State of Colorado Calls Firefox Insecure, IE6 Safe

linuxkrn writes "The State of Colorado's Office of Technology (OIT) has set up a work skills website. The problem is that the site says 'DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk.' (Original emphasis from site.) If the leading IT agency for the State is making these uneducated claims, should the people worry about their other decisions?"

Attention all personnel

The Education Property has been increased to 128 characters due to popular demand.

That is all.

Re:Attention all personnel

[PIBM]

I tried to leave a comment :

Server Error in '/SKILLS' Application.
Object reference not set to an instance of an object.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[NullReferenceException: Object reference not set to an instance of an object.]
      Skills.Suggestion.doTheSend() in C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\Skills\Suggestion.aspx.vb:137
      Skills.Suggestion.sendEmailLink_Click(Object sender, EventArgs e) in C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\Skills\Suggestion.aspx.vb:127
      System.Web.UI.WebControls.LinkButton.OnClick(EventArgs e) +90
      System.Web.UI.WebControls.LinkButton.RaisePostBackEvent(String eventArgument) +76
      System.Web.UI.WebControls.LinkButton.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +7
      System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +11
      System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +177
      System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1746

Version Information: Microsoft .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433

LOL ?!?

Re:Attention all personnel

[Jogar+the+Barbarian]

EDUCATION:
I got a B.S. in computer science at Crazy Go Nuts University, and learned about security, including browsers. And let me tell y

Re:Attention all personnel

[amclay]

I just tried in all sections. I ended up leaving a message with the Gov. Perhaps the webmaster didn't know anything about web programming?

Re:Attention all personnel

He at least knew enough to be dangerous and change the default of hiding stack trace information when an unhandled exception occurs.

Re:Attention all personnel

[Shatrat]

Skills.Suggestion.doTheSend()

Priceless. 'send()' would have been a boring name for that function.

First Hosea wins Top Chef instead of an actual chef, and now this.
I hate Colorado now.

Re:Attention all personnel

Fighting
And sometimes striving
Wondering
What the dumple is
Excellence
And what is valor?
And The Cheat
Will hit stuff with a golf club
C-G-N-U!

Re:Attention all personnel

[cromar]

Whadya wanna bet it's in VB, too. Backwards institutions seem to love VB.NET!

Re:Attention all personnel

[PotatoFarmer]

Priceless. 'send()' would have been a boring name for that function.

Look on the bright side, at least it's spelled right. I'd rather have doTheSend() than excetute(), which some kind soul helpfully made an abstract in one of our base classes, and that has since been propagated across a few hundred other classes that I'm not allowed to refactor. A little piece of me dies every time I see it.

At least I sort of know who did it, thanks to cvs history. And if I ever figure out who the hell ers4634 is, they'll truly know what it means to be excetuted. Bastard.

Re:Attention all personnel

[rachit]

Interesting... stack trace displays are turned off by default from remote sites when using ASP.NET for security reasons. They had to explicitly turn them on to display this.

I doubt they are the best people to tell others about security...

Re:Attention all personnel

[bishiraver]

Well, seeing as its stack trace says *vb instead of *cs, I'm guessing it's VB.

Re:Attention all personnel

[jgarra23]

Yea, their site is FAIL on so many levels. The least of which is their lack of a custom error page...

Re:Attention all personnel

[Zumbs]

Skills.Suggestion.doTheSend()

Priceless. 'send()' would have been a boring name for that function.

This is because it's already in use. Just like 'doSend()'. And what do you do when you just happen to need a third 'send()' function?

Re:Attention all personnel

[jasen666]

.SendThatBitch() /*if only my bosses ever bothered to read my code comments! They wouldn't be able to keep a straight face while firing me*/

Re:Attention all personnel

[GooberToo]

The Colorado Departent of Labor and Employment regrets that this service is unavailable at this time.
(We like Firefox too...and safari.....and chrome...)

Its pretty funny what a good slashdotting will do.

Re:Attention all personnel

[dingen]

I wanted to know more about doing the send, so I tried searching for "doTheSend()", but unfortunately this results in nothing but an "Unspecified error".

Re:Attention all personnel

[yachius]

VB.NET and C#.NET produce identical code once compiled. That may not be a good thing in and of itself but I use VB.NET for small modules myself when getting it done fast is more important than clean, compact code (one time use scripts, reports, etc). Whoever did this is clearly an amateur, but not because they use VB.

Re:Attention all personnel

[tlinget]

I've always hated Colorado since I was singled out while driving south on 25. I had Texas plates and was heading home back to Texas. I was driving 65 WITH the flow of traffic, all of those with Colorado plates. The speed limit was 55. A local cop pulled up alongside me and told me over his PA to slow down. It did not matter that everyone was driving 65 as well. I did not want to be the one to cause a traffic jam because I was the only slow moving vehicle. Fortunately, he did not stop me and write me a ticket.

Re:Attention all personnel

[dem0n1]

Well that's one way to keep all comments to an absolute minimum.

Re:Attention all personnel

VB.NET is equally as powerful as C#. You're comment shows your ignorance

Re:Attention all personnel

[rcw-home]

And if I ever figure out who the hell ers4634 is, they'll truly know what it means to be excetuted.

Before they collapse and die, can you get them to fix the HTTP "Referer" field name?

Re:Attention all personnel

[norpy]

VB.NET is equally as powerful as C#. You're comment shows your ignorance

YOUR comment shows YOUR ignorance.

Re:Attention all personnel

[Bryansix]

VB.NET is actually a great programming language. Really for Web Development it's only second to C#.NET.

Re:Attention all personnel

[jwhitener]

doTheSend()... that is amusing. I think it is even funnier that they left the code in:

C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\

So..I guess they could only afford one copy of Visual Studio, and it is....on the server..../boggle

And production code running from "My Documents" haha.

 

Re:Attention all personnel

[Third+Normal+Form]

Congradulations! Your application for the State of Colorado CIO position has been accepted now that you have established that you meet the required minimum skills. If Governor Ritter recognizes your name, you will be contacted for a phone interview.

Re:Attention all personnel

[Third+Normal+Form]

Sorry, I blame the spelling on my Colorado high school education.

Re:Attention all personnel

[jonaskoelker]

they'll truly know what it means to be excetuted. Bastart.

Broke That For You.

Re:Attention all personnel

[roc97007]

> I just tried in all sections. I ended up leaving a message with the Gov. Perhaps the webmaster didn't know anything about web programming?

I was under the impression that a Microsoft webmaster didn't have to know anything about web programming. Just buy some really expensive tools and drag and drop. A secretary could do it.

Re:Attention all personnel

[theshowmecanuck]

No no no YOUR comment shows YOUR ignorance.

Re:Attention all personnel

[mysidia]

This is why they told you not to use Mozilla. It poses a security risk for the site... look, you went and disobeyed the directions and broke it!

All because you were using Mozilla instead of IE!

Re:Attention all personnel

[Tycho]

It happens other places too. I got this back in March 2008.

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, you@example.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

(Skipped some dashes, lousy /. filter)

Apache/2.0.54 (Unix) TongWeb-Director/4 Server at www.npc.gov.cn Port 80

Re:Attention all personnel

[Machtyn]

No no no MY comment shows MY ignorance.

Wait... what?

Re:Attention all personnel

[yerfatma]

Wait, so did he build the whole thing with fully referenced paths on his machine, or is someone building that site live on the box? Either way, awesome work.

Re:Attention all personnel

[ers4634]

And if I ever figure out who the hell ers4634 is, they'll truly know what it means to be excetuted.

Good luck with that. I mean, he could be anyone. ;)

Re:Attention all personnel

[trick-knee]

Skills.Suggestion.doTheSend()

should have been doTehSend().

Re:Attention all personnel

[mooingyak]

ah.... if only it were doTheSendAsSuch()

Re:Attention all personnel

[ScrewMaster]

And if I ever figure out who the hell ers4634 is, they'll truly know what it means to be excetuted. Bastard.

I still can't stop laughing at this one. "Excetuted". +5 Fucking Priceless.

Damn I'm glad I just finished that Pepsi ... it'd be coming out of my nose right about now.

Re:Attention all personnel

[nabsltd]

Duck season!

Re:Attention all personnel

[rtb61]

At a guess it was most likely broken on purpose as a quick way of removing an embarrassing bias likely added in by an external contractor who in turn likely picks up 'er' supplier preference points by inserting blatant marketing bits into other peoples web sites.

Re:Attention all personnel

[symbolset]

Server Error in '/SKILLS' Application.

That may be the most astute error message I've ever read.

Re:Attention all personnel

[Firehed]

Nah, go all the way. inUrMethodSendinUrMessage() or bust.

Re:Attention all personnel

[deathy_epl+ccs]

WABBIT SEASON!

Re:Attention all personnel

[cbiltcliffe]

Your reply got eaten by a grue.

Fixed that for you.

Re:Attention all personnel

[Randle_Revar]

Duck season! Fire!

Re:Attention all personnel

[aynoknman]

they'll truly know what it means to be excetuted. Bastart.

Broke That For You.

Broek That For You.

Re:Attention all personnel

[Keen+Anthony]

He only yelled at you from his car using a megaphone? That's nothing. At least you weren't driving through the nation's largest speed trap, North Carolina, on out of state plates. They give you tickets with the expectation that being out of state, you won't challenge them in court.

But yes, Colorado does suck.

Re:Attention all personnel

[Keen+Anthony]

Hopefully... otherwise a Cook County, Illinois sheriff might try to sue Slashdot for creating a public nuisance. Wait, what?

Re:Attention all personnel

[ubergeek2009]

When I try and view the site from school where we use IE 7 the entire site is messed up and if I try to leave a comment the entire browser freezes. Never happens to me in firefox.

Re:Attention all personnel

[diskis]

BS = Bullshit
MS = More shit
PhD = Piled higher and deeper

Re:Attention all personnel

[scobiej]

You made my day with that comment. Still laughing ...

Re:Attention all personnel

[Lord+Bitman]

quite possible that it's naming conventions gone wild. Something like "all methods which modify the object must be prefixed with 'do'" conflicting with "never name a method with two verbs in a row"

Re:Attention all personnel

[kholburn]

You're an ASS?

Re:Attention all personnel

[Alsee]

Yeah, but they mispelled 'Severe'.

-

Re:Attention all personnel

[Ilgaz]

I can see CmdrTaco copying your message to his 'places_we_should_never_visit.txt' file.

Re:Attention all personnel

[Ilgaz]

Isn't there commercial or even free packages which would do the same thing without such 'My Documents' thing and emberassment?

I think there must be a lot of them.

Re:Attention all personnel

[sqldr]

Good try, but your error didn't provide enough configuration data.

I got this :-)

Server Error in '/SKILLS' Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

Details: To enable the details of this specific error message to be viewable on remote machines, please create a tag within a "web.config" configuration file located in the root directory of the current web application. This tag should then have its "mode" attribute set to "Off".

Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's configuration tag to point to a custom error page URL.

Re:Attention all personnel

[sqldr]

today I discovered that even when pasting "plain text" in slashdot, HTML tags get stripped :(

What I meant to say was (brackets stripped)

Web.Config Configuration File

configuration
        system.web
                customErrors mode="Off"
        system.web
configuration

Web.Config Configuration File

configuration
        system.web
                customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"
        system.web
configuration

Re:Attention all personnel

[jabithew]

For some reason I have Do The Hustle stuck in my head now.

Skills.Suggestion.doTheHustle()
Skills.Suggestion.doDoDoDoDoDoDoetc()

Re:Attention all personnel

[xaositects]

lolcode?

Re:Attention all personnel

[Rary]

I use VB.NET for small modules myself when getting it done fast is more important than clean, compact code (one time use scripts, reports, etc)

...or making a GUI interface to track an IP address...

Re:Attention all personnel

[FunkSoulBrother]

Ah yes, failure of your academic education is certainly a pity. I know such a guy who now spends his days coding PIN numbers into ATM Machines so he can collect his paycheck earnings from the money bank.

Re:Attention all personnel

[hairyfeet]

That reminds me of my old Vb class. This 25 year old kid somehow managed to get his hands on a bunch of my code and tried to pass it off as his own. The teacher took one look and called him in front of the class and let everyone know he was getting an F for stealing code. The kid yelled "How do you know he didn't steal it from me?"

After the teacher quit laughing so hard he said "What is the first computer you wrote code on?" and you could tell the kid was looking for the right answer in his head before replying "Windows 98" and after laughing his ass off again the teacher popped the code in question onto the overhead. He said "See anything a little different about Kevin's code? Notice the line numbers and the use of REALLY old syntax like GOTO? This tells me the writer of this code is old enough that he actually wrote in one of the original BASIC languages instead of VB." and then he got this funny look on his face as he stared at the code and said "Apple or Commodore?" and with a shocked look on my face I said "Commodore VIC20" and he said "Figures. The code is compact and efficient but has all the subtlety of a chainsaw."

The funny part was I got an email from him a year after taking that class where he "thanked" me for spreading GOTO and line numbers "like the clap" because months after I left kids were turning in code with chunks that had really old syntax and GOTOs in it. Of course he said giving GOTO to a kid was like handing a monkey a sledgehammer and letting them loose in a minefield. He said nearly every time the code would die a horrible death and take the PC running it down. But it always struck me as funny how much he could pick up about the code writer just by their writing style. He always said code was like handwriting and everyone was a little different if you knew what to look for.

Re:Attention all personnel

[tritohc]

Slashdot is hosted in Cook County.

Re:Attention all personnel

[EraserMouseMan]

You must not be a .NET developer. When the code is compiled, the line number references and file name references are based on where it is being compiled. Which is always on a local developer workstation. Not on the server. The precompiled bits are simply copied over to the production server.

Of course, if you are a PHP guy "compiling" will be unfamiliar to you since PHP is an interpreted language. Thus being slower (all else being equal).

Re:Attention all personnel

[broomer]

The Colorado Department of Labor and Employment regrets that this service is not avaialble at this time.

when you quote, please quote literal, including errors.

Re:Attention all personnel

[sgt+scrub]

+5 ROFLMAO!!!

and i happend to be taking a drink when i read that.

Re:Attention all personnel

[cromar]

I'm not saying you're a bad coder. I really don't want to imply that. I haven't met you. I will say though, that whenever I get to read someone's VB code, it's pretty obvious that they are fairly mediocre programmers.

For me though, it's purely a matter of aesthetics. Why be so verbose!?

P.S. There are some differences between VB.NET and C#, for instance how events are handled, FWIW.

Re:Attention all personnel

[LrdDimwit]

And of course, it might throw an error, so you probably also need WeGetSignal()

Re:Attention all personnel

[GooberToo]

I'm not sure what you mean. What I posted was a direct cut-n-paste.

Re:Attention all personnel

[GooberToo]

I'm not sure what you mean. What I posted was a literal cut-n-paste. I changed nothing. Shortly after I saw the text I posted, I also noticed they changed their text. Likely they typo'd after I had already captured the original text I pasted.

If I were from colorado..

[Hatta]

I'd be writing a nasty email right now.

Re:If I were from colorado..

[djh101010]

A more sensible approach might involve writing a well spoken, coherent, concise email. No reason to come across as a raving nutter - if someone is considering the "angry rant" approach, I'd suggest that perhaps what they are doing, is the opposite of help.

Re:If I were from colorado..

Obviously the correct approach is to send them a link to a special web page that will infect their computer if using IE. Once you've taken over their computer, you can use it to change their policies to supporting Firefox.

Re:If I were from colorado..

[Thelasko]

Contact information is here. Don't try to contact them using the link in the summary, it doesn't work.

Re:If I were from colorado..

Secunia states that Firefox3 has less critical issues:
http://secunia.com/advisories/product/19089/

While IE6 and IE7 have moderate problems. Making IE less secure:
http://secunia.com/advisories/product/11/
http://secunia.com/advisories/product/12366/

Firefox3 also has only 1 issue unpatched, while IE6 has 22 open issues.

Re:If I were from colorado..

[Tubal-Cain]

The feedback button doesn't work, anyways.

Re:If I were from colorado..

[ColdWetDog]

The feedback button doesn't work, anyways.

That's just in IE6. Better security that way.

Re:If I were from colorado..

[DanWS6]

I'm too busy laughing about this with my coworkers.

Re:If I were from colorado..

[Culture20]

No reason to come across as a raving nutter

Except that the website itself seems to have been written by a raving nutter with the POINTLESS CAPITALIZATION and silly assertions.

Re:If I were from colorado..

Based on the speed at which things can get fixed by what are normally lumbering juggernauts when they are seen and reacted to by a million people on the Internet, I'd suggest that ten thousand angry rants are often much more effective than hundreds of extremely well spoken, coherent, concise emails.

In this case, a massive spew of vitriolic bile targetting squarely at the fools behind that miserably borked IIS site seems warranted, and is likely to be more effective than some pansy-assed coherent "Dear Sirs, I am writing to engage in a discussion concerning what appear to be some personal biases toward the fine products that Microsoft Corporation produces and their manifestation in a minor slight against Firefox, another fine product, on your web blah blah blah..."

Fuck that. Hoist the pitchforks! Ignite the torches! Geek wrath power ON!

Re:If I were from colorado..

[a_nonamiss]

Why are you linking that stuff here? You think anyone from and IT department that lauds the security of IE6 actually reads Slashdot? ;)

Re:If I were from colorado..

[dotancohen]

And what should that email say, exactly? More specifically, to what URLs could I point the devs to an _unbiased_source_ that IE is insecure and Firefox is secure?

I have this problem with Hebrew websites constantly, in fact, about two hours ago I wrote to a local news website about their IE-only policy. Being able to point them to an unbiased, reliable source to back up the "Firefox is safer" claim would help.

Re:If I were from colorado..

[dotancohen]

Try mailing them colorado . nimp . org
(link broken for reasons you either already know, or don't want to)

Re:If I were from colorado..

[dfsmith]

But don't use Thunderbird (it's a security risk). Outlook is much safer.

Re:If I were from colorado..

[morghanphoenix]

Now if only I could find the warning, don't want to be writing to someone about an incredibly stupid warning unless I've seen it myself. Not that I'm calling the original poster a liar, or have any doubt that something like this is likely to be said, but because before I start sending off messages about something I believe I should see it for myself.

Re:If I were from colorado..

[theshowmecanuck]

McCaffee says it is a dangerous site and Nortonsays it's safe. Go figure.

Re:If I were from colorado..

[mysidia]

Or a message written on physical paper, addressed to their offices, and duplicates addressed to various other offices.

Sure, they can throw away the message if they choose, but they'll generally open it, and see what it is, first.

E-mail's a lot easier to ignore.

Re:If I were from colorado..

[ozphx]

I guess that means that everyone gets pwned.

Use Opera ;)

Re:If I were from colorado..

[slim]

Secunia states that Firefox3 has less critical issues

Sometimes I correct people on 'less' vs 'fewer', and I get the response that it's obvious what was meant.

This is one of those occasions when using the wrong word really does change the meaning. And by golly, I checked the page, and you really did not mean 'fewer' as I had expected.

What Secunia says about Firefox is that the most severe unpatched Firefox bug they know of, they rate as 'less critical'. Whatever that means.

Re:If I were from colorado..

[Ilgaz]

Funny is how politicans miss kudos of 20% for not passing a basic law like ''All Government sites should support all web browsers having basic functionality and properly maintained in terms of security''.

Oh of course, I forgot some company with billions of dollars who actually gets happy when their pyramid scheme is in action like the one mentioned on story.

Re:If I were from colorado..

[dotancohen]

Norton says that nimp.org is safe! Ha!

Re:If I were from colorado..

[wljones]

The State of Colorado has clearly qualified for an In Capus Rectum award. They do not need any help from /.ers. Move on to issues. Stupidity and ignorance are too easy as targets.

Re:If I were from colorado..

[Hordeking]

Fuck that. Hoist the pitchforks! Ignite the torches! Geek wrath power ON!

Will this revolution be televised, or just streamed to my computer?

Re:If I were from colorado..

[ofprimes]

Why are you linking that stuff here? You think anyone from and IT department that lauds the security of IE6 actually reads Slashdot? ;)

I am from the CO state IT department (not a webdev), and frankly I find this thread hilarious! I only use FF and when this site didn't work the other day (I did not heed the warnings), I used my handy FF add-in, IE Tab.

Re:If I were from colorado..

[slim]

[citation needed].

I don't like to think of it as a rule, so much a convention - like all language. But it's a convention worth preserving because without it you lose expressiveness.

'Less' and 'fewer' have different meanings, although the difference is eroding as people increasingly substitute 'less' for 'fewer' (never the other way around. You don't hear 'give it fewer power'.)

If you're telling me that until 'very recently', the two words conventionally had the same meaning, and that a difference was 'invented', I need you to provide me with a reference.

Do you also contend that the difference between 'many' and 'much' is 'invented recently'?

The site looks like...

something i made back in middle school with Frontpage. Credible sources spouting uneducated banter about things they SHOULD know about and having a website look like THAT? they should be ashamed

Re:The site looks like...

something i made back in middle school with Frontpage.

Go to http://www.coworkforce.com/ and check the page source...

Re:The site looks like...

[Camann]

Relevant text in case of site slashdotted:
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 6.0" >
<meta name="ProgId" content="FrontPage.Editor.Document" >
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252" >
<title>Welcome to The Colorado Department of Labor and Employment</title>
<link rel=stylesheet href="/commoncomponents/contentstyles.css" type="text/css">
</head>

Re:The site looks like...

[smchris]

What are the odds it was clumped together by one of the office workers who was told, "We need a website for this program. Who knows some html?"

Re:The site looks like...

[Adriax]

Very poor odds. Working for a similar state government agency I can tell you the process probably involved atleast 10 weekly or monthly meetings to outline the basic content, a 2 month review process on the outline documentation for the page layout, a 6 month bidding process from prospective contractors to create the webpage, another couple months for a cost/benefit analysis, with the final decision that a frontpage license and either a new permanent position or an expansion of duties amendment (with associated raise) to one of their high up IT people would be the answer. Total time to create that webpage, probably a year and a half to two years.

Re:The site looks like...

[a_nonamiss]

I'm laughing my ass off. I've worked with enough government (specifically state) agencies to know that this is not hyperbole. This is probably what actually happened.

Re:The site looks like...

[NateTech]

And one Slashdotting to get my State government to take down retarded information in less than 24 hours! Yay.

Re:The site looks like...

[quacking+duck]

Lest people think only government wastes monumental time and effort towards something relatively trivial, Microsoft spent a full year working on a feature one of its developers claims could've been done in a week.

It's a paradox of project management--too many stakeholders or dependencies, and you're going to bog down in red tape. Too few means that no one cares what your project is and won't waste their time helping you, and it'll never see the light of day. Finding a balance is difficult at best in any large organization.

Re:The site looks like...

[cojoco]

Yes, but websites are all about the *content*, not the HTML!

Who cares how long the HTML took to write?

Re:The site looks like...

[chthon]

I remember in 1990, on my first job, I had to install a harddrive in a PC XT system. When I arrived, I installed it and the people using it where perplexed. Turned out they wanted 128kB extra memory in their 512 kB system, but the people who had to actually confirm the decision and create the order thought that they needed an extra harddrive. This was in a home for the elderly, ran by a mutuality (?).

The people using the computer where very knowledgeable, but they were not given purchase decision, or even the possibility to check the orders.

Re:The site looks like...

[Theoboley]

So they planned meetings to plan meetings about planning meetings about setting up a webpage that looks like horse manure?

Our Tax Dollars hard at work :D

That's just bad

[AKAImBatman]

Well, I'm impressed. I tried to send them a message telling them that they're morons. (Though in a more polite manner.) They got right back to me with this message:

Server Error in '/SKILLS' Application.

Object reference not set to an instance of an object.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[NullReferenceException: Object reference not set to an instance of an object.]
      Skills.Suggestion.doTheSend() in C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\Skills\Suggestion.aspx.vb:137
      Skills.Suggestion.sendEmailLink_Click(Object sender, EventArgs e) in C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\Skills\Suggestion.aspx.vb:127
      System.Web.UI.WebControls.LinkButton.OnClick(EventArgs e) +90
      System.Web.UI.WebControls.LinkButton.RaisePostBackEvent(String eventArgument) +76
      System.Web.UI.WebControls.LinkButton.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +7
      System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +11
      System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +177
      System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1746

Version Information: Microsoft .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433

I love how the site is:

A) Being run off of someone's desktop. Out of their My Documents folder, no less.
B) Gives up the username of the machine without so much as a "how do you do"
C) Shows the world that our amazing admin can't even hack it at C#

I should check the IIS version. I have a sneaky suspicion that it's not up to date. Or maybe take a cue from Bobby Tables and throw some SQL injection attacks at the site. :-/

Re:That's just bad

[interkin3tic]

Maybe they're not morons, maybe it's just that the entire state is on the cutting edge of the latest trolling fads? Like, it's so good at trolling that I can't think of how the joke is on everyone, so...

My head hurts, colorado wins again...

Re:That's just bad

[CannonballHead]

I wonder if the website was hacked already and its a fake ;) :)

Re:That's just bad

[neowolf]

I just did the same thing... What a f*cking joke.

Re:That's just bad

[hansamurai]

For being hosted off of someone's machine, they're doing quite well for being posted on Slashdot.

Re:That's just bad

[castorvx]

On the plus side, his workstation is about to get an HTTP benchmark.

Re:That's just bad

[xrayspx]

Were you using IE to send your comment?

Re:That's just bad

The Skills IT developer is staying more true to form and using VB.

See: Suggestion.aspx.vb

Re:That's just bad

[Gwala]

It's not being run off someones desktop - the developer in question forgot to turn debug symbols off. Debug symbols in .NET include sourcecode filenames and line numbers on Windows.

Re:That's just bad

This is from the site headers:

HTTP/1.1 200 OK
Date: Thu, 05 Mar 2009 22:06:53 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7454

I love how they have the office web server extensions enabled. Ouch.

Re:That's just bad

[Fulcrum+of+Evil]

Maybe qeuc34 is an app user account. Probably not, but maybe.

Re:That's just bad

[Excaliburszone]

The error message says it all: "Server Error in '/SKILLS' Application." It seems, from the way the site is designed to how functional it is that the error in the '/SKILLS' Application is that they do not have any.

Re:That's just bad

[Tubal-Cain]

I should check the IIS version.

6.0 on Server 2003

Re:That's just bad

[jamie]

I should check the IIS version. I have a sneaky suspicion that it's not up to date. Or maybe take a cue from Bobby Tables and throw some SQL injection attacks at the site.

No, you really should not do that.

Sheesh...

Re:That's just bad

[MoFoQ]

that is funny....instead of the ol' "I know you are but what am I?" when called a moron...they go and say "I know we are"

either way, whoever configured the webserver (IIS...ewww) doesn't know how to disable verbose error reporting to prevent sensitive information from becoming public, let alone (and gawd-forbid) set up custom error pages to give a more "professional" and user-friendly error page.

this is what you get from colorado.

Re:That's just bad

[AKAImBatman]

No, I shouldn't. The link to "Bobby Tables" was intended to convey the usual XKCD joke, not suggest that anyone try. I'm very concerned that if I tried, I might succeed. Which would not be a good thing. :-/

Re:That's just bad

[Malc]

But they do have a production server that's printing detailed error messages on the HTTP response. That's a misconfiguration, and an active choice at some point. Presumably debugging system - maybe they don't have test or staging servers.

Re:That's just bad

[davester666]

In other, completely unrelated news, Microsoft announced today that they are opening a new software development center in Colorado.

Re:That's just bad

[Bill,+Shooter+of+Bul]

Oh yeah, I'd love to see them try and apprehend Batman. I mean come on, the cops never catch him.

Re:That's just bad

[rbrausse]

> Sheesh...

nah, the sh-thingy is somewhere else

Re:That's just bad

[a_nonamiss]

"Please come with us Mr. West."
"But I don't even have a computer.

Re:That's just bad

[pembo13]

That doesn't mean for sure it isn't on his desktop.

Re:That's just bad

[changa]

More than likely it is not running off of a desktop.

Visual Studio tends to embed the project information and that is the information of the developer.

Still rather bad they had that let the debug information hit the web user.

Re:That's just bad

[Simetrical]

It's not being run off someones desktop - the developer in question forgot to turn debug symbols off. Debug symbols in .NET include sourcecode filenames and line numbers on Windows.

I assume that the grandparent thought it was someone's desktop because of the "C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\" path. It looks like a developer is keeping the project in their own documents and running it straight from the source code there.

Re:That's just bad

[Bill,+Shooter+of+Bul]

I'd agree its usually less funny than it thinks it is, sometimes more poetically clever than you think, and often more profane than necessary.

Re:That's just bad

[Sentry21]

I suspect someone did something naughty, because now the entire site is down. I guess whoever designed it doesn't know that much about security after all.

Re:That's just bad

[pyrrhonist]

No, you really should not do that.

...because serious business of this nature is a job for 4chan!

Re:That's just bad

[nametaken]

It's not C#, it's VB. Notice that the codebehind files have the extension .vb?

Suggestion.aspx.vb

Re:That's just bad

[nametaken]

Also, the nasty part is that the exception + stacktrace was even visible. You shouldn't have seen that, and you'll notice that the site is now showing the CustomErrors notice instead, as specified by the web.config. It should really have SOME error handling that takes the message and stacktrace and puts it somewhere for them to read (the system's logs) and notifies someone that something went wrong. Then you should see a "Sorry, something b0rked" message instead.

Re:That's just bad

[Raenex]

It's too damn preachy. Dilbert manages to make a point and actually be funny in a cute and charming way (plus no stick figures).

Re:That's just bad

[nametaken]

Also worth noting that the bulk of the site is done in classic asp, not asp.net with VB.NET behind it.

Re:That's just bad

[Bill,+Shooter+of+Bul]

Preachy? really? Haven't seen that side. What is he preaching for? Nerdosity? Sexuality? Malevolent behavior? Maybe Idiocy.

Re:That's just bad

[Slashcrap]

No, you really should not do that.

Sheesh...

No, we only condone DoS attacks here at Slashdot.

Re:That's just bad

[Killjoy_NL]

Fantastic, in my mind I even heard that in his wonderful voice :D

Re:That's just bad

[cheekyboy]

You think the russians or chineese care ?

They will be there in 2 seconds.

What can the state do? Launch ICBMs?

Re:That's just bad

[glennpratt]

No, this is just where they compiled it.

aspx.vb must be compiled, and where it was compiled is not a problem. The problem was leaving debugging messages enabled in the .NET application which revealed all that info to the world.

Re:That's just bad

[Raenex]

What is he preaching for?

His opinion on life.

Re:That's just bad

[Zantetsuken]

no, that's still evil... we condone much worse - socially engineered DDoS attacks, now with angry mob potency!

Re:That's just bad

[quonsar]

"The Colorado Department of Labor and Employment regrets that this service is not avaialble at this time."

Re:That's just bad

[Bill,+Shooter+of+Bul]

Well, that's clear as mud. Thank you for taking the time our of your busy schedule to clear that up.

Re:That's just bad

[Raenex]

Have you ever heard the expression "preaching to the choir" when somebody is advocating their opinion? It's looking at some facet of life, saying "this is stupid", or "this is the way it should be", or whatever. I already mentioned Dilbert. It manages to make a point in a way I consider cute, charming, and interestingly drawn. With xkcd I can just imagine the nerd behind it and I get tired of "listening" to him.

Re:That's just bad

[Bill,+Shooter+of+Bul]

Ok. I understand. I wouldn't consider that Preaching. But I could see how you could. Although, I'd say he's doing more than just preaching to the choir. In some respect, he's defining himself or his characters to be the gold standard as opposed to pointing to something outside of himself (as a good preacher preaching to the choir should). I suddenly like it a lot less now. Still not a Dilbert fan. I think I'll have to stick to Garfield minus Garfield.

Colorado

[neowolf]

I'm from Colorado. Most of the time I feel the State Government here is on crack. If I write them an email using Thunderbird, I wonder if it would be rejected because it didn't come via Outlook?

Re:Colorado

[morghanphoenix]

I did live in Colorado in the early 90s, really liked it then, but stopping back by last year I had to wonder if the whole state had gone utterly mad. I'd been planning on moving back there, but after a few weks of visiting I think I'd rather not.

What do you expect...

[dark404]

What do you expect from a state who uses 128 characters to describe a perspective hire's education.
The Education Property has been increased to 128 characters due to popular demand. Thanks for your patience.

Re:What do you expect...

[Gat0r30y]

Teachers here in CO often have bumper stickers proclaiming: Welcome to Colorado, 49th in funding for schools. Perhaps there is a correlation, then again, I was educated exclusively in this state so maybe I'm just an idiot.

Re:What do you expect...

[Bob+Uhl]

Teachers here in CO often have bumper stickers proclaiming: Welcome to Colorado, 49th in funding for schools.

I've lived here for over a decade and have never seen one of those. Moreover, the numbers show that's clearly not the case.

Re:What do you expect...

[Gat0r30y]

Where are you at around here? Ever been to Boulder? It was ~ 10 years ago I'd say that one of my HS teachers handed them out to our class in an attempt to recruit us to get our parents to put them on their cars.

Re:What do you expect...

[dontmakemethink]

Teachers here in CO often have bumper stickers proclaiming: Welcome to Colorado, 49th in funding for schools.

I thought it read "51st in fundign for skools"

Re:What do you expect...

[WraithCube]

Well today thanks to popular initiatives the the Colorado legislature is not allowed to raise spending by more than the inflation rate + 1%, but required to raise spending on k-12 education by the inflation rate + 6% iirc(might be 3%). So they just decide cut university funding. Some of the k-12 districts actually have some of the highest salaries for teachers though.
Been in Colorado for 8 years and in Boulder for 2 and I faintly remember seeing one of those, but not in years.

Re:What do you expect...

[a_nonamiss]

The PDF you linked looks like stimulus dollars from DOE given to states. I know nothing specifically about school funding in CO, but I'm guessing that Federal funding is a relatively small part of the big picture. They could still easily be 49th in per-student funding. Maybe that's why they got so much stimulus money.

... 1 hour later ...

I did a little research on the Internets, and turns out per-pupil spending is hotly contested. In my search, no less than 12 states proudly claimed to be in the bottom 3 in per-pupil spending based on whatever data they could find to support their case to get more money. Interestingly, Colorado didn't seem to be one of those. Utah, however, was consistently last so apparently they must hate education there. Either that, or they've figured out a way to do it cheaper. East coast schools are highest, probably because a box of chalk and a ream of paper cost $426.39 in Manhattan. I'd be interested to find a ranking of funding adjusted for cost of living. At any rate, according to this set of rankings from 2001-2002, Colorado is number 34.

Re:What do you expect...

[zigmeister]

Welcome to Colorado, 49th in funding for schools.

Way to rub it in #50's face. Completely insensitive.

Re:What do you expect...

[Brandybuck]

Funding has very little correlation with the quality of education. California is bankrupting itself funding education, yet is quite lackluster in its educational quality.

Re:What do you expect...

[Alsee]

The Education Property has been increased to 128 characters due to popular demand.

I hear they increased the chocolate ration too.

-

Re:What do you expect...

[n3tcat]

Welcome to Colorado, 49th in funding for schools.

Moreover, the numbers show that's clearly not the case.

Um, Bob from CO, it's 6th from the top because the list is in alphabetical order. ;)

Re:What do you expect...

[Just+Some+Guy]

Welcome to Colorado, 49th in funding for schools. Perhaps there is a correlation, then again, I was educated exclusively in this state so maybe I'm just an idiot.

Bumpers in Colorado must be longer than the ones we have here.

Re:What do you expect...

[ujoronen]

I know a teacher that was going to put that on their car, but decided not to. What's the point if the majority of the graduating class can't read it within the time it takes for a light to turn green?

Re:What do you expect...

[ujoronen]

Quite true. Most teachers here spend about 10% of their day teaching. the other 90% is state and federally mandated paperwork, most of it relating to "no child left behind".

Nice idea, but if the teachers spend more time documenting than doing, there will be predictable results.

...besides, what if Johnny is a real moron? The classmates must trudge along, being bored and unchallenged. Admittedly, this is an oversimplification, but the results are clear.

Re:What do you expect...

[Brandybuck]

Need funds to fix up the school buildings? Fire the bureaucracy. If you want a standard uniform education (no-child-left-unsheepled policy) then create one. But beyond that the only thing bureaucrats can manage to do is shovel your dollars into a furnace.

.Net error when submitting feedback

[volfreak]

It seems that the OIT can't even get a .Net application to properly handle feedback. Upon submitting, I get "Server Error in '/SKILLS' Application. Object reference not set to an instance of an object." That really instills confidence in their 'decision'!

But does the site still WORK with Firefox?

[dfm3]

If not, then I'd be a little annoyed if I had to use the site. If it does, then what's the problem? Just ignore the notice and go about your business.

Seriously, is this the kind of "news" that passes as a slashdot article now?

Re:But does the site still WORK with Firefox?

[Aelyew]

Actually the site doesn't work whether you're using Internet Explorer or Firefox. It looks worse with Firefox because they are using some of the non-standard display tags that cause components to overlap if using a standards compliant browser. Regardless of the browser used, the result is the same: failure.

Re:But does the site still WORK with Firefox?

[Chabo]

Can I use Firefox or another Browser?

No! For security reasons, and some significant processing issues as well, the only supported Browser is Internet Explorer Release 6 or later.

Re:But does the site still WORK with Firefox?

[snl2587]

No! For security reasons, and some significant processing issues as well, the only supported Browser is Internet Explorer Release 6 or later.

So I'm to assume they don't know the difference between client-side and server-side scripting?

Re:But does the site still WORK with Firefox?

[AKAImBatman]

So I'm to assume they don't know the difference between client-side and server-side scripting?

They wrote their .NET code in Visual Basic. What did you expect?

Re:But does the site still WORK with Firefox?

[Chabo]

To be fair, writing .NET code in VB is exactly the same as writing it in C# -- compile them both and you get CIL code. Although I agree that these guys are likely incompetent, it's not fair to say "anyone who writes in VB is incompetent at programming".

Re:But does the site still WORK with Firefox?

[Xtifr]

it's not fair to say "anyone who writes in VB is incompetent at programming".

It may not be fair, but statistically speaking, it seems to be accurate within epsilon. A few (very few) outlying data points don't invalidate the general conclusion. :)

Re:But does the site still WORK with Firefox?

[ozphx]

Yeah thats a fair point. VB.Net is an equally capable CLR language. The median developer ability however...

Re:But does the site still WORK with Firefox?

[DaVince21]

It's actually good that this is on Slashdot, because now people are continuously making fun of their site and hoping they'll educate themselves a bit. Slashdot is not ALL news, I expect some humor and outrageousness too.

Nice quote

[SnarfQuest]

It has been decided

I wonder who decided that? Does their name start with 'Micro' and end with 'Soft'?

Re:Nice quote

[inthedump]

Maybe their size is "Micro" and its always "Soft".

Re:Nice quote

[CannonballHead]

Uh, very doubtful. More likely, it was the same person that can't even program a feedback thing correctly, and is running their webserver from My Documents ...

This really doesn't have a whole lot to do with Microsoft or IE. This is an "ignorant person" story. Unless you have some link of where MS said Firefox was unsafe, as well as all non-IE browsers?

Re:Nice quote

[fuzzyfuzzyfungus]

A correlation has been observed between situations in which the passive voice has been utilized, and utter asshattery.

Re:Nice quote

[Midnight+Thunder]

I wonder who decided that? Does their name start with 'Micro' and end with 'Soft'?

Chance it is simply a Microsoft Fanboy, who derides anything else. Then again, the site look like it was written in 10 minutes flat, cutting the most corners possible.

Re:Nice quote

[Mr.+Slippery]

A correlation has been observed between situations in which the passive voice has been utilized, and utter asshattery.

Indeed. Politicians who say "mistakes were made" have been cited as evidence.

Re:Nice quote

[turbidostato]

"This really doesn't have a whole lot to do with Microsoft or IE. This is an "ignorant person" story."

It has a lot to do with Microsoft then. Do you relly thing there would be a lot of "ignorant persons" serving web pages out of their own personal VMS or AIX? Microsoft's best bussiness choice was developing tools that seemed so easy that even "ignorant persons" could achieve difficult tasks. Now you have "ignorant persons" atempting difficult tasks and miserably failing at it.

Re:Nice quote

[DaVince21]

No, but I'm sure I have some kind of link where Microsoft acknowledges how unsafe IE6 is, and that's the main reason why they unlocked IE7 for everyone to download...

Their FAQ page...

[gardyloo]

... has an answer to "Why is the sky blue?". It's mostly right, without being informative at all. Of course, I saw that with Firefox, so maybe it'd have been a lot better of an answer if I'd used IE 6+.

Re:Their FAQ page...

[memorycardfull]

http://www.sciencemadesimple.com/sky_blue.html The answer to "Why is the sky blue?" is reproduced from copyrighted material at sciencemadesimple.com

Re:Their FAQ page...

[residieu]

Because it isn't green?

Re:Their FAQ page...

[egcagrac0]

Just shut up and eat your vegetables. Worry about philosophy when you're older.

Who's on first?

[esocid]

Must use IE. Windows is unsafe. FF is not.

Head asplodes.

Re:Who's on first?

[Tubal-Cain]

Use Safari, Chrome, or Opera!

Re:Who's on first?

[Zumbs]

No, no, no! Use Lynx!

Re:Who's on first?

[spartacus_prime]

What, no love for Nexus?

Re:Who's on first?

[mcgrew]

What's on second?

Windows only?

[Leibel]

And while you're there, don't use OS X, Linux, iPhone or anything other than windows to access this site, because they're all unsafe because they don't use IE6.

Re:Windows only?

[khellendros1984]

Unless you run that Wine script that lets you install the newer IEs on Linux, of course. Then you're still screwed, because EVERYONE knows that ONLY IE6 and Windows together will protect you.

The Decider

[janeuner]

He decided.

Another reason

[citricshooter]

From their FAQ: "Can I use Firefox or another Browser? No! For security reasons, and some significant processing issues as well, the only supported Browser is Internet Explorer Release 6 or later." I suspect the processing issues are the real reasons and they are trying to scare people into not using Firefox so they don't get the phone calls about their site not working.

Re:Another reason

[shutdown+-p+now]

If their HTML/CSS is so sloppy that it doesn't render properly in browsers other than IE, I'm eagerly looking forward to it breaking in IE8 as well, when it gets released. I wonder what other moronic explanation they will come up with when that happens, since "for security reasons" would hardly fly anymore.

Re:Another reason

[Tubal-Cain]

I like paying taxes. With them I buy civilization.

Beyond the Sword?

Re:Another reason

[shutdown+-p+now]

Sorry, I didn't get the reference. What do you mean?

Re:Another reason

[jabithew]

It's the latest expansion of Civ4. Or if it isn't then I'll see you all in the winter.

Here's How to contact them

Email:

oit@state.co.us

Phone:

303-866-6060

Fax:

303-866-6454

US Mail:

Governor's Office of Information Technology

1580 Logan St., Suite 200

Denver,CO 80203

Re:Here's How to contact them

[Paul+server+guy]

Phone:

303-866-6060

And, get this, We /.ed the phone as well!

"Please leave a brief message and your call will be returned in 48 hours"

What a riot!

I've worked with those people in the past... Morons.

PEBKAC

[Devil's+BSD]

Well, they're mostly wrong, but partially right. All things considered, the biggest security risk isn't the web browser used, it's the incompetent organic mass between the keyboard and the chair.

It still amazes me how many people really think they're the 1,000,000th visitor to a site, and that they've actually won something because of it.

Re:PEBKAC

[residieu]

Yeah, you're not really a winner until you successfully punch the monkey.

Re:PEBKAC

[sincewhen]

I thought the expression was "Spank the monkey."

Re:PEBKAC

[ScrewMaster]

it's the incompetent organic mass between the keyboard and the chair.

Or as Arthur C. Clarke once put it, "radiation-sensitive bundles of unstable carbon compounds."

Re:PEBKAC

[ozphx]

Sweet! Hang on...
.
.
.
. ... alright wheres the prize?

Re:PEBKAC

[jaggeh]

it's the incompetent organic mass between the keyboard and the chair.

Or as Arthur C. Clarke once put it, "radiation-sensitive bundles of unstable carbon compounds."

or as star trek TNG put it in S1E17 "ugly bags of mostly water"

"It has been decided"

[Banichi]

I love seeing statements like this from nominal authority figures.

'Look on my works, ye Mighty, and despair!'

Re:"It has been decided"

[Qzukk]

I'm despairing, all right.

Re:"It has been decided"

[blueZ3]

So Colorado's OIT hired Ozymandias?

Re:"It has been decided"

[ColdWetDog]

So Colorado's OIT hired Ozymandias?

Quite possibly. The state's IT infrastructure seems to come from that general time frame.

Re:"It has been decided"

[maugle]

I love seeing statements like this from nominal authority figures.
'Look on my works, ye Mighty, and despair!'

Off-topic, but:
You know, I always figured that Ozymandias knew what was going to happen to his monuments, and was leaving that as a message to the pompous leaders of the future: "You think you're so great? I was 100 times better than you, and look what still happened to me! You'll be gone and forgotten in the blink of an eye!"

Re:"It has been decided"

[idlemachine]

I worked for a government department where the head of IT Security told me that flat telnet was "more secure" than SSH.

It took me a while to realise that when he said something was "secure" he really meant "I don't understand the alternatives". This seems to be a similar situation.

Re:"It has been decided"

[Slumdog]

I'm despairing, all right.

Server Error in '/SKILLS' Application.

Contact info for OIT

[XenonOfArcticus]

http://www.colorado.gov/cs/Satellite?c=Page&cid=1165692953912&pagename=OIT-New%2FOITXLayout
oit@state.co.us

Re:Contact info for OIT

you don't need to go that far ... just click "need help" and see all the pretty email addresses in the drop down boxes - i guess they weren't getting enough spam already ...

From the site

[symes]

From the site:

"Questions and Answers"

"Can I use Firefox or another Browser?"

"No! For security reasons, and some significant processing issues as well, the only supported Browser is Internet Explorer Release 6 or later."

"What if I have a Skill that isn't listed?"

"The "Suggestion" tool enables you to communicate directly with the Administrators. We will research your proposed Skill with your input and agreement."

I'd like to learn how to make web pages. Think I might see if I can tap these guys expertise. Anyone else fancy coming along?

Re:From the site

[CannonballHead]

I wouldn't mind learning how to write English so well, especially capitalization. I have a tendency to capitalize Proper Nouns even if they aren't really Proper Nouns at all, but just normal Nouns. Oh Well. I Guess it Fits Well with my 128 character Education History, Too?

Re:From the site

[blueZ3]

This is a Government Thing, like the noun, descriptor naming conventions

When I was in the Army, I had a really, really green 2nd Lt. tell me that he wanted a drawing of the company arms room (armory) that showed where everything was located. I tried to talk him out of it, as it was a 15x30 room with open racks that were all visible from anywhere in the room and a single set of locked cabinets. He insisted.

So I painstakingly drew up a "map" of the room using all the correct terminology: rack, weapons, upright rifle holding, M-16/M203; rack, weapons, upright pistol holding, M-9; desk, field portable

When the captain came by and asked me what I was working on, I showed him and got my revenge. :-)

Re:From the site

[SemiSpook]

Gee, sounds like my old office. You know, the place that didn't let me access webmail, but could get to /. with no issue. Yeah, they were insistent on using IE6 as well as, and I kid you not, Netscape 7.2. When I arrived there, everyone was bitching about the fact the IT folks had recently REMOVED FF from the standard desktop image for whatever reason.

It's a freakin' IC component. You would think that they would have enough smarts to customize FF to ensure that nothing got through the browser. Dolts.

Mozilla

[zogger]

Mozilla is an actual bona fide business allied with google among others, and as such I hope they sue the living snot out of that agency for making such a public claim. This sort of thing is no freakin joke. If they do, I would be interested to see what comes out in discovery with the actual human bureaucrats involved in setting this policy and posting that.

Re:Mozilla

[Simetrical]

Mozilla is an actual bona fide business allied with google among others, and as such I hope they sue the living snot out of that agency for making such a public claim. This sort of thing is no freakin joke. If they do, I would be interested to see what comes out in discovery with the actual human bureaucrats involved in setting this policy and posting that.

Do you really think it would be good if corporations started suing people who claimed their browsers were unsafe? If so, I can sure think of one browser vendor who has a heck of a lot of people to file complaints against.

Besides, it's probably protected free speech.

Re:Mozilla

[Darkness404]

This is equivalent though to the highway patrol saying NO! You can't drive a Toyota on this road! Because Toyotas are less safe then Ford cars! All the while giving no answer to facts.

It would be one thing if it was an idiot on a blog, but when the idiot in this case is a state government and the blog is a taxpayer funded website.... Things start to get interesting.

It's a trap!

[retroStick]

So IE was the more secure browser all along! Why didn't I see this twist coming?! Everyone stop using Firefox NOW! Mozilla are lulling us into a false sense of security!

Come back IE, all is forgiven...

That's the opposite of what the DHS said

So now Colorado thinks they're smarter than the feds?

Not long ago the DHS said to avoid IE and use firefox for security reasons.
http://www.google.com/search?q=dhs+avoid+ie

Re:That's the opposite of what the DHS said

[PianoComp81]

It's all about states' rights. States must be smarter than the federal government. Therefore, IE is safer than Firefox and DHS is incorrect.

Re:That's the opposite of what the DHS said

[JoCat]

Not to defend them, but a lot of people think they're smarter than the Feds. A lot of people are right, too.

Re:That's the opposite of what the DHS said

[symbolset]

Your posts has two statements. Each might be correct, but adding the two statements together yields a logical error in that the intersection of sets (A:a lot of people) and (B:a lot of people) is null in the specific case cited.

Re:That's the opposite of what the DHS said

[cheekyboy]

Why cant google put that add on the front page of google.com

MS would shit their pants

"Only terrorist supporters use IE, IE gives you aids and pink eye"

Re:That's the opposite of what the DHS said

[MBGMorden]

Those claims are demonstrably false though. However, if Google posted something very similiar to what's on Colorado's page about IE, say:

"Please do not view this page with Internet Explorer as it poses a security risk."

Then MS wouldn't have much of a leg to stand on. It's certainly not demonstrably false - and it's not for any browser. EVERY browser has security issues. Safari, Firefox, IE - all of them. How common and severe they are, along with response time, is what matters. You'll not find any falsehood with a statement claiming that a particular one has security issues though.

Re:That's the opposite of what the DHS said

[JoCat]

I don't think it's a logical error. It's ambiguous grammar. For that I apologize.

Let A be the set of officials in Colorado.
Let B be the set of officials in the Department of Homeland Security.
Let C be the set of Americans constituted in the umbrella statement, "they". (As used in "They say," "They'd like you to believe.")

I do not wish to defend a, where a is a member of the set A.

There exists a nonempty subset of C, C_1 such that for all c in C_1, and for all b in B, c believes himself/herself to be smarter than b.

Re:That's the opposite of what the DHS said

[Bob+the+Super+Hamste]

It's not hard to be smarter than the DHS. I think the jar of mayonnaise in my fridge is smarter than them. But that still doesn't make the statement false.

Re:That's the opposite of what the DHS said

[mattwarden]

Obviously, CO is incorrect. But I do get annoyed when people assume the federal government is more capable than a state government. That's half the problem with this country anymore...

April Fool's?

[oddball33]

Isn't it a little early for an April Fool's joke? If they're serious, then they must have been smoking something really good.

Re:Why the assumption that the claims are uneducat

[h4rr4r]

So perhaps there is an issue with Firefox vs the known issues with IE6.
That seems like some crappy logic there slick.

Re:Why the assumption that the claims are uneducat

[neowolf]

Based on the look-and-feel of the site, and the great error message (already posted by someone else) if you try to send them feedback- I'd say they are completely uneducated.

It honestly looks like the site was done using the first version of FrontPage, on a very-poorly configured IIS that appears to be running on someone's desktop.

The really sad thing this is supposed to be for the Colorado State "Office of Information Technology". I live in Colorado, and this is REALLY embarrassing.

I AM from colorado..

[WindBourne]

and will be voting out Ritter as long as the neo-cons are not ran again.

Re:I AM from colorado..

[charleste]

Huzzah from Fort Fun.

Re:I AM from colorado..

[WindBourne]

Lived there for 15 years (79-95). Did 2 degrees there, opened CBP, and worked a number of the bars such as Wash bar. In fact, is it still there? Also worked at CDC as after switching areas, at HP. Ft. Fun is STILL a good place, though the police leave a LOT to be desired. I still read about the garbage going on there. We had a wicked idiot there by the name of Ernie Telez.

So, what are you doing there? School?

Re:I AM from colorado..

[charleste]

School finished long ago for us. Just doing the Birth, School, Work, Death thing. Fort Fun is a nice boring place to live as a grownup. Or, as one of my friends says: The Fun Never Starts! lol

Re:I AM from colorado..

[Verdatum]

How a comment got through with this subject heading and without "you insensitive clod!" I'll never know.

Slashdotted?

[CannonballHead]

http://oitplaza.colorado.gov:8080/oitplaza is unresponsive. (link taken from their "Home" link...)

Re:Slashdotted?

[greyparrot]

I think the production guys took it down for a while. The rest of the site works pretty well in FF on the Mac. The source does indicate it was all built in FrontPage 6.0, but probably the IT people fixed it up.

Seems they don't know how to layout it for firefox

[roguegramma]

Seems they don't know how to layout it for firefox ..

MUST.. not.. RESET.. everyones PASSWORD for.. THEIR.. EID..

Figures

[supersloshy]

This does kinda seem obvious since they have "Why is the Sky Blue" listed as a FAQ question of all things.

Slashdotted before FP!

[ecklesweb]

What's bad is that you managed to single-handledly introduce the amazing admin to the slashdot effect.

Yes and no

[Pagey123]

Part of my day job consists of administering a small Active Directory domain (25 nodes). And of course I can craft all sorts of nifty GPOs to control the behavior of IE on the clients within the domain. So, from that point of view, one might be able to argue that IE is in fact "more secure". Or, more controllable, perhaps.

Now, I'd personally prefer to have FF on all the clients and have FF controlled via a GPO, but to my knowledge that is not possible. If it is, someone please point me in that direction.

Re:Yes and no

[h4rr4r]

Build your own firefox installer with whatever changes you need and then make an msi and distribute that.

This is so easy even a windows admin can do it.

Re:Yes and no

[Pagey123]

That's an excellent idea! Though it would be nice if you could use a GPO to make changes "on the fly," so to speak. Our core processor use a certain web based app that simply refuses to work with a couple of GPO settings, and it's nice to be able to turn those on/off without reinstalling any software. But I just don't see MS designing in control for FF.

Re:Yes and no

[h4rr4r]

Very true. GPO is just a very limiting way to do things in general. Lots of flash, very little substance, and nothing that could not be done in another automated way if they just used text config files.
Such is the MS way.

Building MSIs and pushing them out via AD, works very well.

Re:Yes and no

[h4rr4r]

Certainly.

http://howto.gumph.org/content/customize-firefox-installer/

You may also contact me at h4rr4rATgmail(dot)com.

Re:firefox and mac

[PIBM]

The correct comparison would be this.

Gun #1: Kills each and every gunman when they don't expect it. You are not even pressing the trigger. But you sure as hell do know they kill the gunman.

Gun #2: You know that a gunman can be killed once in a while, but when it happens somebody will deliver you with upgraded guns preventing it from happening again in a small amount of time.

TY, I'll keep FF

What an epic fail

[jmorris42]

Not only is the site horrible broken, poorly designed, etc. The home link goes somewhere that doesn't exist.

The feedback form is broken and there isn't a working email address anywhere to be found on the site.

EPIC FAIL!

The only hope would be that it hasn't really gone live yet and that looks like the most probable explanation. Strip away the URL to the main server and there isn't an obvious link to /Skills/* to be found.

Re:firefox and mac

[h4rr4r]

Ok, so explain why apache is less exploited than IIS. It is used far more.

Your little idea is cute and has been proposed by many before, and just like then it is wrong.

Also you should investigate your keyboard it seems to be broken.

Re:firefox and mac

[Qzukk]

The site does not say "firefox may not be secure" they're saying "firefox poses a security risk". One of them is a statement of fact that they do nothing to back up, the other one is an opinion which may or may not be valid, but is theirs to hold.

I wonder if what they meant was "our site looks like crap in firefox so please don't use it". Or maybe by "poses a security risk" they mean "the secret fields we spent hours figuring out how to hide behind other stuff refuses to stay hidden in firefox, so using it is a risk to OUR security".

Re:Firefox still has a ways to go

[h4rr4r]

Build your own, numbnuts.
If you can't do that you don't deserve even a windows admin job.

Why?

[Greyfox]

I can just drive down there and slap them in person...

Re:Why?

[Mozk]

You can't have a tie at 50th place with only 50 states. You should've just said Texas.

Re:Why?

[colinrichardday]

Is he counting DC?

Re:Why?

[WindBourne]

yes; most reports add DC in and count it as a state.

Re:Why?

[WindBourne]

TO be honest, it really did not matter. I was simply being funny. Mississippi is almost certainly int the bottom 3, while Tx trends in the bottom 5. But since CO and Tx have a running thing between them (ever since we kicked their butt in the civil war), I was simply using them.

Another IE fan who does not know...

[dysmey]

how easy it is to add the User Agent Switcher to Firefox and set Firefox up to pretend it is IE6.

But then, anyone who does know would not entrust any kind of data to someone's unguarded desktop workstation (as opposed to, say, a firewalled server). It doesn't speak well, not just to the IE fan but also to the State of Colorado for being so cheap as to hire him in the first place and make him use his workstation as a OIT server.

The Firefox warning has been removed

[cnock]

Looks like they just took the Firefox derision off the page. Way to go Slashdot!

Re:firefox and mac

[Fulcrum+of+Evil]

you tend to choose gun #1.

No, you requisition some guns, get manufacturers to submit bids and test their samples. Then you screw it up anyhow by not shipping cleaning kits with the version 1 of whatever you choose.

ie and microsoft are more "battlehardened" than firefox or mac

Yeah right. IE is swiss cheese and I won't use it period. FF leaks memory, but it doesn't have any serious exploits that I've run into, despite being at a probable 10-20% marketshare.

Stupid is as stupid does.

[geekmux]

No, no, no, you guys are getting it all wrong. Firefox does not pose a security risk, Firefox IS the security risk, you see? This setup is so screwed that a Firefox 2 browser with a handful of plugins could probably bring it down.

THAT is what they fear and warn against.

In the meantime, please feel free to use the rather benign (and broken) IE6 to your hearts content. After all, Windows products can't hack Windows servers, right?

Uh, right?

In other news...

[Daswolfen]

... the entire State of Colorado's network shutdown today when every machine became infected with Trojan.BHO. When asked what was the source of the rampant spread of the trojan, the network administrator was at a loss because the state only allows Internet Explorer.

In related news, Colorado has begun issuing IOUs for state income tax refunds because the entire treasure was transferred to Nigeria in what the Office of Technology has determined is a sound investment.

Group Policy Settings

[spinkham]

Honestly, IE 7 is not much less safe then Firefox, and can be locked down via Windows group policy. I can understand how Firefox can be considered a security risk, as this sort of group settings changing is more difficult.

IE 6 is another story, and should be put out to pasture as soon as possible.

I'm no lover of Microsoft or IE in particular, but I can understand this decision. But please, really, let IE 6 die...

Re:Group Policy Settings

[h4rr4r]

Build your own firefox installer, then make an msi and deploy via AD.

So simple even a windows admin could do it.

Re:Group Policy Settings

[Ilgaz]

Well Windows admins don't do it so Firefox should give up this childish behaviour and ship native MSI packages. They _are_ shipping a product for Windows, that is the truth. It doesn't matter if they even use PERL for installation, it is really Windows.

MSI is documented and even have open source packagers coming from MS employees themselves.

Soon or later, OS X may need a .pkg (OS X native method) too, depends on the corporate acceptance. You will see the same story will happen again, they will insist people drag and drop from disk images while it is not viable in networks or even large home networks.

Re:Group Policy Settings

[Dynedain]

Firefox already has a drag-n-drop installer for OSX, so they are already doing it the OSX way. And they do it the Linux way by making it available in the package libraries. The *.exe installer is already a Windows-only way, so just take the plunge and do it as an .msi already.

Re:firefox and mac

[DramaGeek]

In your proposed situation, remember that the troops get to choose which gun they want. You just make the battle plan. Only 2/3 of the troops are using Gun #1(according to Wikipedia, YMMV.)

The real choice is, do you adjust your battle plans to include all of your troops, or cut your force by one third?

What did you expect?

[Roadkills-R-Us]

Given what I've heard about this state from people who live there, thus isn't nearly as insane as a lot of what the CO government does. Which is one reason I hope never to live there.

Message from the State Chief Information Officer

[terminalhype]

Message from the State Chief Information Officer
Michael Locatis, State CIO
"As the Chief Information Officer for the State of Colorado, my role is to provide the momentum and strategy for wide-ranging activities from promoting high end research and development of cutting edge technologies to creating strategies for service delivery supporting the day to day operations for the State of Colorado - thereby making a difference in the lives of the people of Colorado and delivering Governor Ritter's 'Colorado Promise'."

http://www.govtech.com/pcio/articles/386146
Colorado Gov. Bill Ritter and CIO Mike Locatis Launch IT Consolidation
Aug 21, 2008
Before his Cabinet appointment in Colorado, he was CIO of Denver, where he showed his centralization skills (and caught Ritter's attention) by consolidating 20 separate municipal and county departments into a single, citywide IT agency. It's also where Locatis learned how fragmented the state's IT systems were.

"It was while I was working in local government that the issues surrounding state IT were immediately apparent because they impacted how services were delivered at the local level," he said.

Before becoming a public-sector CIO, Locatis was the senior director of enterprise technology strategy for Time Warner Cable Inc., part of Time Warner Inc., a Fortune 50 company and the country's largest entertainment firm. Locatis honed his skills at aligning customer-service delivery systems, standardizing desktop capabilities and managing tech and support teams for huge enterprise resource planning applications.

Despite Locatis' knowledge of the state's IT systems' problems, he wasn't expecting the mammoth job he faced. "It was significantly siloed and fragmented IT delivery, which was a root cause of a lot of the issues - including inefficiencies, a lack of leveraging an enterprise approach and just about every [IT] department in the state doing its own thing," he said.

the sad truth of the matter

[Joe+Snipe]

The state of colorado made attempts to be "ahead" of the curve when it came to an online presence (see also denvergov.com and the atrocity that is netfile; we were one of the first states to have online tax filing). Unfortunately they hired people who knew ass all about javascript (or proper DB handling) and no one knew enough to stop it in it's infancy. Now it has snowballed into something too costly to replace and too borked to simply repair.
I imagine someone told some user that ff was a security risk, rather than go into the technical details of why the site falls to crap on browser it was never tested for. Eventually, through what I like to call "the wiki effect" that same information got passed back as fact to the current web coders who promptly put up a notice to inform their end users.

Even still, fail.

Other things that I could snoop from Google

[sundarvenkata]

Email template http://www.coworkforce.com/skills/emails/email1.htm Some kind of a translation look-up table: http://www.coworkforce.com/skills/data/wipxls.txt Set of skills: http://www.coworkforce.com/skills/data/skills.txt

Re:Other things that I could snoop from Google

[KingAlanI]

All of those links give me 404 errors.

Re:Other things that I could snoop from Google

[symbolset]

You gotta be quick. They're reading this page and fixing stuff while we make fun of them. That keyboard must be humming about now.

Which is kind of a strange way to do website security, if you think about it. All of that information is probably still available in the Google cache, or at least on the wayback machine.

HTML compliance

[Tubal-Cain]

That site looks horrible. Ironically, according to the W3C's "Markup Validation Service" it has 21 errors with it's HTML. Less than Google's homepage.

Re:HTML compliance

[KingMotley]

Yeah, ironically, this slashdot page has 208 errors with it's HTML.

Re:firefox and mac

[rochberg]

First, to suggest that Firefox is "unproven" is a bit disingenuous. According to http://marketshare.hitslink.com/firefox-market-share.aspx?qprid=0&sample=28, Firefox's market share is now over 20% (compared with IE's 67%). That's far from a trivial number of users, and I'm sure there are plenty of bad guys out there taking aim at Firefox. But that's all flame war garbage and irrelevant to the current discussion.

The problem is that you have a governmental organization making a vague, unqualified statement that is completely unnecessary. The site's policy should state, "At this time, we only support IE version 6 and above." There is absolutely no justification for stating that, "Mozilla based, non-IE browsers pose a security risk." (What about non-Mozilla-based non-IE browsers?) The fact of the matter is that any piece of software that interfaces with untrusted servers (that includes ALL web browsers) is bound to pose a security risk. To suggest that IE does not propose a security risk (which is implied by the FAQ statement) is intentionally misleading. And THAT is the cause for the uproar.

Re:firefox and mac

[iNaya]

If I were that general, I would make sure that gun #2 was tested. Anyhow, Firefox is very well tested, and even better than IE, it is possible to see a list of every bug ever reported, which are fixed, and which are not. If I were a general, I would also know how to capitalise my sentences properly.

Re:firefox and mac

[rochberg]

I meant, "To suggest that IE does not POSE a security risk is intentionally misleading." Dang typos...

Where does it say FIrefox is insecure?

[whoever57]

I just looked at the site and I see nothing indicating that FF is insecure. In the FAQ, it does say the IE6 and later are the only supported browsers ("for proper operation"), but "unsupported" is not the smae as "insecure".

Re:Where does it say FIrefox is insecure?

[DanWS6]

They edited the faq and removed that text.

It used to say:

Can I use Firefox or another Browser?

No! For security reasons, and some significant processing issues as well, the only supported Browser is Internet Explorer Release 6 or later.

Re:Where does it say FIrefox is insecure?

[AKAImBatman]

It looks like they removed the message about Firefox being insecure. Google doesn't have a cache of the page, but you can see it in the summary:

http://www.google.com/search?hl=en&q=http://www.coworkforce.com/Skills/myskills.aspx+Firefox+security&btnG=Search

You can clearly see the text: "DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk."

Re:Where does it say FIrefox is insecure?

Still there: http://74.125.47.132/search?q=cache:www.coworkforce.com/Skills/myskills.aspx

Re:Where does it say FIrefox is insecure?

[_bug_]

No! For security reasons, and some significant processing issues as well, the only supported Browser is Internet Explorer Release 6 or later.

"security reasons" can be a catch-all for anything, really. i know that firefox likes to start downloading content even before you've picked a place to save it, while IE will not start downloading until you've picked a location to save the file. so let's say you have a system where you're afforded a limited number of downloads. You click to download something but then hit the cancel button. Well if the file downloaded before you clicked that "cancel" button in Firefox the server won't know that and think you've downloaded the file, while that behavior doesn't happen in IE. So whenever I create a system that has a limited number of downloads feature I always alert the user to stick with IE.

A similar situation could exist in an application on the State of Colorado's web site. Thus leading to the more generic, user-friendly warning that they need to stick to IE for "security reasons". Because nobody wants to hear about the arcane minutea of a web browser's inner workings, "security reasons" is an easy way to get users to comply.

Re:Where does it say FIrefox is insecure?

[totally+bogus+dude]

Well IE still requests the file (it has to, otherwise it doesn't know what the filename or content-type is). Any naive script that flags the downloaded as having commenced when it first starts serving the data will treat an IE click-and-cancel the same as a Firefox click-and-cancel. Even scripts that wait until it's finished sending the data are likely to be allowed to complete by the web server, since aborting scripts in the middle of execution can be problematic. Most servers take the "safe" approach by default: let the script finish running and just throw its output away if the client disappears.

It looks like IE doesn't acknowledge receiving the data at the TCP/IP layer, and instead plays funny games with the TCP window size (setting it to 0) in order to stall the connection until the user decides what to do. It also seems to send 30+ duplicate ACKs for some reason. However all this is transparent to the web application; at best it'd just seem like a lossy TCP connection.

Interesting to see that IE7 still has the "unbelievable transfer speed" bug in that if you click on a link for a file download and take a while to decide where to put it, the initial transfer speed it shows is ridiculously high because it's already downloaded a few hundred kilobytes of the file before it starts the download speed timer.

Re:Where does it say FIrefox is insecure?

[5of0]

Nah, you're just doing it wrong: http://www.google.com/search?q=cache:www.coworkforce.com/Skills/myskills.aspx

Re:Where does it say FIrefox is insecure?

[sg7jimr]

"security reasons" can be a catch-all for anything, really.

Yup. In this case job security. The people running the site are not comfortable with that scary open source stuff and are afraid if it catches on then someone else who knows how it works will be hired to do their jobs.

Of course that's just my opinion, I could be wrong. Have run into that attitude in government however.

basis for claims

[Cyko_01]

What are they basing these claims on? The number of bugs FOUND or the number of bugs FIXED? If it is the former then I can see how they may have been misled

Re:firefox and mac

[pseudonomous]

Adding the parent, Firefox has something like 21% market-share in the browsing world, at least according to Wikipedia, security through obscurity might be a factor when you've got *really* low market-share, but once you get above the 10% level, if Firefox really *were* less secure, you would see more exploits directed at it. By the GP's logic, you might as well stick to using Windows 95, since most of the security flaws that exist have already been well documented, while people continue to discover new security flaws in Vista.

Re:Firefox still has a ways to go

[lakeland]

Sure anybody can build their own.

But the kind of organisations that insist on an MSI also insist that it's the one that came from the vendor.

If you prefer a Linux analogy then if I install RHEL then improve the kernel I lose any support from the vendor.

Organizations distinguish code as either officially sanctioned or not, and support only the former. Until Mozilla releases a sanctioned MSI there is no officially supported Mozilla installers.

It's like Linus and his holy penguin piss. If he called a kernel 2.6.29RC9 then people have different expectations to if he called it 2.6.29.

Gengis Khan or the Spartans?

[MoFoQ]

from the looks of it, it appears as though the State of Colorado's IT department is run by Gengis Khan....no...I don't mean the descendants of Gengis Khan....I mean Gengis Khan himself...in the flesh....or what's left of his flesh

either that or the Spartans.

The cavemen were smart enough to leave the state and do GEICO commercials.

I wonder who is paying the person off?

[Neanderthal+Ninny]

This is same argument I made about the MS Internet Explorer issue with the European Union. Some person at State of Colorado must be paid off my MS or has a nice cushy job at MS after his or her stint in the State of Colorado.
That person wrote the website for MS IIS so that you must use Internet Explorer and this person is spewing the "virtues" of Microsoft.
As I said before, all public websites should be written so that ALL browsers should work with it so that ALL people can participate in the digital age.
This is just another form digital discrimination.

Re:firefox and mac

[walterbyrd]

>>simply because they have been tested less than ie or microsof

Wrong, ActiveX is an abomination when it comes to security.

It doesn't even layout properly in IE

[thetoadwarrior]

I've sent a polite email stating what was wrong with the site. Hopefully it'll be looked at.

The home link is broke among many other serious problems.

It would appear the messages about firefox being more insecure have been modified though so I guess they're either reading people's emails or they've seen this.

Re:firefox and mac

[Tubal-Cain]

One of them is a statement of fact that they do nothing to back up, the other one is an opinion...

...stated as fact.

Add ins

[Philip+K+Dickhead]

These can be insecure. In fact, some were designed as trojans. See the Vladuz saga, who cracked eBay site admin accounts - in part through a Firefox plugin designed to this purpose, and hosted on the firefox plugin site!

When any goof startup can create social-network connectors or picture-browsing extensions, Firefox abdicates a good part of its inherent security advantages. Use these at your own risk. We won't touch FF privacy concerns with the Google relationship, and how hard it is to keep FF from reporting to GOOG as a default. IE is as bad with their parent.

I do think the warning about FF IS misplaced. Our biggest current risk is simply the Adobe PDF file-format. You don't even need to OPEN the file to execute code! Whee!

Re:Add ins

[zanybrainy941]

When any goof startup can create social-network connectors or picture-browsing extensions, Firefox abdicates a good part of its inherent security advantages. Use these at your own risk.

Any goof can create them, but *not* any goof can *publish* them on the Mozilla site. Mozilla has over the last couple years instituted a number of strict review guidelines and tests that an add-on must pass before it's published by Mozilla. Every add-on and add-on update is code-inspected line-by-line by a human editor. Mozilla has staffed up specifically in support of the add-ons site, and the number of code reviewers has grown dramatically in recent months. Reviewers keep a sharp eye out for remote code execution, violations of user expectations of privacy, and anything that detracts from user experience. Additionally, automated red-flag detection tools are now in the works.

Bottom line: do not install plugins and extensions in Firefox from sites other than addons.mozilla.org. With AMO, every single extension and extension update is inspected and reviewed before being published on the site. It's the only way to be sure.

Re:Add ins

[Vexorian]

We won't touch FF privacy concerns with the Google relationship, and how hard it is to keep FF from reporting to GOOG as a default

Holy shit! Who modded this moron up?

Re:Add ins

[Eunuchswear]

You don't think the feds won't go through the entire chain of Tor proxies if the hack costs them serious money, especially after the recent stimulus bill being passed and our national debt?

Feds? This is a Colorado state website.

Re:Add ins

[Ilgaz]

If my site was featured on Slashdot (and God knows how many more) sites in this manner, I would reach to Desktop, Start Menu and click Shutdown. If it lagged shutting down, I would unplug the ethernet or mains.

Not kidding. This is a site which people still tries to care about others no matter if they are a pathetic developer or not. Imagine other new fashion sites without any kind of real moderation.

Re:Add ins

[andy.ruddock]

With the appropriate permissions set on the server there's no reason why ftp can't be used as a valid method of sending information and uploading files.
A username/password pair on the screen helps a little to prevent automated abuse of the system, although it's still essentially anonymous ftp upload.

Re:Add ins

[hairyfeet]

Which is why I have been saying that Mozilla should go to signing their extensions. They could simply have a checkbox under security that says "Allow Firefox to use unsigned extensions" if anyone wanted to opt out. But with the quality of phishing sites getting better every day and companies like MSFT and Sun installing extensions without permission it would be nice if Mozilla would simply make signed extensions the default on a future build.

This would allow them to enforce some ground rules with regards to extensions, such as asking permission before install and having to have a functional uninstaller. And as you pointed out it really is best if you only get Mozilla Firefox extensions from the Mozilla site anyway. And since they used to host an Abe Vigoda plugin I doubt they are telling developers what they can and can't do, except with regards to malware. So IMHO it simply makes sense and would make FF that much more secure to go with signed extensions as the default.

Re:Add ins

[zanybrainy941]

For the record, I said:

do not install plugins and extensions in Firefox from sites other than addons.mozilla.org

but I should have said:

do not install extensions in Firefox from sites other than addons.mozilla.org

Plug-ins are different from extensions. Plug-ins come from a variety of sources, such as Adobe (Flash), Sun (Java) and so on. Sorry for any cornfusion.

Re:firefox and mac

[__aagmrb7289]

There is a possible explanation that, while stupid, makes sense here, people. If they are using Windows Authentication, which isn't supported by anything other than I.E., then using anything but I.E. poses a security risk. Why, you might ask? Because you can use Windows Authentication on I.E. and have the username/password sent over to the webserver without having to have an SSL certificate to encrypt the transmission. In Firefox, it asks for the username and password, and sends in clear text. There, problem solved. Still not smart, but at least accurate.

Re:I learnt something today - Time Line

[Niris]

protip: Linux

Re:Firefox still has a ways to go

[imemyself]

msi files are no longer recommended by Microsoft for pushing out software via Group Policy. they now recomemd you drop 50000 for a copy of MOM.

Nice MS bashing there. Pushing out MSI's via GPO's is still supported and works just fine. Its not as powerful as using some of Microsoft's other products, but a lot of people use it and it works fine for relatively simple/small software. And btw, MOM has absolutely nothing to do with pushing out software. MOM is used for monitoring. Systems Center Configuration Manager (formerly SMS) can push out software (and do some other things too I believe, I've never had a reason to use it though).

We like Firefox too...and safari.....and chrome...

[Culture20]

The Colorado Departent of Labor and Employment regrets that this service is unavailable at this time.
(We like Firefox too...and safari.....and chrome...)

http://www.coworkforce.com/Skills/

New site update

[Anemophilous+Coward]

Well now it seems the whole site is down. If you go up one directory level you get this message:

"The Colorado Departent of Labor and Employment regrets that this service is unavailable at this time.
(We like Firefox too...and safari.....and chrome...) "

From their FAQ ...

[vic-traill]

Questions and Answers
Why isn't my scrolling location saved?

This is a known issue related to a facility called AJAX within Microsoft .NET 2.0. Scrolling position is easily maintained, but it either causes page failures or decreases response time by 300%. A solution is being explored. In the meantine, the Skills widget enables you to be highly selective in list formation for Skills pinning. We recommend that you use this facility.

Oh, that pesky AJAX facility! There's a lot of info on performance issues using the ASP.NET AJAX. A quick read of the forums on asp.net suggests that this is only an issue if you don't actually think about the use and placement of controls while designing your page(s). In short, like anything else, if you use the wrong tool, and then use it excessively, load will be an issue in production. Too much to ask, I guess.

http://forums.asp.net/p/1296488/2518160.aspx#2518160

Shouldn't this be on idle.slashdot.org?

MOD PARENT UP

[IL-CSIXTY4]

The Dept. has updated their page. The page linked to in the summary now gives a 404, and going to /Skills gives you the text in this post's parent. I must say that's an awesome response, and it looks like there might be some real change ahead.

Re:MOD PARENT UP

[Tubal-Cain]

Ten hours after the story went live, the /Skills page now shows a 404 and the main page shows a Runtime Error.

User Agent

[Brett+Buck]

I can't do it right now, but someone with Safari or Firefox, etc. ought to change their user agent to IE6 and see how broken it really is. Aside from how broken it is with IE6, of course.

        Brett

Re:We like Firefox too...and safari.....and chrome

[Culture20]

Now they removed "(We like Firefox too...and safari.....and chrome...)"
Microsoft must have wanted their money back.

Slashdotted?

[johnncyber]

Either the site got Slashdotted, or they discovered the error of their ways:

Server Error in '/SKILLS' Application.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.

Requested URL: /Skills/myskills.aspx

Boilerplate refutation

[rysiek]

This might come in handy for those of you that would like to do something about those id10ts:

"I have come across a statement on Your website, stating:

"DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk."

Here's the thing:
Development of Internet Explorer has been absolutely stagnant for a decade, to a point where it actually became a synonym for "insecure". But don't take my word for it, let's have a look at Secunia (a great website, tracking bugs in popular software).

Internet Explorer 6:
    unpatched : 16% (22 of 135 advisories);
    highest rated : moderately critical;
    http://secunia.com/advisories/product/11/

Internet Explorer 7:
    unpatched : 26% (9 of 34 advisories);
    highest rated : moderately critical;
    http://secunia.com/advisories/product/12366/

Mozilla Firefox 2.0.x:
    unpatched : 10% (3 of 29 advisories);
    highest rated : less critical;
    http://secunia.com/advisories/product/12434/

Mozilla Firefox 3.x:
    unpatched : 9% (1 of 11 advisories);
    highest rated : less critical;
    http://secunia.com/advisories/product/19089/

So:

1. every single version of Firefox has less unpatched advisories than
      every single version of IE;
2. every single version of Firefox has less overall advisories than every
      single version of IE;
3. every single version of Firefox has less (percent-wise) unpatched
      advisories than every single version of IE;
4. every single version of Firefox has a less critical rating than every
      single version of IE;

Hence - how exactly have you come to the conclusion that Firefox is less secure? It's IE that poses security risks, and its worse than Firefox by leaps and bounds!

I must consider dispersing such information about browsers as you do as utterly irresponsible."

It's purely a cultural thing

[n9hmg]

Until a couple of years ago, this was a "red state". Unfortunately, enough sheeple moved here for the jobs our intelligent government attracted, so now we're a blue state, so that type of government is gone.

That's simple? Here's _simple_!

[Xtifr]

Oh yay, another great example of providing a technically correct, but thoroughly misleading answer. "To answer these questions, we must learn about light, and the Earth's atmosphere." No, you mustn't. Ok, you need to learn one thing: "the sky is blue because air is blue" (from Recurring Science Misconceptions in K-6 Textbooks). All that crap about Rayleigh scattering and frequencies of light is...well, it's true but it's generally beside the point.

Q. Why is my shirt red?
A1. (bad) To answer these questions, we must learn about light, and how photons are absorbed or reflected by different materials, and how the cones of the eye convert photons into neural impulses....
A2. (good) because it was dyed red.

Granted, all that other stuff can be interesting too, but to claim that you're providing the simple explanation is just ridiculous.

(At least it's not as bad as the standard explanation of an airfoil, which is simply wrong.)

Re:firefox and mac

[GrumblyStuff]

Uh, why? I mean, it's not a car analogy or even A GOOD one.

The website is saying Mozilla is a risk to your computer. Why do they care? IE can be a risk to your computer. Computer illiterates are a risk to computers.

But there they say (specifically, according TFS), "...Mozilla based, non-IE browsers pose a security risk." No ifs, ands, or buts about it.

This seems more like an excuse to use whatever easily implemented MS tricks they can without worrying about compatability.

Re:Failure to IE6 spell check

[donatzsky]

You know, when berating others for their spelling you should really pay some attention to your own:
"would of seen" should be "should have seen".

Very smart indeed

[Krneki]

1. Make a web site.
2. Claim Firefox is insecure while IE is.
3. Get yourself noticed on Slashdot.
4 ...
5. Profit?

Re:Very smart indeed

[symbolset]

You know, that gives me an idea. Microsoft could claim that Server 2008 is more secure than BSD in order to attract people to more thoroughly and publicly test their security in order to aid in debugging. That's a wonderful idea! Matt Asay should write a column about this.

Re:Very smart indeed

[Tubal-Cain]

Steps 2 and 3 would force Step 4 to be "Replace fried servers". I don't see the Profit in that.

Re:Very smart indeed

[Krneki]

First rule for a secure network.

Do not get public attention. :)

You mean MS?

[zogger]

Let them try! I don't think it would be hard at all to find at least *one million people* who have had their machines compromised over really insecure IE code, and maybe even lost money and had to go through and repair their credit when their logins or CC details were compromised.

Besides, that isn't the issue here, this is a set of state flunkies who are labeling a corporation's products as insecure, so bad that they dont allow access for official purposes from tax paying citizens of that state, and saying this other corporations products are secure, or secure enough to use, and their choice of what is or isn't "secure enough" is freaking LAUGHABLE. I mean, WTF?? It is bogus on so many levels it ain't funny.

Re:firefox and mac

[prandal]

about:config

network.automatic-ntlm-auth.trusted-uris

Yup, firefox supports NTLM authentication, and has for a long time, and it works for me.

Not the real problem...

[jlarocco]

The real problem is that we have an Office of Information Technology at all. The entire department shouldn't exist. Complaining that they've done something stupid on their website is missing the forest for the trees.

Come Again????

[Aklarr]

I literally laughed out loud at this!!! This is very very ignorant and stupid to say the least when we all know the reverse is true!

Completely down now

[JoeF]

Server Error in '/SKILLS' Application.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.

Requested URL: /Skills/myskills.aspx

You know this makes twisted sense

[WindBourne]

We had a working computer system, and then owens brought in his friends to do a 6 year makeover of it. When he left is STILL had major issues, and the dems brought in THEIR ppl. The problem is that the head of OIT is as inept as Ritter is. From some of my friends at TWI, they tell me that he was a total idiot, but a politician. WHile Colorado had a great infrastructure in place at one time, between Owens and now ritter it is being gutted fast. TOO FAST.

Why?

[WindBourne]

Neither Texas nor Mississippi care. Nobody can read the reports that indicate that they are tied at 50th.

Re:That's simple? Here's _simple_!

[genericpoweruser]

Fascinating! I always wanted a down-to-Earth explanation of air foils. I never really bought that low pressure air sucks the plane up. Mod up!

Well

[WindBourne]

I have lived here since 79, and I HAVE seen those stickers. And it was a big issue around 2002-3. Owens was trying to cut the education spending.

Let me fix that

[ohxten]

DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers do not properly work with our website, and we don't feel like modifying our code to support other browsers.

Fixed!

Re:Let me fix that

[sirgoran]

More like:

"The kid from down the block that coded our website in the first place moved and we're too stupid to know how to rework our site to work with any other browser."

OK ...

[Skapare]

... wh0z t3h n3w 0wn3r of d31r w36 5173? 5um 1 h3r3z?

Re:Message from the State Chief Information Office

Whew, that's a relief! I was afraid that Jerry Taylor moved from Tuttle and got a job in Denver.

He is doing it for the economy!

[C_Kode]

The more people that use IE, the more work there is for the support tech industry. This is Colorado's contribution to the American stimulus package. :)

It gets worse

[ahziem]

The home page has double HTML tags (and is in designed in FrontPage 6.0). Years ago, I reported the double HTML tags to the web master, but he said it wasn't feasible to fix.

Who takes advice from these people? :)

Re:That's simple? Here's _simple_!

[arkane1234]

I know what you said is correct, but I want to point out to anyone that reads your post that you in NO way mean that they are right in air being blue. The link you provided is a must-read for anyone who seriously doesn't understand the science, instead of just skimming and saying "oh, okay air is blue, thats why." through your message :) (those people don't read quotes right, and such)

No offense to you, xtifr. You did a good job with your post and you are correct.

Mozilla Foundation Must Sue!

[BrendaEM]

If any corporation made unsubstantiated claims such as that, they would be sued.

If open source is to survive, it must protect itself.

BrendaEM

Re:Mozilla Foundation Must Sue!

[Tubal-Cain]

Look at the state of their servers now. The best defense is a good offense...

It's a big state

[colinrichardday]

That would depend on where you are in Colorado. I don't believe that too many would drive from Durango (SW part of the state) just to slap people.

Gub'ment mentality

[Brandybuck]

They're gub'ment workers, whadya expect? They've been trained since kindergarten to never question authority. But unlike the rest of us who went on to productive pursuits after graduating from the indoctrination centers they call public schools, they stayed in the system. Many of them have never learned to think for themselves. Their job is not to help people, but to punch in daily until they can retire on public pension.

All it takes is one supervisor reading an astroturfed rant on the web, and the entire department will take up the faith that Firefox is unsafe.

Re:Message from the State Chief Information Office

Before becoming a public-sector CIO, Locatis was the senior director of enterprise technology strategy for Time Warner Cable Inc., part of Time Warner Inc., a Fortune 50 company and the country's largest entertainment firm. Locatis honed his skills at aligning customer-service delivery systems...

Speaking as someone with first hand experience with Time Warner Cable's "customer-service delivery systems", this whole story does not surprise me in the least.

Wait...

[MacWiz]

In related news, Colorado reports epic crop of hallucinogenic mushrooms.

I think both of you are correct...

[Grog6]

It took two years of meetings, executive staff luncheons, and similar BS; someone got a nice raise...

Then one of the the IT guys was told "have a web page up by monday." (for nothing extra.) So he hacks it out in 10 minutes with frontpage; We are talking MS types, after all.

THAT's how it usually goes.

Wonder who gets reamed after the slashdotting fried their server? (It's currently choking on any browser I use)

Remember, this is a government network...

[Synja]

The environment that this was targeted at is a Windows domain(s), subject to group policy and other restrictions. This extends well past software issues. IE is the ONLY browser I would use in such an environment. Other browsers may beat IE in certain categories, but with the size and complexity of this network, why would you add variables? IE is easily controlled via group policy. You can force and control updates in the same manner that Windows is updated. There are numerous advantages. The thing is, this is a GOVERNMENT network. Ok... so you allow FireFox... Suddenly, users want Opera... ok... Now they want Chrome... Where do you draw the line? The Slashdot community is giving the users WAY too much credit. I work in a federal government IT department. I have watched highly educated (doctors and nurses) destroy ToughBooks. I have sat back and watched them not be able to load paper in a printer, one of them even asked me to change their printer setting so that faxes come out of their scanner. It never ends. I have tried educating them, it does not work.

massive spew of vitriolic bile

[trick-knee]

sir, I like your style.

Programmer does not equal Web Programmer

[microcars]

"Perhaps the webmaster didn't know anything about web programming?"

But just enough to get the job and show a demo.

There is a guy I know who "wrote software" for a living "for the government".
He put up a personal website to sell some stuff and like this site, it had the same warnings about only using IE.
When I could not access his site, I called him and asked him what the problem was and he bemoaned about how he wishes there was only One Browser to write for and how he is used to making "secure" sites for places like 4H or something because "kids" are involved. (gotta keep 'em safe!)
I think it basically boiled down to he just took what he knew from programming something for a closed environment and thought it would work on the web. It doesn't.

His PERSONAL SITE also has INSTRUCTIONS on the main page of HOW TO USE THE WEBSITE.
How to use the xxxxxxx Web Site...
1) Press the F11 key (top row of keyboard) to view site full screen.
2) Do NOT use you browser 'Back' button - always use the various navigation buttons or links on the screen (Return, etc).
3) Always wait for any images to completely resolve or fill before taking the your next step.
4) Exit the site via the 'Goodbye' link, NOT the browser 'X' button.
5) All of these procedures will speed and improve your access to the xxxxxx xxxxx site.

I would post the URL to his site but I hate to see his server get trashed, I'm sure it is out of his home. If you don't make it onto the site, you get this error screen that asks you if you want to Restart The Application.

And he wonders why no one is buying stuff from him.

Re:Programmer does not equal Web Programmer

[ncc74656]

I would post the URL to his site but I hate to see his server get trashed

With stupidity like what you described earlier in your post, don't you think he deserves whatever happens? Perhaps learning that he's running an unstable pile of shite would serve as motivation to figure out what he's doing wrong and get it squared away.

Re:firefox and mac

[ScrewMaster]

Also you should investigate your keyboard it seems to be broken.

Nah ... it's a mouse driver problem.

IE good, FF bad

[JohnGaltt]

...now you know where all the 'D' students went.

Re:firefox and mac

[Em+Adespoton]

The site does not say "firefox may not be secure" they're saying "firefox poses a security risk". One of them is a statement of fact that they do nothing to back up, the other one is an opinion which may or may not be valid, but is theirs to hold.

I wonder if what they meant was "our site looks like crap in firefox so please don't use it". Or maybe by "poses a security risk" they mean "the secret fields we spent hours figuring out how to hide behind other stuff refuses to stay hidden in firefox, so using it is a risk to OUR security".

...and I just automatically assumed they meant JOB security.

It's hilarious

[symbolset]

While we laugh at him some poor dumb web admin in Colorado is working through the night to fix this. The pages are changing while we comment on them.

At this point I actually think he's using this page for tips on how to fix this.

It's sad and funny on so... many levels.

Re:firefox and mac

[symbolset]

Maybe the mouse has a button shortage. It's not politically correct to make fun of the button deficient.

they are right: ff IS insecure

[faargenwelsh]

right now (gmt 06:15) their site is down it was obviously hacked by some ff user that makes their statement quite true :)

Re:firefox and mac

[Hucko]

Heh. Now see here, watch carefully. IE does have more general users. However if something goes wrong, the average user restarts the entire machine again. If it happens again, the average user says something like ... the internet is broken *Again*. They go do something else.

Now you may consider that testing, but I don't. If there is a similar crash in Firefox or OSS in general, then the same users whinge, loud long and to everyone.

Re:firefox and mac

[Hucko]

Gah, Boss came through! Must have press submit absentmindedly.

While neither is testing per se, the latter makes it easier (well to some degree) for debuggers know where to test.

I'd hazard that there are more casual developers & debuggers working on Mozilla stuff than on IE, ergo more likely to be tested properly. Not just the "works for me" kind.

Re:Firefox still has a ways to go

[Hucko]

Strange, I've found it to be the exact opposite for the past year and a half!

Yeah right.

[jotaeleemeese]

People like these bozos can insult our intelligence and we all are supposed to act politely and rationally.

I say that a few hundreds or thousands rabid replies from aggravated individuals would do wonders.

Sometimes politeness is seriously overrated...

Well, gee.....

[jotaeleemeese]

Nice to know that it does not matter to know where the source code is....

You distorted the context.

[jotaeleemeese]

The words "SQL injection attacks" are a link to a humorous depiction of such a situation.

Th GP clearly meant that in jest.

Re:That's simple? Here's _simple_!

[Tubal-Cain]

Why is my shirt red?

May I have the password to your /. account? I am pretty sure you aren't going to be needing it much longer.

Translation.

[jotaeleemeese]

Dear Colorado People,

Now you are MS's bitches.

Yours

Colorado's CIO

this guy got stuck in time

[anton_kg]

If someone would say so 5 years ago some could believe him. It's too late today. Is that guy got stuck in time or just stupid?

moderate vs moderate

[SgtChaireBourne]

Secunia states that Firefox3 has less critical issues:
http://secunia.com/advisories/product/19089/

While IE6 and IE7 have moderate problems. Making IE less secure:
http://secunia.com/advisories/product/11/
http://secunia.com/advisories/product/12366/

...

Bzzt. Thanks for playing

On your way out go re-read those "moderate" problems on MSIE and compare them to "severe" bugs on other products. Yeah, the MSIE bugs are frequently downplayed in severity.

the facts are "biased"

[SgtChaireBourne]

Being able to point them to an unbiased, reliable source to back up the "Firefox is safer" claim would help.

Unfortunately the facts are "biased" against MS products. It doesn't matter anyway, since if they're running Windows, then they're not likely to be influenced (or not allowed to be influenced) by troublesome things like empirical studies.

The problem is getting enough mainstream recognition that maybe something might actually be done about it. For now, though, we have the junk science, post-modern business, everything-is-an-opinion legacy to contend with.

Now that's strange...

[flameproof]

Y'know, I looked ALL OVER the M$ website and couldn't find one copy of IE that worked with linux! Whatever am I to do now???

Context

[MrZaius]

Given that their site is down at the moment, rendering their explanation unavailable, I'd like to point out that there is a rational argument to be made for the notion that using preinstalled and patched IE installs instead of a third party browser can increase security. I disagree with it (based on a number of factors expressed elsewhere in this thread), but it's a good argument:

You increase the number of potential security holes on a workstation by increasing the number of installed applications. Your sysadmin is responsible for both maintaining and securing IE and Firefox, and is unable to uninstall the former. This, thank God, goes away in Windows 7. In the meantime, however, you can still disable and cripple IE in a way that limits its exposure - It's just more work than most Windows-heavy, Microsoft-ceritified admins are willing to do as doing so often strips them of their preferred choice, and the tools that they've been heavily trained in locking down and adapting to their local networks. If understaffed and underfunded, forcing IE usage may actually be the right call for some agencies and offices.

Still no excuse for any IE6 or earlier builds being used in the wild.

It must be True!

[Marauder2]

Searching Securityfocus for "Firefox patches" returns only four pages. Searching for "'Internet Explorer' patches" returns 31 pages. More patches for IE means it must be more secure, right?!

Comment removed

[account_deleted]

Comment removed based on user account deletion

How Sad...

[mangusman]

As someone that works and lives in Colorado, I find this truly embarassing.

because its outsourced to india

[cheekyboy]

The indian programmers have to be able to see their nonstop errors they create on a live system, with no shadow dev inhouse system.

Ha ha ha...

[Keith_Beef]

Server Error in '/SKILLS' Application. Runtime Error Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine

Better the devil you know...

[DCheesi]

I would guess that it's not so much the relative security of the two browsers, as it is the IT group's ability/willingness to vet another browser for security purposes.

They don't understand FF, and they don't want to take the time to learn all its ins & outs. So they declare it a "security risk" simply because they don't *know* what security holes might lurk there. In that sense it *is* a security risk for them, since it has not been tested for secure interaction with their site.

They undoubtedly know that IE has security holes, but they know what most of them are and feel comfortable with the countermeasures they've taken for those specific flaws. Whether their confidence is justified is another matter, of course...

Re:Colorado Californicated

[DuBois]

Colorado has finally become californicated. Too many people from L.A. moved here and imposed their whacked-out thinking and lifestyle on the laid-back Western ethos that Colorado used to be famous for.

I'm not sure it's possible to recover from being californicated, but, as a citizen of Colorado, I do hope so.

Re:That's simple? Here's _simple_!

[mcgrew]

The sky is blue because nitrogen is blue, and its air is mostly nitrogen. If its air was mostly chlorene the sky would be green.

This is opportunity calling... who wants to answer

[MidKnight]

I love all the critique of what is obviously a pitiful attempt to produce one of them fancy web application things. I unfortunately can't add to the list here... being a late-comer to the discussion, the site is already offline.

But a lot of folks are missing the obvious opportunity here: government jobs are, frankly, the best thing going right now given the current state of the economy. How many Slashdotters have sent their resume to the Colorado DOL? They clearly need the help!

Re:We like Firefox too...and safari.....and chrome

[cnock]

Actually, now it says: "The Colorado Department of Labor and Employment regrets that this service is not avaialble at this time. " Note the spelling error... I guess that's forgivable.

Re:firefox and mac

[Bert64]

Windows authentication (ie NTLM) is a server option...
Firefox does support it, but doesn't send it automatically like IE does (IE will send your credentials automatically to a remote box that requests them which can be abused)..

NTLM is little better than sending basic auth over plain text, it does a challenge handshake but is weaker than md5 digest auth and can be cracked... basic auth over SSL is actually stronger than ntlm over http... and if using http md5 digest is still stronger.

also ntlm auth breaks the way http works since it requires you to send, receive, respond, receive in a single http connection when http is supposed to be request/receive, this makes it very difficult to use with a proxy.

all in all, ntlm over http is a horrible hack and is typical ms arrogance - create something new, proprietary and inferior, instead of using the existing standard digest auth.

understating the problems with MSIE

[SgtChaireBourne]

Secunia states that Firefox3 has less critical issues: http://secunia.com/advisories/product/19089/

While IE6 and IE7 have moderate problems. Making IE less secure: http://secunia.com/advisories/product/11/ http://secunia.com/advisories/product/12366/

Firefox3 also has only 1 issue unpatched, while IE6 has 22 open issues.

Good. I hit a nerve. Don't fall for Secunia's misleading descriptions and understate the risk significantly. Qo re-read those "moderate" problems on MSIE and compare them to "severe" bugs on other products. Yeah, the MSIE bugs are frequently downplayed in severity.

The advisories are also hidden away for some products and lifted to the start page for others. Just try to find the MSIE advisories in the by product listing. Can't easily do it. Also notice that in the scope notes, most of the MSIE vulnerabilities expand out to include all applications which can inadvertently call MSIE through hard-coded options, such as WMP. That works out to a very large base of vulnerable applications.

Secunia's not the only one obfuscating the unsuitability of MS products. Even the US NVD is affected. None of them mention avoiding the defective product (Windows) or problem tool (MSIE). It wasn't too many years ago that mainstream magazines were talking about banning MS Outlook for the sake of security. Now even "security" specialists are changing the subject or mumbling when asked if the emperor is really wearing any clothes.

There's just not a business case to stay on the autoflagellation combination, Windows+MSIE

Server Headers

[scum-o]

% wget -S -O /dev/null http://www.coworkforce.com/
--10:24:49-- http://www.coworkforce.com/
Resolving www.coworkforce.com... 165.127.91.10
Connecting to www.coworkforce.com|165.127.91.10|:80... connected.
HTTP request sent, awaiting response...
    HTTP/1.1 200 OK
    Connection: keep-alive
    Date: Fri, 06 Mar 2009 17:24:49 GMT
    Server: Microsoft-IIS/6.0
    MicrosoftOfficeWebServer: 5.0_Pub
    X-Powered-By: ASP.NET
    Content-Length: 26447
    Content-Type: text/html
    Set-Cookie: ASPSESSIONIDASBTDDQQ=NIFBMIKAFMPHFLDLIKBAMPBD; path=/
    Cache-control: private

PART-TIME-JOBS-AVAIALBLE

[nsaspook]

Looking for work?

http://en.ganji.com/jobs/part-time/3-25-19020-1-PART-TIME-JOBS-AVAIALBLE-AT-www-homejobsinuk-com.html

Good Enough For Government Work

[naubol]

The Colorado Department of Labor and Employment regrets that this service is not avaialble at this time.

--

emphasis added

From someone in Colorado

[ujoronen]

Here's scary: CO Workforce has an IT dept of less than 5 techs for the entire state.

They have open wireless routers half the time because the end user gets a Netgear or Linksys from Walmart rather than wait for their overworked IT folks to get around to it.

They often share hardware with other agencies without locking them down or performing an inspection prior to returning them to a State network.

Training and keeping up with advances? With this much of an overworked and underappreciated IT dept, the last training they got was when they were in school.

My point? It's not the IT weenie's fault. If you want to yell at someone, make sure it gives the IT department more funding for more positions. Consider:

If work remains constant, more bodies = problems solved quicker.
Problem solved quicker = more time.
More time = more time for training and learning.
More time for training and learning = less inaccurate statements and stupid decisions.

I thought it was the oxygen

[Xtifr]

I thought it was the oxygen. I had heard that the sky was not-so-blue before life started releasing free oxygen into the atmosphere. But I don't have a definitive reference either way, so I suppose you could be right. Got a cite?

(Posted w/o karma bonus since this is starting to drift off-topic.)

Hi from a sleepy little southern Colorado town!

[ujoronen]

Considering we have 35MPH sustained winds, gusting to 50, I thought your username somewhat ironic.

Re:firefox and mac

[__aagmrb7289]

Agreed.

Re:firefox and mac

[AntiSol]

I wonder if what they meant was "our site looks like crap in firefox so please don't use it". Or maybe by "poses a security risk" they mean "the secret fields we spent hours figuring out how to hide behind other stuff refuses to stay hidden in firefox, so using it is a risk to OUR security".

This all goes in much the same vein as a failure notice email I got from ebay the other day, telling me that my PGP-signed email had been blocked for 'security reasons', in order to prevent identity theft. As far as I can see this is complete crap, and what they really mean to say is "we can't read emails which aren't sent in cleartext, thus PGP is bad". Basically what it comes down to is relying on the average user's general ignorance, and the terror associated with the repeatedly-drummed-in phrase "security risk"...

Re:That's simple? Here's _simple_!

[garnetlion]

A3: Because you're about to go on an away mission with a bunch of main cast members and get killed.

Re:firefox and mac

[ScrewMaster]

Maybe the mouse has a button shortage. It's not politically correct to make fun of the button deficient.

Actually, I was poking fun at the individual driving the mouse.

Re:You should know

[Qzukk]

this concern would never arise

If you actually knew HTML, and didn't just play with frontpage until the secret input with the server password disappeared behind the logo.

Truth

[mahadiga]

To
State of Colorado:

Please DO NOT buy software from Closed source software vendors.
Because you don't OWN a product unless you can MODIFY it.

Processing issues? Pfah.

[DaVince21]

"Processing issues" = "Our site is not standards compliant and will show incorrectly on all standard-compliant browsers"