Microsoft Advises to Type in URLs Rather than Click 984
spacehug writes "In a recent Microsoft Knowledge Base article, they provide 'Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks.' These steps include always using SSL/TLS, typing 'JScript commands' in the address bar, and typing in URLs instead of clicking links! I have a suggestion that's not in the Knowledge Base: don't use IE!"
i knew it (Score:5, Funny)
Re:i knew it (Score:5, Funny)
Re:i knew it (Score:5, Interesting)
IMO, as XHTML 2.0 is meant to be non-backwards-compatible, they should use the a element for the functionality of the acronym and abbr elements.
Re:i knew it (Score:3, Insightful)
Re:i knew it (Score:4, Informative)
XHTML = DOA (Score:5, Insightful)
Any solution that relies upon millions of people changing their behavior is dead on arrival.
They can't be serious... (Score:5, Insightful)
I mean, either you continue as usual and get screwed should you hit a malicious link, or use a different browser. Who in their right minds would ACTUALLY follow the steps here. "Hmmm, this link looks suspicious... I'd better manually enter the address". Or copy a piece of JScript code for a more verbose description of the link...
Yeah, right. I can't get over this article - it's nearly like a spoof or something.
I've never had problems with Mozilla Firebird - ever. And it's not even v1.0 yet! I've been using it since November last, every day nearly, at work and home.
Re:They can't be serious... (Score:5, Funny)
Not microsoft!
They're innovative. They'd send a helpful sheet out to owners:
-----------------
Things you can do to protect yourself from an engine fire:
The most effective step you can take to protect yourself from an engine fire caused by the known defect, is pushing your car manually. By pushing your car manually, you can avoid creating the temperatures required to initiate combustion. This will keep your car safe. Also, you can save fuel and contribute to a cleaner environment.
-----------------
Re:They can't be serious... (Score:4, Funny)
Re:They can't be serious... (Score:5, Funny)
Pushing your car can also cause unburnt fuel to poison the catalytic converter, and pollute the atmosphere with hydrocarbons. In certain situations, the unburnt fuel in the exhaust pipe may explode, possibly taking out the muffler, catalytic converter etc. with it. If this occurs, you should report the problem to your fuel supplier and/or exhaust manufacturer.
Re:They can't be serious... (Score:5, Funny)
We'll find out next fall on an all-new FOX Reality Miniseries: "The Simple Life: Redmond".
(What? Didn't you notice that the KB is suppose to Microsoft Internet Explorer 6.0 SP1, when used with Anal Wiener Buggers?)
Re:They can't be serious... (Score:5, Interesting)
Re:They can't be serious... (Score:5, Interesting)
i totally agree with you about the absurdity of the whole situation. however, i will admit that i know someone who will follow these instructions to a tee. my roommate refuses to listen to anyone when they recommend using an alternate browser [firebird, mozilla, and opera have all been suggested numerous times by numerous people]. instead i get to sit there and laugh at him while he bitches about popups, security holes, and having to copy/paste links into notepad to make sure they really go somewhere he wants to go. i truly get the feel that some people purposefully put themselves through pain to try to make a point. what that point is, however, is totally lost on me...
Upgrade Path (Score:5, Funny)
I've sent that page to a few people now, and the responses are pretty amusing. It redirects IE users to a spoofed MS Update page for Internet Explorer that offers Mozilla for download as the "update" for IE.
Re:They can't be serious... (Score:4, Informative)
This one will crack you up even more: Don't use the word "begin" -- use "start" or "commence" instead [microsoft.com]. That's right, the parser doesn't need fixing, the English language does.
It's frightfully for real. How's MS's level of support looking now?
Re:They can't be serious... (Score:5, Interesting)
Considering IE is here to stay (as you could never hope to convert the masses out there who think Opera is just the thing with fat ladies singing and that Mozilla is some stupid Japanese monster) I think people's time would be better spent raising awareness of IE's flaws and encouraging Microsoft to fix them rather than encouraging people to change browser.
Plus on
Re:They can't be serious... (Score:3, Interesting)
I have tested my browser (Mozilla Firebird) against all the spoofing bugs I can find and it is not vulnerable to any.
Re:They can't be serious... (Score:5, Informative)
bzzt - wrong. It existed only partially. The status bar would display the URL incorrectly, however the address bar always correctly displayed the full URL. There was a patch for this the same day that it was discovered Mozilla was partially affected, and an improved fix has since been checked in to all major Mozilla variants. Mozilla 1.6 [mozilla.org] is fixed, as will be Firebird 0.8 (due any day now).
Check to see if your browser is vulnerable at the Secunia Address Bar Spoofing test page [secunia.com].
Re:They can't be serious... (Score:5, Interesting)
Considering IE is here to stay (as you could never hope to convert the masses out there who think Opera is just the thing with fat ladies singing and that Mozilla is some stupid Japanese monster) I think people's time would be better spent raising awareness of IE's flaws and encouraging Microsoft to fix them rather than encouraging people to change browser.
"People" do weird things sometimes - a large number of people went to the theater and paid perfectly good money to see 'Gigli' for example. I think it's incredibly weird that people still use IE even without the security problems, given that there are a number of faster, better-featured browsers available free for downloading. But "people" tend to move in flocks. All it would take would be a large enough catalyst, and I think there would be a mass migration.
Is this it? No. People are stupid - they won't switch because they should switch. People won't switch until they come to a roadblock: they want to do something and they find they can't. Even if every IE user were to see this KB entry, 99.9% would ignore it, and they'd blame "hackers" if they got hit by the vulnerability, not MS or IE.
If people get exposed to and get used to better browsers, though (corporate IT gets tired of trying to teach users not to click on things, for example), they'll get used to tabbed browsing, native popup-blocking, their BenJen browser theme, etc., then find they can't do the same at home with IE... they'll switch.
If IE were almost as good as Opera or Firebird, you'd be right about it being nigh invulnerable. It just isn't, though.
Also mozilla (Re:They can't be serious...) (Score:3, Insightful)
Perhaps the same reason why Mozilla does not do that filtering?
Re:They can't be serious... (Score:4, Informative)
That is exactly how MS plans on fixing this problem. Read more here [microsoft.com].
Re:They can't be serious... (Score:5, Informative)
Ah! But there is a google toolbar [mozdev.org] for Moz. Happy switching.
Re:They can't be serious... (Score:5, Informative)
When I was using Galeon [sourceforge.net], I would just put a "Search Google" box in my toolbar. (Here's a screenshot with three Google search boxes. Two of them are folded closed to save space [sourceforge.net]). Firebird [mozilla.org] has similar functionality.
For a variety of reasons I switched back to plain old Mozilla, and certainly don't visit Google.com directly. Personally I use bookmark keywords. I've got "g" mapped to Google, so I just type something like "g galeon screenshots" in my address bar and I get a search for "galeon screenshots" from Google. It's such a handy feature that I've got similar keywords for Wikipedia, Everything2, dictionary.com, FreshMeat, and a few others.
However, if I was only using one search engine, I might use the default behavior built into the address bar. When you type an address in, a drop list of suggestions appears below. The bottom one is always, "Search ENGINE for 'YOUR KEYWORDS'", where ENGINE is one of the many options you can configure (including Google), and YOUR KEYWORDS are whatever you typed. You just select it and off you go.
If you're really keen on having a search box dedicated to Google, well, besides trying something like Galeon or Firebird, you can install the Googlebar [mozdev.org] (screenshots [mozdev.org]). Personally I'm no longer keen on adding search boxes to toolbars, I want less user interface on screen, not more. Less interface means more space for actual web page.
As a general rule I try to not obsess about what piece of software thinks about my web site or the web sites of others. Knowing PageRanking is certainly amusing, and it may be marginally useful if you're doing professional web work, but is it really that critical?
I'll admit, it's a shame Mozilla doesn't provide it, but it's not really that big of a deal.
Neither have I. It seems a bit odd to co-mingle popup-blocking and searching into a single component, but I guess if it works for you. Mozilla's popup blocking support works great and comes built in to the browser. As a bonus I can also stop sites from doing other irritating things. For example, I've forbidden sites from resizing or moving existing windows or moving windows up and down in the screen ordering. If you're sick of sites doing stupid crawls in your status bar or hiding the real destination for links you can just click "Allow scripts to...Change status bar text."
Tabbed browsing has never been about resources; that you think it does shows a serious lack of understanding about modern web browsers. Every major browser (including IE and Mozilla) will only run one copy of the program, regardless of how many windows you have open. Tabs are not significantly more efficient than windows.
Tabbed browsing is about organization. The task bar works fine, but it doesn't scale. If you've got 20 windows open you've just got twenty little teeny icons with almost no text. XP's grouping helps, but all of the web browser windows get lumped together. A typical use case would be to have a window open to a web email site, another window reading a list of bugs assigned to me and a bunch of tabs for individual bugs I'm loo
I haven't clicked links for YEARS! (Score:5, Funny)
Hah! (Score:5, Funny)
I have a suggestion that's not in the Knowledge Base: don't use IE!
Yeah, and I have a solution to prevent malicious programs like IE from running that's not in the Knowledge Base...
Install Linux.
I hear you can buy a copy of it for around $600 somewhere [sco.com].
Windows can be secure (Score:5, Insightful)
I know this really isn't a popular opinion around here, but still, it needs to be said.
While it's true Windows isn't really the state of the art platform when it comes to security, it beats Linux when it comes to a few key issues. Like hardware support.
Yes. I know. Hardware support in Linux isn't that bad, but still you encounter hardware you simply cannot get working under Linux. This isn't exactly a flaw in Linux, but for all hardware that is developed, you can swear the vendor will release Windows-drivers that makes hardware support a non-issue.
And as far as voting with your wallet goes, you really never can tell it's an issue before you try it. This goes for my MP3-player (Creative). I couldn't get it working under any Linux or *BSD platform.
Back to the issue. Running Windows securely really only requires you to configure the system properly. Like disabling all unnecessary services (Universal PnP, Remote assistance, remote registry and so on...), and using non-Microsoft products. Like Mozilla or Opera for web-browsing.
As much as we all love to hate Windows, it can be configured to operate decently. But in the name of "user-friendliness" it is configured to be insecure by default.
And there goes my karma.
Re:Windows can be secure (Score:5, Insightful)
why don't people see that this is a MAJOR FLAW with the OS?
the majority of home PC users are not slashdot geeks and simply don't have the time, and shouldn't have to worry about this sort of stuff.
the whole founding principle of a home PC is that joe somebody is empowered to pursue his lifelong dream of starting a small business and can focus on producing/selling/etc. without having to be a mainframe technician on top of it. at what point does the amount of required fixes/patches/workarounds make a device cease being a tool and become a liability instead?
sally middle-school teacher should be able to check her email without 5 service packs.
bill janitor should be able to boot up a computer and check a sports score without being deceived by a major browser flaw into installing 16 trojans and zombie-fying his machine.
the folks at redmond have forgotten so utterly and completely that the original idea of a computer was to help people that it's mind boggling.
one of the most satisfying things in software dev can be watching someone's day become markedly easier b/c of something you worked on.
microsoft has become the antithesis of that.
Re:Hah! (Score:3, Informative)
Re:Hah! (Score:5, Interesting)
Firebird seems lacking in a few things for now.
Re:Hah! (Score:5, Informative)
I'm sure the majority of the glaring errors or lacking features will be addressed before it becomes an official product.
Re:Hah! (Score:4, Insightful)
I can't think of anything wrong with the way Firebird handles mailto URLs. Firebird certainly handles them better than Mozilla Navigator -- Firebird opens them in your default mail program, while Mozilla Navigator always opens them in Mozilla Mail.
Re:Hah! (Score:4, Informative)
to add mailto: support to Firebird just install the mozex [mozdev.org] extension
Re:Hah! (Score:5, Interesting)
Examples would be things like plugins and things from mozdev.org that don't work, preferences that are not present in Firebird, etc.
Firebird is going to be a wonderful browser, it's already a very good browser, I just don't feel it's ready for (my) usage yet.
Re:Hah! (Score:4, Informative)
Mozilla Firebird [mozilla.org] is a lean, mean browsing machine. Highly recommended. Remember not to click the link if you're in IE!
Re:Hah! (Score:5, Funny)
This is all a big ploy, by Microsoft, to prevent "their" customers clicking on links which might take them to competitors' products. Sneaky! It might even be patentable!
What'll they think of next?
Re:Hah! (Score:5, Interesting)
Also if you can also educate others into non-IE browsers that will help marketshare and make more sites develop to the standards and not to MS only HTML/JS. Although to be honest I know of very few IE only sites, and I never need to use them anyway, YMMV.
Re:Hah! (Score:5, Informative)
However, I recommend Opera [opera.com]. It's small, fast, very standards-compliant, and has lots of nice features that make browsing the web just a little more comfortable. Examples:
Don't want to wait for those graphics to load? Press G to stop loading them. You can selectively view some images if you need to.
Can't read the fonts? Color scheme ticking you off? Press Ctl+G to use the default stylesheet. Black text on white background, couldn't be more legible. Don't like the default stylesheet? Don't worry, you can change it.
Type g litigious bastards [sco.com] in the address bar to search for litigious bastards [sco.com] on Google.
Bookmark pages and assign aliases to them to surf there quickly. For example, I used sd for Slashdot and osn for OSNews.
I don't like mouse gestures, but some people love them. Opera does, too.
Etc, etc.
It's a pity Opera on Linux keeps crashing. On Windows, it's great, though.
Re:Hah! (Score:5, Funny)
Re:Hah! (Score:5, Informative)
This is in no way bashing Opera, which has a lot of great innovations and I hope to return to when this problem is fixed. Just a warning that Opera may not be as fast as everyone thinks!
Re:Hah! (Score:3, Interesting)
Opera is fast, but Firebird is faster still, it renders pages better than Opera does. Another plus is SOCKS support which Opera does not (or did not?) have.
Firebird comes with less options than Opera basically, but so many add-ons exist, like the mouse gestures.
And if you have a small screen with a resolution that is not higher than 1024*768, Firebird gives far less space for its toolbars, leaving more for the pages.
Re:Hah! (Score:5, Informative)
Firebird: Press ESC
Firebird: has image blocking: right click -> block images from <server name>
Firebird: Ctrl++, or Ctrl+- for smaller fonts
Firebird: No shortcut for default colours yet.
Firebird: Preferences->General->Fonts&Colors
Firebird: By default has `google' as alias for google, but you can do this with anything by assigning alias to sites with %s for the search term, eg:
See above.
Firebird also has type ahead searching. A feature which one can't live without.
Re:Hah! (Score:5, Funny)
Why go half way? (Score:5, Funny)
Better solution (Score:5, Funny)
Re:Better solution (Score:5, Funny)
Re:Better solution (Score:5, Funny)
I followed Microsoft's advice and typed in your address but all I got was the MSN search engine telling me that the domain "fax the webpages" doesn't exist.
How About.. (Score:5, Insightful)
Really. perhaps a few more people should install pegasus email under windows, and download mozilla firebird - the world would really be a slightly better place!
Or is that just too obvious?
PS: What on EARTH is up with IE's css support? is it intentionally designed to be completely broken?
Sigh.
Re:How About.. (Score:5, Interesting)
damn, no kidding.
i design web sites for a living. there's nothing worse than getting a web site looking just the way you want, then running a W3C CSS and HTML validator and having everything check out 100 percent.
Re: How About.. (Score:3)
> They turn off all the 'automate EVERYTHING' approaches microsoft seem to think are a good idea, then it will become safe again to actually click on the links?
But if they turn off 'automate EVERYTHING' then Windows will become susceptible to the Linux "forward this message to a friend and then delete all your files" virus.
But yeah, "type in the links" is the ultimate irony from the company whose fixation on faux "ease of use" has wrecked the internet with a crapflood of viral e-mail.
Almost (Score:5, Insightful)
I know this is offtopic flamebait, but hell it's so likely to be true...
I believe Microsoft intentionally has a slightly broken CSS, so that everything that looks good in IE will look crappy in any standard-compliant browser.
C'mon, it's not that crazy! We all know which mother has the marketshare's here.
It's not like most people even know there are standards anyway. "People" use FrontPage, or even worse, Word to make webpages these days, remember?
So yes, I believe IE's CSS-support (or the CSS-support in any Microsoft product) to be intentionally broken. To gain marketshare. And that's paranoid me.
Btw, my W3C-validated, visually confirmed (opera, mozilla) good webpages look like shit in IE. And, no I don't bother to make IE-CSS.
In other news: secure banking (Score:5, Funny)
uhh? (Score:4, Funny)
Eight-hundred-thirty-three-thousand-seven-hundred-eighty-six Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks
CLIE? (Score:5, Funny)
So now MS is promoting a return to command line interfaces?
I use Firebird. (Score:3, Interesting)
9% is done with Opera 7.23. Mostly at home, since it's still small and light enough for my poor little Pentium machine.
Less than 1% is done with IE, mostly with horribly broken sites that only accept it, and I am actively searching for replacements.
FWIW, I never use MS Outlook or Outlook Express either. Earlier this week, when MyDoom struck our email servers, a couple of coworkers were infected. I was not.
The moral of the story is that you can't trust Microsoft products.
Homograph attacks might bite us all (Score:5, Interesting)
Although this article on the insecurities of IE (or in a more general sense, Windows' URL handling) is fitting for ./, the advice to type URL into the address bar may be one that we should all take to heart in the future.
As pointed out here [technion.ac.il], the advent of multilingual (Unicode) domain names gives rise to a new possibility for attacks: the Homograph attack.
Example: one could replace the o's in http://www.microsoft.com [microsoft.com] with Greek omicrons, Cyrillic o's or characters from other charsets, as long as they are rendered by our browser as something resembling an "o". The users won't notice the difference, but they might be redirected to another site, even though they visually inspected the URL.
A more serious example: my bank, the Dutch Rabobank [rabobank.nl], features internet banking. It specifically displays a warning before logging in: Make sure that the address in the address bar starts with https://www.rabobank.nl/, then you are sure you're communicating with us. Now, with a homograph attack, even that might not be certain again: it looks the same, and users are reassured even though reassurance is not due! And it's not limited to using IE or Windows either.
A comment is in order here: we're not that far yet, as most clients require special (non-default) DNS clients to access Unicode domain names. But it might become a big problem in the future.
Are there any people from countries using non-latin domain names that might want to comment on this?
Re:Homograph attacks might bite us all (Score:5, Insightful)
So it's up to the browser makers to take action if this is really a security risk.
The simplest solution to me would be to not allow multiple charsets to be displayed in the URL bar making this not possible.
Re:Homograph attacks might bite us all (Score:5, Insightful)
I fully agree with you that it should not be necessary. However, I assume that you are from a country using a latin charset (being Dutch, I am). However, even though we as "westerners" might still be in the majority (are we still?), this might not always be like this.
For example: the number of Chinese internet users [technewsworld.com] went from roughly 600 thousand to 80 million in the timespan 1997-2003. So there will be lots more. And that's only China. I can only imagine that these people want domains in their own charset (at least we have lots of domain names in Dutch here in Holland, but of course we have the advantage of using a Latin charset).
In that case, a general "block" on multilingual domains in the address bar won't work.
Re:Homograph attacks might bite us all (Score:5, Insightful)
Re:Homograph attacks might bite us all (Score:3, Insightful)
The whole point of Unicode is that it _is_ one charset for everything. I personally think that Unicode, especially UTF-8, is an even better invention than sliced cheese, and should be used anywhere and everywhere.
True, this is not going to stop attacks involving spoofed URLs, but trusting URLs is bad from a security viewpoint anyway. What to think of misdirecting surfers with mal
Re:Homograph attacks might bite us all (Score:5, Insightful)
-MT.
... and SSL will still work (Score:5, Interesting)
https://ϲоmmоnwealthbank.com.
(may not display properly - whatever, you get the picture)
and getting a perfectly valid ssl session. With entirely the wrong people - but the user would only notice if they looked at the cert.
Of course, you'd have to find a cert registrar dumb or unethical enough to give you a cert for the domain, but with people like Verisign around that can't be hard.
Use colors (Score:4, Interesting)
1. Display something for EVERY byte in the URL! (this is Microsoft's main problem). The only character that could plausibly display as a blank area is the byte with the value 32, and even that could show an underscore or something. If "%0102" is in the url, show the characters '%', '0', etc. And obviously the text "%00" in the url should not cause the rest to disappear. In case you think only Microsoft is stupid, Unix software often displays '\n' characters as breaks making multiple lines, in Mac's Safari this makes those spoof URLs display almost as badly as IE.
2. Display all non-ascii characters in a different color. Please ignore the probably loud Politically Correct crowd that will say you are demonstrating anglo-centric bias, those same people kept UTF-8 from being adopted for over 12 years (since it is obviously a bias to have westerners have the shorter characters) and actually hurt i18n far more than the most ignorant midwestern Cobol programmer did.
3. Display as much of the URL that corresponds to a site you have visited before in a different color. Ie similar to showing a visited link a different color in the page, show the preview of the URL with the hostname and leading directory levels colored that match some URL you visited before. Then, assuming you visited your bank once, the fake bank address will be noticeable by not being colored.
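An added illustration, not part of any poster's comment: proposal 2 above, combined with the homograph concern raised earlier in the thread, sketched in JavaScript. Bracketed code points stand in for colour, the script list and the Han/kana allowance are simplifying assumptions, and the hostnames are constructed samples given in Unicode form.

```javascript
// Added example, not from the thread. Hostnames are constructed samples and
// are expected in Unicode form (not "xn--" Punycode).

// Scripts we name explicitly; any other letter is reported as 'Other'.
const SCRIPTS = ['Latin', 'Greek', 'Cyrillic', 'Han', 'Hiragana', 'Katakana',
                 'Hangul', 'Arabic', 'Hebrew'];
const SCRIPT_RES = SCRIPTS.map((name) => [name, new RegExp(`\\p{Script=${name}}`, 'u')]);

// Assumption: Han mixed with kana is ordinary Japanese, so it is not flagged.
const CJK = new Set(['Han', 'Hiragana', 'Katakana']);

// Script of one character, or null for digits, '-', and other script-neutral characters.
function scriptOf(ch) {
  for (const [name, re] of SCRIPT_RES) if (re.test(ch)) return name;
  return /\p{L}/u.test(ch) ? 'Other' : null;
}

// Analyse one DNS label: which scripts it uses, and a display form in which
// every character outside printable ASCII is written as [U+XXXX].
function analyzeLabel(label) {
  const scripts = new Set();
  let marked = '';
  let markedChars = 0;
  for (const ch of label) {                 // iterates by code point
    const cp = ch.codePointAt(0);
    const s = scriptOf(ch);
    if (s) scripts.add(s);
    if (cp < 0x21 || cp > 0x7e) {
      markedChars++;
      marked += `[U+${cp.toString(16).toUpperCase().padStart(4, '0')}]`;
    } else {
      marked += ch;
    }
  }
  const list = [...scripts].sort();
  const mixed = list.length > 1 && !list.every((s) => CJK.has(s));
  return { text: label, scripts: list, mixed, marked, markedChars };
}

// A host is flagged when any single label mixes scripts. A label written
// entirely in one non-Latin script is NOT flagged (it may be a legitimate
// internationalised name), but its characters are still marked for display.
function analyzeHost(host) {
  const labels = host.split('.').map(analyzeLabel);
  return {
    labels,
    marked: labels.map((l) => l.marked).join('.'),
    markedChars: labels.reduce((n, l) => n + l.markedChars, 0),
    suspicious: labels.some((l) => l.mixed),
  };
}

// Constructed samples: Latin name with Cyrillic "o" (U+043E), a plain ASCII
// name, and an all-Cyrillic label under an ASCII suffix.
for (const host of ['micr\u043Es\u043Eft.example', 'www.bank.example',
                    '\u043F\u0440\u0438\u043C\u0435\u0440.example']) {
  const r = analyzeHost(host);
  console.log(`${r.marked}  mixed-script=${r.suspicious}  marked=${r.markedChars}`);
}
```

The per-label check catches a lookalike letter dropped into an otherwise Latin name; a name spelled entirely in one lookalike script passes it, which is why the marked display is kept as a second signal.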
What about .... (Score:4, Insightful)
Ahh sweet sweet irony (Score:5, Funny)
Need I say more?
Don't use IE (Score:4, Informative)
The other people just don't. It's not like they don't know how. These are proper techies. They just make up daft excuses like not trusting free software.
Maybe trust is important. You can trust IE after all. You can trust it to be insecure.
Microsoft to remove the @ symbol from URLs (Score:5, Informative)
For more information, please see microsoft's advisory [microsoft.com]. That's right, type in the URL yourself, it really is at microsoft.com. From now on, any HTTP or HTTPS URL that has an @ sign in it will report "Invalid syntax error".
After months and still no patch for this bug.. they just now announced THIS as their fix, but still no patches. You'd think they'd just prevent parts of their URL bar from disappearing instead of removing features..
Workarounds for this new behavior are listed as:
* Do not include user information in HTTP or HTTPS URLs.
* Instruct users not to include their user information when they type HTTP or HTTPS URLs.
How ingenious. I also find it interesting that they link to the standards they are now breaking under "references".
Re:Microsoft to remove the @ symbol from URLs (Score:5, Insightful)
-----
You are entering www.thewebsite.com while using this login information:
User name: blah
Password: foo
Proceed?
[ Yes ] [ No ]
-----
Re:Microsoft to remove the @ symbol from URLs (Score:3, Interesting)
To quote
Re:Microsoft to remove the @ symbol from URLs (Score:5, Informative)
(There's an interesting "discussion" over on Mozilla's bug id 122445 - regarding this, too)
This is great ... (Score:3, Insightful)
My main issue is this, the knowledge base is huge - there are thousands of articles, therefore although the article is there how many *normal* people actually read it? The people that need the information the most are those that are less computer literate and the same people that would rather be playing flash games than reading a document on a "geeky computer" website.
It is the same with the "oh they should use another browser", at the end of the day they don't really care until they get bitten - and even then they will make the same mistakes again. I personally think that the software update mechanism (where the window pops up if there are updates) is great under OS X. You would have to be really retarded to ignore it.
Maybe Windows and Linux could do with something like this? I know debian has its security feed (which I use), but it'd be useful if it alerted me that there were updates. I also remember there being an update manager but maybe it shouldn't allow you to not install the security updates. (Please forgive my lack of knowledge of the recent windows situations WRT updates - I rarely use it so please don't flame back but I would be genuinely interested to know - for the sake of my parents' computers)
Anyway, end of post.
Internet Explorer should offer... (Score:5, Interesting)
Re:Internet Explorer should offer... (Score:5, Funny)
Alas, some of us have little choice. (Score:5, Interesting)
Their reasoning? Security. Judging by the number of times in the past two months they've had overtime to do, and the amount of times they have to send out emails-which-get-deleted-without-further-reading on what not to do with a web browser, I suspect it's the security of their jobs they're trying to protect, but anyway...
So, instead, I sit and shake my head with wonder at all the people, particularly from the Management stream -- although I've seen for myself that engineers aren't immune -- who blindly click links without checking their content, who don't check for SSL, and so on and so forth. And, in two cases, get swindled out of cash because they believed an email supposedly from their bank [anz.com]...
ObRant: Why conceal this kind of knowledgebase article? Microsoft should have it in forty-foot-high letters of fire on their front page. No, more than that; it should be in every freaking news syndication everywhere for every single windows user to see and read, repeatedly, until they get the hint.
Then, and only then, can we honestly say that those who still don't do the "right" thing deserve it.
Re:Alas, some of us have little choice. (Score:3, Insightful)
Close. Replace "MCSE graduates" with "MS apologists", and for the most part, you've got it spot on. Some of them do have MCSEs, a few more have MCSAs, but by and large, they're "surviving" on their experience. Of Windows NT and 95 environments, largely -- we've only upgraded to Windows 2000 in recent history.
In my personal Utopia -- indeed, when or if I run my own company w
Re:Alas, some of us have little choice. (Score:3, Insightful)
People click it -- which that particular bank tells you not to do, since they make it a policy of sending material regarding accounts of any kind, out on paper only -- and enter their details. Whee, within a day their accounts are empty.
Sure, 99.99% of the time, clicking links is harmless. Heck, that's what they're there for. It's the remaining 0.01% of the time which poses the
Re:Alas, some of us have little choice. (Score:3, Insightful)
Yup, aware of that. Unfortunately the group policies in place are "good enough" to prevent it Just Working, and while it doesn't take too long to get around those, it's simply not worth the hassle. That, and having seen the IT dept follow through on their threats of termination in the past, I don't really feel
What's next? (Score:5, Funny)
"Protect yourself from email worms by walking to the post office!"
"Protect yourself from p2p worms by buying your music on 8-track tape!"
"Protect yourself from joe-jobs by not using your hotmail address!"
"Protect yourself from internet credit card theft by using dollar bills exclusively!"
"Protect yourself from e-banking snoopers by keeping your savings under the mattress!"
"Protect yourself from spam by disconnecting the internet!"
"For Christ's sake, protect yourself from illegal operations by turning off your computer NOW!"
(Oops, this one's not new.)
Use mozilla (Score:5, Funny)
Absolutely hysterical (Score:5, Insightful)
I'm laughing so hard I can't type. Hang on... OK. This MS article is so wrong I don't even know where to begin... How about here:
The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself.
Is MS going to issue a patch to disable hyperlinks then? If you can't click hyperlinks, doesn't IE cease to meet the definition of a browser? Look at the bright side, finally Netscape has closure.
Now, from the "but it's so easy to use" department:
Make sure that the Web site uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) and check the name of the server before you type any sensitive information. [....] By checking the name on the digital certificate used for SSL/TLS, you can verify the name of the server that provides the page that you are viewing. [...] double-click the lock icon, and then check the name that appears next to Issued to. If the Web site does not use SSL/TLS, do not send any personal or sensitive information to the site. If the name that appears next to Issued to is different from the name of the site that you thought provides the page that you are viewing, close the browser to leave the site.
Huh? Does anyone expect Joe Luser to understand that? Checking the certificate against the stated URL and the IP address supplied by a DNS lookup of that URL seems rather straightforward. Someday, someone ought to invent a machine to do things like that. We could call it a computer. A computer might also be able to display the actual site name and nothing else, rather than allowing it to be spoofed in any way, eliminating the need for such manual babysitting.
From the "but it's so easy to use" department, take two:
In the Address bar, type the following command, and then press ENTER:
javascript:alert("Actual URL address: " + location.protocol + "//" + location.hostname + "/");
I see. We just proved this week that a huge segment of the Windows user base still hasn't learned about attachments. But grandma, who wants to look at the pictures of her grandchildren, is expected to be a Java programmer. There must be some incredible acid floating around Redmond. A complete break from reality, this is.
Security: Text-only email? (Score:4, Informative)
Read E-mail Messages in Plain Text.
By reading e-mail in plain text, you can see the full URL of any hyperlink and examine the address that Internet Explorer will use. The following are some of the characters that may appear in a URL that could lead to a spoofed Web site:
* %00
* %01
* @
Gee, ya think that HTML email is a bad idea..? I wonder how many people even realize that this "IE advisory" applies to Outlook and their email as well?
Nice way to bury that one, guys..
One leap for man (in reverse)! (Score:5, Funny)
No bugfix? (Score:3, Funny)
This just in... (Score:4, Funny)
Microsoft Corporation today advised users to upgrade their current Internet Explorer web browsers to Carrier Pigeon 1.0. This newly released software package transfers HTML documents safely and securely over the friendly skies.
NOTE: Microsoft is not responsible for packet loss during hunting season, unless it's wabbit season but definitely not duck season!
I know I should probably read the advisory, but I use mozilla. So how would it help?
ultimate defeat (Score:5, Interesting)
1) we (Microsoft) know what a bad url is
2) we (Microsoft) assume that you may know what a bad url is
3) but for the life of us, we (Microsoft) just can't tell IE what a bad URL is
4) we (Microsoft) give up trying to teach IE what a bad URL is
5) hence we (Microsoft) ask you to please take care and avoid bad URL links
People, you misunderstand the problem! (Score:5, Informative)
The bug is not allowing URLs style:
http://fake.host.as.username@the.real.evi
This is perfectly legal and most people will spot it! (well, at least I do.)
The bug is:
http://fake.host.as.username[somespecialchar
where the special character prevents IE from displaying anything after it.
This is NOT the case in other browsers, this is a serious vulnerability (because no matter how hard you look at the URL bar in IE, you won't see the URL is fake) and this is THE way crackers and spammers exploit the bug!
Why IE and Outlook are still so widely used... (Score:3, Insightful)
Outlook is less easy to replace... I've a target platform of XP, and need to interact with an exchange server. While I hate the clunky configuration, gaping security flaws and slow bloated memory-hogging Outlook, I have to admit that I find Word a very effective productivity tool when writing prose - even though it is a sledgehammer to crack a nut. I only want to send ASCII mail, but I want real-time spelling and grammar checking. When will open source catch up on this front?
Sorry it took me so long to reply to this... (Score:5, Funny)
STFU about not using IE at least with this scenario (Score:4, Insightful)
If you're the type of person who mistypes www.paypl.com (www.paypal.com) and ends up going to a scam site, using Konqueror, Opera, Safari, whatever isn't going to help you not get scammed.
That's why it's important for those who make those types of mistakes to pay attention to the URL, and not what the page looks like. And if you're complaining about not having popup blocking, well, most AV (Norton, McAfee) programs now include popup blocking. And if the person doesn't have an AV then they're probably the person who also doesn't pay attention to their URLs and is also the person who needs to learn about these things.
I know you want to be "1337" and all but pick a better example or reason to flame a product that's obviously more used than your favorite browser.
Who has control? (Score:4, Insightful)
It is entirely possible to design a page that would open in an IE window without toolbars, scrollbars and statusbar. Then it is entirely possible to add interactive graphical elements to the sides that would behave exactly like real IE interface elements, only they would be fake. This is wrong. The standards should give limited control to providers of information, while browsers give ultimate control to the users. It is completely wrong that standards allow javascript to intercept mouseclicks and block rightclick menu. It doesn't affect me because I use Opera, which doesn't give a shit about that, but when I click the wheel (button 3), I see that stupid message window that informs me I shouldn't right click on that site. This isn't more than an annoyance, since scrolling still works and rightclicking is not affected at all, but this should never happen in the first place.
Unicode addresses are wrong as well. They are an annoyance to the users. Have you ever seen a user (a visitor, the one who browses the web) request ability to use Unicode in URLs? I've never heard about that. It's some webmasters, who decided they want this stupid-stupid-stupid trick to work (and greedy registrars and their marketdroids) and broke a perfectly good addressing mechanism (I am Russian, but I never ever wanted Cyrillic URLs, even though now they are apparently supported).
Re:fpfpfp (Score:5, Funny)
Re:Turn off Javascript, turn on the status bar (Score:5, Informative)
Re:Turn off Javascript, turn on the status bar (Score:5, Informative)
On the other hand, I use Opera, and I love it. While it has a little banner that displays ads depending on what you're currently surfing (unless you pay 30 bucks for it), I find it in no way to be intrusive. Go try it out.
In an ideal standard world... (Score:5, Insightful)
In an ideal, standardized world where W3C-specs were followed, and no-one sought to conquer the entire web through non-standard HTML-extensions and market-dominance...
In such a pretty and ideal place, you wouldn't have to develop different sites for different browsers. You are making yourself the extra work, by supporting non-standards. No sympathy for you, my friend. No sympathy for the devil, indeed.
As a slashdotter I thought you knew that IE is more or less a Win32-only product. And there's a hell lot more to the internet than Win32.
Anyone excusing their IE-support with sheer market dominance has obviously rid themselves of all the principles the net was founded on. But I guess that is ok, since most IE-users wouldn't know.
Re:Turn off Javascript, turn on the status bar (Score:4, Insightful)
Re:Easier way... (Score:5, Insightful)
You could install computers with IE and Mozilla, with a large message that popped up *every time* you ran IE saying "This browser is insecure and will allow criminals to steal your money. There is a far more powerful and secure browser on this computer - it's the red icon on the desktop".
And people would still use IE "'cos it's Microsoft".
normal people (Score:5, Funny)
Where we go "cool, nice features" they... don't.
The other thing is, they always, with unwavering precision and frightening speed, manage to find the pages that it doesn't render properly.
gah, normal people.
the other thing is, that MS have succeeded frighteningly well in making their applications and icons synonymous with the tasks they perform in the minds of so many people. it's been said before, but that blue 'e' sort of IS the internet to so many people, like that 'w' IS the word processor. gah again. sorry for the lack of capital letters in this post.
lolRe:You can't just use another browser. (Score:5, Informative)
http://www.amazon.com%01@malicious-site.com
will show as http://www.amazon.com%01@malicious-site.com in Mozilla, Firebird, Opera, etc.
In IE, it will show as http://www.amazon.com
That is the flaw. It has everything to do with IE.
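The mismatch described in the comment above, as an added example that is not part of the original thread: it uses the standard WHATWG `URL` parser (browsers and Node.js) to report the host a link really goes to and to flag the `@`, `%00` and `%01` patterns mentioned in the thread. The function name `inspectLink` and the warning labels are hypothetical.

```javascript
// Added example: flag links whose userinfo part could pass for the destination.
// Control bytes %00-%1F and %7F, percent-encoded as the URL parser leaves them.
const ENCODED_CONTROL = /%(?:[01][0-9a-f]|7f)/i;
// Userinfo that begins like a dotted host name, e.g. "www.amazon.com".
const HOST_LIKE = /^[a-z0-9-]+(?:\.[a-z0-9-]+)+/i;

function inspectLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch (err) {
    return { realHost: null, userinfo: null, warnings: ["unparseable"] };
  }
  const userinfo = url.password
    ? `${url.username}:${url.password}`
    : url.username;
  const warnings = [];
  if (userinfo !== "") {
    warnings.push("has-userinfo");
    if (HOST_LIKE.test(url.username)) warnings.push("userinfo-looks-like-host");
    if (ENCODED_CONTROL.test(userinfo)) warnings.push("control-char-in-userinfo");
  }
  // The host that is contacted comes after the last "@" in the authority.
  return { realHost: url.hostname, userinfo, warnings };
}

// Constructed sample links; the first is the one quoted in the thread.
const samples = [
  "http://www.amazon.com%01@malicious-site.com",
  "http://www.amazon.com/",
  "http://alice@example.com/inbox",
];
for (const href of samples) {
  const r = inspectLink(href);
  console.log(href, "->", r.realHost, r.warnings.join(",") || "ok");
}
```

A mail client or link preview can show `realHost` next to the link text whenever `warnings` is non-empty.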
Re:You can't just use another browser. (Score:3, Insightful)
Ah! The joyous sound of yet another microsoft apologist.
If the user is dumb as a brick and cannot see something funky with the URL - that's the user's problem.
If Microsoft SCREWS the URL so royally that it looks perfectly normal that's Microsoft being the mass producer of crap sof
Re:Don't use IE? (Score:3, Interesting)
Visit that link in IE and see where it takes you. You might be surprised. I'd have just linked it, but
My other post [slashdot.org]
Liar Liar Pants on Fire (Score:4, Insightful)
I just did, Firebird 0.71 on XP.
Every URL clearly shows the correct site it's going to in the statusbar when I mouseover.
Yeah you faked it by putting your entire site in a whole-page frameset, but that's cheating - as opposed to showing a major security flaw and violation of the standards (which in this instance Microsoft is clearly admitting but flat out failing to fix).