Another meaningless security report…

So Symantec is saying that IE is more secure than Mozilla-based browsers because there were 25 security vulnerabilities disclosed in the first half of 2005 for Mozilla, as opposed to 13 for IE.

Such reports are fine for Clueless Information Officers. Let’s analyze this like someone who actually knows what to do with that thing that sits between your ears.

First and foremost, Mozilla lacks tight integration into the operating system, making it fundamentally less dangerous. Internet Explorer is like a bank that leaves its vault open after hours because it locked the front door. Since Mozilla lacks those ties that go directly into the operating system, it’s like a bank that locks the front door and the vault. The more locks the crook has to crack, the better.

Also, past performance isn’t necessarily an indication of future gains. People who invest know this all too well. Remember, the first half of 2005 was when Mozilla was seeing explosive growth. It was still a young product and had a lot of things to shake out.

But the potential is certainly there. Let’s look at Apache vs. IIS. You see fewer Apache vulnerabilities than IIS vulnerabilities, even though Apache’s source code is visible for everyone to see, and even though Apache has a much larger share of the market. Mozilla has this same potential.

In the meantime, Mozilla is still a minority browser. Since most hackers these days are motivated by profits, they’re going to do the same thing any other businessman does: Look for volume. Internet Explorer still has 12 times the exposure that Mozilla does. And Internet Explorer is often used in corporate environments, since many corporate intranets rely on IE-specific technology. That makes it an attractive target, since it’s easier to get through a browser than it is a corporate firewall. And once you do manage to get in, there’s a lot more good stuff inside a corporate LAN than there is inside a home LAN.

And by Symantec’s own admission, “at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred.”

That tells us the Mozilla developers are working faster than the would-be Mozilla hackers, and it also suggests that hackers are looking harder at Internet Explorer.

Also, Symantec is being selective about the flaws it’s looking at. The article states that it only counts confirmed flaws. IE has 19 unconfirmed flaws versus 3 unconfirmed flaws for Mozilla. So IE has 19 unconfirmed and unfixed flaws plus 13 confirmed flaws, for a total of 32. Mozilla has 25 confirmed flaws plus 3 unconfirmed and unfixed, for a total of 28.

I don’t know about anyone else, but I’m more concerned about those unconfirmed and unfixed ones. As long as I’m running the current version of either browser, I’m protected against those 25 big bad flaws (for Mozilla) or the 13 (for IE) from earlier in the year. I can’t do anything about those 19 unfixed Internet Explorer flaws.

Frankly, I think Symantec is just trying to get a headline on a slow news day, and maybe trying to kiss up a bit to Microsoft, with whom it’s always had a very close relationship since Symantec traditionally has been willing to write the pieces of software that Microsoft for whatever reason doesn’t want to touch.

I’m sticking with Mozilla Firefox. Not only is it the safer browser when you look at the things that actually matter, it’s also the better one.

I like Firefox 1.0

Big surprise, huh? Seeing as I’ve been running it since the very first version, back when it was called Firebird, and the version number was probably 0.1.

And I really liked 1.0PR, so it was a given that I’d like 1.0. So there’s no big difference, right?

I’m not so sure about that.

Maybe it’s just me, but I think 1.0 renders pages faster. Quite a bit faster. And there are some bug fixes, some minor and some less minor, but nothing we haven’t gotten used to from living with IE for all these years. If you were using 1.0PR, there’s no reason not to upgrade to the gold release code.

I see from my logs that 25% of my site’s visitors use some flavor of Mozilla. That’s good. If you’re not in that group, you owe it to yourself to try it.

Believe it or not, you can get excited about a web browser again.

Firefox 1.0 is out, and mozilla.org is down

So I wait. Now I know what it was like to stand in line waiting to buy Windows 95.

Wait. No I don’t. I’m actually standing in line waiting to get something good.

How to get your RSS/RDF feed working with Mozilla Firefox’s Live Bookmarks

As soon as I upgraded to Mozilla Firefox 1.0, I started noticing that when I visited certain sites that had RSS/RDF feeds, a big orange “RSS” icon showed up in the lower right hand portion of the window.

That’s cool. Click on that, and you can instantly see that site’s current headlines, and know if the site has changed, just by looking in your bookmarks.

Except my site has an RSS feed and that icon didn’t show up. Here’s how I fixed it.

At first I figured Firefox was looking for the standard “XML” icon everyone uses. So I added that. No go.

So I investigated. A Google search didn’t tell me anything useful. So I went to Slashdot’s page and viewed the source. Four lines down, I found my answer.

In the HEAD section of your page, you need to add a line. In my case, since I run GeekLog, it was this:

LINK REL="alternate" TITLE="Silicon Underground RSS" HREF="//dfarq.homeip.net/backend/siliconunderground.rdf" TYPE="application/rss+xml"

Just substitute the URL for your RSS feed for mine. The two slashes at the beginning are necessary. The whole line has to be enclosed in angle brackets, of course. (I can’t show them here because my blogging software is trying to protect me from myself.)

But since Geeklog doesn’t have an index.html file, and its index.php file is mostly programming logic, where do you add your code?

In your themes directory, in the file header.thtml, that’s where. I put mine right after the line that indicates the stylesheet.

The location for other blogging systems will vary, of course. But I notice some seem to do it automatically.

Now your readers can keep track of you without constantly refreshing your page (which they probably won’t do) and without having to run a separate RSS aggregator. Pretty cool, huh?
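To check that a page advertises its feed the way described above, this added example (not code from the original post) parses a page for LINK REL="alternate" tags in the HEAD and resolves the two-slash HREF against the page address. The page address http://example.org/index.php and the sample markup are constructed for illustration, and accepting application/atom+xml alongside application/rss+xml is an assumption of the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Feed MIME types this example accepts (assumption; the post uses rss+xml).
FEED_TYPES = {"application/rss+xml", "application/atom+xml"}


class FeedLinkFinder(HTMLParser):
    """Collect feed autodiscovery LINK tags that sit inside HEAD."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.in_head = False
        self.feeds = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so LINK REL=... works.
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False  # tolerate a missing </head>
        elif tag == "link" and self.in_head:
            a = {name: (value or "") for name, value in attrs}
            rels = a.get("rel", "").lower().split()
            mime = a.get("type", "").strip().lower()
            href = a.get("href", "").strip()
            if "alternate" in rels and mime in FEED_TYPES and href:
                self.feeds.append({
                    "title": a.get("title", ""),
                    "type": mime,
                    # "//host/path" inherits the scheme of the page itself.
                    "url": urljoin(self.page_url, href),
                })

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def find_feeds(html, page_url):
    """Return the feeds a browser could discover from this page's HEAD."""
    finder = FeedLinkFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.feeds


# Constructed sample in the style of a theme header file.
SAMPLE_PAGE = """<HTML><HEAD>
<TITLE>Silicon Underground</TITLE>
<LINK REL="stylesheet" TYPE="text/css" HREF="/layout/style.css">
<LINK REL="alternate" TITLE="Silicon Underground RSS"
      HREF="//dfarq.homeip.net/backend/siliconunderground.rdf"
      TYPE="application/rss+xml">
</HEAD><BODY>
<LINK REL="alternate" TYPE="application/rss+xml" HREF="/ignored.rdf">
<A HREF="/backend/siliconunderground.rdf">XML</A>
</BODY></HTML>"""

if __name__ == "__main__":
    for feed in find_feeds(SAMPLE_PAGE, "http://example.org/index.php"):
        print(feed["title"], "->", feed["url"])
```

The plain “XML” anchor in the body and the LINK placed outside the HEAD are both ignored, which matches the behaviour described above: only the LINK line in the HEAD counts.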

Will Firefox be Netscape’s revenge?

John C. Dvorak says the browser wars are still raging. He cites figures from his blog as evidence that IE only has 50% market share.

Well, my logs have always indicated that IE accounts for somewhere between 50 and 60 percent of hits to my blog. The reason for that is pretty simple. This blog appeared in its first form about five years ago. Two months later, I published a computer book that, among other things, advocated using any browser but Internet Explorer and contained detailed instructions for removing Internet Explorer from Windows 95, 95B, and 98.

It’s pretty safe to say a large percentage of my early readership found out about my blog from my book, and the people who read my blog most likely read it because they read my book and liked it, and if they liked my book, they probably agreed with it and were therefore very highly likely to be running Netscape.

For a while I switched to IE, primarily because IE had better keyboard navigation than Netscape and I had repetitive stress injury. I said so. Around that time I saw IE usage increase. I don’t think it had much to do with me. Netscape’s market share was headed for single digits.

By the time Mozilla was approaching version 1.0, I was squarely back in the Mozilla camp and advocating it. Again, IE traffic started to drop. Did it have much to do with me? Something, surely. People who agree with me are more likely to visit again than people who disagree with me.

I think John C. Dvorak’s logs are more likely to reflect PC enthusiasts than mine, simply because he’s a PC Magazine columnist and I’m the author of a now obscure computer book who happens to enjoy blogging, and who blogs about baseball, Christianity and Lionel trains as often as computers these days. That’s opposed to a year ago, when I had a reputation for writing about baseball and Christianity as often as computers. So hey, my horizons are broadening.

Since more of my traffic comes from Google and other search engines than anywhere else, and often it’s people looking for ways to hook up DVD players to old TVs, ways to disable websense, or information on Lyman Bostock, I probably get a decent portion of the non-computer enthusiast crowd.

I think IE’s market share is somewhere between 60 and 75 percent.

I also think it’s going to drop. The last person I told about Firefox wasn’t so confident about it when I told him it was at version 0.93. Now that the magic 1.0 is near, it’s going to jump as early adopters who are nervous about beta software jump. When it hits version 1.1, it’s going to jump even more when people who have been sensitized by Microsoft dot-oh releases start switching.

So while I think Dvorak is wrong about IE’s market share, I think he’s right that it’s dropping and that the browser wars aren’t over.

What to do when a PC is too bogged down in spyware to run the tools

Spyware was grinding this PC to a screeching halt. I’d click on an icon, and the program never appeared. Or maybe it would finally appear 15 minutes later. And once I finally got a browser window open, it was so slow, I could pretty much forget about downloading any tools to fix it.

What to do?

I hit CTRL-ALT-DEL. There was all sorts of stuff in the task list. (This was a Windows 98 computer.) I followed the same rule that I once heard in a movie. Desperado, I think it was. The crime boss said something like this: “How tough can it be? Go around town. Don’t recognize someone? Shoot him.”

So if I didn’t recognize a task, I closed it. In the end, nothing but Explorer.exe and Systray.exe were left running.

The result? When I clicked on icons, programs ran!

I then ran the usual battery of tools: Bazooka, Spybot Search & Destroy, Ad-Aware, then Bazooka again (I have Bazooka scan to give me a quick overview of how bad it is, since it finishes in seconds, then run the others, then run Bazooka again since Bazooka only assists you in removing stuff, but doesn’t actually do it).

Then for good measure, I ran AVERT Stinger, which removes common trojan horses.

No trojan horses, but he had just over 200 different spyware infections. He asked how he could prevent them in the future. I showed him how to use the tools.

Then I installed Mozilla Firefox. I explained to him that it doesn’t have the hooks into the OS that Internet Explorer has, so if a website tries to maliciously install spyware when he visits, the chances are much lower. And since it blocks the popups, his chances of accidentally visiting those kinds of slimeball places drop. Then I showed him the tabbed browsing feature, and the built-in Google search bar. He dug it. I think Mozilla may have gained a convert.

This job took me a while. I cut him a break on my hourly rate, since he’s referred people to me in the past. And besides, he let me see his old S gauge American Flyer train, still in its original box. Letting me spend five minutes with something cool like that is always good for a discount.

A super-cool Mozilla extension

I’m about to get you to dump Internet Explorer for good.

And no, this has nothing to do with the latest security exploits (there were only four revealed this week, right?). This has to do with functionality.

Super Drag & Go is what I call a disruptive technology. It’s like multitasking. You won’t understand what the big deal is when I explain it to you, but once you try it out, you’ll find it impossible to use a computer that doesn’t have it.

It’s dead simple. You’re using the Web for research. You’re tooling along, finding lots of information you didn’t know about ancestors, obscure toy train manufacturers, or whatever it is you like to use the Web to research. You hit upon a name or phrase or topic or book title that’s useful, so you highlight it with your mouse, copy the text, then open a new browser window, go to Google or Amazon or Dictionary.com or Wikipedia or whatever the appropriate research tool is, paste it in, and keep on going, right?

Wrong. That’s what you used to do.

What you do is you install Mozilla Firefox, then you click on that Google icon and install the interfaces for whatever search engines besides Google you like (there’s plumbing that hooks you up with Wikipedia, Amazon.com, Dictionary.com, and everything else you can possibly think of). Then you install Super Drag & Go. Then you instantly become about 40 times as productive as you were 20 minutes ago.

How? I tool along the same way I always did. Then, when I find reference to, oh, say, Voltamp, I highlight it like I was going to copy and paste it, but instead of hitting copy, I just drag it with my mouse over to some blank area on my browser window.

Boom-shakalaka, a browser window opens with that phrase punched into Google for me with my results. So then I can read the three–wait, now it’s four!–webpages that make mention of the first company that made an electric toy train that used a transformer plugged into a household AC wall socket.

(You can thank me later for putting that song in your head. Change browsers and I promise I won’t do it again.)

Of course, if you’ve changed your default search engine to something else, then it’ll go to that other page. Now you know why it might be useful to set your default search engine to Wikipedia or Amazon.com. It changes back easily–it’s just a matter of clicking the icon in the browser’s search bar.

Next time I see him, I’ll have to thank Todd, the coworker who showed me how this works. I’d read about it and dismissed it, until he showed it to me. And now?

It’s not a habit, it’s cool. I feel alive. If you don’t have it you’re on the other side. I’m not an addict…. Maybe that’s a lie? –K’s Choice, Not an Addict

If you use Mozilla, you need to read this

No sooner had I presented Mozilla, specifically Mozilla Firefox, as a safe alternative to Internet Explorer than an exploit for Mozilla showed up. Argh!

At least the fix came out swiftly and installs painlessly. Visit the page, click another link, wait a minute or so, and then restart the browser. Badda bing, badda boom, you’re patched. No reboot necessary.

I still stand by my recommendation of Mozilla, whether it’s the entire bloatware Mozilla suite or the lightweight Mozilla Firefox, over IE. Why? Lessons learned from Linux.

When a vulnerability is discovered in a Microsoft product, an unpredictable length of time passes before the vulnerability is patched. Sometimes it’s a matter of days, but sometimes the length of time is just plain ridiculous. With Linux, forgetting for a minute how frequently patches come out–a case can be made that Linux gets more patches than Windows, but just as strong a case can be made that it gets fewer–the length of time that passes between the instant the vulnerability is discovered and announced and the release of a patch is usually very small. Usually it’s a matter of hours.

The reason is simple. Lots and lots of eyeballs looking at the code. And in Open Source, having your name in the code is a badge of honor. It’s a big, big line on a resume to say you wrote a line of code in the Linux kernel.

Other open-source software gets patched just as quickly, however. Not every open source programmer is comfortable maintaining operating system kernels. And no self-respecting programmer wants his or her system hacked due to a vulnerability in a piece of software she or he was perfectly capable of fixing.

This particular vulnerability stems from a little-known capability in Mozilla. I’m sure there was a legitimate use for it at one time, but were Mozilla being designed and rewritten from scratch today, I can’t see how it would possibly be implemented because the potential for abuse is huge. The code’s gone now. It won’t be in Firefox 0.92 or the next revision of the Mozilla suite.

Will there be other instances of this? Sure. Probably less of it, since Mozilla was a total rewrite of Netscape and the engine is entirely different from the one in Netscape 4.x. The IE codebase goes back to the early 1990s, as it’s based on the old NCSA Mosaic code, which Microsoft licensed from Spyglass. (Go into IE and hit Help, About to see for yourself.) There’s much more potential for harmful dead wood in IE than in Mozilla, but the presence of some in either is inevitable.

But at the end of this year’s storm season, I expect Mozilla to come out a lot stronger because most of the dead wood will be shaken out. I don’t expect the same from IE. The codebase is too old, the teams too disparate, and the motivations behind the changes that have been made were too different from Mozilla.

I’m standing by my browser.

What browser should I use?

Mozilla downloads are spiking since, among other people, US-CERT issued what amounted to a plea for people to use some browser, any browser, other than Microsoft Internet Explorer.

Several well-known computer columnists have been trumpeting Mozilla for months now. At least one has stated repeatedly and publicly that he’s staying with IE. So what should you do?

Interestingly, IE only has about 50% of my readership. That doesn’t surprise me; I’ve long been an IE critic, and blogs tend to attract readers who agree with them. So I don’t pretend that my readership is representative of anything.

As far as alternatives to IE, I’ve been running some flavor or another of Mozilla as my workaday browser since about version 0.7, using IE just for running Windows Update and not much else. Why? Well, while IE usually loads faster than Mozilla, once it’s up and running, I think Mozilla is the faster browser. I love tabbed browsing, and I love how you can search web pages by hitting the ‘/’ key and then typing the phrase you’re looking for. To me, those reasons alone are reasons to switch; it just lets me work so much faster.

But I’ve overlooked possibly the best reason to switch, because it’s been so long since I’ve noticed the problem. Are you tired of popup and popunder ads? Mozilla browsers block them. No extra software needed. This weekend, when I used a computer that only had IE on it, I got so sick of popups I was about ready to download and install Firefox to get some relief. Microsoft’s been promising this functionality for months, maybe even a year, and still hasn’t delivered. Honestly, I’ll be surprised if it’s ever delivered as anything other than part of the next version of Windows.

But besides that, it’s a matter of security. So this most recent security hole has been patched. It’s been known for weeks and they’ve just now gotten around to patching it? What about next month’s exploit? I’m confident there’ll be another, and soon, just because IE has nearly as many security patches as Windows itself.

Besides keeping out hackers, it’s been known for some time that people who run something other than Internet Explorer have fewer problems with spyware.

So what about sites that require Internet Explorer? Actually not a whole lot of them do, these days. Most remaining compatibility issues with Mozilla are resolved as soon as you install Sun’s J2SE Java library.

And if you want some more tips on living with Mozilla Firefox, you’ve come to the right place.

I switched to IE at version 5.01 for a simple reason. At that point, IE was the better browser. Mozilla caught up again sometime around version 0.7. That was when I switched back. And it’s done nothing but get better since.

A first look at Mozilla Firefox 0.9

I upgraded to Mozilla Firefox 0.9 today. My initial impression is pretty good, with one caveat.

If you’re running an earlier version and haven’t upgraded already, make a backup of your profile first. I upgraded from version 0.8 without uninstalling version 0.8 first, and lost my saved passwords and bookmarks. What I lost isn’t anything I can’t type in again or find again but it was annoying.

But that’s pretty much where the problems end.

This new version feels faster than the old one did. It also seems a bit more stable, but a few hours of messing around isn’t enough of a test to declare something stable or not. I’m also not about to assume that any other living human being’s browser habits resemble mine.

I did notice that memory usage has a tendency to go back down as I close tabs. That’s an improvement–that didn’t always happen with older versions.

The ultimate test is going to be leaving it open for about a week of heavy use. Older versions tended to not like when I did that–memory usage would balloon and over time the speed would degrade. We’ll see how this version handles that torture test.

Since I had to go back and re-customize it, I can tell you the tweaks I make to the browser. Maybe you’ll like some of them too.

First, I type about:config into the address bar to bring up all the hidden options.

I set network.http.pipelining to true, and network.http.pipelining.maxrequests to 100. This speeds up page rendering, at the cost of occasionally mangling a page. (This happens most frequently when I visit Slashdot, ironically.) Reloading usually clears it up. The problem happens infrequently enough that I live with it–I like the speed.

I set image.animation_mode to “none”, since I find animated GIFs distracting. Try browsing with image animation turned off and I’ll bet you’ll wonder how you ever lived without it. You can also set the string to “once” if you like animation. That way you can still see the animation but it doesn’t continue to loop while you’re trying to read.

I set browser.popups.showPopupBlocker to false. I don’t care to know when Firefox has blocked a popup–these days it’s pretty safe to assume that every site up there sent you a barrage of popups.

I set browser.blink_allowed to false. Few people use the dreaded blink tag anymore, especially since it was a proprietary Netscape tag that few others implemented. It doesn’t hurt anything to disable it just in case someone used it somewhere.

Since you can never have too much screen real estate, I customize the toolbars as well. If you go to View, Toolbars, Customize, you can drag the icons and menu items you use wherever you want. Drag things you don’t use down to the bottom. For example, if you never use the Go and Help menus, drag them down to get rid of them. I drag the address bar up to the top, next to the Help menu. Since I don’t use anything else on the navigation and bookmarks toolbars (I use keyboard shortcuts), I turn those off, which opens up lots more screen real estate. If there are some icons you use, you can drag them up to the menu bar and turn off those toolbars to save some space. It’s cheaper than a bigger monitor and takes up less space on your desk.

And as much as we tend to live in our web browsers these days, it’s almost as good as having a bigger monitor, isn’t it?