
I love Slashdot

The comments from my last post are still coming in thick and fast. Thanks to everyone who didn't just swear at me (and if I didn't approve your comment, it was because it had too much profanity in it).

First things first: I was wrong about uninstalling plug-ins.

Thanks to several helpful posters, you can actually do this via Tools -> Options -> Downloads -> Plugins and clicking on the little blue arrows. Perhaps someone should tell the documentation writers because searching for "Disable" in the Firefox help (or looking for it in the index) found no hits. And I swear I thought I had poked every last option on that dialog in an attempt to find the plugin. Oh well.

Google didn't help much either, but maybe this post will get a good Page Rank and help the next poor guy (or girl).

·How to disable Flash in Firefox. Tools -> Options -> Downloads -> Plugins

·How to disable plugins in Firefox. Tools -> Options -> Downloads -> Plugins

·How to disable plug-ins in Firefox. Tools -> Options -> Downloads -> Plugins

Second thing: Complaining about the installation errors was probably a cheap shot.

Still, if the same errors had appeared during the installation of a Microsoft program, users would have picked them out and laughed at them. Someone mentioned that the blank dialog may have been caused by McAfee (except it's not installed) or by Virtual PC itself (could be, although I've never seen it before). Anyway, that was my installation experience; yours may have been better (just as everyone likes to give their "I browsed one web site and had 28 bajillion pieces of spyware silently installed on my machine!" when I've never seen anything like it. YMMV).

Third thing: I did actually say that Firefox was "a nice browser."

I was merely pointing out that the average user has no way of trusting that the thing they installed on their computer really is Firefox, or that the extensions / plug-ins they load into Firefox really are the genuine articles.

Fourth thing: Jeff Klawiter apparently has a plugin to let you sign Firefox extensions

Thanks for being part of the solution! :-)

Fifth thing: Yes my post was biased against Firefox.

Because every article written about IE or Windows or Linux is completely balanced, no?

OK, let's look at the most common replies:

I am an idiot

There were a lot of these kinds of replies, citing various reasons. But only my friend Pat got it right -- he can call me an idiot, but only due to personal experience.

I am an idiot because I don't know what depaul.edu is

I guess if failing to have an encyclopaedic knowledge of all the universities in a country you didn't grow up in makes you an idiot, then I am guilty as charged. Seriously -- have you heard of Swinburne?

Anyway, the point is that the average internet user might not know what ".edu" means, or who controls the server. The New York Times told them to download Firefox from a ".com" address, and now they're downloading it from somewhere completely unrelated.

I am an idiot because I used the term "numeric IP address"

Yes, that was a tautology; call me an idiot if you want. The intent was to point out that it wasn't a typical domain name like www.mozilla.org, and some people may equate "domain name" with "IP address" (yes, the same kinds of "idiots" that read the New York Times :-) )

I am an idiot because I think domain names are more secure than IP addresses

The point of that comment was that using an IP address (as opposed to a domain name) is one of the tell-tale signs of a phishing / scamming site. We tell customers to be wary of such sites, because (by and large) any legitimate business will have registered a domain name.

But now they are being asked to download Firefox from a nameless IP; does that make it OK?

I am an idiot because I don't understand MD5

Not true; I know exactly what MD5 is. Nevertheless, manual verification of hashes (generated via any algorithm) is a non-starter with a large majority of the user population, especially when there is no obvious indication on the web site that that is what one should be doing.

Digital signatures don't prove software is good -- even spyware vendors can get certificates

Indeed.

Note the dialog doesn't say "only install signed software" -- it says "only install software from publishers you trust," and the digital certificate is used as proof of who the publisher is. If you don't trust the publisher, don't install the software.

The problem with unsigned code is that you have no idea who the publisher is! Is it really that hard to grasp? Signing isn't a panacea, but it's better than nothing!

But Firefox is more secure!

Hypothetically, let's say that that is the case. Let's assume that the source code for Firefox is perfect and there are no security problems whatsoever with it. (Of course, we all know this isn't the case... but bear with me for a second).

The whole point of the blog was that it doesn't matter how good the Firefox source code is!

Doing what the typical end user would do (download, click, click, click) you have zero proof that what you downloaded is, in fact, the true Firefox web browser. It could be a compromised version of Firefox, or even some completely unrelated root kit.

I could have checked the MD5 "signatures"

Repeat after me: MD5 sums are not signatures. They are hashes.

Anyone who compromises the server hosting the binaries can simply replace the MD5s as well. Compromising a server hosting a digitally signed binary won't help without access to the private key (which would typically be stored on a smart card that is kept physically separate from the hosting web server).

Having said that... this fails the "normal user" test. No normal user would manually verify hashes or signatures (nor are they encouraged to), which is why I didn't. IE makes it obvious to the user who the publisher of a piece of code is (or that no publisher can be verified), although prior to SP 2 I completely agree that the UI was sucky.
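The hash-versus-signature point above, as an added example that is not part of the original post: a mirror is modelled as a dict holding the installer, the MD5 published beside it, and a detached publisher signature. The signature is a Lamport one-time signature over SHA-256, swapped in for Authenticode or PGP so the block needs only the standard library; all function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Lamport one-time signature built from SHA-256. It stands in for the
# publisher's Authenticode or PGP signature so the example needs no
# third-party crypto package. One key pair may sign exactly one message.

def lamport_keygen():
    """Return (private, public): 256 pairs of secrets and their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32))
               for _ in range(256)]
    public = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest())
              for a, b in private]
    return private, public

def _digest_bits(data):
    digest = hashlib.sha256(data).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(private, data):
    """Reveal, for each bit of SHA-256(data), the secret for that bit value."""
    return [private[i][bit] for i, bit in enumerate(_digest_bits(data))]

def lamport_verify(public, data, signature):
    """True only if every revealed secret hashes to the expected public value."""
    if len(signature) != 256:
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(data)):
        revealed = hashlib.sha256(signature[i]).digest()
        ok &= hmac.compare_digest(revealed, public[i][bit])
    return ok

def publish(installer, private):
    """Files the publisher hands to a mirror. The private key stays offline."""
    return {
        "installer": installer,
        "md5": hashlib.md5(installer).hexdigest(),
        "sig": lamport_sign(private, installer),
    }

def mirror_after_compromise(mirror, replacement):
    """Model of a compromised mirror: every file on the server can be
    rewritten, including the MD5, but a new signature cannot be produced
    without the publisher's private key, so the old one is left in place."""
    changed = dict(mirror)
    changed["installer"] = replacement
    changed["md5"] = hashlib.md5(replacement).hexdigest()
    return changed

def user_checks(mirror, trusted_public, out_of_band_md5=None):
    """Checks available to the downloader. out_of_band_md5 is a hash obtained
    from a channel other than the mirror itself, if the user has one."""
    actual = hashlib.md5(mirror["installer"]).hexdigest()
    result = {
        "md5_matches_mirror_copy": actual == mirror["md5"],
        "signature_valid": lamport_verify(
            trusted_public, mirror["installer"], mirror["sig"]),
    }
    if out_of_band_md5 is not None:
        result["md5_matches_out_of_band"] = actual == out_of_band_md5
    return result

def demo():
    private, public = lamport_keygen()
    genuine = b"constructed sample: genuine installer bytes"
    clean = publish(genuine, private)
    bad = mirror_after_compromise(
        clean, b"constructed sample: modified installer bytes")
    return (
        user_checks(clean, public),                # untouched mirror
        user_checks(bad, public),                  # hash read from same mirror
        user_checks(bad, public, clean["md5"]),    # hash from elsewhere
    )

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

On the modified mirror the co-located MD5 still matches, while the signature check and the out-of-band hash comparison both fail.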

I could have downloaded the source, read it line-by-line, then compiled it

And when will I see a two-page New York Times ad telling me how to do that?

Next please...

Code signing is a solution to a Windows / IE problem; Linux / Firefox doesn't need it

Do Linux or Firefox somehow make it impossible to install bad software? I thought not.

Code signing is a way of providing evidence to help users make trust decisions for the software they are going to install, independent of the platform. Check your Linux package installer of choice -- I bet it checks for digital signatures (albeit ones generated by PGP keys rather than VeriSign certificates).

Those weren't random web sites -- they were official mirrors! You should trust them if you trust mozilla.org

Trust is not transitive. If I trust you and you trust Bob, that doesn't mean that I trust Bob.

Let's say I trust the Mozilla developers to write 100% secure code. Let's also say I trust the mozilla.org administrators to run a secure web site. Let's even further suppose that I trust the mozilla.org administrators to only allow "good" mirrors (ie, they won't use www.hackers-r-us.com as an official mirror for Firefox).

Does that mean I should trust the administrators / users of each of those mirrors to keep their systems secure? No.

Hackers now have several websites they can try to hack in order to compromise the Firefox install.

Mozilla can't afford bandwidth, so it needs the mirrors

But they can afford two-page ads in the New York Times? <g>

Mozilla can't afford code signing certificates

But they can afford two-page ads in the New York Times? <g>

Oh and they can apparently afford an SSL certificate.

Mozilla shouldn't buy a code-signing certificate because that supports the nasty closed-source for-profit world

See above; they were happy to get an SSL certificate from Thawte to protect their bug web site.

Next please...

Firefox only installs extensions from white-listed sites, and only update.mozilla.org is trusted by default.

Simply not true.

I downloaded the FlashBlock extension from http://mozdev.xmundo.net/flashblock/flashblock-1.2.5.xpi and "Install Now" was the default button (hint: try typing that URL into the address bar of Firefox and see what happens).

I must be running on a Mac

What, you've never heard of Virtual PC for Windows?

Why am I running under Virtual PC?

Because I wanted to be able to blow it all away. Plus it was a way to get a relatively "clean" machine.

How much are they paying me for this?

Nothing; it's all on my own time.

My boss is on vacation, and I've never met Bill Gates (nor am I likely to... he's a busy guy).

Users are dumb and don't read dialogs anyway, so this whole code signing thing is a waste of time

Great attitude -- let's keep the population uneducated and encourage them to install random code; they probably won't get tricked into installing malware if they're smart enough to run Firefox!

Any arguments to the effect that "users will just click OK anyway" actually work against Firefox; see below (it has less secure defaults for saving and executing files than does IE).

The fact that you can't check the signature on Flash is not Firefox's fault; it's Macromedia's fault

Not true.

The download from Macromedia is digitally signed. Firefox just doesn't choose to convey that information to the user.

OMG IE is insecure coz it is part of teh kernel!!111!

Oh, that gem. Yes, and Paintbrush runs as LocalSystem!

For crying out loud...

IE has lots of bugs, so I don't trust it

Fine, you don't trust IE.

IE has lots of bugs (I never denied that).

But again this misses the point of the article -- I don't care if the "true" Firefox has no bugs whatsoever. How do I (as a normal user, not a computer geek) know that I am really running Firefox?

Not fair; you're comparing IE 6 SP 2 with Firefox 1.0

Yes, it's taken Microsoft a while to get IE into good shape. Even so, you didn't have to wait until XP SP 2 to block unsigned ActiveX controls (or to even prompt for signed ActiveX controls). I don't have an old copy of IE or Windows lying around to test on, but I'm pretty darn sure it still prompted you for installs of controls in the past (and check, for example, this newsgroup post from 1998 which seems to confirm my memory).

Having said that, Firefox is still several months newer than SP 2, it has had years to learn from IE's mistakes, and it still managed to "borrow" the Gold Bar from IE. So you can't really claim it is disadvantaged in that sense.

Who cares if getfirefox.com redirects to mozilla.org? microsoft.com redirects a lot, too

Good point; the reason for spelling that out was not very clear. Basically I wanted to show that the download was coming from somewhere completely unrelated to the Mozilla web site (including the redirect).

And it's true -- Microsoft has used bandwidth aggregators like Akamai in the past, which might present an unexpected URL to the user. But at least they can be sure the files haven't been tampered with due to the digital signature which IE dutifully checks for them (ie, not relying on them to get MD5s from some secondary source, manually check them, etc).

ActiveX controls suck

Maybe, but how is the download experience for the Flash plug-in better? At what point during the install was I informed that the thing I had downloaded really was from Macromedia, and not from Hackers-R-Us (or some un-named entity)?

Firefox's downloads are more secure because they don't auto-execute

Neither do IE's.

First you get the "Open, Save, Cancel" dialog, then (assuming you clicked "Open") you get the "Run or Don't Run" dialog. That's two dialogs, each with helpful information in them, and reasonable default actions if you just hit <Enter> (Cancel and Don't Run). With SP 2, even if you choose to save the file to disk, you will still be given the second warning if you later try to execute the file through the shell (with the default, again, being Cancel).

With Firefox, you get the "Save to disk" dialog and then the "Open" dialog; still two dialogs, except the default is "OK" (not Cancel) and there's no protection if you save to disk and then open from there -- ie, only one dialog, the default action of which is to save the EXE to your desktop where you might (accidentally?) click on it later.

Your HTML sucks

Sorry; that's just the way it is. I don't control http://weblogs.asp.net

It's still viewable in Firefox; there's just a bit of a gap after one of the images.

You're spreading FUD

Well, yes, I suppose I am.

·People should fear code they cannot easily verify

·People should feel uncertainty about downloading and executing code that they cannot easily verify

·People should doubt the integrity of code they cannot easily verify

And, to re-iterate what I said earlier, manually checking MD5s or compiling the source does not qualify for 99% of users.

You must be a crappy developer / You should fix your own code

I am not a developer. I am a Program Manager.

My job is not to write code directly; I leave that to the experts.

Why don't you just use Firefox?

Because my blog doesn't display properly...

Published Tuesday, December 21, 2004 8:16 AM by ptorr

Comments

# re: I love Slashdot

<quote>
People should fear code they cannot easily verify
People should feel uncertainty about downloading and executing code that they cannot easily verify
People should doubt the integrity of code they cannot easily verify
</quote>

What does "verifying code" mean?

PS: good luck with the zealots!
Tuesday, December 21, 2004 2:26 AM by Filip

# re: I love Slashdot

If your blog doesn't display properly in Firefox, I think you should take it up with the admin. I and many with me won't touch IE.

Signing software does not solve the security problem with software. I have been using MS software since 1988 and Linux since 1995 and, signed or not, I do not have any confidence in Microsoft or Microsoft Software. I'd rather get Linux from ftp.university.edu than buy software from Microsoft. MS history is full of security mistakes and monopolist behaviour, which makes me avoid MS as much as I can.

And guess what? It works very well;)
Tuesday, December 21, 2004 2:27 AM by Debian-lover.

# re: I love Slashdot

It is interesting you point out this FUD about Firefox. Yet the same happens for IExplorer and basically everything a user runs nowadays. Digital signatures and automatic checks don't really mean anything, do they? When you say "People should fear code they cannot easily verify", it means if you cannot look at the code and compile it yourself, live in fear. Well, how does IExplorer help that? How does Firefox help for the matter you may ask? It doesn't either, I don't think users will read the code before running a program.

Most of the points you make seem valid, but then you could replace FireFox with IExplorer, and their value wouldn't change. I guess that's why people are accusing you of spreading FUD, because you shoot at things nobody is capable of solving anyway, yet direct those arguments against a specific product, which of course is not made by your company.
Tuesday, December 21, 2004 2:31 AM by Federico Garcia

# re: I love Slashdot

Run with Firefox for a month. Play with it for a bit. I'm sure you'll learn to love it. Many of the offices I admin are stuck on win xp for desktop so I use Firefox and Thunderbird with openoffice.org to lower the chances of infections. Eight months later and I'm virus free and no trojans. There is a little bit of learning to do when switching from one product to another so give Firefox the time like you did IE. BTW it *is* a better browser ;)
Tuesday, December 21, 2004 2:50 AM by port80

# re: I love Slashdot

I too will not use IE. I gave it up years ago and switched to Firefox.
I don't care if it isn't perfect. I will keep updating it. I am careful and do configure my software for security.
Tuesday, December 21, 2004 2:52 AM by Wolverine

# re: I love Slashdot

Mozilla doesn't have enough bandwidth to support all the downloaders? The solution is not to use mirrors. As you say, who knows if they are compromised or not?

The solution is to use BitTorrent. Bandwidth scales with the number of users downloading it, and you can fix the amount of upstream you want going at any one time as the seed. Whatever they set it to, it'll be much less than having normal downloads, and much higher than they'll need to saturate the swarms downloading from it.

Of course, BitTorrent is something of a dirty word these days, since the MPAA and RIAA are going after a lot of BitTorrent sites, but that's just pirates exploiting a good tool. It's a great tool for certain uses, and solving the problem Mozilla is currently having is one of the things it's best at.

One of my friends works for Microsoft (he's a Unix programmer, oddly enough), so I don't dislike Microsoft employees, by any stretch of the imagination, but it's hard to argue the merits of Internet Explorer when its technology has been basically stalled for the last 4 years.

SP2 introduced popup blocking (finally), but implemented it with one of the most hated features of all time, the information bar, which, for the average user, is impossible to disable. There's no "right click to disable" option on it.

Having a nearly-invisible warning come up every time you download a file, too? Now that's just cruel.

Mozilla implemented popup blocking years earlier and twice as well.

-Bill Kerney
Tuesday, December 21, 2004 3:06 AM by Bill Kerney

# re: I love Slashdot : Dude, give it up already.

I guess this is stage 2. Now that he's got himself to admit things we made him to, now this page is something like a politician's son screaming "Yea, my pop was killed while doin' campainin' for his party. Now since he's no more, gimme all your votes." It's probably sympathy vote/ soft-cornering for Microsoft. Still he does have a few things to get straight, as seen here:

"Yes, it's taken Microsoft a while to get IE into good shape."

Good shape. Jesus. We can see what 'shape' it's in.

"Third thing: I did actually say that Firefox was "a nice browser." "

Then why has all this spewed forth?

"only install software from publishers you trust,"

Do we? Can we? Should we? Can't we just use Firefox and shut up about it? Let him live with IE, guys. Just let him live with it.

On a second note: Can we "trust" Microsoft and all that comes out of Redmond?

"
Your HTML sucks.

Sorry; that's just the way it is. I don't control http://weblogs.asp.net
"
Typical, generic, Microsoftie's default pass-the-buck in action. Hell, Why should I even care to blame you? It's what each one of you there at Redmond do your whole life. Things will never, NEVER change if this is the default at Microsoft. This is JUST the attitude that Windows has towards its users. Nothing to see here.

"My job is not to write code directly; I leave that to the experts."

Yeah. That we can see. <smirk>

"
Why don't you just use Firefox?

Because my blog doesn't display properly..
"

Run your blog through the validator at w3c, it speaks volumes for itself. And was that a Microsoft logo I saw in the Platinum Sponsors section? Dude, give it up already.

I don't intend to spew venom; I wish to show you the truth. It's hard to believe that someone has to SHOW it to you.
Tuesday, December 21, 2004 3:15 AM by Dude

# re: I love Slashdot

I don't care whether you MODerate or FUDerate these posts, but the truth is out there. People know it; it will prevail. I almost forgot that this blog is run by Microsoft.
--thanks for reading
Tuesday, December 21, 2004 3:19 AM by Dude

# re: I love Slashdot

"Trust is not transitive. If I trust you and you trust Bob, that doesn't mean that I trust Bob. "

It can do though. People that use PGP rely on that sort of system. If you trust mozilla.com, it seems reasonable to trust a mirror listed on that site, even if it is to a slightly lesser extent.

As Federico states above, many of the problems are more based upon manipulation of the user and that will still be present whatever the options are set to.
Tuesday, December 21, 2004 3:28 AM by Steve Jeapes

# re: I love Slashdot

I think most people missed the point in their comments...
Here in short:

If FireFox is not (trusted) signed, then it might contain a backdoor.
Tuesday, December 21, 2004 3:29 AM by Jochen Kalmbach

# re: I love Slashdot

Looking at the Netcraft page for depaul.edu you can see that many of their servers are running old unpatched/unupdated editions of Apache, PHP, mod_ssl and OpenSSL. This would seem to reinforce the point about not knowing whether the site you are downloading executables from has been compromised, and whether the unsigned files are genuine.

http://uptime.netcraft.com/up/hosted?netname=DEPAUL,140.192.0.0,140.192.255.255

http://www.kb.cert.org/vuls/id/303448

http://www.k-otik.com/exploits/20041127.phpnolimit.c.php

http://www.apacheweek.com/features/security-13

http://secunia.com/product/253/?period=2004#advisories

Tuesday, December 21, 2004 3:30 AM by TR-2003-97

# re: I love Slashdot

The problem with viewing blogs here on weblogs.asp.net in firefox is a problem about the crappy css stylesheets coming with the crappy old version of .Text we're using here.

My blog here with a custom css works fine in firefox for example.
Tuesday, December 21, 2004 3:33 AM by Frans Bouma

# re: I love Slashdot

One thing you didn't mention was that IE6 SP2 is Windows XP only.
Firefox is much more secure than an older version of IE on, say a Windows 98 machine.
Tuesday, December 21, 2004 3:33 AM by jcsston

# re: I love Slashdot

Peter, you say "People should fear code they cannot easily verify".

In my opinion it's a lot harder to verify IE's code, mainly due to the fact that I cannot possibly ever look at the code.
Tuesday, December 21, 2004 3:40 AM by Omniscientist

# RE: I love Slashdot

Excellent :-)

The whole post is about codesigning (or better said, an automated and secure integrity check from trusted sources). But they make it a "FireFox is more secure than IE" battle from it.

As I just read the reaction from Debian-lover about how he'd rather download something from an education institution than from M$. Well.. that just about hits the spot! How does he know for sure that the download is not tampered with by using a secure way of an integrity check.

It really doesn't matter if you are downloading an executable. The whole thing also applies to archives. The weird thing is that none of the mainstream compressors like bzip, rar, 7zip, ace have such a built-in certificate signing solution.

Ok.. the Linux world has been using md5 hashes for integrity checks for years. But what if I am installing from a cd and have no internet connection available? Certificates just rule!
Tuesday, December 21, 2004 3:45 AM by exyll@hotmail.com (Ramon 'Exyll' Smits)

# re: Why don't you just use Firefox? Because my blog doesn't display properly...

Is that because the blog uses some non-standard html that has been implemented by Microsoft in Internet Explorer as opposed to the standards developed by the World Wide Web Consortium?

I know... you probably have nothing to do with the blog software but I really hate it when people say stuff like it doesn't display properly in Firefox if the page they are viewing doesn't conform with the standards. And yes I know that the large majority of users don't give a hoot about standards but I think if someone wants to use html they should use standards. If html doesn't do what they want they should develop and use their own format.

Just my two cents worth...
Tuesday, December 21, 2004 3:45 AM by Patrick

# re: I love Slashdot

One very important point: MD5 hashes retrieved from a trusted domain(*) are signatures indeed. When I retrieve the hash from mozilla.org, I am perfectly sure the hash was generated by the Mozilla team. So, MD5 signatures are not an erroneous term.

It is a failure of Microsoft that Windows provides no means of checking MD5s, SHAs and GPG signatures. These are the most common methods of software authenticity verification, and are implemented by all popular Linux distro package managers. This problem crosses most downloadable software, not just Mozilla.

(*) I'll not define trusted domain, but it must at least avoid DNS cache poisoning attacks.
Tuesday, December 21, 2004 3:46 AM by Sérgio Carvalho

# re: I love Slashdot - Trust

>>Trust is not transitive. If I trust you and you trust Bob, that doesn't mean that I trust Bob.

Trust *is* transitive. Or at least it should be. The whole point of trust as far as I am concerned is that you accept information from someone else without checking because you trust them.

If you don't trust what someone tells you - you don't trust them do you!

Or am I being a bit simplistic :)

Tuesday, December 21, 2004 3:49 AM by Sam Phillips

# re: I love Slashdot

> Perhaps someone should tell the documentation writers because searching for "Disable" in the Firefox help (or looking for it in the index) found no hits.

I think Firefox documentation writers are doing just fine when compared to IE's.

Searching for 'Plug-ins' in Firefox finds this advice:'... Select the Downloads category and click the Plug-Ins... button. You can also enable or disable currently installed plug-ins here.'

Search for 'plugins' in IE fails with 'No topics found'. Search for 'plug-ins' finds a page about the Internet Explorer status bar.
Tuesday, December 21, 2004 3:51 AM by Hemmo

# re: I love Slashdot

"Let's also say I trust the mozilla.org administrators to run a secure web site."

You ought to. Those are LAMP servers, and far less vulnerable to crackers than Microsoft's IISes are.
Tuesday, December 21, 2004 3:52 AM by R. Townley

# re: I love Slashdot

I actually went to Swinburne - any reason for choosing that uni?

While I'm happy browsing with Firefox - you have raised many good points that Mozilla might like to address in regards to installation.

I'm not sure why the zealots are crying about it - they should try to take something positive from blog - not argue every point you make.
Tuesday, December 21, 2004 3:55 AM by Pop

# re: I love Slashdot

btw, there is nothing wrong with saying a numeric IP address. IPv6 addresses are hex so they are alpha numeric. By saying numeric IP address one is simply referring to IPv4.
Tuesday, December 21, 2004 4:00 AM by Brian Delahunty

# Firefox and security

There is a nice post comparing the security of IE and FireFox. Whichever browser you prefer, it is worth reading in any case. How can I trust Firefox? and, as a reply to that, I love Slashdot. If you read through a few comments
Tuesday, December 21, 2004 7:01 AM by RaptoR's Blog

# re: I love Slashdot

Dude, you're a smart guy. Thanks for the feedback on your previous article.

And remember, criticism is a particular kind of praise.

Let's just hope that both IE and FF continue to provide a secure and pleasant browsing experience for the end-user.
Tuesday, December 21, 2004 4:05 AM by newrp01

# re: I love Slashdot

Respectfully, we would be having this same conversation were IE not bundled with Windows. Digital signage is irrelevant. As has been shown, even Gator was digitally signed. I learned years ago that digital signatures were so common among the refuse of the software world that I stopped paying attention to them, and started paying attention to the method of delivery and the source.

Yes, some of the FF mirrors could possibly be cagey, but this is the reality of a small, open source initiative. They do not yet have the funds for a server farm that could support the current demand. Again, were Microsoft to start out as a browser company today, we'd be on opposite sides of the table. Given time, and the support of an already seriously loyal following, they'll be able to provide more/better/faster service of this kind.

The fact is that if trust is the major issue that you're here to discuss, then it should disturb the hell out of you that the majority of those of us who know a thing or two about computers distrust Microsoft products out of the box. We *know*, without having to be told, that MS_AnyProduct will have to be patched, simply because it comes with the Microsoft logo on the box. Part of that can be blamed on being the market leader. The sheer abundance of your product means that it's exposed to the hackers of the world who wish to subvert the dominant paradigm, or whatever kitschy phrase they're using this week.

Contrast this with Firefox. Maybe it's not so abundant, but the code is. What it lacks in exposure it makes up for in transparency. Rather than tons of hackers trying to open IE's black box, we have tons of coders looking at an open framework, each of them zealously trying to safeguard their own machine...because they have a personal stake in the improvement of this browser.

On a personal note, I have to say this: since loading Firefox in May, I've experienced 4 unwanted pop-ups, and found 8 objects in Ad-aware/Spybot (yes, I keep track). Most of those were cookies. I survive the web unscathed whereas the users I support at my job (University software support) are being ravaged by malware, despite our best efforts. Those who I convert to Firefox never have to see me again. Those who don't want to switch, I know I'll see them back in a few months. I don't know what better proof there is of the *untrustworthy* nature of *official* Microsoft software.
Tuesday, December 21, 2004 4:11 AM by Matt Shaw

# re: I love Slashdot

Mozilla can't afford bandwidth, so it needs the mirrors

But they can afford two-page ads in the New York Times? <g>

I don't believe this was paid for by Mozilla, rather than people that donated money for this ad.


superstardjdev at gmail dot com
Tuesday, December 21, 2004 4:12 AM by Eric

# re: I love Slashdot

Looks like you have a problem with Firefox taking a 2 page ad out in the New York Times, why is that, it's not like I see MS ads appearing on my TV all the time is it?? Shame really, they could have spent the advertising money on securing IE and bringing it up to date with useful functions. Firefox may not have enough money but they do have the balls to put out a damn good browser that puts MS's IE to shame. It's a shame that you have been so biased in these two articles, and your reason for this is the fact that other people do it so why not you? That to me is childish and very unprofessional. Maybe you're just reveling in the Slashdot limelight a little and need to get your head out of the clouds. Saying that, you work for MS so I assume that every free advertisement is good for your career. Well done at making MS employees look totally ridiculous by providing the more than average and literate PC user this total drivel. I guess you already know this by making this second article, typical MS style to me. Good luck with IE and to all that use it, I can only see it becoming a burden on the internet rather than making the internet any better.
Tuesday, December 21, 2004 4:14 AM by Fubar

# re: I love Slashdot

To be honest I don't think any of the people installing Firefox because of a NY Times ad notice the mirror URLs.

Let's focus on the people behind IE and Firefox's intent.

IE as part of Microsoft, I guess their intent is to make their company money,

and Firefox, well, read their about:
http://www.mozilla.org/about/
Tuesday, December 21, 2004 4:14 AM by Jonas

# re: I love Slashdot

Try to be a bit more open minded about the feedback you got on your initial post. 95% of the comments were NOT telling you that you were an idiot at all, they were serious attempts to discuss the issues you brought up.

I'm actually surprised by the politeness that the Slashdot crowd showed you. This is not a flame war, it's a cozy barbecue =)
Tuesday, December 21, 2004 4:15 AM by grr

# re: I love Slashdot

"Because my blog doesn't display properly..."

Guess you like hammering your own coffin-nails, aye ?
Tuesday, December 21, 2004 4:17 AM by l3v1

# And the spyware/adware angle?

In your first post about FF you mentioned that users are tricked into downloading spyware and adware. While I agree that it is as easy to do that when using FF, you forgot to mention all the bugs in IE that allow web sites to automatically download and execute programs without user interaction.
Tuesday, December 21, 2004 4:17 AM by The Arrow

# re: I love Slashdot

One only has to ask how many times IE has been compromised, whether by ActiveX, security bugs, buffer overflows/overruns, etc. and compare that to how many times Firefox has been compromised. I think even the blindest of IE supporters will be able to understand that. Including the blog writer here.

If we get started on supporting open web standards, then IE is the laughing stock of the whole community. IE can't even support standards like CSS and PNG image display properly.

Suffice to say, many people will never use IE again. It's simply a safer choice not to use IE.
Tuesday, December 21, 2004 4:22 AM by Web Standards

# re: I love Slashdot

"But they can afford two-page ads in the New York Times? <g>"

Mozilla.org did not pay for the ads in the New York Times. Spread Firefox (www.spreadfirefox.com) is not the Mozilla Organization.
Tuesday, December 21, 2004 4:25 AM by z

# re: I love Slashdot

Ok, I won't bash or flame the post. Yes, I'm a Firefox user and I have nothing against Microsoft, actually I work with MS technology.
Some points he mentioned make sense, the web could be a better place with signed downloads, but as many said, even adware programs can get signed. But my question is, do users really care if a download comes from Microsoft.com or myuniversity.edu? Most people will not even read it.
And about the IP, wow, that was funny, numbers, scary numbers.
Now the reasons that I use Firefox: as a web developer I love it, DOM inspection, JavaScript debugger and standards compliance; as a user, tabbed browsing, extensions, it is not bonded to the kernel! You can whine about that, but since I started using FF I stopped getting explorer errors or hangs while browsing.
Now for ActiveX, I think it's a great tool, but it has many flaws and the way MS is dealing with it is not the best. I work with Project Management and my team uses the Project Server and SharePoint. These tools are great and the ActiveX used at the Project Server is great.
Well, even with that I prefer Firefox, IE needs some refreshing
Tuesday, December 21, 2004 4:29 AM by João Amaro Lagedo

# re: I love Slashdot

Great reply.. I liked it, but still I don't see your point. When you state "How do I (as a normal user, not a computer geek) know that I am really running Firefox?".. you can say the same about IE. I can write a small application that will replace IE's icon on the desktop and run some shitware with IE interface while it formats your PC. And this application might be installed through some hole in IE as other spyware installs it. I'm not blaming you for using IE and supporting it, but hey, I'm a web designer, I would LOVE to have "full" PNG, more _standard_ HTML (<form> tags add some weird spaces if inserted in the middle of the table sometimes) and a few other things.
Anyway, not running firefox (at least giving it a small consideration) because your blog doesn't display correctly is not a fair attitude.
Tuesday, December 21, 2004 4:33 AM by nikolai

# re: I love Slashdot

just an update

IE has lots of bugs, so I don't trust it

Fine, you don't trust IE.

IE has lots of bugs (I never denied that).

But again this misses the point of the article -- I don't care if the "true" Firefox has no bugs whatsoever. How do I (as a normal user, not a computer geek) know that I am really running Firefox?



Isn't that down to MS to educate the user on what they are installing? I mean helping them choose a different browser, telling them about it, coming to a deal with Firefox and putting trusting links on sites and so forth. Firefox don't charge for their software whereas MS does; instead there is nothing telling the OS user about the different choices of web browsers out there. Reason for this, well, understandably MS would rather have users using their own software and blatantly slagging off others that bring out a better product. Yes, it may not be digitally signed but to be honest I never trust anything that is digitally signed via MS. Yes, some things do need to be sorted out but let's not forget Firefox 1.0 is a new product whereas IE isn't and still isn't up to scratch and secure. I know who I put my trust in and that's Firefox version 1.0, can't wait for the next versions, it can only get better. Now what version is IE on and is it any better than Firefox? Answer is simply no, it's not. Stop moaning, do your job and compete with Firefox to give all users a decent web browsing experience :)
Tuesday, December 21, 2004 4:33 AM by Fubar

# re: I love Slashdot

I'd just like to leave a message of support for you amongst all the carnage hereabouts. I've found your two blog postings very reasonable, and well thought out; which cannot be said for many of the one line replies questioning your sanity/intelligence.
Tuesday, December 21, 2004 4:34 AM by Andrew Ward

# Peter Torr on Firefox

Tuesday, December 21, 2004 7:42 AM by Martin's WebLog

# re: I love Slashdot

I don't understand your point about installing XPIs. I clicked on your XPI link and got a gold bar saying "To protect your computer, Firefox prevented this site (weblogs.asp.net) from installing software on your computer."
Tuesday, December 21, 2004 4:45 AM by Paul

# re: I love Slashdot

Brilliant.
Tuesday, December 21, 2004 4:45 AM by Alex Barnett

# re: I love Slashdot

Quote: "IE has lots of bugs (I never denied that)."

Quote: "But at least they can be sure the files haven't been tampered with due to the digital signature which IE dutifully checks for them..."

If IE has bugs, and (as we all know) is subject to all sorts of hijacks and pop-ups, how exactly is an "average" user supposed to "trust" the security certificate pop-up windows that appear in IE when they download content?

This is the flaw in your code signing argument: when you can't who controls the messenger, how can you trust the message?

Tuesday, December 21, 2004 4:51 AM by Gerard J.

# douchebag

The 2-page NYT advert came from user donations. Firefox/Mozilla didn't pay for it. As for the other stupid comment about needing server mirrors, it's because Mozilla doesn't really make money except for what's purchased through the MozillaStore and/or donations.
Tuesday, December 21, 2004 4:53 AM by ken

# re: I love Slashdot

If Trust isn't transitive how come active directory uses it in 2000 and 2003 server?
Tuesday, December 21, 2004 4:53 AM by DM

# re: I love Slashdot

>> But they can afford two-page ads in the New York Times?
I was under the impression that the ad was paid for by Firefox's rabid fanbase.
Tuesday, December 21, 2004 4:54 AM by vrunt

# re: I love Slashdot

"But they can afford two-page ads in the New York Times?"

Mozilla didn't pay for the ad. Users that support Mozilla donated money so that the ad could be printed. They saw it as a meaningful way of spreading the news about a better browser than IE.
Tuesday, December 21, 2004 4:59 AM by Henry

# re: I love Slashdot

I'm glad to see you're responding to Slashdot on some level! Your thread is very popular...

You still haven't answered one question, though. If downloading unsigned content is "unsafe," aren't we doomed?

Almost *everything* is unsigned. I'm sure as heck not paying $400 bucks to sign the stuff on my website. Does that mean I'm dangerous, too? And I can't use a free certificate, because IE will tell the user it's not trusted.

See the mess you guys have created? Microsoft isn't evil, it's just inept.
Tuesday, December 21, 2004 5:02 AM by Colin

# re: I love Slashdot

you're going about installing the flash plugin the hard way. if you go to a site that requires flash, you get a "gold bar" message that guides you through installing flash (without a firefox restart).
Tuesday, December 21, 2004 5:19 AM by zero

# How can I trust Firefox?

How can I trust Firefox? Those who don't look with blinders on will notice some truths. But I still think that many of the security problems occur because of users without knowledge and/or experience. But the blame is not entirely theirs; it is...
Tuesday, December 21, 2004 8:24 AM by CFGIGOLÔ

# re: I love Slashdot

I think you're right when you "doubt" that a mozilla mirror could have been hacked.

But if you're paranoid, they can have hacked the microsoft site too.
Of course hacking a mozilla mirror could be much easier since they're uncontrolled.

But let's say they add one of those "download installers" which they download all the program when you run, and you do it via bittorrent so the server can handle it.

I agree that digital signatures are somewhat "stronger" than hashes, however if you assume an evil spirit can hack a server, I can assume a stupid guy can leave the private key of a certificate on the server and an evil spirit can hack the server and get it.

Note, however, that the point of a linux distribution is to integrate *EVERYTHING* so you shouldn't need to download anything from the net so this is not a big problem in the linux field because as you said, packages are signed with PGP. It's a problem for the windows port however...
Tuesday, December 21, 2004 5:31 AM by Diego

# re: I love Slashdot

I did as you asked and went to the link. I got this in a dialog box at the top: "To protect your computer, Firefox prevents this site (mozdev.xmundo.net) from installing software on your computer." There is an 'Edit Options' button at the end of the bar. From there you would be able to white list the site and then you would have to reload to have the option to install. I find this quite tedious when I have already found the site and the info to download it. But it is a lot of obstruction to force me to opt in to any software that will touch my Firefox. A lot different than my experience with IE (I use it at school and at my office).

And you say that you have never had a site give you so much spyware, have you ever had spyware on your computer? Have you ever run Adaware and found it? I switched to Mozilla in the pre 1.0 days and have not once had spyware on my computer from it. Eventually someone will write something that will corrupt my browser but my guess is that as long as Windows has proper divisions, it will not own my system. Either way, 0 to many is pretty good to this point.
Tuesday, December 21, 2004 5:37 AM by Tim

# re: I love Slashdot

QUOTE
The problem with unsigned code is that you have no idea who the publisher is!

No, you really accidentally go to a site like mozdev, accidentally end up on the extensions page and accidentally click "install" without knowing who made the plugin
BS-O-Meter: Full of ****.

QUOTE
But they can afford two-page ads in the New York Times?

Those were donations. GG_nub

QUOTE
How do I (as a normal user, not a computer geek) know that I am really running Firefox?

Get glasses if you can't tell. Seriously.

QUOTE
Because my blog doesn't display properly...

Now Playing: Justin Timberlake - Cry me a River
Tuesday, December 21, 2004 5:39 AM by Insidious

# re: I love Slashdot

"Code signing is a way of providing evidence to help users make trust decisions for the software they are going to install, independent of the platform. Check your Linux package installer of choice -- I bet it checks for digital signatures (albeit ones generated by PGP keys rather than VeriSign certificates)."

I agree with you 100%. I love IE!! As a matter of fact, I just downloaded and installed the SIGNED gator software. Hrmm.. Why am I now getting all of these popups? Hrmm.. Why is my cpu running at 100%? Umm.. Go IE? Heh.
Tuesday, December 21, 2004 5:42 AM by I <3 IE!!!

# re: I love Slashdot

To take the comment of Federico Garcia a bit further even, when indeed you say:

·People should fear code they cannot easily verify.
·People should feel uncertainty about downloading and executing code that they cannot easily verify.
·People should doubt the integrity of code they cannot easily verify.

Does this then imply that I should be afraid to install any piece of software which I cannot verify? By which I take it with "to verify" you imply either reviewing the origin of the software, or being able to review the code?

And besides that, you keep saying that "it didn't say so in the NY Times ad". Meaning what exactly? It should state there that it's trusted software? It should explain how (if you want to) to compile the source code yourself? It should state that maybe the download location may vary as the download site tries to determine the best mirror for your location? First you say users shouldn't be bothered with this kind of info, then you say users should be educated about this kind of info. You know this probably a LOT better than I do, but users don't want to be educated, they simply want to use, and when something breaks, no matter how much you have tried to educate them, they will still blame you for it. Always. So stop whining about this, and maybe actually start educating users instead. You're preaching to the choir here, we already know what you have to say, and most of us Firefox users disagree....
Tuesday, December 21, 2004 5:43 AM by Michiel Oosterling

# re: I love Slashdot

Comment moderation? What ever happened to having an honest-to-god discussion? ;)
Tuesday, December 21, 2004 5:44 AM by Michiel Oosterling

# re: I love Slashdot

The technically savvy among us can make our own decisions on what we install and don't install. The trouble is there's a *lot* of people out there who don't really know what they're doing with a computer. How are these supposed to know how to download code and compile it? Or use MD5? They don't.

As for people who say signing is no good, imagine this. There's a game\app you really want to try - a window pops up asking if you want to install plop.exe by Gator what would you say? I'd go no thanks, now a window saying do you want to install plop.exe by unknown publisher you might be more likely to try. So it works both ways. That's the thing with trust.

The other thing to remember, IE gets targeted a *lot* more by writers of malicious software because it's used so widely. Wait until they turn their attention to Firefox and see what happens. Microsoft is just a victim of its own success.

The volume of people who miss the point is unbelievable.
Tuesday, December 21, 2004 5:46 AM by luggage

# re: I love Slashdot

"I downloaded the FlashBlock extension from http://mozdev.xmundo.net/flashblock/flashblock-1.2.5.xpi and "Install Now" was the default button (hint: try typing that URL into the address bar of Firefox and see what happens)."

Clicking on your link gave me a yellow bar that said "To protect your computer, Firefox prevented this site (blogs.msdn.com) from installing software on your computer." and a quick button to edit options and allow your site to install software.

Typing the address in the address bar, simply wouldn't load anything.

I'm using version 1.0.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Tuesday, December 21, 2004 5:59 AM by Steve

# re: I love Slashdot

"Trust is not transitive."

Isn't that exactly how code signing works? You trust Thawte/Verisign/? who trust the code signer? As far as I know, there might even be more "authorities" in between.

There might be a difference in scale but the principle is the same.
Tuesday, December 21, 2004 6:07 AM by MadMoose

# How can I trust Firefox?

That's quite some rubbish you're trying to throw around in your article! How can I trust Firefox? Why bother writing that kind of crap if you can't even be bothered to find out the facts? Damn!
Tuesday, December 21, 2004 6:13 AM by Finnish Elite

# re: Once upon a time, there was this Program Manager that nobody paid attention to in Redmond HQ. So, he decided it was time for a little "carpe diem" ;)

Hello Peter.

In case you missed it somewhere online, there's a special term for your reference. It's called "attention whore", and it would be the perfect description for your case. It seems you will probably get that chance to meet Bill after all that slashdotting and who knows - maybe a bonus is on the way for all this bitching ;)

Congratulations, and keep using IE. You are the most representative specimen of the users that still hang on to IE as if their life depended on it (it does?) - MS employees :)

Oh, and by the way, I don't think I need security instructions/suggestions from Microsoft or their employees. Come to think of it, it seems rather funny to use words like "security" and "Microsoft" in the same sentence, so I feel I have to let you know that I'm very happy with the security of all the alternatives I'm using (for free).

Thank you for the suggestions though :)
Tuesday, December 21, 2004 6:16 AM by krikri

# re: I love Slashdot

I applaud you for standing up for what you believe in ... though my opinions differ.

I found an article from Microsoft which basically states that Microsoft's signing of their own software is not to be trusted. While this has since been fixed, there was a window where someone could spoof the signing of Microsoft's software.

Microsoft Security Bulletin MS01-017

http://www.microsoft.com/technet/security/bulletin/MS01-017.mspx

So in this sense, you can't trust that software coming from Microsoft really comes from Microsoft.

I trust Firefox to be Firefox, because

1. It runs like Firefox
2. It hasn't done anything bad to my system (yet)
3. No 3rd party applications report it as spyware/adware/virus, etc.

I think that code signing is very important to more advanced computer users, but to the average joe (take my grandmother), she doesn't care what the popups say... she just clicks "ok" to get them to go away. Yes, we need to educate them. But as far as certificate signing goes, now you have to ask, do I trust Thawte/Verisign? I myself do not. They did after all grant a "Microsoft Corporation" certificate to a non-Microsoft person. Who is to say they would not do the same for anyone else?



Tuesday, December 21, 2004 6:18 AM by John

# re: I love Slashdot

Wow, this just proves that you have no idea what you're talking about.
Tuesday, December 21, 2004 6:21 AM by Cody aka CypherXero

# re: I love Slashdot

The ad in the NY Times was funded by donations. Just FYI
Tuesday, December 21, 2004 6:26 AM by Jad

# re: I love Slashdot

While some of the problems you note with Firefox are real, some of the views you expressed yourself are even more problematic; and they are worth discussing, because they represent Microsoft's approach.

You say, "trust is not transitive", but this reveals the underlying misconception that trust is a relation, a binary entity: Either you trust me with your life, or not at all. It doesn't work this way. It doesn't even work this way in IE: When security is set to High for a site, that site is still allowed -- trusted enough -- to run some (JScript) code on your computer, though it is not allowed to install ActiveX controls.

The same principle belies your "#1 Immutable Law of Security": the law should be qualified to say, "If a bad guy's code runs on your computer *with sufficient privileges*, then it's no longer your computer" (I haven't bothered with the link, I'm only attacking your quote).

Microsoft has educated the world, by negligence, to forego privilege separation. AFAIK, the only common way to get a sandboxed code-execution environment in IE is by installing a JVM -- from Sun; no Microsoft representative I've seen even acknowledged the potential usefulness of the idea. The other great tool of privilege separation -- using different users -- was practically impossible until WinXP, because it was very hard to have two users running programs simultaneously from the same terminal. To this day, AFAIK, even after the "run as other user" feature was introduced, there is no standard way for a Windows program to ask the user to "su" in order to get temporary, local permissions. This generated -- and still generates -- a usage-pattern where normal, non-technical users are *usually* running everything with administrative privileges. This is what makes your original phrasing of the #1 Law mostly correct. This is also, I suppose, what made you install a whole OS on a Virtual PC for the experiment; a Unix user in the same situation would just define a new user, and not give that user the privileges to compromise the whole system; or, create a "chroot jail" (this is usually done for server applications).

And last but not least: the whole code-signing scheme assumes an enormous deal of trust in the browser itself. While you fairly granted Firefox the same level of trust as you would IE, many -- as I -- do not trust IE to that level.

So, what's my point? My point is that while what you say is essentially true, and in that sense IE is more secure than Firefox, the difference is marginal, and the primary problems are not really in either browser, but in Windows. Firefox on Linux is more secure than Firefox or IE on Windows, and had it run there, IE on Linux would also be more secure than Firefox on Windows, in the same aspects. The point I haven't made, but this post is too long already, is that there are other aspects of security where Firefox is better than IE.
Tuesday, December 21, 2004 6:26 AM by Shai

# re: I love Slashdot

<quote>
People should fear code they cannot easily verify
People should feel uncertainty about downloading and executing code that they cannot easily verify
People should doubt the integrity of code they cannot easily verify
</quote>

So, they should fear and doubt IE, and for that matter any closed sourced application?
Tuesday, December 21, 2004 6:29 AM by Chris

# re: I love Slashdot

I admire your bravery in taking on the Slashdot crowd!

What's the "gold bar" that Firefox borrowed from IE? The one that appears when Firefox prevents a popup etc?
Tuesday, December 21, 2004 6:34 AM by Nathan Parton

# Signatures versus hashes

As a point of fact mozilla.org does support signing as well as MD5 and SHA-1 hashes (through GnuPG). Signing the hashes is (computationally) reasonably inexpensive.

There is no reason why this 'signature of hashes' functionality couldn't be built into FireFox (especially for extensions) in an end-user friendly way.

Tuesday, December 21, 2004 6:35 AM by Mr Blobby
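
The "signature of hashes" idea from the comment above, combined with Diego's earlier points that a hacked server defeats a bare hash and that a private key left on the server defeats a signature, as an added example (not code from the blog, from Mozilla, or from any commenter). Assumptions: SHA-256 instead of MD5/SHA-1, a Lamport one-time signature built on `hashlib` as a standard-library stand-in for a GnuPG signature, and constructed file names and contents.

```python
import hashlib
import hmac
import os

SUMS, SIG = "SHA256SUMS", "SHA256SUMS.sig"   # constructed file names
NAME = "browser-setup.exe"                    # constructed download name

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(digest: bytes):
    # The 256 bits of a SHA-256 digest, most significant bit first.
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Lamport one-time signature: stand-in for the GnuPG signature (assumption).
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk

def lamport_sign(sk, message: bytes):
    # Reveal one secret per bit of the message digest.
    return [sk[i][bit] for i, bit in enumerate(_bits(_h(message)))]

def lamport_verify(pk, message: bytes, sig) -> bool:
    if not isinstance(sig, list) or len(sig) != 256:
        return False
    ok = True
    for i, bit in enumerate(_bits(_h(message))):
        ok &= hmac.compare_digest(_h(sig[i]), pk[i][bit])
    return ok

def build_manifest(files: dict) -> bytes:
    lines = [f"{hashlib.sha256(d).hexdigest()}  {n}" for n, d in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()

def parse_manifest(blob: bytes) -> dict:
    entries = {}
    for line in blob.decode().splitlines():
        digest, _, name = line.partition("  ")
        if name:
            entries[name] = digest
    return entries

def publish(files: dict, sk) -> dict:
    # The publisher signs only the small manifest, not every file.
    sums = build_manifest(files)
    return {**files, SUMS: sums, SIG: lamport_sign(sk, sums)}

def hash_only_check(mirror: dict, name: str) -> bool:
    """Compare the download with the hash list served by the same mirror."""
    expected = parse_manifest(mirror[SUMS]).get(name, "")
    actual = hashlib.sha256(mirror[name]).hexdigest()
    return hmac.compare_digest(expected, actual)

def signed_hash_check(mirror: dict, name: str, pk) -> bool:
    """Trust the hash list only if the publisher's signature covers it."""
    if not lamport_verify(pk, mirror[SUMS], mirror.get(SIG)):
        return False
    return hash_only_check(mirror, name)

def replaced_copy(mirror: dict, name: str, data: bytes, key_on_mirror=None) -> dict:
    """Model of a mirror whose file and hash list were both replaced. The
    signature can be regenerated only if the signing key was stored there."""
    bad = dict(mirror)
    bad[name] = data
    files = {k: v for k, v in bad.items() if k not in (SUMS, SIG)}
    bad[SUMS] = build_manifest(files)
    if key_on_mirror is not None:
        bad[SIG] = lamport_sign(key_on_mirror, bad[SUMS])
    return bad

def demo() -> dict:
    sk, pk = lamport_keygen()   # pk reaches the user out of band
    good = publish({NAME: b"genuine installer bytes (constructed)"}, sk)
    bad = replaced_copy(good, NAME, b"altered installer bytes (constructed)")
    leaked = replaced_copy(good, NAME, b"altered installer bytes (constructed)", sk)
    return {
        "genuine_hash": hash_only_check(good, NAME),
        "genuine_signed": signed_hash_check(good, NAME, pk),
        "replaced_hash": hash_only_check(bad, NAME),          # passes: undetected
        "replaced_signed": signed_hash_check(bad, NAME, pk),  # fails: detected
        "replaced_key_on_mirror": signed_hash_check(leaked, NAME, pk),
    }

if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check:24} {'passes' if passed else 'FAILS'}")
```

The signed check is only as good as the custody of the signing key and the channel by which the user obtained the public key.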

# re: I love Slashdot

"Mozilla can't afford bandwidth, so it needs the mirrors

But they can afford two-page ads in the New York Times?

...

Next please... "

A single time ad blitz is a proven marketing strategy when it pertains to items that are known in a subculture that is evolving into mainstream. Because many "in-the-know" people know about FireFox, whenever someone says "Hey, what is this FireFox?" there is a chance that a nearby person can explain. Being that there are lots of businesses in NY, and almost every business has an IT department, and most good IT people know about alternatives to MS products, I think you can figure out the rest.

Where am I going with this? Well, I guess I only wanted to make a point saying that the extreme cost of bandwidth would just be a waste and strain on the budget of a company that has the opportunity for free hosting from universities. Yes, there is a chance of the software being compromised, but the chance of it being compromised might be, or would more likely be, less than that of MS having their own built in compromises (bugs).
Tuesday, December 21, 2004 6:35 AM by Matt Freilich

# re: I love Slashdot

First Post!
Tuesday, December 21, 2004 6:38 AM by G. Man

# re: I love Slashdot

Great catch Peter. I've had a good laugh.

Michele (happy MS-free guy who can actually get it ;)
Tuesday, December 21, 2004 6:43 AM by Michele

# re: I love trolling Slashdot

Is there anything lower than making boneheaded comments about a community and then cherry picking and publishing the worst anonymous abuse you (rightfully) receive in order to make that community look bad?

Professional trolls, like David Coursey, have been earning good money for years by making idiotic statements about Apple products and then mocking the community response. And now you seem to be carrying on this grand tradition. It's a poor show when your argument is so weak that you need to lean on such distasteful rhetorical ploys.
Tuesday, December 21, 2004 6:45 AM by bob

# re: I love Slashdot

I just wanted to compliment you on a very calm reply to many irrational complaints. I didn't read the original article, but linked over from /. to see this post of your replies. I came in thinking "oh boy, another MacroHard fanboy loser going to spout off about the obvious greatness of their (in my opinion) over priced, poorly written bloatware." Instead, I found some very rational reasoning and very valid questions/comments that I may not always agree with, but certainly believe the OSS community should listen.
Tuesday, December 21, 2004 6:50 AM by Steve

# re: I love Slashdot

I don't have words. You are VERY stupid!
Tuesday, December 21, 2004 6:55 AM by Steve

# re: I love Slashdot

I love Slashdot too - why is it that people (or maybe just geeks) get so zealous about software? I used to support IE at MS and now I'm using Firefox. You made some valid points about security. I think the Firefox boys got a lot of things right but they should've made it rock solid BEFORE they blew their trumpet. Firefox is doing ok today but it will probably be replaced sooner or later by the next "best browser out there".
Tuesday, December 21, 2004 6:55 AM by Greg

# re: I love Slashdot

Mozilla can't afford bandwidth, so it needs the mirrors
But they can afford two-page ads in the New York Times? <g>
Mozilla can't afford code signing certificates
But they can afford two-page ads in the New York Times? <g>

From the NY Times Ad: "This message has been brought to you by the thousands who contributed funds to the Mozilla Foundation, a non-profit organization dedicated to promoting choice and innovation on the Internet.
Special thanks to the employees of Haberman & Associates, MozSource, Oracle, Red Herring, Red Hat, Sourceforge.net, Speakeasy and Sun Microsystems"

I just wanted to double check what I already thought. The Ad was paid for by private citizens and companies, not the Foundation directly. That's what it looks like to me anyways.
Tuesday, December 21, 2004 6:56 AM by Peter S

# re: I love Slashdot

I have one question.
How do you believe your wife's breakfast?
Does she sign on it?
Tuesday, December 21, 2004 6:59 AM by sorry.

# The Firefox flame war is on

I predicted Peter Torr would start a flame war with his Firefox post, and sure enough... To his credit, he's addressed most of the criticisms directly in this follow-up post, entitled, I love Slashdot. My favorite part: You're spreading FUD. Well, yes, I suppose I am. People should fear code they cannot easily verify. People should feel uncertainty about downloading and executing code that they cannot easily verify. People should doubt the integrity of code they cannot easily verify. And, to re-iterate what I said earlier, manually checking MD5s or compiling the source does not qualify for 99% of users. This debate is very, very healthy. If Microsoft pays attention to the success of Firefox and improves IE to remain competitive, we all benefit....
Tuesday, December 21, 2004 10:00 AM by Ed Bott - Windows (and Office) Expertise

# re: I love Slashdot

·People should fear code they cannot easily verify
...
·People should doubt the integrity of code they cannot easily verify

========

So, we should trust Linux a lot more than Microsoft? :-D
Tuesday, December 21, 2004 7:04 AM by Ben

# re: I love Slashdot

OK, this is amazing. From your own statements:

1) No normal user would manually verify hashes or signatures.

but this same normal user must:

2) "only install software from publishers you trust"

How in the name of God is a "normal user" who can't even be bothered to take a simple, one-click step to verify their download make a rational decision about whether or not to trust a given publisher? Consider even a small subset of the sort of areas that user would have to review:

1) Are the staff who might have the ability to alter the software before it's signed trustworthy? Are these people resistant to outside influences that might try to cause them to alter the build in unauthorized ways, either through malice, or caprice? (For example, something like this: <a target="_new" href="