
December 7, 2007 11:35 AM PST

When more bugs can mean tighter security


(continued from previous page)

The EULA says that some files on your hard disk will be encrypted, and you won't have the key, and have to ask Microsoft...if you want to read the files. This is digital rights management. This is my computer, my copy of Windows, this is my data. I don't want any company, and not just Microsoft, to dictate what I do with my files.

Since then, I've not used Windows on a regular basis. A computer is a fantastic tool for connecting to the Internet. My whole life is in there--songs, movies, pictures, text, my blog posts. It links my friends through instant messaging and social networks. For many of us it would be impossible to work without a computer.

I don't think Web 2.0 applications are particularly dangerous in terms of security. In terms of privacy they are, as seen on Facebook recently.
--Tristan Nitot, president, Mozilla Europe

This is a tool I want to keep control of. I had the choice of either not updating Windows with SP2, which wouldn't have been secure, or not accepting the contract. So I moved to Linux, and when that machine died I switched to a Mac.

What is the current state of play with open-source development?
Nitot: Open source is amazingly successful. I have a cracked iPhone running BSD, and a Nokia N80 tablet running Gecko 1.9. At home all my routers run Linux.

When I was younger I was fully addicted to computing, and I pictured myself in the future surrounded by Unix machines. I'm a bit geeky. But actually this has happened. Now we're surrounded by Unix and Linux machines, all connected to the Internet. We have open source everywhere.

What are the main future challenges for the open-source community?
Nitot: The open-source community needs to figure out the user experience part and the marketing part. With product quality and reliable operating systems, open source has won hands down. However, today, most open source is built by engineers for engineers, which makes the products not very user-friendly. This is something we've figured out in Firefox. Now this needs to be figured out in other projects.

So which distributions are user-friendly, and which aren't?
Nitot: Ubuntu is interesting--users can use Ubuntu. The tricky part is Windows power users, who get lost on Linux. The inner workings of Linux are not easy to understand if you're coming from XP.

Why is marketing a problem for open source?
Nitot: Open-source communities have way less marketing budget than proprietary software vendors, especially Microsoft, which reportedly spent $500 million launching Vista.

Mozilla released the first beta for Firefox 3 a month ago, and the second beta on Tuesday. You can work on Web applications offline with Firefox 3. Will this work for all Web applications?
Nitot: The Firefox 3 beta has an API (application programming interface) that tells the Web app that it's offline, so it can store things locally, and sync back later. This implies the Web app knows how to leverage the API, so (if it doesn't) it has to be updated.

How much is this a security feature? Do Web 2.0 applications open up new attack vectors?
Nitot: A browser is a window onto the Internet, which is why we take security so seriously. (But) I don't think Web 2.0 applications are particularly dangerous in terms of security. In terms of privacy they are, as seen on Facebook recently.

Are you talking about Beacon (Facebook's ad-tracking feature, which it withdrew
Nitot: Beacon was probably a bad idea, if the users think so. People see and adopt so-called "free services," but they do have a cost--a huge cost--to develop and run such systems. People are paying for them by giving up their privacy.

In many cases their privacy is more valuable than the service they get in return, because there's no price tag on privacy. It's hard to balance what you give with what you get. It's hard to understand whether you're getting a good deal. Right now I don't think users are getting a good deal.

There is a price per user to running a social-networking site, and social-networking site executives know that price--probably a couple of pounds per year. What you give in exchange is your age, your location, people you know, Web sites you visit, things you buy--this all gives a precise profile of you. It enables very variable targeted advertising, probably worth much more than a couple of pounds per year. With Beacon, I would have been the first to sign a petition (to stop it).

Tom Espiner of ZDNet UK reported from London.

As usual, both sides of the fence, when it suits them.
by Anon-Y-mous December 7, 2007 12:59 PM PST
Didn't they used to claim "look at all the bugs in IE. Switch to us for higher security/less bugs"

Now that MS has fixed a lot of the bugs and addressed security, somewhat, and happen to have fewer breaches lately, now they're saying that having bugs is BETTER for security??

Whatever.
Err, no they didn't.
by Penguinisto December 7, 2007 4:41 PM PST
It was more like "look at how easily IE makes your computer into somebody else's *****. We want to make something that helps prevent that from happening".

Also, they never said that having bugs is better for security. RTFM. What they did say was that having all of your bugs publicly viewable is better for security - at least that way everyone knows about it and is forewarned.

Internet Explorer has bugs in it now that no one outside of Microsoft and the undernet/hacker communities know about. It's like being on a cruise ship that's leaking water badly, but only some of the crew and all the rats down in the bilge know about it. In the analogy as in web browsers, you never really find out about it until it's way too late to save yourself from the results.

/P
Yep, Mozilla is full of hypocrisy
by Mike E. December 7, 2007 4:43 PM PST
First they pointed to IE bugs to show that Firefox is better.
When it was pointed out that Firefox does not have bugs because no security researcher has ever looked at it (because nobody uses it), and that when Firefox gains user share security researchers will find tons of bugs, Firefox guys said it will never happen.
Now it is *starting* to occur (I'm sure we'll see more once Firefox gets more popular), and they tell us that bug counts do not matter.
Cracks in the wall
by rcrusoe December 7, 2007 1:39 PM PST
Who cares which browser had the most "cracks in the wall"? It's
the severity of the problems that counts, not the quantity.

IMO, Mozilla might have had the most cracks, but IE on many
occasions has left all the doors open. When was the last time
you read a security bulletin that advised you to use IE instead of
Firefox? I can't recall any.

But when was the last time you read one advising you to not use
IE? For me, it was last week. In fact, it seems that most
advisories concerning websites have a "don't use IE" or "set IE
security to high".
RE: Cracks in the wall
by protagonistic December 7, 2007 7:00 PM PST
You are wasting your time. You can't argue with a closed mind.
But I have to say I can't recall ever having seen a Firefox browser
hijack and I have seen lots of IE browser hijacks. :-)
Uhmm, yeh....
by suyts December 7, 2007 10:16 PM PST
ok, where are you getting your advisories? Mozilla.com? Haven't seen one yet (a serious security firm) that tells me to not use one web browser or the other.
Use whatever you want
by fastdodge December 9, 2007 8:50 AM PST
at the end of the day you get to pay for your own mistakes. That
includes poor choices in software. I know which vendor has cost us
billions of dollars in losses due to sloppy programming practices.
Title is Awkward
by wbenton December 24, 2007 5:57 AM PST
Just like the initial story.

Posting the illogical crap which Microsoft spews out is low-down enough.

But trying to rectify yourself after the initial blurb... and with the title like you've posted it... (* LOL *)

Sounds like if Microsoft created more bugs... which they continually do... that their Operating System will become MORE secure! (* ROFLOL *)

Thus the title of this article is just as inaccurate as Microsoft's initial Slander against Firefox which you first posted!

Either IE is MORE secure or Microsoft's logic is not logical at all.

CNet News seems to be reporting it BOTH WAYS!... that just doesn't go over very well with me.

Either it is or it isn't... wishy-washy stepping on this side of the fence one time and the other side of the fence the next time isn't a good reputation maker!

Bottom Line: Either you're for or you're against Microsoft... trying to play the middle against each other will get your hands and feet burnt real quick like!

The facts are:
#1: Microsoft has lax security
#2: Microsoft's ill attempts to claim that they're increasing their security have been proven wrong time and again in the past.
#3: Microsoft continues to attempt to make a good name for itself for those willing to listen.
#4: If Cnet keeps supporting Microshaft's stance... I might just have to go out and look for a better source for my news!

Report the facts is what I'm interested in hearing. I don't care what Microsoft says or thinks unless what they say is factual, but I've yet to find that to be the case and I've been watching them closely since 1984!

Walt