New IE Malware Captures Passwords Ahead Of SSL
Ken Treis writes "SANS Internet Storm Center is reporting on a new strain of IE Malware. This one targets bank customers, which in itself is nothing new. But the catch is in the way it does it: it installs a Browser Helper Object (BHO) that can capture login information before it is encrypted, and 'watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.'"
Coming events (Score:5, Funny)
Re:Coming events (Score:5, Funny)
Re:Coming events (Score:5, Insightful)
Except when I'm at work...
I've got no choice at the office. So should I just stop doing online banking at work because the computers happen to use the most popular operating system and browser in the world?
It does seem surprising that this hasn't been done before.
Re:Coming events (Score:5, Insightful)
Re:Coming events (Score:5, Insightful)
Keep in mind, you cannot trust a computer which you cannot restrict physical access to. Period.
No personal stuff on the office computer. Not because the company wants it that way, but because you do, whether you know it or not.
Re:Coming events (Score:5, Interesting)
I live in Norway and most net-banks here use both your "birth-number" *and* a "securitycard" to generate a key.
The key generated by the securitycard is never the same, and you need a 4 digit pin-code to even get it to generate a code. You type in the first 6 digits and hit "log in" and on the screen you get the last 2 digits; if these match with the ones on your "securitycard" you can be reasonably sure that you are really talking with your bank.
Sniffing the password etc. won't help you one bit, since it will only be active for a few minutes. After that, you need a new number to log in.
Steal the card? I would just call my bank and they would issue a new one, and put the other on the "watch list". If someone tries to log on with it: oops, their IP is logged and you have a trail for the police.
Another great thing about this way of doing it is that you can access your netbank anywhere and within a few minutes, any information logged by a keycatcher is invalid.
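The login exchange this comment describes, as an added sketch that is not part of the original post or any bank's actual code. The card's real algorithm is not given in the thread, so an HMAC-based time-window code stands in for it; the 180-second window, the single-use rule, the card ids and the secret are assumptions.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 180   # assumption: the thread only says "a few minutes"
CODE_DIGITS = 8        # 6 digits typed by the user + 2 echoed by the bank


def card_code(secret: bytes, now: float) -> str:
    """8-digit code for the time window containing `now`.

    Stand-in algorithm (HMAC over a window counter, HOTP-style truncation);
    the real card's algorithm is not described in the thread.
    """
    counter = int(now // WINDOW_SECONDS)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class SecurityCard:
    """The customer's device: refuses to produce a code without the PIN."""

    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin = secret, pin

    def generate(self, pin: str, now: float):
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return None
        return card_code(self._secret, now)


class Bank:
    """Server side: checks the first six digits, answers with the last two."""

    def __init__(self, secrets_by_card):
        self._secrets = dict(secrets_by_card)
        self._spent = set()    # (card_id, window) pairs already used to log in
        self._revoked = set()  # cards reported stolen
        self.watch_log = []    # (card_id, source_ip) attempts with such cards

    def report_stolen(self, card_id):
        self._revoked.add(card_id)

    def login(self, card_id, first_six, now, source_ip="unknown"):
        """Return the two digits the user compares with the card, or None."""
        secret = self._secrets.get(card_id)
        if secret is None:
            return None
        if card_id in self._revoked:
            self.watch_log.append((card_id, source_ip))
            return None
        window = int(now // WINDOW_SECONDS)
        expected = card_code(secret, now)
        typed_ok = hmac.compare_digest(expected[:6].encode(),
                                       first_six.encode())
        if (card_id, window) in self._spent or not typed_ok:
            return None        # sniffed or stale digits are worthless
        self._spent.add((card_id, window))
        return expected[6:]


if __name__ == "__main__":
    secret = b"constructed-demo-secret"          # constructed sample value
    card = SecurityCard(secret, "4821")          # constructed PIN
    bank = Bank({"card-001": secret})
    t0 = 1_000_000.0
    code = card.generate("4821", t0)
    echo = bank.login("card-001", code[:6], t0)
    print("card shows", code, "- bank echoes", echo,
          "- match:", echo == code[6:])
    print("same digits again:", bank.login("card-001", code[:6], t0 + 10))
    print("ten minutes later:", bank.login("card-001", code[:6], t0 + 600))
```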
Re:Coming events (Score:4, Interesting)
Knoppix, Linux, DOS, OS/2 -- the OS doesn't matter. The keykatcher is a hardware dongle-like thing, looks like an elongated keyboard plug. And all it does is keep the last 65K of keystrokes you've typed.
You can download it to a floppy without removing it from the PC (if you're running Windows) or you can remove it, download it to a different PC and replace it later. Or, you can remove it, download it to a different PC, and then place it on the next guy's keyboard.
So, the truly paranoid person now has to cut-n-paste bits of their password with the mouse, and hope the bad guys haven't installed Back Orifice.
Re:Coming events (Score:5, Informative)
Do this for a few power users, and within a very short time, the IE-only requirement goes away pretty fast.
Re:Coming events (Score:5, Funny)
If I actually did, I think I would puke...
Re:Coming events (Score:5, Insightful)
Gee, I'm glad I use Firefox on Linux. And why the hell shouldn't I be? In addition to actually supporting standards (CSS anyone?), my decision is constantly reaffirmed by exploits such as these. Do you have a problem with that? (Actually I use Mozilla, but close enough.)
Re:Coming events (Score:4, Interesting)
Mine does. Switch to a different bank. Market forces will take care of the rest.
Re:Coming events (Score:5, Interesting)
And if your bank does not change. Then you change. Take your money to a different bank. It may be a little bit of a pain to have to do that, but that is the only power we have left as consumers, so exercise it.
Re:Coming events (Score:4, Interesting)
Re:Coming events (Score:5, Funny)
Since Mozilla just hit 1.7, this webpage must have fallen backwards in time through a freak wormhole.
If you look in the comments, it also mentions something about IE developers being "the first up against the wall when the revolution came."
Re:Coming events (Score:5, Informative)
It's not anything like IE's bugginess and incomplete support. You don't see freak bugs like IE's margin-doubling [positioniseverything.net]. IE also lacks support for
And the fact is, no browser supports all of CSS2. Mozilla (Gecko) has much better support than most browsers, and they are constantly improving its rendering. Compare that with the stagnation of IE's development over the last several years.
OK, I'll take the bait (Score:5, Interesting)
Someone could just as easily program a plug-in for Mozilla/Firefox/whatever that does the same thing as BHO? Do you also think that all operating systems are equally secure inherently? Is it just as easy to program in Python as it is to program in Pascal? Microsoft has a long history of creating application environments that offer extensibility through plug-ins that are inherently prone to security exploits. This makes it easier to create exploits for their products.
IE is the target because a high percentage of people use it. If it was 50% IE and 50% Mozilla I'm sure we would see a lot more activity on trying to create ad/spy/trojan-ware for all browsers.
Like back in the day, when Netscape ruled the browser market? Yep, there were a lot of adware/spyware/trojan-ware apps back then.
Maybe you should be happy that IE is used by so many.
Actually, no. I think most people would be a lot happier not to have to deal with such a crappy browser that is always introducing security problems, isn't standards-compliant, and doesn't have any of the most recent "must have" features that so many other browsers share. It would be easier for web developers, users, and security managers if IE weren't such a piece of crap.
Re:OK, I'll take the bait (Score:5, Insightful)
Second, it's not that there are so many users that are upset with having to deal with a crappy browser, it's that they don't *know* that IE is a crappy browser. Every time that I have to clean malware off of a machine, I make sure that I let them know (and prove to them by explaining the logs to them) that the spyware was installed via IE. Then, they know that they are using a crappy browser.
Re:Coming events (Score:5, Funny)
Re:Coming events (Score:5, Funny)
Re:Coming events (Score:5, Funny)
it's the only way to fly
Re:Coming events (Score:5, Funny)
Re:Coming events (Score:5, Funny)
Re:Coming events (Score:4, Insightful)
Re:Coming events (Score:5, Insightful)
1) Complain, if you haven't already... some web commerce site (can't remember which, but it was a big one) had a bug where it didn't recognize Mozilla as a sufficiently high version of Netscape. I feedbacked it, they responded with a NON-CANNED thank you within 24 hours, and it was fixed by the time I used the site again three days later.
2) Have you tried fooling the site by sending different authentication? Mozilla can just *tell* the site it's IE. Unless they're doing something very stupid like using ActiveX, that may work just fine. (If they are using ActiveX, switch banks. Seriously.)
Re:Coming events (Score:4, Interesting)
FYI: It was this [dresdner-bank.de] German bank.
Re:Coming events (Score:5, Insightful)
Re:Coming events (Score:4, Funny)
I read about the exploit here on Slashdot a few days ago, so obviously it's reliable. It doesn't use Javascript so disabling that won't help. IIRC, the code that causes it is something along the lines of: There is no known fix for this exploit! (Other than removing Windows from your system.)
Re:Coming events (Score:5, Funny)
Gee, I'm glad I'm continuously overdrawn and therefore have no money whatsoever in my bank account...
The last time I asked for money at the bank they knocked me back.
"Fine!" I said, "I'm taking my minus 1500 elsewhere...."
Re:Coming events (Score:5, Insightful)
You are also asserting that a mozilla extension can access the cleartext typed into a login box by "parsing the DOM before navigation begins". It's not clear to me that this is true. If it is, I think it should be considered a security hole. Mozilla should sandbox that text and use protected memory, etc...
I'm surprised (Score:5, Insightful)
Re:I'm surprised (Score:5, Funny)
Because there are no files to check, just packets?
And this... (Score:5, Funny)
SF article (Score:5, Informative)
Gates Defends Microsoft Patch Efforts [securityfocus.com]
Comment removed (Score:5, Insightful)
spybot S&D (Score:3, Informative)
usually a good idea (Score:5, Informative)
There is the slight problem that malware can silently reenable it when they run, but I doubt many do.
Re:usually a good idea (Score:5, Insightful)
Re:usually a good idea (Score:4, Insightful)
BHOs and you (Score:4, Informative)
Maybe this is the kick in the pants that M$ will get now that financial institutions are targeted with an exploit from a badly-designed browser model.
Which is nice.
HA! (Score:5, Funny)
I love IE (Score:4, Funny)
Re:I love IE (Score:4, Informative)
Uh, no. An Apple Mac couldn't run the executable, it uses a different family of CPU. Even if it could, IE's browser share on Mac OS X is very low.
Can someone refer me to a useful BHO? (Score:5, Insightful)
Stuff like the google search bar? Does that count?
Re:Can someone refer me to a useful BHO? (Score:4, Informative)
It's used for Adobe Acrobat's PDF plug-in for IE. I turn all of them off on my computer using BHO Demon [definitivesolutions.com]
Re:Can someone refer me to a useful BHO? (Score:5, Interesting)
Re:Can someone refer me to a useful BHO? (Score:5, Informative)
I will upload the project tonight for your downloading pleasures. And yes, of course it's GPL! Well actually it doesn't really have any licenses yet, so it will probably end up being GPL or BSD.
New Genre (Score:4, Funny)
You know you really have something going for you when a single application in your product line helps define its own genre of exploits:
The fellow in the article... (Score:5, Informative)
Open Source compressor used: (Score:5, Funny)
It is actually a 27648 byte Win32 executable that has been compressed using the Open Source executable compressor UPX.
Cue the FUD saying "look I told you Open Source was inherently less secure!"
And the wave of IE abandonment begins... (Score:5, Interesting)
BTM
What, exactly, is the FBI doing about this? (Score:5, Insightful)
I, for one, am sick of it. Where is our FBI and what are they doing about this? If these were criminals setting up videocameras to record pin numbers at ATMs, you can bet there would be a huge effort to track them down. Well, this is worse than that.
Re:What, exactly, is the FBI doing about this? (Score:5, Insightful)
They're much too busy detaining Arabs in the US for no reason, searching people's homes without warrants, raiding and seizing the equipment of people they think are computer hackers...
Oh, and they're busy punishing copyright violation too. That is clearly more important than people's bank accounts.
"New IE Malware" (Score:5, Funny)
Different password entry schemes? (Score:5, Interesting)
In Brazil there seems to be a new regulation saying that users of ATM and online banking shouldn't type the password in a numeric pad anymore.
Instead, you get 5 buttons on the touch screen (or a small Java applet, or Javascript thing in the case of the bank where I have an account there) with combinations of two numbers. It looks like "press this if the next number is 3 or 8".
The thing is, the combination changes every time you enter your password. The first button that was "3 or 8" before will be something like "4 or 7" next time. And the combinations change too, not only the position of the buttons.
So it becomes more difficult for spyware to monitor keypresses / mouse clicks, or things like this [utexas.edu] to work for the scammer. (Ironic or not, the ATM in the pictures at the UT website is from a Brazilian bank).
I haven't seen anything like that in any US bank; it's always a number pad where you type your password, or a text field to type the password online.
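The rotating two-digit buttons described in the comment above, as an added example (not from the original post or any bank's implementation). The server draws a fresh pairing per session and checks button positions against the PIN, and `replay_acceptance_rate` measures how often positions recorded in one session are still accepted under a fresh layout; the function names and the PIN are constructed for illustration.

```python
import random


def make_layout(rng):
    """Five on-screen buttons, each showing two digits ("3 or 8").

    Both the pairing and the button order are redrawn for every session.
    Pass random.SystemRandom() in production; a seeded Random is only for
    reproducible demos.
    """
    digits = list(range(10))
    rng.shuffle(digits)
    return [frozenset(digits[i:i + 2]) for i in range(0, 10, 2)]


def presses_for(pin, layout):
    """What the customer does: press the button that shows each PIN digit."""
    return [next(i for i, button in enumerate(layout) if int(d) in button)
            for d in pin]


def verify(pin, layout, presses):
    """Server check: every pressed button must contain the matching PIN digit.

    All positions are examined before answering so the result does not
    reveal which digit was wrong.
    """
    if len(presses) != len(pin):
        return False
    ok = True
    for digit, pressed in zip(pin, presses):
        valid_index = 0 <= pressed < len(layout)
        ok &= valid_index and int(digit) in layout[pressed]
    return ok


def replay_acceptance_rate(pin, recorded_presses, trials, rng):
    """Fraction of fresh sessions in which recorded button positions
    (what a click logger captures) would still be accepted."""
    hits = sum(verify(pin, make_layout(rng), recorded_presses)
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    pin = "3917"                                   # constructed sample PIN
    rng = random.Random(2004)                      # seeded for a stable demo
    session = make_layout(rng)
    clicks = presses_for(pin, session)
    print("layout:", [" or ".join(map(str, sorted(b))) for b in session])
    print("clicked positions:", clicks, "accepted:",
          verify(pin, session, clicks))
    rate = replay_acceptance_rate(pin, clicks, 20000, rng)
    print(f"same positions replayed on new layouts accepted {rate:.2%}")
```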
Patched in 48 hours (Score:4, Interesting)
Your 48 hours starts now.
Man, I'm so sick of this... (Score:5, Funny)
Wouldn't hurt me too much (Score:5, Interesting)
If I don't want to use one-time passwords, I can choose to use smartcard reader and a PIN number (which remains constant). I'm not sure if that would be vulnerable. Anyway, this follows the "something you have, something you know"-security model, I know the username/password and have either the smartcard or the one-time list.
Do the US banks only use username/password pair?
Re:Wouldn't hurt me too much (Score:4, Informative)
The list is a credit-card shaped piece of plastic that has a bunch of numbers on both sides. Goes easily in wallet. Doesn't matter if it gets stolen because you still need the username/password pair and you can get a new list by calling your bank.
And like I said, you can still use the smartcard version (so you'll skip the typing of one-time-password entirely).
What's going on at Microsoft? (Score:3, Insightful)
What's amazing me is why Microsoft isn't *running* to provide patches, for at least XP and 2K, to mitigate this. They're offering non-solutions like disabling Active X and Javascript. Sure, fixing the problem may mean some serious breakage for some in-house software someplace, but does anyone care that Spyware+Malware+IE is rendering their operating systems junk?
Are they even paying attention? Is XP SP2 a magic fix? Is it just too badly broken to even BE fixed?
Re:What's going on at Microsoft? (Score:5, Interesting)
First, Microsoft can't keep up with every possible exploit, so they don't even try. This is why they have yet to tackle viruses and trojans. Heck most of the virus companies aren't doing trojans, either.
Second, most of the fine-grained ability to really solve these sorts of problems is beyond your average user. If they had a switch to turn off BHOs, people would turn them off and then wonder why the WhizBangSuperBHO application they just downloaded doesn't work and wouldn't think to make the connection. Plus, there's no real concept of a proper sandbox, nor is there much ability to do it properly, if the default install gives everybody root.
Third, a page or internal site that uses ActiveX, BHOs, and other Microsoft-only technologies is a page or internal site that doesn't work under Opera or Mozilla. So by disabling such things, they risk turning back the clock towards standards that they've been enticing web designers with.
Fourth, spyware folks *cough*gator*cough* have a tendency to sue their foes. Which is probably without basis, but still could cause Microsoft to have weird injunctions if they got too active about it.
The problem, and the advantage for the rest of the market, is that all of this hurts Microsoft, if they do anything, or if they don't.
So.. (Score:3, Insightful)
Re:So.. (Score:5, Insightful)
Re:So.. (Score:5, Informative)
There is no feature in Firefox that would prevent the writing of the application.
There is, however, a feature that would prevent the installation of the application. From my experiences so far with Mozilla's various incarnations, you can't silently install plugins.
I can puzzle out a way for this to run under Mozilla, but it's a lot more complicated than under IE. IE uses the global (HKEY_LOCAL_MACHINE) and user (HKEY_CURRENT_USER) registry keys to keep track of plugins. As far as I've been able to find, Mozilla uses a separate registry per profile to keep plugins and customizations working; probably due to an offshoot of cross-platform compatibility.
The tools for installing the IE exploits are already in place: just convince IE to run some code via a buffer overflow or somesuch, have the code run "regsvr32 myfunexploit" and the exploit is installed into HKLM as a browser helper object. With Mozilla, you'd have to do a bit more work: find a buffer overflow exploit to execute remote code, have your code figure out where the profile directory for the user is located, run through that directory looking for a Mozilla installation, parse out the Mozilla registry, install your exploit code and (probably) wait for the user to restart Mozilla before it's loaded.
As the article noted, you need a third party application to easily list and modify BHO plugins. Under Firefox, at least, it's a single click to see what plugins you have running.
This could, in theory, be done with Mozilla-and-friends, but most of the features in the browser, simple plugin viewing and a separate registry, make it, if not unlikely to happen, at least more easily noticed by the end user.
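One way to do the listing that the comment above says needs a third-party tool, as an added example (not code from the article or the poster). It parses `reg export` text, resolves each Browser Helper Object CLSID under HKLM to the DLL it loads, and flags anything outside an allowlist; the export sample, CLSIDs, DLL paths and allowlist are constructed.

```python
import re

# Windows key under HKLM where IE looks up Browser Helper Objects.
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
           r"\CurrentVersion\Explorer\Browser Helper Objects")
CLSID_ROOTS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID",
               r"HKEY_CLASSES_ROOT\CLSID")

# Constructed sample in `reg export` text format (CLSIDs and paths made up).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{33333333-3333-3333-3333-333333333333}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Program Files\\ExampleReader\\pdfhelper.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\WINDOWS\\System32\\example_unknown.dll"
'''

# Constructed allowlist of helper DLLs the administrator expects (lower case).
ALLOWLIST = {r"c:\program files\examplereader\pdfhelper.dll"}


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; the default value is ''."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "" if name == "@" else name.strip('"')
            if len(value) >= 2 and value[0] == value[-1] == '"':
                # .reg strings escape backslash and quote with a backslash
                value = re.sub(r"\\(.)", r"\1", value[1:-1])
            current[name] = value
    return keys


def audit_bhos(text, allowlist):
    """List (clsid, dll_path, status) for every registered BHO.

    status: 'allowed'    DLL is on the allowlist
            'review'     DLL is registered but not expected
            'unresolved' CLSID has no InprocServer32 entry in the export
    """
    keys = {k.lower(): v for k, v in parse_reg_export(text).items()}
    prefix = BHO_KEY.lower() + "\\"
    findings = []
    for path in keys:
        clsid = path[len(prefix):]
        if not path.startswith(prefix) or "\\" in clsid:
            continue                      # not a direct BHO subkey
        server = None
        for root in CLSID_ROOTS:
            entry = keys.get(f"{root}\\{clsid}\\InprocServer32".lower())
            if entry and "" in entry:
                server = entry[""]
                break
        if server is None:
            status = "unresolved"
        elif server.lower() in allowlist:
            status = "allowed"
        else:
            status = "review"
        findings.append((clsid.upper(), server, status))
    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    for clsid, dll, status in audit_bhos(SAMPLE_EXPORT, ALLOWLIST):
        print(f"{status:<10} {clsid}  {dll or '(no InprocServer32)'}")
```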
Funny CIAC issued a warning in 2002 (Score:5, Informative)
A good thing this only affects IE users... (Score:4, Funny)
Find a new bank (Score:5, Insightful)
Oh yes, and be sure to tell your old bank WHY you're closing your account with them. "You're only supporting Internet Explorer as a browser, so I'm not supporting you as a bank."
Not like they'll notice on personal accounts, but maybe if a business or three moves their accounts, they'll sit up and take notice.
secure (Score:5, Interesting)
Quit the handwringing and DO SOMETHING! (Score:5, Insightful)
http://www.refestltd.com/cgi-bin/yes.pl
www.refestltd.com is 66.226.64.11; the ARIN pull is below.
I'm on the phone right now with Matt of Abacus America to get the website taken down.
I am saddened to think that I'm the first one that's bothered to go to the trouble...
OrgName: Abacus America Inc.
OrgID: ABAC
Address: 5276 Eastgate Mall
City: San Diego
StateProv: CA
PostalCode: 92121
Country: US
NetRange: 66.226.64.0 - 66.226.95.255
CIDR: 66.226.64.0/19
NetName: ABAC2002A
NetHandle: NET-66-226-64-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.ABAC.COM
NameServer: NS2.ABAC.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-01-31
Updated: 2003-03-27
TechHandle: AD384-ORG-ARIN
TechName: A Net DNS Administrator
TechPhone: +1-858-410-6900
TechEmail: dns@aplus.net
OrgTechHandle: ANETS-ARIN
OrgTechName: A Net Support
OrgTechPhone: +1-858-410-6900
OrgTechEmail: support@aplus.net
# ARIN WHOIS database, last updated 2004-06-28 22:17
# Enter ? for additional hints on searching ARIN's WHOIS database.
w00t (Score:5, Informative)
Why people use IE (Score:5, Insightful)
For example, I used to work for Cablevision's Optimumonline service. I would sit in meetings and go on and on about how we should support, even lightly suggest our customers use Mozilla. One of the biggest avoidable call drivers in our Call Centers was people complaining of pop-ups. Another large driver was Spam. Mozilla is a great tool for handling both of those problems.
The Higher Ups weren't interested in my ramblings. They would point out that we support IE, Netscape, Outlook Express and Outlook. They eventually came around and offered support of Safari but on a very limited basis (not that it needs anything more).
The biggest problem that most ISPs face is uneducated consumers. Their machines get hijacked and in turn Spam the World, which causes other users to complain and blame the company. These machines also eat up Network resources, again causing other users to complain and blame the service. Don't forget the users that click on EVERY pop-up that comes their way, thereby infesting their machine with spy-ware to the point that even opening IE is near impossible. Again, this is blamed on the service.
Granted the Mozilla fam aren't really out of the "beta" phase, but I see less Firefox, and Mozilla fixes than there are for IE. Being that Netscape and Mozilla are half-siblings (in a sense) why not support it? It's not like the support staff needs to be re-trained.
People don't care what browser they use, they want one that is intuitive, free, and functional to their needs. I think the Mozilla branch does that. With Firefox 9.1 out today, why are people still using IE? Better yet, why aren't ISPs telling people NOT to use IE? It would save them a fortune and a company not looking to save a fortune..... should be investigated!
Darwinian selection in action (Score:5, Insightful)
In nature, when a population gets too large there's a die-off. Usually this die-off is caused by disease or starvation. The better adapted creatures survive and live on.
We can use the fox and rabbit scenario [kluge.net] here.
The malware writers are the foxes and the ignorant users are the rabbits. In our case the foxes don't eat the rabbits, but instead hijack the rabbits' computers for fraud, spam, pop-ups, etc. Foxes die by giving up and moving on to more lucrative off-line crimes.
The rabbits don't eat anything but are increasing in numbers by simply hooking up machines to the Internet. Rabbits die by cancelling their AOL accounts and stop using the Internet.
Right now there are a ton of rabbits (and more every day) and the fox population is exploding.
If we just sit back and let natural selection take its course, the ignorant rabbits will become sufficiently frustrated with their Internet experience and give up. The foxes will concentrate even harder on the remaining rabbits (who will be better adapted to counter the foxes' attacks) or start writing malware for the rest of the rabbits or face a massive die-off as well.
Those that are able to adapt do so by either keeping their machines properly patched or learn to use alternative browsers (or operating systems). These rabbits will then have a better Internet in the end because we will have a better class of users and software.
There's plenty of educational material out there for ignorant users to read. Practically every day there's something in the newspaper about how to protect oneself from these attacks.
The Zombies and SpamBots will make life a hell for the rest of us, but that's a short-term problem in this model. That should fix itself after the die-off itself.
Firefox Too? (Score:4, Interesting)
It's not that I wish such a thing on people, but I'd like to know how secure the repositories are and what kind of damage we're looking at if it isn't.
My apologies (Score:5, Funny)
I really must stop watching Comedy Central.
Stupid hacker.... (Score:5, Informative)
Re:Can someone explain... (Score:5, Insightful)
Re:Can someone explain... (Score:5, Insightful)
I mean come on... Just tell her it is the new IE.
Re:Can someone explain... (Score:5, Interesting)
Apparently her ISP software linked directly to Iexplorer.exe and when it asked her to make it default she clicked yes.
Not her fault but still makes you want to slam your head against the monitor screen.
Re:Can someone explain... (Score:4, Funny)
b) Hide the IE shortcuts
c) Change the IE homepage to say, in big letters, "YOU'RE NOT SUPPOSED TO BE USING THIS NOW GET OUT AND START FIREFOX"
d) If you have Zonealarm on her computer, set it so IE has no Internet access
e) Use IE's Content Advisor to block all Web sites
f) I could go on and on
one word (Score:5, Insightful)
Re:one word (Score:5, Insightful)
Doesn't mean I'm lazy. Nobody can not be ignorant of something.
Because... (Score:5, Funny)
Re:Because... (Score:5, Funny)
Don't I have to use Internet Explorer to connect to the internet?
Whoa! Hold right up there, cowboy! You're telling me there's a difference?
(Sure it's not necessary but...just in case..."proud Firefox user since 0.6!")
Sad... because it's true (Score:5, Funny)
[joke]
"This is your computer.. this is your computer on Internet Explorer"
-or-
"Friends don't let Friends use Internet Explorer"
-or-
"Just say No to Internet Explorer"
[/joke]
Seriously, there needs to be a TV campaign or even public service banners on high traffic sites like Google or CNN.
Re:Can someone explain... (Score:5, Insightful)
Primarily cos they just use the first thing that is in front of their face.
One small step towards fixing this is to be involved as much as possible with all new computer installations.
Your mum is getting a new computer? Go in there and set it up for her. Put mozilla and firefox on the desktop, show her how to use them, and remove all the IE icons. She won't know any better and you can rest easy knowing there's less chance your inheritance is going to disappear from her bank account.
problematic idea (Score:4, Interesting)
By installing software on a computer-illiterate person's computer, you are implicitly taking *personal* responsibility for that computer, whether you want to or not. From that moment forward, that person will insist that you provide free technical support for them whenever you need it. Refuse this, and you will cast a bad light on open source. (ie: That Mozilla thing broke my Internet and no one will help me!) From experience, Murphy's law will go into effect, and any and every thing will go wrong.
Be wary whenever you offer to help someone with their computer. I have been so burnt out from helping so many people over the years that I refuse to help anyone, even family members, or even talk to them about computers.
Like it or not, open source cannot forever rely on legions of selfless geeks helping everyone. It's just not infinitely scalable. "Mainstream" open source projects like Mozilla, OpenOffice, etc need to 1) proactively focus on usability by recruiting (by paying if necessary) human-computer interface experts and focusing all development on usability and 2) forming political relationships with as many computer manufacturers, banks, and any other organizations we can to get our stuff in front of mainstream users. There is already some movement on these fronts, but it needs to be at least an order of magnitude greater.
Because it isn't so clear cut (Score:5, Insightful)
For the non-power user IE *IS* preferable. I came to this conclusion after trying several times to get friends and family to migrate to Firefox from Explorer. Even when I did all the grunt work, installing and setting up the browser and explained the benefits to them, they all went back to IE.
IE has enough features for them to deal with. They don't need the fancy "bells and whistles" of Mozilla, in fact they didn't even use the extra features. IE has the Microsoft look and feel they are used to. It's free, it's preinstalled, so they get used to the feel of it from the outset and don't have to download and install, a task many find daunting. And as most of the extra functionality Firefox has over IE comes from extensions, which they can't even work out anyway, then it seems pointless for me to try to force them to use it.
I don't blame most users for using IE. For them it is "good enough". I see a lot of snobbishness on this site, and maybe some of it is fair enough. I also see a lot of silly arguments with extrapolation from a small sample set "My sister uses Mozilla all the time now!" to big conclusions. As a scientist, I know enough not to make those errors. Anyway I just wanted to say most users don't need Firefox despite what you might read. I guess this is pretty obvious, it accounts for a fraction of 1% of browser usage after all.
For the average user, using Mozilla is like using a 4x4 to go shopping. It is needed one time in a million, and the rest of the time it is woefully underused.
Re:Because it isn't so clear cut (Score:5, Interesting)
IE is not just woefully inadequate for power users. It's woefully inadequate for anyone who wants a reasonable (not to mention decent!) Internet experience.
It's only "good enough" as long as people don't know about alternatives. Then they immediately start downloading extensions to IE -- extensions that you and I know come standard with a real modern browser.
Re:Because it isn't so clear cut (Score:5, Interesting)
The non-power user is most vulnerable to the security flaws IE is famous for. They are less likely to notice if something is downloaded to them without consent, and less likely to be able to fix it if it is.
I came to this conclusion after trying several times to get friends and family to migrate to Firefox from Explorer. Even when I did all the grunt work, installing and setting up the browser and explained the benefits to them, they all went back to IE.
There's two things I tell/show people about Mozilla when I install it (waiting for 1.0 to start giving out Firefox):
- Look, tabbed browsing. [perform Google search on something they find interesting. Middle-click on a lot of links.] Shiny!
- Look, no pop-ups. This is the big winner.
Oh, yeah, it's more secure, yadda yadda... but those are the two functions that the average person is going to find most beneficial. They may not pick up tabbed browsing, but they sure will appreciate built-in by-default popup blocking.
It may take some persistence. Every time they call you for help, walk them through like they're using Mozilla. If they're not using Mozilla, tell them to use it instead.
IE has enough features for them to deal with. They don't need the fancy "bells and whistles" of Mozilla, in fact they didn't even use the extra features. IE has the Microsoft look and feel they are used to. It's free, it's preinstalled, so they get used to the feel of it from the outset and don't have to download and install, a task many find daunting. And as most of the extra functionality Firefox has over IE comes from extensions, which they can't even work out anyway, then it seems pointless for me to try to force them to use it.
My mom called me last week, when my phone battery was almost dead. Thankfully, it was a short conversation, because it went like this:
"I heard that there's this new web exploit that MS doesn't have a patch for, but it's ok if you update your antivirus. So if I just update Norton I'll be fine?"
"Are you using IE?"
"No."
"Go ahead and update Norton anyway, but you can only get the virus if you're using IE. Keep using Mozilla and you'll be fine."
[bee-oop, bee-oop, bee-oop, phone goes dead]
The last few months of retraining her to think of Mozilla as her default browser have paid off. Yay!
For the average user, using Mozilla is like using a 4x4 to go shopping. It is needed one time in a million, and the rest of the time it is woefully underused.
You could say the same about IE. Most of the security flaws come from having built-in functionality that is only useful in some very esoteric intranet environments, and has no business on the public web. The whole "Trusted Sites," "Internet Zone," etc. thing is WAY more complicated than it should be, and defaults to settings that aren't safe, so you do have to go in there and change things if you want a somewhat secure browsing experience.
In Mozilla, the preferences are very clearly organized, with only a few things on any one screen. Makes it far easier for me to walk someone through changing something, and easier for the novice to find it themselves. The explanations are a lot more useful, too.
To go with the car analogy, using IE is like using the company fleet's Ford Taurus with no right-hand wing mirror or air bags, because it's closer at hand than your Honda Civic Hybrid. In my opinion, anyway.
Re:Can someone explain... (Score:5, Insightful)
Re:Can someone explain... (Score:5, Informative)
I think this will change when non-IE browsers start ruling a larger percentage in the server logs and too many customers complain. I always take the time to send a nice e-mail to websites that are broke with Mozilla.
Companies need to know that they are limiting their customer base and are losing sales.
Just yesterday I was signing up for a dedicated server at a vendor and their webpage was not working correctly, I brought up IE and worked fine. Ticked - I left and signed up with the competition (servermatrix).
Re:Can someone explain... (Score:5, Insightful)
1. Web sites check the user-agent header, refuse access to anybody not claiming to be MSIE.
2. Users of advanced browsers change their user-agent strings to claim to be MSIE.
3. Webmasters check logs, see most all hits come from MSIE...
4.
Re:Can someone explain... (Score:4, Interesting)
Take, for example, my Mom. A month or so before coming home from school, I mentioned that I planned on building a new computer for myself over the summer. She told me that she was just about fed up with our home PC because it was so slow and working so poorly and crashing. I told her definitely not to go do anything silly like buy a new one, just yet.
So when I get home, she has since cleaned up a lot of stuff (she's fairly tech-savvy as far as Aunt Tillie-types go) and the computer is running OK. I immediately installed Firefox on the computer, and told her, my brother and sister to all start using it instead of IE.
I left a week later for my summer job (6 hr drive, first time I go back is this weekend). As soon as the IIS compromise issue came out, I e-mailed my Mom and made sure she was using Firefox because she had told me over the phone that she had a lot of spyware/malware problems. Of course she wasn't using Firefox. I asked her why the hell not and she says, "I'm old and don't want to have to take the time to learn something new" (she is co-owner of a financial consulting firm). So I explain to her how it's not anything new. A browser is a browser, you've got the back button, the forward button, hell, you can even import favorites. So whatever. That was a few days ago.
I called her last night to make sure she started using Firefox, and of course, she wasn't again. I asked her why and this is exactly what she said, "I may be superstitious or something, but ever since Mozilla was installed, that's when we started getting all the nasty stuff on the computer." Well I didn't want to be rude and point out what problems she was having before I got home from school, so I let it go when she promised I could show her how great Firefox is when I go home this weekend.
I only hope she's not using IE to check her bank statements, etc.
Some people are so set in their ways, like my uncle, for example, who refuses to wear a seatbelt. I feel like switching browsers is the same situation. If anyone has any recommendations on how to convince people that are utterly unconvinceable to switch to Firefox, please let me know.
grr.. typo above (Score:3, Informative)
That query is for "refestldt.com" and I stupidly typed "reflestldt.com" after "domain name". The whois info is accurate, just not what I typed there.
It's probably fake: Blue Valley High (Score:4, Informative)
In other words, it's almost certainly a bogus phone number attached to bogus domain-registration info.
Re:Wow.... (Score:3, Insightful)
There's an outcry when Microsoft pushes their product launch back another year, and followed up with complaints that they didn't spend enough
Re:If this won't get people to switch, what will? (Score:5, Insightful)
Nothing. Probably 75% of computer users out there aren't even aware what a web browser is, much less what "SSL", a "security hole", and a "BHO" are. If they can understand neither what they are using, nor why they shouldn't be using it, they aren't about to switch.
Re:If this won't get people to switch, what will? (Score:5, Insightful)
For crying out loud, people! Nobody even knows what Firefox is!
Quit acting like everybody's a retard and start putting money into a Firefox ad campaign or something. Acting like a raging zealot isn't going to get people to switch.
Re:If this won't get people to switch, what will? (Score:4, Informative)
That sounds nice and all, but if your bank's site only works in IE -- as is true for many banks both large & small -- then the customer doesn't really have a choice in the matter.
I know people that are perfectly happy to use Mozilla 90% of the time, but when they have to log in to Fleet [fleet.com] (or whatever other bank site), they must use IE there.
Yes, the problem here is the bank's broken site, but what can you do? Their standard response is "95% of people use IE, so that's what we support", completely ignoring the line of thought that if they wrote in a portable, standards compliant way, they wouldn't have to think about these issues, and their customers would be much happier. But there we are -- stuck.
Your exclamation points are appreciated, but until the banks & other IE-only sites realize the errors of their ways, you're just berating the victims of the larger crime here.
Re:Why is a gif file getting run as an EXE?!? (Score:4, Informative)
How to switch to firefox on windows... (Score:4, Informative)