Omaze's Journal: Actively sabotaging security

Recently I purchased a new laptop that I've been having all sorts of fun with since it arrived in the mail (if only my Office 2003 would show up!). It only came with a 2 month subscription to Norton's AV service, though. What a ripoff. No matter, I promptly wiped the hard drive, partitioned it correctly, and reinstalled WInXP from the ground up without all the OEM crap all over the system. Without AV on a Windows platform I'm taking extraordinary care with the web browser settings. The internet zone gets no permissions, like, none. Even links has more capability than IE once the javascript is blocked. Well, not really, but close.

First lets talk about Hotmail. Hotmail is a MSN member. This is Microsoft. Microsoft should be instituting policies and mechanisms which encourage, aid, and teach the user how to make proper use of the security settings inside of their web browser. Just to get Hotmail working I had to tcpdump the packets going through one of my intermediary systems and then see who was being called. I knew I had typed hotmail.com, and the Hotmail login page redirects to passport.net--but who would've known that one also needs to add passport.com to the trusted sites list? No where, except inside of the tcpdump log, did I see a reference to passport.com.

I've been unemployed for the last three months. I go to lots of job sites on a daily basis to search for open positions and submit resumes. I've been doing this with Mozilla but I've got a suspicion that, at some level, companies are profiling their potential employees by user agent string (three months of searching and I've had, what, maybe 3 telephone calls? WTF?). Now I'm using my bright and shiny new XP laptop to visit the job sites. Most of them (the general job boards) are pretty good and play well within the restricted internet zone. The ones that pose problems are the employer sites. Many of these sites rely heavily on javascript. No problem, I'll just add them to the Trusted Sites list. Some of these farm out their /careers section to a third party provider through their website. Sure, the address in the top bar still reads the general employer's site, but the data is obviously coming from elsewhere. How do I know?

Well, that's the point of this journal entry. Using Windows, I wouldn't know unless I was real intuitive with that little "powered by" box at the bottom of the page. Even adding that site to the trusted sites list doesn't always completely fix the problem. I often have to resort back to tcpdump on the intermediate system to capture the packets when I refresh or resubmit the page. How would someone else who's not as tech savvy or as experienced as I am know? For them these career pages would be a useless mish-mash of "you must enable javascript you must enable javascript you must enable javascript". These sites do absolutely nothing to play nice with a user trying their best to mind their online security. The very nature of serving these applets third party style without any clear notification would drive most users to give up on their foray into IE internet zone security and put everything back on a medium low security setting.

Therefore, MS and the big corporations create their own security problem. It isn't the users. It is solely the fault of the people who oversee the corporate framework of the internet.