I recently linked to an article stating that users of Internet Explorer have been exposed to known critical vulnerabilities for 284 days last year. That sounds bad enough but unfortunately it is not all. For example I came across a vulnerability in Internet Explorer that has been ranked “Less critical” for reasons I don’t understand. What this does — it basically eliminates same-origin checks, any web site can read contents of another site. I put up an example that can check whether you are logged in on Google or Yahoo and read out your user name — provided that you use Internet Explorer. It could just as well read out your mail or change your mail password. It could also go into your banking account if you happen to be logged in. Information on this vulnerability has been published April last year and still unpatched in both Internet Explorer 6.0 and 7.0.
Thanks to morgamic for telling me this, I probably wouldn’t have noticed otherwise — Addons.Mozilla.Org has made an important move towards raising the quality bar. The autogenerated spyware-infested Conduit-based toolbars have been disabled, all 93 of them. Any new submissions will be automatically rejected. Way to go, AMO!
Mike Shaver writes:
I have seen many people complaining about how Firefox is no more secure than Internet Explorer. Usually this impression comes up when people read the long lists of security bugs fixed with every maintenance release. Since I have reported a few security bugs myself and could observe how Mozilla deals with those, I knew well that Firefox is still incomparably more secure than Internet Explorer — and now there is proof. Internet Explorer Unsafe for 284 Days in 2006 has the data. Last year users of Internet Explorer have been exposed to unpatched critical security flaws for 284 days in total, on 98 of those days the security flaws were actively abused by web sites. In comparison, there was only one vulnerability in Firefox that was publicly disclosed before a patched Firefox release was available, amounting to 9 days of exposure.
So where did the long lists of security bugs go? Did the author of this article overlook them? No, he didn’t. These bugs were there, they have been discovered and fixed — and only then the information on them has been disclosed. So while each and every software has bugs, the major difference here is that Firefox vulnerabilities are reported and fixed before the information is disclosed and somebody gets a chance of abusing them — and with Internet Explorer it often happens the other way round.
I should be finished with my PhD in May. What should I do once I am done? This question is bugging me right now. These three years have made it very clear that I don’t want to continue an academic career. I want to produce good software that will be used by real people, and sadly this is simply unrealistic being at a university. Most of the research produced will never turn into real applications, and even if it does, most of the time nobody will ever notice those.
There is also a complicating factor — after spending three years away from my family and my fiancé, I really want to settle down in the area of Cologne or at least somewhere from where one can easily go to Cologne for a weekend. Finding a company in Germany where I could spend most of my time programming instead of fighting the process isn’t exactly easy. Add to this that I’m not the convenient type of employee — I have a strong opinion on just about anything and I won’t hesitate to tell it. All this together means that I don’t have all too many choices.
The spell checker in Firefox 2 is certainly a great feature. I have already seen lots of people write this and I agree. And yet, it has some certain deficiencies that make me use it far less than it could be. The reason is: it seems to assume that you always write your texts in the same language. Yet I am frequently switching between languages, I write texts in English, German and Russian all the time. And going to the context menu, digging into the languages menu and choosing the right language is just annoying, especially for a short text. There is also another issue: switching languages takes a while, and for a huge dictionary like the German (10 MB) it becomes a major annoyance.
These issues could be solved of course. For example one could make the UI for switching languages more accessible by adding keyboard shortcuts, maybe Ctrl+Shift+1 through Ctrl+Shift+9 (extension, somebody?). Then, when I switch away from a language this probably doesn’t mean that the dictionary should be released — I want it to be kept in memory. I don’t care about the extra 30 MB of memory usage for the German dictionary but I care very much about the 10 seconds delay when Firefox has to load it again.
Disclaimer: I don’t blame people working on AMO for anything. They face extremely difficult problems and are working very hard. I am simply noting some areas where they still have a long way to go.
I started a little experiment — downloaded all extensions from addons.mozilla.org (AMO), unpacked them and tried to find security holes by searching for specific strings. As expected, it wasn’t all too difficult, one can easily find a dozen vulnerable extensions in an hour, and that not even accounting for the fact that there is a certain unpopular class of extensions on AMO all sharing the same buggy code. The only reason I didn’t hit all too many high profile extensions was that I was going through the extensions in alphabetical order instead of going by popularity.
Do you still remember? Sometime in the beginning of year 2004 Bill Gates promised us to take care of the spam problem by 2006. It was big in the news all over the world. Well, the year is almost over and I don’t see anything change for the better. A look at my inbox tells me that spam got much worse if anything. In fact, spammers have made considerable progress in these two years. They are now making heavy use of botnets thus rendering the spam protection methods based on IP address checks or identity verification almost irrelevant. They successfully use randomized mail content and images to trick Bayesian filters. And they got much better at social engineering. What did Microsoft do? They sued a few spammers — which didn’t quite make the expected impact because spam is still much too profitable.
It’s not that I really expected them to find the silver bullet. I mean, it was obvious that Bill Gates was selling hot air there. But I miss the public outcry. Where are the newspapers who reported about this two years ago, do they want to let him simply get away with a lie?
I just came back from Germany a few days ago and now (in a few hours) I am going there again. This came quite unexpectedly, I didn’t know myself until two days ago. This time I will stay in Darmstadt for a few months, working with the guys at the university and hopefully producing something useful together. I should come back to Oslo in the beginning of March to finish my PhD thesis — plan is to be all done before May. That’s some crazy time coming up…
Подумал недавно над тем, как наши бывшие соотечественники, родившиеся на территории бывшего Союза и эмигрировавшие в Германию уже в сознательном возрасте, эту самую Германию воспринимают. Получилось, что тут в основном существует три категории. Скорее всего, те же категории существуют и в других странах, но тут моего опыта недостаточно.
- “Новички”: новоприбышие, судят о Германии и населяющих ее немцах исключительно по привезенным с Родины предрассудкам. Обычно убеждены во врожденном превосходстве “русского” над немцем, о чем и заявляют во всеуслышание. В зависимости от круга общения, человек может оставаться “новичком” даже несколько лет, после чего либо становится “неприспособленным”, либо “полуассимилированным”.
- “Неприспособленные”: люди, не сумевшие найти для себя места в чужой для них стране — будь то из-за возраста, бесполезной в Германии профессии или просто нежелания приспосабливаться. Убеждение о превосходстве “русского” перешло в религию, общаются только со “своими”, любимая тема для разговоров — ругать Германию и перемывать косточки немцам. “А что, вообще, эти немцы делают в нашей Германии?” Страдают тяжелой ностальгией по Родине, на которую иногда даже возвращаются.
- “Полуассимилированные”: все еще не стали немцами (и никогда не станут, что прекрасно понимают), но уже научились жить с ними. Предрассудками не пользуются, поскольку имеют дело с “местным населением” постоянно. Видят реальные проблемы страны, но не стараются их преувеличить, поскольку замечают и достоинства. Из всех категорий именно эта может дать наиболее адекватную оценку Германии, но тоже неспособна корректно сравнить ее со странами бывшего Союза — тут уже из-за недостаточного понимания полузабытой Родины.
Добавим к этому еще мнения товарищей, которые не эмигрировали, но осчастливили Германию своим визитом. Тут получается еще две категории: “телячий восторг” (“Ах, как все-таки хорошо в Германии, ну почему же нас не пускают”) и “брезгливое презрение” (“Запад загнивает, а наше болото все равно круче”). Итого, читать/слушать, как наши бывшие соотечественники обсуждают жизнь в Германии, получается смешно — или грустно, в зависимости от настроения.
I will be traveling a lot, starting this Saturday. I am taking the remaining week of my vacation visiting Cologne and Hamburg, then I’ll be attending to ACM Multimedia in Santa Barbara, CA and NetGames in Singapore. I won’t be back in Oslo until November so don’t expect me to do much Adblock Plus development until then. I’ll try to answer mails from time to time.