Slashdot Mirror
State of Colorado Calls Firefox Insecure, IE6 Safe
linuxkrn writes "The State of Colorado's Office of Technology (OIT) has set up a work skills website. The problem is that the site says 'DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk.' (Original emphasis from site.) If the leading IT agency for the State is making these uneducated claims, should the people worry about their other decisions?"
Well, I'm impressed. I tried to send them a message telling them that they're morons. (Though in a more polite manner.) They got right back to me with this message:
I love how the site is:
A) Being run off of someone's desktop. Out of their My Documents folder, no less.
B) Gives up the username of the machine without so much as a "how do you do"
C) Shows the world that our amazing admin can't even hack it at C#
I should check the IIS version. I have a sneaky suspicion that it's not up to date. Or maybe take a cue from Bobby Tables and throw some SQL injection attacks at the site. :-/
Javascript + Nintendo DSi = DSiCade
A more sensible approach might involve writing a well spoken, coherent, concise email. No reason to come across as a raving nutter - if someone is considering the "angry rant" approach, I'd suggest that perhaps what they are doing, is the opposite of help.
What do you expect from a state who uses 128 characters to describe a perspective hire's education.
The Education Property has been increased to 128 characters due to popular demand. Thanks for your patience.
I tried to leave a comment :
Server Error in '/SKILLS' Application.
Object reference not set to an instance of an object.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[NullReferenceException: Object reference not set to an instance of an object.]
Skills.Suggestion.doTheSend() in C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\Skills\Suggestion.aspx.vb:137
Skills.Suggestion.sendEmailLink_Click(Object sender, EventArgs e) in C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\Skills\Suggestion.aspx.vb:127
System.Web.UI.WebControls.LinkButton.OnClick(EventArgs e) +90
System.Web.UI.WebControls.LinkButton.RaisePostBackEvent(String eventArgument) +76
System.Web.UI.WebControls.LinkButton.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +7
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +11
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +177
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1746
Version Information: Microsoft .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433
LOL ?!?
EDUCATION:
I got a B.S. in computer science at Crazy Go Nuts University, and learned about security, including browsers. And let me tell y
3. Profit!
2. ???
1. On Soviet Slashdot, a Beowulf cluster of alien Natalie Portman overlords welcomes YOU!
Must use IE. Windows is unsafe. FF is not.
Head asplodes.
Absolute power corrupts absolutely. indymedia
I just tried in all sections. I ended up leaving a message with the Gov. Perhaps the webmaster didn't know anything about web programming?
It's all fun and games till someone divides by 0. Then it's hilarious.
From their FAQ: "Can I use Firefox or another Browser? No! For security reasons, and some significant processing issues as well, the only supported Browser is Internet Explorer Release 6 or later." I suspect the processing issues are the real reasons and they are trying to scare people into not using Firefox so they don't get the phone calls about their site not working.
Email:
oit@state.co.us
Phone:
303-866-6060
Fax:
303-866-6454
US Mail:
Governor's Office of Information Technology
1580 Logan St., Suite 200
Denver,CO 80203
Well, they're mostly wrong, but partially right. All things considered, the biggest security risk isn't the web browser used, it's the incompetent organic mass between the keyboard and the chair.
It still amazes me how many people really think they're the 1,000,000th visitor to a site, and that they've actually won something because of it.
I'm the Devil the Windows users warned you about.
Actually the site doesn't work whether you're using Internet Explorer or Firefox. It looks worse with Firefox because they are using some of the non-standard display tags that cause components to overlap if using a standards compliant browser. Regardless of the browser used, the result is the same: failure.
http://www.colorado.gov/cs/Satellite?c=Page&cid=1165692953912&pagename=OIT-New%2FOITXLayout
oit@state.co.us
-- There is no truth. There is only Perception. To Percieve is to Exist.
"Questions and Answers"
"Can I use Firefox or another Browser?"
"No! For security reasons, and some significant processing issues as well, the only supported Browser is Internet Explorer Release 6 or later."
"What if I have a Skill that isn't listed?"
"The "Suggestion" tool enables you to communicate directly with the Administrators. We will research your proposed Skill with your input and agreement."
I'd like to learn how to make web pages. Think I might see if I can tap these guys expertise. Anyone else fancy coming along?
Mozilla is an actual bona fide business allied with google among others, and as such I hope they sue the living snot out of that agency for making such a public claim. This sort of thing is no freakin joke. If they do, I would be interested to see what comes out in discovery with the actual human bureaucrats involved in setting this policy and posting that.
So now Colorado thinks they're smarter than the feds?
Not long ago the DHS said to avoid IE and use firefox for security reasons.
http://www.google.com/search?q=dhs+avoid+ie
http://www.sciencemadesimple.com/sky_blue.html The answer to "Why is the sky blue?" is reproduced from copyrighted material at sciencemadesimple.com
Obviously the correct approach is to send them a link to a special web page that will infect their computer if using IE. Once you've taken over their computer, you can use it to change their policies to supporting Firefox.
Relevant text in case of site slashdotted:
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 6.0" >
<meta name="ProgId" content="FrontPage.Editor.Document" >
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252" >
<title>Welcome to The Colorado Department of Labor and Employment</title>
<link rel=stylesheet href="/commoncomponents/contentstyles.css" type="text/css">
</head>
I can't believe you don't know what a Hasemalphaginnojinglanaporphomism is.
Contact information is here. Don't try to contact them using the link in the summary, it doesn't work.
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
He at least knew enough to be dangerous and change the default of hiding stack trace information when an unhandled exception occurs.
The correct comparison would be this.
Gun #1: Kills each and every gunman when they don't expect it. You are not even pressing the trigger. But you sure as hell do know they kill the gunman.
Gun #2: You know that a gunman can be killed once in a while, but when it happens somebody will deliver you with upgraded guns preventing it from happening again in a small amount of time.
TY, I'll keep FF
Ok, so explain why apache is less exploited than IIS. It is used far more.
Your little idea is cute and has been proposed by many before, and just like then it is wrong.
Also you should investigate your keyboard it seems to be broken.
Skills.Suggestion.doTheSend()
Priceless. 'send()' would have been a boring name for that function.
First Hosea wins Top Chef instead of an actual chef, and now this.
I hate Colorado now.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Secunia states that Firefox3 has less critical issues:
http://secunia.com/advisories/product/19089/
While IE6 and IE7 have moderate problems. Making IE less secure:
http://secunia.com/advisories/product/11/
http://secunia.com/advisories/product/12366/
Firefox3 also has only 1 issue unpatched, while IE6 has 22 open issues.
The site does not say "firefox may not be secure" they're saying "firefox poses a security risk". One of them is a statement of fact that they do nothing to back up, the other one is an opinion which may or may not be valid, but is theirs to hold.
I wonder if what they meant was "our site looks like crap in firefox so please don't use it". Or maybe by "poses a security risk" they mean "the secret fields we spent hours figuring out how to hide behind other stuff refuses to stay hidden in firefox, so using it is a risk to OUR security".
If I have been able to see further than others, it is because I bought a pair of binoculars.
I can just drive down there and slap them in person...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Message from the State Chief Information Officer
Michael Locatis, State CIO
"As the Chief Information Officer for the State of Colorado, my role is to provide the momentum and strategy for wide-ranging activities from promoting high end research and development of cutting edge technologies to creating strategies for service delivery supporting the day to day operations for the State of Colorado - thereby making a difference in the lives of the people of Colorado and delivering Governor Ritter's 'Colorado Promise'."
http://www.govtech.com/pcio/articles/386146
Colorado Gov. Bill Ritter and CIO Mike Locatis Launch IT Consolidation
Aug 21, 2008
Before his Cabinet appointment in Colorado, he was CIO of Denver, where he showed his centralization skills (and caught Ritter's attention) by consolidating 20 separate municipal and county departments into a single, citywide IT agency. It's also where Locatis learned how fragmented the state's IT systems were.
"It was while I was working in local government that the issues surrounding state IT were immediately apparent because they impacted how services were delivered at the local level," he said.
Before becoming a public-sector CIO, Locatis was the senior director of enterprise technology strategy for Time Warner Cable Inc., part of Time Warner Inc., a Fortune 50 company and the country's largest entertainment firm. Locatis honed his skills at aligning customer-service delivery systems, standardizing desktop capabilities and managing tech and support teams for huge enterprise resource planning applications.
Despite Locatis' knowledge of the state's IT systems' problems, he wasn't expecting the mammoth job he faced. "It was significantly siloed and fragmented IT delivery, which was a root cause of a lot of the issues - including inefficiencies, a lack of leveraging an enterprise approach and just about every [IT] department in the state doing its own thing," he said.
The state of colorado made attempts to be "ahead" of the curve when it came to an online presence (see also denvergov.com and the atrocity that is netfile; we were one of the first states to have online tax filing). Unfortunately they hired people who knew ass all about javascript (or proper DB handling) and no one knew enough to stop it in it's infancy. Now it has snowballed into something too costly to replace and too borked to simply repair.
I imagine someone told some user that ff was a security risk, rather than go into the technical details of why the site falls to crap on browser it was never tested for. Eventually, through what I like to call "the wiki effect" that same information got passed back as fact to the current web coders who promptly put up a notice to inform their end users.
Even still, fail.
Sometimes, life itself is sarcasm...
That's just in IE6. Better security that way.
Faster! Faster! Faster would be better!
I just looked at the site and I see nothing indicating that FF is insecure. In the FAQ, it does say the IE6 and later are the only supported browsers ("for proper operation"), but "unsupported" is not the smae as "insecure".
The real "Libtards" are the Libertarians!
Look on the bright side, at least it's spelled right. I'd rather have doTheSend() than excetute(), which some kind soul helpfully made an abstract in one of our base classes, and that has since been propagated across a few hundred other classes that I'm not allowed to refactor. A little piece of me dies every time I see it.
At least I sort of know who did it, thanks to cvs history. And if I ever figure out who the hell ers4634 is, they'll truly know what it means to be excetuted. Bastard.
Interesting... stack trace displays are turned off by default from remote sites when using ASP.NET for security reasons. They had to explicitly turn them on to display this.
I doubt they are the best people to tell others about security...
Very poor odds. Working for a similar state government agency I can tell you the process probably involved atleast 10 weekly or monthly meetings to outline the basic content, a 2 month review process on the outline documentation for the page layout, a 6 month bidding process from prospective contractors to create the webpage, another couple months for a cost/benefit analysis, with the final decision that a frontpage license and either a new permanent position or an expansion of duties amendment (with associated raise) to one of their high up IT people would be the answer. Total time to create that webpage, probably a year and a half to two years.
I don't suffer from insanity, I enjoy every minute of it!
Well, seeing as its stack trace says *vb instead of *cs, I'm guessing it's VB.
One of them is a statement of fact that they do nothing to back up, the other one is an opinion...
...stated as fact.
These can be insecure. In fact, some were designed as trojans. See the Vladuz saga, who cracked eBay site admin accounts - in part through a Firefox plugin designed to this purpose, and hosted on the firefox plugin site!
When any goof startup can create social-network connectors or picture-browsing extensions, Firefox abdicates a good part of its inherent security advantages. Use these at your own risk. We won't touch FF privacy concerns with the Google relationship, and how hard it is to keep FF from reporting to GOOG as a default. IE is as bad with their parent.
I do think the warning about FF IS misplaced. Our biggest current risk is simply the Adobe PDF file-format. You don't even need to OPEN the file to execute code! Whee!
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
Skills.Suggestion.doTheSend()
Priceless. 'send()' would have been a boring name for that function.
This is because it's already in use. Just like 'doSend()'. And what do you do when you just happen to need a third 'send()' function?
The truth may be out there, but lies are inside your head
.SendThatBitch() /*if only my bosses ever bothered to read my code comments! They wouldn't be able to keep a straight face while firing me*/
The Colorado Departent of Labor and Employment regrets that this service is unavailable at this time.
(We like Firefox too...and safari.....and chrome...)
Its pretty funny what a good slashdotting will do.
Based on the speed at which things can get fixed by what are normally lumbering juggernauts when they are seen and reacted to by a million people on the Internet, I'd suggest that ten thousand angry rants are often much more effective than hundreds of extremely well spoken, coherent, concise emails.
In this case, a massive spew of vitriolic bile targetting squarely at the fools behind that miserably borked IIS site seems warranted, and is likely to be more effective than some pansy-assed coherent "Dear Sirs, I am writing to engage in a discussion concerning what appear to be some personal biases toward the fine products that Microsoft Corporation produces and their manifestation in a minor slight against Firefox, another fine product, on your web blah blah blah..."
Fuck that. Hoist the pitchforks! Ignite the torches! Geek wrath power ON!
Why are you linking that stuff here? You think anyone from and IT department that lauds the security of IE6 actually reads Slashdot? ;)
-Arthur
Cave ne ante ullas catapultas ambules
Oh yay, another great example of providing a technically correct, but thoroughly misleading answer. "To answer these questions, we must learn about light, and the Earth's atmosphere." No, you mustn't. Ok, you need to learn one thing: "the sky is blue because air is blue" (from Recurring Science Misconceptions in K-6 Textbooks). All that crap about Rayleigh scattering and frequencies of light is...well, it's true but it's generally beside the point.
Q. Why is my shirt red?
A1. (bad) To answer these questions, we must learn about light, and how photons are absorbed or reflected by different materials, and how the cones of the eye convert photons into neural impulses....
A2. (good) because it was dyed red.
Granted, all that other stuff can be interesting too, but to claim that you're providing the simple explanation is just ridiculous.
(At least it's not as bad as the standard explanation of an airfoil, which is simply wrong.)
And what should that email say, exactly? More specifically, to what URLs could I point the devs to an _unbiased_source_ that IE is insecure and Firefox is secure?
I have this problem with Hebrew websites constantly, in fact, about two hours ago I wrote to a local news website about their IE-only policy. Being able to point them to an unbiased, reliable source to back up the "Firefox is safer" claim would help.
It is dangerous to be right when the government is wrong.
I'm laughing my ass off. I've worked with enough government (specifically state) agencies to know that this is not hyperbole. This is probably what actually happened.
-Arthur
Cave ne ante ullas catapultas ambules
doTheSend()... that is amusing. I think it is even funnier that they left the code in:
C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\
So..I guess they could only afford one copy of Visual Studio, and it is....on the server..../boggle
And production code running from "My Documents" haha.
they'll truly know what it means to be excetuted. Bastart.
Broke That For You.
This is why they told you not to use Mozilla. It poses a security risk for the site... look, you went and disobeyed the directions and broke it!
All because you were using Mozilla instead of IE!
Lest people think only government wastes monumental time and effort towards something relatively trivial, Microsoft spent a full year working on a feature one of its developers claims could've been done in a week.
It's a paradox of project management--too many stakeholders or dependencies, and you're going to bog down in red tape. Too few means that no one cares what your project is and won't waste their time helping you, and it'll never see the light of day. Finding a balance is difficult at best in any large organization.
No no no MY comment shows MY ignorance.
Wait... what?
And if I ever figure out who the hell ers4634 is, they'll truly know what it means to be excetuted.
Good luck with that. I mean, he could be anyone. ;)
Server Error in '/SKILLS' Application.
That may be the most astute error message I've ever read.
Help stamp out iliturcy.
Nah, go all the way. inUrMethodSendinUrMessage() or bust.
How are sites slashdotted when nobody reads TFAs?
People like these bozos can insult our intelligence and we all are supposed to act politely and rationally.
I say that a few hundreds or thousands rabid replies from aggravated individuals would do wonders.
Sometimes politeness is seriously overrated...
IANAL but write like a drunk one.