NSS Labs Browser Report Says IE Is the Best, Google Disagrees

adeelarshad82 writes "Independent testing company NSS Labs recently published a report on the ability of popular browsers to block socially engineered malware attack URLs. The test, funded by Microsoft, reported a 99 percent detection rate by Internet Explorer 9 beta, 90 percent by Internet Explorer 8, and 3 percent by Google Chrome. However, Google doesn't entirely approve of this report's focus and conclusions. According to Google not only didn't the report use Chrome 6 for the tests, the current version is Chrome 8; it also focused just on socially engineered malware, while excluding vulnerabilities in plug-ins or browsers themselves. Google defended its browser by claiming that it was built with security in mind and emphasized protection of users from drive-by downloads and plug-in vulnerabilities."

Socially engineered attacks ARE a huge problem

[devbox]

Note that the report focus on socially engineered malware which is actually a huge problem currently. This includes all those malicious links on twitter, facebook, instant messaging and so on. They are coming directly from your friends, so most people assume they are safe. If Internet Explorer 9 beta blocks 99% of those and Chrome only 3%, that makes a huge difference.

Just like the days of worms automatically spreading over the internet via remote exploits are quite much gone, the amount of drive-by download exploits is lowering too. However a well-crafted socially engineered attack will always work on people and as a bonus it works across all browsers and even on Mac OSX and Linux. That is, if browser isn't itself trying to prevent those, like Internet Explorer 9 is. With IE's sandboxing and this feature, IE9 is surely starting to look like a really secure browser for people to use. Now, if companies would just start updating their stuff and abandon IE6...

Re:Socially engineered attacks ARE a huge problem

[bhcompy]

This is all true and no one should really have a problem with it unless(until?) Microsoft starts marketing it as more than it is(essentially suggesting that IE9 blocks 99% of malware with the small print saying it only applies to social engineering)

Re:Socially engineered attacks ARE a huge problem

[mcgrew]

The test, funded by Microsoft

That says it all.

Re:Socially engineered attacks ARE a huge problem

[DoofusOfDeath]

The test, funded by Microsoft

That says it all.

So its results are unquestionably incorrect and/or irrelevant?

Re:Socially engineered attacks ARE a huge problem

[Joehonkie]

They certainly cannot be considered "independent" or "unbiased" at a minimum. So they aren't of much value until real 3rd party tests are performed.

Re:Socially engineered attacks ARE a huge problem

Yeah no kidding. Everyone knows it's completely impossible to host malware on apache. When will all the microsofties learn?

Re:Socially engineered attacks ARE a huge problem

[lgw]

Do you value the "UL Listing" on electrical gear that you buy? I certainly take that as an assurance that stuff won't just randomly catch fire. All UL Listed testing is paid for by the vendor - and vendor-paid testing is normal in the real world.

This test may be a crock, but you can't just assume that from the fact that MS paid for it. The simple fact is: anyone competent to test browser security probaly has a strong opinion about MS, and pretty much anyne will have a reason to be biased. The professionalism of the tester is what matters, not the existance of a reason to be biased.

Re:Socially engineered attacks ARE a huge problem

[cacba]

Data points: IE 9 gets 99%, Chrome gets 3%, Funded by Microsoft. What a beautiful line.

No I haven't looked at how the study worked, on Slashdot being first is better than being right.

Re:Socially engineered attacks ARE a huge problem

[commodore64_love]

>>>If Internet Explorer 9 beta blocks 99% of those and Chrome only 3%, that makes a huge difference.

Yeah yeah, but Chrome (and Mozilla seaMonkey) can run on my tiny 0.1 gigabyte laptop. Can IE 8 or 9? Ha! Nope. Tried it; was like a snail on molasses. ALSO why in the world was the test run on the latest IEbeta but on the ancient CrO-6? A setup.

Re:Socially engineered attacks ARE a huge problem

[rtfa-troll]

So its results are unquestionably incorrect and/or irrelevant?

They may be technically true in some sense or other. However, in past such situations, Microsoft has been seen commissioning several similar reports; possibly even iterating the instructions for running the reports; then throwing away (under NDA) all the ones which don't match with their marketing wishes. You can basically assume that whatever it says is the opposite of the truth in some way or another because if it was true they would be able to just say directly it instead of commissioning someone else to say it to they can avoid claims of false advertising (for example, their old "Get the Facts" campaign was one of the few things of this type the ASA has clearly stated was misleading). And yes; most companies do this to some extent, but few other companies could come near to sustaining the level of deception Microsoft does because eventually some employee would become disenchanted and start leaking results. For example, have a look at the Comes documents, which only came out because of a lawsuit, to get some idea of the kind of things they can keep secret. Nowadays Microsoft's data destruction policies are much stricter and they ensure that all deals are finalised by lawyers and so are legally privilaged. This kind of secrecy and professional deception means that almost any marketing claim from them should be disregarded completely until there is some level of independent confirmation.

Re:Socially engineered attacks ARE a huge problem

[CyprusBlue113]

UL is to test your products for saftey, this is a *comparative* test against several competing products for quality.

Apples, meet Oranges, meet troll.

Re:Socially engineered attacks ARE a huge problem

[winnitude]

The report is almost useless because it has compared the latest stable and dev releases of IE with versions of Firefox and Chrome that are years old.

To use a car analogy, it is comparing the safety features of a '10 Chev Corvette and a 1970 Chev BelAir. I would be embarrassed if the company I worked for released such a report.

Re:Socially engineered attacks ARE a huge problem

[ardeez]

Just what exactly *is* 'socially engineered malware' ?? which is apparently 'actually a huge problem currently.' ?
I'm curious to know?

In what was is it different to any run of the mill link that attempts to exploit browser vulnerabilities?
Most of which I believe are fixed by the browser vendors pretty quickly the minute they're known about.

Otherwise this whole study seems like a made up problem which is a bit of a non-issue and which appears to be
miraculously solved by only one vendor. Unsurprisingly the sponsor of said report.

Re:Socially engineered attacks ARE a huge problem

[vux984]

The test, funded by Microsoft

That says it all.

And the response from google criticizing it was by someone right on google's payroll representing google's interests. I guess we can ignore their criticism then too?

Or perhaps we should let the work stand for itself, evaluate the methodology, strip away the marketing spin, and come away with some nugget of truth, regardless of who funded it. Of course that's "work".

Re:Socially engineered attacks ARE a huge problem

[dragonhunter21]

If Internet Explorer 9 beta blocks 99% of those and Chrome only 3%, that makes a huge difference.

If being the key word, here. The study was funded by Microsoft, so any pretext of objectivity is out the window. Plus, a 96% discrepancy between Chrome and IE9 is just a little suspicious.

Let's just say I still trust Google a lot more than I trust Microsoft. As my sig might attest.

Re:Socially engineered attacks ARE a huge problem

Yep. I stopped reading after that. Nothing to see here, move along.

Yet another, in a long list of other studies, funded by Microshaft, which come to the conclusion that M$ wants the PHBs to hear...

Re:Socially engineered attacks ARE a huge problem

[MrHanky]

Tests like this are done for marketing purposes. The professionalism of the tester will make sure the test is rigged to give Microsoft the result they want. Get the facts.

Re:Socially engineered attacks ARE a huge problem

[FauxPasIII]

So its results are unquestionably incorrect and/or irrelevant?

Are you just posting this to be contrary?

Seriously, are you advocating that, when we see a study paid for by Microsoft which shows an _overwhelmingly_ lopsided result in Microsoft's favor in a product space where they would generally be expected by experts in the field to be the worst performer, we should take it at face value?

If not, what _are_ you saying?

Re:Socially engineered attacks ARE a huge problem

[blueg3]

UL testing isn't a product comparison, it's a test for standards conformance. The requirements for independence and impartiality are substantially different.

Re:Socially engineered attacks ARE a huge problem

[iserlohn]

I don't know about you but I rarely receive tarballs, rpms or debs from friends to compile or install on IM or facebook. That's the good thing about the repository system, where there is a (hopefully) trusted source where you install the majority of your applications.

I can't really see socially engineered malware taking off under Linux, really.

Re:Socially engineered attacks ARE a huge problem

I work for UL. you don't know shit - UL's tests and the kind of stuff going on here are entirely different.

you can actually reproduce UL's tests, and they aren't out there to "compare to another company".

It'd be more like this:

NSS labs browser report says IE blocks 99% of social networking vectors.

Nothing about "in comparison to chrome", or "excellence", or how well it does. Yet all of those are in the study.

In fact, it's incredibly unethical to comment on the performance of a product as a testing studio as good, bad or otherwise. That by itself in the studies guarantees you that these studies are biased due to the funding.

Re:Socially engineered attacks ARE a huge problem

[alvinrod]

[I'll suppose that you were being facetious, but my sarcasm detector is in the shop---]

Nope, that merely gives you reason to question the outcomes and examine the experimental procedure in depth. It's a meta-level reputation system. If an entity has shown a lack of bias in the past, you can generally choose to accept their work. Otherwise you examine the experiment design and see if anyone was playing fast and loose with the statistics and analysis. Microsoft probably qualifies for most people.

The summery raised a few points. It may be that some older version of Chrome is crap in some aspect compared to the beta of Microsoft's latest and greatest. That's a simple fact that can be supported by some measurement. You can question whether what is being measured is actually useful, but let's assume that it is. Still doesn't change the fact that it's and old version of Chrome vs. a beta version of IE. The study is still perfectly valid, just utterly pointless. It would be like a study on carbon emissions that only looks at cars made during the 60's. Utterly pointless for the current situation.

Skepticism is fine, but be a good skeptic who evaluates the experimental methods and study conclusions. Don't call a club a spade just because it suits your black-and-red view of the world. Otherwise you're really no better than what you purport to despise.

Re:Socially engineered attacks ARE a huge problem

[david_thornley]

If I want to know what is unlikely to burn my house down, I look for the UL listing, and rely on vendor-performed standard tests.

If I want to know whether product A or B is better, I check out Consumer Reports, which accepts no funding from any vendor, not even advertising.

I was willing to believe that IE wouldn't burn my house down anyway, so this report gives me precisely no useful information.

Re:Socially engineered attacks ARE a huge problem

[lgw]

If UL tests 2 products, and finds one passes and another fails, there's certainly a comparison that can be made between them, and a company selling the passing product might feel inclined to draw attention to this (of course, UL itself never comments publicly on failed tests). In this case, the tester tested two products and rated one "99%" and one "3%" against some standard. The methodology might have been totally bogus (no idea), but the act of paying for the test isn't automatically so.

Re:Socially engineered attacks ARE a huge problem

[camperslo]

When one uses only a single test, perhaps a specially crafted one, the conclusions may be misleading.

As an extreme example if one takes an area of a country where people are very well fed, and perhaps taking in far more nutrients than needed, it is entirely possible that one could come up with a study showing substantial nutritional value in sewer waste. Without taking into account the other characteristics (bacteria, viruses, levels of toxic medications, smell etc.), sewer waste might actually be portrayed as a good inexpensive source of nutrition.

I don't mean to pass any judgement on whether IE is wonderful or terrible. The point is that one narrow measure should be kept in perspective and not used as the sole basis for an overall opinion.

Re:Socially engineered attacks ARE a huge problem

[TENTH+SHOW+JAM]

What the Faceless Google rep said was that this test cannot be peer reviewed because they did not release all the data (specifically the URLs visited). Now releasing a report that does not allow for independent review does not make for good science.

The tests may be valid. But until there is enough information to confirm this, I can only be skeptical of the faceless Microsoft rep.

Re:Socially engineered attacks ARE a huge problem

[geekoid]

It raises a red flag, but that is all. They could very well be unbiased and independent.

Yes, like all tests, confirmation from others is a good thing.

Look at the data. compare to the conclusions. Do the match the conclusions? Is the methodology the correct one for the tests they are doing?

That's the only way to tell if a study is good.

Re:Socially engineered attacks ARE a huge problem

[geekoid]

Bullshit. Stop getting the facts from under a tinfoil hat.

Re:Socially engineered attacks ARE a huge problem

[dave562]

I would love to see a study funded by X that does not then show X as being the best product. Given that it seems $ > Truth, I doubt such a thing will ever happen.

Re:Socially engineered attacks ARE a huge problem

[MobyDisk]

This is totally different.

In this case, the tester tested two products and rated one "99%" and one "3%" against some standard.

The key difference is that UL tests against a pre-existing standard. Not a standard that they made after looking at the product. UL can't customize their test to make one product look better or worse.

The methodology might have been totally bogus (no idea), but the act of paying for the test isn't automatically so.

The act of paying for a test to be designed for you, or a test you designed ahead of time to make your product look good, is bogus. Paying to have a test executed for you is not bogus. One is independent, the other is not.

Re:Socially engineered attacks ARE a huge problem

[natehoy]

The report is almost useless because it has compared the latest stable and dev releases of IE with versions of Firefox and Chrome that are years old.

What. No, wait, what?

Read on to the end, because later I'm going to tell you what's really wrong with the test and why it's bullshit, but I have to first burn down the obvious straw man you've introduced.

The report was released in October 2010. http://www.nsslabs.com/assets/noreg-reports/NSS%20Labs_Q32010_Browser-SEM.pdf

It used Google Chrome 6, which was the current stable Chrome at the time (6 came out in September 2010). Google Chrome has gone from 6 to 8 in two months. It used Firefox 3.6, which is the current stable Firefox RIGHT NOW, two months after the report was released. 3.6 was released in January 2010, but Mozilla has only done "dot" releases since October. It also included Internet Explorer 8, which was released in March 2009.

In other words, if you want to say "older is worse", then IE8 should have been absolutely fucking pasted by this test. Ummm, right? It's the oldest browser in the test by almost a year.

Now we get to the point that won't upset you, because THIS is what is wrong with the test.

According to their test, what they were really testing was vendor responsiveness to known threats (on-time maintenance of the blacklist), not some response internal to the browser. They took a bunch of really recent entries of bad sites from someone and plugged them into the browsers, getting a new batch of URLs every few hours. The time was measured in hours, so what this is really saying is that Microsoft seems to be the best vendor at maintaining the server-based "bad URLs" list, though it took them 4 hours on average to block sites as opposed to Firefox's 6 hours.

If they got these sites from their paid sponsor, then the list could easily have been biased. But there's more actual provable bias to the test than just that.

The real bias is in the percentages. They do not actually represent "Microsoft browsers blocked 90% of sites while Firefox only blocked 20%". they are a grade-type score, where 100% means all sites were blocked immediately, while a 0% means no sites were blocked, ever. Early detection (measured in hours) seems to play a much larger role than actual number of sites detected. The scores appear to have been done on some form of normalization curve, with the sweet spot being somewhere around "One Half Hour Longer than Internet Explorer".

Otherwise, how does an increase in response time from 4 hours (IE, both versions to within a few minutes plus or minus) to 6 hours (Firefox) make your score go from 90% to 20%?

The net conclusion is, if you're going to use a web browser and you depend on vendor-maintained "baddie" lists as your primary line of defense (rather than script protections like NoScript, which don't depend on a vendor to maintain stuff for you), you're better off with Internet Explorer than any other mainstream browser in the market.

It doesn't make you "70% safer" or protect you from "70% more threats", it means that it has, on average, 2 hours of lead time on the next-best browser in terms of the list of sites it protects you from. It's like saying that McAfee is better than Norton because McAfee generally releases specific virus signatures, on average, 2 hours before Norton does.

So, the test is correct, it's just expressing the results in a very misleading way, showing a very low number for "everyone but Microsoft" because the test results were designed to score what IE did best in the highest way possible. They even spelled that out in their results:

The value of this table is in providing context for the overall block rate, so that if a browser blocked 100% of the malware, but it took 264 hours (11 days) to do so, it is actually providing less protection than a browser with a 70% overall bloc

Re:Socially engineered attacks ARE a huge problem

Posting as AC so I don't get fired.

This one originated within the team itself and was not a marketing exercise.

I work on a different product group but the last 18 months or so the whole company has been encouraged to put their products through outside testing during alphas so that the goals are useful to the market rather than simply focused on what the marketing and research drones came up with. This test is one of those, the purpose was to see how good the anti-malware protection was, Chrome & IE scored about the same (FF is lagging) across the board but IE did significantly better in this single category (with google doing better in all manner of download exploits to balance things out).

While I don't think they should have released the results the method is actually sound, product teams are fucking awful at looking at competitor products and recognising where they do better. Going outside for advice refocuses us and gives a much clearer picture of where we stand along side competitors.

Re:Socially engineered attacks ARE a huge problem

[monkyyy]

trueshit, some tests were designed to prefer different bowsers and they were testing socially engineered malware for ie beta, the same reason theres no malware for haiku os; theyre wont be anyone who uses ie beta so no point beating its sytem

Re:Socially engineered attacks ARE a huge problem

[vux984]

I can only be skeptical of the faceless Microsoft rep.

Agreed. Skepticism of every studies conclusion is healthy and necessary. However outright disregard for a study based on a single data point: "who paid for it" is not.

Re:Socially engineered attacks ARE a huge problem

Just what exactly *is* 'socially engineered malware' ?? which is apparently 'actually a huge problem currently.' ? I'm curious to know?

In what was is it different to any run of the mill link that attempts to exploit browser vulnerabilities? Most of which I believe are fixed by the browser vendors pretty quickly the minute they're known about.

Otherwise this whole study seems like a made up problem which is a bit of a non-issue and which appears to be miraculously solved by only one vendor. Unsurprisingly the sponsor of said report.

I'll explain as simply as I can hoping I don't over-simplify. There are definitely grey areas and nuances to this subject.

A social engineering attack tricks the user into executing something harmful like malware. The main concept here is that you can have the very best security system in the world that makes it practically impossible to run unauthorized code. That won't protect you from an ignorant user who authorizes malicious code to run. These do require user intervention though. A good example is those annoying pop-ups that say "ZOMG! Your computer has a VIRUS! Click here and install this software to fix it!" Since the user is tricked into downloading and installing the software intentionally the attacker does not have to "break in" to anything.

Other forms of malware rely on remotely exploitable vulnerabilities. They operate without user intervention and probably without the user even noticing anything happened. They rely on flaws in the security systems that are supposed to prevent such malicious code from running. The user typically never has a chance to grant or deny permission for the code to run. Drive-by downloads are a good example of that.

Basically the attackers want to target the weakest link. If the security systems are strong enough and if it's difficult enough to find exploitable flaws in them, then the user becomes the weakest link. Basically it puts the lie to all of the "easier to use than ever!" ad campaigns designed to create the impression that good software alone can maintain security when ignorant users do stupid things.

Re:Socially engineered attacks ARE a huge problem

[cforciea]

The test, funded by Microsoft

That says it all.

And the response from google criticizing it was by someone right on google's payroll representing google's interests. I guess we can ignore their criticism then too?

Or perhaps we should let the work stand for itself, evaluate the methodology, strip away the marketing spin, and come away with some nugget of truth, regardless of who funded it. Of course that's "work".

How did this get modded +5 Insightful? Just because Google's criticism of the study's claim isn't coming from a neutral third party doesn't mean Microsoft paying for a study that praises its own browser shouldn't set off all sorts of red flags concerning the validity of the study, especially when "[...]the list of actual URLs used for testing was not made available to the vendors or to the public, so there's no way to independently verify the results."

In an unrelated note, I just got the results from this study I paid for indicating that I am much more manly, attractive, and intelligent than vux984. Please don't listen to any of his complaints about the study, though, because he has every bit as much a vested interest in the results as I do. No, you may not have full access to the testing methodology. Please just make the best call you can about the validity with the subset of parameters that were carefully selected to exclude any factors that would throw the results into question. I also promise that I didn't order 12 other studies indicating that vux984 was actually more intelligent than I am and then throw them away.

Please use me for all your needs in the future. Remember, I'm smarter and sexier.

Re:Socially engineered attacks ARE a huge problem

[monkyyy]

well if they didnt rig it (HA)
they would burn the results and try a different test

Re:Socially engineered attacks ARE a huge problem

[vux984]

Just because Google's criticism of the study's claim isn't coming from a neutral third party doesn't mean Microsoft paying for a study that praises its own browser shouldn't set off all sorts of red flags concerning the validity of the study,

Who said it shouldn't set off red flags. It sets off a red flag, but it doesn't justify complete disregard of the study. Additionally Google's statements about the study should set off the VERY SAME red flags about googles statements.

especially when "[...]the list of actual URLs used for testing was not made available to the vendors or to the public, so there's no way to independently verify the results."

That's a red herring. It is a very good reason to significantly reduce the credibility of the study. However, it is completely unrelated to who paid for it, now isn't it?

I didn't dispute the conclusion regarding the quality of the study. I only disputed the quality of the argument leading to that conclusion.

"Microsoft paid for it. That's all I need to know." is a poor argument.

Re:Socially engineered attacks ARE a huge problem

[srodden]

I believe that most people who will be influenced by this kind of report are NOT in a position to methodically evaluate the test methodology. They are people who watch Survivor, Big Brother, YourCountryHere Idol and idolize Oprah. They do not have the experience or skills for critical analysis of marketing spin. So when Microsoft (or McDonalds or the US Govt or Buy n Large) claim research that shows their product is superior to others, the reader gets one claim stuck in their head and it is repeated as fact*.

Of course that's a sweeping generalisation; there are many who do think critically (it's possible that some critical thinkers watch big brother but I expect the number is small) but it makes my point.

*Which incidentally, is why I think we should teach critical thinking at all levels of school, not just leave it until university.

Re:Socially engineered attacks ARE a huge problem

[cforciea]

Additionally Google's statements about the study should set off the VERY SAME red flags about googles statements.

No, Google's complaints don't set off the same red flags at all. Microsoft citing a third party study is an appeal to an external authority. The claim is that Microsoft is trying to get their opinion on their own browser credibility by having it come from a mouthpiece that isn't first party. There is no analogous complaint to be made about Google, because they aren't trying to complain about the study by hiring an external firm to make the complaint.

However, it is completely unrelated to who paid for it, now isn't it?

Exactly the opposite. The study arguably has that particular problem because Microsoft paid for it, for a couple different reasons. Either there is a flaw in their methodology that they are hiding because they are being paid for a specific result, or it was an unintentionally flawed study that was alone among dozens of other studies that Microsoft ordered at the time in arriving at a pro-Microsoft conclusion, or Microsoft got to pick the study targets to their benefit, or any number of other things that I can't think of off-hand. Either way, it is a conflict of interest and we should throw out the result regardless of how valid it might appear because there is no other foolproof way of making sure we avoid accepting corrupted study results.

Re:Socially engineered attacks ARE a huge problem

[ScrewMaster]

The test, funded by Microsoft

That says it all.

So its results are unquestionably incorrect and/or irrelevant?

Yes. Sometimes you have to consider the source. And if even said results are correct and/or relevant, the truth is that having Microsoft pay them means exactly what you would expect. They paid for those results, they didn't pay for independent, unbiased testing and reporting of their products.

Re:Socially engineered attacks ARE a huge problem

[ScrewMaster]

This is totally different.

In this case, the tester tested two products and rated one "99%" and one "3%" against some standard.

The key difference is that UL tests against a pre-existing standard. Not a standard that they made after looking at the product. UL can't customize their test to make one product look better or worse.

The methodology might have been totally bogus (no idea), but the act of paying for the test isn't automatically so.

The act of paying for a test to be designed for you, or a test you designed ahead of time to make your product look good, is bogus. Paying to have a test executed for you is not bogus. One is independent, the other is not.

From an ethical perspective, this is no better than when a certain 3D graphics chip maker had their Windows drivers detect running benchmark programs, and run specific code to fool the benchmark and make the chip appear to be faster than it really was.

Re:Socially engineered attacks ARE a huge problem

[ScrewMaster]

can you provide your source of facts that proves your statement to be true?

Don't have to: Microsoft's own reputation preceeds it in this case. As someone who has spent the better part of thirty years dealing with that company and its shenanigans, I will say that you should treat them like Congress. That is, you take a default position assuming that they are lying through their teeth, you don't give them the benefit of the doubt, and you force them to provide proof of their claims.

Re:Socially engineered attacks ARE a huge problem

[vux984]

Microsoft citing a third party study is an appeal to an external authority. The claim is that Microsoft is trying to get their opinion on their own browser credibility by having it come from a mouthpiece that isn't first party.

That is why it raises a red flag. Credibility is questionable.

Its also possible that Microsoft commissioned a 3rd party because they actually wanted an independent study done, perhaps because they lacked the in house expertise or resources to do an internal one properly, perhaps because a internal one is even less credible than a funded 3rd party one.

We can and should be skeptical of Microsoft funded studies.

There is no analogous complaint to be made about Google, because they aren't trying to complain about the study by hiring an external firm to make the complaint.

Fair comment. However google's statements remain suspect because they also have a clear conflict of interest. It is in their interest to discredit the study, so their criticisms likewise raise the "red flag" of questionable credibility.

The study arguably has that particular problem because Microsoft paid for it...

But Microsoft paying for it isn't what invalidates the study. We can't stop our investigation at "Microsoft paid for it. Ergo its flawed." We have to actually find a flaw. After finding the flaw, you can arguably trace the flaw back to conflict of interest from funding, but a funding conflict of interest itself isn't enough to conclude there is a flaw.

Re:Socially engineered attacks ARE a huge problem

[vux984]

I believe that most people who will be influenced by this kind of report are NOT in a position to methodically evaluate the test methodology.

Fair enough.

So when Microsoft (or McDonalds or the US Govt or Buy n Large) claim research that shows their product is superior to others, the reader gets one claim stuck in their head and it is repeated as fact*.

Fair enough. But the real problem here is twofold:
a) a news media happy to regurgitate press releases without doing any sort of journalistic investigation
b) a populace that largely lacks the ability or even desire to think critically -- as you mentioned

Of course if we fixed b) I think a) would largely take care of itself.

Re:Socially engineered attacks ARE a huge problem

[srodden]

Agreed. Journalists say "oh but we don't have time to check our sources". They should be legally required to do so.

Can't back up your printed claims? We have some nice accommodation lined up for you.

Re:Socially engineered attacks ARE a huge problem

[Gerzel]

No but they are very questionably correct.

Re:Socially engineered attacks ARE a huge problem

[cforciea]

We can't stop our investigation at "Microsoft paid for it. Ergo its flawed."

We can and should stop our investigation there. I think you are missing a fundamental distinction here. I'd agree with statement that Microsoft paying for it makes it flawed, but not just because there has to be inherently some flaw in the methodology as such. The fact that Microsoft paid for it is the flaw. The inherent conflict of interest taints the study to the point where it will never be possible clear it of enough doubt to make the data useful.

Re:Socially engineered attacks ARE a huge problem

[vux984]

The inherent conflict of interest taints the study to the point where it will never be possible clear it of enough doubt to make the data useful.

But in nearly any situation the parties interested in paying for studies have an interest. In the health sector at least there is enough public money floating around to fund some research... but in IT? Who is going to pay for the work?

All "independant" review sites host advertising from these companies, some of them are more blatantly biased than others but the 'taint' of the potential for a conflict of interest colors all of them. If you are going to demand there be no conflict of interest then you aren't going to get any studies at all.

Re:Socially engineered attacks ARE a huge problem

[cinderellamanson]

From an ethical perspective Microsoft, IBM, Oracle, etc. are responsible for the business practices that made credit default swaps plausible. Sling them a tonne of bullshit and bill them. Hell, Credit Default Swaps were essentially a financial construct emulating a user interface with no business logic. In this industry the slightest inclination of bias is absolutely guilt and you are a fool not to believe so. That's the job working in IT, trying to figure out how much utter bullshit you can avoid before you get blamed for the bullshit that generates revenue. Fuck, IE9 is irrelevant, because there is still too much bullshit glued onto IE6.

Re:Socially engineered attacks ARE a huge problem

[mwvdlee]

From TFA: "funded by Microsoft".
You can ignore the rest.

Re:Socially engineered attacks ARE a huge problem

[rtfa-troll]

There was nothing wrong with doing the study. I'm sure that there were many such studies done and that's fine. It's the fact that they choose to release this one which is the problem. More important is the way it was released; as an "independent study" as if it had nothing to do with development. That's totally immoral.

The ways in which this cheated are also clearly discussed elsewhere. They took the Google version at the beginning of the study, but worked on the Microsoft version and took the results at the end. To be fair, either you just study the versions as delivered at the beginning or, better this should have been done as a joint exercise with all the other browser vendors with everybody paying together and competing to improve their products. Then, the vendor with the best results at the end can crow about it.

The fundamental of honest use of studies is that you must treat each product identically; you must decide at the very beginning of the study whether you will release the data and you must involve the developers of each package studied equally.

Re:Socially engineered attacks ARE a huge problem

Yes.

Re:Socially engineered attacks ARE a huge problem

[Nitage]

Or perhaps we should let the work stand for itself, evaluate the methodology, strip away the marketing spin, and come away with some nugget of truth, regardless of who funded it.

We can't evaluate the methodology because the methodology hasn't been published. From what we do know, neither the testing nor the data released was objective - the tests compared bleeding edge releases of IE9 to an obsolete versions of Chrome, and the data they chose to publicise focussed on the single areqa in which IE9 triumphed, despite it performing poorly in other areas.

Re:Socially engineered attacks ARE a huge problem

[mr_gorkajuice]

"I know my product X, competing with product Y, does task A really really good, but is lacking on task B, so I'm gonna pay a third party to compare products X and Y in terms of how well they perform task A, and try not to mention task B"

Yes, it's marketing, but it might very well be true that product X is better than Y at A. If third party concludes that X is in fact better at A, we can't consider this false simply because the maker of X paid for the study.

Re:Socially engineered attacks ARE a huge problem

[iamhassi]

"The test, funded by Microsoft That says it all."

page 12 of the test PDF:>
"ABOUT THIS TEST This private test was contracted by Microsoft’s SmartScreen product team..."

Paid for by Microsoft, although really google should just ignore these fake tests since IE usage has dropped from 45% to 28% while Chrome went from 4% to 20% from Jan 09 thru Nov 2010.

So shut-up Google, you're winning.

Re:Socially engineered attacks ARE a huge problem

Indeed, everyone knows Opera is the king of security (and performance, and features).

Re:Socially engineered attacks ARE a huge problem

[mcgrew]

That's totally immoral.

You can't expect morals from an amoral entity. Not just Microsoft, ANY corporation.

"Never let your sense of morals prevent you from doing what's right" -- Salvor Hardin (Asimov's Foundation). For any corporation, anything that raises revenue is "doing right"', even breaking laws and killing miners as happened several months ago in that mine disaster in Virginia. Even people's lives are secondary to stockholder dividends.

The fundamental of honest use of studies is that you must treat each product identically

Honesty is irrelevent to a corporation.

Re:Socially engineered attacks ARE a huge problem

[commodore64_love]

>>>If Internet Explorer 9 beta blocks 99% of those and Chrome[6] only 3%, that makes a huge difference.

Yeah yeah, but Chrome (and Mozilla seaMonkey) can run on my tiny 0.1 gigabyte laptop. Can IE9? Ha! Nope. ;-) ----- But seriously: Why in the world was the test run on the latest IE9 versus the ancient CR6? A deliberate Microsoft setup to make themselves look good.

Re:Socially engineered attacks ARE a huge problem

[mcgrew]

I have seen at least two studies that the results were different than what the funders wanted to see (although in one case the funder wound up in a better position he thought he was in).

In one study, they were trying to prove a correlation or causation between smoking marijuana and cancer. They did a statistical study of four groups of baby boomers; long term cigarette smokers, long term pot smokers, long term smokers of both, and nonsmokers. They fully expected ganja to cause cancer, since all smoke contains carcinogens.

What they found was that predictably, cigarette smokers had more cancer than any of the other groups. They were startled to find that those who smoked both reefer and cigs had half the cancers of those who only smoked tobacco, although far more than the last two groups who were statistically identical. Those who only smoked pot actually had fewer cancers than nonsmokers, although the difference was statistically insignifigant.

Another study was funded by a book publisher trying to find out how much money book piracy cost him. Pirate books usually hit the web two to four weeks after legitimate publication, and he wanted to se how badly sales dropped after it hit the net. He was amazed when the results showed a marked spike in sales, rather than the expected drop.

Despite the pot study (done 2 or 3 years ago, I can no longer find the news sources, I saw it in both New Scientist and the Boston Globe), the lying bastards at the Partnership for a Drug Free America still maintain on their web site that pot causes cancer. Despite the second one, the RIAA and MPAA still maintain that piracy costs sales.

Re:Socially engineered attacks ARE a huge problem

[lgw]

From an ethical perspective Microsoft, IBM, Oracle, etc. are responsible for the business practices that made credit default swaps plausible.

That is the single most irrational bit of geek hate spew I've ever seen on Slashdot - you should get a new Slashdot achievement for that! (Also, there's nothing wrong with CDSs per se, they just need to be regulated the same way as any other form of insurance currently is.)

Re:Socially engineered attacks ARE a huge problem

[vux984]

We can't evaluate the methodology because the methodology hasn't been published

That counts as evaluating it, and finding it missing. Big point against its credibility. :)

the tests compared bleeding edge releases of IE9 to an obsolete versions of Chrome

This much at least is factually incorrect. This study was done *in* September 2010. Chrome 6 was released September 2nd, 2010. Chrome 7 wasn't released until October 21st. What version do you think they should have used?

You appear to have fallen for Googles extremely rapid primary version number changes. Version 4, 5, 6, 7, 8, and the preview of 9 have ALL been released in 2010.

Re:Socially engineered attacks ARE a huge problem

[rtyhurst]

Not only did it beat Chrome 5 (3 versions behind the current), it also beat hell out Netscape Navigator 4.0 and Firefox 1.1...

Re:Socially engineered attacks ARE a huge problem

[MaskedSlacker]

It raises a red flag, but that is all. They could very well be unbiased and independent.

Not if you read the summary and figured out they cherry picked which outdated version of Chrome to use so it would do as poorly as possible rather than the current release and compared it to the new IE9 BETA.

I know, I know. Read the summary? On Slashdot?

It's Clear to Me Why They Waited

[eldavojohn]

From the response article:

It's not clear why Microsoft and NSS Labs waited until December to release the results.

Maybe it's like the last time this happened?

Furthermore, Moy said, the study started as a private test for Microsoft's engineering team, which was seeking to make internal improvements. "They decided to release it based on the positive results. Many of the test reports we write do not get released by vendors, but they do get used to improve products. So what does 'sponsored' mean in this case?"

So you (internally) strike a deal to test your browser (but also your competitors') with an "independent company" that you pay to perform this service. You get to define the "success parameters" of the test. Then you get the results back and you fix everything. After that time spent fixing has passed, you release the report and add that you have fixed all the problems with your product. Unsurprisingly, you look really really good when this news hits. Since your competitor is not also paying NSS Labs, NSS has no reason to update the report to meet the latest and greatest version of browsers. Meanwhile you can decide if your competitor's browser performed inadequately enough or not for the report -- maybe you even select the success parameters afterward? Heck, you already waited to see if you could release the report.

Independent? HA!

Re:It's Clear to Me Why They Waited

[Dan+East]

I know this isn't in the spirit of the other posts on this topic today, but I applaud MS for concentrating on security and the best interests of their end users. It's good to see they are taking these matters seriously as part of the product development process.

That said, I still use Firefox, followed by Chrome, for browsing, but at least they are looking out for those stuck with IE simply because it ships with their OS.

Re:It's Clear to Me Why They Waited

[WARM3CH]

You have valid points, still Google didn't deny the results and in a sense, confirmed it. Read Google's response again: NSS says IE is better than Chrome in X, but hey, they didn't say Chrome is better at Y and Z. NSS didn't claim X covers everything related to security so bringing Y and Z to the discussion is just a move to draw attentions from X.

Re:It's Clear to Me Why They Waited

[Col.+Klink+(retired)]

You missed one other step. When the results DON'T show IE ahead, you just don't release them...

Re:It's Clear to Me Why They Waited

Indeed. This could almost be viewed as a form of extortion, akin to street gangs requiring local businesses to pay "protection" money. Either you pay us, too, or we make your product look like shit when the review hits the press.

Re:It's Clear to Me Why They Waited

[geekoid]

So they use the test to improve their browser until it's better then the others being test, then say it's the best.

Well..good.

Re:It's Clear to Me Why They Waited

This is exactly the case. NSS Labs exists to make big money issuing reports favorable to the people who are paying them for the reports. I've worked directly with them, and a larger bastion of incompetence in an "independent test lab" I've never seen. Idiot conducting the test got really puzzled at a sudden drop in network performance during the middle of a test. He had created a nice loop in his network and disabled spanning-tree, and couldn't actually troubleshoot the issue. Which might not have been a big deal, except that he was their "expert" testing networking gear at the time, not an application tester.

They're also disgustingly open about the whole "if you don't pay us enough we'll trash your product" thing. If you ever work with them, I highly recommend secretly recording all dealings (as long as you're in a single party consent state) so you have some leverage when you (or your lawyers) need it.

Re:It's Clear to Me Why They Waited

You know what... the NSS Labs blog seems to be the only one I've ever seen that does not allow the posting of user comments to articles.
Go figure. Maybe Microsoft paid for the blog too.

Huh?

Google is complaining that a report on socially engineered attacks is only focused on socially engineered attacks? And they're whining that a study done back when Chrome 6 was the most recent release doesn't mention Chrome 8, which is currently the most recent release? Seriously?

Re:Huh?

a study done back when Chrome 6 was the most recent release

If the study is that old, then how did IE9 beta get into it?

Re:Huh?

[natehoy]

The study is from mid-October 2010.

Google Chrome 6 was, in fact, the current "stable" Chrome browser back then. Google Chrome 7 was not released until October 21, 2010, and Chrome 8 is from this month.

Google Chrome 6 only seems "old" because it's two full revisions back. That's because Google has it on a Jack Russel Terrier release schedule, probably desperately trying to get their browser to version 10 "see? one more than Microsoft!" ASAP.

But green bananas purchased when Chrome 6 was still the current stable browser might still be edible today. ;)

There is a valid point about why IE9 Beta got in there, but not Firefox 4 Beta, or Chrome 7 Beta. But the test was testing speed of blacklist signature updates anyway, and those don't change very much between browser updates since it's all vendor-side maintenance, and not some actual property inherent to the browser itself.

Check the funding

[longtailedhermit]

This: "The test, funded by Microsoft"

Re:Check the funding

[eldavojohn]

This: "The test, funded by Microsoft"

The real warning flag is that it doesn't say that on NSS Lab's site nor does it say it anywhere in the report. So if I was being paid to do this, I would have that in big bold letters as a disclaimer on the front page of the report if I wanted to maintain credibility. So either the Google response article is wrong (which the same IE8 report from last year was funded) or you're just being flat out disingenuous when you say "independent." We just happen to receive funding from one of the participants and they decide when and if the report is released.

One more thing, if you dig into this report, the parts where they reference Microsoft read like an advertisement:

It became obvious from this test and comparisons to the earlier test that Microsoft continues to improve their IE malware protection in Internet Explorer 8 (through its SmartScreen® Filter technology) and in Internet Explorer 9 (with the addition of SmartScreen application reputation technology). With a unique URL blocking score of 94% and over-time protection rating of 99%, Internet Explorer 9 was by far the best at protecting against socially-engineered malware. The 89% zero-hour block rate suggests a far superior malware identification, collection, and classification method.

"What kind of registered application reputation technology did you say they used? Simply revolutionary progress!" Compare that section to that same section on Chrome:

With a protection rating of just 3%, Chrome 6 dropped more than 14% from our last test. And, Chrome’s unique URL score of 4% was also a major decline. Chrome’s overall poor protection makes it difficult to compare it to other Safe Browsing API-related products.

"Boo, Chrome sucks!" Hahaha oh my this is too funny. Google shouldn't have to explain themselves. Just take what you can to improve from this report, become aware of your opponent's tactics and move forward.

Re:Check the funding

[Mongoose+Disciple]

And of course, rebuttal funded by Google.

So it's a wash.

Re:Check the funding

[DragonWriter]

The real warning flag is that it doesn't say that on NSS Lab's site nor does it say it anywhere in the report. So if I was being paid to do this, I would have that in big bold letters as a disclaimer on the front page of the report if I wanted to maintain credibility.

The report is of greater value to Microsoft, the paying customer, the less obvious it is the Microsoft is the paying customer.

Re:Check the funding

[geekoid]

Depends on how the funding takes place, and for what purposes. Did they fund This test? DO they just make a annual payment to a generic fund to be part of the 'club'? Are the a testing lab where everyone knows the test is paid for by the vendor*?

*UL safety testing is paid for by the vendor, at it works very well/ Different kind of testing, but hopefully you see my point.

Re:Check the funding

[geekoid]

Too bad the said Microsoft paid for the test. They even put it where it goes in ALL tests.

Anyone who reads these tests know exactly where to look for funding. IT was NOT hidden.

4.4 ABOUT THIS TEST
This private test was contracted by Microsoft’s SmartScreen product team as an internal benchmark,
leveraging our Live Testing framework. It has subsequently been approved for public release.

Bad summary?

According to Google not only didn't the report use Chrome 6 for the tests where as the current version is Chrome 8...

Should it be:

According to Google not only did the report use Chrome 6 for the tests, whereas the current version is Chrome 8...

Re:Bad summary?

[SgtKeeling]

I was wondering about this as well. The way it's written makes it very difficult to understand the intention of the author.

Re:Bad summary?

[natehoy]

Should it be:

According to Google not only did the report use Chrome 6 for the tests, whereas the current version is Chrome 8...

No, it should read "the person who wrote the summary was unaware that Google Chrome 6 was the current version in October of 2010, when the report was written".

Re:Bad summary?

They chose IE 9 beta, so shouldpicked compared it against Chrome 9 beta.

Or beter yet, avoid all the FUD and compare IE 9 to IE 8, and leave the cross browser comparisons to independent studies.

What Googles' response should have been:

[epiphani]

FOR IMMEDIATE RELEASE

REGARDING: Claims by NSS Labs of Chrome vs. IE Security.

Comment:

HAHAHAHAHAHA

Re:What Googles' response should have been:

[rtb61]

For immediate release.

Warning.

M$ Internet Explorer under control the M$ controlled server is better at censoring the web, than any any browser.

WTF, this has nothing much to do with browsers at all, just how much time and effort a company is willing to put into to tracking down naughty web sites and updating their browsers and blocking the naughty payload coming from those web sites.

P.S. If you really want to do something good M$, work together with those other companies to make a universally accessible database of malicious web sites, so that everyone will be safer. Until then you are a dick and technically under law, an accessory after the fact for failure to report to the appropriate authorities an attempt by others to commit a crime ie. give the appropriate authorities access to that database so they can do something much more appropriate than just bloody blocking them.

Attack urls?

[TheL0ser]

I'm well aware of what social engineering is, but what are "socially engineered malware attack URLs"? Those things that pop up in my inbox say "check out this picture of us!" with a link that looks like someone smashed their head on the keyboard?

Re:Attack urls?

[ittybad]

Didn't you read the arti.... oh, wait. Slashdot. Right. From the article: "For clarity, the following definition is used for a socially-engineered malware URL: a web page link that directly leads to a download that delivers a malicious payload whose content type would lead to execution, or more generally a website known to host malware links. These downloads appear to be safe, like those for a screen saver application, video codec upgrade, etc., and are designed to fool the user into taking action. Security professionals also refer to these threats as “consensual” or “dangerous” downloads."

Re:Attack urls?

[tycoex]

So basically, IE9 does a good job at protecting morons who download everything they see... from themselves.

Re:Attack urls?

[monkyyy]

mircosoft warns me before installing an anti-malware, i`d hope they would able to 99% when they warn about everything

Re:Attack urls?

[mindwhip]

Don't knock it... the number of scareware / fake virus scanner infections I have been cleaning recently from friends computers would suggest these attacks are becoming more frequent and harder to spot as malicious until it is too late...

If IE9 is as good as they claim at stopping these then my steady supply of good single malt whisky will dry up, which is bad for me and bad for bot nets but good for everyone else...

dammit, you beat me to it

[ChipMonk]

But really, those five words are the #1 takeaway.

Would SlashBot Dispense With Browser Wars

and pay some attention to the Wikileaks wars?

Thanks in advance.

Yours In Osh,
K. Trout, C.T.O.

Re:Would SlashBot Dispense With Browser Wars

[Wyatt+Earp]

You mean the story on the front page isn't enough? http://tech.slashdot.org/story/10/12/15/1822216/Todays-WikiLeaks-News
Or the one from last night - http://tech.slashdot.org/story/10/12/15/0038211/Air-Force-Blocks-NY-Times-WaPo-Other-Media

Or the one from yesterday - http://idle.slashdot.org/story/10/12/14/1612247/Julian-Assanges-Online-Dating-Profile-Leaked

Or the other one from yesterday - http://tech.slashdot.org/story/10/12/14/168248/Michael-Moore-Posts-Julian-Assanges-Bail

Or the two to four a day we've had for days?

If anything /. has too much about Wikileaks right now, Reddit is slammed with it as well

Re:Would SlashBot Dispense With Browser Wars

You don't know Mr. Trout? You must be new here.

Funny definition of Independent

[schwit1]

As independent as a politician that accepts campaign contributions from AT&T or SEIU.

Re:Funny definition of Independent

[kaizendojo]

...Or posts on a site that promotes open source and LAMP stacks and images Bill Gates as a Borg. What I find interesting is how no one questions the monthly posts here about IE losing market share from a site (Net Applications) that only polls their own clients, but no one ever points that out.

Re:Funny definition of Independent

[tycoex]

"Or posts on a site that promotes open source and LAMP stacks and images Bill Gates as a Borg"

I fail to see how posting on a site where the majority of the members happen to agree on something is in any way similar to getting paid by someone.

Last I checked open source and LAMP aren't paying slashdot users to like them. Slashdot users have genuine reasons for liking them.

Wai . . . What?

[rudy_wayne]

"Independent testing company NSS Labs . . . . . . . . . . The test, funded by Microsoft,"

An "independent" test that was "funded by Microsoft". WTF? How is that independent?

Re:Wai . . . What?

[MobileTatsu-NJG]

It means they get paid whether they get the results Microsoft wants or not.

Re:Wai . . . What?

True, still pretty silly though, from the sounds of it the test is more or less how good of a list of malware downloading sites each browser has. They test 400 sites then give a percentage. Microsoft took the test once, learned which 400 sites are tested, didn't publish the results, but added those 400 sites to their warning list. and supprise supprise they passed with flying colors and published the 2nd results.

Just like every browser test, the company that builds for the test wins the test, microsoft got 90% better this time because it was a painfully easy test to build for. Hell IE 6 or the origional netscape navigator could be patched to 100% with a simple change to the hosts file. Really though what's the point of this one, anyone with technical knowhow can see this test is BS, and anyone without it wouldn't be reading test statistics on browser security.

Re:Wai . . . What?

[DragonWriter]

It means they get paid whether they get the results Microsoft wants or not.

Which isn't really independent. I mean, if it was blind, such that Microsoft wouldn't know who was performing the test and couldn't retaliate against them by not paying them to do future tests if they didn't like the results of this one, then that would be independent.

Re:Wai . . . What?

[MobileTatsu-NJG]

That rationale is pretty weak.

You're right that the results are questionable, absolutely 100% no dispute about that, but the nitpickery over the term 'independent' is overzealous, especially in the context that the same summary pointed out it was funded by Microsoft.

Re:Wai . . . What?

[Col.+Klink+(retired)]

> It means they get paid whether they get the results Microsoft wants or not.

Of course, since they are funded by MS, they only get released if MS feels like it.

Re:Wai . . . What?

[MobileTatsu-NJG]

Yep. That is, however, distinctly different from "paying to make the results what we want them to be".

I'm only nitpicking the semantics here, not the questionable'ness of the data.

Re:Wai . . . What?

[geekoid]

easily.

If you own a bank and contract a team of professional to test your security. they are an independent company.

Same thing here.MS paid a company not owned or affiliated with MS to conduct testing. It's a common practice.

3 percent!

[martin-boundary]

Perhaps Google shouldn't have used OpenBSD code in their browser, then :)

Great example

Looks like the test was a perfect example of social engineering.

Independent?

[lucas+teh+geek]

Independent my ass

Re:Independent?

[ChipMonk]

Your ass is safe, for now.

Grammar po po

"According to Google not only didn't the report use Chrome 6 for the tests where as the current version is Chrome 8"

Should that say "not only did"?

Clear writing

[myNameIsNotImportant]

According to Google not only didn't the report use Chrome 6 for the tests where as the current version is Chrome 8

dude, really? couldn't you have said it without using a double negative?

Re:Clear writing

couldn't you have said it without using a double negative?

Indeed.

Re:Clear writing

[cp.tar]

According to Google not only didn't the report use Chrome 6 for the tests where as the current version is Chrome 8

dude, really? couldn't you have said it without using a double negative?

Apparently, he couldn’t not have said it without using a double negative.

What was even being tested?

[gman003]

Seriously. What were they even testing? I was under the impression that social engineering was a security flaw in the user, not in the application. Reading the report, it sounds like they were just testing the browsers' databases of known malware/phishing sites. Which, really, has little to do with the security of the browser itself.

Re:What was even being tested?

[jfengel]

I was under the impression that social engineering was a security flaw in the user, not in the application.

It is, but you can't debug the user, so you have to compensate in software. I feel a lot better knowing that J. Random Grandma has something looking over her shoulder to tell her she really shouldn't be going to that site. Cuz once J. Random Grandma's computer is hacked, it starts sending spam to MY computer.

Heck... I'm a software developer, and I've been known to screw up. Humans are buggy.

So I really want software that does both. If IE is ahead in that area, good for them. Sending out a press release declaring themselves more secure *in general* is dirty pool, and Google should say so. But they should also start swiping some of what MS does for Chrome, because it does make things safer along one dimension. Lord knows Microsoft has done it enough times. Let them feel the back hand of it for once.

Re:What was even being tested?

[takowl]

Little to do with the *code* security, yes. But it's got a lot to do with real-users-not-getting-viruses security.

Seriously, everyone. I know it's sponsored by Microsoft, and I wouldn't be surprised if there's some dodgy selection of test URLs behind the scenes. But if these results are even in the right ballpark, then it's something that Google (and Mozilla, and Opera) really need to pay more attention to. Stop finding excuses to ignore it just because we don't like what it says. Go and try to find the methodology, and see how it's dodgy. Or even do your own tests.

Re:What was even being tested?

Yep. This is my exact concern - Educating users is the only real method of ensuring security, and a browser catching too many things makes users think that if something isn't caught that it is safe every time. As a network administrator, I would rather use a browser which catches a few things than everything because it keeps users on their toes and means that I will never hear the whole "but the browser said it was safe!" speech.

Re:What was even being tested?

[blueg3]

It has little to do with the theoretical security of the browser code, but it has a lot to do with the practical security of using the browser.

Re:What was even being tested?

[GrumpySteen]

> It is, but you can't debug the user

Yes you can

In a recent study of women...

[GodfatherofSoul]

...researchers discovered that hot supermodels would be most fulfilled in a relationship with Slashdot user GodfatherofSoul*.

* This study funded by GodfatherofSoul

Reminds me of MS

[fermion]

Remember when MS would always complain that their software would run better if only every updated. All viruses were the responsibility of the user who not install patches quickly enough. This was especially true for users that refused to upgrade IE. Of course we all wrote websites for specific versions of IE, so it was pretty impossible to upgrade until the web apps were rewrote web apps. Of course this does not hold a candle to the assertion that everyone was required upgrade fees to insure safety.

So Google is not quite as bad as MS, but complaining that a reviewer used an old version is a tried and true attempt at diverting attention for genuine deficits in the product.

Re:Reminds me of MS

I'm really trying to understand this post.

IE is the best

at being a huge security hole.

That's been true for years... I don't care what any study says.

Especially one paid for by microsoft... Jeez... at least setup a shell company and have them pay for the study. at least put some thought into your lies microsoft. come on now

Stopped reading at

[w0mprat]

"microsoft funded". Google could by rights fund a test of the current Chrome version against IE7/IE8 version from one or two years ago unpatched.

They would have had to intentionally install a old version of chrome with a standalone installer, and prevent it from updating by circumventing google updater which silently updates chrome. Talk about stacking a test.

Re:Stopped reading at

[amliebsch]

Nope, that actually was the current Chrome at the time of the test. If you are going to criticize another organization for being slipshod with the facts, it helps to make sure your own facts are correct.

Very narrow scope

[Lucky75]

Note: This study does not evaluate browser security related to vulnerabilities in plug-ins or the browsers themselves.

The scope is very, very limited. It only focused on socially engineered malware, like popping up windows that look like windows alerts.

What did they do, have a bunch of illiterate idiots using the other browsers to skew the results? I fail to see how you can have an objective test about "socially engineered malware". Maybe IE got a high score because it annoys the hell out of you with annoying popups (that most users would just ignore anyway). I *HIGHLY* doubt the accuracy of these results.

IE Smart filtering and anti phishing "technology" is a load of bullshit anyway.

Scriz

I stopped reading after "The test, funded by Microsoft,"

kthx.

Other browsers don't need it

[Lucky75]

Of course, they forgot to mention that most other browsers don't need explicit prompts and notifications against socially engineered malware attacks since the other browsers are not as vulnerable.

valid in its own way

[Jodka]

The test has an odd kind of validity; The foolish who choose Internet Explorer (instead of Firefox, Chrome, Safari or Opera) would be also the foolish victims of "Socially Engineered Malware". That is, the web browser for dupes protects its users from the same vulnerability which causes them to use it.

beta Apples to outdated Oranges

[DragonWriter]

You have valid points, still Google didn't deny the results and in a sense, confirmed it. Read Google's response again: NSS says IE is better than Chrome in X, but hey, they didn't say Chrome is better at Y and Z.

I think you missed the other important part: "Also, the version of Chrome that NSS says all this about is two major versions behind the current stable release, while the version of IE they say is better is the current beta release."

A more relevant comparison would be IE 8 to Chrome 8 (current generally release version of both version), or IE 9 to Chrome 9 (current publicly available pre-release version of each browser.)

Perhaps someone should do a similar comparison, but using Chrome 9 and IE 6, instead...

Re:beta Apples to outdated Oranges

[cacba]

The reason the test used Chrome 6 was it was performed Sept 17-27, before the Chrome 7 release of Oct 21.

The test specifically stripped out Y & Z from potential malware links.

Re:beta Apples to outdated Oranges

[DragonWriter]

The reason the test used Chrome 6 was it was performed Sept 17-27, before the Chrome 7 release of Oct 21.

Which made it, at the time, merely beta Apples to stable Oranges, which is slightly-less-bad -- but the relevance of the report when it was written isn't important to anyone, the relevance when it is released matters, since that's when people will be reading it and potentially making decisions based on it.

Had the report been released when it was current (leaving aside issues of who was paying for it, and whether what it actually tested was particularly meaningful on its own) it would be a bad comparison of IE's current beta to Chrome's current stable release. Released now, its a really bad comparison of IE's current beta to an outdated version of Chrome.

Re:beta Apples to outdated Oranges

[Daltorak]

I think you missed the other important part: "Also, the version of Chrome that NSS says all this about is two major versions behind the current stable release, while the version of IE they say is better is the current beta release."

A more relevant comparison would be IE 8 to Chrome 8 (current generally release version of both version), or IE 9 to Chrome 9 (current publicly available pre-release version of each browser.)

Perhaps someone should do a similar comparison, but using Chrome 9 and IE 6, instead...

It's quite clear from the study that Chrome 6 was the most recent full release of the browser when these tests were performed in September. Don't forget that Google Chrome is on a six-week major release schedule. If the argument is that Google has made significant improvements in their defenses against socially-engineered attacks in the last three months, then okay, the study is no longer relevant. But have they done this? I haven't heard anything along those lines.

Re:beta Apples to outdated Oranges

[natehoy]

Perhaps, but throwing out the IE9 beta the test was done in October 2010. It used Chrome 6 (released September 2010, superseded in late October 2010 by Chrome 7), Firefox 3.6 (Released January 2010 and still the current stable release), and Internet Explorer 8 (released in early 2009).

If you ignore the IE9 beta, Internet Explorer was actually the oldest of all of the browsers tested.

The real problem with the test is not browser age. In fact, browser age has nothing to do with the test. They were testing the vendor's blacklist update interval and completeness, with a deep bias toward "fast response" and a deep bias away from "completeness". I posted a critique earlier on in the thread detailing the problems: http://tech.slashdot.org/comments.pl?sid=1912006&cid=34567368

The age of the browser is an invalid critique of the test, and almost leads me to believe that some Microsoft shill put it in the article summary to mislead you from the real problems with the test.

Re:beta Apples to outdated Oranges

[DragonWriter]

It's quite clear from the study that Chrome 6 was the most recent full release of the browser when these tests were performed in September.

Which would (considering only the browser versions, and not the scope of the test and other issues that have been raised) have made the test valid, relevant, and meaningful, if the study compared it to the then-current general-release version of IE (IE 8), and was released at a time when that comparison was meaningful to the current market options.

Don't forget that Google Chrome is on a six-week major release schedule.

I don't forget that. No one (well, except maybe Microsoft, who was paying for the study and controlled the timing of its release for its own marketing purposes) forced the report to be delayed nearly three months from the time it was current.

If Microsoft and/or their paid agent decide to delay their report until, even ignoring questions as to the relevance and accuracy of its findings, the comparison it makes is irrelevant to the current options, that's hardly anyone else's fault but their own.

Re:beta Apples to outdated Oranges

[cacba]

The study used IE 8, IE 9 (beta), Chrome 6. IE 8 still performed orders of magnitude better than chrome 6. That is stable to stable, apples to apples.

Studies take time. I doubt chrome has radically changed their social security in the last three months and neglected to say anything. GDP statistics take months to produce, yet they are extremely useful.

I am skeptical of this study, but not for your reasons

Re:beta Apples to outdated Oranges

[Your.Master]

They did compare it to IE8. IE8 blew everything away except IE9 which did a bit better still. Seriously, it's right there in the summary.

Microsoft, who was paying for the study and controlled the timing of its release for its own marketing purposes

Do you honestly think they sat on it until it wasn't true and then released it? What would the point of that be? We'll probably be on a double-digits Chrome version by the time IE9 releases.

Among other things, this is comparing malware lists that actually updates online in real-time, so strictly speaking it's out of date before the statistical analysis is even finished. Hell, IE would have been patched a couple times in the interim. This is roughly equivalent to the frequent comparisons of time-to-patch for client vulnerabilities.

Yes, it's fair to ask to try again on the newest version. It's also fair to question the methodology. No, it's not irrelevant after being out for just a month. Chrome happens to be revving version numbers like crazy while everybody else releases patches.

Who cares? Not Joe six-pack...

[crovira]

Same ol' Microsoft FUD.

They're closing the barn door after the barn burnt down and all the horses are bolted.

Just ask them how Bing is doing to hear paeans about how well that's doing.

Switching the rails on the flacks is trivial, you just have to ask 'em the right question.

Fact is that Microsoft OWNS the business desktop and business things tied to it, but THAT'S ALL.

Browsing is something that occurs OFF the business desktop and NOBODY TRUSTS MICROSOFT not to rat them out to the corporate IT department.

That's why Chrome is a fast riser.

That's why Google is so big in web searches.

That's why Android is the "up and coming" and phone app system.

That's why Apple OWNS the consumer "Intelligent Appliance" space (iPod, iPad, IPhone, Macs of all stripes,)

That's why Nintendo, Sony and X-Box are ducking it out over CONTENT (the best game experience,) in the console space,.

Screw Microsoft... They've been screwing your workplace for years.

For 90% of workers, the money that is spent on IT is money that comes out of THEIR pockets.

Be afraid... BE VERY AFRAID /.ers,

Re:Who cares? Not Joe six-pack...

Someone has been reading too much timecube...

Re:Who cares? Not Joe six-pack...

[bigstrat2003]

Browsing is something that occurs OFF the business desktop and NOBODY TRUSTS MICROSOFT not to rat them out to the corporate IT department.

What does this even mean??

Re:Who cares? Not Joe six-pack...

[hairyfeet]

Lame troll is lame. How many boxes do YOU repair in a week? I average about 6, sometimes more when I've not got so many builds in progress. And I can tell you that without a shadow of a doubt that socially engineered attacks account for a HUGE amount of infections and is in fact growing rapidly. try looking up "Security Tool 2010" or "Rogue AV 2010" and looking at the numbers these things are racking up. As home users slowly move away from XP to Windows 7, which has file and registry virtualization, ASLR and DEP, and which you can even easily add Structured Exception Handling Overwrite Protection , the low hanging fruit is increasingly becoming PEBKAC. I can tell you I see socially engineered bugs spreading a hell of a lot faster on newer OSes than I do anything else, whereas with XP it is still drive bys thanks to running as admin. As XP dies out this problem will only be getting worse.

Now I don't recommend IE OR Chrome to my customers, as I don't like the data mining in Chrome and have had bad luck in the past with IE, if MSFT can get 99% of the social engineered bugs blocked, along with someone cooking up something like ABP for IE 9? Then I'll be happy to recommend my customers use IE over other browsers. I'm already starting to get pissed at Mozilla for refusing to support low rights mode in Windows 7 even though this tech has been out since 07 simply because Linux doesn't have it. Chrome mines waaay too much data for my taste, so that leaves Comodo Dragon and IE. Does anyone know of a good ABP for Chromium based browsers? Or an ABP for IE 9? Because in the end ABP will be the deciding factor for me and my customers. If IE 9 can block 99% of the social engineered attacks while I can block ad based attacks with an ABP clone then it is a no brainer to switch. I just wish the Mozilla team wouldn't act like asses and refuse to support a technology that would help protect so many simply because it isn't supported on a platform that doesn't need the damned thing anyway.

Re:Who cares? Not Joe six-pack...

[ColdWetDog]

What does this even mean??

All your base (instincts) belong to us?

Re:Who cares? Not Joe six-pack...

[ScrewMaster]

Does anyone know of a good ABP for Chromium based browsers?

How about Ad Block

Re:Who cares? Not Joe six-pack...

[Wintervenom]

And Simple Adblock for the Internet Explorers, up to version nine.

Re:Who cares? Not Joe six-pack...

[hairyfeet]

Does it actually keep the ads from being downloaded, or simply blocks them from view? Many of my customers are on lines with caps so it matters. and will that work with ALL chromium based browsers like Comodo Dragon, or just Chrome? The main problem I've been having with these kinds of solutions is I'm just too swamped to do heavy field testing complete with monitoring the network, so I really need to find a "drop and go" kind of solution. ATM the only thing that fits the bill has been FireFox simply because the FF ABP keeps the ads from being downloaded in the first place, and when you have so many sites using flash based that bandwidth really adds up.

I really hate to have to move myself and my customers away from FireFox, but as long as the attitude from the Mozilla developers when it comes to low rights mode is "don't care, won't fix" then I have no choice but to start looking at alternatives. After all it is stupid to have all this extra security built into Windows 7 only to have FireFox completely ignore it and act as a full admin.

So anybody that has experience with the above and can chime in information would be welcome. With all the extra work, last minute shopping, not to mention half the family out of that killer flu bug that is going around, I just don't have time for any long term tests. But with customers (and myself) stuck on capped lines I really can't afford to give them something that only hides ads when going over is $1.50 a GB.

Re:Who cares? Not Joe six-pack...

[BrokenHalo]

It doesn't mean that much when you consider that Chrome can't be trusted not to pass information about you to Google.

Re:Who cares? Not Joe six-pack...

[dwinks616]

Google provides many products and services that I use and like. I've never once had a Google ad which had something like "buy these window drapes, they go great with that new couch you bought last week". In fact, I've clicked on a few Google ads over the years (and ZERO other ads) simply because the product in the ad actually moderately interested me. As for the information "chrome passes to Google", well, that's no more information than they get from simply from tracking the links someone clicks in a Google search. I've never once been wronged by Google, or had them deleteriously affect my life. I don't see any harm in them knowing I frequent slashdot, xkcd, wikipedia, and click on many science and tech news articles throughout the day. I don't see any harm in them knowing I use their search engine to troubleshoot computer issues all day at work. If they use that information to serve me small, unobtrusive ads based on that information, and use said revenue to pay for stuff like Docs and Gmail, that's fine with me. I'd rather have them track my browsing habits, and have targeted ads than pay money for those services. It's not like some person is sitting around at google actively watching your every click, laughing, and choosing what ads to send you, it's all machines, and with hundreds of millions a day, they literally don't have time to put a human in front of that data, and never will.

Engineering Versus Marketing

[eldavojohn]

I know this isn't in the spirit of the other posts on this topic today, but I applaud MS for concentrating on security and the best interests of their end users. It's good to see they are taking these matters seriously as part of the product development process.

Don't get me wrong, I'm always happy when security is improved -- even in the most hated of products by the most hated of companies. The problem I have is when marketing gets a hold of this and spins it to attack competitors, thereby improving the public perception of their own product. This could have all been avoided had Microsoft just kept the report internal like most of NSS Labs' customers. And doing so while comparing the latest IE9 to Chrome 6 and releasing that to the public as a 'current' report now ... well, that's what I have a problem with. If a Chrome user read that report as today's news they're going to think that it's been done with today's Chrome.

I must have missed...

[Das+Auge]

I must have missed the part where Net Applications is a shill for Mozilla, Google, and/or Apple.

The credibility issue here is with a Microsoft. A company that has been shown, time and again, that they're not above tweaking the facts (lying) about their products and their competitors' products. That, and the fact that they paid for this supposed bit of research.

Re:In a recent independent study of women...

FTFY

And that may be all I need to know

[element-o.p.]

"The test, funded by Microsoft..."

That told me everything I needed to know.

Re:IE might be the best (on an intranet), because.

[cp.tar]

Woah.

I haven’t seen style this terrible in a long, long while. Even the GNAA trolls are more legible.

I always knew

I always suspected Microsoft was best, now thank's to NSS my suspicions are confirmed.

Re:IE might be the best (on an intranet), because.

[monkyyy]

he`s no troll, thats ranting

trolling includes lies and links to 'strange' porn

Comment removed

[account_deleted]

Comment removed based on user account deletion

The test, funded by Microsoft,

was all I needed to read. After that tidbit of information, all else is superfluous. "Honey, am I fat?" Gets a similar kind of response from a man not wanting divorce. OF COURSE the supplier of the cash came out on top. OF COURSE! Was there any other possibility? NO! Its either a 'keep testing till we win' kind of situation, a 'game the numbers' situation, or the cheapest, and most effective: 'get your marketing department to write something nice, no testing required' kind of situation. If the cash amount is set, no testing means more money left afterwards for drinks and dining at the club house. Microsoft has been having 'independent, fully paid' tests like this for years. You didn't expect them to start telling the truth now, did you? After all these years?

Proof of IE superiority

With a tip of the hat to the sig on /. that I first read this from...

IE - the best browser for downloading another browser.

Now we can do so with confidence!

Show us your PHD in English cp.tar... apk

"Woah. I haven't seen style this terrible in a long, long while. Even the GNAA trolls are more legible." - by cp.tar (871488) on Wednesday December 15, @05:22PM (#34567244)

See subject-line above, & it appears that 150 others here on /. seem to disagree w/ your "professional opinion" on writing style (not)...

On that note? Well, see list below:

+5 'modded up' posts by "yours truly" (8):

http://it.slashdot.org/comments.pl?sid=1139485&cid=26975021

http://news.slashdot.org/comments.pl?sid=1884922&cid=34350102

http://science.slashdot.org/comments.pl?sid=1872982&cid=34264190

http://it.slashdot.org/comments.pl?sid=1139485&cid=26974507

http://it.slashdot.org/comments.pl?sid=170545&cid=14210206

http://hardware.slashdot.org/comments.pl?sid=175774&cid=14610147

http://tech.slashdot.org/comments.pl?sid=1806946&cid=33777976

http://tech.slashdot.org/comments.pl?sid=1901826&cid=34490450

----

+4 'modded up' posts by "yours truly" (5):

http://slashdot.org/comments.pl?sid=161862&cid=13531817

http://developers.slashdot.org/comments.pl?sid=167071&cid=13931198

http://tech.slashdot.org/comments.pl?sid=1290967&cid=28571315

http://tech.slashdot.org/comments.pl?sid=1461288&cid=30273506

----

+3 'modded up' posts by "yours truly" (6):

http://developers.slashdot.org/comments.pl?sid=155172&cid=13007974

http://it.slashdot.org/comments.pl?sid=166850&cid=13914137

http://slashdot.org/comments.pl?sid=175857&cid=14615222

http://slashdot.org/comments.pl?sid=273931&threshold=1&commentsort=0&mode=thread&cid=20291847

http://it.slashdot.org/comments.pl?sid=1021873&cid=25681261

----

+2 'modded up' posts by "yours truly" (27):

http://yro.slashdot.org/comments.pl?sid=1907266&cid=34529608

http://it.slashdot.org/comments.pl?sid=158231&cid=13257227

http://it.slashdot.org/comments.pl?sid=1361585&cid=29360367

http://science.slashdot.org/comments.pl?sid=158310&cid=13263898

http://it.slashdot.org/comm

Re:Show us your PHD in English cp.tar... apk

Okay, you are officially crazy.
Informative, but crazy.

Re:Show us your PHD in English cp.tar... apk

Your conditions for understanding English have changed from just requiring having a PhD in it to having a PhD in it and instructing it for decades? I guess someone that did actually have a PhD in it must have pulled you up at some point.

Re:Show us your PHD in English cp.tar... apk

You're quite clearly hugely outnumbered 150++ to 1

Oh, 150++ (ACTUALLY, that was 151, apparently you need math lessons to teach you how to count better! Precision, APK, precision)... Look... see how that compares to the +5 Modded Posts by the (in-)famous Clone!! (P.S. you can count them yourself... you seem good at counting)

http://slashdot.org/comments.pl?sid=1062689&cid=26120641
http://slashdot.org/comments.pl?sid=1065935&cid=26151607
http://slashdot.org/comments.pl?sid=1078839&cid=26304371
http://slashdot.org/comments.pl?sid=1083305&cid=26358333
http://slashdot.org/comments.pl?sid=1094531&cid=26485407
http://slashdot.org/comments.pl?sid=1098089&cid=26529229
http://slashdot.org/comments.pl?sid=1114525&cid=26717493
http://slashdot.org/comments.pl?sid=1120721&cid=26783659
http://slashdot.org/comments.pl?sid=1120721&cid=26786453
http://slashdot.org/comments.pl?sid=1130669&cid=26890501
http://slashdot.org/comments.pl?sid=1130669&cid=26891817
http://slashdot.org/comments.pl?sid=1148223&cid=27063575
http://slashdot.org/comments.pl?sid=1153439&cid=27120913
http://slashdot.org/comments.pl?sid=1187129&cid=27447803
http://slashdot.org/comments.pl?sid=1194161&cid=27523727
http://slashdot.org/comments.pl?sid=1216179&cid=27760405
http://slashdot.org/comments.pl?sid=1221343&cid=27814855
http://slashdot.org/comments.pl?sid=1222985&cid=27834373
http://slashdot.org/comments.pl?sid=1224431&cid=27850583
http://slashdot.org/comments.pl?sid=1229887&cid=27923253
http://slashdot.org/comments.pl?sid=1252663&cid=28173579
http://slashdot.org/comments.pl?sid=1266945&cid=28312707
http://slashdot.org/comments.pl?sid=1274817&cid=28390185
http://slashdot.org/comments.pl?sid=1277369&cid=28423985
http://slashdot.org/comments.pl?sid=1283831&cid=28490687
http://slashdot.org/comments.pl?sid=1293325&cid=28598073
http://slashdot.org/comm

I got a virus while using Chrome.

[bigtallmofo]

Running Windows 7 x64 Professional on my HP netbook. Surfing using Chrome with no plugins on reddit.com. Thousands of other people did as well with various other browsers (see reddit announcement).

It came in through an ad utilizing a Java exploit. I was only 1 minor release behind on updating my JRE. Since this incident and the 45 minutes it took me to get rid of the stupid thing, I now surf with Firefox + adblock + noscript addons. It's just not worth it. I used to be OK with ads and even clicked on them occasionally but forget it now.

I have to say that was I absolutely shocked that Chrome let something like that through and that it was able to infect my system even though I never run as an admin user. Windows Security Essentials detected it but still let it infect my system and was unable to clean it out, so I ended up cleaning it out manually.

Microsoft funds test

[unity100]

IE comes up on top.

......

i mean, what we are supposed to even start thinking about this ...

Chrome isn't built with security in mind.

[Jartan]

Google defended its browser by claiming that it was built with security in mind and emphasized protection of users from drive-by downloads and plug-in vulnerabilities.

I found this line to be quite disgusting. I am very pro google but the chrome team has continually ignored the need for NoScript. A browser without NoScript isn't secure in any way shape or form.

Re:IE might be the best (on an intranet), because.

[Tenebrousedge]

Please don't feed the APK

Lol, are you serious?

[SmallFurryCreature]

There are lot of paid tests, but you pay a fixed fee for a standard test for YOUR equipment. No company can pay KEMA (I presume the dutch equivelant of LU) to test a competitors equipment and KEMA will never ever come out with a comparitive report. Your product either passes its test or not and that is all.

This is a bought report that tests a BETA of the paying company against 2 versions outdated production release of a competitor. If you can't see the bias right there, well... I think it is amazing that medical science has advanced so far that people born without a brain can survive!

Shut the fuck up you stupid douchebag cp.tar

Shut the fuck up you stupid douchebag cp.tar . Who do you think you are, some english writing critic fuckface? Prove to us that you have qualifications as a professor of English then you illiterate little 1 sentence writing FUCK!

Learn to use capitals properly yourself moron

http://slashdot.org/comments.pl?sid=1900072&cid=34480810 and this section of /. isn't the english grammar section (is there such a section, moron?). You're an off-topic little scumbag troll.

TL:DR as off topic douchebag

TL:DR as off topic douchebag

URA trolling 8 digit luserID loser

URA trolling 8 digit luserID loser who just created yet another bullshit trolling account. Do you think your douchebaggishness fools anyone you off topic trolling moron?

TL:DR as off topic trolling douchebag

Your conditions for understanding English have changed from just requiring having a PhD in it to having a PhD in it and instructing it for decades? I guess someone that did actually have a PhD in it must have pulled you up at some point. by Anonymous Coward on Thursday December 16, @01:58AM (#34571046)

Where's your phd in English then? Did your dog eat it along with your homework? No. You're just another out of work trolling off topic douche. I've yet to see any slashdot troll have a phd in anything.

150:1 odds against cp.tar looks good

Okay, you are officially crazy. by Anonymous Coward on Thursday December 16, @01:04AM (#34570808)

Does a PHD in Psychiatry come with your "snap prognosis" Dr. Quack? Or are you just another troll with no qualifications in the psychiatric sciences, just like cp.tar is in English (since he hasn't shown us his PHD in English yet, and he probably never will)

Informative, but crazy. by Anonymous Coward on Thursday December 16, @01:04AM (#34570808)

150:1 odds as the ratio of his readability of his posts tends to put cp.tar into his place: He doesn't dare even reply after that.

Re:150:1 odds against cp.tar looks good

[cp.tar]

Does a PHD in Psychiatry come with your "snap prognosis" Dr. Quack? Or are you just another troll with no qualifications in the psychiatric sciences, just like cp.tar is in English (since he hasn't shown us his PHD in English yet, and he probably never will)

No, I do not have a PhD in English. I am, however, a few exams away from a degree in both English and Linguistics. And no, I am not a native English speaker.

What I am is flattered by all the attention my tiny little comment got me. Really.
I haven’t had an online stalker in quite a long time. Thank you for making me feel special.

150:1 odds as the ratio of his readability of his posts tends to put cp.tar into his place: He doesn't dare even reply after that.

Oh, sorry, I wasn’t expecting a reply. Such posts don’t tend to invoke either replies or moderation, so I tend to forget about them.
I’m really sorry to have kept you waiting. I promise, I’m usually more attentive to my stalkers, even if they be anonymous. Or even Anonymous.

With a HOSTS file? You don't NEED to do that...

"Reading the report, it sounds like they were just testing the browsers' databases of known malware/phishing sites" - by gman003 (1693318) on Wednesday December 15, @03:51PM (#34565790)

Per my subject-line above? With a GOOD UP-TO-DATE HOSTS FILE?? You don't even NEED to do that!

I update mine daily, from these reliable & reputable sources (for blocking out KNOWN bad sites/servers/host-domain names etc.):

GOOD INFORMATION ON MALWARE BEHAVIOR LISTING BOTNET C&C SERVERS + MORE (AS WELL AS REMOVAL LISTS FOR HOSTS):

http://ddanchev.blogspot.com/
http://www.malware.com.br/lists.shtml
http://www.stopbadware.org/
http://blog.fireeye.com/
http://mtc.sri.com/
http://news.netcraft.com/
http://www.shadowserver.org/

REGULARLY UPDATED HOSTS FILES SITES (reputable/reliable sources):

http://www.mvps.org/winhelp2002/hosts.htm
http://someonewhocares.org/hosts/
http://hostsfile.org/hosts.html
http://hostsfile.mine.nu/downloads/
http://hosts-file.net/?s=Download
https://zeustracker.abuse.ch/monitor.php?filter=online
Spybot "Search & Destroy" IMMUNIZE feature (fortifies HOSTS files with KNOWN bad servers blocked)

And yes: Even SLASHDOT &/or The Register help!

(Via articles on security (when the source articles they use are "detailed" that is, & list the servers/sites involved in attempting to bushwhacker others online that is... not ALL do!)).

2 examples thereof in the past I have used, & noted it there, are/were:

http://it.slashdot.org/comments.pl?sid=1898692&cid=34473398
http://it.slashdot.org/comments.pl?sid=1896216&cid=34458500

---

So, IF/WHEN you have a HOSTS file that has up to date blocking data in it? There's really no real need to do "browser based checks" of URL's, other than for "layered-security" purposes (which isn't a BAD THING TO DO, & it's the "current trend" for better security online).

Besides: IE, FireFox, and Opera ALL have methods for blocking out known bad sites already:

---

Opera has URLFILTER.INI (Spybot S&D populates this, alongside the Opera community doing updates to it too)

FireFox has an analog to Opera's filter file (which is what SpyBot S&D populates alongside a HOSTS file too vs. known bad sites)

IE has "restricted zones"

---

Still - the folks @ MS doing this in IE9 (which I use here)? Not a bad thing at all, for "layered-security"...

APK

P.S.=> Even the folks @ WIKIPEDIA aren't against blacklists like HOSTS:

---

PERTINENT QUOTE/EXCERPT (from -> http://www.theregister.co.uk/2010/12/16/wikileaks_mirror_malware_warning_row/ )

"we are in favour of 'Blacklists', be it for mail servers or websites

---

Why? Well, because they work... especially for layered security online... apk

Feliciano Intini

Non è vero!

Prima di tutto il test risale a Settembre 2010, e il meccanismo di reputazione di Internet Explorer 9 di sicuro non poteva influenzare il test allora (ma neanche adesso).

Poi il test è sponsorizzato da Microsoft e guarda caso Internet Explorer è primo. E poi se leggete il report vedrete che la metodica è fallata, perchè questi della NSS hanno scelto i siti da testare in base a dei "loro criteri" mah!?!

Solito marketing made Microsoft!

Are you "stalking" me, or what?

From the sounds of it you have.

In regards to THIS from you? Heh, ok:

"I guess someone that did actually have a PhD in it must have pulled you up at some point" - by Anonymous Coward on Thursday December 16, @01:58AM (#34571046)

Nope, rather, I've been the one helping & correcting PHD's in the arena of the computer sciences over time, to wit:

---

1. I've helped a PHD named Dr. Mark Russinovich (Microsoft) fix up a program of his that Mr. Russinovich had hardcoded called pagedefrag (despite his having a PHD) and Mr. Russinovich even thanked me in email, in late 2002/early 2003!

2. I'm also the same person that showed that same PHD that Exchange Servers are helped by Memory Optimizers (and much more also) in 2003 at Windows IT Pro magazine forums.

---

Seems I've actually helped, or taken on & gotten the better of, PHD's!

(Heck, I used to do work for the same firm Dr. Russinovich also did work for, in the mid 1990's to the late 1990's, in Sunbelt Software, as well!)

So - Have you?

APK

P.S.=> I'm still waiting for the PHD in English I asked for proof of from you (since you tried to troll me on writing style, & I put up over 150 modded up posts that say the opposite of your "expert opinion" on 'writing style' (the last refuge of the troll, off-topic though it is: Is there even an ENGLISH GRAMMAR SECTION HERE ON THIS FORUMS? No!)... apk

Re:IE might be the best (on an intranet), because.

[cp.tar]

he`s no troll, thats ranting

trolling includes lies and links to 'strange' porn

I didn’t say I considered him a troll. I was simply expressing how appalled I was by his writing style.

Re:IE might be the best (on an intranet), because.

[cp.tar]

Please don't feed the APK

Well, this’ll teach me all right.

Where's that PHD in English cp.tar?

I put up 150++ other posts of mine that were modded up (meaning they were obviously easy enough to read, except for you, because of your 2nd grade reading comprehension level), vs. your trolling:

http://tech.slashdot.org/comments.pl?sid=1912006&cid=34568426

Especially since you saw fit to try to say "how bad my 'writing style'" is!

It seems you are outnumbered 150:1 as the ratio on the opinion of my "writing style", eh? LMAO!

Still - As off topic as that is, ON YOUR PART (you troll), & by the by - IS THERE AN "ENGLISH GRAMMAR" SECTION OF THIS FORUMS?

Answer = NO!

(That makes you DOUBLY off-topic, as well as a troll!)

APK

P.S.=>

"Well, this’ll teach me all right." - by cp.tar (871488) on Friday December 17, @05:50AM (#34585472) Journal

I thought a PHD was "the height of learning"? Hmmm, well, then again?? You STILL HAVE TO PRODUCE YOUR PHD IN ENGLISH!

(You know - the ONE YOU DON'T HAVE!)

apk

Re:Where's that PHD in English cp.tar?

[cp.tar]

Mod points are no proof of writing style quality.
Your posts, however, are proof enough of your disturbed mental state.

Stalk on.

Didn't you come in here stalking first?

"I haven’t had an online stalker in quite a long time" - by cp.tar (871488) on Friday December 17, @05:49AM (#34585468) Journal

Per my subject-line above? YOU CAME IN HERE TROLLING ME, OFF TOPIC & ALL!

See here:

http://tech.slashdot.org/comments.pl?sid=1912006&cid=34567244

(Pal, listen: You don't have the information & evidences to disprove 150 others modding up my posts vs. your "off topic trolling" on "writing style" (is there an "english grammar/writing style" forums here? NO!), nor do you have the skills & experiences (or education) in the computer sciences to disprove any facts I post either!)

---

"No, I do not have a PhD in English. I am, however, a few exams away from a degree in both English and Linguistics. And no, I am not a native English speaker." - by cp.tar (871488) on Friday December 17, @05:49AM (#34585468) Journal

Then who the HELL ARE YOU, to even BEGIN to TRY to tell myself, who has dual degrees to his name in myself (B.S. level &/or A.A.S level as well) in the computer sciences (CSC & MIS), as well as 17 yrs. of professional experience in the art & sciences of computing on my part?

Do YOU have the same? No, obviously.

Especially when I put up contrary evidence to my "writing style" being JUST FINE in the eyes of others here (150++ mod ups no less) -> http://tech.slashdot.org/comments.pl?sid=1912006&cid=34568426

---

"I’m usually more attentive to my stalkers, even if they be anonymous. Or even Anonymous.." - by cp.tar (871488) on Friday December 17, @05:49AM (#34585468) Journal

Well, posting as "AC" on my part is better than being what you are - a "registered LUSER", because of your post history alone, you're SO EASILY TRACKED FOR TROLLING, it's not even funny!

(That makes you doubly stupid!)

APK

P.S.=> Lastly/in any event? I've decided to "grace you" with a "theme song" (for your role as "Capt. Troll", lmao).

I made SURE it was especially "cheesy", to fit you, in fact... take a listen (lol):

"THEME FOR THE 'TROLL SQUAD'":

http://www.youtube.com/watch?v=kd85Qim_Z6A

ROTFLMAO! I can just see it now - the people running @ the start (replace "The MOD SQUAD" logo with "The TROLL SQUAD, instead... lol!) are people afflicted with viruses and slowness + tracking from adbanners... the 1st white fellow runs into the black fellow & the girl, and they all tell one another about HOSTS files (& other measures to protect themselves)!

Then, OUT COMES "CAPT. TROLL" from outta the woodwork (lmao) when "TIGE ANDREWS" shows us, but you have to place a "thought balloon" in there over his head, saying:

"Oh nooooes: Users are 'getting wise' to how to protect themselves vs. my leeching their money in online speed slow ups due to adbanners, and they are also getting away from the malware that come in adbanners too, taking away my malware monies or repair fees I get as a tech for something they ought to never be seeing! I have to TROLL THIS!" - Capt. TROLL!

(ROTFLMAO!)... apk

Re:Didn't you come in here stalking first?

[cp.tar]

I thought I would amuse myself by feeding you tiny one-liner replies, but you’ve apparently taken precautions by trying to feed the whole of /. with tons of copy pasta. Well.

I will, however, grace you with a tiny little grammatical tidbit: evidence is singular.

TL:DR as off topic trolling

"he`s no troll, thats ranting" - by monkyyy (1901940) on Wednesday December 15, @05:50PM (#34567626)

First of all - Is there an English grammar section here? No.

Thus, cp.tar/Capt. Troller IS OFF TOPIC, POINT-BLANK NO QUESTIONS ASKED!

(cp.tar alias "Capt. Troller", lmao, of "THE TROLL SQUAD" ->

http://tech.slashdot.org/comments.pl?sid=1912006&cid=34587112 )

Hey - it also appears you are one also, a troll! That's ok too: You're very easy to "get the better of", as you dull brained trolling dolts usually are (via facts).

(Perhaps you're cp.tar/"Capt. Troller"'s his "evil henchman"?)

I mean, hey - LOOK @ YOU w/ a "BRAND NEW" 8 digit registered LUSER ID too, no less on your part!

(That? Just too transparent/obvious - you're the same guy as cp.tar (as far as I am concerned... it's TOO obvious!))

cp.tar (alias "capt. troller", lol) also lacks that PHD in English too, "big surprise" that (lol, not) &, above all else here? Hell - he CAN'T EVEN SPEAK ENGLISH CORRECTLY himself!

(As cp.tar/Capt. Troller had noted English is not his native language)

LMAO, & he's trying to "school me" there?

(Myself being in possession of dual degrees around the computer sciences (+ 43 yrs. of speaking & writing the language) & the fact I have been INTERNATIONALLY PUBLISHED for my ideas & programs in respected publications around the computer sciences a dozen times since 1996...??

Please...

His off topic trolling on "writing style" (the oldest troll trick in the book no less & very transparent (the "last resort" of trolls usually))?

Useless & effete (right up there with down mods that are technically unjustified)...

Especially since I instantly produced 150++ other people who thought my 'writing style' is just fine. That's 150:1 difference of opinion, BY FAR!

(This is too, Too, TOO EASY... just TOO EZ!)

---

"trolling includes lies and links to 'strange' porn" - by monkyyy (1901940) on Wednesday December 15, @05:50PM (#34567626)

LOL, no, I just linked to your & cp.tar's (alias for "Capt. TROLLER", lol) "theme song"... because NO OFF TOPIC TROLL SHOULD GO WITHOUT ONE!

APK

P.S.=> For the "theme song" to the "TROLL SQUAD" alone? Hey - I figure you 2 owe me! You now are COMPLETE (troll theme song & all, rotflamo!)... apk

Is there an "English Grammar" forums section?

"I didn’t say I considered him a troll. I was simply expressing how appalled I was by his writing style" - by cp.tar (871488) on Friday December 17, @05:48AM (#34585466) Journal

Answer = NO, there is NO ENGLISH GRAMMAR SECTION HERE on this forums (per my subject-line above) - that makes YOU, off topic, first of all!

LMAO - secondly?

Since you're already GUILTY of being said off-topic "troll", because there is no "english grammar" forums section here? (and you're CERTAINLY NO PHD IN ENGLISH & thus, no expert in it anyhow?)

Well, I also posted 150++ mod ups from others here that they gave me -> http://tech.slashdot.org/comments.pl?sid=1912006&cid=34587112 illustrating my writing is JUST FINE??

YOU? You don't have a leg to stand on here, period...

APK

P.S.=> So, "that all 'said & aside'"?? A BIT OF HUMOR FOR YOU IN YOUR HONOR:

I decided to 'grace you' w/ a theme song (+ video too, no less, lol):

I also made DOUBLE SURE it was especially "cheesy", to fit you, in fact... take a listen (lol):

"THEME FOR THE 'TROLL SQUAD'":

http://www.youtube.com/watch?v=kd85Qim_Z6A

ROTFLMAO!

I can just see it now - the people running @ the start (replace "The MOD SQUAD" logo with "The TROLL SQUAD, instead... lol!) are people afflicted with viruses and slowness + tracking from adbanners...

The 1st white fellow runs into the black fellow & the girl, and they all tell one another about HOSTS files or other security-related topics vs. malware etc. (& other measures to protect themselves)!

Then, OUT COMES "CAPT. TROLL" from outta the woodwork (when TIGE ANDREWS APPEARS, lol), but you have to place a "thought balloon" in there over his head, saying:

"Oh nooooes: Users are 'getting wise' to how to protect themselves vs. my leeching their money in online speed slow ups due to adbanners, and they are also getting away from the malware that come in adbanners too, taking away my malware monies or repair fees I get as a tech for something they ought to never be seeing! I have to TROLL THIS!" - Capt. TROLL!

(ROTFLMAO!)... apk

Re:Is there an "English Grammar" forums section?

[cp.tar]

Wow. You really are taking this personally, aren’t you.

Quit bitchin' Capt. Troll: U got a theme song!

See subject line, but then again? You're always off topic and you're not much on keeping on the actual subject at hand, are you, goofball?? So, like the subject above says, shut up already: You've already managed to get a troll theme song already.

No, I just asked a question (can't you read?)

I'll simply ask the question(s) again now:

1.) Is there an english grammar checking forums on this website?

2.) Is this the English grammar section of this forums??

3.) Are you on topic at all here???

(The rest of us know the answer to that, thing is though, do YOU????)

APK

P.S.=> Is this the English grammar section of this forums, & are you on topic?? apk

Is there a /. english grammar forums section?

"Mod points are no proof of writing style quality." - by cp.tar (871488) on Friday December 17, @06:44PM (#34594774)

Your lack of a PHD in English doesn't make YOU an expert on it though, does it? No, it does not. So, answer the question in my subject line above also... your evading it makes you seem either illiterate, OR, avoiding the fact you'll have to answer it and show yourself as an off-topic troll (pretty simple).

---

"Your posts, however, are proof enough of your disturbed mental state." - by cp.tar (871488) on Friday December 17, @06:44PM (#34594774)

Sure, sure - now, care to produce your PHD in Psychiatry, as well as your license to practice it, as well as a formally administered examination of my mental state by you, & in a formal professional setting?

(We already know the answer to that, it's the same as you having no PHD in English to make you even SOMEWHAT of an "authority" on the subject).

You off-topic trolls (the "down-mod squad", lmao) are making me laugh, so hard, it's unreal... you can't PAY for this kind of entertainment!

APK

P.S.=> You're an off-topic troll, because the main thing here is, this is NOT the "english grammar section" of this forums (there isn't even such a section to begin with, showing you're way, Way, WAY off topic!)... apk

Re:Is there a /. english grammar forums section?

[cp.tar]

You know, I haven’t had this much fun reading spittle-flecked posts in a while.
Ever since my favorite religious zealot left my favorite forum.
Well, I say left, but he was most probably simply banned for good. Which I guess explains why you don’t bother with an account.

You can't even get english right...

The use of "evidences thereof" is a widely used phrase, see here:

http://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22evidences+thereof%22

Don't try to "school me" on English, fool... it's the main language I have been using for 43 yrs. now (along w/ 3 others I speak & write fluently also).

APK

Re:You can't even get english right...

[cp.tar]

The use of "evidences thereof" is a widely used phrase, see here:

http://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22evidences+thereof%22

Even if it is, you did not use that phrase. And legalese is a separate language.

Don't try to "school me" on English, fool... it's the main language I have been using for 43 yrs. now (along w/ 3 others I speak & write fluently also).

APK

Well, you could have done without also; it is quite redundant because of along with. However, what fascinates me the most is the fact that you took the time to type up the HTML code for an ampersand even though it is easier to simply type and.
While I may believe you are fluent in a number of languages (after all, logorrhea makes you fluent in whatever you want), this still fails to address the matter of style. Of which you have none. You boast your 43 years, yet you write as if you were 30 years younger.
Now, I wouldn’t have gone into all this if you hadn’t started stalking me. But now it’s party time. Enjoy stalking me further.

Again: Is there a /. english grammar section?

"You know, I haven't had this much fun reading spittle-flecked posts in a while. Ever since my favorite religious zealot left my favorite forum. Well, I say left, but he was most probably simply banned for good. Which I guess explains why you don't bother with an account." - by cp.tar (871488) on Saturday December 18, @07:30PM (#34603462)

Why do you keep avoiding the simple questions I ask? We KNOW why:

So, I'll simply ask the question(s), again, now:

1.) Is there an english grammar checking forums on this website?

2.) Is this the English grammar section of this forums??

3.) Are you on topic at all here???

(The rest of us know the answer to that, thing is though, do YOU????)

APK

P.S.=> You don't DARE answer, do you? If you do and tell the truth (because there is no such section of the forums here on /. in an "english grammar checking" section of this forums), you'll be proved an off topic troll (which we already KNOW you are)... apk

Re:Again: Is there a /. english grammar section?

[cp.tar]

Delishus copy pasta. OMNOMNOM. U maek urself? U mad, APK?

Answer these 3 questions, you off-topic troll

Asking you the set of questions again though, the ones you keep avoiding:

---

1.) Is there an english grammar checking forums on this website?

2.) Is this the English grammar section of this forums??

3.) Are you on topic at all here???

---

(The rest of us know the answer to that, thing is though, do YOU????)

Heck - you couldn't even get your trolling right on english grammar checks - hilarious! "Somehow" (not), I don't think you will answer those 3 questions above...

APK

P.S.=> You don't DARE answer those 3 questions, do you? If you do, and tell the truth (because there is no such section of the forums here on /. in an "english grammar checking" section of this forums), you'll be proved an off topic troll (which we already KNOW you are)... apk

Re:Answer these 3 questions, you off-topic troll

[cp.tar]

It’s English, not english.
Please provide proof of basic literacy. KTHXBAI.

cp.tar are you illiterate? Answer 3 easy questions

1.) Is there an english grammar checking forums on this website?

2.) Is this the English grammar section of this forums??

3.) Are you on topic at all here???

What's wrong with you cp.tar? Can't you read? The questions put to you are there again now and they're not especially difficult either. Your hesitancy in answering them is only proof to others and myself reading that you are, indeed, an off topic troll.

3 simple questions cp.tar won't answer: LOL!

Asking you the set of questions again though, the ones you keep avoiding:

---

1.) Is there an english grammar checking forums on this website?

2.) Is this the English grammar section of this forums??

3.) Are you on topic at all here???

---

(The rest of us know the answer to that, thing is though, do YOU????)

APK

P.S.=>

"Delishus copy pasta. OMNOMNOM. U maek urself? U mad, APK?" - by cp.tar (871488) on Sunday December 19, @04:10PM (#34609870)

No, I am watching you run from answering 3 simple questions, which means I've done a great job on a troll like yourself - as they show you're off topic, OR per my subject-line above? You need remedial reading help, lol, because apparently?? You don't even have the ability to read & answer simple questions (and you're trying to tell ME about English? Please.))... apk

NSS Labs test clarification

[rocketjr]

Hey, here is some clarification on the browser tests from NSS Labs: http://nsslabs.blogspot.com/2010/12/stopping-malware-with-browser.html http://nsslabs.blogspot.com/2010/12/threat-types-and-terminology.html This should clear up some of the questions. And for full disclosure, yes, I do work there.