Archive for Mozilla

The final build of Firefox 1.5 just got released. Shwing!

Comments (3)

Stopping popups from plugins in Firefox.

Unwanted popups in Firefox are usually caused by small embedded Flash movies. If you want to disable them, do this:

  • Type “about:config” without the quotes into the address bar and press Go.
  • Right-click on any entry and choose “New”, then “Integer”.
  • Enter “privacy.popups.disable_from_plugins” for the name of the new preference, and set its value to “2”. A value of 2 blocks popups opened by plugins outright; 0 allows them and 1 merely caps how many a plugin may open.

Comments (4)

Keeping Firefox safe.

We all know Firefox is getting more popular; along with the popularity though comes a price, which we’ll probably see in this new year. The price? Malware. Firefox proponents - myself included - point out how much less vulnerable Firefox is than Internet Explorer. There are two primary reasons for this security difference.

First of all, the Firefox development team is (arguably) much more rapid than the Internet Explorer team at releasing patches for critical security problems, specifically buffer overflows and other memory-corruption bugs that a web page can trigger remotely.

The second reason is popularity. IE accounts for at least 90% of the browsers out there at the moment, and combine that number with the security track record and it makes a good target for the malware authors.

As Firefox becomes more popular, more malware will target it (there was even a post on Slashdot today about this). This will happen most probably through the extensions component of Firefox - even now it’s quite easy for a user to accidentally install a malicious extension.

Here’s my idea that I’m currently fleshing out: a web-based tool that allows users to download a “Secure Firefox” build. The website can allow you to choose a base Firefox binary (targeted for platform, with perhaps a set of optimized builds). Once that’s chosen, the user can then choose from a list of check boxes which trusted extensions they want installed. The site then creates the installer for the user with one difference - no XPIs from the web can be installed, along with other possible security constraints (no executable downloads for regular users, etc).

There are a couple of things to slow this idea down. The big one is the concept of a trusted extension - you’d have to have a pool of developers that would audit the uploaded extensions and make sure that they’re benign. The second concern is the building of the installer. I think that can be addressed by simply caching the most common build configurations on the server, so that the builds only occur when there’s a cache miss.
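A sketch of the three pieces that build step needs, as an added example that is not code from this post or from Mozilla: bundling only extensions whose bytes match the hash the auditors signed off on, locking web XPI installs out of the finished product, and deriving a cache key so only a genuinely new configuration triggers a build. The lock-out uses Firefox’s real AutoConfig mechanism (a defaults/pref file pointing general.config.filename at mozilla.cfg, with general.config.obscure_value set to 0 so the file is plain text, and lockPref() calls that the user cannot override; Firefox skips the first line of mozilla.cfg, so it has to be a comment). The pref name xpinstall.enabled is Firefox’s; the helper names, the manifest format and the sample XPI bytes are assumptions made up for this example.

```python
import hashlib

# Constructed sample data (not real XPI archives): the bytes the reviewers
# audited, stored in the site's manifest as SHA-256 hex digests.
_AUDITED_BYTES = {
    "adblock": b"PK\x03\x04 adblock placeholder",
    "fireftp": b"PK\x03\x04 fireftp placeholder",
}
AUDITED_XPIS = {name: hashlib.sha256(data).hexdigest()
                for name, data in _AUDITED_BYTES.items()}

# Preferences locked into every build, as JavaScript literals for mozilla.cfg.
# xpinstall.enabled=false is what stops XPIs being installed from the web;
# any further constraints the site decides on would be added here.
LOCKED_PREFS = {
    "xpinstall.enabled": "false",
}


def select_extensions(requested, staged):
    """Return {name: bytes} to bundle. `staged` maps extension name to the
    XPI bytes sitting on the build server; anything not on the audited list,
    or whose bytes no longer match the audited hash, is refused."""
    bundle = {}
    for name in requested:
        if name not in AUDITED_XPIS:
            raise ValueError(f"{name}: not on the audited list")
        data = staged.get(name)
        if data is None:
            raise ValueError(f"{name}: no staged XPI on the build server")
        if hashlib.sha256(data).hexdigest() != AUDITED_XPIS[name]:
            raise ValueError(f"{name}: staged XPI does not match audited hash")
        bundle[name] = data
    return bundle


def render_local_settings():
    """defaults/pref/local-settings.js: makes Firefox load mozilla.cfg
    from the install directory as plain (unobscured) text."""
    return ('pref("general.config.filename", "mozilla.cfg");\n'
            'pref("general.config.obscure_value", 0);\n')


def render_mozilla_cfg(locked=LOCKED_PREFS):
    """mozilla.cfg: first line is ignored by Firefox, so it is a comment;
    lockPref() values cannot be changed from about:config or user.js."""
    lines = ["// Secure Firefox build: locked preferences"]
    for name, value in sorted(locked.items()):
        lines.append(f'lockPref("{name}", {value});')
    return "\n".join(lines) + "\n"


def cache_key(platform, requested, locked=LOCKED_PREFS):
    """Key for caching finished installers. Ticking the same boxes in a
    different order gives the same key; a change to an audited hash or to
    the lock set gives a new one, so stale installers are never served."""
    h = hashlib.sha256(platform.encode())
    for name in sorted(set(requested)):
        h.update(b"\0x:" + name.encode() + b"=" + AUDITED_XPIS[name].encode())
    for name, value in sorted(locked.items()):
        h.update(b"\0p:" + name.encode() + b"=" + value.encode())
    return h.hexdigest()


def build_plan(platform, requested, staged):
    """Everything the installer builder needs for one configuration."""
    bundle = select_extensions(requested, staged)
    return {
        "cache_key": cache_key(platform, bundle),
        "extensions": sorted(bundle),
        "defaults/pref/local-settings.js": render_local_settings(),
        "mozilla.cfg": render_mozilla_cfg(),
    }


if __name__ == "__main__":
    plan = build_plan("win32", ["adblock"], _AUDITED_BYTES)
    print(plan["cache_key"], plan["extensions"])
    print(plan["mozilla.cfg"])
```

The hash check is what makes “trusted extension” mean something operationally: the auditors’ verdict is tied to specific bytes, so a later upload under the same name is rejected until it has been re-audited and the manifest updated, and that update also changes the cache key for every build that includes it.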

Anybody have any thoughts on this?

Comments (4)

Firefox, IE, trust, other stuff.

Pretty much everyone who reads this site (if there’s anyone left) knows that Firefox is a web-browser. A pretty good one too. In fact, last week the Mozilla foundation - the creators of this free browser - raised enough money to have a two page advertisement in The New York Times announcing the 1.0 release of the software. All of the monetary donators names were listed on the left side with mine in there somewhere (I believe).

Firefox is - along with its mail-oriented brother Thunderbird, and their singular parent Mozilla - open source software. That means that anyone - you, me, your mom, and so on - can download the source code of the product and examine it, modify it, distribute it, and many other mostly-boring things. In fact I’ve delved through lots and lots of the code trying to find GTK errors, problems with roaming profiles, and other even more boring things. People redistribute optimized versions of Firefox, Mozilla and Thunderbird. It’s arguable that the software isn’t as free as code licensed under the GPL, but that’s a matter of perspective and religion.

Lots and lots of people worked hard on these products. They’re usually billed as an either more efficient or more secure version of Microsoft products - and again, that’s a matter of perspective.

Think of it this way though - say you’ve got a lot of friends who are geeks. Friends who are maybe lacking in the social department, but who have some talent in the area of computers. Check and see how many of them use Firefox - no, not even Firefox. Check and see how many of your hardcore, computer-geek friends use Internet Explorer. I’m betting very few.

I’d like to think that I’m decent with computers, and I may have enough technical traces of myself floating around the Internet to prove this. Anyways though, I use Firefox. I began using its ancestor, Mozilla, a long time ago due to the fact that my primary operating system (Linux) had no real alternative. Mozilla provided me with a great browser and mail client that got better every release - in fact, better with each nightly build. I now use it on my gaming PC which is a Windows 2000 system, and my work machine (a Windows XP Service Pack 2 system).

Yet there’s the security angle to consider. Three weeks ago, there was a nasty Internet Explorer exploit that allowed an executable program to be run when a user clicks on a link (the IFRAME one). If that’s too technical, think of it this way - a web page can install *big pause* something on your system without warning, confirmation or indication. Luckily the test page just installed a dummy executable. Yet this problem existed in Internet Explorer 6 on the XP Service Pack 2 machine, my home Windows 2000 machine but strangely enough not on Robin’s XP Service Pack 1 machine. The exploit was around “in the wild” for some time, and usually in the Microsoft patch world you’d have to wait until their “scheduled security update” to get a fix. They pushed the fix forward a few weeks I’d guess (feel free to correct me), and the hole got patched. Yet these exploits have existed for years, and will keep popping up, and that’s that - that’s life.

I wouldn’t dream of implying that Firefox, Thunderbird, Mozilla, Linux or even OpenBSD don’t have exploits like this. Buffer overflows, underflows, denial-of-service vulnerabilities - they exist in the open source and free software world too. Yet one of the advantages to these programs - call them products if you like - is that they have no schedule to release security fixes. If there’s a security problem found in any of the products I’m using (save Windows on my gaming machine) they’ll get fixed as soon as humanly possible. By guys like me. Who almost always make no money from this job.

Let me elaborate on that though - it gets better. Take my laptop, or the computer sitting in my closet. Or this site. All three of these systems run Debian GNU/Linux, which is a (surprise) Linux distribution. Debian has a wonderful package system in which I can automatically download all security fixes on any schedule I want, or manually if I so choose. I can also download newer versions of all the software as soon as the person responsible for that package in the Debian system gets it out. That process is usually quick - for large packages like Firefox, a new version (say from 0.9 to 1.0) might be delayed a week or two. But for most packages it’s the next day. And there’s over 10,000 packages in the Debian GNU/Linux system. So that’s quite cool. And like I said, the security updates can be acquired separately from new versions, so you can keep a stable server - like this one - running the versions of software that you’re accustomed to, at the safest level of security that this strange social process can provide.

That got really technical, and I’m sorry for that. I’m trying to compare though the free software and open source (FLOSS as it’s sometimes called) methodology and process with the proprietary software development and release process. Specifically that of Microsoft.

Back to the example of the latest IFRAME exploit for Microsoft. This hole - and others like it over the past few years - have been a wide open, erm, window for malicious, evil software to get installed on the average PC without consent. The stuff is spyware, malware, adware, trojans, spambots, botnet clients, and on and on. I don’t even know all of the terminology. I don’t have to - it all boils down to shit you don’t want on your PC. And it can also come in using other vectors, such as your Internet connection - if you had a system with a public IP address during the DCOM+ nightmare, you may know exactly what I’m talking about.

Most home users whine to guys like me - computer geeks - about their system running slowly. The cable modem transmission and receive lights are solid all the time. Weird shit happens to their systems, like new toolbars, popups when no website is loaded, the PC being unable to turn off - lots and lots of interesting stuff. And it all comes back to this malware. A lot of computer geeks will recommend a one-two punch combination of Ad-Aware and Spybot Search and Destroy to blow this stuff away. The people who recommend this are secretly praying that it is only minor spyware that the user is infected with. This won’t clean the real interesting shit off your system, like Cool Web Search. And it won’t clean viruses. And it won’t find lots of e-mail harvesting programs and spam-sending zombie programs, since those can be written using a very small amount of code and can look very, very legitimate.

So when regular users complain about their system sucking, usually a malware scan is suggested, along with a virus scan, and an increasingly frequent suggestion to switch to another browser. Any other browser. Opera, Mozilla, Firefox, anything - but please, not one of the ubiquitous IE shells since they contain the same vulnerabilities that IE has.

Now everyone plays the blame game when it comes to the root of the problem. Lots of people put the blame on the malware authors - fair enough. But if something makes money - even at the expense of others - it’ll be done. Maybe a harsh attitude, but true at least in the computer world. Look at junk e-mail. Blaming them though, doesn’t help much.

The biggest target of the blame is users. They’re called stupid. A comparison is always made between computers and cars - if you need a license to drive a car….. You get the idea. I disagree. In fact, that attitude - that it’s the average person’s responsibility to clean this shit off their computer - actually really angers me. This attitude stems from being lulled into thinking that software has to be like this. Computer users start thinking that they need to run these wacky spyware scans once a month, and on and on. It doesn’t have to be like that. These problems currently come from a few concrete methods of transmission.

Which brings me back to the root of the matter. I have lots and lots of family that aren’t computer geeks - and lots of friends that aren’t computer geeks. And somehow, their systems are clean.

It’s not just “Use Firefox”. It’s a combination of things. Use a hardware router. It can say firewall, router, whatever - as long as you don’t have a public IP address. The XP Service Pack 2 firewall DOES NOT COUNT. It can be programmatically changed by software running on your system (yes yes, only with administrator privileges and so on).

Don’t use Outlook, or Outlook Express. They have a horrible, horrible track record of executing attachments that you don’t even click. Just don’t do it - it’s not worth it. Use GMail, Hotmail, Eudora, Thunderbird (obviously) - anything else. Please.

And of course, lastly - don’t use Internet Explorer. Lots of people will shift the blame of the malware installations to the end user by saying that the non-computer person will click the “Accept” button on any dialog box. The people who read about - and understand - the exploits in IE know that this is bullshit. Malware, spyware and all the other fun things out there can be installed just by going to a web page. And lots and lots of web pages are now created with seemingly innocuous purposes that stealth-install this crap on your system. There’s even web pages that clone projects like Wikipedia and provide the same free encyclopedia, with a little trojan surprise to go along with it.

So please - please don’t use IE. When its vulnerabilities are found by Microsoft they’re fixed in the next scheduled update to the now venerable software. And Microsoft finding a security flaw certainly doesn’t mean it hasn’t been public knowledge in the malware world.

So I beg you - actually beg you - to use anything else. Buy a Mac. Linux isn’t friendly enough to replace Windows for the vast majority of people, but try Firefox - it’s nice and much, much safer. Or Opera. Remember though, the IE shells will still contain all these problems.

Do I sound loony? Maybe. But go back to the start of this rambling thing. Further. That part about the geeks you know. How many of them use IE for browsing the web? Or Outlook Express at home? (Don’t bring up Outlook in a corporate environment - we know how easy it is to get a replacement in there). Very few. And it works.

My parents use Mozilla for their browser, and they’ve yet to have spyware or a virus in years. Years! Nothing. Same with the wife. I recently went to Oakville to visit my family and an unnamed cousin (you know who you are) was plagued by shit in her PC. She’s using Firefox and it’s all cleaned up - and it’ll stay that way.

A long rant, but the point is trust. I’d hope that some people trust that I’m somewhat informed about these matters, and trust me when I say using IE is like sex without a condom. And to extend that nasty analogy, the SP2 firewall is a condom with holes. Don’t use it, please. None of my friends use it (none of my real friends), and we’re all computer geeks. When we suggest this browser to you, it’s not out of some creepy advocacy plan - we truly do want you to have a better experience using the net, and we want you to understand that using a computer doesn’t have to be an exercise in frustration and loss of control. That’s it.

Comments (13)

Firefox 1.0!

Firefox 1.0 is finally out. That’s, um, all.

Comments (2)

Firefox MSI packages.

One of the members of Mozillazine has posted MSI installer packages for Firefox to ease deployment in corporate environments. Keep in mind that the browser is still a preview edition.

Comments (3)

Fireftp.

Fireftp seems to be an excellent full-featured FTP client extension for Firefox - all in about 50k.

Comments (1)

Firefox 0.9

Firefox 0.9 has been released. It has a new default theme, so don’t be all shocked or anything. Lots of updates and major bug fixes (as usual).

Comments (3)

WYSIWYG stylesheet editing.

This is amazingly cool - EditCSS is a (duh) CSS stylesheet editor for Firefox that reflects changes made in realtime. Via Russell Beattie.

Comments

Best Firefox extension ever.

Seriously, download Adblock for Firefox. It’s an excellent advertisement blocking tool (which should be obvious) and it beats most solutions I’ve seen. I hate proxy-based filtering, since most proxy software a) has no support for HTTP/1.1 persistent or pipelined connections, and b) has no support for GZIP-encoding. If you don’t have Firefox, go get it.

Comments (5)
