UK Gov't Says "No Evidence" IE Is Less Secure

aliebrah writes "Lord Avebury tabled a parliamentary question in the UK regarding the security of Internet Explorer and whether the UK government would reconsider its use. He got an answer from the UK Home Office that's unlikely to please most Slashdot readers. The UK government contends that 'there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure.'"

Re:So security through wishful thinking is better?

[Anonymous+Brave+Guy]

Speaking of tired old arguments, you lost all credibility right there.

By doing what, expressing a sentiment that is not popular around here?

Suffice it to say there are a lot of eyes on Firefox, for both the code itself and for evaluating and testing exploits.

You are making my point for me: that claim does not suffice.

Either you are personally one of those people and you personally check all of the code you rely on, or you are trusting that other people are doing it. Whether those other people are Firefox developers employed by Mozilla, or a community of OSS contributors, it's no different to trusting that people at Microsoft check IE: all you see is what those people choose to share with you, and you have no way to know how good a job they are really doing.

Re:So security through wishful thinking is better?

[Anonymous+Brave+Guy]

Security issues are reported by both the community and third party vendors, and they're handled rapidly.

As I observed two posts ago, unless you are one of the select few with access to the full security issue process, you don't know that.

On the other hand, I have absolutely no assurance that Microsoft will either (1) be aware of security issues, or (2) responsibly handle them.

To all intents and purposes, the security issue policy for Firefox and IE is exactly the same. In neither case do you or I have any idea how many security vulnerabilities have been reported but remain unpatched at any given time (unless we happen to be a suitably senior member of the development team). In neither case is there any guarantee that any given security bug will be noticed and reported.

How many times do we have to get stung by holes that were reported to Microsoft months ago, when they only get forced into doing something about it due to a widespread and very nasty exploit?

This is where I have to wonder how my universe is so different to yours. I've got my own machine here running Windows. I've worked at small businesses running Windows. I've worked for some of the largest businesses in the world with massive corporate IT departments running Windows. And yet I've never once seen anyone suffering from these disastrous IE exploits that are apparently out there waiting to eat all our babies. Of course, that's not to say they don't exist, but let's not exaggerate the reality, OK?

I've got 20 years of combined public sector, private sector, and military experience that says I'm right.

Are you sure you haven't just built up 20 years of prejudice? You certainly don't have 20 years of experience comparing the security policies of Microsoft's IE8 team and the Firefox project, do you? Or even 20 years of experience of how major OSS projects fare generally in the security stakes, given that they have only become a significant part of the software landscape much more recently.