Stop urging people to run Firefox

By: Qwaider

On:Thursday, November 20, 2008 7:32:25 PM
In:Science & Technology
Viewed: (4837) times

Currently 4.7/5 Stars.
1
2
3
4
5

Rated 4.7/5 stars (81 votes cast) Thanks for your vote!

Tech Warning:
If you're not interested in Browser Security, Internet exploits, you may skip this article
Firefox fanboy warning:
This is NOT to bash Firefox or accusing it of being insecure, so read well before you explode. I personally think Firefox is great, same goes for Opera, Chrome and Safari. If you have a beef with that, bring it up with Saltzer, link provided below

In a very recent security related article by Larry Saltzer, he deconstructs the aging myth of how Firefox is impervious to attacks. Or at least, he shows shows that it's no longer safe from being a target. It's worth mentioning that his article is based on security findings reported by, Microsoft. But exactly as he notes...

With Microsoft and Adobe both doing a better job of fighting vulnerabilities in their own products, it's not surprising, as the Microsoft Security Intelligence Report also finds, that vulnerabilities in software across the industry are declining. This is why social engineering and malware are becoming the real problems. But in the meantime, it makes sense that some of our longstanding biases about product security are not as correct as they might have been at one time.

So shouldn't you.

What caught my attention is was

We're just stereotyping here, but it makes sense that Firefox users are more likely to be technically sophisticated and appreciative of security concerns. Such users are more likely to update their software religiously, more likely to recognize a scam site when they see it, less likely to fall for a fake error message. But these people push other, less sophisticated users to run Firefox as well; with browser share numbers of 20 percent, clearly there are a lot of novices running Firefox. So perhaps the percentage of users being exploited through third-party controls is larger for IE, but it should be above zero and rising for Firefox.

Which is a clear call for more technical users to stop advocating firefox to less technical users. This might be putting these folks unintentionally in harms way.

Instead, we should all be advocating few of things that have been proven by the industry to keep everyone safe

Get the latest Operating system that you can afford
Reports show that Vista is more secure than Windows XP, even with all the SP applied
Keep your operating system updated with the latest service pack.
Charts show that every service pack removes as much as 50% of the security issues related to OS
Keep your software patches up to date
Vendors are rushing to release these patches whenever a vulnerability is exposed.
Enable automatic updates on your OS
If your OS supports this feature (Windows supports this, Windows Mobile also). It will give you a piece of mind
Don't install any software that you get on the internet unless you're absolutely certain of it
With Operating systems getting better at handling vulnerabilities. Hackers are turning their attention to more social engineering attacks. Don't end up a statistic
Keep your anti-virus ON, and UP TO DATE
Your LAST line of defense might be your anti-virus, Anti-Malware, Windows Defender ..etc. Keep these little beasts on. Regardless of the performance penalty. They're WORTH IT!
But they wouldn't be worth much if they're not up to date. So make sure they are
Unless you know what you're doing (seriously) don't venture into the wonderful world of alternate browsers, alternate Operating systems and such
Granted, Firefox might be alluring with all the buzz around it. Same might go to Linux. But for the average user, they would REALLY be putting themselves in a bad situation. Worst part, they don't even know why!
Don't believe ANYONE when he says, "This thing is safe" there is no such a thing
It's been shown time after time, that almost anything that is connected to the internet is vulnerable. So, better be aggressive about security than sorry.
Stay away from bad sites
No brainer. But try to convince your teenage brother of that! huh!
If you get links in your Email, messenger ..etc, don't follow them, unless you have actually requested something from that site
This is usually a social engineering attack. Email trying to fool you into clicking on links that redirects you to sites that appear legitimate when they're run by organized cyber crime!

If you have any other points, please share them here. And can someone wipe that stupid "more secure" false advertizing off Mozilla's site? Please?

Other Memories Documented on November 20

No thanks, I'm a Muslim!..
by: Qwaider.
In: 2007
Viewed: (7170) times

Wifi - Shock and Awe!..
by: Qwaider.
In: 2006
Viewed: (3879) times

From Amman, with love..
by: Qwaider.
In: 2006
Viewed: (4686) times

« Never judge a book by its cover!

Google/Blogspot warning! »

Memories....

#1
mab3oos
Said
On: 11/20/2008 8:12:47 PM
SpamScore=[0]

Open Source is the best.

FireFox Rocks!!!! Go Foxieeeee.

#2
Qwaider
Said
On: 11/20/2008 8:47:53 PM
SpamScore=[0]

Just answer me ONE thing, What does "Open source" do to you? how many times have you actually downloaded the whole source code of Firefox and did anything with it?

Now if you answer something like, "I do this all the time, and I update the code for firefox on a daily bases and make checkins weekly" then ALL THE POWER TO YOU. You're AWESOME! You're FANTASTIC ... and you're 0.0001% of the people on the internet
Let the rest of the 99.999% enjoy their experience with a little security

#3
Nizar
Said
On: 11/20/2008 9:18:01 PM
SpamScore=[0]

firefox for the win!

#4
bakkouz
Said
On: 11/20/2008 9:19:31 PM
SpamScore=[1.2]

Ok. setting security aside, Firefox is a faster, sleeker, more powerful browser. It supports a wide array of plugins and features that IE doesn't. these plugins and add-ons are, for me at least, essentials that I cannot do without. for example, the Aardvark developer extension, Adblock plus, the stumbleupon toolbar, the digg toolbar, greasemonkey, the RealPlayer broswer record plugin, and many others. I simply cannot and will not use a browser that is not fully compatible with my needs. Firefox enables me to do anything and everything I want, and maximize my web surfing experience and interaction to the limit, IE doesn't.

Add to that, IE is just stupid. it really is, being an IT guy I have encountered many occasions on whihc IE has shown its stupidity, like sometimes when you install the yahoo toolbar, IE refuses to connect!! remove it, and it works fine. on some pc's on our LAN, IE also seems to dislike our proxy and refused to connect, Firefox works just fine, and I know there's probably an explanation, but I consider myself a well informred guy and I know my way around these things and I couldn't for the life of me figure out this odd behavior by IE.

Having said all that, security is still better on Firefox for the same reason that Macs and *nix machines have less Malware and less vulenrable to attacks by Malware, people who develop this crap aim it mainly at Windows and IE, and even though Firefox may have its issues, it is a lesser and an un-convenient target for hackers/attackers to attempt to mess with.

So.. the question is really simple. would you rather use a piece of software that you can fully customize pretty much everything about, use the way you want and make it run just the way you like, and is faster and more reliable? or one that is slower, very limited in features and you can't customize crap about it?

#5
Qwaider
Said
On: 11/20/2008 9:35:02 PM
SpamScore=[1.1]

Thank you Bakkouz, yeah, I think Chrome is awesome too! It's way faster than Firefox.
Opera is my second best browser. It's also amazing

Firefox is more stupid than IE. The way it interprets things is just lame. I created a page once, EVERY single browser rendered it correctly. Except Firefox!

Halt!! How did we get here!?
This is not about showing off what X does better than Y! It's about the new fact that Firefox is no longer safe from drive bys. It might be good news to Firefox people that they have enough percentage that malware is targeting them! Woo hoo!

As for the Misconceptions, preconceptions ...etc read what Saltzer is saying. He's saying... OH YOU'RE SO 2006 dude!

#6
za3tar
Said
On: 11/21/2008 3:54:19 AM
SpamScore=[1]

I agree with you. I don't think that there are many useful pieces of software that are perfectly secure; and chances are that it will be a very long time if we get there, if ever.

I personally don't have much of a bias against this browser or that. It is true that old versions of IE used to be terrible, but i think they are much better now.

By the way, speaking of web security, i am sure you will appreciate this article: http://www.cs.washington.edu/homes/creis/publications/nsdi-2008.pdf . The presented solution has an obvious flaw, but the paper does present a new window of web attacks.

#7
Qwaider
Said
On: 11/21/2008 7:54:06 AM
SpamScore=[0]

Surprise, surprise :) I'm actually aware of that paper. I'm also aware of couple of BHO attacks that alter content in-flight. From injecting false referer data to stealing other people's ad space to you name it. The web is a freakin scary place. And that's barely the surface. Many think they're protected by the plethora of ad-ons that FF or others are shipping. When I believe the way things are going, the next attack victor is going to be these specific addons. Man in the middle will always be an issue for everyone

#8
Khaled
Said
On: 11/21/2008 2:31:48 PM
SpamScore=[1.2]

I have a quick question about security of websites. If you visit a website but don't download any executable, are you in danger of getting viruses/spyware/malware/etc?

#10
Qwaider
Said
On: 11/21/2008 5:08:38 PM
SpamScore=[0]

Yes Khaled, you might still be in danger due to Browser vulnerabilities, OS vulnerabilities and plug-in/add-on vulnerabilities.
That's why I say keep everything up to date. Latest patch, latest SP ..etc

#11
Hani Obaid
Said
On: 11/22/2008 6:30:27 AM
SpamScore=[-0.01]

This is an old logic trick. Taking a falsehood, and then needlessly working hard on debunking it. Any IT professional should know no browser is impervious to attack.

What people subscribed to was that firefox is less vulnerable for the very fact that IE is so much more popular and so it makes a more worthwhile target. I think firefox has become popular enough since then that this statement may no longer be true.

#12
Qwaider
Said
On: 11/22/2008 8:43:17 AM
SpamScore=[-8.28]

Trust me Hani, many and I mean MANY think of Firefox's security as the ultimate truth and nothing else comes close!
Anyway, the security points above are still valid regardless of the OS or Browser.

#13
Jad
Said
On: 11/22/2008 9:45:24 AM
SpamScore=[0.5]

Qwaider,
You should stop blabbering about things you don't understand.

"Open Source" term isn't just about the ability to download the source of your favorite software and customize it although it's giving you the chance to investigate it yet there are plenty of proprietary solution that offer the source code to their clients with NDA.

When we say Open Source we refer to the power of the community and if you want to go deep it's about the power of humanity to create a solution that all the whole humanity own without discriminating religion, race or buying-power.

Using a FOSS (Free & Open Source Software) gives you the power that you want, imagine that you were able to investigate the code of your favorite Microsoft Windows release back when you were a student, wouldn't that make you a better programmer? Engineer?
On the other side, if that code was available to people then why do you think it's hard to find hundred of brilliant brains around the world to make it better just for the sake of solving puzzles? imagine it now with believing that you are contributing to the humanity, imagine that you are giving back because you are getting it for FREE as in FREE BEER (Free doesn't mean money isn't involved here)

Maybe the article you are trying to populate is true but you have to understand that the possibility of finding a vulnerability in FOSS is easier because there are million of people with access to the source code. Yes, FOSS is giving that access to humanity the good humans and the bad ones who tries to exploit your system but of course we don't do that to make their life easier but because we do believe that this is the norm and closing the source is the exception that people do for the sake of fear of security flows when they want to release a new product that they are not certain about its quality which they do release updates under the name of Service Pack to fix their mess in it.

What we are discussing here isn't a pure technical topic but it is more of TechnoIdeology topic, you do have the right to accept buying a car without being able to change its oil or fix the engine yourself but believe it or not there are plenty of people who love getting their hands dirty fixing their own engine while you wait for someone whom you have accepted that he's smarter than you to fix it.

You are one smart slave to propriety solutions owners who insist to be a slave because of genetic reasons instead of being creative or at least caring about having a personal, local, regional or world wide shared solution; I understand your happiness while being a slave but remember that the only freedom your lord gave to you is to nag about other solutions, voices or anything that your lord doesn't like.

with all due respect, you suck when it comes to this topic :-)

#14
Qwaider
Said
On: 11/22/2008 5:53:00 PM
SpamScore=[-8.29]

Jad...
Cliche after Cliche. That's all what I hear. Humanity, and the heritage of man kind.
FYI, I WAS able to debug windows issues when I was back in the University. And without source most of the time.
FYI2, hackers/cracker don't stop at "open source" or closed source to find, and create exploits
FYI3, You really really need to understand that I'm not against Open source. In fact, I don't care if something is open source or not if it's good!

Where in my whole article have I said Open Source is bad!? You really baffled me with the way you left that comment. As if I was after your precious open source legacy with a pitchfork!

I said, and I stand firm by what I said, Don't install linux if you don't know what you're doing! If you do (like programming gurus such as your self) Do whatever you want... Install it ... don't install it ... that advice is not directed at you!

I'm really disappointed Jad, I expected way more of you than an insult

#15
Jad
Said
On: 11/22/2008 10:42:04 PM
SpamScore=[0.5]

Just answer me ONE thing, What does "Open source" do to you? how many times have you actually downloaded the whole source code of Firefox and did anything with it?

That was your comment, wasn't it? anyway I didn't mean to insult you :-)

by the way, your answer is the Cliche not mine, one more thing, it feels SO good to fight with you :-)

#16
Qwaider
Said
On: 11/23/2008 12:13:31 AM
SpamScore=[0.5]

You didn't answer that question. What have you ever done with the source code of Firefox?
In that respect the logic is, If you're never going to use it, then what difference does it make?

And trust me, I have nothing against Open source