It’s late here, but we’re having election night, and the two leading parties are currently tied seat-wise, with a 10,000-vote difference. Anyway, it gives me some time to cover a major problem: Microsoft is at it again. The company has pushed an update through Windows Update which silently, without user consent, installs two browser extensions – one for Internet Explorer, and one for Firefox.
Ars Technica has done the legwork here, and it’s actually pretty bad. This Tuesday, Redmond pushed out its usual batch of updates, and one of them relates to the Windows Live Toolbar, MSN Toolbar, and Bing Bar. Without asking the user, and without any indication, the update in question, KB982217, installs two browser extensions – one for Internet Explorer, one for Firefox.
Since the update is related to these search toolbars (the MSN and Live ones are superseded by the Bing Toolbar), it’s safe to assume affected users have one of these toolbars installed. They are available for both Internet Explorer and Firefox, so it makes sense that only these two are affected. Ars did some digging:
Since we could not find any official documentation from Microsoft, we checked the actual IE add-on and Firefox extension. Unfortunately, they were not terribly helpful; all we discovered was that the IE add-on is at version 3.0.126.0, so it has been around for a while, and that the Firefox extension is at version 1.0, so it’s likely it was only released now. Both seem to be installed in “C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper.” Inside, there is a file called “SEPsearchhelperie.dll” that is responsible for the IE add-on and a “firefoxextension” folder responsible for Firefox.
Ars installed the update on a test system where the Windows Live Toolbar was installed for Internet Explorer only – yet, the Firefox extension was installed as well. This is very troubling, and as you can imagine, Firefox users are not particularly amused, nor is Mozilla. “We’re in contact with Microsoft, and are looking into it,” a Mozilla spokesperson told Ars Technica, “As far as we know at this time, there are no security implications to this add-on’s background installation.”
Security issue or no, this is troubling on so many levels. First, an update description should properly list what is being altered and/or added to the system. Second, Firefox is not a Microsoft product, and is not updated via Windows Update, and as such, should not be tampered with. Third, if any of the toolbars in question is not installed for Firefox, the extensions should not be installed. Fourth, this is my computer. Just as much as I dislike Apple for pretending my iPhone is actually theirs, I dislike Microsoft for thinking my computer is theirs (okay I’m actually not affected – I use Linux).
Microsoft needs to act quickly on this one, because this is totally unacceptable.
I’m too busy pressing F5 at the moment to be mad about this. But I think I’ll be pretty mad about it tomorrow.
I wonder if this is actually allowed?
Don’t install that bloated, ad-ridden piece of spyware known as windows live in the first place.
Fact is that most users don’t care what is installed on their PCs. Actually they’re even thankful that MS installs extensions they would install anyway. And exactly these “most users” are MS’s target market. What MS does is fulfill its target market’s wishes. It’s that simple. Of course there are also unhappy users but it’s always a trade-off: 5% of the target market vs. 95%.
But it was the wishes of these very users to use something NON-Microsoft for browsing the Internet. It seems like Microsoft is pissing all over those very people’s wishes by ALTERING their alternate, THIRD-PARTY browser installation by installing their crap in it. Is that *not* why such people may choose to use Firefox anyway? To run something that has a reputation for being safer and not dictating what you do with the Web? And yet Microsoft strikes back yet again–thinking they can change the browsing experience of people who don’t even use *their* f***ing browser.
Edited 2010-06-10 03:02 UTC
a Mozilla spokesperson told Ars Technica, “As far as we know at this time, there are no security implications to this add-on’s background installation.”
That still doesn’t excuse the fact they did this installation without user consent. Google’s Chrome Frame plugin was announced, and is Opt-In.
But Steve Ballmer is living in his distorted reality where making bad decisions, losing major accounts, and then firing subordinates is just fine.
I’m a Mac/Linux guy…so they can’t touch me, but I am seriously giving M$ the Colbert Finger Wag.
I disagree. Actually, most general users do care what gets installed on their computers, they just have a lot of trouble determining what is or isn’t valid and/or expressing what exactly they want. I’ve worked on thousands of computers running Windows, OS X, and Linux and most consumers may not be able to clearly express why or what happens to their computers when there’s a problem but awareness of Microsoft’s putting profit and control over providing their customers with a quality product/experience is well-known. These aren’t ignorant people as you infer, they have skills and expertise in areas outside computer stuff. As for your very, very outdated 95% market share reference, I simply feel guilty for feeding yet another troll with this comment.
Doesn’t matter what the user’s want, Microsoft cannot in any way tamper with any third party software without the explicit permission of the user.
They can’t? Seems to me like they just did, isn’t that why we’re pissed off in the first place? They *should not* mess with 3rd party software, but they most certainly *can* do so. Personally, my Windows system wasn’t affected, as I don’t install windows live at all. As a rule, I don’t install anything with ads in it no matter what the os, and windows live has ads flashing all over the place so it never gets anywhere near my windows machine.
Ever read the Windows EULA?
Try it – you will be surprised – I guarantee!!!
Yeah… And IT SUCKS!
So probably one lazy engineer designed a single update for both versions (IE and FF), instead of two separate updates. Thus it installed the FF extension, whilst fixing the IE one.
Now we have a new conspiracy on hand
Indeed. I feel like this is yet another example of a storm in a teacup; people just make it out to be more than it is.
1) It installs the extension only for people who have it already for IE.
2) It doesn’t seem to be intended to be installed with some sort of a malicious intent.
Am I too naive, or are people too paranoid?
Edited 2010-06-10 03:18 UTC
“Am I too naive, or are people too paranoid?”
I would say mostly both. You are naive in thinking that malicious acts by Microsoft are OK; nothing malicious is OK. M$ won the browser war in the past by cheating, now that they are losing ground…last-ditch effort to no avail. Lose with dignity M$
Paranoia is the reason why people are making the switch away from M$, as we all know bloat is a great hiding place for zero-day exploits. No one wants exploitable code running on their machines. I am not saying Mozilla is bullet-proof; but you gotta admit, Firefox is a great browser that holds its own.
I am an engineer and notice that within days of users working on a computer they request Firefox, Chrome, or Opera. IE just doesn’t cut it anymore.
Just this week a user was advised to use Firefox because IE could not run a Web application in a local financial institution….imagine that!
“M$”? Are you serious? Is this 2002?
Check this out:
http://www.penny-arcade.com/comic/2002/7/22/
You are naive in thinking that malicious acts by Microsoft is OK; nothing malicious is OK
But that’s the whole point, or did you miss it? I am asking, is this really a deliberate malicious act, or could it just be that the engineer who did the packaging didn’t think it through and threw both IE and FF versions in it? That’s not really too far stretched IMHO, a simple brainfart is all too common. Especially since it doesn’t install such at all on computers which don’t have it already.
M$
It’s really hard to take someone seriously if he uses such childish abbreviations.
Well, given that Microsoft is a huge organization.. it would be the engineer/developer plus several levels of middle management above him along with QA teams that brainfarted. Like Google’s “evil rogue developer” causing three years worth of network packet capture.. the excuse doesn’t hold water. They both have the resources to be held to realistic QA standards.
Your excuse for Microsoft doesn’t make any sense. It doesn’t matter if it was two developers or one faulty IE plugin, or one drunken developer or whatever. Microsoft do not have any reason to mess with Firefox, other than to sabotage it. They should steer clear from Firefox; any “improvement” to Firefox coming from Microsoft should be (and is) counted as an attack on Firefox users. Especially if the “improvement” is closed source. If they have a valid contribution, then they should tri-license it under GPL, LGPL and MPL and submit it to Mozilla for review and maybe it will get included, if it is good enough.
Any other approach is unacceptable.
This is very easy code to implement, and very important. Look at it this way. If it was an accident as you claim then it is incompetence on Microsoft’s part. If it was purposeful then it was a malicious act. Either way it is not good. And ask yourself which OS would you like to protect your bank account: an incompetent one or a malicious one?
Probably the first one.
Your naivety cannot save you from any danger, paranoia can … ask yourself what is the best thing the user can do: to be paranoid or not to be?
Microsoft producing a plugin for Firefox is all well and good but let them deliver it through the plugin website where users can go and choose it easily and specifically. Same for Flash.. it would conform to the plugin distribution model, users would have a choice about installing it, users would get updates along with the rest of their plugin updates.
Mozilla is also guilty to some extent by allowing unverified plugins to inject themselves in through back doors but that does not change the fact that Adobe has poor delivery and Microsoft is abusing its privilege as the OS base by manipulating non-Microsoft software on top of that base.
This plugin may actually be a tempest in a teacup but the last one opened up security risks, this one may also, and the unacceptable behavior by Microsoft continues.
People are as paranoid as they need to be, these days
There’s no excuse for laziness when you’re writing patches that will affect millions of people. Particularly when you’re patching someone else’s software (not that laziness is acceptable when patching your own software either)
And if the engineer couldn’t be bothered to do his job properly, then I’m sure there’s thousands of other developers (many of whom are likely out of work given the current economic climate) who would be more than happy to have that job.
So storm in a teacup or not, Microsoft are 100% in the wrong.
I don’t like this whole behind-my-back-stuff, it just reeks of monopoly abuse.
This company has so much money, they should be able to pay a few people to prevent them doing this and if they don’t they should be fined again and again.
Or maybe they should do something worse to Microsoft, something they will understand, so they really do change their ways.
Edited 2010-06-10 02:18 UTC
It must be reassuring to be above the law, and able to do whatever you damn well please without being held accountable. Thanks, Microsoft, for reminding me why I don’t use your products at home.
Doesn’t this highlight why Windows itself is inherently insecure? Microsoft leave themselves these loopholes which allows them to silently install what they want (presumably after you have accepted the install in the first place) into non-MS apps. So is it any wonder when you happen to click on some innocent looking link/button on an innocent looking website it is possible for your computer to become completely p0wned?
Shouldn’t there be a message saying… hold on, this application you have launched which has nothing to do with Firefox wants to bugger with Firefox… are you sure about this?
If you are a Windows user, Microsoft owns the OS software on your machine. The EULA, which (Microsoft claim) you agreed to, claims this to be so, even though you paid for the machine and its software. Within that EULA, Microsoft reserve for themselves the right of control over the Windows OS software installed on your machine.
Windows users perhaps shouldn’t be surprised when it transpires that Microsoft thinks it owns the entire machine as well as the OS software.
A related observation is that Windows users perhaps shouldn’t be surprised when it transpires that Microsoft thinks it has a right to determine what you are and are not permitted to do on your machine.
An almost-unrelated observation: Apple appears of late to be thinking along similar lines for Macs and iDevices.
Edited 2010-06-10 05:58 UTC
Firefox is not a Microsoft product so any argument on their behalf is frivolous.
I think the bigger question is… shouldn’t Firefox be doing something about this? I mean, if some rogue 3rd party secretly installs an extension, shouldn’t Firefox warn the user the next time the browser is started that “Hey, something is different than the last time I ran …”
I’m not excusing Microsoft’s behavior here, but I think the problem here is Firefox. If MS can install extensions without the user’s permission, that leads me to believe that anything can.
And, if it can be done on Windows, I assume it can be done on Linux, OSX, or any other platform that Firefox runs on.
Edited 2010-06-10 20:05 UTC
As someone else said the last time this came up, “if the OS decides to mess with an application, there’s really not a lot that that application can do.” This strikes me as a situation where, practically speaking, there’s not really much that Firefox could have done to defend itself.
Anything more than they’ve already done, anyway: as long as you can still disable the thing through Firefox’s plug-in manager, then you’ve kind of got your wish now.
Edited 2010-06-10 21:40 UTC
I would think there should be a way for the browser to at least be able to tell that an extension was installed outside of the browser, and then alert the user upon startup and give them the option to kill the extension before the browser is run. Surely, there should be a checksum of some sort kept somewhere that would be hard for a 3rd party to tamper with …
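The check the comment above asks for, as an added example that is not part of the original thread and is not Mozilla’s or Microsoft’s code: a baseline of per-file SHA-256 digests over the extension directory is recorded and authenticated with an HMAC, and on the next start it is compared against what is actually on disk, so anything dropped in, removed or altered outside the browser shows up. The baseline file name, the extension IDs and the directory layout are all constructed for the demo. The caveat the previous comment raises still applies: an installer running as administrator can overwrite the baseline and the key as well, so this detects out-of-band changes rather than preventing them.

```python
"""Baseline-and-diff check for a browser's extension directory.

Added example, not Mozilla's or Microsoft's code. Records a snapshot of
per-file SHA-256 digests, authenticates it with an HMAC, and reports paths
that were added, removed or changed when the directory is re-scanned.
Caveat: a writer with administrator rights can replace the baseline and the
key too, so this is detection of out-of-band installs, not prevention.
"""
import hashlib
import hmac
import json
import os
import tempfile

BASELINE_NAME = "extensions.baseline.json"   # hypothetical file name


def snapshot(root):
    """Return {relative_path: sha256_hex} for every file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def _canonical(snap):
    """Canonical JSON encoding so the HMAC is independent of dict order."""
    return json.dumps(snap, sort_keys=True, separators=(",", ":")).encode()


def write_baseline(root, key, path):
    """Record the current snapshot plus an HMAC-SHA256 tag over it."""
    snap = snapshot(root)
    tag = hmac.new(key, _canonical(snap), hashlib.sha256).hexdigest()
    with open(path, "w") as fh:
        json.dump({"snapshot": snap, "hmac": tag}, fh)


def load_baseline(key, path):
    """Return the recorded snapshot, or None if the HMAC does not verify."""
    with open(path) as fh:
        record = json.load(fh)
    expected = hmac.new(key, _canonical(record["snapshot"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["hmac"]):
        return None
    return record["snapshot"]


def diff(baseline, current):
    """Classify paths as added / removed / changed relative to the baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: a baseline is taken, then an extension folder
    appears in the directory without the browser's involvement, and finally
    someone edits the baseline file directly. Returns (diff, tampered_load)."""
    key = os.urandom(32)   # in real use this would live somewhere the dropper can't write
    with tempfile.TemporaryDirectory() as tmp:
        ext_dir = os.path.join(tmp, "extensions")
        known = os.path.join(ext_dir, "known-ext@example.invalid")   # constructed ID
        os.makedirs(known)
        with open(os.path.join(known, "install.rdf"), "w") as fh:
            fh.write("<RDF/>")
        baseline_path = os.path.join(tmp, BASELINE_NAME)
        write_baseline(ext_dir, key, baseline_path)

        # Out-of-band drop, the way an OS-level installer would do it (constructed).
        dropped = os.path.join(ext_dir, "searchhelper@example.invalid")
        os.makedirs(dropped)
        with open(os.path.join(dropped, "install.rdf"), "w") as fh:
            fh.write("<RDF/>")

        result = diff(load_baseline(key, baseline_path), snapshot(ext_dir))

        # Forging the baseline to "bless" the dropped file breaks the HMAC.
        with open(baseline_path) as fh:
            record = json.load(fh)
        record["snapshot"]["searchhelper@example.invalid/install.rdf"] = "0" * 64
        with open(baseline_path, "w") as fh:
            json.dump(record, fh)
        tampered = load_baseline(key, baseline_path)
    return result, tampered


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the diff, which lists only the dropped extension's file under "added", followed by `None` for the forged baseline. The key is generated per run here only to keep the demo self-contained; where it is stored is the whole question, since anything the dropper can write to, it can also re-sign.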
Code of any sort is rarely perfect. I’d imagine that this extension will be found to have some negative effects on Firefox, likely through bugs or a performance detriment. Secretly damaging a competitor’s product seems like something that would be highly illegal…
Apple is banning flash and admob
Microsoft is installing FF extensions without your knowledge
Google is mining your unsecured Wifi traffic
Where is my tin foil hat.
]{
PS. get off my lawn
I once took my car in for maintenance and got 4 new tyres of brand A.
Facing my surprise, the garage owner told me that there was a discount on high-speed tyres of brand A. So I didn’t have to worry; it was the same price as my favourite brand B (normal speed).
So at six o’clock pm, he himself removed the 4 tyres and put the old ones back.
Because first, I don’t want to drive at high speed even if my car can.
Second, he didn’t even warn me about the need to change my tyres or offer me a discount on brand B.
So ?
… From then I put my car to another garage.
Will you accept the same “practice” with your Operating System ?
And this is why I think the iPad is a good thing.
Most of my paid time is spent wiping this crap off of machines. All companies assume they are the only thing on the machine and all assume it’s just fine to invite any old crap in just because it would “help” the user. Enough is enough. This problem simply can’t be fixed–it is part of the culture of corporate participation on Windows; you don’t get this behaviour on Linux or OS X, it simply isn’t part of the software cultures there. A fresh start is needed that makes all of this crappy behaviour nonexistent, and the iPad is it.
The web is it too, because the great thing about the web is that the client browser has control and can veto anything the web app wants to do. The web has put users more in control than a decade of PC software. You can always close a web page, but users have no idea how those tray icons got there, and how to get rid of them.
I’m really sorry, but the iPad is made by a company that has the same tricks as Microsoft, maybe even worse. We’ve seen Apple do things we never thought Microsoft would do.
I wouldn’t trust them with a stick.
I fully agree on the web though. I’ve said it again and again, to companies as well. When you need a new application, create a browser-agnostic website (intranet) and you have more flexibility.
It’s centrally managed, you can put it outside your company if you like or you can manage it yourself, you don’t depend on anything but having a browser. You can use it from anywhere, if it’s connected to the internet, you don’t need a VPN. You are operating system independent, which could get really important in the ‘near’ future. Especially with all that mobile stuff going on now.
A lot of the time these web applications are written in scripting languages so when you strike the right deal with the vendor you can probably take it somewhere else when you have problems with your current vendor.
Possibly it’s based on an existing open source system, so you can search for a vendor who already knows how that works.
With HTML5 we finally have browsers adopting offline applications and local storage and multi-file drag-and-drop upload, support for more graphics (SVG, Canvas, WebGL), etc.
So it also means dependency on third-party plug-ins will diminish.
I don’t recommend an operating system, I can only recommend a properly built web or your own private web (intranet).
I’ve been doing that for over 10 years. Only because of IE’s development speed and vendor lock-in did things really slow down a lot, but now with HTML5 we are starting to see it improve.
I thank Netscape/Mozilla for eating up that market share. 🙂 That’s what got things exciting again. It really was a grassroots movement.
Edited 2010-06-10 10:19 UTC
Oh, c’mon, please! you seem to be so naive to think that iDevices are any better than other closed source stuff!
Are you asleep? haven’t you heard of “iAd” platform to throw stupid ads right into your face on your platform-of-choice, which is MacOSX/iOS/iPad?!
jesus, you’re just repeatedly releasing these “with love for Apple” bees … what do you think? that Apple is a company with a bunch of hippies?! flower power, love and open source? no way, dude. They slashed Flash and AdMob just because they wanted to introduce their own stuff to advertise. D’oh!
Let’s put politics aside for a moment and look at reality; the reality a non technical user experiences when they use the iPad.
Is there any unwanted software that installs itself on the device?
Does it slow down over time for no reason?
Does it crash daily for no discernible reason?
Does it constantly hammer you with pop up message asking questions you don’t know how to answer?
Does it require an anti-virus like Norton or McAfee?
Let’s get real. The iPad is great for users who don’t care about how it works and what geeks debate about on the Internet.
Apple are screwing developers, not users. The users don’t know anything better than the best computer they’ve ever used.
I don’t know about the iPad, but my iPhone 3GS crashes all the time. Mail, Safari, and many applications. Since there is no task manager, if Safari or Mail act up, I’m forced to restart the entire device.
Happens a few times every month.
Granted, but you can see that it is Apple’s goal to distance the iPad from the usual experiences of desktop computers as much as possible. Jobs stated in the keynote that they reject apps because they crash, minimising the crashes you do have to just a fraction of what could be possible.
In this thread I am not defending Apple’s anti-competitive actions. I’m merely defending the viewpoint and experience of your non-technical end user—something oft forgotten on these forums.
Thom, I second this. That was the prime reason I got rid of my iPhone 3gs recently in favor of an older but much more stable Symbian smartphone. Not only did the iPhone crash quite a bit, but some of the apps (Mail, Weather, and the app store) kept draining the heck out of my battery due to a memory/resource leak. That being said, I had an iPod Touch before that and didn’t notice anything like that on the Touch, so perhaps the iPad doesn’t have the same problems as the iPhone. Pretending though that a system is more stable just because it is completely locked down is ignorant at best. On a PC, the user can fcuk things up. On an iDevice, Apple is quite capable of fcuking things up for the user. Given the choice, I’d rather fcuk up my own device… at least then it’s my own fault and can be fixed. If there’s a bug in an Apple device, you’re screwed until Apple deigns to fix it.
Same here, and actually a lot more frequently than once a month, maybe several times a week. Mobile Safari loves to die on image-heavy sites in particular. And, for every time that mobile safari has actually crashed, it’s had long stretches of not responding to user input about ten times — it loves to stop and spin its wheels for between ten and thirty seconds. The ebay app I installed is even less reliable.
And you still don’t get the point, do you?
First of all – Apple-oriented software is no better than any other software, plus – they seem to generate many bad bugs.
Secondly – iAD, iAD, iAD, iAD, iAD … now get it? so what your experience is a little better than with Windows … it may be crapped by the ongoing everlasting advertisement … Apple is no way better than MS – they’re both the same actually. They assume your dev is not your dev. You are only granted to use their device with their OS which belongs to them. Face it.
This attitude extends to doing everything to try to make sure that you cannot run a machine that IS actually your machine.
Even if you are the government:
http://arstechnica.com/security/news/2010/06/cyber-war-microsoft-a-…
Especially if you are the government. National security be damned.
I agree. It’s a very bad practice which leads to total dependency …
I believe the point was that owners are highly restricted from installing any old software on the Ithingy and what does get installed is rather tightly controlled. In terms of security, this does close off the avenue for random installs, drive by droppers and such.
ChromeOS takes it a step further and validates the firmware then replaces it from a known clean image if it’s found to have been tampered with. This may be the closest we’ve come yet to self-healing consumer products.
Neither is attractive to me due to my need for real flexibility but I can see how it has the potential to reduce the ICB (international consumer botnet).
Control of a user’s own PC was given away just as much as it was taken. A great many users are more than happy to give up a substantial level of control in exchange for convenience. Most users probably won’t want to have much control over what’s running on their systems, so long as that control would require that they have an understanding of what’s running on their systems, what it’s doing, or why. Part of the much-referenced “make it Just Work” attitude is that customers often don’t care what’s done to make their system Just Work, or who they have to sell their soul to to get there, so long as, in the end, things are pretty, their system does roughly what they want it to do, they don’t have to get their hands dirty, and there aren’t too many direct, tangible consequences.
The Web’s not any better. Think about all the people who use social networks, giving up huge volumes of personal information to third parties, trading massive control and privacy for modest convenience. Actually, for that matter, I’ve heard any number of stories of people embedding all kinds of malicious objects in Facebook messages and applets and such, and carrying off all kinds of shenanigans. I don’t know why you’d think that users won’t happily and eagerly trade privacy, security and control for Convenient and Neat once they get to the web, just like they did on the PC?
I easily recall how installing Flash for Opera on Windows, installs it for Firefox, K-Meleon and a host of other browsers without my consent.
Also, Adobe updates will update all the plugins of all the browsers. I recall no hell gate opening because of this, except for Adobe’s bugs.
Finally, maybe the curious reader of Windows Live Toolbar EULA can see that this crossbrowser update is present in that Agreement.
Bottom line: Don’t install toolbars if you don’t want extra software (wherever it may appear).
That’s one of the reason why I stayed with Opera since 2001, when, out of curiosity, I “tried” it. Yes people (thinking of Thom here) have said “it does too much” but that much is exactly what I want. One keystroke to access my email and feeds account, one keystroke for my bookmarks, one for searching Google, one for Wikipedia, and one for any online service that I would choose. All of this entirely configurable to my wishes. Tabs, adblocking, tab process separation, skins, speed dial, emails, everything is available. Quite surprisingly, pioneer Opera needed Firefox and many many user complaints to bring spell-checking into the browser.
Private company, closed source, there’s bloat in Opera especially the 10.50 to 10.53 versions, there’s still no way to delete only one item from the cache, the HTML emails are not perfect yet, etc. I’m even writing an article on why Opera might lose me as a user. But overall, the philosophy of no extensions (widgets have even been kicked out of the browser quite recently) resonates with me.
I’ve said for a long time that Adobe’s Flash plugin delivery is part of the problem. They also intentionally go outside the browser’s plugin distribution method. Flash for Firefox should be in the Firefox plugin repository where it’s easy for users to find and updates through the browser’s standard method. Adding a separate update hunt and download when a far cleaner method exists is just one of the reasons I’d drop Adobe in a second given the choice.
(Anyone know when they’ll have the latest vulnerability patched and ready for download? It affects Flash, Acrobat and Reader after all.)
I will never understand how people can let anyone decide what to have and what not to have on their computers. Background activity? ad-ware? ad-systems? this is truly outrageous. Fortunately I’m a rather conscious user and so I don’t use close platforms like Windows or MacOSX.
The “close” is not the crux of the matter. As I said just minutes ago in another comment, there’s no ad-ware or ad-system, background activity or shady actions in Opera and there’s been an integrated adblocker for several years now. The savvy user can even define their own javascript file that gets executed on each page. You can even have a specific js file per site!
I am also a techie conscious user, with only secondary mail addresses that I can throw away anytime and no personal information on the web, no social network other than the one on Myspace opened, years before Facebook and Twitter, so I could leave comments to music artists. I’ve never installed any toolbar, I’ve installed no extension on Firefox other than Firebug at work. I’ve disabled Flash, disabled Javascript in Adobe Reader, applied all security upgrades, I’ve always paid the yearly subscription for my antivirus and activated its auto update feature, I regularly check the Firewall configuration and have a disk access monitoring software on Vista, etc. But I chose Opera and I hate OpenOffice so much that the only reason I have it is the pervasiveness of “.doc” files that it’s able to open, especially now that I’m looking for another job and must send résumés and fill forms.
“Open” companies are not to be ignored either as to the evils they can do. The articles published on OSnews about Canonical and the treatment of the developer community come to mind.
Is Linux or FreeBSD impregnable bastions that could resist attacks that a determined ad-ware company would launch at them? Aren’t there security upgrades in the “open” world too?
Yes, there are reasons to steer clear of Windows and Mac OS X, but clearly the open/close distinction does not say all that there is to say.
The problem is more of a culture or philosophy consideration than of an open/close one.
Companies don’t get any control at all over a users Linux or FreeBSD machine, unless that user goes out of their way to give that company control.
It is like the inverse of the situation with Windows and OSX. By default, Linux or FreeBSD will have no commercial software at all, and security updates would also never install any commercial software.
No matter how determined the adware company, a default installation of Linux or FreeBSD is definitely a no-go zone for adware.
After all, the owner of a Linux or FreeBSD machine actually owns the machine, and has complete control over the software that gets installed on it. Furthermore, there is a simple easy-to-follow policy that ensures that no adware will get a look in. That policy is this: “only install software via the package manager, and never add any extra repositories”.
Edited 2010-06-10 12:12 UTC
Totally agree that the owner owns the machine and no one else and no company should.
But do all Linuxers follow that policy? Is it common knowledge? Or is it a “you learn by being burnt” thing like on Windows “never install a toolbar, even to block pop-ups?”
Yet, some Linux users tout the “freedom to create or add repositories” as a feature (even in the OSnews podcasts) despite that policy.
In general, the approach is to stick with a distributions provided default repositories. Going outside to non-default distribution repositories is an extra step that a user would need to learn. Going further outside to repositories not remotely provided by the distribution would be step three; even then, it’s only recommended for software if it’s absolutely required and from a trusted maintainer.
I add non-free to my debian repository list which is an easy extra step but takes me outside the defaults. It’s still Debian’s maintainers so it’s trusted. I also add Webmin’s repository which is not maintained by Debian but Webmin’s maintainers are trusted. I would think seriously before adding some “bob’s obscure repository” link though.
In the case of Maemo Linux, third party repositories are very normal for use who go beyond Nokia’s provided repositories. Such repositories come from a particular listing with a long history in the Maemo community; untrusted repositories would be yanked off the list pretty quickly.
This is all in reverse of Windows where one has millions of software sources and must consciously limit themselves to somewhat trusted download sites. In one case, users have to learn to expand their sources, in the other, they have to learn not to trust every source that turns up.
You know, it’s actually very hard to install software from external sources. The software usually comes as a tar.gz source package which demands some sort of deeper knowledge of how to compile software. It also comes prepackaged, but it is not a “100%” routine.
Usually it is easier to type “package x” in a GUI tool to install a package automatically, than hunt for a software on the internet, which is the case in Windows and MacOSX world.
On a Linux or FreeBSD machine, the owner of the machine, strangely enough, is the person who gets to set the policies.
If the owner follows a self-imposed policy of “only install software via the package manager, and never add any extra repositories”, then the machine will never get malware of any kind.
This is not just a vague boast, the historical record of package managers and repositories stands behind this.
However, having said that, the owner of a Linux or FreeBSD machine has complete freedom to do whatever, including violating policies and installing un-vettable closed-source software from wherever. This comes from being the owner, and therefore knowing the root password. The only person who can follow the policy quoted above, or indeed break it, is the owner of the machine, he or she who knows the root password. This is the very thing with a self-imposed policy.
I know that being in complete control of one’s own property is a foreign concept to those mired in the land of commercial software usage, but there it is.
And how, exactly, is this different than the iPhone/iPad? As long as you stick with Apple’s app store, you’re pretty much guaranteed to never get malware. However, if the user chooses to, he can jailbreak his machine and install whatever he wants. I don’t see there being a whole lot of extra freedom in this regard on a Linux box, where, if you follow the policy stated, you’re basically being dictated what software you can install on your box by the keepers of your distro’s repository.
On a Linux or FreeBSD machine it is a self-imposed policy. For Apple’s app store, it isn’t.
In the Apple App store … does Apple get to vet the App by examining the source code? Does anyone other than the author of the code? Who has visibility of it apart from the author?
Plenty of differences compared with a Linux or FreeBSD machine.
Are you saying that the code of all software packages available on the repositories of a Linux distro, for instance Debian, has been inspected and declared free from any malicious bit? Sorry, I would never believe that.
If open source is indeed a meritocracy, the devs and projects don’t want to be remembered as the first to have brought malware into that world; they don’t want to impose things on users. They just believe that they’ll make a product so good that you will see that there’s no point picking anything else. That’s what made Firefox popular. It was just better than IE and it appealed to more people than Opera and anything else that existed. Period. Firefox did not become popular because its code is open at a time when people were worried about malicious code. Can you imagine that someone on this planet can go from being a total stranger to the FF code to inspecting it and verifying that it behaves well? I can’t. Finding bugs in code we’ve made is already not easy. Moreover, the code for a browser is immense.
Once again, the code for Opera could go open tomorrow and their market share wouldn’t soar.
I think you’re wrong. It actually is about openness of the environment. Subscription payment doesn’t assure that you’re secure … what does is the ongoing code reviewing and its open source nature. You can’t hide anything when everything is transparent, can you?
Sure, Canonical has its problems, but – may I say it aloud – Canonical is crap for advanced users; it is targeted at the average Joes out there.
Regarding Opera – its closed nature makes it unreliable when it comes to security. They had their bad episodes, like Opera Turbo connecting through their filtered servers, and their built-in server thing makes it an even more unreliable and dangerous product.
You are not getting me. What you said was “open is secure and closed is not secure” and you repeated it again with
Haven’t there been security upgrades to Firefox? Plenty, and God knows I’m not a regular Firefox user.
You are having the same attitude as those who said open source is not good quality, which has been proven wrong so many times.
Should Microsoft decide to turn IE open source, would it suddenly become secure? Are Safari, IE, Opera insecure because these are closed source software?
I’m telling you that no, some closed environments are secure and an open environment may also go wrong if the people who run it decide to install things despite your knowledge. What could prevent them from adding a backdoor with a certain agenda and acting innocent when caught red-handed? Not an illustration, but let’s remember that Google Chrome had a benign event weeks ago about the private mode retaining some harmless info (found it: zoom settings!). The code is open. Yet revealing the problem didn’t come from inspecting the code!
I’m saying “It’s not a white XOR black thing” and if it were, the criteria would not sum up as open vs closed, it would be willingness to respect the users by not acting like they were dumb people who don’t know what they want and what is good for them. In this story, Microsoft acted like that. Avira and Opera don’t. Until now. When they start, I’ll kick them out. That’s what the disk access monitor is for.
Of all the things I’ve written, you’ve picked the payment to Avira as if I had said that paying them assures me of some security. Never said that. Having an antivirus, so good that I choose to pay for it just to have the auto update feature instead of the manual update, gives me a **false** sense of better security since some malware vectors are under watch.
As to Opera Turbo (I must admit I didn’t know of the bad episodes), the problem is not Opera and their misdeeds; it’s that transmitting unencrypted data makes it easy for anyone between the client and the origin server to eavesdrop or steal data that they’ll use as they wish. Using any online email like Yahoo (which I’ve been doing for 11 years) is insecure, as is, following your reasoning, using any non-open email client. We opt in to use Opera Turbo or Unite or Link. How different is using Opera Turbo when I was back in Africa with the painfully slow and awfully expensive networks from using Yahoo Mail or GMail or Google Apps? As I said previously, yes, I’m very pro-Opera as a browser, just as some are pro-Firefox or pro-Chrome, but I know Opera is a company, not an angel. Their browser has its shortcomings and lacks. Security or privacy are not among these, as far as I know and experience.
That’s kind of the point. The issue is not that open or closed software has bugs. The important thing is that those bugs are fixed very quickly and the code is open for anyone to review. Consider Pwn2Own:
The contest itself is a fun show but absolutely no indication of security quality between target systems. Exploits can only be used against one OS/browser combination. Contestants target the hardware they want to take home. It tests the researcher not the target system.
The contest aftermath is where the really interesting stuff happens. We find out only afterwards that the exploit is actually effective against all browsers and possibly all browser/OS combinations. We also saw Mozilla release a patch within the week after the contest back in April. Apple’s Safari patch came out last Monday (Jun 7). Microsoft’s IE patch comes out Tuesday (Jun 8). It’s not that they all had a vulnerability but how quickly the developers responsible were able to correct it.
With open source, the patch can be delivered with the bug report and taken as is or modified by project developers. Patch times can be measured in hours and days. With closed source, a very limited number of developers have access to correct the source code and a bug report (if accepted by the developers) can only include an approximate guess against binary analysis. The lack of transparency often demonstrated by the closed source developer is used to try and “save face” while.. and if.. they bother to fix the issue instead of informing users so risks can be mitigated while waiting for the patch.
Simply put: counting bugs is crap. Counting patch times and effective results is what is important.
If someone in an open source project included a back door and it somehow got through to the production repository without another maintainer going “hey, what does this code do and why?”, you also have a social structure to contend with. No developer wants to make their name by being the first idiot to try and get away with stuffing malware into a FOSS package. Generally, developers write because they use the program and platform; they don’t want to blow security holes in their own OS platform.
Well, this is M$, what on earth do you expect? Personally I never use WU and have it disabled and removed as far as I can. I run XP with SP3 and that’s it. I run a third party firewall (PC Tools) and use it to block IE, not because of any grudge but because it has often been used by trojans to bypass firewalls in the past. I run FF and do keep that up to date. I am also behind a router (as I’m sure 99+% here are). Never have a problem with this set-up, very stable, AND I never get bugged by M$’s and others attempts to hijack my machine.
Hmm, let’s see… I have a bunch of Java Console extensions I did not install myself. Guess what? Just because I installed Java via IE, which I intended in order to use some Java applets within IE, it also installed the extension for Firefox. OMG! Sun and Oracle are taking over my computer!!!!! /sarcasm
Anyway, it’s not a big deal. You can remove Firefox extensions you don’t intend to use, so I don’t see what the big deal is about this Windows update.
But don’t let me stop you! Keep bashing Microsoft as usual. Remember, you are not cool if you don’t do it.