Slashdot Mirror
State of Colorado Calls Firefox Insecure, IE6 Safe
linuxkrn writes "The State of Colorado's Office of Technology (OIT) has set up a work skills website. The problem is that the site says 'DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk.' (Original emphasis from site.) If the leading IT agency for the State is making these uneducated claims, should the people worry about their other decisions?"
Well, I'm impressed. I tried to send them a message telling them that they're morons. (Though in a more polite manner.) They got right back to me with this message:
I love how the site is:
A) Being run off of someone's desktop. Out of their My Documents folder, no less.
B) Gives up the username of the machine without so much as a "how do you do"
C) Shows the world that our amazing admin can't even hack it at C#
I should check the IIS version. I have a sneaky suspicion that it's not up to date. Or maybe take a cue from Bobby Tables and throw some SQL injection attacks at the site. :-/
Javascript + Nintendo DSi = DSiCade
A more sensible approach might involve writing a well spoken, coherent, concise email. No reason to come across as a raving nutter - if someone is considering the "angry rant" approach, I'd suggest that perhaps what they are doing, is the opposite of help.
What do you expect from a state who uses 128 characters to describe a perspective hire's education.
The Education Property has been increased to 128 characters due to popular demand. Thanks for your patience.
I tried to leave a comment :
Server Error in '/SKILLS' Application.
Object reference not set to an instance of an object.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[NullReferenceException: Object reference not set to an instance of an object.]
Skills.Suggestion.doTheSend() in C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\Skills\Suggestion.aspx.vb:137
Skills.Suggestion.sendEmailLink_Click(Object sender, EventArgs e) in C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\Skills\Suggestion.aspx.vb:127
System.Web.UI.WebControls.LinkButton.OnClick(EventArgs e) +90
System.Web.UI.WebControls.LinkButton.RaisePostBackEvent(String eventArgument) +76
System.Web.UI.WebControls.LinkButton.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +7
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +11
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +177
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1746
Version Information: Microsoft .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433
LOL ?!?
EDUCATION:
I got a B.S. in computer science at Crazy Go Nuts University, and learned about security, including browsers. And let me tell y
3. Profit!
2. ???
1. On Soviet Slashdot, a Beowulf cluster of alien Natalie Portman overlords welcomes YOU!
Email:
oit@state.co.us
Phone:
303-866-6060
Fax:
303-866-6454
US Mail:
Governor's Office of Information Technology
1580 Logan St., Suite 200
Denver,CO 80203
Actually the site doesn't work whether you're using Internet Explorer or Firefox. It looks worse with Firefox because they are using some of the non-standard display tags that cause components to overlap if using a standards compliant browser. Regardless of the browser used, the result is the same: failure.
Mozilla is an actual bona fide business allied with google among others, and as such I hope they sue the living snot out of that agency for making such a public claim. This sort of thing is no freakin joke. If they do, I would be interested to see what comes out in discovery with the actual human bureaucrats involved in setting this policy and posting that.
Obviously the correct approach is to send them a link to a special web page that will infect their computer if using IE. Once you've taken over their computer, you can use it to change their policies to supporting Firefox.
Relevant text in case of site slashdotted:
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 6.0" >
<meta name="ProgId" content="FrontPage.Editor.Document" >
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252" >
<title>Welcome to The Colorado Department of Labor and Employment</title>
<link rel=stylesheet href="/commoncomponents/contentstyles.css" type="text/css">
</head>
I can't believe you don't know what a Hasemalphaginnojinglanaporphomism is.
Skills.Suggestion.doTheSend()
Priceless. 'send()' would have been a boring name for that function.
First Hosea wins Top Chef instead of an actual chef, and now this.
I hate Colorado now.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Secunia states that Firefox3 has less critical issues:
http://secunia.com/advisories/product/19089/
While IE6 and IE7 have moderate problems. Making IE less secure:
http://secunia.com/advisories/product/11/
http://secunia.com/advisories/product/12366/
Firefox3 also has only 1 issue unpatched, while IE6 has 22 open issues.
Yeah, you're not really a winner until you successfully punch the monkey.
Look on the bright side, at least it's spelled right. I'd rather have doTheSend() than excetute(), which some kind soul helpfully made an abstract in one of our base classes, and that has since been propagated across a few hundred other classes that I'm not allowed to refactor. A little piece of me dies every time I see it.
At least I sort of know who did it, thanks to cvs history. And if I ever figure out who the hell ers4634 is, they'll truly know what it means to be excetuted. Bastard.
It looks like they removed the message about Firefox being insecure. Google doesn't have a cache of the page, but you can see it in the summary:
http://www.google.com/search?hl=en&q=http://www.coworkforce.com/Skills/myskills.aspx+Firefox+security&btnG=Search
You can clearly see the text: "DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk."
Javascript + Nintendo DSi = DSiCade
Interesting... stack trace displays are turned off by default from remote sites when using ASP.NET for security reasons. They had to explicitly turn them on to display this.
I doubt they are the best people to tell others about security...
Skills.Suggestion.doTheSend()
Priceless. 'send()' would have been a boring name for that function.
This is because it's already in use. Just like 'doSend()'. And what do you do when you just happen to need a third 'send()' function?
The truth may be out there, but lies are inside your head
.SendThatBitch() /*if only my bosses ever bothered to read my code comments! They wouldn't be able to keep a straight face while firing me*/
Based on the speed at which things can get fixed by what are normally lumbering juggernauts when they are seen and reacted to by a million people on the Internet, I'd suggest that ten thousand angry rants are often much more effective than hundreds of extremely well spoken, coherent, concise emails.
In this case, a massive spew of vitriolic bile targetting squarely at the fools behind that miserably borked IIS site seems warranted, and is likely to be more effective than some pansy-assed coherent "Dear Sirs, I am writing to engage in a discussion concerning what appear to be some personal biases toward the fine products that Microsoft Corporation produces and their manifestation in a minor slight against Firefox, another fine product, on your web blah blah blah..."
Fuck that. Hoist the pitchforks! Ignite the torches! Geek wrath power ON!
doTheSend()... that is amusing. I think it is even funnier that they left the code in:
C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\
So..I guess they could only afford one copy of Visual Studio, and it is....on the server..../boggle
And production code running from "My Documents" haha.
they'll truly know what it means to be excetuted. Bastart.
Broke That For You.
This is why they told you not to use Mozilla. It poses a security risk for the site... look, you went and disobeyed the directions and broke it!
All because you were using Mozilla instead of IE!
And if I ever figure out who the hell ers4634 is, they'll truly know what it means to be excetuted.
Good luck with that. I mean, he could be anyone. ;)
Server Error in '/SKILLS' Application.
That may be the most astute error message I've ever read.
Help stamp out iliturcy.