UK Gov't Says "No Evidence" IE Is Less Secure
aliebrah writes "Lord Avebury tabled a parliamentary question in the UK regarding the security of Internet Explorer and whether the UK government would reconsider its use. He got an answer from the UK Home Office that's unlikely to please most Slashdot readers. The UK government contends that 'there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure.'"
Probably true, even. (Score:5, Insightful)
That's very likely true, as the stupidity of the user remains the weakest factor in security.
"latest fully patched" (Score:3, Insightful)
*No* evidence? (Score:5, Insightful)
It's one thing to say there is insufficient evidence, but *no* evidence?!
Re:Probably true, even. (Score:5, Insightful)
But the trend of users getting infected seems to indicate IE is worse. User stupidity hurts, but so do unpatched remote code execution flaws.
Microsoft likes to tout how insecure other browsers and OS's are because they receive more security updates, but I'm not convinced. It's a poor measurement of security.
There's no way to know how many landmine exploits are in IE. I consider Firefox more secure, because as its market share goes up, the number of ITW exploits doesn't seem to be exploding.
Re:Probably true, even. (Score:4, Insightful)
I might actually believe that a fully patched IE8 is on par with other browsers, but the UK gov't will undoubtedly take the Home Office's decision to mean that IE6 is OK, too. That's scary.
Re:Probably true, even. (Score:4, Insightful)
Users are the weakest link in the security chain. And the least trained users are normally those on the de facto standard of Windows with IE, which implies a higher infection rate on those systems.
If we substitute e.g. Firefox for IE as the default browser in Windows, unskilled users will still remain unskilled users. They will still follow any shady link they come across, some of which will undoubtedly manage to poke a hole in FF's security.
The challenge and solution to security in the current environment is to educate the "average person."
Re:This is evidence for something else... (Score:3, Insightful)
Then when someone says there is no evidence of IE being less secure, we can look for the logo [microsoft.com]
There IS no evidence! (Score:5, Insightful)
The latest patched version of Internet Explorer fixed the bugs that Microsoft found. The latest patched version of other browsers fixed the bugs that other browser manufacturers found. Ergo, there is no evidence that the latest patched version of Internet Explorer is less secure, since the officially "known" security features have been fixed.
In fact, there's no evidence that there are any bugs at all in the latest patched versions of any software ever written, unless the manufacturers have explicitly stated that there are. In which case, in order for policymakers to accept such a report, they would need to prove that this is the case, by lobbying the government to the effect that their software is inferior.
"Not please" Slashdot readers? (Score:5, Insightful)
Nothing like a good laugh to start your morning.
Re:Probably true, even. (Score:5, Insightful)
With Firefox, there is generally a very high degree of transparency when it comes to security problems. Additionally, fixes are pushed out quickly. Although Firefox continues to gain market share, the actual damage caused by exploits continues to remain quite low. That's certainly not the case with IE, and as long as it's closed source that won't change.
UK Gov isn't running Vista or 7, nor IE8 (Score:1, Insightful)
UK Gov isn't running Vista or 7, nor IE8. In fact almost nobody is using that combination (and note that you are still vulnerable to several attacks under both because you can't run the Flash or Acrobat web plugin with execution privileges turned off, and that change doesn't fix Vista completely either).
So in very many ways, your point is wrong. Might as well say running FF on a VM image of Linux which would be even MORE secure.
Nobody does that, but it would be.
Re:Bullshit (Score:5, Insightful)
You get your IT news from the register? Coool!
More seriously - you link to that page, with words that seem to indicate there are a LOT of Firefox exploits in the wild. Care to name some? The IRC exploit only counts as one.
One more time, I'll point up Firefox's main advantage over IE: Vulnerabilities are made public, and people actually address the vulnerabilities as quickly as possible. Firefox exploits aren't hidden under a mountain of shit by some corporate boss, so that he hopes they can go away.
IMHO, Firefox is just about as safe as a browser can be, today, based on current knowledge. It ranks right up there with Chrome and Opera, and Safari, and Konqueror.
IMHO, Internet Explorer MIGHT be almost as secure - if and when people finally upgrade from IE6 to at least 7, and preferably 8. MIGHT BE. You'll notice that MS didn't publicize this newest vulnerability, until Google and others had already done so.
Re:Probably true, even. (Score:4, Insightful)
Let's assume for a second we've educated each and every single user and made them security conscious on the Internet. An educated user browses a site which contains an image that is constructed to exploit a security flaw in the browser without the user ever doing anything but viewing the image. Unknowingly the user's browser is compromised and in the hands of the attackers despite the fact that the user is well educated and security conscious, which means education alone is not the solution. Better software is the solution.
Absolutely. But what we stated was that, as of right now, users are the weakest link in the security chain. By educating users, you strengthen that link and make another link the weakest. Even so, you have by training improved the security of the system.
To get exploited in your scenario (assuming the user now sticks to "honest" sites and doesn't follow all email links) would require something like a web server exploit such as XSS. This is more difficult than simply tricking the user into executing a trojan.
Normally, to safely cross the street you only need to look left and right to check for traffic; you don't have to look up for falling objects, you don't have to check the road for mines, tripwires or other booby traps, and you don't have to check for sniper fire.
We should not ignore software security just because the user is the weakest link. But to borrow your analogy: the problem today is that pedestrians don't look left and right before crossing the street. Training them to do this would save more lives than any piano transportation safety regulation.
Re:This is why... (Score:4, Insightful)
Probably because they are.
By "insufficient evidence" they usually mean "we've not heard enough to convince us". Which means "Someone was telling us stuff, but we don't really understand the field that they were trying to explain. Instead of trying to understand the stuff we don't understand, we prefer to play nice with the money, because that tells us it's all good."
The prime qualifications in Labour are history, classics, and a few lawyers, advertising and marketing. Not really anyone with any solid scientific skills.
So, rather than work out the hard stuff, and make scientific dispassionate decisions which will make the country stronger and genuinely safer, they prefer to use rhetoric and assume that things work by fiat (we say the world works that way, ergo it does, because we say, which is why it lost pretty much the core of its drugs advisory group because the scientific advice of some highly qualified and internationally renowned people was completely ignored, and the opposite decision was made as policy, AND the politician hounded the scientist for not backing him up and twisting scientific results to fit into what he wanted things to be like).
I don't trust 'em as far as I can spit 'em. They need to understand scientific method, not empty rhetoric.
Missing the point (Score:5, Insightful)
Re:Lack of evidence shouldn't be a problem (Score:2, Insightful)
It's a shame that this comment is modded '+5 Funny', since, IMHO, it should be '+5 Sadly and painfully insightful'.
Re:Bullshit (Score:5, Insightful)
That's NOT a Firefox exploit. That's Firefox sending a normal HTTP request to a non-standard port (6667), and the IRC server *wrongly* interprets it as IRC protocol.
The only thing they say Firefox does "wrong" is actually connecting to a non-standard port, which I dispute: there are plenty of reasons to run webservers on non-standard ports, and I want to be able to connect to them.
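The cross-protocol confusion described in that comment is a server-side parsing problem: a line-based service that takes the first word of every line as a command will happily consume an HTTP request. The following is an added example (not code from the post, Firefox or any IRC server) showing what an RFC 1459-style line parser would extract from a constructed browser request, and a first-line guard that rejects HTTP-shaped connections before any line is treated as a command.

```python
import re
from typing import Optional

# HTTP request line shape: METHOD SP request-target SP HTTP/x.y
HTTP_REQUEST_LINE = re.compile(r"^([A-Z]{3,10}) (\S+) HTTP/\d\.\d$")

# Shape of a valid IRC command token: alphabetic word or a 3-digit numeric
IRC_COMMAND_SHAPE = re.compile(r"[A-Za-z]+|\d{3}")


def split_lines(stream: bytes) -> list:
    """Split a raw socket stream into non-empty text lines (CRLF or LF)."""
    text = stream.decode("latin-1")
    return [ln for ln in re.split(r"\r\n|\n", text) if ln != ""]


def irc_command_token(line: str) -> Optional[str]:
    """Token an RFC 1459-style parser takes as the command:
    the first space-separated word after an optional ':prefix'."""
    parts = line.split(" ")
    if parts and parts[0].startswith(":"):
        parts = parts[1:]
    return parts[0].upper() if parts and parts[0] else None


def commands_seen_by_irc(stream: bytes) -> list:
    """What an unguarded line parser would present to the command table."""
    tokens = (irc_command_token(ln) for ln in split_lines(stream))
    return [t for t in tokens if t]


def looks_like_http(line: str) -> bool:
    return HTTP_REQUEST_LINE.match(line) is not None


def classify_connection(stream: bytes) -> str:
    """Guard applied to the first line only, before command dispatch:
    reject anything shaped like an HTTP request line, accept only lines
    whose command token has a valid IRC shape."""
    lines = split_lines(stream)
    if not lines:
        return "reject-empty"
    first = lines[0]
    if looks_like_http(first):
        return "reject-http"
    token = irc_command_token(first)
    if token and IRC_COMMAND_SHAPE.fullmatch(token):
        return "accept"
    return "reject-unknown"


# Constructed sample: what a browser sends when pointed at http://irc.example.test:6667/
BROWSER_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: irc.example.test:6667\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

# Constructed sample: the opening lines of a genuine IRC client registration
IRC_CLIENT_HELLO = b"NICK alice\r\nUSER alice 0 * :Alice\r\n"

if __name__ == "__main__":
    print("unguarded parser sees:", commands_seen_by_irc(BROWSER_REQUEST))
    print("browser request ->", classify_connection(BROWSER_REQUEST))
    print("irc client     ->", classify_connection(IRC_CLIENT_HELLO))
```

The client-side counterpart is the browser's own blocked-port list; the guard above is what the service can do regardless of which browsers apply one.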
Re:Missing the point (Score:5, Insightful)
I was going to mention this very issue and you beat me to it. I know people who work in local government, both as 'users' of the in-house systems and 'sysadmins' on those same systems, and they all tell me how outdated their setups are. They're by and large using IE6 across the board, because the browser-based apps they use work in IE6 and if there's the slightest glitch in updating the browser they won't touch it - they just don't have the budget to deal with the issue and test it rolled out across such huge networks.
If it doesn't work someone would have to take the blame and we all know how civil servants do everything they can to avoid having any responsibility whatsoever for any decisions, hence the 'committee'. The committee provides plausible deniability wherein any single member can say "I didn't agree with the decision, but the committee decided...".
Welcome to the cosy sheltered world of civil service. People who work there genuinely couldn't survive in the 'real world' of private business/industry!
Re:IE (on Windows) is safer than Firefox (Score:3, Insightful)
IE has something better. Learn something about Trusted Sites and the myriad settings you can apply to them (like enabling scripting).
You can argue about ease of use, but that's not what you talked about. You talked about security. And blocking scripts on a per-site basis (using lists) IS possible already in IE6.
Re:Probably true, even. (Score:3, Insightful)
I don't know if they try to get work or not, but judging by the government's computer systems, they certainly don't succeed.
Re:in case any other Americans are confused (Score:1, Insightful)
Probably Americans meant "to staple" but most didn't know their own language well enough so they thought it meant "to table" :-P
Re:*No* evidence? (Score:3, Insightful)
But I'm a cynic.
Re:UK Gov isn't running Vista or 7, nor IE8 (Score:3, Insightful)
Maybe in your country. I very much doubt 20% of the UK population has even seen Vista or Win7.
In all probability IE6 usage in the UK exceeds Vista usage, and in Government institutions, IE6 usage probably exceeds all other browsers. Win2k is still widely used, and XP is still being installed.
UK government is crawling with Microsoft advisors (Score:1, Insightful)
The combination of computer illiterate politicians and Microsoft consultant advisers is as near corruption as you can get without it necessarily being illegal (and I am not discounting the latter possibility either).
Re:Probably true, even. (Score:3, Insightful)
And really, is this the kind of thing that the "Home Office" does in the UK?
Y'all be weird over there.
Re:Probably true, even. (Score:4, Insightful)
The other thing is that other vendors actually acknowledge when there's a vulnerability which they can't patch post haste, which makes it seem like they've got more bugs since they don't have a secret list of unpatched vulnerabilities. Nor do many of them have the option of doing so. Sunshine is the best disinfectant after all.
Re:Probably true, even. (Score:3, Insightful)
Re:Lord Avebury..... (Score:4, Insightful)
It was the Home Office that gave the reply some people don't like, even if it is probably true.
Only on a technicality.
Technically, at this moment in time there are precisely no publicly known exploits for a fully patched up to date copy of IE, a fully patched up to date copy of Firefox or a fully patched up to date copy of Opera.
The fact that history has shown us that exploits for IE tend to show up more frequently, are often nastier than exploits for Firefox or Opera and are almost never dealt with in an out-of-cycle patch (and so will be exploitable for that much longer) is neither here nor there. This is absolutely typical of any UK government department (and probably the same in many Western countries) - when you're asked a question which you don't necessarily like, interpret it in a fashion which allows you to give an answer which you do like.
Admitting that IE may be more dangerous isn't in and of itself a huge problem but it may well invite a lot more questions like "How many internal government systems only work with IE?" - and I bet you anything you like the answer is not "Zero".
Re:Bullshit (Score:3, Insightful)
To be fair I think his point was partially valid.
You're right that Firefox's core has the advantage of public vulnerabilities, but the issue is that Firefox allows for non-sandboxed extensions, which are often proprietary (e.g. Flash) and so effectively leaves Firefox with the same issue.
Firefox certainly isn't as safe as any browser can be, simply because of the fact extensions are vulnerable in this manner.
I think what the UK gov is getting at is quite valid: not that IE has the same or fewer security flaws per se (I think they probably accept that it does), but that no other browser really is built with a truly secure architecture either, such that even if you switch away from IE, whilst Firefox itself may be secure, many users will end up with extensions that aren't and so will remain vulnerable to something or other regardless.
Re:Lord Avebury..... (Score:3, Insightful)
I do believe that the aforementioned quote is likely to be the source of the response from the Home Office there. The answer is probably going to be closer to "Most of them". That's not an answer people would like to hear at all- probably less than we want to hear the weasel wording from the Home Office there.
Of course it will make people more secure (Score:3, Insightful)
IE or "the latest fully patched versions" of IE? (Score:4, Insightful)
What I notice is that the headline and most of the discussion here talk about the security of "IE", while the Home Office said "the latest fully patched versions of Internet Explorer". There seems to be little understanding that these aren't synonyms.
But does anyone here work for an organization of any sort (government, industry, academia, whatever) that requires that everyone use "the latest fully patched versions of Internet Explorer"?
In all the cases that I know of, when there's such standardization, it's for releases that existed shortly before the standard was established. It's now years later, and the standard is still in place (though often violated by workers who want better security or more features).
A number of people have written about organizations that are still standardized on IE6 and don't permit upgrades to IE8. Is there any data available on how widespread this might be? In my experience, such data is hard to come by, since both governments and private corporations tend to be secretive about their inner workings.
So could the Home Office be pushing for upgrades to W7+IE8? Nah; I thought not.
Well excuse me, but I trust Germans over Brits in (Score:4, Insightful)
matters like these. With their paranoid attention to detail, psychopathic inclination to procedure, and ungodly patience with working on intricate technical details, any word from Germans in that area would trample any word from Britain at any point for me.
The fact that the U.K. government has been shitting and screwing up in every other field for the last 10 years does not help either.
Re:Probably true, even. (Score:1, Insightful)
That's very likely true, as the stupidity of the user remains the weakest factor in security.
And this is a constant in the UK Government?
Fuck no it isn't constant. Are you daft man? It's increasing at an exponential rate.
Who else is going to do it? (Score:3, Insightful)
We can't trust companies because they have obvious profit motives. Leaves only one thing.
We use governments to test the water, the food, the air, the cars, everything pretty much which is essential to our lives but we do not have individually the resources to test.
The government doesn't test my cooking (that is what kids are for) because I have means to test that myself (if the milk still comes out of the carton, it is fresh enough for guests) but I do not have the means to test a can of Coke I buy on the street, so I expect/need someone else to check that these things are not made by just putting any old sugar and water and rust together, but only properly tested sugar, water and rust.
I would reason that computers have become such a common part of our lives and that we can get into so much trouble if we get it wrong, that government warning us about unsafe products, is the right thing to do.
Or wouldn't you want forced warnings and recalls if the brakes on your car turn out to be faulty? Guess who does that? Your car maker? Think again: government regulators. My, those guys just seem to be everywhere, don't they.
Re:Probably true, even. (Score:3, Insightful)
I lolled when I thought of Microsoft's having started offshoring back in 2004 [seattlepi.com]; the thought of Indian programmers writing code for their old colonial master's warships is...amusing.
Of course, I also find the thought of having blind faith in the golden handcuffs of capitalism to be amusing.
Define "prove" (Score:3, Insightful)
The level/degree of proof the UK government seems to be requiring for this is the 'scientific' type. For most things in life, statistical analysis tends to be enough.
What this guy said is akin to saying that North Korea has the strongest army in the world, because there's no proof to the contrary.
Pick any of these:
1) Lackluster/no security features.
2) Lack of improvement over the years. One of the cardinal rules for security is continual improvement.
3) Repeated exploit of said piece of crap.
4) Microsoft itself more-or-less admitting it's insecure and unrepairable - they effectively abandoned it years ago.
5) Anecdotal evidence from tens of thousands of computer repair types; I guarantee you IE is the vector for 9 out of 10 malware infections, and most of those are probably IE.
I'd wager they've been paid off. Anyone with even the slightest amount of intellect can look at the information available and determine that IE6 is rubbish. It's a hell of a lot less proof than most governmental bodies act on; often, said bodies act in direct contradiction to the facts for the purpose of special interest money.
Re:Lord Avebury..... (Score:2, Insightful)
Alas, the UK is hopelessly in thrall to Microsoft (Score:2, Insightful)
I recall seeing a timeline of the Internet's development at a display in London, and the first two dots were the 1973 launch of DARPAnet and then, incredibly, the founding of Microsoft in 1979. There was no dot for anything from Britain's own Tim Berners-Lee, for the development of DNS by Mockapetris, or other real milestones.
Honestly, it's sad to see what has happened to the land of Francis Bacon, Newton, Babbage and Turing. The UK today seems run by men without an original thought in their entire being, who slavishly follow fads from American business schools and figure one is always right if you tie your fortunes to those of Microsoft. This doesn't bode well for the future of that island nation, is all I can say. You can't rely forever on frothy financial instruments to fund purchases of food, energy and all technology from someone else.
So security through wishful thinking is better? (Score:5, Insightful)
With closed source software, you're at the mercy of the manufacturer when it comes to even getting an acknowledgment of security issues, let alone receiving fixes in a timely fashion or before damage is already done.
This argument endlessly amuses me. Do you really think the exact same thing is not true of OSS-based browsers such as Firefox and Chrome?
Hint #1: If you have not personally evaluated the source code of the browser you are using, nor employed a skilled specialist to do so for you, then you are just as dependent on other parties over whom you have no direct control to identify and patch security issues before the bad guys exploit them. The theoretical possibility that you can examine the source code is just security theatre unless you actually spend the time and resources to do it.
Hint #2: Which OSS browser do you think has a public bug database listing all known vulnerabilities, whether or not they have yet been patched, and keeps that database updated immediately every time a new vulnerability is reported?
With Firefox, there is generally a very high degree of transparency when it comes to security problems.
Unless you are one of the select few with access to the full security issue process, you don't know that.
Additionally, fixes are pushed out quickly.
Or that.
Although Firefox continues to gain market share, the actual damage caused by exploits continues to remain quite low. That's certainly not the case with IE, and as long as it's closed source that won't change.
Or any of that.
If you really don't see the blind spot you're exhibiting here, try answering these simple questions (and be honest with yourself):
If you can't immediately answer those questions, and provide yourself with objective, factual data to support your claims above, then please consider that you may just be projecting your own prejudices based on IE6 from many years ago onto the IE8 of today, while letting your own faith in OSS onto other browsers convince you that they are more secure even though you don't have access to all the facts.
Re:Who else is going to do it? (Score:2, Insightful)
Right on,
Then let's have the government set up an agency with the authority to make such claims, or set one up ourselves as a nonprofit.
The FDA tests consumables, the National Highway Institute governs our transportation infrastructure, the EPA tests our environment.
Except the Insurance Institute of Highway Safety is actually a nonprofit. Which, as an expert organization in its field, I'm sure receives funding from the government.
Re:So security through wishful thinking is better? (Score:3, Insightful)
By doing what, expressing a sentiment that is not popular around here?
No. You're expressing a sentiment that is patently wrong; it isn't a matter of opinion. I don't need to personally babysit the codebase for Firefox, as there is a ton of transparent, active development on it. Security issues are reported by both the community and third party vendors, and they're handled rapidly. On the other hand, I have absolutely no assurance that Microsoft will either (1) be aware of security issues, or (2) responsibly handle them. How many times do we have to get stung by holes that were reported to Microsoft months ago, when they only get forced into doing something about it due to a widespread and very nasty exploit? That's no way to run an I.T. platform.
I've got 20 years of combined public sector, private sector, and military experience that says I'm right. Again, hand waving isn't going to negate that.