[Solar-general] la ultima tentacion: gnu/linux

Mar Jul 6 23:32:18 CEST 2004

http://news.netcraft.com/archives/2004/07/05/browser_wars_to_recommence.html

Browser Wars to recommence? 	Security

The rise of the phisher kings continues apace. Their most recent achievements
include the combined IIS and IE exploit that infects visitors to apparently
impeccable sites, and a phishing attack based on the use of Browser Helper
Objects.

There is nothing new in this, since bugs in Internet Explorer have been part
of the Internet landscape for years. What is novel is that this time people
may have had enough, prompting what has been rightly called "a growing crisis
of confidence in Internet Explorer".

One straw in the wind is a recommendation from the Internet Storm Center, a
global monitoring and alert system for online attacks. In the face of the IIS
and IE exploit, this organisation recommended that users "install and maintain
anti virus software, if possible turn off javascript, or use a browser other
then MSIE until the current vulnerabilities in MSIE are patched."

This is not the first time that users have been urged to switch browsers. In
October last year, US-CERT (Computer Emergency Readiness Team) offered the
simple solution of "use a different web browser" as a way of dealing with bugs
in Internet Explorer. Two things make the situation different now.

One is the extreme gravity of the latest phishing scams: victims of phishing
attacks might conceivably lose their life savings. Some people now perceive
Internet Explorer and Internet Banking as a potentially lethal cocktail that
must not be mixed, with insiders in the banking industry urging their families
to switch if not operating systems, then at least browsers, while conversely
some internet banking customers have adapted to the threat by forgoing
convenience and moving funds back into accounts which require traditional
telephone and fax instructions.

The other major difference from previous occasions is that there is now a
serious alternative to Internet Explorer available on Windows. Although the
open source Mozilla project has had a long and troubled history, the current
release of its next generation product, Firefox, seems excellent.

This is an extremely dangerous situation for Microsoft. The phishing threats
and the growing professional chorus of disapproval for Internet Explorer
provide Windows users with very good reasons to turn elsewhere, even if only
temporarily. But Firefox is so good that many will want to stay with it. And
once they have tasted the power and freedom of open source, maybe they will be
tempted to try "just one more program".

Firefox and the Thunderbird email client will form the basis for the next
iteration of the main Mozilla package. One way of obtaining this is to
download the free TheOpenCD image, and to burn it to CDs for easy distribution
to Windows users around an organisation. TheOpenCD also contains the
increasingly viable OpenOffice suite, the powerful GIMP image manipulation
program, and several other useful open source offerings for Windows.

This experience of the professional quality of free software might even lead
some into the ultimate temptation: GNU/Linux itself. That option has been made
as convenient as possible by the creation of Knoppix, another image file that
can be downloaded, burnt to CDs and passed around. Remarkably, this 2 Gbyte
package of GNU/Linux plus applications can be run from any Windows PC without
changing a single file on the hard disc simply by booting from the CD drive.
The automatic configuration allows users to experience GNU/Linux in a
completely risk-free way.

In the very earliest days of Linux, the Yggdrasil distribution could also be
run as demo on a PC. One person to try out this feature, in 1993, was Eric
Raymond, until then rather sceptical of Linux. The rest is history. Who knows
what knock- on effect Firefox, TheOpenCD and Knoppix may have on other people
today?

Glyn Moody welcomes your comments.
Posted by glyn at July 5, 2004 10:16 AM | Subscribe
Comments

To clarify, it appears keywords are "...across different domains".

'Not an apologist for M$, but IE is -not- the only browser involved. In fact,
the -shorter- list (per the Secunia advisory) are those "...not affected" (2).
Opera, Netscape, Safari, and Konqueror are also on the list of
"...vulnerability has been confirmed" browsers >>>
http://secunia.com/advisories/11978/ ...

- http://www.techweb.com/wire/story/TWB20040702S0007 "...'In these times of
phishing attacks and other scams, this is a problem'...Internet Explorer users
can stymie such spoofing attacks by disabling the 'Navigate sub-frames across
different domains' setting under Tools/Internet Options/Security..."

Just an option available for security reasons. Although it may break some
functionality, it is also a way to "stymie such spoofing attacks". No "perfect
world" here.
Posted by: AplusWebMaster on July 5, 2004 04:50 PM

The browser wars were never dead. People don't use Internet Exporer because
they actively choose to use it. Microsoft has shoved it down their throats,
and very few people understand (understood?) that there is more than one
browser, office suite or even operating system.

It never ceases to amaze me how dirty Microsoft's game has been, and still is.
I tribute it to the fact it's more of a marketing air-selling company than a
technical company with pride in what they are doing, in engineering or
under-the-hood quality. Just like extremist right politics here, they play the
people for fools with obvious, arrogant and pompous but empty statements;
sadly enough most people are fools, and fall too easily for populistic
low-content words.

I hope that other software, better software, open (preferably) or closed, will
find a way to the desktop of people again and replace Microsoft's products,
and this kind of continuous security problems can only help to make people
realise they should be looking at alternatives.
Posted by: wouter on July 5, 2004 05:20 PM

It never ceases to amaze me how open source proponents can blame MS instead of
open source software for their failures.
IE won the browser war because
1. It had overtaken Netscape as the better browser by version 4.
2. Netscape, having been beaten, went on a several years retreat instead of
immediately improving their software.
In short, Netscape's demise was their own doing. MS had nothing to do with it.
The situation's the same for open source. If open source proponents spent less
time whining about MS and more time writing good software they might be a
viable alternative. Linux/X/OpenOffice/Gnome are behind because their inferior
to MS equivalent products, not because of any evil MS doings.
Posted by: Matt on July 6, 2004 04:05 AM

i predicted something like this would happen to Passport a while ago.... who'd
a thought it would be IE taking the beating because Passport never got a
foothold....

if Passport wasn't a has been and this happened to Passport, a bunch of bank
accounts would have been wiped out before anybody would have ever known what
was going on.... followed by the death of MSFT.....

hmmm... makes you wonder what would happen if the courts never stepped in...

isn't it funny how MSFT thought it was wise to tie the Browser to windows...

could have been fatal for windows and MSFT....... good thing the courts forced
an out....

i'm kind of wondering what would have happened if users still couldn't "hide"
IE....

imagine the uproar.....

jon.
Posted by: jon on July 6, 2004 04:28 AM

Please can Google and other organizations who offer a browser toolbar add a
security alert section so average users know they are in danger.
Posted by: Stephen Ensor on July 6, 2004 08:30 AM

IE wasn't better than NS - it was just the "default browser" because it was
delivered with Windows. That doesn't say anything about quality of the software.

I know, I was using both (IE out of necessity - NS out of ease-of-use) at the
time (I've been using browsers for 11 years - since Mosaic).

Opera deserves some cudos for their swiftness in releasing security updates
once their browser is known to be vulnerable. As for Firefox; one of the
strengths of Open Source software is the ability to write your own patches.
Even if you lack the necessary interest and/or programming abilities you can
bet that someone out there does and forward their patches to the Firefox team.

In contrast; how long does it take for MS to release a security critical patch?
Posted by: Ronald McDonald on July 6, 2004 11:05 AM

It is a known fact today that the Internet Security is most vulnerable at the
Login entry.
No SSL or other protocols will prevail if your Password is exposed.
The most secured and affordable methodology available today is the TFA (Two
Factor Authentication) and OTP (One Time Password) generation.

These methods cost a bundle with today Token system. That is the reason only
VIPs or very secured sites offer this level of security to their clients.

Change the Token system in a way that every organization can offer it to their
customers, and you get a high level of security for everybody.

Mega AS Consulting Ltd (www.megaas.co.nz) has developed a new CAT (Cellular
Authentication Token) that follows that thought. It is a new concept that
enables new services such as eAuthentication. The CAT runs on a cellular, does
not require SMS or any type of communication and can be installed (one time
OTA) by any Service’s client. It does not cost the user anything.

With this in mind, Services can now offer the users the option to register to
a secured OTP login, at their own time. The Service does not have to supply or
manage the tokens. It is the users’ responsibility to join the secured service
to secure his login.

The eAuthentication Service takes this approach even further. Since the user
can choose to join the secured Login of the Service, the company providing the
service does not have to buy the Authentication package anymore, they get the
users authenticated at Mega AS Consulting CAT Authentication server by
implementing a simple API.

This approach is new. It will change the whole industry and it is available now.

Posted by: AS on July 6, 2004 11:57 AM

Well, another good reason is why pay wasn't it $30 for Netscape when IE is
free with Windows 98? Remember that just to get back at Microsoft, Gateway
bundled Netscape for free.

Just remember that back then IE didn't even have a print preview, something
Netscape had from day one.
Posted by: Sprockkets on July 6, 2004 07:46 PM

Another good reason to use FireFox. You can turn off the parts of Javascript
such as forging the address bar or status bar or resizing the window but keep
image changing on which allows you to sort through pics on say www.toyota.com
but prevents other annoyances of Javascript.
Posted by: Sprockkets on July 6, 2004 07:54 PM 

Diego Saravia 
dsa en unsa.edu.ar