Slashdot Mirror
State of Colorado Calls Firefox Insecure, IE6 Safe
linuxkrn writes "The State of Colorado's Office of Technology (OIT) has set up a work skills website. The problem is that the site says 'DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk.' (Original emphasis from site.) If the leading IT agency for the State is making these uneducated claims, should the people worry about their other decisions?"
Well, I'm impressed. I tried to send them a message telling them that they're morons. (Though in a more polite manner.) They got right back to me with this message:
I love how the site is:
A) Being run off of someone's desktop. Out of their My Documents folder, no less.
B) Gives up the username of the machine without so much as a "how do you do"
C) Shows the world that our amazing admin can't even hack it at C#
I should check the IIS version. I have a sneaky suspicion that it's not up to date. Or maybe take a cue from Bobby Tables and throw some SQL injection attacks at the site. :-/
Javascript + Nintendo DSi = DSiCade
A more sensible approach might involve writing a well spoken, coherent, concise email. No reason to come across as a raving nutter - if someone is considering the "angry rant" approach, I'd suggest that perhaps what they are doing, is the opposite of help.
What do you expect from a state who uses 128 characters to describe a perspective hire's education.
The Education Property has been increased to 128 characters due to popular demand. Thanks for your patience.
I tried to leave a comment :
Server Error in '/SKILLS' Application.
Object reference not set to an instance of an object.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[NullReferenceException: Object reference not set to an instance of an object.]
Skills.Suggestion.doTheSend() in C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\Skills\Suggestion.aspx.vb:137
Skills.Suggestion.sendEmailLink_Click(Object sender, EventArgs e) in C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\Skills\Suggestion.aspx.vb:127
System.Web.UI.WebControls.LinkButton.OnClick(EventArgs e) +90
System.Web.UI.WebControls.LinkButton.RaisePostBackEvent(String eventArgument) +76
System.Web.UI.WebControls.LinkButton.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +7
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +11
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +177
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1746
Version Information: Microsoft .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433
LOL ?!?
EDUCATION:
I got a B.S. in computer science at Crazy Go Nuts University, and learned about security, including browsers. And let me tell y
3. Profit!
2. ???
1. On Soviet Slashdot, a Beowulf cluster of alien Natalie Portman overlords welcomes YOU!
Must use IE. Windows is unsafe. FF is not.
Head asplodes.
Absolute power corrupts absolutely. indymedia
Email:
oit@state.co.us
Phone:
303-866-6060
Fax:
303-866-6454
US Mail:
Governor's Office of Information Technology
1580 Logan St., Suite 200
Denver,CO 80203
Actually the site doesn't work whether you're using Internet Explorer or Firefox. It looks worse with Firefox because they are using some of the non-standard display tags that cause components to overlap if using a standards compliant browser. Regardless of the browser used, the result is the same: failure.
http://www.colorado.gov/cs/Satellite?c=Page&cid=1165692953912&pagename=OIT-New%2FOITXLayout
oit@state.co.us
-- There is no truth. There is only Perception. To Percieve is to Exist.
"Questions and Answers"
"Can I use Firefox or another Browser?"
"No! For security reasons, and some significant processing issues as well, the only supported Browser is Internet Explorer Release 6 or later."
"What if I have a Skill that isn't listed?"
"The "Suggestion" tool enables you to communicate directly with the Administrators. We will research your proposed Skill with your input and agreement."
I'd like to learn how to make web pages. Think I might see if I can tap these guys expertise. Anyone else fancy coming along?
Mozilla is an actual bona fide business allied with google among others, and as such I hope they sue the living snot out of that agency for making such a public claim. This sort of thing is no freakin joke. If they do, I would be interested to see what comes out in discovery with the actual human bureaucrats involved in setting this policy and posting that.
So now Colorado thinks they're smarter than the feds?
Not long ago the DHS said to avoid IE and use firefox for security reasons.
http://www.google.com/search?q=dhs+avoid+ie
http://www.sciencemadesimple.com/sky_blue.html The answer to "Why is the sky blue?" is reproduced from copyrighted material at sciencemadesimple.com
Obviously the correct approach is to send them a link to a special web page that will infect their computer if using IE. Once you've taken over their computer, you can use it to change their policies to supporting Firefox.
Relevant text in case of site slashdotted:
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 6.0" >
<meta name="ProgId" content="FrontPage.Editor.Document" >
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252" >
<title>Welcome to The Colorado Department of Labor and Employment</title>
<link rel=stylesheet href="/commoncomponents/contentstyles.css" type="text/css">
</head>
I can't believe you don't know what a Hasemalphaginnojinglanaporphomism is.
Contact information is here. Don't try to contact them using the link in the summary, it doesn't work.
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
Ok, so explain why apache is less exploited than IIS. It is used far more.
Your little idea is cute and has been proposed by many before, and just like then it is wrong.
Also you should investigate your keyboard it seems to be broken.
Skills.Suggestion.doTheSend()
Priceless. 'send()' would have been a boring name for that function.
First Hosea wins Top Chef instead of an actual chef, and now this.
I hate Colorado now.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Secunia states that Firefox3 has less critical issues:
http://secunia.com/advisories/product/19089/
While IE6 and IE7 have moderate problems. Making IE less secure:
http://secunia.com/advisories/product/11/
http://secunia.com/advisories/product/12366/
Firefox3 also has only 1 issue unpatched, while IE6 has 22 open issues.
The site does not say "firefox may not be secure" they're saying "firefox poses a security risk". One of them is a statement of fact that they do nothing to back up, the other one is an opinion which may or may not be valid, but is theirs to hold.
I wonder if what they meant was "our site looks like crap in firefox so please don't use it". Or maybe by "poses a security risk" they mean "the secret fields we spent hours figuring out how to hide behind other stuff refuses to stay hidden in firefox, so using it is a risk to OUR security".
If I have been able to see further than others, it is because I bought a pair of binoculars.
I can just drive down there and slap them in person...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Yeah, you're not really a winner until you successfully punch the monkey.
Look on the bright side, at least it's spelled right. I'd rather have doTheSend() than excetute(), which some kind soul helpfully made an abstract in one of our base classes, and that has since been propagated across a few hundred other classes that I'm not allowed to refactor. A little piece of me dies every time I see it.
At least I sort of know who did it, thanks to cvs history. And if I ever figure out who the hell ers4634 is, they'll truly know what it means to be excetuted. Bastard.
It used to say:
It looks like they removed the message about Firefox being insecure. Google doesn't have a cache of the page, but you can see it in the summary:
http://www.google.com/search?hl=en&q=http://www.coworkforce.com/Skills/myskills.aspx+Firefox+security&btnG=Search
You can clearly see the text: "DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk."
Javascript + Nintendo DSi = DSiCade
Interesting... stack trace displays are turned off by default from remote sites when using ASP.NET for security reasons. They had to explicitly turn them on to display this.
I doubt they are the best people to tell others about security...
Very poor odds. Working for a similar state government agency I can tell you the process probably involved atleast 10 weekly or monthly meetings to outline the basic content, a 2 month review process on the outline documentation for the page layout, a 6 month bidding process from prospective contractors to create the webpage, another couple months for a cost/benefit analysis, with the final decision that a frontpage license and either a new permanent position or an expansion of duties amendment (with associated raise) to one of their high up IT people would be the answer. Total time to create that webpage, probably a year and a half to two years.
I don't suffer from insanity, I enjoy every minute of it!
These can be insecure. In fact, some were designed as trojans. See the Vladuz saga, who cracked eBay site admin accounts - in part through a Firefox plugin designed to this purpose, and hosted on the firefox plugin site!
When any goof startup can create social-network connectors or picture-browsing extensions, Firefox abdicates a good part of its inherent security advantages. Use these at your own risk. We won't touch FF privacy concerns with the Google relationship, and how hard it is to keep FF from reporting to GOOG as a default. IE is as bad with their parent.
I do think the warning about FF IS misplaced. Our biggest current risk is simply the Adobe PDF file-format. You don't even need to OPEN the file to execute code! Whee!
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
Skills.Suggestion.doTheSend()
Priceless. 'send()' would have been a boring name for that function.
This is because it's already in use. Just like 'doSend()'. And what do you do when you just happen to need a third 'send()' function?
The truth may be out there, but lies are inside your head
.SendThatBitch() /*if only my bosses ever bothered to read my code comments! They wouldn't be able to keep a straight face while firing me*/
The Colorado Departent of Labor and Employment regrets that this service is unavailable at this time.
(We like Firefox too...and safari.....and chrome...)
Its pretty funny what a good slashdotting will do.
Based on the speed at which things can get fixed by what are normally lumbering juggernauts when they are seen and reacted to by a million people on the Internet, I'd suggest that ten thousand angry rants are often much more effective than hundreds of extremely well spoken, coherent, concise emails.
In this case, a massive spew of vitriolic bile targetting squarely at the fools behind that miserably borked IIS site seems warranted, and is likely to be more effective than some pansy-assed coherent "Dear Sirs, I am writing to engage in a discussion concerning what appear to be some personal biases toward the fine products that Microsoft Corporation produces and their manifestation in a minor slight against Firefox, another fine product, on your web blah blah blah..."
Fuck that. Hoist the pitchforks! Ignite the torches! Geek wrath power ON!
Why are you linking that stuff here? You think anyone from and IT department that lauds the security of IE6 actually reads Slashdot? ;)
-Arthur
Cave ne ante ullas catapultas ambules
Oh yay, another great example of providing a technically correct, but thoroughly misleading answer. "To answer these questions, we must learn about light, and the Earth's atmosphere." No, you mustn't. Ok, you need to learn one thing: "the sky is blue because air is blue" (from Recurring Science Misconceptions in K-6 Textbooks). All that crap about Rayleigh scattering and frequencies of light is...well, it's true but it's generally beside the point.
Q. Why is my shirt red?
A1. (bad) To answer these questions, we must learn about light, and how photons are absorbed or reflected by different materials, and how the cones of the eye convert photons into neural impulses....
A2. (good) because it was dyed red.
Granted, all that other stuff can be interesting too, but to claim that you're providing the simple explanation is just ridiculous.
(At least it's not as bad as the standard explanation of an airfoil, which is simply wrong.)
And what should that email say, exactly? More specifically, to what URLs could I point the devs to an _unbiased_source_ that IE is insecure and Firefox is secure?
I have this problem with Hebrew websites constantly, in fact, about two hours ago I wrote to a local news website about their IE-only policy. Being able to point them to an unbiased, reliable source to back up the "Firefox is safer" claim would help.
It is dangerous to be right when the government is wrong.
I'm laughing my ass off. I've worked with enough government (specifically state) agencies to know that this is not hyperbole. This is probably what actually happened.
-Arthur
Cave ne ante ullas catapultas ambules
doTheSend()... that is amusing. I think it is even funnier that they left the code in:
C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\
So..I guess they could only afford one copy of Visual Studio, and it is....on the server..../boggle
And production code running from "My Documents" haha.
they'll truly know what it means to be excetuted. Bastart.
Broke That For You.
This is why they told you not to use Mozilla. It poses a security risk for the site... look, you went and disobeyed the directions and broke it!
All because you were using Mozilla instead of IE!
No no no MY comment shows MY ignorance.
Wait... what?
And if I ever figure out who the hell ers4634 is, they'll truly know what it means to be excetuted.
Good luck with that. I mean, he could be anyone. ;)
Server Error in '/SKILLS' Application.
That may be the most astute error message I've ever read.
Help stamp out iliturcy.
Nah, go all the way. inUrMethodSendinUrMessage() or bust.
How are sites slashdotted when nobody reads TFAs?
People like these bozos can insult our intelligence and we all are supposed to act politely and rationally.
I say that a few hundreds or thousands rabid replies from aggravated individuals would do wonders.
Sometimes politeness is seriously overrated...
IANAL but write like a drunk one.