Blogs about security
I have heard a few tales of the shame of Internet Explorer 6, the web browser famously despised by web developers (even its own creator). Submitted for your approval, here are a couple of those tales:
- Six years passed between the release of Internet Explorer 6 (2001) and the next version, IE7 (2007). Why so long? I was told that after IE6 was released, Microsoft decided that browser wars were won. The development team disbanded. I recently mentioned this story to an actual longtime Microsoft employee, who said "that sounds about right".
- An large technical organization has some critical business applications which only work in IE6. They will be upgrading all their workstations to Windows 7, which includes Internet Explorer 8, but not IE6. The solution? Instead of upgrading the legacy web application, this organization will provide virtual WinXp machines with IE6.
Last month, I flew down to Portland from out of King County Airport (aka Boeing Field). There was no security check; no security line, no metal detectors, none of that "pull out the laptop" and "take off the shoes" business. The airline desk attendant simply asked me if I had anything flammable or hazardous in my suitcase and she checked it. At boarding time, we walked out of the waiting room across the tarmac, and right onto the plane. I could have gotten from the parking lot to the airplane in 10 minutes.
I'm not sure what key difference to between flying out of BFI precludes the necessity of a full on security check. Someone suggested the theory that "it's a private plane"; but I fail to see how Jet Blue is somehow public. My best thought was that it had to do with the relatively low risk presented by such a small plane. It only carried 9 passengers and two pilots, very little fuel, and it can't fly very far anyway.
In any case, whether or not I think that a minimal security check is a problem depends on how safe I feel when flying traditionally. Though the security at a normal airport has a long way to go, I don't feel particularly unsafe. When I weigh the actual odds of being in a plane crash (one which would have been avoided through security measures, mind you) against the real hours I have saved by flying without security, I would jump at the opportunity to fly Seaport again.
Internet Explorer is a 9 year old piece of software. It's doing pretty well for such an old collection of 1s and 0s. I wouldn't expect a developer to maintain an application this old, especially an application which was free in the first place. Microsoft does still patch IE6; though perhaps not as quickly as one would like.
Simply "grandfathering" software inside corporate certification policies doesn't seem like a good idea. Threats have evolved in the past decade, but IE6 has not. It is a huge security risk; far beyond simple stuff like popups and spyware. Recent highly sophisticated hacks stole source code from Google and breached over 30 other enterprise networks, including Adobe. IE6 was a major point of entry for these hackers. They knew precisely what they were looking for, and how to get it.
If I were responsible for corporate network security, not only would demand modern web applications; I would ban IE6 from usage, and probably IE7 too.
I may well have a reputation for being security-conscious to the point of paranoia. I say that you can't be too paranoid; nobody writes articles extolling the virtues of web sites that haven't been hacked. Check out these articles about the devious and clever Cross-Site Request Forgery technique.
Plenty to worry about, huh, web devs? Remember: just because you're paranoid, doesn't mean they aren't out to get you.
For most regular web-surfers, I think that here's little to worry about here. Users can protect themselves by logging into accounts only when needed, and logging out when done.
Wired's Threat Level has a round up of The Seven Best Capers of 2008. Our local favorite, The Snohomish Smokescreen, is also a favorite of the article. I also like The Washington-Jackson Switcheroo; the ATM owners ought to be a little culpable in this easily preventable scheme.