It seems some people did not understand the point I made about Firefox on 10 November. This has even been demonstrated more explicitly by a video displaying all the horrible things that might happen to you if you run software with known vulnerabilities. That's not the phrase used by these people, of course. They use the phrase "run IE" instead of "run software with known vulnerabilities."
I use Firefox but I have no illusions about the security properties of the Firefox codebase. Firefox is a big, fat, steaming turd, just like IE is. If my business customers - who almost exclusively run Windows - asked me which browser to use, I would still tell them to stick to IE until it became possible/easier to upgrade and manage Firefox from a central location.
Asa says: "If you're on Windows and your system isn't fully up to date, you're hosed." -- I believe that is true for all operating systems. Windows just happens to make a more interesting target at the moment. Maybe all the anti-exploit technologies and application design changes in OpenBSD would mean you are not totally hosed right away, but anyone running software with known vulnerabilities deserve to be shot anyway.
So, as Firefox advocates and developers seem to be a little slow, here is what you should do:
Yes, I know all of this will make the schedule slip. Please give us a reliable, standards compliant browser. Firefox would be the first. Allow me to quote Brian Snow: "Do your jobs better. Please."
I have composed more than a fair share of business and technical proposals in my time with varying levels of preparation time and success. Today I delivered a proposal which has been approximately four years in the works. She accepted immediately.
Jerry suggested that I not ruin the Firefox propaganda but I am going to anyway: Firefox is not a secure browser unless you define 'secure' as 'does not support ActiveX applets'.
The sheer volume of bugs found to date, including ones fixed just in time for 1.0 clearly demonstrate that almost no security considerations went into the design, implementation or testing of Firefox. Granted, the user interface for launching external applications helps reduce the attack surface to just Firefox. How reassuring. No doubt there are hundreds of security bugs, some of them very serious, waiting to be found and exploited.
Firefox is going to turn out to be one big turd, just like IE currently is. The difference is that IE can be auto-updated by computer illiterate users even if they are running as restricted users (which they should be). Maybe I will change my mind if the Firefox update function automatically used the Run As functionality to make it easier for users to get the latest version without too much hassle. Users who do not have the tech savvy to check for new versions and upgrade manually have no business running Firefox - or any other software that can not be autoupdated when used in a secure configuration.
Firefox also refuses to run with the "Protect my computer" option in Run As checked. Come on developers! Why do you not use the security features available to you? Do not make it harder for security people to get users to run as restricted users instead of local administrators. Use privilege seperation in your code; one process exposed to the internet cannot access the filesystem, only send and receive messages to a 'privileged' process with filesystem access. The ideas behind "secure the interface" and "least privileges" are hardly new.
I have discovered something much more terrible than Bush winning the election. Stanford University, the bastards, have restricted their video streams of classes to registered students. I was watching that! I was taking classes on compilers and programming languages at my own pace before them fuckers decided to intervene. I bet they are also the people responsible for Toblerone. An agressive sweetie. Who else but them fuckers? Imagine a sweetie that will hurt you. A mountain of chocolate going through the roof of your mouth and into your brain!
(Apologies to Billy).
OpenBSD 3.6 is finally available on ftp.dkuug.dk. Stanford and DKUUG are bastards.
The bunnies are officially unhappy about the load of shite features going into ksh as we speak. We are going to start eating chocolate and we will not stop until all plans for more crap is halted and the offending commits are reverted.
Someone named Peppe has stepped up to help with the installer. It is going to be nice and clean.
Proof that Kerry won the 2004 election.
If I were king, makers of clocks that do not auto-switch between summertime and wintertime would be first against the wall.
OpenBSD 3.6 has been out for days and still it's not available on any of the fast (from here) mirrors. ftp.dkuug.dk and ftp.esat.net admins suck arse. I hope you are reading this, because I want you to know what I think of you.
I have been working on unattended installer support for OpenBSD and it's there, functionality-wise. I can perform unattended custom installs on my test system just by booting from floppy. Environment variables are read from a configuration file which feeds into a slightly modified install script. If you know your way around the OpenBSD installer and shell programming, I could use some help. I need a good way of handling multiple nics, multiple servers/set locations and partitioning. No, awk(1) is not available on the OpenBSD install media.
This is my config. (My modifications also support accepting default answers offered by the installer when no answer has been specified in the configuration, but I have disabled this during development to make sure I can specify any type of answer I want.
u_terminal=vt220 u_setkbencoding=no u_proceedinstall=yes u_rootdisk=wd0 u_useentiredisk=yes u_disklabel="z\na a\n\n300M\n4.2BSD\na b\n\n100M\nswap\n/a d\n\n100M\n4.2BSD\n/t mp\nw\nq" u_reallyproceed=yes u_hostname=fibble u_configurenetwork=yes u_initnic=le1 u_nicsymname=symname u_nicip4addr=dhcp #u_nicip4netmask= u_fqdn=test.mongers.org u_dns=194.239.134.83 u_usedns=yes u_defaultipv4route=dhcp u_edithosts=no u_manualnetconfig=no u_rootpassword=snoevsen u_installsetsmethod=http u_installproxy=none u_installmirrors=no u_installserver=192.168.42.3 u_installdir=pub/OpenBSD/3.6/i386 u_filesets="bsd etc36.tgz base36.tgz" u_ready=yes u_startsshd=no u_runX=no u_changedefcon=no u_timezone=GMT u_autoreboot=yes
