleigh scattering and frequencies of light is...well, it's true but it's generally beside the point.
Q. Why is my shirt red?
A1. (bad) To answer these questions, we must learn about light, and how photons are absorbed or reflected by different materials, and how the cones of the eye convert photons into neural impulses....
A2. (good) because it was dyed red.
Granted, all that other stuff can be interesting too, but to claim that you're providing the simple explanation is just ridiculous.
(At least it's not as bad as the standard explanation of an airfoil, which is simply wrong.)
Uh, why? I mean, it's not a car analogy or even A GOOD one.
The website is saying Mozilla is a risk to your computer. Why do they care? IE can be a risk to your computer. Computer illiterates are a risk to computers.
But there they say (specifically, according TFS), "...Mozilla based, non-IE browsers pose a security risk." No ifs, ands, or buts about it.
This seems more like an excuse to use whatever easily implemented MS tricks they can without worrying about compatibility.
Server Error in '/SKILLS' Application.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
Requested URL: /Skills/myskills.aspx
So... do they admit not having any Skills ????
1. Make a web site. ...
2. Claim Firefox is insecure while IE is.
3. Get yourself noticed on Slashdot.
4
5. Profit?
Love many, trust a few, do harm to none.
You are a cell of the cancer that's killing the internet.
They're not the only ones... I was working for the Treasury Board of Canada last June when we got a similar message:
"Public Safety Canada has informed departments of vulnerabilities with Mozilla Firefox software. Recent security scans revealed Mozilla Firefox may currently be installed on your workstation...
To mitigate the risks, on Monday, June 30th, access to Mozilla Firefox will be blocked by the Desktop Firewall."
The weirdest thing is that the security publications on the Public Safety website have never listed FireFox, but do list IE a couple times!
They are used and exploited about the same amount actually. If you ask me for a source, I will demand to see yours.
Let them try! I don't think it would be hard at all to find at least *one million people* who have had their machines compromised over really insecure IE code, and maybe even lost money and had to go through and repair their credit when their logins or CC details were compromised.
Besides, that isn't the issue here, this is a set of state flunkies who are labeling a corporation's products as insecure, so bad that they dont allow access for official purposes from tax paying citizens of that state, and saying this other corporations products are secure, or secure enough to use, and their choice of what is or isn't "secure enough" is freaking LAUGHABLE. I mean, WTF?? It is bogus on so many levels it ain't funny.
about:config
network.automatic-ntlm-auth.trusted-uris
Yup, firefox supports NTLM authentication, and has for a long time, and it works for me.
The real problem is that we have an Office of Information Technology at all. The entire department shouldn't exist. Complaining that they've done something stupid on their website is missing the forest for the trees.
Maybe not
I literally laughed out loud at this!!! This is very very ignorant and stupid to say the least when we all know the reverse is true!
Server Error in '/SKILLS' Application.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
Requested URL: /Skills/myskills.aspx
$ nikto --host http://www.coworkforce.com/
- Nikto 2.02/2.03 - cirt.net
+ Target IP: 165.127.91.10
+ Target Hostname: www.coworkforce.com
+ Target Port: 80
+ Start Time: 2009-03-06 19:37:46
+ Server: Microsoft-IIS/6.0
- Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
- Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ OSVDB-877: HTTP method ('Public' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ OSVDB-0: Retrieved X-Powered-By header: ASP.NET
+ OSVDB-630: IIS may reveal its internal IP in the Location header via a request to the /images directory. The value is "http://10.25.30.30/images/".
- /robots.txt - contains 3 'disallow' entries which should be manually viewed. (GET)
+ OSVDB-396: GET //_vti_bin/shtml.exe : Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ OSVDB-0: GET //?Open : This displays a list of all databases on the server. Disable this capability via server options.
+ OSVDB-3233: GET //postinfo.html : Microsoft FrontPage default file found.
+ OSVDB-3233: GET //_vti_inf.html : FrontPage is installed and reveals its version number (check HTML source for more information).
+ OSVDB-3500: GET //_vti_bin/fpcount.exe : Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. CAN-1999-1376. BID-2252.
It's still running, but I've been at work long enough for one day. Someone else can finish this.
We had a working computer system, and then Owens brought in his friends to do a 6 year makeover of it. When he left it STILL had major issues, and the dems brought in THEIR ppl. The problem is that the head of OIT is as inept as Ritter is. From some of my friends at TWI, they tell me that he was a total idiot, but a politician. While Colorado had a great infrastructure in place at one time, between Owens and now Ritter it is being gutted fast. TOO FAST.
I prefer the "u" in honour as it seems to be missing these days.
Neither Texas nor Mississippi care. Nobody can read the reports that indicate that they are tied at 50th.
I prefer the "u" in honour as it seems to be missing these days.
Fascinating! I always wanted a down-to-Earth explanation of air foils. I never really bought that low pressure air sucks the plane up. Mod up!
A fool and his lamb are worth two in the bush.
I have lived here since 79, and I HAVE seen those stickers. And it was a big issue around 2002-3. Owens was trying to cut the education spending.
I prefer the "u" in honour as it seems to be missing these days.
Fixed!
Need an automatic screenshot taker? Try here.
... wh0z t3h n3w 0wn3r of d31r w36 5173? 5um 1 h3r3z?
now we need to go OSS in diesel cars
Whew, that's a relief! I was afraid that Jerry Taylor moved from Tuttle and got a job in Denver.
I think this proclamation was more about keeping dumb Users from clogging the Help Desk, veiled behind some bogus security claim (large # of pop-ups alone should prove IE6 to be less secure!).
Remember: IE6 got changed so much (after being ubiquitous for a good long time and mastered by the droves of id10t users out there) going to IE7, and Firefox is also very different looking, especially to average to below average people. The added User confusion and calls to the Help Desk created by making a browser change might influence some, especially for very large offices, to force IE6 being kept.
I bet the guy that wrote it is an id10t though.
The more people that use IE, the more work there is for the support tech industry. This is Colorado's contribution to the American stimulus package. :)
The stack trace doesn't prove it's running from a desktop. The path and line numbers indicate that the debug symbols were created in that path. Even if you move the debug symbols to a different machine, those values will persist.
Still, I can add to your list:
D) The person either pushed debug symbols out OR they put raw source on the machine and left debug=true
E) It's written in VB. If you're going to use .NET, at least use C#.
F) Originally left custom errors mode set to Off
G) Changed custom errors mode but still has unformatted error pages
H) Doesn't have error handlers (even a global one to catch all unhandled errors)
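Items D, F and G in the list above map to two elements of an ASP.NET web.config, so they can be checked before a site is published. The following is an added example, not part of the original comment or the site's code: a Python audit run over constructed sample configs, with finding names invented for the example (item H, a global handler in code, is outside what a config check can see).

```python
import xml.etree.ElementTree as ET

# Finding codes are hypothetical names chosen for this example.
DESCRIPTIONS = {
    "debug-enabled": "compilation debug=\"true\" ships debug builds (item D)",
    "custom-errors-off": "customErrors mode=\"Off\" shows stack traces to remote users (item F)",
    "no-custom-error-page": "no defaultRedirect, remote users get the stock Runtime Error page (item G)",
    "unparseable": "file is not well-formed XML",
}

# Constructed sample: the state the comment describes.
WEAK_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

# Constructed sample: details hidden, but still the stock error page.
HALF_FIXED_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" />
    <customErrors mode="RemoteOnly" />
  </system.web>
</configuration>"""

# Constructed sample: release build plus a friendly error page.
HARDENED_CONFIG = """<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <compilation debug="false" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.htm" />
  </system.web>
</configuration>"""


def _local(tag):
    """Strip an XML namespace so '{ns}compilation' matches 'compilation'."""
    return tag.rsplit("}", 1)[-1]


def audit_web_config(xml_text):
    """Return a sorted list of finding codes for one web.config document."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return ["unparseable"]

    compilation, custom_errors = [], []
    # system.web may sit directly under <configuration> or inside <location>.
    for section in root.iter():
        if _local(section.tag) != "system.web":
            continue
        for child in section:
            name = _local(child.tag)
            if name == "compilation":
                compilation.append(child)
            elif name == "customErrors":
                custom_errors.append(child)

    findings = set()
    # debug defaults to false when the attribute is absent.
    if any(c.get("debug", "false").strip().lower() == "true" for c in compilation):
        findings.add("debug-enabled")
    # With no customErrors element the default mode is RemoteOnly with no
    # redirect, so remote users see the stock error page.
    if not custom_errors:
        findings.add("no-custom-error-page")
    for element in custom_errors:
        mode = element.get("mode", "RemoteOnly").strip().lower()
        if mode == "off":
            findings.add("custom-errors-off")
        elif not element.get("defaultRedirect") and len(element) == 0:
            # No defaultRedirect and no per-status <error> children.
            findings.add("no-custom-error-page")
    return sorted(findings)


if __name__ == "__main__":
    samples = [("weak", WEAK_CONFIG), ("half-fixed", HALF_FIXED_CONFIG),
               ("hardened", HARDENED_CONFIG)]
    for label, text in samples:
        codes = audit_web_config(text)
        print(label, "->", codes or "clean")
        for code in codes:
            print("   ", DESCRIPTIONS[code])
```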
Currently (as I have not heard of a new procedure), the CDC [Center for Disease Control] employs a "quaint" little system for the distribution of SSL certificates for their secure websites. They are deployed via an active-x control. Now here's the rub. The AX control does not install/run correctly under IE7. The solution is to use IE6. Oh and it takes an administrator to install this control. So the users who have been given permission, (but of course not windows admin priv, that's *bad* for security), need assistance of a computer admin to install it.
That's right, in order to use their secure network, you have to install their cert into a known insecure browser.
So if you keep your facility up to date with all of MS' updates you have (had?) no supported method for accessing a secure network.
Once installed you are free to export it out to a file and import it into the browser of your choice.
ANY browser that allows unprotected javascript access, ActiveX access, COM access, JAVA access is a security risk. Browsers are not the problem. Firefox, Internet Explorer, Chrome, Safari, Opera, etc, that allow anything other than HTML run on the local machine is a ruse for problems. Because WEBx.0 wants all this external functionality, people blame the browser, when the browser itself has no control over what 3rd party plugin DOES.
Google Firefox hacks, IE hacks, etc etc, you will find many ways to break thru a unsecure system.
Who takes advice from these people? :)
I know what you said is correct, but I want to point out to anyone that reads your post that you in NO way mean that they are right in air being blue. The link you provided is a must-read for anyone who seriously doesn't understand the science, instead of just skimming and saying "oh, okay air is blue, thats why." through your message :) (those people don't read quotes right, and such)
No offense to you, xtifr. You did a good job with your post and you are correct.
-- This space for lease, low setup fee, inquire within!
If any corporation made unsubstantiated claims such as that, they would be sued.
If open source is to survive, it must protect itself.
BrendaEM
https://www.youtube.com/c/BrendaEM
That would depend on where you are in Colorado. I don't believe that too many would drive from Durango (SW part of the state) just to slap people.
They're gub'ment workers, whadya expect? They've been trained since kindergarten to never question authority. But unlike the rest of us who went on to productive pursuits after graduating from the indoctrination centers they call public schools, they stayed in the system. Many of them have never learned to think for themselves. Their job is not to help people, but to punch in daily until they can retire on public pension.
All it takes is one supervisor reading an astroturfed rant on the web, and the entire department will take up the faith that Firefox is unsafe.
Don't blame me, I didn't vote for either of them!
Speaking as someone with first hand experience with Time Warner Cable's "customer-service delivery systems", this whole story does not surprise me in the least.
Strictly speaking, "non-IE browsers pose a security risk" does not purport to claim IE does NOT pose a security risk, even a much bigger risk! We just happily elect not to open up THAT subject :D
The doctrine of "pregnant negative" would be quite an uncharitable way of construing.
Rocky Mountain Hiiiigh... Colorado.
In related news, Colorado reports epic crop of hallucinogenic mushrooms.
It took two years of meetings, executive staff luncheons, and similar BS; someone got a nice raise...
Then one of the IT guys was told "have a web page up by monday." (for nothing extra.) So he hacks it out in 10 minutes with frontpage; We are talking MS types, after all.
THAT's how it usually goes.
Wonder who gets reamed after the slashdotting fried their server? (It's currently choking on any browser I use)
Truth isn't Truth - Guliani
That's asking for a "harassment" lawsuit of a kind like I've been prosecuted over. Just helping them will get you into court. Leave those motherfuckers alone and hope they catch on fire the same month you didn't pay the water bill. Better yet, disconnect from all public utilities so you have no reason to even talk to those bastards. Let the fine men of Shanghai deal with their network problems; Ping Pong and Sum Slung Dung can do no wrong to "government" in the depths of their Shemite minds. waaah
The environment that this was targeted at is a Windows domain(s), subject to group policy and other restrictions. This extends well past software issues. IE is the ONLY browser I would use in such an environment. Other browsers may beat IE in certain categories, but with the size and complexity of this network, why would you add variables? IE is easily controlled via group policy. You can force and control updates in the same manner that Windows is updated. There are numerous advantages. The thing is, this is a GOVERNMENT network. Ok... so you allow FireFox... Suddenly, users want Opera... ok... Now they want Chrome... Where do you draw the line? The Slashdot community is giving the users WAY too much credit. I work in a federal government IT department. I have watched highly educated (doctors and nurses) destroy ToughBooks. I have sat back and watched them not be able to load paper in a printer, one of them even asked me to change their printer setting so that faxes come out of their scanner. It never ends. I have tried educating them, it does not work.
sir, I like your style.
what ever.
Last I heard, the House of Commons IT services had the same policy. IE6 is secure, Firefox is not. Everyone just runs Firefox from a thumbdrive because they'd die without tabs.
"Perhaps the webmaster didn't know anything about web programming?"
But just enough to get the job and show a demo.
There is a guy I know who "wrote software" for a living "for the government".
He put up a personal website to sell some stuff and like this site, it had the same warnings about only using IE.
When I could not access his site, I called him and asked him what the problem was and he bemoaned about how he wishes there was only One Browser to write for and how he is used to making "secure" sites for places like 4H or something because "kids" are involved. (gotta keep 'em safe!)
I think it basically boiled down to he just took what he knew from programming something for a closed environment and thought it would work on the web. It doesn't.
His PERSONAL SITE also has INSTRUCTIONS on the main page of HOW TO USE THE WEBSITE.
How to use the xxxxxxx Web Site...
1) Press the F11 key (top row of keyboard) to view site full screen.
2) Do NOT use you browser 'Back' button - always use the various navigation buttons or links on the screen (Return, etc).
3) Always wait for any images to completely resolve or fill before taking the your next step.
4) Exit the site via the 'Goodbye' link, NOT the browser 'X' button.
5) All of these procedures will speed and improve your access to the xxxxxx xxxxx site.
I would post the URL to his site but I hate to see his server get trashed, I'm sure it is out of his home. If you don't make it onto the site, you get this error screen that asks you if you want to Restart The Application.
And he wonders why no one is buying stuff from him.
I like microcars
Also you should investigate your keyboard it seems to be broken.
Nah ... it's a mouse driver problem.
The higher the technology, the sharper that two-edged sword.
The really sad thing this is supposed to be for the Colorado State "Office of Information Technology". I live in Colorado, and this is REALLY embarrassing.
I work for the State, and sadly this is typical for the morons at OIT.
Unfortunately, all of the individual Departments' IT programs are being consolidated under OIT, so things will only get worse.
...now you know where all the 'D' students went.
The site does not say "firefox may not be secure" they're saying "firefox poses a security risk". One of them is a statement of fact that they do nothing to back up, the other one is an opinion which may or may not be valid, but is theirs to hold.
I wonder if what they meant was "our site looks like crap in firefox so please don't use it". Or maybe by "poses a security risk" they mean "the secret fields we spent hours figuring out how to hide behind other stuff refuses to stay hidden in firefox, so using it is a risk to OUR security".
...and I just automatically assumed they meant JOB security.
While we laugh at him some poor dumb web admin in Colorado is working through the night to fix this. The pages are changing while we comment on them.
At this point I actually think he's using this page for tips on how to fix this.
It's sad and funny on so... many levels.
Help stamp out iliturcy.
I love how everyone is slamming the web-related expertise of these guys on a site run by geeks and "experts" that constantly has display issues. Every thread has at least one thing overlapping the text of someone's comments and has for a long time. How long should that take to fix?
Maybe the mouse has a button shortage. It's not politically correct to make fun of the button deficient.
Help stamp out iliturcy.
right now (gmt 06:15) their site is down it was obviously hacked by some ff user that makes their statement quite true :)
Holy crap, you guys are hilarious. I love what a good slashdotting does to sites.
Heh. Now see here, watch carefully. IE does have more general users. However if something goes wrong, the average user restarts the entire machine again. If it happens again, the average user says something like ... the internet is broken *Again*. They go do something else.
Now you may consider that testing, but I don't. If there is a similar crash in Firefox or OSS in general, then the same users whinge, loud long and to everyone.
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
Gah, Boss came through! Must have pressed submit absentmindedly.
While neither is testing per se, the latter makes it easier (well to some degree) for debuggers to know where to test.
I'd hazard that there are more casual developers & debuggers working on Mozilla stuff than on IE, ergo more likely to be tested properly. Not just the "works for me" kind.
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
People like these bozos can insult our intelligence and we all are supposed to act politely and rationally.
I say that a few hundreds or thousands rabid replies from aggravated individuals would do wonders.
Sometimes politeness is seriously overrated...
IANAL but write like a drunk one.
Nice to know that it does not matter to know where the source code is....
IANAL but write like a drunk one.
The words "SQL injection attacks" are a link to a humorous depiction of such a situation.
The GP clearly meant that in jest.
IANAL but write like a drunk one.
'nuf said...
Why is my shirt red?
May I have the password to your /. account? I am pretty sure you aren't going to be needing it much longer.
Dear Colorado People,
Now you are MS's bitches.
Yours
Colorado's CIO
IANAL but write like a drunk one.
If someone would say so 5 years ago some could believe him. It's too late today. Is that guy got stuck in time or just stupid?
Secunia states that Firefox3 has less critical issues:
http://secunia.com/advisories/product/19089/
While IE6 and IE7 have moderate problems. Making IE less secure:
http://secunia.com/advisories/product/11/
http://secunia.com/advisories/product/12366/
Bzzt. Thanks for playing
On your way out go re-read those "moderate" problems on MSIE and compare them to "severe" bugs on other products. Yeah, the MSIE bugs are frequently downplayed in severity.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Being able to point them to an unbiased, reliable source to back up the "Firefox is safer" claim would help.
Unfortunately the facts are "biased" against MS products. It doesn't matter anyway, since if they're running Windows, then they're not likely to be influenced (or not allowed to be influenced) by troublesome things like empirical studies.
The problem is getting enough mainstream recognition that maybe something might actually be done about it. For now, though, we have the junk science, post-modern business, everything-is-an-opinion legacy to contend with.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Y'know, I looked ALL OVER the M$ website and couldn't find one copy of IE that worked with linux! Whatever am I to do now???
~Just as a thing fails if it lacks a kernel, so too it fails if it lacks a skin. ~ Rumi, Discourses
Given that their site is down at the moment, rendering their explanation unavailable, I'd like to point out that there is a rational argument to be made for the notion that using preinstalled and patched IE installs instead of a third party browser can increase security. I disagree with it (based on a number of factors expressed elsewhere in this thread), but it's a good argument:
You increase the number of potential security holes on a workstation by increasing the number of installed applications. Your sysadmin is responsible for both maintaining and securing IE and Firefox, and is unable to uninstall the former. This, thank God, goes away in Windows 7. In the meantime, however, you can still disable and cripple IE in a way that limits its exposure - It's just more work than most Windows-heavy, Microsoft-certified admins are willing to do as doing so often strips them of their preferred choice, and the tools that they've been heavily trained in locking down and adapting to their local networks. If understaffed and underfunded, forcing IE usage may actually be the right call for some agencies and offices.
Still no excuse for any IE6 or earlier builds being used in the wild.
Shine a green light on your red shirt.
Why isn't it red any more?
And as to the original point, if "because the air is blue" is your answer, why is the evening and morning red?
Better simple answer to the shirt: it's red because it is absorbing all light that isn't red. And answers the "shine a green light on it" query.
...made you look, didn't you?
Not even Ballmer would have said that...
I've heard the same sorts of things said in my organization. I don't think it comes from a true belief that IE is the more secure browser (as the network manager has indicated it isn't) but a lack of willingness to install Firefox on a few hundred machines, and learn how to use it.
Searching Securityfocus for "Firefox patches" returns only four pages. Searching for "'Internet Explorer' patches" returns 31 pages. More patches for IE means it must be more secure, right?!
As someone that works and lives in Colorado, I find this truly embarrassing.
The indian programmers have to be able to see their nonstop errors they create on a live system, with no shadow dev inhouse system.
Liberty freedom are no1, not dicks in suits.
Server Error in '/SKILLS' Application. Runtime Error Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine
I would guess that it's not so much the relative security of the two browsers, as it is the IT group's ability/willingness to vet another browser for security purposes.
They don't understand FF, and they don't want to take the time to learn all its ins & outs. So they declare it a "security risk" simply because they don't *know* what security holes might lurk there. In that sense it *is* a security risk for them, since it has not been tested for secure interaction with their site.
They undoubtedly know that IE has security holes, but they know what most of them are and feel comfortable with the countermeasures they've taken for those specific flaws. Whether their confidence is justified is another matter, of course...
Everbody know Redmon is in Colorado :)))
Colorado has finally become californicated. Too many people from L.A. moved here and imposed their whacked-out thinking and lifestyle on the laid-back Western ethos that Colorado used to be famous for.
I'm not sure it's possible to recover from being californicated, but, as a citizen of Colorado, I do hope so.
The IPCC has purposely engineered a massive scientific fraud.
The programmer's running production code in a globally accessible server with DEBUG turned on?
I know a 12 year old who is more competent than that. Really, I'm not kidding here.
Do you think they are paying this guy, or it's just some student intern?
The sky is blue because nitrogen is blue, and its air is mostly nitrogen. If its air was mostly chlorine the sky would be green.
Free Martian Whores!
I love all the critique of what is obviously a pitiful attempt to produce one of them fancy web application things. I unfortunately can't add to the list here... being a late-comer to the discussion, the site is already offline.
But a lot of folks are missing the obvious opportunity here: government jobs are, frankly, the best thing going right now given the current state of the economy. How many Slashdotters have sent their resume to the Colorado DOL? They clearly need the help!
That makes a lot of sense. For a group that clearly doesn't understand security, they use obscurity! : )
Actually, now it says: "The Colorado Department of Labor and Employment regrets that this service is not avaialble at this time. " Note the spelling error... I guess that's forgivable.
I am currently a student and my "tech" online classes pull this same crap. I have since found my workaround, the IEtab. It has all of the benefits of FF, while allowing me to view shabbily designed IE only sites. I recently found a web designer's site that wasn't compatible with FF. I sent him a nice e-mail stating that his site doesn't render properly in FF, Safari for win, Opera, etc. I could only read half the text as the other half was off the page (on the left no less) and couldn't be scrolled to. He sent me a reply saying to get fucked and learn the "standards" of web design.
Does Bill G design sites? Maybe he has an illegitimate son that does.
Or maybe by "poses a security risk" they mean "the secret fields we spent hours figuring out how to hide behind other stuff refuses to stay hidden in firefox, so using it is a risk to OUR security".
<input type="hidden"...
Wow, that was hard...
Windows authentication (ie NTLM) is a server option...
Firefox does support it, but doesn't send it automatically like IE does (IE will send your credentials automatically to a remote box that requests them which can be abused)..
NTLM is little better than sending basic auth over plain text, it does a challenge handshake but is weaker than md5 digest auth and can be cracked... basic auth over SSL is actually stronger than ntlm over http... and if using http md5 digest is still stronger.
also ntlm auth breaks the way http works since it requires you to send, receive, respond, receive in a single http connection when http is supposed to be request/receive, this makes it very difficult to use with a proxy.
all in all, ntlm over http is a horrible hack and is typical ms arrogance - create something new, proprietary and inferior, instead of using the existing standard digest auth.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Secunia states that Firefox3 has less critical issues: http://secunia.com/advisories/product/19089/
While IE6 and IE7 have moderate problems. Making IE less secure: http://secunia.com/advisories/product/11/ http://secunia.com/advisories/product/12366/
Firefox3 also has only 1 issue unpatched, while IE6 has 22 open issues.
Good. I hit a nerve. Don't fall for Secunia's misleading descriptions and understate the risk significantly. Go re-read those "moderate" problems on MSIE and compare them to "severe" bugs on other products. Yeah, the MSIE bugs are frequently downplayed in severity.
The advisories are also hidden away for some products and lifted to the start page for others. Just try to find the MSIE advisories in the by product listing. Can't easily do it. Also notice that in the scope notes, most of the MSIE vulnerabilities expand out to include all applications which can inadvertently call MSIE through hard-coded options, such as WMP. That works out to a very large base of vulnerable applications.
Secunia's not the only one obfuscating the unsuitability of MS products. Even the US NVD is affected. None of them mention avoiding the defective product (Windows) or problem tool (MSIE). It wasn't too many years ago that mainstream magazines were talking about banning MS Outlook for the sake of security. Now even "security" specialists are changing the subject or mumbling when asked if the emperor is really wearing any clothes.
There's just not a business case to stay on the autoflagellation combination, Windows+MSIE
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
% wget -S -O /dev/null http://www.coworkforce.com/
--10:24:49-- http://www.coworkforce.com/
Resolving www.coworkforce.com... 165.127.91.10
Connecting to www.coworkforce.com|165.127.91.10|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Connection: keep-alive
Date: Fri, 06 Mar 2009 17:24:49 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Length: 26447
Content-Type: text/html
Set-Cookie: ASPSESSIONIDASBTDDQQ=NIFBMIKAFMPHFLDLIKBAMPBD; path=/
Cache-control: private
Looking for work?
http://en.ganji.com/jobs/part-time/3-25-19020-1-PART-TIME-JOBS-AVAIALBLE-AT-www-homejobsinuk-com.html
In GOD we trust, all others we monitor.
Seems to me that slashdotting an internal link is a fine way of letting your employer know that keeping you on is a far bigger security risk than either firefox or evil internet.
--
emphasis added
Reality is a slackware box running on a 386 tucked away in god's sock drawer.
Here's scary: CO Workforce has an IT dept of less than 5 techs for the entire state.
They have open wireless routers half the time because the end user gets a Netgear or Linksys from Walmart rather than wait for their overworked IT folks to get around to it.
They often share hardware with other agencies without locking them down or performing an inspection prior to returning them to a State network.
Training and keeping up with advances? With this much of an overworked and underappreciated IT dept, the last training they got was when they were in school.
My point? It's not the IT weenie's fault. If you want to yell at someone, make sure it gives the IT department more funding for more positions. Consider:
If work remains constant, more bodies = problems solved quicker.
Problem solved quicker = more time.
More time = more time for training and learning.
More time for training and learning = less inaccurate statements and stupid decisions.
Used Konqueror and got:
The Colorado Department of Labor and Employment regrets that this service is not avaialble at this time.
Spell check is good to use on a public site.
"If the leading IT agency for the State is making these uneducated claims, should the people worry about their other decisions?"
I'm in Colorado, and I assure you, we should worry about every decision made by anyone in the State Government. These people are idiots. (In my opinion of course, since I don't want to be targeted as a slanderous, libelous, insulting anonymous coward.)
I thought it was the oxygen. I had heard that the sky was not-so-blue before life started releasing free oxygen into the atmosphere. But I don't have a definitive reference either way, so I suppose you could be right. Got a cite?
(Posted w/o karma bonus since this is starting to drift off-topic.)
Considering we have 35MPH sustained winds, gusting to 50, I thought your username somewhat ironic.
. . . given both IBM and Sun Microsystems have a different view of IE vs. Mozilla and they employ a lot more people and pay a lot more taxes in the state of Colorado than M$FT.
Agreed.
I wonder if what they meant was "our site looks like crap in firefox so please don't use it". Or maybe by "poses a security risk" they mean "the secret fields we spent hours figuring out how to hide behind other stuff refuses to stay hidden in firefox, so using it is a risk to OUR security".
This all goes in much the same vein as a failure notice email I got from ebay the other day, telling me that my PGP-signed email had been blocked for 'security reasons', in order to prevent identity theft. As far as I can see this is complete crap, and what they really mean to say is "we can't read emails which aren't sent in cleartext, thus PGP is bad". Basically what it comes down to is relying on the average user's general ignorance, and the terror associated with the repeatedly-drummed-in phrase "security risk"...
The Colorado Department of Labor and Employment regrets that this service is not avaialble at this time.
^^^^ Sounds like while they are running around like a chicken with its head cut off they couldn't stop to spell available correctly.
A3: Because you're about to go on an away mission with a bunch of main cast members and get killed.
Or maybe by "poses a security risk" they mean "the secret fields we spent hours figuring out how to hide behind other stuff refuses to stay hidden in firefox, so using it is a risk to OUR security".
It is too late for this to get modded up, but you should know that this concern would never arise. Input tags have to have a type set. There are ten types that are both part of the standard and supported by every single browser. Every web developer on the planet knows two of them: text and hidden.
So, if you want to keep an input hidden, you just slap a type="hidden" on it. Alternatively, you could also give it a style="display:none". But what you describe would never happen.
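Either technique named in the comment above keeps a field off the screen, but its name and value are still delivered in the page source to every browser. As an added illustration (not part of the original comment, and not the Colorado site's code), this Python audit lists such fields in a constructed sample form so they can be reviewed for data that should stay server-side; it assumes inline `style` attributes only and does not evaluate stylesheets.

```python
from html.parser import HTMLParser
import re
# Constructed sample form (not taken from the Colorado site).
SAMPLE_FORM = """
<form method="post" action="/submit">
  <input type="text" name="applicant">
  <input type="hidden" name="record_id" value="1042">
  <input type="TEXT" name="reviewer_note" value="internal" style="color:red; Display : None">
  <div style="display:none"><input type="text" name="wrapped" value="x"></div>
  <input name="no_type_given">
</form>
"""

VOID_TAGS = {"input", "br", "hr", "img", "meta", "link"}
DISPLAY_NONE = re.compile(r"(?:^|;)\s*display\s*:\s*none\s*(?:;|$)", re.I)

class HiddenFieldAuditor(HTMLParser):
    """Collect inputs that are hidden from view but still sent to the client."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (name, value, how_hidden)
        self._stack = []    # open containers: (tag, has inline display:none)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        styled_out = bool(DISPLAY_NONE.search(a.get("style", "")))
        if tag == "input":
            # A missing type attribute defaults to "text".
            kind = a.get("type", "text").strip().lower()
            how = ('type="hidden"' if kind == "hidden"
                   else "inline display:none" if styled_out
                   else "inside display:none container"
                   if any(h for _, h in self._stack) else None)
            if how:
                self.findings.append((a.get("name", ""), a.get("value", ""), how))
        elif tag not in VOID_TAGS:
            self._stack.append((tag, styled_out))

    def handle_endtag(self, tag):
        # Drop everything opened since the matching tag (tolerates sloppy markup).
        opened = [t for t, _ in self._stack]
        if tag in opened:
            del self._stack[len(opened) - 1 - opened[::-1].index(tag):]

def audit(html):
    parser = HiddenFieldAuditor()
    parser.feed(html)
    return parser.findings
```

Anything `audit()` returns is readable and editable by whoever loads the page, so values that matter should be re-checked on the server when the form is submitted.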
Maybe the mouse has a button shortage. It's not politically correct to make fun of the button deficient.
Actually, I was poking fun at the individual driving the mouse.
The higher the technology, the sharper that two-edged sword.
If this isn't an argument for Libertarianism, I don't know what is.
To State of Colorado:
Please DO NOT buy software from Closed source software vendors.
Because you don't OWN a product unless you can MODIFY it.
I'd like to buy homeland for our 10 million people. http://twitter.com/mahadiga
Colorado's OIT used to be the technology leaders of the state. When it was first started it was a great, really smart team.
Lately it seems like they are just power grabbers and wannabe geeks. This is just plain embarrassing.
While agreeing with the earlier post it probably took at least several reviews to just publish that.
The skills and knowledge needed to run the State OIT computer systems are greatly lacking. Although they seem to deserve the criticism here.
Please do not cross the line by intentionally hurting the computer systems. The poor little computers are already experiencing loss of good leadership and planning and, it seems, security knowledge. Besides, most of us have ethics even if they don't.
OIT in the last year has decided to be the lead agency for all state computer systems. See the following plan.
http://www.colorado.gov/cs/Satellite?c=Page&cid=1165692953863&pagename=OIT-New%2FOITXLayout
CAN YOU SAY SINGLE POINT OF FAILURE ?
Below you will find all the state OIT officers. If you do browser searches on them it should turn up some amazing info. Enjoy!
Governor's Office of Information Technology
1580 Logan St., Suite 200
Denver, CO, 80203
URL: www.colorado.gov/oit
Michael Locatis (303) 866-6060 Chief Information Officer
Dara Hessee (303) 866-6060 Senior Business Analyst
Gene McGahey (303) 866-6060 Statewide Interoperability Coordinator
Heather Perdue (303) 866-6060 Human Resources Director
John D. Conley (303) 866-6060 Deputy Chief Information Officer
Kent Smiley (303) 866-6060 COOP COG Director
Micheline Casey (303) 866-6060 Director Of Identity Management
Ron Huston (303) 866-6060 Statewide Enterprise Architect
Todd Olson (303) 866-6060 Chief Operating Officer
"Processing issues" = "Our site is not standards compliant and will show incorrectly on all standard-compliant browsers"
I am not devoid of humor.