View Full Version : Firefox 1.0 Final is out
evoWalo
11-09-2004, 05:14 AM
Choose OS & language at ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0/
GT-R_R34
11-09-2004, 05:17 AM
thanks for reminding me about it.
DeMoN
11-09-2004, 11:30 AM
About time! What's new?
neilo63
11-13-2004, 07:24 PM
Some people say you're very unlikely to get adware crap using a non-IE or Netscape browser, unless of course you click yes to things? Is it true?
^^^
Mozilla is becoming increasingly more popular, so it must be good
I have been using it for the last 6 months in various guises, only problems have been plug-ins etc, but other than that, no pop-ups, little adaware etc... :D
DeMoN
11-14-2004, 01:01 AM
Some people say you're very unlikely to get adware crap using a non-IE or Netscape browser, unless of course you click yes to things? Is it true?
Most spyware are directed to be against Explorer. Security holes in Internet Explorer are used by spyware, whereas Mozilla, it is WAY more secure.
I never use internet explorer, Mozilla is sooo much better.
graywolf624
11-14-2004, 01:05 AM
it is WAY more secure.
Actually, thats incorrect.
It has less exploits against it cause hackers focus on what hits the most number of people. Same goes for linux(not free bsd, more like red hat and such. In general systems with the same number of features are going to be about as secure) versus windows xp.
As it becomes mainstream more and more hits will occur against it.
evoWalo
11-14-2004, 01:34 AM
^^ Granted, hackers may target Windows & other popular software, but when security holes do crop up in open source software, they tend to have patches within hours instead of weeks or even months as with closed source software like IE or Windows.
Using your line of thought, shouldn't there be more Apache webserver exploits than those webservers using Microsoft? After all Apache runs about 67.77% of webservers while Microsoft is 21.25% (http://news.netcraft.com/archives/web_server_survey.html).
Since Mozilla came out (then FireFox) I've stopped using IE for all but the most stubborn IE-only website.
graywolf624
11-14-2004, 01:37 AM
Using your line of thought, shouldn't there be more Apache webserver exploits than those webservers using Microsoft? After all Apache runs about 67.77% of webservers while Microsoft is 21.25%.
How soon we forget how insecure Apache was when it first became big? Some of its bugs were downright nasty. You are indeed correct that open source patches hit the scene more quickly than do commercial software. However, honestly that comes down to how often you update your software, period.
And it's not just my line of thought. It's also the line of most security experts.. My degree in computer science included a specialty in information security (mostly at a high level since I didn't go into grad level).
One of the greatest concerns of security experts everywhere is how slack users of open source software are on updates simply because they aren't attacked often. Open source has the benefit for security sake from more eyes on the code.. But only when it's mainstream. If only a few people work on it or use it, then it isn't going to be that secure.
Security is a compromise with others in a 4 way box with time, features, and convenience.
graywolf624
11-14-2004, 01:45 AM
The two largest holes in Apache in recent memory involved malformed queries and buffer overflows.
One allowed the putting of a file or reading of a file off the server.
The other involved gaining unprivileged user access. Source: Hacking Exposed.. I could look over some more of my reference books and find more.. but I'm too lazy and tired.
Consider my statement a warning.. Too many idiots get Linux or other open source and say to themselves.. I can't get a virus cause it's ..insert OS or system here..
Don't ever think you're safe cause there's not a system invented that can't be hacked.
Always expend at minimum the amount it will cost you if you are compromised.
evoWalo
11-14-2004, 02:01 AM
^^ When was the last time you heard about major exploit for Apache? When was the last time you heard about major exploits for IIS?
Flipping it around a bit when was the last time you heard of a Mozilla/Firefox major exploit? When was the last time you heard about major exploits for IE?
It's true it does come down to how often you update but so far Mozilla/Firefox upgrades of late is more on stability and features and not for security reasons. Even SP2, that's supposed to have solved a lot of exploits, has vulnerabilities. Plug a hole and another problem appears.
At one point even CERT recommended people to consider switching to a non-IE browser.
graywolf624
11-14-2004, 02:05 AM
When was the last time you heard about major exploit for Apache? When was the last time you heard about major exploits for IIS?
Last year on both accounts (not that I follow both closely since I dont run a webserver).. Apache has been out longer.. of course its gonna be cleaner by this point. Yet again..
Time by features by security by ease of use.
Thats the function.. and every basic info sec book will tell you that.
Many systems like Red Hat.. and most likely in this case Mozilla due to its lack of catching on so far.. will definitely have a long list of compromises if/when it takes off, until it's been around longer or in the case where major feature changes are appended. That's generally part of the software lifecycle. Until millions have a reason and thus try to crack it.. you won't find the bugs.. as more people attempt a shot at breaking it.. more bugs are found and more fixed (time aspect of above equation). So for the initial phase where something gets popular and/or recently majorly changed it's gonna have a much higher number of bugs.
Flipping it around a bit when was the last time you heard of a Mozilla/Firefox major exploit? When was the last time you heard about major exploits for IE?
I dont follow mozilla.. But redhat linux.. oh.. about 3 weeks ago.
but so far Mozilla/Firefox upgrades of late is more on stability and features and not for security reasons.
No ones targeting it yet..
Yet again.. that box always holds.. Apache has the time thing way up cause its been around so long..
Even SP2, that's supposed to have solved a lot of exploits, has vulnerabilities. Plug a hole and another problem appears.
Same can and has been said for a lot of open source patches.
graywolf624
11-14-2004, 02:12 AM
Quick search for Mozilla security problems netted this:
http://www.mozilla.org/projects/security/known-vulnerabilities.html
Most recent two on their page:
Downloading link deletes files 9-29
"Send page" heap overrun allows remote execution 9-7
Many of these are major and fixed in september. Also quite similar to the ie bugs. And yet you weren't even aware of them.
I REPEAT: DON'T EVER GET COMPLACENT!
neilo63
11-14-2004, 06:13 AM
Remember how Apple (pre OSX) was never / very rarely targeted and now that every1 has the new iMacs, PowerBooks and G5's more and more viruses target OSX. If only they could make software more impenetrable
evoWalo
11-14-2004, 08:30 AM
graywolf624: Apache was started in 1995 so using your argument it had time to mature and be less vulnerable than the younger IIS. Question is why is it that Windows that has been in existence before 1995 still has problems after so long? The just recently released SP2 has 10 exploits (http://news.google.com.ph/news?num=100&hl=en&lr=&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&tab=wn&ie=ISO-8859-1&q=sp2+finjan). How long til Microsoft acknowledges they exist and provides fixes?
Just a correction: there is commercial software that is open source and there is free software that is closed source.
It has less exploits against it cause hackers focus on what hits the most number of people. Same goes for linux(not free bsd, more like red hat and such. In general systems with the same number of features are going to be about as secure) versus windows xp.
As it becomes mainstream more and more hits will occur against it.
One of the greatest concerns of security experts everywhere is how slack users of open source software are on updates simply because they aren't attacked often. Open source has the benefit for security sake from more eyes on the code.. But only when it's mainstream. If only a few people work on it or use it, then it isn't going to be that secure.
Your two paragraphs seem to contradict your line of thought. So whether it is popular or not hackers will look for exploits irregardless of number of users affected?
I agree that there isnt any software that is 100% secure. It goes for everything man-made actually. Then again the number of exploits for Windows/IE is scary as compared to alternative OSes and browsers. To think Firefox has less security holes in its beta form than IE in its 6 different versions.
Firefox/Mozilla are also targeted by hackers. Though response to such problems is speedier than one can expect from Microsoft.
I also agree that being lax when it comes to updates also contributes to the problem of security. So why use a browser that is so popular that hackers make it a point to concentrate their efforts in exploiting? The Mozilla link you provided concerns fixed vulnerabilities so it shouldn't be of issue anymore to those using the latest version. Also notice how many exploits were found & fixed. While those using SP2 have to contend with 10 newly discovered flaws that MS has to investigate, acknowledge and resolve.
Also check out US-CERT's Cyber Security Alerts section (http://www.us-cert.gov/cas/alerts/). I see only 1 alert concerning Mozilla while the rest relates to Microsoft products.
neilo: there are more viruses (most are MS Office in origin) for pre-OS X than OS X itself. OS X has only 1 virus.
A Brit security firm did a 1 year study on what is the safest OS now and found out that Mac OS X (http://www.mi2g.com/cgi/mi2g/frameset.php?pageid=http%3A//www.mi2g.com/cgi/mi2g/press/021104.php) had the fewest security breaches against permanently connected machines worldwide in homes, small businesses, large enterprises and governments. It could be because it is based on BSD. It also could be because the number of users using OS X. But you have to consider that hackers like a challenge and OSes like OS X with its generally arrogant userbase is a tempting target to attack.
evoWalo
11-14-2004, 08:44 AM
In the end you choose the OS/browser you're most comfy with, hope that the programmers contributing fixes can do it competently and update when needed.
graywolf624
11-14-2004, 12:47 PM
Question is why is it that Windows that has been in existence before 1995 still has problems after so long?
Cause in reality.. windows 95 has as much in common with winxp as my car has in common with yours.. absolutely nothing.
Hell even SP2 has about as much in common as WinXP SP1. Major changes cause those problems.. Apache you'll also notice hasn't drastically changed structurally underneath for quite some time. Also comparing the number of features of an OS to a webserver is kinda an apples to oranges comparison.
Your two paragraphs seem to contradict your line of thought. So whether it is popular or not hackers will look for exploits irregardless of number of users affected?
They dont contradict..
The idea is simple.. the more time spent hacking on something.. the more bugs are found..
The more users.. the more time.
Simple math.
Then the more eyes on the code.. the quicker it gets fixed.
Then again the number of exploits for Windows/IE is scary as compared to alternative OSes and browsers. To think Firefox has less security holes in its beta form than IE in its 6 different versions.
Id argue it doesnt... You cant compare the entire lifecycle of ie to mozilla. Look at mozilla and ie for a single month and youll see very similar numbers.
Though response to such problems is speedier than one can expect from Microsoft.
Never argued this or even that they aren't targeted by hackers.. It's the degree. Security is only assured by raw number of hackers.. You can't really test for it in the traditional sense. That's why open source encryption algorithms that are widely used are infinitely more secure than those that are used less.
The Mozilla link you provided concerns fixed vulnerabilities so it shouldn't be of issue anymore to those using the latest version. Also notice how many exploits were found & fixed. While those using SP2 have to contend with 10 newly discovered flaws that MS has to investigate, acknowledge and resolve.
You'll find that those 10 new discovered flaws in SP2 have been fixed.. and you'll find that this new version firefly will go through the same process as a major release. Generally Microsoft is pretty smart in not letting the public know its vulnerabilities till it's fixed them.
Also check out US-CERT's Cyber Security Alerts section. I see only 1 alert concerning Mozilla while the rest relates to Microsoft products.
U can't compare apples to oranges yet again.. Microsoft has thousands of products.. Mozilla has one..
And their link says multiple vulnerabilities in Mozilla. Very equivalent in fact to those found in IE.
OS X has only 1 virus.
A Brit security firm did a 1 year study on what is the safest OS now and found out that Mac OS X had the fewest security breaches against permanently connected machines worldwide in homes, small businesses, large enterprises and governments. It could be because it is based on BSD. It also could be because the number of users using OS X. But you have to consider that hackers like a challenge and OSes like OS X with its generally arrogant userbase is a tempting target to attack.
Now that's the biggest bs I've ever heard.. There are way more than just 1 virus for Mac OS X. Furthermore, even a security firm doesn't verify shit. Any security expert will tell you that much. Did you know that a Windows NT based system won one of the cyber hack systems and wasn't hacked.. Does that show anything? No.
Read some of Bruce Schneier's books.
Is it more secure than Windows.. probably since it is based off a much older platform. Is it secure.. hells no.
It hasn't been targeted nearly as much as a lot of the other systems. For one there's no money in it.
graywolf624
11-14-2004, 01:32 PM
Microsoft's biggest problem isn't buggy software. Very few of the major hits at companies and people can be attributed to anything more than users not taking the time to work on upgrades and other security situations.
Their problem is out of the box it's not set up for security and very few people know how to starting out. Comparably systems like OS X tend to be more locked down (but also not completely).
That being said, spend the time to lock it down.. and don't update to SP2 until they've hammered at it long enough.. and it's pretty close to as secure as OS X. In fact.. I'd bet money my WinXP machine is far more secure than my personal OS X machine simply cause I took the time to secure the XP machine. (The OS X machine rarely if ever sees the network, so it's not that much of a concern. As such it's almost identical to out of the box, while I spent a good deal of time locking the XP machine down to a reasonable extent.) (Before anyone gets any ideas.. if you hacked me the best you'd get would be a few older Clarkson vids and my homework from last week. It really isn't worth the time or effort.)
evoWalo
11-14-2004, 02:34 PM
XP shares no code with 95. I find that hard to believe. With XP having so much bloat there should be some semblance of 9x code in it. Heck if they started XP from scratch they'd have a new and unproven platform that the public would find hard to accept.
Show me the numbers of IE vs Mozilla for a given month.
Microsoft takes its time before announcing then providing fixes for exploits. Solutions to problems were even held back so it may be combined into SP2 instead of releasing it immediately.
Has Microsoft issued a Windows Update to the 10 newly discovered SP2 flaws? Can I download it already? As far as what's on the news right now Microsoft is still investigating the so-called flaws.
Ok lets count the number of US-CERT alerts concerning IE. I count 1 for Mozilla while IE has 7. The alert concerning multiple exploits for Mozilla products concerns the exploits for Mozilla, Firebird and Thunderbird.
A simple google search on "OS X" and virus (http://www.google.com.ph/search?q=%22OS+X%22+virus) shows up only "Opener". That's it and nothing else. Be my guest and name other virii for OS X.
The security firm did a 12 month study for all the major OSes why cant they verify it? Even the 12 month study says Windows improved a lot vs Linux in terms of security. So are they wrong with that?
Pls post the link concerning Windows NT being hacker-proof.
According to Bruce Schneier (http://www.neowin.net/articles.php?action=more&id=95) "Linux and Mac OSX are both more secure pieces of software, simply because both of those operating systems are designed better." Mr Schneier even testified to a Senate subcommittee that "What will happen when the CFO looks at his premium and realizes that it will go down 50 percent if he gets rid of all his insecure Windows operating systems and replaces them with a secure version of Linux? The choice of which operating system to use will no longer be 100 percent technical," (http://archives.cnn.com/2001/TECH/internet/07/16/internet.security/index.html)
evoWalo
11-14-2004, 02:46 PM
So running XP on SP1 w/ all the available patches is better than SP2 w/ all the available patches? That pretty much defies the logic behind having people update everything to the latest version. It would still open SP1 w/ patches to flaws that SP2 solved.
I'm running OS X 10.3.6 w/ patches and it is still more secure than SP2 w/ patches. It doesn't have 10 new unsolved flaws to contend with. If OS X 10.3.6 w/ patches does have flaws it could be easily solved by a simple patch written by any user that knows how to write code as a temporary remedy til Apple addresses the issue.
Out of the box Panther is much more secure than an out of the box XP SP2 machine.
Also if anyone tries to hack me they'll just hit my router's firewall. :lol:
graywolf624
11-14-2004, 03:06 PM
XP shares no code with 95. I find that hard to believe. With XP having so much bloat there should be some semblance of 9x code in it. Heck if they started XP from scratch they'd have a new and unproven platform that the public would find hard to accept.
There's a major problem there.. XP isn't even based on 95.. It's basically based on NT. It seriously has about as much in common with XP as my car has with a Model T.. It still has a suspension, wheels, tires... But most of it is completely different.
Has Microsoft issued a Windows Update to the 10 newly discovered SP2 flaws? Can I download it already? As far as what's on the news right now Microsoft is still investigating the so-called flaws.
The ones that are public have all been patched. The fear is that more will be found. And of that I say there will be.
So running XP on SP1 w/ all the available patches is better than SP2 w/ all the available patches? That pretty much defies the logic behind having people update everything to the latest version. It would still open SP1 w/ patches to flaws that SP2 solved.
If service packs were only about security, yes.. But they're also about added features.
As we discussed above..
features x time x ease of use x security.
Ok lets count the number of US-CERT alerts concerning IE. I count 1 for Mozilla while IE has 7. The alert concerning multiple exploits for Mozilla products concerns the exploits for Mozilla, Firebird and Thunderbird.
I count 2 for the most recent version with updates of ie. You can't look at 2 different versions. Compare the bug list on ies page for say the month of septembers fixes versus the month of september on mozilla. Youll find them disturbingly similar in even the types of bugs.
The security firm did a 12 month study for all the major OSes why cant they verify it? Even the 12 month study says Windows improved a lot vs Linux in terms of security. So are they wrong with that?
Yes.. As Schneier states in his book.. that proves absolutely nothing. Security isn't something you can test for like that. The only way to verify something's secure.. is for it to go out in the mainstream and every tom dick and harry hacker to hit it and every patch with everything they have. It simply can't be tested by typical software testing.
Pls post the link concerning Windows NT being hacker-proof.
Nothing is hack proof.. but in Secrets and Lies Mr. Schneier even says both systems locked down.. NT versus Linux there's not much difference. I don't have my copy in front of me but in it he cites a cyber attack put on by Foundstone to test vulnerability.. The Linux boxes all fell before the NT box. He also adds this doesn't mean crap about any of their security. Which is the point I've been trying to make to you.
"Linux and Mac OSX are both more secure pieces of software, simply because both of those operating systems are designed better."
Secrets and Lies.. a book written after this statement.. He actually changed his statements a little. Particularly he cites that the major problem with XP is legacy support. Locked down well with all the updates.. he says that Linux based systems tend to only be slightly more secure than their Windows counterparts. The issue is 3 fold when it comes to Windows.. which he even goes into.
First: Unlike Linux, Windows tries to cram too many features into the OS.. I won't restate that equation for the millionth time.
Second: Windows users are more abundant and generally dumber.
Third: Windows comes less locked down out of the box by a large margin than Linux.
He retracted his statement for the very reason Im raising this alarm. People with open source tend to get complacent.. They think.. oh Im running blah so I cant get hit.. too bad it doesnt work like that.
And how did we get to os's from browsers. Especially comparing a os thats been around for 30 years to one thats been around at most.. 10.. and thats if you consider having wheels and a suspension constituting a car.:)
If OS X 10.3.6 w/ patches does have flaws it could be easily solved by a simple patch written by any user that knows how to write code as a temporary remedy til Apple addresses the issue.
Yes, which possibly opens it up to more security flaws.. with the but that it does allow quicker fix times.
Out of the box Panther is much more secure than an out of the box XP SP2 machine.
Didn't I just say that?
Also if anyone tries to hack me they'll just hit my router's firewall.
Now if you trust that you're a complete idiot.. Firewall routers.. even ignoring trojans and other such things... are generally not what I'd trust things to.
graywolf624
11-14-2004, 03:27 PM
Oh good mac virus recently..
mp3gen
quick search.. mac security advisories..
http://www.securemac.com/
We wont get into the ones caused by programs run on top of osx..
Word viruses come to mind quickly.
DOD on mac-
http://www.ciac.org/ciac/bulletinsByType/vndr_apple_bulletins.html
evoWalo
11-14-2004, 08:24 PM
There's a major problem there.. XP isn't even based on 95.. It's basically based on NT. It seriously has about as much in common with XP as my car has with a Model T.. It still has a suspension, wheels, tires... But most of it is completely different.
I never mentioned it was based on 9x what I said was it shared code with it. Even Microsoft says it is (http://labmice.techtarget.com/FAQ/winxpfaq.htm).
The ones that are public have all been patched. The fear is that more will be found. And of that I say there will be.
It doesnt show up Windows Update.
If service packs were only about security, yes.. But they're also about added features.
As we discussed above..
features x time x ease of use x security.
So you'd rather have people avoid SP2 and stick to SP1 because SP1 is more secure. Barring the fact that it also bundles new features?
I count 2 for the most recent version with updates of ie. You can't look at 2 different versions. Compare the bug list on ies page for say the month of septembers fixes versus the month of september on mozilla. Youll find them disturbingly similar in even the types of bugs.
Then I count none since Mozilla 1.7.3, Firefox 1.0PR, Thunderbird 0.8 resolves that problem. 0 for Mozilla products and 2 for IE. Still no list. :)
Yes.. As Schneier states in his book.. that proves absolutely nothing. Security isn't something you can test for like that. The only way to verify something's secure.. is for it to go out in the mainstream and every tom dick and harry hacker to hit it and every patch with everything they have. It simply can't be tested by typical software testing.
They left the boxes in the wild for every tom, dick and harry hacker to "rape".
Did you know that a Windows NT based system won one of the cyber hack systems and wasn't hacked.. Does that show anything? No.
Here you say it won a cyber hack systems for not being hacked.
Schneier (http://www.schneier.com/news-interview-neowin.html) doesn't correct himself or update the article at all on his website. Would you have an online version of Secrets and Lies? If he did retract the statement he should have done something on it on his own website.
Also I couldn't help noticing that Secrets and Lies was published months before (January 16, 2004) Bruce Schneier did his interview with NeoWin (Posted by Tom Graham on 30 August 2004).
You broached the subject over OSes. ;)
Didn't I just say that?
Nope you didnt.
Now if you trust that you're a complete idiot.. Firewall routers.. even ignoring trojans and other such things... are generally not what I'd trust things to.
ZA doesnt go nuts when I put my XP boxens behind it. Windows Firewall doesnt go crazy either.
Oh good mac virus recently..
mp3gen
quick search.. mac security advisories..
http://www.securemac.com/
It's really called MP3Concept and according to the link it's just a proof of concept. SecureMac isnt even updated for Opener... More OS X virii pls.
We wont get into the ones caused by programs run on top of osx..
Word viruses come to mind quickly.
DOD on mac-
http://www.ciac.org/ciac/bulletinsByType/vndr_apple_bulletins.html
Word as in Microsoft Word? MS pops up again in connection to exploits. ;) I looked over the CIAC website and the Word exploit you mentioned dates back to 1996. That's 8 years ago and OS X was just but a glimmer in Jobs' eyes. Also CIAC shows that Apple has been responsive to all the exploits found. The latest one was dated Oct 28 and has already been resolved already. It didnt take Apple more than a month to resolve.
I can see this discussion dragging on for the next few months, so if I might ask, what is your solution to Windows & IE exploits, security holes & malware? Seeing you have the degree and the books.
graywolf624
11-14-2004, 08:48 PM
what I said was it shared code with it.
Every application on this planet shares code with hello world. That doesn't mean its got much in common.
It doesnt show up Windows Update.
All the ones so far were in the first update to sp2.. If you upgraded you prolly already got it.
So you'd rather have people avoid SP2 and stick to SP1 because SP1 is more secure. Barring the fact that it also bundles new features?
Until they get it checked completely.. Thats exactly what Im doing and exactly what security advisors suggest for win xp users.
Here you say it won a cyber hack systems for not being hacked.
That doesnt mean hack proof.. That means there was a challenge for money for people to hack a group of systems.. In one such competition.. The nt box was the only one not to be hacked.. But that doesnt prove shit.
They left the boxes in the wild for every tom, dick and harry hacker to "rape".
See above...
Also I couldn't help noticing that Secrets and Lies was published months before (January 16, 2004) Bruce Schneier did his interview with NeoWin (Posted by Tom Graham on 30 August 2004).
Yes and in the interview he addressed exactly what I was talking about:
It's more complicated than that. Secure software is software that's been analyzed, again and again by lots of smart people. That kind of analysis is possible in the closed source model--experts can be hired--and it's possible in the open source model. For large pieces of very popular open source software, like Linux, many people have analyzed the code for security vulnerabilities. The result is some very well-written code. But there are lots of open source programs that are obscure, and that no one has ever looked at. Making your code open source allows for it to be analyzed for security, but does not magically make it secure. I've written more here.
Nope you didnt.
You stand corrected..
Their problem is out of the box it's not set up for security and very few people know how to starting out. Comparably systems like OS X tend to be more locked down (but also not completely).
ZA doesnt go nuts when I put my XP boxens behind it. Windows Firewall doesnt go crazy either.
Most of the firewall routers are easily hackable. They also have this major issue in they don't protect outgoing at all. Trojans.. etc.
It's really called MP3Concept and according to the link it's just a proof of concept. SecureMac isnt even updated for Opener... More OS X virii pls.
Its called a proof of concept cause its not malicious. It does in fact work. Look at the dod page for more virus and security flaws.
I looked over the CIAC website and the Word exploit you mentioned dates back to 1996.
That's not the one to which I refer. Word macro viruses can and do still exist. A variant was first discovered in 1996. But any user of Office can tell you they're still out there.
Also CIAC shows that Apple has been responsive to all the exploits found. The latest one was dated Oct 28 and has already been resolved already. It didnt take Apple more than a month to resolve.
Never argued that open source wasnt faster fixing.
graywolf624
11-14-2004, 08:51 PM
I can see this discussion dragging on for the next few months, so if I might ask, what is your solution to Windows & IE exploits, security holes & malware? Seeing you have the degree and the books.
My solution is twofold. The first part I can't take credit for cause it's one of Schneier himself's babies. That is.. make software companies liable for the product liabilities that occur with their software in a sort of insurance type setup similar to any other product. As such there will be significantly larger incentive for companies to fix security flaws before they happen.
The second part is at some point people need to realize the more features they get, the less secure something is (and also the less reliable as you see in cars). At some point we need to shift people's desires so getting the next <*insert feature here*> is not as important to them as getting the damn thing to work.