No, it's still not Mozilla's (or Microsoft's) fault that people and businesses have failed to upgrade. The businesses made the decision to peg all of their internal processes to IE6, not Microsoft.
I'm also not aware of a server-side language which has anything to do with the user agent. ASP and ASP.NET do not require IE, if someone made a web application which only works in IE, it's because the developer made poor choices.
Again, not Microsoft. Microsoft deserves a lot of blame and scorn for IE6, but they don't deserve the blame for their customers refusing to upgrade, or having created shortsighted applications pegged to a single browser version.
IT is demonized for decisions that they didn't always have a part in.
I would argue that IT did have a part, when they were asked to help design or approve the software. If management leaves IT out of the loop then that's management's fault, if IT was asked and approved then that's IT reaping what they sow.
How exactly am I supposed to look at Opera's code to determine its security status?
I didn't say you look at Opera's code to determine its security status. You could start by looking at their security record.
How exactly am I supposed to make myself familiar with security features for which I can't read the source code?
These are documented features. Why do I have to explain that?
If you want to evaluate the security of something, say Firefox, do you download the entire source code and audit it personally? Or maybe you look up things like the previous security record, documentation about what's been added since the last release, etc..
Now I'm not claiming that Opera or IE are secure. I'm claiming that not having access to the source code does not automatically make a piece of software insecure. The security of the software does not change before and after you look at the code.
Maybe if you're going to use a different browser, also set it as a default. When I type a URL into Windows Explorer it correctly opens the URL in my default browser, which is not IE.
They can't afford to do what? Rewrite their software? The alternative is to get exploited, then clean up the mess, then end up rewriting anyway to make sure you don't get exploited again.
So, if we're talking about money, is it cheaper to:
A) Rewrite the software B) Get exploited, clean up the mess, and rewrite the software
It doesn't matter how long you wait, you're going to need to rewrite eventually. The question is how long you want to remain vulnerable before upgrading.
Long story short, there's either gonna be a lot of code that will get re-written, or a lot of businesses that will hang on to IE6 until then.
That's not either/or, that's and. There will be a lot of code rewritten, AND a lot of business hanging on to IE6 until then, AND a lot of them getting exploited in the mean time. I wonder if it's cheaper to upgrade your internal applications so that they'll work with every browser for the next 10 years, or clean up a company-wide infection (and then rewrite the code anyway).
I'm not totally blaming the user, but most of the exploited folks are running unpatched, pirated windows versions
Can you show the numbers from your survey where you asked everyone who got exploited if they're running a pirated version? I'm interested to see just how much more than 50% of them are pirated.
"Everyone is the same. Quick to point the blame. All I know is that life is a struggle"
It's clear that you need one. Maybe you could start by changing your worldview that all open source software is secure by virtue of being open source, and all proprietary software is crap. Maybe a look at Opera would prove otherwise. If you're not aware of the several security features which Microsoft has added to Windows 7 and IE8 (not to mention much-needed support for several missing standards), then maybe you can make yourself familiar with those before claiming that everything which you can't read the code for is insecure.
Even though you're being sarcastic, to an extent you're correct. It is the fault of corporate IT, not Microsoft, that IE6 and IE7 are in such wide use and being exploited, when everyone should already be running on IE8. It would be the same situation as if you had tons of people running Firefox 1.5 and refusing to upgrade because it would break something they're used to, despite being vulnerable to a series of known problems. In that situation it's not Mozilla's fault that their user base hasn't upgraded any more than it's Microsoft's fault now.
OK, so Microsoft is opting for backwards compatibility, other browsers for security. And your original question was: And how are other browsers better in that case?
One could argue that, in the corporate IT world, Microsoft's known patch schedule is more desirable than random updates from Mozilla appearing whenever they're finished.
I saw an article yesterday where Yahoo was saying that they support Google, although it's easy for them to say it because they don't have any skin in the game in China. There's a Yahoo China, but Yahoo sold that to another company and, aside from maybe a small ownership interest, doesn't have anything to do with Yahoo China. So it's easy for Yahoo to support Google:
"We stand aligned with Google that these kinds of attacks are deeply disturbing and strongly believe that the violation of user privacy is something that we as Internet pioneers must all oppose," a Yahoo! spokeswoman said.
Meanwhile, companies like Microsoft and HP look at China and just see dollar signs:
Microsoft chief executive Steve Ballmer described Google's row with China as "the Google problem," the FT said, while Mark Hurd, CEO of computer maker HP, called China "an amazing market with tremendous growth."... The FT said Ballmer declined to indicate whether Microsoft would stop censoring results on its Bing search engine in China.... The FT quoted Ballmer as saying China represents a big business opportunity for Microsoft as it tries to persuade more people who use pirated copies of its software to pay for it.
HP just wants cheap labor, but I guess I can be a little sympathetic to Microsoft's position. I doubt MS cares much about search in China at all, they just want everyone to stop stealing Windows. They won't be successful, but it seems like their major goal is to stop theft instead of look for new business opportunities like HP wants to do.
I understand that. The PRC identifies the "big four international websites" as Google, Youtube, Facebook, and Twitter. I'm not sure why, but that's what they think.
Right. In college a couple of us managed to flood another guy's room, who happened to have a laptop on the floor. Naturally the first thing he did was turn on his wet laptop "to see if it still worked". I ended up with the laptop and, after drying it, even though it was far from usable it was able to power on and try to post. If he hadn't jumped the gun we may have been able to recover it completely.
Hold on there Slappy, China hasn't responded yet. They could easily just say "we don't know what you're talking about, don't let the door hit you on the way out". I think we may be overrating how much impact this will have on the Chinese government.
Now, if Microsoft, Apple, Yahoo, Youtube, Facebook, and Twitter all followed Google's lead, then we've got something to talk about.
According TFA, this is an internal system. No different from a log file.
OK, first of all, an "internal system" and a log file are in fact quite different. For instance, one of them is a text file, and the other is not. Regardless of the difference, do you want the Chinese on your network checking out your logs? Or is it only "not a backdoor" when it's someone else's network?
Can the law enforcement agencies access it from the outside?
I don't know about that, but the Chinese can sure as hell get inside.
Read their announcement. They have decided that they are no longer willing to censor search results. They are interested in speaking with the Chinese government on the possibilities of continuing to operate in China without censorship (use your own expertise as to the likelihood of that happening). Google has said that if they can't agree with the government, that they will close down google.cn.
They've already made their decision, they gave the ball back to the Chinese to decide whether they want Google to be allowed to operate without censorship. Frankly, an uncensored Google in China may be better than Google leaving China.
I bet that's exactly right. Google said the attacks were detected in December, and that release says Adobe became aware on Jan. 2. Google mentioned they had alerted the other companies involved. Good find. I wonder what they wanted with Adobe though.
Reading some of the news coming out about hackers in China, I get the impression that there might be unofficial sanctioning or sponsorship by the government of some Chinese hacker groups.
I would tend to agree, except I would replace "unofficial" with "actively". These types of large-scale, sophisticated, coordinated attacks from China have been going on for at least 7 years (that's a fairly long article, but it's a good one).
If you are a company like Google, you don't openly call the government for hacking and spying.
In the blog post (TFA), the Chief Legal Officer who wrote it seemed like he made a point not to directly accuse the government of anything. It's a lot easier to give a bunch of evidence and let people draw conclusions themselves than directly accuse the government and have them deny it.
e.g.:
... we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China... we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists... we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties...
Some of the references they link to directly accuse the PRC of participating in this type of behavior in the past, so one would assume that Google is under the impression that the current round of attacks is again led by the PRC.
Lastly, Google's only "retribution" at this point is the censorship issue:
We have decided we are no longer willing to continue censoring our results on Google.cn
That's significant to me because the decision to censor results by Google was made solely for the benefit of the government, and no one else. If Google now wants to withdraw their censorship, then they are targeting the government with that move, and no one else. A rogue hacker group does not get punished if Google removes censorship, the government does. Google is clearly going after the government, without ever stating that outright.
It looks pretty uncensored to me, result #1 is a dead guy lying in the street. #7 shows a bunch of tanks parked in the square. Keep in mind it's going to take some time for the previously-excluded results to work their way up the rankings.
No, it's still not Mozilla's (or Microsoft's) fault that people and businesses have failed to upgrade. The businesses made the decision to peg all of their internal processes to IE6, not Microsoft.
I'm also not aware of a server-side language which has anything to do with the user agent. ASP and ASP.NET do not require IE, if someone made a web application which only works in IE, it's because the developer made poor choices.
Again, not Microsoft. Microsoft deserves a lot of blame and scorn for IE6, but they don't deserve the blame for their customers refusing to upgrade, or having created shortsighted applications pegged to a single browser version.
IT is demonized for decisions that they didn't always have a part in.
I would argue that IT did have a part, when they were asked to help design or approve the software. If management leaves IT out of the loop then that's management's fault, if IT was asked and approved then that's IT reaping what they sow.
How exactly am I supposed to look at Opera's code to determine its security status?
I didn't say you look at Opera's code to determine its security status. You could start by looking at their security record.
How exactly am I supposed to make myself familiar with security features for which I can't read the source code?
These are documented features. Why do I have to explain that?
If you want to evaluate the security of something, say Firefox, do you download the entire source code and audit it personally? Or maybe you look up things like the previous security record, documentation about what's been added since the last release, etc..
Now I'm not claiming that Opera or IE are secure. I'm claiming that not having access to the source code does not automatically make a piece of software insecure. The security of the software does not change before and after you look at the code.
Maybe if you're going to use a different browser, also set it as a default. When I type a URL into Windows Explorer it correctly opens the URL in my default browser, which is not IE.
Firefox replaces operating systems now?
It sounds like marketing speak to me. That sentence reads a lot differently if you add one word:
Customers using Internet Explorer 8 are not affected by some|most currently known attacks and exploits due to the improved security protections in IE8
I doubt they're trying to claim that IE8 is immune to all known attacks.
They can't afford to do what? Rewrite their software? The alternative is to get exploited, then clean up the mess, then end up rewriting anyway to make sure you don't get exploited again.
So, if we're talking about money, is it cheaper to:
A) Rewrite the software
B) Get exploited, clean up the mess, and rewrite the software
It doesn't matter how long you wait, you're going to need to rewrite eventually. The question is how long you want to remain vulnerable before upgrading.
Long story short, there's either gonna be a lot of code that will get re-written, or a lot of businesses that will hang on to IE6 until then.
That's not either/or, that's and. There will be a lot of code rewritten, AND a lot of business hanging on to IE6 until then, AND a lot of them getting exploited in the mean time. I wonder if it's cheaper to upgrade your internal applications so that they'll work with every browser for the next 10 years, or clean up a company-wide infection (and then rewrite the code anyway).
I'm not totally blaming the user, but most of the exploited folks are running unpatched, pirated windows versions
Can you show the numbers from your survey where you asked everyone who got exploited if they're running a pirated version? I'm interested to see just how much more than 50% of them are pirated.
"Everyone is the same. Quick to point the blame. All I know is that life is a struggle"
Hmm, indeed..
It's clear that you need one. Maybe you could start by changing your worldview that all open source software is secure by virtue of being open source, and all proprietary software is crap. Maybe a look at Opera would prove otherwise. If you're not aware of the several security features which Microsoft has added to Windows 7 and IE8 (not to mention much-needed support for several missing standards), then maybe you can make yourself familiar with those before claiming that everything which you can't read the code for is insecure.
Even though you're being sarcastic, to an extent you're correct. It is the fault of corporate IT, not Microsoft, that IE6 and IE7 are in such wide use and being exploited, when everyone should already be running on IE8. It would be the same situation as if you had tons of people running Firefox 1.5 and refusing to upgrade because it would break something they're used to, despite being vulnerable to a series of known problems. In that situation it's not Mozilla's fault that their user base hasn't upgraded any more than it's Microsoft's fault now.
OK, so Microsoft is opting for backwards compatibility, other browsers for security. And your original question was: And how are other browsers better in that case?
One could argue that, in the corporate IT world, Microsoft's known patch schedule is more desirable than random updates from Mozilla appearing whenever they're finished.
I saw an article yesterday where Yahoo was saying that they support Google, although it's easy for them to say it because they don't have any skin in the game in China. There's a Yahoo China, but Yahoo sold that to another company and, aside from maybe a small ownership interest, doesn't have anything to do with Yahoo China. So it's easy for Yahoo to support Google:
"We stand aligned with Google that these kinds of attacks are deeply disturbing and strongly believe that the violation of user privacy is something that we as Internet pioneers must all oppose," a Yahoo! spokeswoman said.
Meanwhile, companies like Microsoft and HP look at China and just see dollar signs:
Microsoft chief executive Steve Ballmer described Google's row with China as "the Google problem," the FT said, while Mark Hurd, CEO of computer maker HP, called China "an amazing market with tremendous growth." ... ...
The FT said Ballmer declined to indicate whether Microsoft would stop censoring results on its Bing search engine in China.
The FT quoted Ballmer as saying China represents a big business opportunity for Microsoft as it tries to persuade more people who use pirated copies of its software to pay for it.
HP just wants cheap labor, but I guess I can be a little sympathetic to Microsoft's position. I doubt MS cares much about search in China at all, they just want everyone to stop stealing Windows. They won't be successful, but it seems like their major goal is to stop theft instead of look for new business opportunities like HP wants to do.
I was looking for the movie quote about the people's army driving the people's jeep until they run out of the people's gas, but I failed. :(
I understand that. The PRC identifies the "big four international websites" as Google, Youtube, Facebook, and Twitter. I'm not sure why, but that's what they think.
Right. In college a couple of us managed to flood another guy's room, who happened to have a laptop on the floor. Naturally the first thing he did was turn on his wet laptop "to see if it still worked". I ended up with the laptop and, after drying it, even though it was far from usable it was able to power on and try to post. If he hadn't jumped the gun we may have been able to recover it completely.
China: Finally, we can block that frakking western search engine properly.
I doubt that China watches a lot of Battlestar Galactica.
Hold on there Slappy, China hasn't responded yet. They could easily just say "we don't know what you're talking about, don't let the door hit you on the way out". I think we may be overrating how much impact this will have on the Chinese government.
Now, if Microsoft, Apple, Yahoo, Youtube, Facebook, and Twitter all followed Google's lead, then we've got something to talk about.
According TFA, this is an internal system. No different from a log file.
OK, first of all, an "internal system" and a log file are in fact quite different. For instance, one of them is a text file, and the other is not. Regardless of the difference, do you want the Chinese on your network checking out your logs? Or is it only "not a backdoor" when it's someone else's network?
Can the law enforcement agencies access it from the outside?
I don't know about that, but the Chinese can sure as hell get inside.
Well damn, if it's "probably conceivable" then I hope we've got our top men working on it.
Read their announcement. They have decided that they are no longer willing to censor search results. They are interested in speaking with the Chinese government on the possibilities of continuing to operate in China without censorship (use your own expertise as to the likelihood of that happening). Google has said that if they can't agree with the government, that they will close down google.cn.
They've already made their decision, they gave the ball back to the Chinese to decide whether they want Google to be allowed to operate without censorship. Frankly, an uncensored Google in China may be better than Google leaving China.
I bet that's exactly right. Google said the attacks were detected in December, and that release says Adobe became aware on Jan. 2. Google mentioned they had alerted the other companies involved. Good find. I wonder what they wanted with Adobe though.
Reading some of the news coming out about hackers in China, I get the impression that there might be unofficial sanctioning or sponsorship by the government of some Chinese hacker groups.
I would tend to agree, except I would replace "unofficial" with "actively". These types of large-scale, sophisticated, coordinated attacks from China have been going on for at least 7 years (that's a fairly long article, but it's a good one).
If you are a company like Google, you don't openly call the government for hacking and spying.
In the blog post (TFA), the Chief Legal Officer who wrote it seemed like he made a point not to directly accuse the government of anything. It's a lot easier to give a bunch of evidence and let people draw conclusions themselves than directly accuse the government and have them deny it.
e.g.:
... ... ... ...
we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China
we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists
we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties
Some of the references they link to directly accuse the PRC of participating in this type of behavior in the past, so one would assume that Google is under the impression that the current round of attacks is again led by the PRC.
Lastly, Google's only "retribution" at this point is the censorship issue:
We have decided we are no longer willing to continue censoring our results on Google.cn
That's significant to me because the decision to censor results by Google was made solely for the benefit of the government, and no one else. If Google now wants to withdraw their censorship, then they are targeting the government with that move, and no one else. A rogue hacker group does not get punished if Google removes censorship, the government does. Google is clearly going after the government, without ever stating that outright.
Thanks for taking the time to post that.
It looks pretty uncensored to me, result #1 is a dead guy lying in the street. #7 shows a bunch of tanks parked in the square. Keep in mind it's going to take some time for the previously-excluded results to work their way up the rankings.