Hi Goncalo,

On Sun, 27 Feb 2005, at 14:07:07 [GMT +0000] (which was 7:07 AM where I live) you wrote:

GF> If it's something you can switch on or off then you're in no more
GF> danger than being alive.
GF> I'm sure you manage to get a better justification!

Let's expound a bit on this though, Goncalo. Why exactly is it that IE is so vulnerable in so many ways? It's because IE, like many other Microsoft products, tries to do it all. Well, that's only part of the reason; "they try to integrate so much cross-application functionality" is a better answer. They did this because users wanted this and users wanted that. They did it because Microsoft wanted a bigger market share. They wanted to dominate. They wanted to be able to do it all. But they screwed up. Users began to realize that functionality at the cost of security wasn't acceptable. Microsoft won the browser war, but it was a short-lived win. What good are the spoils of war if they really are spoiled and tainted?

Now granted, IE made their primary mistake because everything was "on" by default. But my point is that Microsoft gave the users what they wanted without ever trying to tell them why it was risky. The internet used to be a wonderful place; now you have to check, double-check and triple-check just about everything you do. Popups were a great idea at first. A nice way to display information without disrupting the flow of the visitor's browsing of their main site. Now we have a whole box of bandaids to prevent popups.

What I'm getting at is that the populace in general needs people like Tony and Paul and myself to try and keep the sanity. Most people on this list are more tech savvy than the rest of the population, and for every user we have here on the list, we have 20 that aren't. People who won't know why enabling the download of images can be a Bad Thing (tm), or why clicking the "Go to our website to validate your bank account" links almost never takes you to your bank, or why Nigerian scams are just that, scams. People are *still* getting sucked into those scams. How long have those been around? Forever. But they still get people.

People talk about applications nannying them. I agree; we, the people in the know, hate it. I hate it. But you tell me a viable way to protect those not in the know and I'll go along with it. A whitelist? It isn't going to work... How do I know this? I can't tell you how many software firewalls I've installed for people. Literally, close to a hundred would be my guess. I do it for every friend/family member/co-worker that I can. I even try to explain when you should and shouldn't "allow" something. It doesn't work. They eventually just start clicking "yes" to anything and everything, and they're no more protected than they were before I installed the firewall.

Take PCWSmileys and Rogues. We (9val and I) worked out a system to have trusted servers from which TB could automatically download images. The same thing we're talking about doing for HTML images. Yet, we decided to drop it because there was no way to make it foolproof. Even if we were able to convince users to only include the PCWize server, you all had to rely on my security knowledge and expertise to ensure my server wasn't compromised. That's a lot of faith to put in me. I'm good at it, but I'm not perfect. Somebody, someday will crack my server. It hasn't happened in the three years it's been on-line, but it will one day. I don't hope for it, but I expect it.

People in general do need to be protected from themselves. It makes it rough on those of us in the know, but if it means my mom and dad are protected I'm willing to sacrifice a bit of so-called "functionality" to do that.

-- 
Leif
-:- TB Lists Moderator -:-
PGP Key ID 0x7CD4926F

Tagline of the day: When you go into court you are putting yourself in the hands of 12 people that weren't smart enough to get out of jury duty.
Roguemoticons - http://www.PCWize.com/thebat
PCWSmileys - http://www.PCWize.com/thebat/pcwsmileys.php

________________________________________________________
Current beta is 3.0.9.1 Deep Alpha | 'Using TBBETA' information:
http://www.silverstones.com/thebat/TBUDLInfo.html
IMPORTANT: To register as a Beta tester, use this link first -
http://www.ritlabs.com/en/partners/testers/