Germany Warns Against Using Firefox

jayme0227 writes "Due to the recent exploit in Firefox, Germany has warned against its use. This comes a couple months after Germany advised against using IE. Perhaps we should start taking odds as to which browser will be next." Note: the warning (from the Federal Office for Information Security) is provisional, and should be rendered moot by the release later this month of 3.6.2.

3.6.2 released

Yup

Re:3.6.2 released

[Z00L00K]

And if you want to be really safe - use Lynx instead. No images, no Flash, no Javascript, No ability to view pr0n.

Re:3.6.2 released

[gzipped_tar]

> No ability to view pr0n.

I doubt that.

Re:3.6.2 released

http://www.asciipr0n.com/

Re:3.6.2 released

[impaledsunset]

http://secunia.com/advisories/search/?search=lynx

Re:3.6.2 released

[rvw]

And if you want to be really safe - use Lynx instead. No images, no Flash, no Javascript, No ability to view pr0n.

Use Noscript.

Re:3.6.2 released

[L4t3r4lu5]

I wonder if that site would set off the text filter...

Re:3.6.2 released

[JohnBailey]

Confirmed. Just popped up for download now.11:03 GMT.

Re:3.6.2 released

[satanicat]

its blocked by opendns...

i have kids! shutup

Re:3.6.2 released

[ericlondaits]

I agree... if you're not satisfied with the default ugliness you can download and apply a number of themes that will raise the ugliness to previously unattainable levels.

Seriously, I tried a lot of themes and most of them make the interface fuzzier and harder to see and operate. Most themes are developed by "pimp my desktop" types and not by UI experts aiming for higher usability with pleasing aesthetics.

Re:3.6.2 released

[nangus]

looking at your list, there was one advisory in 2009, one in 2008, and then one in 2006. I think what is happening here is lynx is just introdusing a minor security flaw about once a year just so they can hang out with all the cool kids. They are just trying to be "edgy" and "hip".

Re:3.6.2 released

[Mister+Whirly]

Gopher is really where it is at. Lynx is too "bloated" with features.

Re:3.6.2 released

[Island+Admin]

Use wget :P

Re:3.6.2 released

[Forty+Two+Tenfold]

curl?

Re:3.6.2 released

[execthis]

I just have one question: Why, if Mozilla were about to release this new update, did not the German gov't at least give them the courtesy of a phone call or something (even a ping on a mailing list or something) saying "Hey guys, we're about to recommend to our 60 million citizens that they stop using your browser" to which Mozilla could have replied "Can you guys wait another few hours?"

I understand if your job as an agency is to protect consumers from harm but the whole point of Open Source is collaborative effort which strengthens projects and creates improvements.

Re:3.6.2 released

[tsa]

telnet to port 80.

3.6.2 is out.

3.6.2 is out.

Re:3.6.2 is out.

[K.+S.+Kyosuke]

No, GGP was the preceding post in version 2.0.

A release that has just happened, in fact...

[n6mod]

Firefox 3.6.2 was released earlier tonight: http://www.mozilla.com/en-US/firefox/3.6.2/releasenotes/

Free software in action

[Statecraftsman]

As soon as I read about this on /. I realized Firefox is downloading an update to 3.6.2. This is why free software is our best tool against malware. Reaction time can scale with importance. And (shameless free software plug alert) it's why I wrote what's in my sig.

Re:Free software in action

Yes but you're forgetting the cancerous communism.

Re:Free software in action

That is a really poor standard you have. I don't want software that patches exploits quickly, I want software that was correctly written and had no exploits to begin with.

Re:Free software in action

[im_thatoneguy]

What the German government should do is release an open source application which switches your default browser.

A team of German security experts would make a bi-weekly security assessment and then set the default browser for the period. ;)

Of course this browser switcher would also be able to push patches as well. Automate their recommendations!

Re:Free software in action

[matria]

Thank you; I needed a good laugh!

Re:Free software in action

[lattyware]

Right. Find me a group of programmers that can write an entire web browser without any flaws or exploits, while having all the features everyone wants. Yeah.

Re:Free software in action

[ipquickly]

I want software that was correctly written and had no exploits to begin with

And I want world peace.

Now which is more attainable? It all comes down to us-meatbags.

Re:Free software in action

[c-reus]

Go ahead and construct a formal verification for any browser currently available. Here's a starting point, let's see how far you'll get.

Re:Free software in action

[Beelzebud]

If Firefox is bloated and crashes a lot, that's your own damn fault for installing 100 addons.

Re:Free software in action

[gzipped_tar]

Formal verification? Doesn't it all bog down to "Does Not Compute"? ;)

Re:Free software in action

[Zontar+The+Mindless]

I want software that was correctly written and had no exploits to begin with.

And I want Anonymous Cowards to start making /. posts that are insightful, useful, and realistic.

And WHERE'S MY PONY?!

Re:Free software in action

[Zoidbot]

You know it's taken over a month to fix this right? The exploit was discovered 18-02-2010 according to securina.

Opera takes less than a week usually (and the occurrence of exploits is less also).

The argument that Open Source allows anyone to fix things and thus making patches quicker does not work, as clearly it also opens up your code for hackers to review looking for new exploits. I don't believe in security by obscurity, but the fact remains, Opera is closed source and the most secure (and fastest) web browser out there.

Re:Free software in action

[Spad]

http://www.deagostini.com.au/ilovehorses/

Re:Free software in action

[DNS-and-BIND]

A sad day on Slashdot when someone saying "programming correctly is the right response" and he's ridiculed by at least 4 replies and modded +3 Funny. What the hell happened to this place?

Re:Free software in action

[bickerdyke]

The gpl guarantees fixes as fast as you are able to debug the code yourself.

Thats what is guaranteed. But what you can expect is getting a fix as soon as someone debugged the code. (usually pretty fast, but not guaranteed)

and even that CMA-guarantee is much better than what you get for closed source.

Re:Free software in action

[chthon]

They where probably all reactions from people who program for a living.

Re:Free software in action

[Jurily]

OpenBSD seems to do just fine, with a bigger codebase, written in C.

Wanna guess what the difference is? They have security-obsessed people in charge.

Nobody gets credit for fixing a bug. Instead, we celebrate the people who get a fix out fastest. We don't care about flammable buildings, but we watch the response time of the fire department like a hawk.

Re:Free software in action

[umghhh]

This is all very strange - on BSI (this is what the german abbreviation of Federal Office for IT Security is) site there is nothing about this, BuergerCert site informs about new upcoming release of firefox that is going to fix unspecified security problem. If you compare it with IE warning from some time ago there is a difference - back then BSI issued a warning telling people not to use compromised software that is actively used for attacks and here you have a warning based on information of new release. Fear mongering - that is what it is - a new and terrible thing has happened - somebody is releasing software to fix the bug that nobody has abused yet. Good that German Gov. is issuing warning but judging on this government record (Moevenpick subsidy to hoteliers or sucking of Mr Sawicki on request of big Pharma) I'd say FDP and/or CDU (governing parties) took money from somebody again. I would not look for conspiracy anywhere but current government actually does not even bother with hiding their deplorable attitude towards private money - funny thing is that they do it in such incompetent way that it is almost laughable (well one should cry actually - they have our tax money).

Re:Free software in action

The guy who found the bug didn't give details to Mozilla promptly, he sold it in his security product to clients for a few weeks, then told Mozilla. Can't blame Mozilla for not fixing a bug they had 0 details on. Once they were given details they fixed it in a few days, not bad for fixing the bug, making a build, QA'ing and releasing it.

Re:Free software in action

[umghhh]

I think you are right but your proposal misses one vital feature - this switcher should also fully automatically transfer all our account information to the tax man - that would save the government some millions usually charged for bank accounts info stolen from swiss banks.

Re:Free software in action

[MrMista_B]

You know it takes a little while to bug test bug patches, right?

Re:Free software in action

[sopssa]

And the fact that the vulnerability has been in the wild for a month.

Just days before the start of a hacking contest set to target Web browser vulnerabilities, Mozilla has patched its flagship Firefox browser. ...

Mozilla had been under pressure to fix the bug, after it was included by Russian security researcher Evgeny Legerov last month in his VulnDisco hacking tool, which is sold as an add-on to the Canvas penetration testing kit.

What did you say about reaction time with importance again?

Re:Free software in action

[sopssa]

It is "bloated" in the sense of feeling slow to begin with. XUL and XML based GUI is probably the worst idea ever. If you've ever used Opera, you know just how fast and snappy the UI feels. This is what has always put me off from Firefox - it just doesn't feel good.

Re:Free software in action

[selven]

Because "don't set this place on fire" is not a fire escape plan. Bugs and vulnerabilities will happen either way, and you still need a plan for dealing with them.

Re:Free software in action

[Jaysyn]

And I want a pony.

Re:Free software in action

[TheReal_sabret00the]

Seriously? I'm all for the opinion that Firefox is becoming the Winamp of browsers, with that best of the rest feel rather than the best feel. But Opera really doesn't have a snappy UI or a snappy feel. Opera is a great browser but has always felt clunky and dopeish. Not to mention that with the same tabs open in both Opera and Firefox, Opera is the one that feels the most sluggish. I fully agree that Firefox is making some disastrous decisions, taking a month to fix a reported bug is beyond acceptable, but lets not make it out like it's the new IE. By all means let's slap them on the wrists and hope they don't do it again. Lets hope that in Firefox 4, you'll be given an installer screen that will let you choose which features you want, I for example, won't be opting for TaskFox installed. But in no way is it the demon browser from hell sent to rape our mothers.

Re:Free software in action

[data2]

Yes, but there is this little detail, which, if you had read http://secunia.com/advisories/38608, you would know. It was not clear that this was a real bug, there were no details known.
A fairly unknown researcher claimed there was a zero day in firefox, without giving enough details to tell where the bug is.
So what happened was that somebody, who we not know if he is to be trusted, claimed there was a bug. Imagine!
Reaction time from knowing the details to roll-out was far better, at least in this case. This is probably not the best bug to be making a point against patching policy with OSS.

Re:Free software in action

[TheLink]

> OpenBSD seems to do just fine, with a bigger codebase, written in C.

They just ship OpenBSD with most services disabled by default, and then claim it is safe by default.

That's similar to Microsoft's shipping IE on their server O/S with most stuff disabled by default, and then claiming that IE is not vulnerable
on their server O/Ses by default.

Yes they are safe by default just like a car with its wheels, engine and battery "disabled" by default is safe from most carjackers.

Re:Free software in action

[Sulphur]

bloated and crashes more often than an old scottish drunk

I am not drunk. I paid a lot of money to learn to walk like this.

Re:Free software in action

[Jedi+Alec]

Maybe they could hook it into the new browser selection screen for Windows the EU mandated?

Having each browser choice come with an "estimated time till you get wtfpwn'd" statistic might be a useful addition ;-)

Re:Free software in action

[dkf]

OpenBSD code quality is higher

Not uniformly. They've got some significant problems (e.g., a non-thread-safe getaddrinfo() for goodness' sake! They've not even bothered to put a lock internally, despite the fact that the specs for these functions have required thread safety since RFC 2553, i.e., over 10 years...) but they perhaps aren't strictly security problems. Just major functionality issues that every other vendor addressed long ago.

Re:Free software in action

[Aceticon]

Creating 100% secure software is like trying to prove an absolute statement (as in "All X have Y") - to prove it right, every single one of the subjects of your statement have to comform to it, while proving it wrong only takes one that does not.

Or in more specific terms: no matter how good the team developing a piece of software is and how long they have to do it, all it takes is one of them doing a single mistake and the results is not 100% secure.

It's reasonable to expect that all first order mistakes (i.e. the blindingly obvious) are caught, it is however not reasonable to expect that higher-order mistakes (for example: "unexpected interactions with a different version of a certain library installed in the same system in the 64 bit version of the OS") are caught, expecially those relating to external factors (which can change after the release is done).

Also there are economic limits to the level of security in a piece of software: more specifically, time is money, getting only the top best professionals to do it is a lot of money and (suprise, suprise) people are not willing to pay the higher price that such a product would require to break-even.

Re:Free software in action

[JohnBailey]

Umm... You forgot the word "known"... Can't count what you are not aware of..

Re:Free software in action

[iVtec]

Sorry to the rest for feeding a troll, but let's have some facts:

A month ago from today, mozilla didn't have any info on the vulnerability:

http://blog.mozilla.com/security/2010/02/22/secunia-advisory-sa38608/

neither did secunia:

http://blog.psi2.de/en/2010/02/20/going-commercial-with-firefox-vulnerabilities/comment-page-1/#comment-666

“This particular report is a bit special because of the lack of information available. Normally, we do not write about vulnerabilities unless certain details are available and / or we can test it. () and previous vulnerabilities reported by this company / person has proved to be reliable.

Mozilla posted was contacted by Evgeny Legerov on the 18th:

http://blog.mozilla.com/security/2010/03/18/update-on-secunia-advisory-sa38608/

So the response time is well under a month. now compare that to the time it took Microsoft to release the patch for the Aurora exploit:

http://www.wired.co.uk/news/archive/2010-01/22/microsoft-learned-of-ie-zero-day-flaw-last-september.aspx http://www.computerworld.com/s/article/print/9147058/Microsoft_patches_IE_admits_it_knew_of_bug_last_August?taxonomyName=Security&taxonomyId=17

From this evidence I can not come to the conclusion that slashdot is reacting fanboyishly when criticizing microsoft on security. Quite the opposite. I can however say that you're quick at defending microsoft without investigating the whole story, much like what you criticize slashdot readers of doing. I don't know, but in my book that is a fanboyish reaction on your behalf. =]

Re:Free software in action

[NRISecretAgent]

Better way of thinking of it: Would you rather have a program that's been deemed "flawless" with no support or a program that may or may not be flawless but has a good support team?

Flawless programs don't exist. By the time a piece of code has reached perfection, it has already become so old that it's security is moot and defeatable by a teenage girl with an iphone.

Re:Free software in action

[mcgrew]

And WHERE'S MY PONY?!

Outside, next to your flying car.

Re:Free software in action

[Nemyst]

[citation needed]

In other words, one case does not a rule make. And your last line makes your entire post crumble because it's a totally unfounded claim (whether it is true is moot, it's just totally unrelated to the subject at hand and is backed up in no way).

Re:Free software in action

[Nicolay77]

To me the latest Opera looks very good AND is amazingly responsive. I can't really agree with you about Opera feeling sluggish.

I can't say bad things about Firefox after version 2.0. Previous versions were a POS and fanboys were already raving about that POS like it was any good. But Firefox since version 2.0 has been a nice browser, and it was good because they copied a lot of Opera features.

I still prefer Opera to Firefox though.

Re:Free software in action

[Rockoon]

While its true that Mozilla got the fix out pretty fast once someone pointed right at it for them, it is often claimed that Open Source is more secure because there are thousands of eyes looking at the source code.

None of those Mozilla-loving eyes found this bug, yet a researcher unaffiliated with Mozilla but certainly looking for exploits, found it. Now what about all the researchers looking for exploits in order to driveby firefox users.. that will just keep the damn thing a secret?

Yeah.. they got the fix out fast. Bravo. Look at the real significance of these events, tho..

..exploit found
..went unpatched for a month
..only got patched because the person who discovered it pointed right at it.

Re:Free software in action

[Bigbutt]

Well, not "just". It is a bit more secure due to the rigorous testing of the code. OpenBSD has everything off by default except sshd and has the firewall on by default. Perfect for a server (which is how I'm using it). I enable the services as I need them.

But still, Windows could be counted as more secure if it left all the services off by default. So instead of having to read up and shut down services when you install a machine, you'd read up and turn on services as you need them.

So when I install an OpenBSD box, I'm pretty reasonably assured that I don't have a web or e-mail server running waiting for an attack and I can begin making it ready to be a server. It's the opposite on a Windows box. I shouldn't even plug it into the 'net until I'm sure it's patched and all unnecessary services are disabled.

[John]

Re:Free software in action

[natehoy]

No matter how clever you think you are, no matter how hard you work to prevent vulnerabilities, they will be in the release code in something as complex as a web browser (or an Operating System).

"I want software that is written correctly and has no exploits" is an unrealistic expectation. It's like saying "I want my power tools to be built in such a way that they cannot possibly harm me"

Most (certainly not all) software is built with very careful reviews, trying to figure out ways that black hats might exploit the software and code against it. But it's an arms race - the black hats are constantly working on ways to get by the software.

So, yeah, while I agree with GP that "I want software that is written correctly", this is the real world, where there are bad people who will think of things you didn't and break your software. So this cannot possibly be an "either/or" decision.

I want people who write software as correctly as feasibly possible, understanding that humans make mistakes and that other people are out there who are just as clever as the software authors and who do nothing but try to break it. I accept, in return, that I have to take a role in securing my system if I want control over my system.

More importantly, I want people who are open and honest about those flaws when they happen, acknowledge the flaws quickly, and fix them very rapidly. I can't defend myself against a flaw I do not know exists, and I want that flaw to go away very quickly once it is discovered. I have seen precious few teams who crank out fixes faster than Team Firefox.

So far, in the browser world, I have yet to find a team that releases consistently higher-quality (not perfect, but high-quality) code, is more open about their vulnerabilities, and responds to defects more quickly than the Firefox team. That's not to say that all other browsers out there are bad, or that Firefox is 100% secure, but the Firefox team appears to be doing about the best job one could realistically expect. And yet, it's still all free.

Re:Free software in action

[houghi]

It's secure alright. At least that is what we let you believe.

Re:Free software in action

[david_thornley]

No, I didn't think the "a" and "is" were stupid.

Re:Free software in action

[Jurily]

Yes they are safe by default just like a car with its wheels, engine and battery "disabled" by default is safe from most carjackers.

But they have a safe chassis. If you only look at the code involved in the default setup (hell, just the kernel), it's still way more than Firefox.

See? This is what I'm talking about. With all the work they do, this is all the respect they get. Give credit where credit is due: the parts they say is secure, is secure, and that's more than I can say for most software projects.

Let me ask you something: how many software project do you know where for each bug they find, they comb over the whole code base for the same type of bug? How many serious security flaws did they avoid by doing that?

Re:Free software in action

[Island+Admin]

Of course you can write exploit free code ... see example below:
#include <stdio.h>
int main() {
printf("Hello World!\n");
return 0;
}

Well ... anyway, thats all the Anonymous Cowards understand about coding anyway :)

Re:Free software in action

[Jaysyn]

Wrong on four counts mouth-breather.

Re:Free software in action

[Jaysyn]

And it's Gmail, I simply don't see spam you moron. So all your stupid ranting is either wrong or pointless.

Re:Free software in action

[mikkelm]

Are you honestly arguing that "reaction time" can't "scale with importance" in closed software development?

Re:Free software in action

[shutdown+-p+now]

I find it interesting that this story has this bit:

the warning (from the Federal Office for Information Security) is provisional, and should be rendered moot by the release later this month

while the earlier story about a similar warning about IE did not, and just said that "German government advises to not use IE", with no further clarifications (you had to dig into the comments for the story to find out). In fact, the text of TFS for that story rather implied that recommendation is permanent.

Re:Free software in action

[suomynonAyletamitlU]

It is specifically a "For all" proof, which is possible (however infeasible) because there are explicitly a finite number of things which can happen. User input is finite-sized. Webpages are finite-sized. Every html tag, and every script, has a limited number of acceptable permutations and a limited number of hooks into places where things can go wrong. After that, the user-visible data, that's just fluff that gets passed through it.

There is, in theory, perfect code on a perfect OS with perfect libraries that will be impeccably bug-proof no matter what you throw at it. However, if you don't know why that perfect code is written the way it is, you won't write it yourself (discounting an infinite number of monkeys), and you won't learn without experience fixing bugs.

This is another excellent reason for open source--in theory, you can look at thoroughly debugged code and learn from it, and you can watch the process evolve, where things that didn't look like bugs are shown to be such. It isn't just about not reinventing the wheel; it can be an excellent opportunity to improve the quality of code in general.

Re:Free software in action

[jc42]

A fairly unknown researcher claimed there was a zero day in firefox, without giving enough details to tell where the bug is. So what happened was that somebody, who we not know if he is to be trusted, claimed there was a bug. Imagine!

Yeah; it's a good technique to know about. For example, I just wrote a little virus to infect slashdot and then get delivered to your system when you update any discussions like this. So now it's sitting there on your machine, reporting everything you do to my server. But don't worry; unlike those other irresponsible hackers, I won't tell anyone about how it works. So nobody except my clients will have access to the data that it's now collecting about you.

Re:Free software in action

[K.+S.+Kyosuke]

I think you are the preverbial idiot if you really believe it's possible to create something that doesn't have flaws/exploits.

Unless you further qualify the question, I'm afraid that the answer is "you're wrong". Otherwise it would have no sense at all to teach programmers all the formal methods of programming that we have.

Re:Free software in action

[jc42]

Or in more specific terms: no matter how good the team developing a piece of software is and how long they have to do it, all it takes is one of them doing a single mistake and the results is not 100% secure.

And to make matters much worse, there is a widespread policy of attempting to keep software developers ignorant of the details of security issues. You see this all the time in management circles and discussions like this. People argue that the details of exploits should be kept secret. They claim that this is to prevent those evil hackers from using the information. But if this is all that's intended, then why do we hear this response when software developers ask for the details? The obvious conclusion is that the intent is to keep those developers ignorant. Then, of course, they write software with "known" holes, because the details are only "known" to a small group of people who are keeping it secret.

I recall back in the early days of the Web, when I didn't know much about how the Web really worked, and I also didn't know much about SQL. Scary stories started to appear about something called an "SQL Injection Attack". (Yes, this was a while ago. ;-) I tried to learn what this meant -- and I was blocked everywhere I looked. All I could find was vague, fuzzy warnings about the phrase. But I couldn't find any actual examples or other explanations of just how such an attack actually worked. It took me several years to finally learn the details (in a newsgroup post that was soundly denounced by other readers as aiding and abetting the evil hackers ;-).

At that point, I was finally able to look through my code and make sure that it wasn't vulnerable to such an attack. Of course, it was a bit late to do anything about possible vulnerabilities in code that I'd written in the past. That code was (mostly) proprietary and owned by companies that I didn't work for any more, so I was an outsider who (mostly) couldn't get access to it. Of course, I could contact the people who had the code, but there was no way to force them to take the issue seriously.

There are lots of vulnerabilities in our software, and part of the reason is the way that security information is intentionally hidden from the developers. "Check your code for vulnerabilities" is easy to say, but contains no information that a programmer can use. If we want actual secure software, the low-level details of all exploits must be made easily available to software developers. Until this happens, they'll continue to build software that contains known vulnerabilities, because the people writing the code don't know how to identify those vulnerabilities.

Re:Free software in action

[MasseKid]

Perhaps you should have built your building with asbestos and then you wouldn't have fire problems?

Re:Free software in action

[jc42]

Perhaps you should have built your building with asbestos and then you wouldn't have fire problems?

Instead, you'd be dying of lung cancer.

(I'm trying to think of a good -- i.e., bad -- analogy here ... Anyone have one?)

Re:Free software in action

[BitterOak]

A sad day on Slashdot when someone saying "programming correctly is the right response" and he's ridiculed by at least 4 replies and modded +3 Funny. What the hell happened to this place?

Life experience.

Re:Free software in action

[amicusNYCL]

It was not clear that this was a real bug, there were no details known.

It was part of a penetration testing kit. If nothing else, they could have gotten the kit and looked at how it attacked the browser.

So what happened was that somebody, who we not know if he is to be trusted, claimed there was a bug. Imagine!

Yeah, clearly the lesson here is not to trust anyone who you don't know. That's the whole mantra around OSS, right? Only trust the big boys, right?

Re:Free software in action

[data2]

Yes, it was included in the pen testing suite. But way later than was suggest by the parent of my post.
So it has not even been close to a month in between knowing the details and the fix published as was suggested.

Re:Free software in action

[Hurricane78]

Yeah right. Mod the messenger down because you know that I am right, and you would like to censor it, because you hate it.
Doesn’t make it any less true.

Or who of you is his own boss? Hm? Who? (Yep, I am. And I’ll rather die than go back. Really. With blood and pain and everything.)

Re:Free software in action

[mahadiga]

Instead of calling 'free' software, I'd prefer to call 'open source' software.
It improves the credibility.

Re:Free software in action

[TheReal_sabret00the]

I must admit that I find it incredible that so many Opera fanboys talk up Opera as everything that Firefox ain't and in 10.5+ Opera has replicated the functionality of the AwesomeBar without complaint from the Opera user-base. As for the sluggish problems, they've definitely lessened since 10.5, lets hope they continue to improve upon all the major browsers out there.

To add some information to the void..

[Seth+Kriticos]

The vulnerability *only* affects the current 3.6 branch. Patch is complete and will be pushed on the 30th of March.

Here is the Mozilla blog entry on the topic:
http://blog.mozilla.com/security/2010/03/18/update-on-secunia-advisory-sa38608

Here is the original bug report:
http://secunia.com/advisories/38608

Ps: can we please get security related articles with some content instead of *OMG, we are all going to die!!* ??

Re:To add some information to the void..

[n6mod]

Seth, scroll up one post in the blog. 3.6.2 was released tonight.

Re:To add some information to the void..

[EldestPort]

Why would they wait a week to push an important security patch anyway?

Re:To add some information to the void..

[allo]

and why is the patch not pushed ASAP?!

Re:To add some information to the void..

[andrea.sartori]

it is.

Re:To add some information to the void..

[TheReal_sabret00the]

I got my update Monday morning. I'm guessing that the patch will finish rolling out on the 30th.

Re:To add some information to the void..

[Hurricane78]

Ps: can we please get security related articles with some content instead of *OMG, we are all going to die!!* ??

But we are all going to die! Every single one of us. At some point. ^^

Re:To add some information to the void..

[julesh]

The vulnerability *only* affects the current 3.6 branch

Although note that other vulnerabilities with exploits in the wild and being actively used affect the 3.5 branch. I've had malware installed on my machine by drive-by redirects in advertising on otherwise trustworthy sites (TPB, for instance). If you're on 3.5, upgrade now.

Re:To add some information to the void..

[dkleinsc]

Because then I can't come up with the "I'm Just Fixin a Bug Rag" (with apologies to Country Joe MacDonald):

Come on, all you real smart men,
Mozilla Foundation needs your help again.
Got themselves in a terrible mess
Releasing code that fails the tests.
So put down your game, log into a Sun,
we're gonna have a whole lotta fun.

(Chorus)
And it's 1, 2, 3, what are we writin' for?
Don't ask me, I don't give a damn,
just sending out some spam.
And it's 5, 6, 7, resigned to our fate.
Ain't no time to test our code,
Whoopie, we're all botnet nodes.

This just in

[Rijnzael]

German government warns against use of the internet and software that has bugs.

Software is inevitably going to have bugs in it and try as we might, it's something we'll always have to deal with. There are always mitigation strategies, such as running Firefox in a virtualized environment a la Sandboxie or a full virtual machine, but we'll never be privy to using only bug-free software day to day. I'm glad to see the German government taking an active approach to notifying people in regard to vulnerabilities in an attempt to mitigate them, but as TFA states, what's the point in suggesting users quit using Firefox when the alternatives are potentially just as vulnerable?

Re:This just in

[mlts]

Sometimes I wonder if application virtualization like Sandboxie should be part of the OS. Not just Windows, but on UNIX as well. With ZFS, this is easier because a directory can be rolled back fairly easy due to the snapshot functionality.

Another cool idea is how Thinstall (well, now called VMWare ThinApp) packages apps. The app thinks it has admin rights and can happily doodle around the Registry and the filesystem, but in reality, all it does is just modify stuff stored in \users\blarf\appdata\roaming\Thinstall\appname. Even the Registry changes are stored as a file. If an OS could do this for legacy apps, it would help security tremendously, so if an app is compromised via a code injection, only that directory ends up suspect, and not the whole user environment, or even worse, the whole system.

Re:This just in

[rawler]

Only if that app does not have to communicate in any way with the rest of the system. What people encouraging virtualization tends to forget is that a multi-tasking OS already have means of protection. The memory an application sees is virtual, and the access to the rest of the system often enforces a security-model.

Still, however, the user has little use for isolated applications that cannot talk to others. A modern web-browser more or less requires other apps to be of any use, such as flash, a pdf viewer, maybe access to the OS centralised authentication management (stored passwords, Kerberos SSO...), and it needs to be able to store downloaded files where other applications can open them.

Fully contained and isolated apps are great for security, but crap for the user, which is when users usually starts breaking down the security enforcements to get any work done. The key is finding an appropriate balance between usability and security, which of course varies depending on security-requirements.

Re:This just in

[cerberusss]

Actually, OS X supports application virtualization.

http://www.macosxhints.com/article.php?story=20100318044558156

Re:This just in

[Hurricane78]

In other news: (Or in Soviet Russia...)
Internet warns against German government and leaders with narrow mustaches. ;)

Bah

[tsotha]

The take-away from this is Germans are never happy.

Re:Bah

[beh]

So, what would you rather have?

That they warn you about vulnerabilities in IE6, but ignore vulnerabilities in open source browsers?

I think they've done the right thing - there was a security hole (in the 'current' 3.6), and they warned about it. Their warning DID include that it affected the 'current' 3.6 version and that it should be fixed in 3.6.2.

That's fair comment, and it's their job to report it and not lull people into a false sense of security that the (then current 3.6) version of firefox was safe.

If they had NOT warned, it might have damaged their reputation for NOT covering it, and it might also have helped MS lobbying efforts if they could have been shown to be biased by reporting on IE issues, but not Firefox ones...

Re:Bah

[hackel]

If they would have contacted the Mozilla team they could have announced that the update was due out TODAY and advise users to upgrade, instead of advising them not to use it.

This is just irresponsible fear-mongering, and I think it is highly likely that it was done as a form of retaliation against the previous IE recommendation.

Re:Bah

[Zoidbot]

So you are saying it wasn't the severity of the exploit that moved it's release date, it was the media shitstorm...

Sounds like Mozilla have their priorities wrong.

Re:Bah

[PhxBlue]

Whoosh!

Re:Bah

[tsotha]

Insightful? Jeez, you guys, that was supposed to be a joke.

Responsible reporting

[AmiMoJo]

The German government seems to be being quite responsible here. There is an issue with Firefox, and most users probably don't know about it because they don't regularly read tech news sites.

The government is simply trying to keep people informed about this rather important topic, and has done so in a reasonable and proportional way. Not every warning put out is a damning condemnation of flawed security that mandates switching to Lynx you know.

Re:Responsible reporting

[yuhong]

Yep, this blog entry said that "Switching your web browser willy-nilly as each new unpatched security hole is revealed could cause more problems than it's worth.": http://www.sophos.com/blogs/gc/g/2010/03/22/german-government-firefox/

Re:Responsible reporting

[value_added]

The German government seems to be being quite responsible here. There is an issue with Firefox, and most users probably don't know about it because they don't regularly read tech news sites.

No, it's an attempted government takeover of the IT sector. Do you really want a government bureaucrat telling you what you can or can't do, what sites you can visit, or what browser you should use? I say let the free market decide. This country was founded on the ideas of personal responsibility, freedom and liberty, ideas that were enshrined by the Founding Fathers in the ...

Oops. Sorry. Wrong country.

I'll come in again.

Re:Responsible reporting

[mysidia]

Yeah... that's actually encouraging, it means they are actually providing meaningful distinctive advise/suggestions, and not merely copy and pasting vendor vulnerability lists and activating pretty 'alert level' colors...

not like the US government, who yanked up what used to be the wonderful somewhat independent [but gov sponsored] organization called 'CERT', absorbed them into the department of homeland security, and turned them into US-CERT a mere vacant shadow of their former selves, just another clearinghose that lists every bloody little Windows vulnerability the earth has ever known, nothing too interesting, nothing too distinctive or useful anymore.

That is, ever since, CERT's usefulness has plummeted by orders of magnitude, nowadays they typically just parrot all the major commercial vendors' security advisories, even ridiculously minor ones --- I suppose this is great if you are a Windows user, it should convince you to switch, but for the rest of us it sucks.....

CERT has made what, 1 activity incident report based on actual events or compromises, intrusion patterns, intrusion details, or reports on new types of threats since 2001?

Governments don't know what to do about security, I guess... their efforts at 'reporting' just degenerate into vulnerability listing, and other mundane non-intelligence-requiring activity.

Either that or they think it's too dangerous to tell the public what direction attacks/bad guys seem to be heading.

Re:Responsible reporting

[Sique]

As far as I can see, the BSI didn't release a new EU DIN which required "any browser except Firefox 3.6 until Firefox 3.6.2".
So where do you see a bureaucrat telling you what you have to do?`

It works completely different. If an organisation gets into IT trouble in the next time and the root cause can be determined to be the usage of a pre 3.6.2 release of Firefox 3.6 it can't claim "act of God", because they have been warned.

That's the whole purpose of the warning.

Re:Responsible reporting

[VJ42]

Whoosssssh

Re:Responsible reporting

[jaraxle]

Note as well that the headline of this writeup appears to be misleading. I read the article and nowhere does it say the German government is actually warning AGAINST using Firefox, they are simply warning the public of a security issue in the browser.

Specifically, the article states that the government is also warning people against switching browsers "willy nilly" every time a security hole is found because you never know what you'll be getting into. They're saying to be cautious if you're using Firefox and patch your browser with the security patch as soon as it's available.

Very responsible indeed on their part.

~jaraxle

Re:Responsible reporting

[daveime]

The irony is, had I left off the last paragraph, I'd probably be at +5 Insightful ...

The iMods mighty hammer strikes again.

the way to go

[l3v1]

Well, the Germans, by releasing this warning about the same time the expected Firefox update came out only proves that their eariler recommendation for choosing Firefox was the right one.

Re:the way to go

[jim_v2000]

Opera 10.51 Changelog

"Security
Fixed
Fixed an issue where the HTTP Content-Length header could be used to execute arbitrary code; see our advisory (http://www.opera.com/support/search/view/948/).
Fixed an issue where XSLT could be used to retrieve random contents of unrelated documents, as discovered by crazypops; see our advisory (http://www.opera.com/support/search/view/949/)."

OH SNAP SON! So much for those skilled contractors and their superior skills.

Re:the way to go

[Zoidbot]

Both of those are hard to exploit (unlike the Mozilla flaw, which there are tonnes of exploits in the wild), and both were fixed in 10 days, a quarter of the time it took Mozilla to fix 1 highly critical defect.

The fact it took a media shitstorm to make them release it, rather than the security of it's users, shows where Mozilla's priorities are...

First

[Beelzebud]

First they came for IE, and I didn't speak up because I didn't use IE.

Then they came for Firefox, and I didn't speak up because I didn't use Firefox.

Re:First

[pagaboy]

Then they came for Windows ME...

Re:First

[Bugamn]

And I was quite happy, I must say.

Re:First

[Jaysyn]

And I helped shove them into the incinerators....

Re:First

[SmilingBoy]

They also recommended against the original Google Chrome Beta:

https://www.bsi.bund.de/ContentBSI/Presse/Pressearchiv/Kurzmit2008/090908chrome_htm.html

And they also recommended against Opera 10.50:

http://www.buerger-cert.de/newsletter_suche.aspx?param=HGf116Hsnmjdg%2B95Lx4xLVfgHeBWpfgcdyqiMrbjzdH9yQ4jIcV6TY4STnzgjITQ%2BhD3uF8Dgn3F1%2BDy1Synkw%253d%253d#anchor1

So, nothing to see here.

Re:First

[Abstrackt]

Then they came for Windows ME...

Whoever "they" are, I doubt they want to get their hands that dirty.

Re:First

[NotOverHere]

Then they came for Windows ME...

... and I asked the they need any help loading Windows ME onto their truck.

Re:First

[miceter]

I didn't speak up because I type.

German government warns:

[dushkin]

* against the use of Opera!
* against the use of Chrome!
* against the use of internets!

Re:German government warns:

[gaelfx]

OK, we're computer literate folks around here (mostly), can't we figure out a better way to set up a warning system?

GLOBAL string name=browser.name.random();

c.out"German government warns against the use of " name;

You have been warned.

Re:Google Chrome.

[Beelzebud]

Firefox rocks too, and it doesn't serve as ad tracking software for Google.

Re:Google Chrome.

[RobbieCrash]

That's true, as long as you turn off Google as the default search, disable cookies, and don't use any other Google services. Which, you can do in Chrome too.

They could contact them easily too

[Ilgaz]

Better yet, free software authors (developers) aren't hiding anywhere. It would be hard to contact IE team but Mozilla developers can be reached easily, via mail or even IRC.

Posting this warning while it is easy to figure/ask 3.6.2 is OTW really requires some review by German Govt. For example, did someone from that team have some dinner/launch with some company executive lately?

Re:They could contact them easily too

[TheReal_sabret00the]

They've gotten their priorities a bit wrong, they're so obsessed with Firefox 3.7 and 4.0 that they took their eyes off the ball. Sadly, I don't think that adding a bit of glass or putting tabs on top is really that much to be getting excited about. Glass should've been a feature with the release of Windows 7 and tabs on top isn't my idea of a good time. Where's the innovation? Even their idea of tabs on top simply seems to be following in the same fashion as Chrome/Opera, there's nothing original about the approach. I feel they should've gone for the Ribbon feel from Office 2010, but of course, they're going for what's the most simple and what's easiest.

Re:They could contact them easily too

[maxume]

Your brain is stuck in 5 years ago:

http://blogs.msdn.com/ie/

(Contact information is plastered all over that page)

Beta/Nightly

[Bert64]

Surely anyone who is concerned about this vulnerability could simply run one of the nightly builds until the official update is released?

Re:Beta/Nightly

[sowth]

Or just stay with the 3.5.x series. Problem is, I don't see where they even link to it on their website. Even the 3.5.8 release notes page seems to link to 3.6 for downloads...

Older versions have unpatched vulnerabilities?

[buchanmilne]

The article says:

It is only the current version that is affected, but given that prior releases have different vulnerabilities, reverting to an older version of the browser is ill-advised.

However, the older releases page states that 3.5 will receive security updates until August 2010.

So, since 3.5 was not affected by this specific vulnerability, what vulnerabilities are unpatched in the current 3.5 release (3.5.8)?

If the Beeb or the German government knows something Firefox doesn't know, maybe they should tell us so that people still using/shipping (in the case of most linux distros) 3.5 can upgrade to 3.6? Or, if they *don't* know better, maybe they should stick to fact and not conjecture ...

Re:Older versions have unpatched vulnerabilities?

[sowth]

This is what I was wondering, however the firefox site does point to the experimental 3.6 version last time I checked. When I upgraded to 3.5.8, I had to find the ftp site to download it. WTF? I know they want testers, but seriously, that is crap.

The mozilla project isn't so immature they need lots of people testing their new experimental code. I could see them putting a note on the main page saying "Hey, some of you try out our experimental version 3.6, it has new wiz bang technologies! (not ready for production use)" This is what is wrong with software development today.

I don't want to be accessing my bank's site with experimental software which is more likely to have security problems. Craxy. (Cue Mad Hatter with his eyeballs rolling around in his head.)

Re:Older versions have unpatched vulnerabilities?

[Spad]

Because reverting to older versions increases the chances of accidentally getting part of, say the 3.5.x branch, that isn't 3.5.8 and does have unpatched vulnerabilities. Remember that we're not really talking about /. users here - we already know about the current vulns, patches, workarounds and alternatives - but "regular" users of Firefox who are used to just clicking on the "Firefox x.x Free Download" link on the getfirefox.com frontpage.

Re:Older versions have unpatched vulnerabilities?

[BZ]

> The mozilla project isn't so immature they need lots of people testing their new
> experimental code.

As a matter of fact, the only way to find out whether you broke some intranet site somewhere is to have someone on that particular intranet testing your "experimental code" (which 3.6 is not, by any means).

Typically betas of Firefox end up with several hundred thousand users.... and that still doesn't catch bugs on little-known sites like Hotmail (which apparently thinks Firefox 3.6 is Firefox 2 and therefore breaks in some cases).

Good news for free software

[doublegauss]

Contrary to Slashdot etiquette, I did read TFA. To me, the most extraordinary piece of news is that the BBC (not quite a geek-oriented news source) makes no mention at all of Firefox being FLOSS. This is excellent news. It means becoming mainstream. The Gandhi quote springs to mind.

Re:Good news for free software

[John+Hasler]

> ...the BBC (not quite a geek-oriented news source) makes no mention at all
> of Firefox being FLOSS.

Probably because they don't know. To them it is a product of Mozilla, Inc, one of several companies that offer "alternative" browsers.

Re:Google Chrome.

[heffrey]

I think you'll find that Chrome's record with regards security is no better than IE8 or FF.

Also, as far as rocking, I still can't get over the way it rides roughshod over installation standards and copies program files to your user profile. Until they get that sorted I won't touch it.

And the risk is???

[bradbury]

If I'm reading this correctly, the vulnerability is in WOFF fonts (what is a WOFF font?) and possibly allows some heap corruption. How do these various "exploits" actually get the Firefox code to execute out of the heap? I.e. one presumably has to either scribble on some known call-back function address in the heap, or somehow scribble on the stack (so Firefox/Seamonkey functions return to the exploit code in the heap) and isn't the data in the heap non-executable (at least under Linux)? I would expect that anyone trying to exploit vulnerabilities such as this would be causing the browser to abort (due to SEGV's or other severe faults) and would drive users away from accessing such pages.

So are these many "exploits" one hears about mostly sound and fury or are there serious risks? [In contrast to say something like an SQL injection attack where a person with reasonable knowledge of SQL could compromise insecure servers.]

Re:And the risk is???

[andrea.sartori]

A WOFF font is a font that barks at you while you type. The heap corruption exploit causes it to mess with "local business search" on your smartphone.

Re:And the risk is???

[ewrong]

A WOFF font is a Web Open Font Format font.

http://hacks.mozilla.org/2009/10/woff/

It's basically an extension of the @font-face rule with it's own compression and meta tagging. Please don't tell my designers about it.

Re:And the risk is???

[Silfax]

If I'm reading this correctly, the vulnerability is in WOFF fonts (what is a WOFF font?)

Works On FireFox ?

Re:And the risk is???

[clone53421]

Heh. From what I read, that’s correct... Firefox is currently the only browser that supports WOFF. But there were some interesting things I figured I’d quote:

The WOFF format originated from a collabaration between the font designers Erik van Blokland and Tal Leming with help from Mozilla’s Jonathan Kew. Each had proposed their own format and WOFF represents a melding of these different proposals. The format itself is intended to be a simple repackaging of OpenType or TrueType font data, it doesn’t introduce any new behavior, alter the @font-face linking mechanism or affect the way fonts are rendered. Many font vendors have expressed support for this new format so the hope is this will open up a wider range of font options for web designers.

The compression format is lossless, the uncompressed font data will match that of the original OpenType or TrueType font, so the way the font renders will be the same as the original. Similar compression can be achieved using general HTTP compression but because compression is part of the WOFF format, it’s simpler for authors to use, especially in situations where access to server configuration is not possible.

Second, the format includes optional metadata so that a font vendor can tag their fonts with information related to font usage. This metadata doesn’t affect how fonts are loaded but tools can use this information to identify the source of a given font, so that those interested in the design of a given page can track down the fonts used on that page. Fonts in WOFF format are compressed but are not encrypted, the format should not be viewed as a “secure” format by those looking for a mechanism to strictly regulate and control font use.

Firefox 3.6 will be the first shipping browser to support the WOFF format so it’s important to construct @font-face rules that work with browsers lacking WOFF support.

More, and examples, here: http://hacks.mozilla.org/2009/10/woff/

Re:governments warn us about exploits

[clarkkent09]

Well they warned against IE and Firefox. On Windows that narrows it down to Chrome and Opera. I'm just waiting for one more announcement so I'll know which one is the winner.

(btw please don't show off your knowledge of esoteric browsers by listing them here. those are the four biggest ones by far)

Bah humbug! mod parent TROLL

[beh]

mod parent TROLL...

Have you looked at the BSI page and linked mozilla blog page?

The mozilla blog entry was dated March 18th (giving March 30th as the release date for 3.6.2). The BSI advisory was dated March 19th (4 days before the story broke on slashdot; and 4 days before the actual release of 3.6.2).

So, you're saying, it was retaliation by BSI against Firefox, for publishing a release date the firefox crew themselves published the day before?

On March 19th - with the projected release date 11 days away, it seems it was perfectly in order for BSI to recommend use of an alternative for those 11 days:

    "empfiehlt das Bürger-CERT die Nutzung alternativer Browser, bis die Mozilla Firefox Version 3.6.2
        veröffentlicht ist."

This has nothing to do with fear-mongering - but simply that during a potential danger period, people might want to watch out. Their article clearly stated it only affected 3.6, and their article stated that their advisory is temporary 'until 3.6.2 is released'.

How is that retaliation?

Government Warns against Using the Internet

[Liambp]

The Government warned today issued a warning against using the internet because of security issues.

The office for Information Security reported the discovery of a major flaw that allows bad people to use the internet too. Citing incidents of users who have already been spammed, scammed, hacked, phished, botted, keylogged and otherwise abused the office has issued a strong recommendation to stop using the web altogether until this vulnerability is patched.

It is as yet unclear whether these exploits will be patched in the pending release of Web 2.1

in other news

[alienzed]

China just plain doesn't want anyone using the internet.

Re:In Other News

[Culture20]

Germans Love David Hasselhoff

News: Germany Warns Against Using David Hasselhoff to Browse the Web.
Posted by samzenpus on Wednesday March 24, @08:25AM

Re:Gandhi?!!

[lePooch]

Gandhi had a quote with regards to Open Source going mainstream? ...are we talking about the the same Gandhi here? Pastoral Hindu Cotton-loom ascetic Gandhi?

It ain't over till the fat lady sings

[Hognoxious]

Opera. As any fule kno, Germans are really keen on opera. They have some that go on for weeks.

Re:Google Chrome.

[muckracer]

> That's true, as long as you turn off Google as the default search, disable cookies

And don't forget about LSO cookies (Flash directory), that do NOT get deleted by FF's cookie deletion on exit. Extra add-on is needed (BetterPrivacy) to do so.

Oh...and MozDevs...please restore the 'Clear History on Exit' window on browser exit. Thanx!

And this is why I use IE

[Toreo+asesino]

Mozilla clearly have no idea about....... ....wait a minute....it's not a Microsoft product we're talking about?!

THIS IS SUCH A NON ISSUE! The German government are clearly over-reacting here.

Re:Google Chrome.

[RobbieCrash]

I'm undoubtedly missing something, but why is installing a program in my personal folder a bad idea? It allows non-elevated installs, has no access to files outside of the user dir unless granted, allows each user to have a totally separate installation so fucking one up doesn't fuck up everyone else's, no registry entries aside from ones to HKCU, uninstalls don't mess everyone else's life up, no reboots on uninstall... I don't get it?

Re:governments warn us about exploits

[Zoidbot]

However is REALLY bad, and like where Opera was 5 years ago.

General warning

[weicco]

This is general warning not to use any software that has known and/or unknown bugs in it. This warning goes moot when every known and/or unknown issue is solved.

The Internet is a dangerous place...

[Andrioid]

The Germans are absolutely right to caution against using various browsers - unplugging is probably safest, though.

Re:Google Chrome.

[heffrey]

It's a complete non-starter on a computer with multiple user accounts. How do you update it? Do you really want to update every single version separately? Really? What about corporate environments?

Firefox installer isn't great for corporate Windows environments either because it isn't delivered as an MSI package. Why on earth the FF people can't follow a nearly 10 year old platform packaging standard is beyond me. Yes you can get FF MSI packages from 3rd parties but that has its own problems and barriers.

Re:Google Chrome.

[RobbieCrash]

Oh right, updating. I knew I was missing something.

Re:Pr0n

[TaoPhoenix]

Rule 34a (or similar numbering).

No such system exists whereby Pr0n cannot be discerned. Bertrand Russell and and Alfred North Whitehead became very upset when Kurt Godel figured that out.

In Other News

[Slash.Poop]

Germans Love David Hasselhoff

Re:governments warn us about exploits

[mario_grgic]

Chrome, Opera and Safari, but there are other browsers besides the standard 5.

Why doesn't...

[John+Hasler]

...unchecking "Allow pages to choose their own fonts" block this?

(Or "Stop using Microsoft Windows", but I won't mention that.)

Re:Why doesn't...

[julesh]

Wait, where's the checkbox for that again?

Tools/Options, Content, click on the Advanced button in the Fonts & Colours group.

WTF?

[hesaigo999ca]

So don't use IE, now don't use FF, soon, don't use Opera or Safari, come on, they want no one to use the net, or what?
Seriously, what do they expect, instead of warning to not use them, instead warn how to use them in combination with updates, patches, AV, and firewalls, but that would be a little more effort!

Re:WTF?

[prefec2]

They did not say. Stop using firefox. They said there is a serious bug in FF and until this is fixed, be cautious. Oh and by the way that is exactly what a agency for information technology should do. Tell people that there are risks and how to deal with them.

working exploit

[viralMeme]

Is there a link to a working exploit ?

Re:Bah humbug! mod parent TROLL

[Dr.+Evil]

The difference is that Firefox has vulnerabilities like any normal application... Internet Explorer on the other hand has been the forefront infection vector for botnets of hundreds of thousands of machines for the past decade.

Re:governments warn us about exploits

[icannotthinkofaname]

Yeah, but Safari is made by Apple, Chrome is made by Google, they use the same rendering engine, and so if I need to swear loyalty to one of those companies, I'd rather it be Google than Apple.

The BSI is not the Government

The article implies that Germany (meaning the government) has issued a warning. However, the BSI (Bundesamt für Sicherheit in der Informationtechnik (engl. Federal Agency for Safety and Security in Information Technology)) warned about an issue in firefox. So the BSI does the same job as CERT, they warn about security issues. It is not that the government made a law or a ruling or any other governmental thing. BTW: The same thing applies to the IE problem. And if there is a problem with Safari or Opera or Lynx or Telnet or any other browser you can think of then they will warn about it.

As Firefox is the most used browser in Germany, it is really important that the BSI warns people about any issue.

(I appologize for any inconvenience due to misuse of prepositions and articles in this post)

Re:They never "came for Opera", & here's why

[clone53421]

Yes, because Opera has never had this sort of vulnerability!

I wonder how many..

[Zoidbot]

more security exploits, crashes, slow and bloated browsing experiences Firefox users have ot put up with, before they seek out better alternatives like Opera?

Just wondering. Or are those pains part and parcel of supporting American or OpenSource products? You take those problems with it?

Re:Against Opera? I think not (see inside)... apk

[clone53421]

Really! Well, here you go then:

Opera 10.50 Security Vulnerability

A security vulnerability in Opera 10.50 and previous versions of the web browser was uncovered by security research company VUPEN Security. The issue is caused by a buffer overflow error when the user visits a website with malformed HTTP headers. ... the vulnerability can be exploited by attackers to crash the browser and execute code on the computer system.

It is recommended to only access trustworthy websites until a patch is released or switch to another web browser in the meantime.

Of course Opera 10.51 has been released to patch it... just like Firefox 2.6.2 has been released to patch this one.

What's up with /. ?

[AmigaMMC]

>Germany warns against use of Firefox browser-> on Monday March 22, @11:00PM AmigaMMC

>Submitted by AmigaMMC on Monday March 22, @11:00PM

How does publication of submission exactly work? I had posted the same article nearly 3 hours before this one and yet it was not picked.

Re:What's up with /. ?

[Culture20]

>Germany warns against use of Firefox browser-> on Monday March 22, @11:00PM AmigaMMC
>Submitted by AmigaMMC on Monday March 22, @11:00PM
How does publication of submission exactly work? I had posted the same article nearly 3 hours before this one and yet it was not picked.

http://slashdot.org/faq/editorial.shtml#ed300

I submitted that a month ago!

A lot of times, we don't use a particular story on a particular day, but at some later point, someone else submits it, and it ends up getting used. We have 4 to 6 guys working together to post things on Slashdot. What one of us finds stupid, the others might find interesting. Or it just might be the rest of the stuff that's going on that day. There are a variety of factors: the personality of the post, the quality of the submission, or even the quantity of stories already posted when your submission entered the queue.

Answered by: CmdrTaco
Last Modified: 6/8/00

Someone else got credit for a story I submitted!

As a whole we think we do a good job, but sometimes we make mistakes. We're always sorry when we do, but considering the thousands of weekly submissions, we think we're definitely coming out ahead.

Answered by: CmdrTaco
Last Modified: 6/8/00

The BSI is not the Government

[prefec2]

The BSI is not the government. It is a federal agency. BSI = Bundesamt für Sicherheit in der Informationstechnik (engl. Federal Agency for safety and security in Information Technology). They are more something like CERT. Even though the US government thinks the BSI is some sort of NSA, because the NSA also does security in information technology (e.g. seLinux). However, the BSI does not spy on people. This is done by another agency. And the BSI is so much the government as it is the police or judges.

Re:governments warn us about exploits

[Rockoon]

..and if you have actually used it on Windows, you know that its really bad.

Unresponsive, with a non-conforming UI, and the installer carries a payload of other apple software.

Re:I know WHY you are so far in the past (FF "spee

[clone53421]

Don’t bother. I don’t even read what you post. I barely skim it enough to try to figure out your main point. If I’m not mistaken, you’re saying that my argument is invalid because it is “old news”?

Ah. Well, this is “old news” too. 2.6.2 is out.

And in the future... well, there will always be unpatched vulnerabilities. I doubt that software will ever be perfect... yes, that includes your beloved Opera.

Re:Then why the STALE OLD NEWS REPLY, clone? LOL!

[clone53421]

Why indeed. Why are you trolling Firefox for an old, patched vulnerability?

Other than the reason of you being an idiot, but that goes without saying.

Re:governments warn us about exploits

[houghi]

You have to move to Europe and buy Windows there. Instead of the 4 browsers you get the standard option of 12.

Germany warns against using internet... (eom)

[ukemike]

Germany warns against using internet.

Re:Tell us, what did you post first? (FF "Speed"?)

[clone53421]

You seem to have a very odd definition of “first”. One that means, “second”, apparently.

Re:Facts here, not stale like yours. Not propogand

[clone53421]

Offtopic. I didn’t even read it.

Re:Show us FF's superior SPEED vs. OPERA, won't yo

[clone53421]

Why? We were talking about security, not speed. Stop changing the subject.

Re:Caught "flat-footed" on speed there, clone? LMA

[clone53421]

Oh, "somehow", lol, I think you did

Yes, you caught me. I read the ALL CAPS LINE AT THE VERY BEGINNING OF YOUR COMMENT. That is all. It took me, perhaps 2 seconds. Just like it did to “read” 1 or 2 sentences from this latest post of yours.

Use Lynx!

[Compaqt]

Just sayin'.

http://lynx.isc.org/

Re:At least you admit OPERA is faster than FF!

[clone53421]

When did I admit that?

All I admitted is that I don’t read the vast majority of the drivel you post.

Re:governments warn us about exploits

[Jaydee23]

I'm no Apple fanboy but I have (and occasionally still do) used it (v4) on Windows and it works at least well as any other browser. Certainly better than IE. Probably more conforming in the UI dept than Chrome. And most installers carry a pile of garbage unless you deselect it.

Re:Why not, is more like it - you can't & that

[clone53421]

Your comments are actually starting to look readable. I like it. The paragraphs are still a little bit small, though. You could work on it.

Re:Clone, man! I thought you were BETTER than that

[clone53421]

Offtopic? You started it by bringing up Opera’s speed to troll an article about security.

Re:Google Chrome.

[muckracer]

> Why is it phrased "Clear History on Exit?" That implies it was written to disk.

Well, Cache, Cookies etc. WERE written to disk already. The clearing of those files on closing the browser is what I was referring to. Firefox in the past had the option of popping up a window with your preset to-be-deleted items already checked, but with the option of manual override at that time. Now they've done away with that and do the deletion invisibly to the user (with the presets somewhere in the Preferences).
I know, there's a plug-in to restore it, but I don't get why this great option was removed in the first place. Several friends on trying Firefox the first time (I had already set it up accordingly) LOVED that option and may have been the first time they ever realized, that their browsing does leave traces. Lots of them. So they enjoyed removing them too.

> Why not Store No History? Safer and (marginally) faster.

That'd be the Private Browsing Option. Similar End-Result (no locally stored data), just up-front. Two slightly different approaches though. I like having the history (blue links I visited already, suggestions in the location bar based on previous URL's etc.), when I use my own private computer where nobody else has access to. I don't need, don't want complete private browsing (from whom?) that moment. Removing cookies on browser exit is enough for me, whereas on some other machine (friends, Internet Cafe) I always remove everything on close.

Re:Google Chrome.

[clone53421]

Several friends on trying Firefox the first time (I had already set it up accordingly) LOVED that option and may have been the first time they ever realized, that their browsing does leave traces. Lots of them. So they enjoyed removing them too.

You can still set it up to clear it all automatically when you exit — at the slight risk of forgetting that it was even keeping track of them in the first place. Now, it doesn’t ask... it just clears them, if that’s what you’ve set.

It’s under the Privacy options, if you use custom settings for history.

Re:Learn to read (about Opera's SUPERIOR SPEED)

[clone53421]

Ugh, that’s a step backward. Why don’t you code your links with appropriate descriptions between the <a> tags instead of just slamming the URL in there?

Re:Google Chrome.

[muckracer]

> You can still set it up to clear it all automatically when you exit

I know...thanx. I am unhappy about having this wonderful feature demoted to invisible background status and out of user's awareness!

Re:Clone, man! I thought you were BETTER than that

[clone53421]

No, no PHD in English, but I do have As in several college writing classes under my belt.

Anyway, it doesn’t take a PHD to tell that your writing style is hideous. I’d rank it almost “ass end of a baboon”. Nowhere near “goatse”, though... you have a long way to go, young whippersnapper.

Re:A step backward, YOU CANNOT TOUCH (lol)

[clone53421]

It’s the wrong article.

Post an article about Opera’s superior speed and we can discuss it to your heart’s content.

Re:Opinions vary: Opera speed tests, however, don'

[clone53421]

Do you actually think I read any of that? Why do you bother?

Re:Ask & ye shall receive (OPERA!)... apk

[_Sprocket_]

See subject-line above & also, note this report from SECUNIA:

----

Vulnerability Report: Opera 10.x:

http://secunia.com/advisories/product/26745/

Unpatched 0% (0 of 5 Secunia advisories)

So when the parent asks for "software that was correctly written and had no exploits to begin with", you provide one that has had 9 vulnerabilities as noted in 5 reports, 60% of which are classified as highly critical with the rest as moderately critical. Excellent work.

Don't get me wrong - Opera is a fine browser and definitely worth consideration. But it hardly meets the criteria.

Nein, nein, nein!

[Dretep]

I vill hear no more insinuations about the German people. Nothing bad happened. Sie werden sich hinsetzen. Sie werden ruhig sein. Sie werden nicht beleidigen Deutschland.

Re:governments warn us about exploits

[K.+S.+Kyosuke]

And most installers carry a pile of garbage unless you deselect it.

I certainly haven't noticed that in case of Opera and Firefox.

Don't be ridiculous

[Benfea]

It is not possible to write a modern browser that is completely bug free and completely lacking in security holes. It sure is nice to wish that someone did make such a browser, but since browsers are written by human beings, I'll settle for browsers that are reasonably secure, reasonably bug-free, and frequently patched instead of complaining that none of them are perfect. Of course, if the post we're all responding to was made in jest, it was damned funny.

You are disturbing.

[Beelzebud]

I don't think I've ever seen a browser zealot until now. You are like a religious fanatic. Seek help.

Re:You are disturbing.

[clone53421]

Nah, he’s an equal-opportunity troll. He “likes firefox”, remember? He trolls whoever, whenever, whatever. His problem is severe OCD, not browser zealotry. (Did you know he keeps track of all of his Anonymous Coward posts that have been modded up?)

Still, it’s kind of entertaining to bait him.

Re:0 bugs and more speed looks good for Opera thou

[_Sprocket_]

Again - it's all about "software that was correctly written and had no exploits to begin with." Speed isn't the issue.

Yes - Opera is speedy. It's a fine browser. Do consider it. But consider it for the right reasons. What was that? "Ask & ye shall receive?" Make sure the answers you're getting even apply to the questions you asked, much less the right questions.

And a fine showing, APK. Once again, you're missing the point and using all manner of hand-waving to avoid having to face the fact.

Did MS Ever Fix the IE Bugs?

[PerfectionLost]

That's my real question. FF was fixed in a month. Was IE fixed and how long did it take?

I loan money to individuals and companies

[royalburg]

From Mr. Royal LOAN COMPANY Remittance Director Citi Groups Belgium. E-mail: royal.loancompany02@gmail.com Tel: +324-8136-234-644 DO YOU NEED LOAN FOR YOUR BILLS AND TO INVEST. I am Mr. Royal Burg, a renowned legitimate accredited moneylender. I reside in the Belgium I loan money to individuals and companies who need financial assistance.If you are interested in this offer contact us with this, E-mail below: royal.loancompany02@gmail.com Kindly fill the below form and return as soon as possible with your personal information. Full names :....... Address :......... City :......... State :......... Postcode :......... Country :......... Tel :......... Fax :......... Amount Needed: .. In USD or Euro/POUNDS(GBP) .......... (There are no social security or credit check, 100% guaranteed!) I look forward you will allow me to be of service to you. You can contact me via e-mail: royal.loancompany02@gmail.com Mr. Royal Burg Remittance Director Citi Groups Belgium Sincerely CEO, Best regards,

Re:Settings

[HBoar]

Under tools>appearance you can set different skins. By default, it has the default and a 'windows native' one, that looks terrible, but may be easier to see? I don't know. There are a large number of others to choose from if you select the "find more skins" button.

Re:Bah humbug! mod parent TROLL

[hackel]

Yes, I should have read the actual post to notice the dates, but making that mistake hardly makes me a "troll."

You are quite foolish to underestimate the influence of Microsoft. I'm suggesting that, as soon as the vulnerability in Firefox surfaced, the BSI came under an enormous amount of pressure from Microsoft (and all of its thousands of tiny front groups) to be "fair" and post this anti-Firefox FUD right away. Had they bothered contacting Mozilla themselves, instead of just reading the blog post, they might have been made aware that the release was imminent. Hell, even if the release wasn't ready, Mozilla might have even pushed a minor update simply to fix this one issue instead of having this bad press get out there...

Vulnerable use of browser

[cavebison]

Given that browsers, or your email client, is only "vulnerable" when the user opens something they shouldn't (in the case of email) or browses to a malicious site, why don't they just friggin tell people that? Tell them to BE CAREFUL and what to watch out for, ie. *educate them* instead of "omg Windows/Linux has a security hole, quick turn your PC off now!"

Then again, point me to a government that doesn't treat their citizens like idiots and would prefer them to be so.

Re:Prove you have a PHD in Psych, ok?

[clone53421]

Actually, I am

Yeah. That’s what I said. Why are you repeating what I said? For that matter, why am I repeating what you said I said?

Regarding the rest of your comment, it looks like you got your <quote> tags screwed up. LOL.

Re:Angry? Amused - at your evasions & 'tactics

[clone53421]

No, no, not at all. You accused me of eating my words. I never did any such thing.

No IE, no FF, what do they recommend? Opera? lynx?

[lpq]

If they don't recommend all (2) of the major browsers, what browsers are they using / do they recommend?

Pray tell?

This sounds like FUD to stay off the internet.

Re:Well, show me FF's faster than Opera then!

[clone53421]

Because you have avoided my simple request to submit a related article so we can discuss it.

Re:No PHD in English/Psych & yet "Clone's an e

[clone53421]

Whatever, Kimmo.

Re:Clone, please: REDUCED TO LIES NOW on your end?

[clone53421]

I said AN ARTICLE, not OFFTOPIC COMMENTS.

Re:0 bugs and more speed looks good for Opera thou

[_Sprocket_]

The problem is that your facts are irrelevant. The thread was talking about zero defects. You reply with an example that has a history of defects. Instead of earning up to this fact, you're trying to call attention away with name-calling and off-topic statements. Little surprise - it's what you do.

Re:Relevant enough for you to try to minimize them

[_Sprocket_]

"The problem is that your facts are irrelevant." - by _Sprocket_ (42527) on Wednesday March 24, @10:18PM (#31606602)

Opera = faster than ANY browser & ZERO/0 security vulnerabilities, + the largest set of in-built native features of the "big 3" webbrowsers? Well...

See subject line, & "nuff said"...

I couldn't have made my point any better myself. You quote me about your irrelevant wandering and then you reply with irrelevant wandering. 'Nuff said indeed!

"The thread was talking about zero defects. You reply with an example that has a history of defects" - by _Sprocket_ (42527) on Wednesday March 24, @10:18PM (#31606602)

Show me a complex program that hasn't that's exposed to the internet & javascript especially online... AND, I also point to Opera, with ZERO/0 current security vulnerabilities known for it too!

The fun thing here is that you didn't talk about how difficult it is to create complex systems without defects. You put Opera up as an example. And Operas has a history of defects. Yes - currently there's no unpatched vulnerabilities. That we know about. But there's a history of defects. And that hardly makes Opera the slam-dunk answer you make it out to be.

You're caught clueless again, apk. And you can't avoid it.

"Instead of earning up to this fact" - by _Sprocket_ (42527) on Wednesday March 24, @10:18PM (#31606602)

What is wrong with pointing out to others that OPERA'S THE FASTEST & SAFEST BROWSER OUT THERE I ask you? LOL... I'll tell you what: FireFox fanboyism on your part imo!

I never mentioned Firefox. If anything, this is rampant Opera fanboyism. The fact is that you screwed up (again) and now you're trying to back-peddle. Again.

"Little surprise - it's what you do." - by _Sprocket_ (42527) on Wednesday March 24, @10:18PM (#31606602)

You mean telling others about the FASTEST & SAFEST WEB-BROWSER PROGRAM OUT THERE WITH THE MOST NATIVE FEATURES IN OPERA 10.51?

(YOU BET!)

No - you make grand claims with irrelevant facts. And then you start waving your hands around as soon as someone bothers to follow up and catches you at it.

APK

P.S.=> Fanboys of Firefox - always trying to minimize that Opera's got them outperformed, and is more secure! apk

That's it, apk! Stay on message! This is all about how wonderful Opera is in the face of irrational Firefox fanatics. Nevermind the fact that your zero-defect example is shown to be incorrect even at your first link. But don't admit it. Never admit you're wrong. Don't change a thing.

Re:Uhm, are you BLIND too, Clone? Lmao...

[clone53421]

Here, I’ll help you: http://slashdot.org/submission

Re:Run, Clone, run... lmao! apk

[clone53421]

You know perfectly well what it means, LOL.

Re:Clone: Articles, charts, & tests have been

[clone53421]

Still the avoidance, still the denial. You are a sad case. I even gave you a link.

Re:Clone, your trolling was your undoing... apk

[clone53421]

Sure you don’t, ROFL. And what does speed have to do with ANYTHING?

Re:Sprocket, what is wrong about the truth?

[_Sprocket_]

What is irrelavant (or wrong) about telling people that Opera's been shown, time & again, that OPERA IS THE FASTEST & SAFEST WEB-BROWSER PROGRAM THERE IS WITH THE LARGEST NATIVE FEATURESET BUILT-IN NATIVELY THERE IS?

The thread was about zero-defect code. You produced an example with defects. All this about being fast, safe, and a large feature set is irrelevant to the thread of the conversation; no matter how many times you repeat it.

"The fun thing here is that you didn't talk about how difficult it is to create complex systems without defects." - by _Sprocket_ (42527) on Thursday March 25, @12:56AM (#31607340)

Now wait a second: Didn't I say "HELLO WORLD" level programs 'need not apply' etc. et al? Sure I did, right here -> http://news.slashdot.org/comments.pl?sid=1591778&cid=31599332...

Sprocket? Who screwed up here now?? You did!

(You've done that before & you're skimmning man (or, lying, take your pick))!

Pitty you didn't talk about that in your first post. You remember - "ask & ye shall receive"? The place where the parent asked and you failed to produce.

I like it when you pull out that Ozymandias quote and start to list off your "accomplishments". The poem is about a king and his hubris laid to ruin; his accomplishments dust. It's so fitting. Every time you do this quote-and-list act, it's to try and distract from the fact that you're clueless about whatever subject you're talking about at the time. Clearly, having written some shareware doesn't make you an expert in every subject you can cast your bold text at.

And so my job here is done. You've been outed again, apk.

Re:Me? LOL: Show us FF's faster than OPERA

[clone53421]

All I have asked for is an article, submitted to Slashdot, on which we can topically discuss the slowness or quickness of Opera and Firefox. Currently, you are posting off-topic in an article about security.

LOL OWNED, go troll someone else.

Re:As of today? MORE OPERA SECURITY DATA TOO

[clone53421]

My “undoing”, LOL? You really are grasping at straws.

Re:That's simple: I don't submit articles here is

[clone53421]

That is not an article, submitted to Slashdot, on which we can topically discuss the slowness or quickness of Opera and Firefox. You seem to be incredibly stupid, or dense, or both. I’m sorry for you.

Re:Again: Show us FF's faster than Opera - "m'kay?

[clone53421]

I actually think it is really funny; you started by saying that Opera has NEVER been “owned”, (exact quote, They never "came for Opera") and then when I showed that “they” did “come for Opera”:

It is recommended to only access trustworthy websites until a patch is released or switch to another web browser in the meantime.

Now since I defeated your stupid claims you have switched to browser speed, which is hilarious because the faster Opera is, the quicker it will get “pwned” (to borrow the slang spelling of the word). And if they patched it? Well, they patched Firefox as well, so why are you bringing up OLD NEWS, troll?

Re:Facts are facts period -not avoidances like you

[clone53421]

tl/dr

Submit an article, troll.

Re:Uhm, Sprocket? OPERA HAS 0 KNOWN DEFECTS NOW

[_Sprocket_]

Uhm, Sprocket? See subject-line, & realize that I have data that's from a valid respectable source showing Opera currently bearing NO KNOWN SECURITY VULNERABILITIES... for a complex program, especially one online faced w/ javascript exploits & more galore?? Please - enough w/ your WEAK ARGUMENTS - especially coming from a wannabe technically unqualified nobody like you, ok?

Your same data shows that this version has a history of vulnerabilities. Zero un-patched, but hardly zero-defect. When the parent notes "I don't want software that patches exploits quickly, I want software that was correctly written and had no exploits to begin with," showing an example with 9 patched vulnerabilities hardly meets the mark.

Keep dancing around the fact, apk. Post links that have nothing to do with this fact. Post links where I've caught you out before. I've exposed you in the past and I've exposed you here again - you can't avoid it no matter how much noise you generate to disguise it.

As I noted - my job here is done. And as you are unable to address the issue I've pointed out (9 vulnerabilities are not equal to zero vulnerabilities) in the past four postings, I'll let my argument rest and walk away.

Re:Where'd I say Opera "NEVER HAD A FLAW" or...

[clone53421]

Ok, where EXACTLY did I say OPERA "never ever had a flaw", hmmm?

exact quote from you: They never "came for Opera"

exact quote from the security company: switch to another web browser in the meantime

yet again, 0wn3d. Thanks for playing.

Re:Aw, "poor clone" trolling & on the ropes cr

[clone53421]

Who, me? I’ve beaten you soundly. You’re just too dumb to figure it out. Like a chicken with its head cut off, you make a lot of noise and commotion for someone who’s already been hung out to dry.

Re:You need reading help (you skim & lie too,

[clone53421]

I don’t give a flying fuck what Germany says. I found a recommendation from a reputable security company that I in fact give much more credibility than some pencil-pusher in the German government.

Re:Uhm, Sprocket? OPERA HAS 0 KNOWN DEFECTS NOW

[clone53421]

All vulnerabilities are unknown before they are discovered, moron. That tautological statement shouldn’t even need to be said, but apparently you’re too stupid to figure it out. “Zero known vulnerabilities” does not mean it has no vulnerabilities, just that we don’t know about them.

But if you really want to continue quoting meaningless statistics, please tell me how many known vulnerabilities Firefox has, and back it up with a reputable source obviously.

Re:Beelzebud, whom I replied to, DID though... apk

[clone53421]

ON TOPIC?

You are not one to lecture anyone for being off topic.

Re:Uhm, Sprocket? OPERA HAS 0 KNOWN DEFECTS NOW

[_Sprocket_]

"Your same data shows that this version has a history of vulnerabilities." - by _Sprocket_ (42527) on Thursday March 25, @04:52PM (#31617462)

Hold on: Did I EVER SAY that any complex xoftware "never has or had bugs"? No, I said QUITE THE OPPOSITE, here, in my P.S. in fact in this URL below (& before or after that again mind you, & FAR BEFORE YOU EVER DID):

http://news.slashdot.org/comments.pl?sid=1591778&cid=31599332

I know I said I was done with this conversation, but since you were nice enough to actually get on topic again, I'll reply to the one thing you've managed to be somewhat coherent about. When the parent poster says:

I don't want software that patches exploits quickly, I want software that was correctly written and had no exploits to begin with.

And you reply with:

Ask & ye shall receive (OPERA!)

One is going to expect that you've provided an example of software that was, in fact, without vulnerabilities. Yet the first data you provide shows this is not the case. Perhaps you saw the 0 unpatched vulnerabilities and misunderstood what that meant (you might have even missed that Secunia notes 9 vulnerabilities, not 5). This means that the Opera code has, in fact, had vulnerabilities that needed to be patched. I would assume it was patched quickly. But none the less, it falls out of line with what the parent was talking about.

Again - let me repeat this again just in case you're missing the point. When you note (and I'm quoting you here, not putting words in your mouth) "NO KNOWN SECURITY VULNERABILITIES FOR OPERA UNPATCHED @ PRESENT" that misses the point. The parent said no bugs. And the fact that you even note "Where did I EVER SAY OPERA NEVER HAD A FLAW? Heck - I even stated in the first URL above EVERY COMPLEX SOFTWARE USUALLY DOES" shows that you understand the basic idea. You're just having a hard time getting the two things to mesh together.

Maybe your ego is in the way. I'd work on that a bit more, Ozymandias. It'd be embarrassing for another "nobody" to have to correct you the next time.

Re:You've lost, & all you do now is toss names

[clone53421]

LOL, still at this? APK, you have been beaten badly, why don’t you just give up? too too easy, as you would say.

Germany warns against using Firefox because of vulnerability; patched in new version.

Independent security firm warns against using Opera because of vulnerability; patched in new version.

Exactly the same; I beat you easily on security when you claimed that “they never came for Opera” and so you fell back to your tried and true trolling about speed, which is moot, offtopic, and I even gave you a link to submit a story so that you could make your argument legitimately but you “don’t do that” because oh noes it would require you to write a sane, readable paragraph or two if it had any hope of being accepted for publication. Which of course we both know doesn’t require a “PHD in English” but which capability you seem to lack, despite the fact that you claim to be old enough that we ought to be able to expect sane, readable, and coherent thought from you.

Re:SHOW ME WHERE I SAID OPERA NEVER HAD A BUG

[clone53421]

SHOW ME WHERE I SAID OPERA NEVER HAD A BUG

Certainly: “They never came for Opera”. They did come for Opera; they recommended that people stop using it until this latest version patched the security flaw they found.

Thanks for playing. Too, too easy.

Re:Where did Germany say that about Opera?

[clone53421]

Show me an article from a legitimate and reputable website that states that about Firefox CURRENTLY.

Oh, you can’t. You only have this OLD, OLD NEWS, and besides which you said they NEVER DID and I showed that someone DID. So you fail on all counts!! nice try, troll. play again.

Re:No "lecture", only plainly visible FACT inside

[clone53421]

Actually, that is false, you were NEVER “completely on topic”; your ORIGINAL response was:

FALSE, as “they never came for Opera”... INCORRECT, as I showed;

OFF-TOPIC, as we were talking about Firefox and IE, not “for Opera”... your FALSE information about Opera is not relevant;

OFF-TOPIC, as we were talking about SECURITY, but “OPERA ALSO SURPASSES FIREFOX IN BROWSING SPEED” is 200% UTTERLY OFF-TOPIC.

So you posted FALSE, OFF-TOPIC information from the very beginning, and now you are claiming that I am trolling you?!! LOL, better luck next time, poor apk... you must be slipping.

Re:PROVE WHAT I QUOTE FROM YOU INSIDE... apk

[clone53421]

Who gives a flying shit what the German idiots said about Opera?

I quoted a LEGITIMATE SECURITY COMPANY. You fail, but that was really a nice try.

Trolling all my posts is a nice touch, too. LOL, the last act of a desperate child!

Re:Once more: Prove same was said of Opera by Germ

[clone53421]

Um, yes, that’s OLD NEWS, and updated in the new version... so no, not “CURRENT”. Nice try, apk!

It does make me laugh though to think how many mod points will be wasted modding down all of your offtopic, trolling posts replying to all of my posts.

Re:PROVE WHAT I QUOTE FROM YOU INSIDE... apk

[clone53421]

I already said I don’t give half a worm-eaten turd what the German government said.

I quoted a LEGITIMATE SECURITY COMPANY.

Enjoy your shitty advice from the wannabe security people in the German government, loser. I’ll be over here quoting real security analysts.

You’re such a failure at trolling that it’s really sad.

Re:Once more: Prove same was said of Opera by Germ

[clone53421]

OOOOh yeah, the Germans are experts on computer security.

Not.

Enjoy your shitty advice from German politicians who know nothing about computers and OLD, OLD news about Firefox bugs that were already patched. LOL.

Re:Your profanity = your frustration at LOSING, lm

[clone53421]

Maybe you need to re-read this thread; I never cared what the Germans said about Opera. Or Firefox, because they’re retards and this is OLD NEWS, and has been patched.

I just delivered a knock-out punch when you said “they never came for Opera”, showing that a LEGITIMATE (unlike the idiots in the German government who could be utterly clueless about security as far as I am concerned) company recommended that you NOT use Opera because of exactly the same sort of security flaw. Ever since then you’ve been butthurt about that so you brought up speed to try to bait me into getting off the topic, which I didn’t fall for... LOL.

Re:Change your name to CLOWN, not CLONE (lmao)

[clone53421]

LOL, whatever you say kimmo.

Re:Clone (clown is more like it): Back up your b.s

[clone53421]

No, let me refresh YOUR memory: this article was about THE NEW VERSION, 3.6.2.

The headline of TFA:

Mozilla has released Firefox 3.6.2 almost a week early after security issues were found in earlier versions.

Then they went on to say that the German government had advised against using version 2.6, which was OLD NEWS and anyone with a brain would know this from reading TFA. As I have one, and did, and know this, which are apparently the differences between me and you... LOL!

Re:Clone (CLOWN is more like it), back up your b.s

[clone53421]

LOL, better than a REAL SECURITY FIRM, I guess? Because that is where I got my source. It’s not like I claimed to be an expert.

Nice try, apk, really nice try... APF is more like it though, because you really are an APril Fool (all year long! ROFL).

Re:Your info. is on Opera 9.23 (YEARS OLD & ST

[clone53421]

It’s really quite funny that you want to publicize this spat.

Any sane person could see from this thread that you are clearly batshit insane. And you apparently want people to read it? Why... are you so delusional that you think they’ll agree with you?

Re:You got "KNOCKED OUT" by your own mistakes insi

[clone53421]

LOL, do you seriously think you can win this argument? You are probably certifiably insane, but I will go ahead and deliver the knockout punch. Again, since you seem to have missed it. You’re like that one guy who insists on biting my head off... if only you had any arms or legs to reach me with.

WRONG: That says "later this month" & is a "note" ONLY, you fool... THUS, the article IS ABOUT VERSION 3.6 when it was written, & that it had a serious bug!

Yes. It was about version 3.6. There was a vulnerability in 3.6. Germany advised against using that version.

And Mozilla released version 3.6.2. The bug is now patched. THE ARTICLE SAID THIS CLEARLY, if you could read.

OLD, OLD news!! and too, TOO easy. try again some other time, apk!

Re:Funnier watching you RUN & get knocked out

[clone53421]

Original text:

"Not sure what you mean by that, but, it's FUNNIER watching you run from answering questions, and to see you running from your own mistakes and outright blunders, here:"

...54 translations later we get:

"That is, I know wine, "he said."

Wow, it made more sense than the original!

Re:You got "KNOCKED OUT" by your own mistakes insi

[clone53421]

CAN YOU TELL US THE TOPIC OF THIS ARTICLE? Clue - IT'S ABOUT GERMANY WARNING ITS PEOPLES NOT TO USE FIREFOX as they did about IE also

WRONG, IT IS ABOUT FIREFOX RELEASING VERSION 3.6.2 ALMOST A WEEK EARLY. lrn2read, faggot.

Mozilla has released Firefox 3.6.2 almost a week early after security issues were found in earlier versions.

Re:Wrong dude to call loser. He shut you up fast.

[clone53421]

We all know it’s you, apk.

Re:Article titled Germany Warns Against Using Fire

[clone53421]

The very first sentence, in bold print, of the article, which I already quoted numerous times, read as follows:

Mozilla has released Firefox 3.6.2 almost a week early after security issues were found in earlier versions.

Your absurd ignorance is revealed in your utterly hopeless confusion over versions “3.6” and “3.62” (it is actually 3.6.2). My mistake in quoting version 2.6.2 was simply a typo; I meant 3.6.2. The vulnerability was in version 3.6 and as was clearly stated in the summary:

Note: the warning (from the Federal Office for Information Security) is provisional, and should be rendered moot by the release later this month of 3.6.2.

— which, as was clearly stated in the article, already happened (not “later this month”) — again from TFA:

Firefox 3.6.2 was originally due to launch at the end of March, but is available to download now from the Mozilla website.

So you were fully wrong, and with the exception of my typo of 2.6.2 when I should have written 3.6.2, I am correct.

Re:Clone's list of errors, quoting his OWN words

[clone53421]

No, Timothy the poster of this article on /. wrote it was about FF version 3.6, which had a bug (not 3.62, it didn't even EXIST @ the time of the writing of this headline here on /., in fact)

Now that’s funny! WRONG as usual, apk, but why am I not surprised?

Posted by timothy on 23.03.2010 1:51

But according to TFA:

12:15 GMT, Tuesday, 23 March 2010

Firefox 3.6.2 ... is available to download now from the Mozilla website.

So, let me recap:

3.62 - WRONG, no such version exists, it is 3.6.2 not 3.62;

did not exist at the time of posting - WRONG, TFA clearly stated that it was already available for download

I NEVER said 2.62; I incorrectly said 2.6.2 (WITH THE EXTRA POINT IN IT, do you need stronger glasses?) which was an honest mistake on my part, merely a typo. I meant version 3.6.2 (WITH THE EXTRA POINT IN IT, do you need stronger glasses?).

LOLOLOL, apk ... wrong, wrong, wrong and wrong some more! As usual, but keep trying (I suspect you will!).

Re:Clone the article was about firefox 3.6, not 3.

[clone53421]

We all know it’s you, APK.

Re:The ac won because of your mistakes

[clone53421]

Stop trolling yourself, apk. It’s pathetic.

Re:Name tossing Clone? Making more mistakes clone?

[clone53421]

Total score of my recent posting history: 62 points
Total score of your replies to those same posts: -7

LOL, so who’s winning, hmm troll?

Re:Germany's being DEFAMED by your b.s. & lies

[clone53421]

What explains your moronic insistence that Firefox version 3.62 even exists? Hmm? It’s 3.6.2, dumbass.

Re:LOL, keep avoiding your mistakes troll

[clone53421]

My karma and the moderation on my posts proves that you’re full of shit, you shitty 60-something year old troll who still lives with his mommy and makes all sorts of money on his shitty software that looks like something a 12-year old wrote.

Re:Funny how you had to shut up though

[clone53421]

LOL, did I?

Frankly it’s impossible to argue with someone who can’t read and whose entire argument entails screaming louder than the person he’s arguing with in mammoth copypasta posts full of gibberish that is semi-related at best to the topic at hand and that only after he has changed the subject away from his previous errors.

But it’s sure fun to keep poking him and watch the gibberish that spews.

Re:Name tossing & mistakes don't work well, do

[clone53421]

making HUGE errors, & 'FireFox 2.62', lol!

I never said “2.62”. You are the one making HUGE errors, LOL.

Re:Anyone can mod themselves up with alternate log

[clone53421]

ANYONE can do it?? NOT SO EASY, apparently, if YOU cannot do it! LOL

Re:Didn't say it was Firefox 2.62? Who's the dumba

[clone53421]

HUGE errors, & 'FireFox 2.62', lol!

I never said that. You are a moron. But I wouldn’t expect much more from you... lies, false information, and retarded arguments that are repeated over and over after they are proved to be faulty.

You also stated you got your information from a "SECURITY COMPANY", about Opera - but, lol, that doesn't look like a security company's site to me. It looks like Opera's site in fact

My quote from the security company was elsewhere. I dare you to find it! Since you are so good at saying what I did and didn’t say, that should be an easy task for you...

getting a bit "rattled in your game", or are you just one of those illiterate "10 below plantlife IQ" types?

No, that’s YOU, LOL... keep trying, apk!!

Re:2 mistakes you made, quoted (1 is a lie too)

[clone53421]

Wow, are you really that stupid? I just said I quoted the security company elsewhere. Go find it, LOL! Since you are the expert on what I said.

Re:You must be, as you've been modded up 4 mistake

[clone53421]

Apparently mods don’t make a big issue over a single accidental typo. But comparing my single typo to your constant trolling and bad karma (you won’t even register an account, because you hit bad karma so quickly... as you have done in the past)? LOL! Good try, apk, really good try!

Re:You screwed up from the start, proof inside

[clone53421]

No, I got a recent quote from a security/tech website about OPERA VERSION 10.50 in which they recommended NOT USING IT. I posted it elsewhere in the discussion on this very article, now since you’re so good at mis-quoting me you can see if you can find it.

Re:Again: Where's your "security company" info?

[clone53421]

Fine, since you’re such an incompetent idiot that you can’t seem to find a post that I posted IN RESPONSE TO YOUR POST, which you OBVIOUSLY DID NOT READ... LOL, and you are still trying to argue with me after CLEARLY NOT READING what I have posted? And you accused ME of skimming and lying! LOL!

Here is the link to the post that you failed to find:

http://news.slashdot.org/comments.pl?sid=1591778&cid=31582542

Re:The burden of proof is on you (and you FAIL it)

[clone53421]

LOL, I wanted to make sure to give you plenty of fair opportunity to find it (because I know you’ll try to wiggle out of this UTTER FAILURE and BEING COMPLETELY WRONG! rofl). But here is the link, since you cannot even do a simple “Search” to find a link on a page.

http://news.slashdot.org/comments.pl?sid=1591778&cid=31582542

Re:No, I am not the person you speak of

[clone53421]

Right... you and apk are two different people and both of you are morons who think that Firefox 3.6.2 is actually called “3.62”. Because normal people think that 62 and 6.2 are the same thing, I guess!

LOL, you’ve been called out on your stupid error, apk... 3.62 indeed, there is no such version and you are the only one who has been saying that!

Re:Who's the moron who wrote "firefox 2.6.2"?

[clone53421]

I said that ONCE, lol, and it was a TYPO (do you know the meaning of the word?). So how many times did you (intentionally) type 62 when you should have been typing 6.2 (I NEVER made this mistake, it’s all on you! LOL)

AND THE FACT THAT OPERA ALREADY HAD versions 10.51 & 10.52 builds out already by the time this article was put up on slashdot

LOL, and THE FACT THAT FIREFOX ALREADY HAD version 3.6.2 out already by the time this article was put up on slashdot as well? STALE & OUT OF DATE - period! keep trying, apk!

Re:Anyone can mod themselves up with alternate log

[clone53421]

LOL, very, VERY lofty claims for someone who writes SPYWARE!

Yes, that’s right, as quoted on MANY sources:

http://www.spywaredb.com/remove-apkapp2backgrounddaemonprocessengine/

http://www.pestpatrol.com/zks/pestinfo/a/apkapp2backgrounddaemonprocessengine.asp

http://www.spycheck.co.uk/genera.php?processfile=apkapp2backgrounddaemonprocessengine.exe&dir=a&pag=50

http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=51276 ...& many, MANY more!! LOL

Re:FUD & lies don't work (see Timothy's news)

[clone53421]

LOL, no YOU learn to read, as if the summary on Slashdot is never wrong? Check the dates on the articles!

Re:Opera had 10.51 a day before this article here

[clone53421]

LOL, I love the way you completely dropped the false identity when I called you out on your bullshit! By the way, did you know that using a fraudulent identity online is now a CRIME in the United States? Haha!

Re:Opera 10.51 was out on 03/22/2010

[clone53421]

this news was posted on /. on March 23rd (& a firefox fix didn't issue until the next day)

Once again, you’re lying, LOL! Show me some proof... oh wait, you can’t, because you’re LYING.

This from a known spyware author as well... well of course we expect you to lie, apk! as you said, “too, Too, TOO EASY”

Re:Changing the subject wont cover your errors

[clone53421]

Haha, I don’t believe for a SINGLE SECOND that you talked to an attorney about anything. Not for a single second. Feel free to try to prove it, though, I suppose you could scan something on official letterhead and post a link. Except you can’t, because it doesn’t exist. LOL.

Re:Timothy's post of this news does it for me

[clone53421]

The summary was wrong, dumbass. Check the date. If Timothy wrote that (it may have been in the original story submission for all I know) it was after 3.6.2 was ALREADY released... old, OLD news!

Re:Spyware author? Ask Nir Sofer or Mark Russinovi

[clone53421]

More lies from the spyware author, LOL!! Read your own quote, I’ll repeat it for you:

Posted by timothy on Tuesday March 23, @02:51AM

But the 3.6.2 update was ALREADY released WELL BEFORE the story was posted (Tuesday March 23, @02:51AM Eastern): https://developer.mozilla.org/devnews/index.php/2010/03/22/firefox-3-6-2-update-now-available-as-free-download/

Firefox 3.6.2 update now available as free download

This entry was posted by beltzner on Monday, March 22nd, 2010 at 8:34 pm

Version 3.6.2 was released THE DAY BEFORE this story even posted! Once again you are caught in your BOLD-FACED LIES, LOL!

Re:Calling me a "spyware author" is LIBEL

[clone53421]

Why don’t you contact Slashdot, I’m sure they’ll be happy to reveal my IP to a known spyware author and troll so that you can sue me. I’m eagerly awaiting a letter from your lawyer!

Re:Calling me a "spyware author" is LIBEL

[clone53421]

LOL, I find it hilarious that the SPYWARE AUTHOR is accusing me of libel! I didn’t call you ANYTHING, I’m just QUOTING many sources as I described above, which call your shitty software suite (or should I call it a “software shite”, LOL) “spyware” and say that it should be UNINSTALLED — despite your claims that it has been proven not to be spyware and that CA now finds it to have NO THREAT LEVELS (which is FALSE, as I quoted, their website STILL lists it as a THREAT! http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=51276 ... right there! I suggest you contact them again, LOL)... just more lies from the spyware author, but what do we expect? Too, too predictable.

Re:Take it up w/ Timothy then, lol!

[clone53421]

LOL, no; YOU take it up with Timothy, since YOU are the one who is claiming his incorrect quote is accurate! It’s not like this is the first time that a Slashdot summary is wrong. But YOU claimed that it was 100% accurate without checking up the sources, LOL, and now you are trying to blame it on Timothy when YOU WERE THE ONE WHO IS WRONG? LOL

The very first reply after this article was published actually said 3.6.2 was released, in fact, and it was posted ONE MINUTE AFTER the article was posted... so no excuses on your part, if you DIDN’T EVEN READ the VERY FIRST POST, lol.

Re:Changing subject, lol? Libel too?? LMAO!

[clone53421]

LOL, changing the subject after you were proved wrong... classic, classic apk! I never said that Opera 10.51 was not out, in fact I even said it in my ORIGINAL POST, here: http://news.slashdot.org/comments.pl?sid=1591778&cid=31582542 - where I even said the following:

Of course Opera 10.51 has been released to patch it... just like Firefox 2.6.2 has been released to patch this one.

100% correct, of course: Opera 10.51 was released BEFORE the article was posted, AS FIREFOX 3.6.2 WAS ALSO POSTED BEFORE THIS ARTICLE WAS POSTED (not 2.6.2, as I made an innocent typo stating and have said multiple times that it should have read 3.6.2).

And you are STILL quoting the FALSE information which you attribute to Timothy AFTER I have CLEARLY showed that it is FALSE... LOL, just too, too easy to beat your ridiculous bullshit, apk.

Re:Also, didn't YOU say this about Timothy's news?

[clone53421]

You’re still here? In case you didn’t already know this, changing your IP address to defeat Slashdot’s anti-spam mechanism constitutes both fraudulently misrepresenting yourself (A CRIME, as I already told you) and also considered unauthorized access to a computer system (HACKING).

That makes you a CRIMINAL and a HACKER who also writes SPYWARE.

Checking my posting history and posting harassing comments on completely unrelated posts of mine also constitutes CYBER STALKING and HARASSMENT. Stop.

Re:Answer these questions, 2 of them, simple ones

[clone53421]

You are still stalking me (cyber stalking / harassment as I already stated) via my profile. I said stop.

Re:I wrote CmdrTaco (Mr. Malda) @ your suggestion

[clone53421]

If you are accusing me of libel, you already have all of the evidence you need. However I suggest that you look up the definition of “libel” before making a fool of yourself further; statements made in good faith and reasonably believed to be true are NOT libelous.

I eagerly await the letter from your fictional attorney. Will it be written in invisible ink?

Re:Answer the question with YES or NO

[clone53421]

I’m not reluctant to answer your question, dumbass. I already answered it and I’m not going to repeat myself. But here is a link, if you have forgotten: http://slashdot.org/comments.pl?sid=1591778&cid=31743416

Re:Well, since you refuse to give a STRAIGHT answe

[clone53421]

I’m not afraid of you. I’m not refusing to answer your question. You can clearly see the answer to your question here: http://news.slashdot.org/comments.pl?sid=1591778&cid=31735632, “very bold claims for someone who writes SPYWARE” — followed by many credible sources which state that very FACT, so of course you cannot accuse ME of libeling you, as that is to the best of my knowledge and in good faith a FACT, and so CANNOT be libel! But of course any real lawyer could have told you this; I suggest you fire your imaginary lawyer, he isn’t worth the imaginary money you pay him.

Re:Your lack of a STRAIGHT answer, says otherwise

[clone53421]

As I said, I welcome a letter from your attorney. You, on the other hand, are a moron and I have no wish to continue arguing with someone as incoherent and stupid as you.

I have shown, to any reasonable person’s satisfaction, credible sources stating that your shitware is in fact malicious software of some sort. For instance:

Spyware Detail
APKApp2BackGroundDaemonProcessEngine

Category

Misc Tool: Any tool that might be used in planning an attack on a system, developing tools for such an attack, or performing it.

Recommendation: Deactivate and eliminate apkapp2backgrounddaemonprocessengine.exe Immediately. This process is identified as a virus or trojan.

Security Risk 0-5: 3

Spyware APKApp2BackGroundDaemonProcessEngine Information
Name: APKApp2BackGroundDaemonProcessEngine
Category: Utility
Date: 2002-02-04
Author: Peter Kowalski
Dangerous: Yes
APKApp2BackGroundDaemonProcessEngine is Utility which is malware.
Installing it is highly not recommended.

That said, and I being a reasonable person, I have concluded from the previous quotes that your stupid software is malware.

If you have any further complaints, take it up with the websites I quoted, and if you still believe that I have libeled you, feel free to have your imaginary lawyers file an imaginary lawsuit for the imaginary defamation.

Re:What have you ever programmed I can see?

[clone53421]

It is clear, at this point, that all of your blustering bravado about my “libel” is nothing more than you tooting your horn and flashing your lights.

I have no more desire to correspond with you personally. As I said, have your lawyer track me down and file something formally if you think you have a case against me. My prediction? You won’t, and you don’t even have an attorney, nor will you get one. You’re full of shit.

I also advise you to cease the cyber-stalking and harassment, which is a serious crime in the United States.

Re:Your "credible source", in Thor Schmuck? LMAO!

[clone53421]

Stop harassing me. If you have a problem with me, I suggest you hire an attorney, but if you choose to continue to harass me I will be forced to pursue my legal options.

Re:Do it, I will countersue for your LIBELLING me

[clone53421]

So... you are not going to sue me, and never intended to. You’re just harassing me with threats of legal action that you fully intend not to carry out.

Yeah, that’s what I thought all along...

Re:Ah, you're nothing but a "no-ware" author (nada

[clone53421]

Actions speak louder than words, apk, and I notice that you’ve stopped stalking me via my profile here and posting harassing, off-topic replies in response to all of my comments (just as I demanded, and as the law backs me up, you had to).

Apparently you do have some regard for the law, or are afraid of getting caught breaking it anyway.

As far as suing me? Go right ahead. You have no case.

Re:Are you calling me a spyware author?

[sopssa]

lol at this conversation

I bet APK could go on forever with this. He has been arguing with himself over 6 years on this articles comments, for over 215 pages.