Friday, December 30, 2005

Browser security - why you shouldn't use Internet Explorer

Just read this blog post by Bruce Schneier:

MSIE was 98% unsafe. There were only 7 days in 2004 without an unpatched publicly disclosed security hole.

WOW! Friends don't let friends use IE ;)

Thursday, December 29, 2005

Predictions...

I found Blake Ross' ten predictions for the new year quite funny. I particularly like the RIAA prediction and this one:

Due to a glitch in Windows Vista, Microsoft CEO Steve Ballmer will mix up his notes at PDC ‘06 and declare: “Developers, developers, developers….We’re going to f*%ing bury those guys!” Nineteen will leave on stretchers with furniture-related injuries.

Peter Quinn resigns

Doing the right thing sometimes costs you a lot; in the case of Peter Quinn, it ended up being his job as CIO of Massachusetts. Steven J. Vaughan-Nichols has written a nice article about it:

Opinion: CIO Peter Quinn's story tells us that if you go up against Microsoft, you can expect everything and the kitchen sink to be thrown at you.

If you've followed this story, you'll know how much he's been through in the last few months and you'll quickly understand why he's chosen to resign. I have no doubt that Microsoft is at least partly to blame, and it shows that they will use all means to keep their monopoly, no matter the pain they cause others.

They could have done the right thing and added support for the OpenDocument Format to their upcoming Office 12, and I don't think they would lose their market share because they have a very competitive office suite (probably even the best). They have chosen to use dirty tricks instead.

Wednesday, December 21, 2005

USA: A dictatorship?

By now you've probably heard about how the President of the USA, GWB, gave the NSA rights to basically spy on everyone. Otherwise you can read about it here and a nice followup here that explains why mass surveillance is a bad idea.

Bruce Schneier has written about it too, and his latest blog entry is about what kind of powers the president has. It's a terrifying read:

In defending this secret spying on Americans, Bush said that he relied on his constitutional powers (Article 2) and the joint resolution passed by Congress after 9/11 that led to the war in Iraq. This rationale was spelled out in a memo written by John Yoo, a White House attorney, less than two weeks after the attacks of 9/11. It's a dense read and a terrifying piece of legal contortionism, but it basically says that the president has unlimited powers to fight terrorism. He can spy on anyone, arrest anyone, and kidnap anyone and ship him to another country ... merely on the suspicion that he might be a terrorist. And according to the memo, this power lasts until there is no more terrorism in the world.

...

The result is that the president's wartime powers, with its armies, battles, victories, and congressional declarations, now extend to the rhetorical "War on Terror": a war with no fronts, no boundaries, no opposing army, and -- most ominously -- no knowable "victory." Investigations, arrests and trials are not tools of war. But according to the Yoo memo, the president can define war however he chooses, and remain "at war" for as long as he chooses.

This is indefinite dictatorial power. And I don't use that term lightly; the very definition of a dictatorship is a system that puts a ruler above the law. In the weeks after 9/11, while America and the world were grieving, Bush built a legal rationale for a dictatorship. Then he immediately started using it to avoid the law.

*Puff* it said and democracy was no more...

Sadly, with the new Data Retention Directive, the EU is happily going in the same direction :(

Tuesday, December 20, 2005

Various Jabber news

Some time ago Google started their own IM service (GTalk) based on the open standard called XMPP or Jabber. The rest of the Jabber community is still waiting for them to open up for s2s (server to server) communication, which is a rather important part of the XMPP standard since, roughly speaking, Jabber works similarly to email.

Instead, Google extended the protocol to support VoIP (voice chat) and they have now released this for the public in cooperation with the Jabber Software Foundation (JSF). They haven't just released the specification, they have released a library too, which means that clients should be able to implement support for this pretty fast. One example is the Psi client.

This is only the first step - over the next months they should add support for things like video, gaming and file sharing. A lot more is happening in the Jabber world as can be seen in the latest Jabber Journal.

The future looks bright for Jabber!

Sunday, December 18, 2005

I was right :)

The Estonian beers weren't anything special, certainly drinkable, but nothing compared to a good Belgian beer :)

Friday, December 16, 2005

Mmm...beers :)

My local supermarket has a very decent selection of beers, including most of the very yummy Trappist beers. Furthermore, they usually have different beers on offer each week, which of course means that I visit every week to see what bargain they have. Considering how weak I am when it comes to beers (I find it quite fascinating to taste different beers), I often end up with a couple of beers in my fridge :)

Yesterday I shopped a bit and ended up with these beers:

I don't expect much from the two Estonian beers, but they were very cheap, which together with the fact that they are from Estonia made me buy them, since I visited the country 8 years ago or something like that :) The Belgian beers on the other hand have some pretty decent ratings (not that that necessarily means I'll like them) and I look forward to trying them. Belgium is my favorite beer country :)

Ars Technica reports on the data retention directive

So, who might be interested in all that data that's going to be collected? Well, our friends from the music and movie industries, of course! Here is a quote of that theory:

If you were wondering who wanted to widen the scope of a measure that tracks internet usage, there's your answer. Our old friends in the entertainment industry such as Disney, EMI, Universal Music and Sony BMG formed something called the Creative and Media Business Alliance (CMBA for short) and started lobbying for better access to customer records. They need to protect their intellectual property against the dire threat of piracy, you know.

It certainly wouldn't surprise me if that would be one of the things it would be used for in a couple of years.

Thursday, December 15, 2005

Say welcome to big brother :(

They adopted it :(

Thanks all you crazy politicians for taking away our privacy and letting the terrorists win. Who really believes this will stop any terrorists?

Tuesday, December 13, 2005

The economics of open standards

Lots of articles have been written about open standards and especially the OpenDocument Format (ODF). The primary reasons are that OASIS recently approved ODF as a standard and that Massachusetts recently chose to adopt it as their primary format and left Microsoft's format out in the cold.

A lot has since happened as you will be aware of if you've read Groklaw or Andy Updegrove's Standards blog.

One aspect of using open standards is economics. How much money can you potentially save by using open standards instead of proprietary? I don't remember seeing any research on this before now, but it looks like this might be changing as you can read in this LinuxJournal article:

I also brought up some examples of how closed formats make a huge impact on private and public digital archives. One example is the Virginia State Laws declaring, due to a lack of hardware and software standards, that electronic records are not acceptable yet for permanent storage. Microfilm and alkaline paper are allowed, but they are much more expensive, not searchable with a computer and inaccessible from the Internet. Another example is a report published in 2000 that discovered most organizations hadn't even realized they had a data preservation problem. Those who were aware of the problem also knew the total cost per year to fix the problem would range from $10,000 to $2.6 million.

This is an important battle, much more important than the battle between proprietary and open source. I hope the governments around the world will see the light and switch to using truly free and open standards. It is really the only sensible choice. Politicians sometimes make incredibly stupid choices and laws though; just see my previous post for a shining example of this.

Monday, December 12, 2005

What are our dear leaders of the EU thinking?!

Here is FFII's letter to the MEPs about the Data retention directive that might become law in the EU.

I simply don't get it - why are our dear leaders pushing through a law that most likely will do absolutely nothing to prevent terror? Instead it will cost enormous amounts of money, and who's going to pay for that? Everyone, of course, since there's no one else to pay.

Can someone explain to me the reasons why anyone would want to push for such a law? Who wins, besides the terrorists, who must be laughing long and hard at this directive, since besides being the wrong solution, it also contains huge holes they can easily use to avoid any detection?

Firefox versus IE7

Apparently, people are starting to discuss Firefox 1.5 versus IE7. As Asa writes, it's a bit stupid to compare an unreleased browser with one that has been released. There's no estimate of when the final version of IE7 will be released (well, I haven't seen any dates), and when it is released, it'll only be available for Windows XP and Vista. Firefox 2.0 might be released by the time IE7 arrives, so if you want to compare, compare IE7 with that instead.

Asa from Mozilla headquarters writes more about this.

Wednesday, December 07, 2005

More about the EU democracy

The latest press release from FFII is about the sad state of the EU:

"The EU legislative process is turning into a fast-food factory fed by special interests", says Pieter Hintjens, president of the FFII. He points out: "instead of the careful, balanced, and impartial process we expect to see, law-making is becoming hasty, heavily lobbied, and driven by autocratic commercial and political agendas. The Big Brother anti-privacy law (aka 'data retention directive') is symptomatic of wider problems." He continues: "Europe's citizens are being caught in a 'triple trap'. First, we have lost control over the process, and our elected bodies are being bullied into accepting bad laws. Second, laws are being passed to make ordinary citizens into criminals on a massive scale. Third, the EU is gaining the power to enforce its criminal sanctions in member nations." Jonas Maebe of the FFII says: "The Council and Commission have not given up on their strategy on trying to push through Parliament whatever they like. They misrepresent independent studies. They encourage Parliament to disregard due diligence in the interest of some vague higher goal: the Lisbon agenda in the software patents case, fighting terrorism in case of data retention. Stakeholders don't get a proper chance to be heard, or are plainly ignored."

The EU is a good idea, but it is truly sad that it is being made into such a mess :(

Tuesday, December 06, 2005

I Heart Rootkit T-shirt

I got my cool T-shirt today. I look forward to wearing it :)

Monday, December 05, 2005

Big brother is coming to the EU

The EU Commission has agreed on the "data retention directive", which basically will introduce big brother to all of the EU - all in the name of preventing terror. The problem is that this most likely will not prevent terror; all it will do is invade everyone's privacy to an extent not seen before anywhere.

The Big Brother "data retention directive" makes Internet and telephony providers record "communications traffic data" for up to several years. These huge amounts of detailed personal data can be easily leaked, stolen, and abused. The forces - mainly the UK government - pushing the Big Brother law claim it will prevent terrorism. The FFII does not accept this simplistic argument. The real targets, it appears, are ordinary citizens, going about their daily business. The FFII president points out, "almost everyone carries a mobile phone. With this law, your mobile phone and web browser become Big Brother's way of watching you. You will never be alone again. If you do not like this idea, contact your MEP today, urgently, and explain why it worries you. On 13 December 2005, personal privacy becomes history."

NASA switches to Firefox

According to this blog post, NASA has switched to Firefox. Good for them!

Friday, December 02, 2005

David Coursey: Bill Gates Is Not the Next Linus Torvalds

I just read this opinion piece, which is about open standards, and he starts out by writing this:

When people stop whining that Microsoft isn't becoming an open source company, I'll be able to stop writing columns like this one, in which I will (again) patiently explain that people who are expecting Bill Gates to become Linus Torvalds or Richard Stallman are bound to be disappointed.

What is this guy smoking? Who exactly is expecting Bill Gates to become the next open source guru? I think you'll find it pretty darn difficult to find a person that believes that. A bit later he continues:

That the open source community might have to make an exception to its licensing structure seems a minor inconvenience compared to what they are getting. Microsoft is not required to let people tinker with its formats, but it should allow the open source community to include those formats—as Microsoft has written and will document them—in its products.

It is pretty clear that he doesn't have a clue about how open source "works", because it is more or less impossible to make an exception as he suggests, and it will most certainly not be a minor inconvenience. The next paragraph in the article only makes that even more clear. There is one paragraph I agree with though:

I believe this whole debate has been miscast. The discussion shouldn't be between Microsoft and the open sorcerers, who are unlikely to ever find satisfaction in anything Redmond does, but between Microsoft and its customers.

That is completely correct. The important question to ask, then, is what the MS customers, especially state and government customers, should require of MS. Bob Sutor (Vice President of Standards and Open Source for the IBM Corporation) has written a nice post about exactly that. It is quite clear to me that it would be a smart move for David Coursey to do some research instead of writing clueless articles like this one. Isn't that what journalists are supposed to do?

The Human Side of Security

I saw this link on Bruce Schneier's blog which links to this great post about an addition to the SANS Top 20:

H1. Humans

H1.1 Description:

The species Homo sapiens supports a wide range of intellectual capabilities such as speech, emotion, rational thinking etc. Many of these components are enabled by default - though to differing degrees of success. These components are implemented by the cerebral cortex, and are under the control of the identity engine which runs as me.exe. Vulnerabilities in these components are the most common avenues for exploitation.

Thursday, December 01, 2005

Anti-virus @ Gmail

Google has added anti-virus protection to its Gmail service. They are far from the first to add it, but it is still nice that they've added it.

I noticed this piece of news on slashdot and this comment caught my eye:

The next, obvious, and far too long overdue, step is for Google to flag web-sites that attempt to install malware, redirect you to sites you didn't want to visit, spawn endless pop-up windows, attempt to create a full-screen browser that you can't close, or disable features of your browser like right mouse button clicks. Since they've already spidered it, and in most cases cached it, they can darn well scan it for viruses and other crap at the same time! Their virus, adware, spyware, malware signature files would certainly be more up to date than my own. They could even be protecting surfers now from the current unpatched IE exploit by warning of sites that have dodgy or questionable code while MS takes its own sweet time coming up with a patch.

It is certainly an interesting idea.