Embarrassment on Twitter
It's not really the kind of message you expect to get from a friend or a colleague - or indeed from anyone you might know on a social network. The direct message from a Twitter friend read: "hey, i've been having better sex and longer with this here..." followed by a link to a website, which I chose not to follow.
I got this overnight from a colleague at the BBC, but it's also been sent by loads of other Twitterers - including the Energy Minister Ed Miliband.
Now, before you sense another scandal involving politicians and journalists, I should stress that all these people are victims of a phishing attack, which has been documented.
It appears their Twitter accounts and passwords have been compromised, perhaps by an earlier phishing incident - one which very nearly caught me out too. Yesterday I received a direct message - of the kind Twitter users are more inclined to trust. It read "haha, is this you?", followed by a link. I read it on my phone, foolishly clicked on the link - and arrived at what appeared to be a Twitter login page. Only then did I stop - and realise that this was an attempt to get me to give away my password.
It's another reminder that as soon as a service becomes popular, it's all the more likely to become the target for all sorts of scams and viruses - or indeed suffer its own security lapses. I was caught out a while back when a photo I uploaded of a BBC studio was somehow replaced by someone else's rather more arresting snap of a young woman wearing nothing but a smile.
So what's the best advice? Some people are saying you should never click on a link - but that would destroy one of Twitter's most useful functions, where people share interesting news stories, or point to information around a discussion.
In the end, it's all about trust and awareness - is it really likely that a microblogging friend would boast of their sexual prowess, or share a link without any explanation of what it was about? If not - don't click. And if you do use Twitter or any other service the security of which you fear may have been compromised, I'm sure you don't need me to tell you to change your password.
Comment number 1.
At 26th Feb 2010, Marc wrote:A phishing scam on a web site where nearly all links are masked by URL shortening services... who'd have thought that would ever happen?
Complain about this comment (Comment number 1)
Comment number 2.
At 26th Feb 2010, James Palmer wrote:I use TweetDeck and it has a rather useful preview function. It allows you to see what most of these shortened URLs are actually pointing at before you load them up in your browser. Has saved my blushes on a number of occasions!
Complain about this comment (Comment number 2)
Comment number 3.
At 26th Feb 2010, Anthony Nigel wrote:People just need to be aware of the URLs they're on. If it isn't twitter.com, then you probably shouldn't be giving them your Twitter Login information.
That said Twitter & Facebook's open Authentication is just going to add a whole new level of pain and make it 10 times easier for Phishing people to obtain details.
Ant
Complain about this comment (Comment number 3)
Comment number 4.
At 26th Feb 2010, brightengineer wrote:"In the end, it's all about trust and awareness"
not so much trust, as using common sense.
I don't follow any links sent via facebook, IM, or indeed twitter as my computer is not only my prized gadget, but also my means of an income.
My few simple rules are that: I do not follow anything sent to me via one of them url shortener sites (sites that take a long url, give them a unique identifier and store them in a DB giving the user a significantly shorter url to enable posting on a site such as twitter). Any site that I do not know, and also, I do not follow any link sent over IM that is out of character to the person sending it.
So far with 0 infections, 0 phishing attacks, and 0 malware, i think i am doing quite well.
(also, i hasten to add that i have a lot of security software on my computer should i be drunk one night and start randomly clicking links)
Complain about this comment (Comment number 4)
Comment number 5.
At 26th Feb 2010, Jon Gibbins wrote:It's shocking, really. The amount of push that the govt has given on getting people internet savvy has worked better on the public than on their own members!
As Anthony Shapley has already said here, looking at the URL in your browser gives an instant indication as to where you are on the internet.
If it doesn't say Twitter.com, you're not at Twitter.com!
Complain about this comment (Comment number 5)
Comment number 6.
At 26th Feb 2010, Martyn Davies wrote:This comment was removed because the moderators found it broke the house rules. Explain.
Complain about this comment (Comment number 6)
Comment number 7.
At 26th Feb 2010, Sally Dickins wrote:I received one of these just today from a friend who would chop his own hand off rather than send something of the nature of the Direct Message. Also, I registered with Twitter about a year ago and have never been on the site since so I thought it may have been a bit dodgy and didn't go any further except to contact said friend.
Complain about this comment (Comment number 7)
Comment number 8.
At 26th Feb 2010, Mark_Munster wrote:This comment was removed because the moderators found it broke the house rules. Explain.
Complain about this comment (Comment number 8)
Comment number 9.
At 26th Feb 2010, James Branch wrote:It's all about common sense, as much as it is about trust. However, as the people who operate phishing scams know, users of sites such as Twitter and Facebook can lack such common sense and be intrigued with links to click.
It's easily done and I've known people do it without even reading the whole message!
Biz and co. will have to look into this in finer detail I think, especially as site usage and population is growing by the day!
@jaybranch
Complain about this comment (Comment number 9)
Comment number 10.
At 26th Feb 2010, Chris wrote:This comment was removed because the moderators found it broke the house rules. Explain.
Complain about this comment (Comment number 10)
Comment number 11.
At 26th Feb 2010, Laurence wrote:The 'haha, is this you?' scam has been sent around on chat applications like Live Messenger for a long time - with the very same message. Worryingly, any advice to the person whose account has been hacked that they ought to change their password often results in 'oh it's only a message, it's not doing any harm'!
Complain about this comment (Comment number 11)
Comment number 12.
At 26th Feb 2010, gibbonmonkey wrote:hey, i've been having better sex and longer with this here
/blogs/
Complain about this comment (Comment number 12)
Comment number 13.
At 26th Feb 2010, Aidy wrote:People should stop using IE so that they're safer on the internet! I use FireFox on a Mac at work and Chrome on LINUX at home so I know I'm safe from all viri.
/sarcasm
Complain about this comment (Comment number 13)
Comment number 14.
At 26th Feb 2010, Laurence wrote:Aidy: I'm not sure how your advice would prevent you having your account details scammed when clicking on a link and entering your details into another website? It doesn't matter what browser or operating system you use, the scam will still work. People need to be educated about the risks and not conned into thinking that by switching their browser they will be safer.
Complain about this comment (Comment number 14)
Comment number 15.
At 26th Feb 2010, Aidy wrote:@Laurence #14
My post was joke :) I was making fun of the kind of comments usually made here when some security scare is revealed, normally made by people who don't quite "get" the internet but think they do.
PS for future reference, "/sarcasm" means "this is the end of the sarcasm" :)
Complain about this comment (Comment number 15)
Comment number 16.
At 26th Feb 2010, Laurence wrote:Aidy: Was that sarcasm too? :)
Complain about this comment (Comment number 16)
Comment number 17.
At 26th Feb 2010, Daniel Rhodes-Mumby wrote:'Transport Minister Ed Miliband'? Methinks perhaps it's a case of embarrassment on BBC blogs. ;-)
I do wonder why this sort of thing is being treated as significant news though - Sky seems to be taking it a bit over the top, for example.
Complain about this comment (Comment number 17)
Comment number 18.
At 26th Feb 2010, Sarah wrote:Without wanting to look like I have completely missed the point, Ed Miliband is actually Secretary of State for Energy and Climate Change...
Complain about this comment (Comment number 18)
Comment number 19.
At 26th Feb 2010, Martyn Davies wrote:I saw the suspicious tweet (direct message) myself last week. Something about "LOL, was this you?", containing also a tinyURL link to the fake Twitter logon page. I don't get many tweets of the kind "LOL, was this you?", so perhaps this was a clue for me. As Anthony Shapley suggested before, when offered a logon page you're best to quickly look at the URL in the address bar at the top, and make sure that it really does contain 'twitter.com'. Always bear in mind that address shortners (like bit.ly, tinyurl etc) can be used to disguise obviously suspicious web addresses. Be cautious when following these links.
Complain about this comment (Comment number 19)
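The advice in comments 2, 19 and 22 (preview where a shortened link really goes before loading it, then check that the login page's address genuinely is twitter.com) can be carried out without a browser at all. The following is an added example, not code from the blog post or any commenter: it sends single HEAD requests and reads each Location header without following the redirect, and it checks the parsed hostname rather than searching the URL text for "twitter.com" (a plain substring test would also accept a host such as twitter.com.example.net). The local "shortener" it talks to is a constructed stand-in started on a free port so the demo runs offline.

```python
"""
Added example (not from the blog post or its comments): preview the redirect
chain behind a shortened link without visiting the landing page, then check
whether that landing page is really on twitter.com.  Standard library only.
The local redirect chain below is constructed purely for the demonstration.
"""
import http.client
import http.server
import threading
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def next_hop(url: str, timeout: float = 5.0):
    """Send one HEAD request. Return the absolute Location if the server
    answers with a redirect, else None. Nothing is followed here, which is
    what makes this a preview rather than a visit."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        if resp.status in REDIRECT_CODES:
            location = resp.getheader("Location")
            return urljoin(url, location) if location else None
        return None
    finally:
        conn.close()


def expand(url: str, max_hops: int = 5):
    """Return the chain of URLs a short link passes through, ending with the
    page that would actually load. Stops at max_hops or on a loop."""
    chain = [url]
    for _ in range(max_hops):
        try:
            target = next_hop(chain[-1])
        except OSError:
            break  # unreachable host: report what has been learned so far
        if target is None or target in chain:
            break
        chain.append(target)
    return chain


def is_real_twitter(url: str) -> bool:
    """True only when the parsed host is twitter.com or a subdomain of it.
    Checking the hostname (not the URL text) also defeats tricks such as
    user@host confusion, where the real host comes after the '@'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == "twitter.com" or host.endswith(".twitter.com")


# --- constructed local stand-in for a URL shortener (demo only) ---------------
class _FakeShortener(http.server.BaseHTTPRequestHandler):
    HOPS = {"/abc123": "/login-lookalike", "/login-lookalike": "/final"}

    def do_HEAD(self):
        if self.path in self.HOPS:
            self.send_response(301)
            self.send_header("Location", self.HOPS[self.path])
        else:
            self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Start the fake shortener on a free local port, expand a short link
    through it, and return (chain, lands_on_twitter)."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _FakeShortener)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        chain = expand(f"http://127.0.0.1:{port}/abc123")
    finally:
        server.shutdown()
        server.server_close()
    return chain, is_real_twitter(chain[-1])


if __name__ == "__main__":
    chain, genuine = run_demo()
    for i, hop in enumerate(chain):
        print(f"{i}: {hop}")
    print("lands on twitter.com:", genuine)
```

Run it as a script and it prints the three hops of the constructed chain and "lands on twitter.com: False"; point `expand()` at a real shortened link and the same code shows you the final address before you decide whether to open it.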
Comment number 20.
At 26th Feb 2010, BluesBerry wrote:Victims of a phishing attack.
Yep, the twits and the spammers are usually geeks. They know their way around computer programming better than a brain surgeon knows his way around your brain.
I wish the twits and spammers would devote their time to meaningful, helpful endeavours. My guess is that vile phishing and hanky-panky spamming pays pretty good; whereas decent, hard-working endeavors do not sufficiently reward the geek.
So my advice (which may or may not be the best):
1. Users of reputable systems should not have to resolve these issues on their own, or be constantly exposed to things that are inappropriate, like my several Viagra commercials daily. In my opinion, Twitter (for example) should be fined for not adequately screening its data. Never mind the excuses - just keep fining and fining until Twitter finally reaches the conclusion that cleaning up its act (so to speak) is cheaper than the ever-increasing fines. In other words, we have got to give these networks an incentive to work on our behalf.
a) This would create government revenue and
b) Perhaps, networks would hire some of these geeks to create effective screening & monitoring systems, reducing unemployment (or employment that is not taxed).
2. Changing your usercode may be more effective than changing your password. The culprit already has your usercode; how else did s/he serve you with the unwanted trash in your inbox?
Be safe, change both.
3. Never ever provide personal data online unless it is a site known to you and extremely secure, like your pension administrator or financial institution.
4. From what I can find there are several different bodies to which you can submit different sorts of complaints. There doesn't seem to be one coordinating site...Maybe one day...
In the meantime, find the specific body that deals with your problem and report it. But whatever you do, do not attach the scurious email or its troublesome attachment (could spread a malicious virus).
e.g. Anti-Phishing Working Group
5. General info that might help:
Never click on hyperlinks
Use Anti-SPAM filters
Use Anti-Virus Software
Use personal firewalls
Keep all software updated
Always ignore, or at least investigate https and sites that ask for “personal information”
Check your credit statements/report carefully
If unsure what to do, ask!
Complain about this comment (Comment number 20)
Comment number 21.
At 26th Feb 2010, TheTomTyke wrote:Thank you for making it clear this is a phishing scam, not hacking. It annoyed me quite a lot yesterday to read the article where Harriet Harman claimed she had been hacked. No she wasn't. Hacking takes skill and effort from the hacker, phishing simply requires stupidity from the user.
Complain about this comment (Comment number 21)
Comment number 22.
At 26th Feb 2010, MattL wrote:There are a large number of websites out there that will show you the full URL of a shortened link without clicking on it: real URL for example.
but at the end of the day use common sense, if it looks suspect.............It probably is!
Complain about this comment (Comment number 22)
Comment number 23.
At 26th Feb 2010, Darren Stephens wrote:@Laurence
Oh no! Now we're into meta sarcasm. I can't cope with it and my brain is going to start bleeding soon.
As for the phishing stuff: I've used Windows, Mac and Unix for nearly 20 years. Never been fleeced/infected/pwned yet, but that's because of the application of something unusual in this day and age: it's called common sense.
Complain about this comment (Comment number 23)
Comment number 24.
At 26th Feb 2010, E6BadBoy wrote:This comment was removed because the moderators found it broke the house rules. Explain.
Complain about this comment (Comment number 24)
Comment number 25.
At 26th Feb 2010, Timmay wrote:The thing with common sense is that it is not actually that common ! :)
Complain about this comment (Comment number 25)
Comment number 26.
At 26th Feb 2010, Tim wrote:@Laurence,
At present Aidy's sarcastic software choices would make all the difference.
I just checked one of the twitter phishing URLs. Firefox responds straight away with a "Reported Web Forgery!" warning, making the user explicitly ignore the warning before they can get to the false login page.
ie8, on the other hand, just plays along with the scam and goes straight to the false login page.
Admittedly, as Darren says, it's no replacement for common sense, and there may be a delay before phishing sites are reported and updated on the client, but it certainly helps.
Complain about this comment (Comment number 26)
Comment number 27.
At 26th Feb 2010, Rory Cellan-Jones wrote:Oh dear, yet more embarrassment for me. As some of you have spotted I'd given Ed Miliband the wrong title - he is of course energy minister. And I can't even blame malicious phishers for that....
Complain about this comment (Comment number 27)
Comment number 28.
At 26th Feb 2010, John Ellis wrote:hahah making twits out of twitterers.
don't you just love all this easily hacked software that we chose to put our lives on..
Its just like ICQ all over again...
Complain about this comment (Comment number 28)
Comment number 29.
At 26th Feb 2010, Laumars wrote:@ 28. CommunityCriminal
You wrote:
don't you just love all this easily hacked software that we chose to put our lives on..
My reply:
Twitter wasn't hacked.
In layman's terms: A phishing attack is when people *choose* to give away their account details because the requestor asking for the information pretends to be someone else.
Any and every piece of software is open to this type of attack as it doesn't take much to spoof a product. In fact even these BBC News pages have been spoofed countless times over the years (albeit for different goals) - so keep an eye on your address bar when next logging on here ;)
Complain about this comment (Comment number 29)
Comment number 30.
At 26th Feb 2010, Laumars wrote:@ 13. Aidy wrote:
I use FireFox on a Mac at work and Chrome on LINUX at home so I know I'm safe from all viri.
My reply:
What about "viruses"? (which is the correct plural for virus) :P
(sorry, bad joke)
Complain about this comment (Comment number 30)
Comment number 31.
At 26th Feb 2010, RandomArbiter wrote:Back in the old days we never had this problem, I've always said computers are nothing but trouble. The only solution is to BAN COMPUTERS.
/mum
Complain about this comment (Comment number 31)
Comment number 32.
At 26th Feb 2010, The_Hess wrote:I set up a hotmail account purely to act as a spam/junkmail filter. It is the only email address I give away (except for things like contact details on CVs). It now receives about 30~40 messages a day that go straight to the junk email box. Most of these consist of 'I think your Facebook profile has been hacked, look here' as the subject headline. I don't have a Facebook page so it's fairly obvious it's a scam. However it does keep my genuine emails free from all the junk. Also, using different passwords for different sites is important, as you don't want to register on a site that turns out to be malicious and find out that someone has the password to your online bank account!
Complain about this comment (Comment number 32)
Comment number 33.
At 26th Feb 2010, John Ellis wrote:#29 been around since the Internet connected at 11k over a flaky phone line and a web page was nothing more than a text doc. Introduced the isp I worked for to BHO's and spy-ware some 8-9 years ago as BB crept above the 512k mark. Hacked is just a general term I use for all the data miners and dubious phishing scams out.
*Choose* (data mined) to give out details in these cases is a bit strange or do people like ED not have the intelligence to keep their own systems clean? maybe such people should not be allowed on such public things considering the positions in life they have.
Still never understood the need for twitter tweets and data farts, give me a good forum or blog anytime.
Complain about this comment (Comment number 33)
Comment number 34.
At 26th Feb 2010, ghostofsichuan wrote:find the virus installers and account thieves and cut their hands off in public. could broadcast over the internet and twitter...might be able to sell ads as well..
Complain about this comment (Comment number 34)
Comment number 35.
At 26th Feb 2010, knowshisclaretfromhisbeaujolais wrote:I was getting genuinely frustrated with some of my followers yesterday who insisted that they had been hacked and were apologising for the direct messages that they had sent.
None of them had even realised that they had willingly given their login details away to a site that was not Twitter.
See the link below for another example of people using the Internet who really do not know what they are doing. These people only ever reached Facebook through typing Facebook into a Google search page/bar and were frustrated when the first result was not what they expected.
Complain about this comment (Comment number 35)
Comment number 36.
At 26th Feb 2010, Alflav wrote:Have you gone out of your way to make these people feel better? This type of scam is literally the oldest trick in the book. I would feel bad for charging people to avoid this type of trick, but then again I could become a rich man.
Complain about this comment (Comment number 36)
Comment number 37.
At 26th Feb 2010, Aidy wrote:#26 @Tim
I don't frequent twitter however I went in search of the phishing page and neither IE8 nor FF flagged it (IE8 has a similar feature to FF that relies on reported sites). I'm guessing there are many of these sites around the net and they won't all be reported to all services. My anti virus software didn't flag anything either.
Anyway...you keep on, safe in the knowledge that FF will always save you. It seems that when dealing with the internet no matter how obviously sarcastic you are, someone will come along and prove you right.
Complain about this comment (Comment number 37)
Comment number 38.
At 26th Feb 2010, Graham Richards wrote:The best one I got was from a lady vicar!
Complain about this comment (Comment number 38)
Comment number 39.
At 27th Feb 2010, Auld Bob wrote:There is a Windows function for dealing with this, right click on any link given on any page. Down the bottom of the menu that opens is "properties". Left click on, "properties", and the resultant window that opens shows the link's details. As Meerkat says, Simple, "squeak!"
Complain about this comment (Comment number 39)
Comment number 40.
At 27th Feb 2010, Auld Bob wrote:#5. Jon Gibbins wrote:
I suppose you have to be rather gullible to be an MP in any major political party. Just to believe in their party's manifesto shows it's true.
Complain about this comment (Comment number 40)
Comment number 41.
At 27th Feb 2010, Auld Bob wrote:#13. Aidy wrote:
While I noted, "Sarcasm", below the message, it still bears posting that following a link in any browser goes to that link. Giving out details on any browser is stupid and lastly, the only reason IE is more prone to abuses is because it is most used, If it wasn't there the one to replace it would cop the same abuse.
Complain about this comment (Comment number 41)
Comment number 42.
At 27th Feb 2010, Laumars wrote:@41 Auld Bob:
You said:
the only reason IE is more prone to abuses is because it is most used, If it wasn't there the one to replace it would cop the same abuse.
My reply:
Phishing scams aside (because that could really happen on any browser - even Lynx (a UNIX command line browser)).
However, Internet Explorer /IS/ more insecure than all other leading browsers.
It's not a myth nor is it because IE is just popular.
The sad truth of the matter is Internet Explorer - the most widely used browser on the planet - is also the easiest browser on the planet to hack.
Sure, Microsoft are making great strides to correct this issue and IE8 is streets ahead of IE6 (despite most sizeable UK organisations still running v6), but IE's security model is still superseded by Opera, Firefox, Safari and Chrome. (IIRC, Opera being the _most_ secure browser).
It really is time that people woke up and realised that IE is:
* one of the slowest browsers to launch
* one of the slowest (if not /THE/ slowest) to render
* the least secure by design
* and by far the worst browser for compatibility (even both the iPhone and Android's inbuilt browsers p0wn IE8 on the Acid3 test)
IE genuinely, significantly and conclusively is /THE/ worst popular web browser.
Complain about this comment (Comment number 42)
Comment number 43.
At 27th Feb 2010, Aidy wrote:@ Laumars #42
I think you'll find FireFox /IS/ more insecure than all other leading browsers.
It's not a myth nor is it because FF is just popular.
The sad truth of the matter is FireFox is the easiest browser on the planet to hack.
Sure, Mozilla are making great strides to correct this issue and FF3 is streets ahead of FF2, but FF's security model is still superseded by Opera, IE, Safari and Chrome. (IIRC, Opera being the _most_ secure browser).
It really is time that people woke up and realised that FF is:
* one of the slowest browsers to launch
* one of the slowest (if not /THE/ slowest) to render
* the least secure by design
* though it is good at displaying pages deliberately designed to make IE look bad.
FF genuinely, significantly and conclusively is /THE/ worst popular web browser.
Wow...look at that. It seems anyone can present uninformed opinion as if it were fact on the internet.
Complain about this comment (Comment number 43)
Comment number 44.
At 27th Feb 2010, Green Soap wrote:When I first saw the headline of this blog, I thought he was talking about the overall BBC coverage of Twitter.
Maybe next time though...
Complain about this comment (Comment number 44)
Comment number 45.
At 27th Feb 2010, Chris Mills wrote:@Aidy 43, perhaps you should look at secunia.org and find out the security facts for yourself.
Laumars is correct that IE is the most insecure browser in its default config.
Complain about this comment (Comment number 45)
Comment number 46.
At 27th Feb 2010, Aidy wrote:#45 @Chris Mills
I'm not familiar with that site, but a look at the home page tells me nothing but that there is an issue with Google Picasa, Adobe getPlus, "multiple vulnerabilities" with Google Chrome, a FireFox vulnerability, Adobe Flash vulnerability, two vulnerabilities in Adobe Reader, Orbital Viewer issue and two PHP vulnerabilities.
So I downloaded their report for 2009 and learned the following.
In 2009 less than half "0 day" vulnerabilities were in MS software, over half were non-MS.
"Microsoft updating tools provide a very efficient and effective “patch management” process for Microsoft products on millions of PC. Within a few days, the value of an exploit for a Microsoft vulnerability has diminished significantly, and after just a few weeks, all the updated PCs with patched Microsoft programs are immune to the exploit. This means that the window of exploitation for Microsoft products is substantially reduced, and criminals have to search for other ways to attack PCs. "
"Deployment of non-Microsoft patches is often significantly slower and less organized. All Internet-based applications, especially browsers and browser plug-ins (i.e.,Adobe and Apple QuickTime), should be a top patching priority."
For the number of vulnerabilities per vendor MS was top but considering the vast number of products MS bring out the results are understandably skewed. Adobe were second.
"The top 10 list for the most secure programs in 2009
clearly shows that programs, which are covered by
Windows Update, are updated more frequently."
#1 1.48% of Media Player users were unpatched.
#6 3.61% of IE8 users were unpatched.
#8 6.86% of IE7 users were unpatched
#9 9.33% of FF 3.5 users were unpatched
#10 10.66% of Thunderbird (also Mozilla) users were unpatched
So MS is top of the table and Mozilla bottom. All instances of IE beat FF in terms of patching. So much for someone claiming that IE is left unpatched for years.
Top ten patched browsers
Internet Explorer 8 3.6 %
Internet Explorer 7 6.9 %
Firefox 3.5 9.3 %
Opera 10 14.1 %
IE 6 14.3 %
Opera 9 16.1 %
Firefox 3.0 17 %
Safari 22 %
Google Chrome 3 24.7 %
Again IE 7/8 top of the table.
"As the above statistics indicate, some of the most popular
browsers are also the ones, which users update
most frequently, and thus have a low insecure rate."
So it seems that if you look at the *facts* by the *experts* and not silly little boys spreading rubbish from their bedrooms it seems that on balance IE isn't anywhere near as bad as people are saying.
Complain about this comment (Comment number 46)
Comment number 47.
At 27th Feb 2010, israel idowu wrote:The best way to avoid the Twitter scam is to use a dedicated Desktop App like Twitdeck or a Twitter Application for your Phone.
Complain about this comment (Comment number 47)
Comment number 48.
At 28th Feb 2010, Dominic Pettifer wrote:Phishing scams would never happen if users learned to read the URL properly. Eg. if it says instead of it's obviously a scam/phishing site. Surely the real issue here is lack of understanding of the web and ignorance.
Complain about this comment (Comment number 48)
Comment number 49.
At 28th Feb 2010, 300_thracians wrote:I have myself been caught sleeping twice as well.... Once I entered my password on a link that looked genuine. It took me about 5secs to realise my mistake and I changed my password, no damage done.
The second time I clicked on a picture of a pretty lady in one of the social networks. The link must have had some sort of "share the picture" code in it and the same picture also appeared on my profile. I didn't realise my mistake for a few days :(
Complain about this comment (Comment number 49)
Comment number 50.
At 28th Feb 2010, Laumars wrote:@Aidy:
You said:
For the number of vulnerabilities per vendor MS was top
My reply:
So that pretty much says exactly what I've just stated despite you arguing otherwise.
You said:
"The top 10 list for the most secure programs in 2009
clearly shows that programs, which are covered by
Windows Update, are updated more frequently."
My reply:
That doesn't make software more secure. That just means that /some/ of vulnerabilities are patched quicker.
You said:
So MS is top of the table and Mozilla bottom. All instances of IE beat FF in terms of patching.
My reply:
Again, that doesn't make IE more secure so your statistics are very very misleading.
How about you post some real figures about real vulnerabilities?
From the research I've done over the years, IE has consistently performed badly. Sure Firefox is currently under a lot of fire here as well, but you have to remember that, and I quote from Synaptic: "The increase in Mozilla vulnerabilities was a by-product of internal and community driven security audits of the browse" - so we're not even talking about exploits found in the wild yet.
Plus you're neglecting to mention how badly IE performs against Opera. Particularly when Opera also has one of the largest install-bases on the mobile market - so clearly there's more to browser security than market share alone.
You said:
So much for someone claiming that IE is left unpatched for years.
My reply:
Actually I said many organisations are stuck on IE 6 - which they are.
Despite your assumptions of me being some kid in his bedroom, I've actually spent the last 10 years working for various organisations and I've been disappointed by the number of internal cloud systems targeted specifically for IE6.
Many of these companies can't afford (both in terms of cost and time) to rebuild some of these systems to make them W3C compliant - so they're stuck with IE6.
Complain about this comment (Comment number 50)
Comment number 51.
At 28th Feb 2010, Laumars wrote:@ 47. At 11:16pm on 27 Feb 2010, israel idowu wrote:
The best way to avoid the Twitter scam is to use a dedicated Desktop App like Twitdeck or a Twitter Application for your Phone.
My reply:
And then you just have to trust that the app you've downloaded isn't itself malware. ;)
Complain about this comment (Comment number 51)
Comment number 52.
At 28th Feb 2010, Aidy wrote:#50 @ Laumars
> So that pretty much says exactly what I've just stated despite
> you arguing otherwise.
Now you're grasping at straws. If 10% of the average company's software has a vulnerability then a company that produces 10 products in a year will have 1 vulnerability and the company that produces 100 will have 10. These stats are not tied to browsers, but all internet-exposed software. Given the sheer number of products that Microsoft produces, any impartial observer can't fail to see why the results will be skewed.
> That doesn't make software more secure.
Yes it does. I quoted what the person from Secunia said and here it is again (my emphasis);
"some of the most popular browsers are also the ones, which users update most frequently, *and thus have a low insecure rate*"
> You said:
> So MS is top of the table and Mozilla bottom. All instances of IE beat FF in terms of patching.
> My reply:
> Again, that doesn't make IE more secure
That's funny because on a similar comment someone said that FF was "more secure" because it was patched more than IE. Let's put aside the fact that we now know that IE is patched more, which is it? Is a better patched browser more secure or not? It seems that as usual people dance from black to white as it suits them as long as they can denigrate Microsoft.
> How about you post some real figures about real vulnerabilities?
So people talk all manner of rot about IE with nothing to back it up, I post some actual facts from an expert company but because they don't agree with your bias and uninformed opinion they're the wrong kind of facts? It seems to me that you'll never be satisfied with anything put before you.
Stop trying to have your cake and eat it...if FF was patched better than IE you'd use that as "proof" that FF is more secure, now that FF is patched less than IE it's "proof" that IE has more vulnerabilities. What matters at the end of the day is how well protected the end-user is, and in that respect IE is up there with the best of them.
> From the research I've done over the years, IE has consistently performed badly.
The experts disagree. They were actually very complimentary about Microsoft and also highlighted that it is mainly the add-ons and not the browser itself that is often the issue...add-ons that FireFox has in abundance :)
> Plus you're neglecting to mention how badly IE performs against Opera.
I posted the results where Opera was also mentioned. Do you genuinely only see what you want to see?
Now that I've successfully shown IE to actually be a very secure browser maybe it's time for you to explain yourself rather than regurgitate anti-MS rants you've heard on other sites. Maybe you could start by explaining the difference in security models between the browsers and how IE's is weaker. You mentioned this in your post so I assume you have the knowledge to back this comment up?
#51 @Laumars
I think credit should also be given to the browsers for no longer allowing server obfuscation in their default configuration (I know IE no longer allows it out of the box, I don't know about the others but I assume they'll also stop this). Phishing used to be a lot easier in the past.
Complain about this comment (Comment number 52)
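The "server obfuscation" mentioned in the comment above is the `http://trusted-site@real-host/` trick: the authority part of a URL may carry a user name before an `@`, and a victim reading the start of the link sees the trusted name while the browser connects to whatever follows the `@`. The following is an added example, not code from the original page, showing how to extract the host a browser will really connect to and flag links whose user-info part imitates a trusted host. The trusted host set and the sample links are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, unquote

# Hosts the reader is assumed to trust (assumption for this example).
TRUSTED_HOSTS = {"twitter.com", "www.twitter.com"}


def effective_host(url: str) -> str:
    """Host the browser will really connect to, ignoring any user@ prefix."""
    return (urlsplit(url).hostname or "").lower()


def displayed_userinfo(url: str) -> str:
    """Text before the last '@' in the authority, as a victim would read it:
    password part dropped, percent-decoded, and non-printable characters
    (used in the past to hide the rest of the address) removed."""
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return ""
    user = netloc.rsplit("@", 1)[0].split(":", 1)[0]
    return "".join(ch for ch in unquote(user) if ch.isprintable()).lower()


def looks_like_host_spoof(url: str, trusted=TRUSTED_HOSTS) -> bool:
    """True when the user-info imitates a trusted host but the real host is not trusted."""
    shown = displayed_userinfo(url)
    if not shown:
        return False
    imitates = shown in trusted or any(shown.endswith("." + t) for t in trusted)
    return imitates and effective_host(url) not in trusted


def triage(urls):
    """Map each URL to the host it really reaches and a spoof verdict."""
    return [(u, effective_host(u), looks_like_host_spoof(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample links, not taken from the original page.
    samples = [
        "https://twitter.com/home",
        "http://www.twitter.com@198.51.100.7/login",
        "http://twitter.com%01@phish.example/login",
        "ftp://anonymous@mirror.example.org/pub/",
    ]
    for url, host, spoof in triage(samples):
        print(f"{'SPOOF' if spoof else 'ok   '} {host:<22} {url}")
```

A plain `anonymous@` FTP link is left alone because the user-info does not imitate a trusted name; only the combination of a trusted-looking prefix and an untrusted real host is flagged. Modern browsers refuse or strip this form for HTTP, which is the change the comment credits them with.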
Comment number 53.
At 28th Feb 2010, Peter Hood wrote:Use a package like PINs to generate and store complex passwords, along with the other precautions, including a good firewall and AV system, both of which should be rootkit aware, anti-spyware protection that is rootkit aware (Spybot S & D is an example), disable file sharing, use something like 'NoScript', and so on. Of course the final thing is do not let anyone SE (socially engineer) you, either by bot or in person. These are the oldest tricks in the book, and were commonly employed by people known as 'con men'. Plus ça change, plus c'est la même chose (the more things change, the more they stay the same).
Wieders.....
Complain about this comment (Comment number 53)
Comment number 54.
At 1st Mar 2010, Laumars wrote:Aidy:
I'm sorry, but you're still wrong to be bandying patching figures about as the holy grail of security (and no amount of insulting me is going to strengthen your argument).
Seeing as you like posting statistics that have no relevance, let me invent some of my own:
You have two products: x and y.
Product x has 100 vulnerabilities and product y has just 20.
Product x gets updated every month and product y gets updated every 2 months.
So which is most secure? By your logic that would be product x (as it has a better upgrade model), but the figures clearly state that product x also has 5 times more vulnerabilities. So logically, technologically and literally that would make product x the least secure of the two products.
Well IE is product x. Sure it's an improving product - but it had to. Opera, Firefox and Safari really put IE to shame so MS /HAD/ to pull some serious overtime. However it's still not on a par yet.
Also, you're just talking about the upgrade path on one platform. If you want to get technical and push your "expert" opinion - then let's look at the whole picture (as Firefox is a multi-platform browser and Microsoft only update their own software via Windows update).
So let's take a look at the next most popular PC OS, Linux:
Most Linux distributions don't work on a "bleeding edge" scenario. They prefer to run software a few versions behind which have been tried, tested and proven to be stable - and then back port security patches.
So Firefox would show up as a false positive in your statistics despite having all the latest security patches.
But I'm guessing these facts are "irrelevant" to your FUD because IE can't run on Linux - oh wait, it can (via WINE) and guess what, it can't be updated via Windows Update. So that would make IE the worst patched browser (and the least secure by your own definition as well).
However you'll only find IE used on Linux for testing purposes (remember my earlier comments you glossed over about IE being the worst browser for supporting standards? Well that's why web developers are often forced to run IE on non-Windows platforms).
So now we've established that your figures are an interesting distraction but not really all that relevant, let's take a look at raw vulnerabilities:
(Sorry for just posting a wikipedia article, but it was quick and I've already wasted too much time debunking your myth).
On there, you can clearly see IE underperforming. Sure, IE8 is improving on the sorry state of IE6, however as already established earlier, plenty of businesses are still on IE6.
Now let's go back to your figures and actually entertain the fact that they are in any way relevant (completely ignoring, for the moment, all the points I made above that crush your argument):
IE is ~5% better than Firefox for numbers of patched boxes.
Now let's feed that percentage back into real numbers (as percentages aren't an accurate gauge for something as precise as this discussion has turned).
To do this, we need some web stats (sorry, another wikipedia link):
Here, you can clearly see that Firefox is hot on IE's tail, but it's still on average about 25% behind.
So, given the millions of internet ready PCs and IE's strong market share, that equates to a significantly greater number of boxes with unpatched IE installs than unpatched Firefox installs despite IE having a greater overall percentage of boxes with the latest applied patches.
So now we've established that your figures are irrelevant and misleading and, in places, inaccurate (see, you're not the only expert who reads 大象传媒 blogs) - can we finally leave this myth to rest?
Complain about this comment (Comment number 54)
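The backporting point in the comment above (a distribution ships an older upstream version number but patches the security fix into it) is exactly what trips up any "is this browser patched?" survey that only compares version numbers. The following is an added example, not code from the original page or from any distribution, that contrasts a version-number-only check with one that consults a table of known backports. The upstream fix version, the backport table and the inventory are constructed assumptions for the example, not real advisory data.

```python
import re

# Assumption for this example: a hypothetical bug fixed upstream in 3.5.8.
FIXED_UPSTREAM = (3, 5, 8)

# Constructed table (not real advisory data): distro package versions that
# carry the fix as a backport even though their upstream number is older.
BACKPORTED_FIX = {
    ("debian", "3.0.18-1+lenny1"),
    ("ubuntu", "3.0.19+nobinonly-0ubuntu0.9.04.1"),
}


def parse_version(pkg_version: str):
    """Split 'upstream-revision' into (tuple of ints, revision string).
    A plain Windows-style '3.5.7' has no distro revision."""
    upstream, _, revision = pkg_version.partition("-")
    numbers = tuple(int(n) for n in re.findall(r"\d+", upstream.split("+")[0]))
    return numbers, revision


def naive_unpatched(pkg_version: str) -> bool:
    """Version-number-only check: anything older than the upstream fix is flagged."""
    numbers, _ = parse_version(pkg_version)
    return numbers < FIXED_UPSTREAM


def distro_aware_unpatched(distro: str, pkg_version: str) -> bool:
    """Same check, but a build known to carry the backported fix counts as patched."""
    if (distro, pkg_version) in BACKPORTED_FIX:
        return False
    return naive_unpatched(pkg_version)


def audit(inventory):
    """inventory: iterable of (host, distro, pkg_version).
    Returns rows of (host, naive_verdict, aware_verdict, is_false_positive)."""
    rows = []
    for host, distro, ver in inventory:
        naive = naive_unpatched(ver)
        aware = distro_aware_unpatched(distro, ver)
        rows.append((host, naive, aware, naive and not aware))
    return rows


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = [
        ("win-desk-01", "windows", "3.5.7"),
        ("deb-dev-02", "debian", "3.0.18-1+lenny1"),
        ("win-desk-03", "windows", "3.6"),
        ("deb-dev-04", "debian", "3.0.17-1"),
    ]
    for host, naive, aware, fp in audit(inventory):
        flag = "FALSE POSITIVE" if fp else ""
        print(f"{host:<12} naive={naive!s:<5} aware={aware!s:<5} {flag}")
```

The Debian box with `3.0.18-1+lenny1` is flagged by the naive check and cleared by the distro-aware one; the box on `3.0.17-1`, which has no backport entry, stays flagged under both. In practice the backport table comes from the distribution's security tracker rather than a hand-written set.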
Comment number 55.
At 1st Mar 2010, Laurence wrote:In reality, the only conclusion you can draw from the number of updates is the amount of effort going into making a browser secure (both in finding vulnerabilities and patching them). You can't draw any conclusions about the insecure state of any browser from those figures because you do not know how many vulnerabilities there are remaining to be found. However you can draw the conclusion that every browser has vulnerabilities and so you should not let using a browser other than Internet Explorer lull you into a false sense of security.
Complain about this comment (Comment number 55)
Comment number 56.
At 1st Mar 2010, Aidy wrote:So let's sum this up. Figures from an expert company in security that state IE offers the lowest of all browser insecurities are irrelevant. The fact that more IE users are better protected against vulnerabilities is irrelevant. IE is less secure because it doesn't run on Linux (I *think* that's what you were saying... don't know why you mentioned that IE won't auto-update on a platform it isn't designed to run on... seems like a pretty desperate reach). However your data from wikipedia (that I didn't even look at TBH) is more relevant (sorry for being a snob, but data that is guaranteed to be current and accurate and from a trusted source is of more interest to me). You talk about how browsers put IE to "shame" and other emotive terms when the experts are more than complimentary about it.
I gave you an opportunity to back up your subjective views with the hard information that you put yourself across as having (your mention of security models etc was an obvious attempt to sway people to your side by implying you knew of facts that others didn't) but you completely failed to address this issue. This leads me to believe that you are not as knowledgeable as you like to make out you are, and you are simply passing on second-hand, badly-informed opinion as fact.
Now when I talk about the MS-haters who will say black is white as long as it means running down Microsoft and IE you are quite the perfect example.
Complain about this comment (Comment number 56)
Comment number 57.
At 1st Mar 2010, MacBookPro wrote:Oh come on, this is stupid. I've seen many of my 200 followers fall for this crap, but I don't see how. The links are so obviously fake it's unbelievable. I can't believe people STILL fall for phishing when there's all the security provided by 3rd party software and even the browsers themselves these days.
Whenever I get messages like this, I delete them automatically, the same way I would if I got an e-mail from a company selling viagra, or a Nigerian banker.
It's common sense.
Complain about this comment (Comment number 57)
Comment number 58.
At 1st Mar 2010, Laumars wrote:Aidy:
So let's sum this up. Figures from an expert company in security that state IE offers the lowest of all browser insecurities are irrelevant.
My reply:
You posted figures on patch updates NOT vulnerabilities. 2 of us have pointed this out to you now.
Aidy:
The fact that more IE users are better protected against vulnerabilities is irrelevant. IE is less secure because it doesn't run on Linux (I *think* that's what you were saying... don't know why you mentioned that IE won't auto-update on a platform it isn't designed to run on... seems like a pretty desperate reach).
My reply:
For crying out loud. I mentioned Linux to show that Firefox would be giving you false positives in your figures. If I wanted to get into Linux's security model I would have done (as I have extensive experience in both Linux and Windows' security models), but the underlying OS security is somewhat irrelevant.
What is relevant was the update model in Linux as you keep banging on about IE's patching. I basically proved that not all older Firefox versions are unpatched (thus the false positives I keep referring to).
So I suggest you go back and re-read my post as I really can't explain it more succinctly than I already had.
Aidy:
However your data from wikipedia (that I didn't even look at TBH)
My reply:
So now you're ignoring data that doesn't conform to your misconception?
Aidy:
(sorry for being a snob, but data that is guaranteed to be current and accurate and from a trusted source is of more interest to me).
My reply:
Wikipedia has been proven to be no less accurate than your average hardback encyclopedia.
I would provide you with a reference link, but I'm not going to waste my time given you didn't look at the last two links I provided.
Aidy:
You talk about how browsers put IE to "shame" and other emotive terms when the experts are more than complimentary about it.
My reply:
The only experts I've come across that have been complimentary have been ones that are either partnered with Microsoft or make money off the back of Microsoft (like anti-virus suites).
I'm sure there's experts out there who do favour IE - but I'm yet to meet them.
You see, having worked in IT all my life, I'd like to consider myself somewhat of an expert too - and I'm yet to meet a colleague who has been favourable towards IE (particularly those in web development).
However the opinions of my colleagues are somewhat circumstantial, hence why I've neglected to mention them before now.
Aidy:
I gave you an opportunity to back up your subjective views with the hard information that you put yourself across as having (your mention of security models etc was an obvious attempt to sway people to your side by implying you knew of facts that others didn't) but you completely failed to address this issue.
My reply:
But I did and you're yet to counter any of the points I've made aside trying to undermine my experience with personal attacks.
Go back and read my comments.
Aidy:
This leads me to believe that you are not as knowledgeable as you like to make out you are, and you are simply passing on second-hand, badly-informed opinion as fact.
My reply:
As the saying goes - "you can take a horse to water but you can't make him drink."
If you wish to remain ignorant in spite of the numerous points and references I've made - then so be it. But lets try not to make this a personal battle of who knows more.
Aidy:
Now when I talk about the MS-haters who will say black is white as long as it means running down Microsoft and IE you are quite the perfect example.
My reply:
I've repeatedly commented on how IE has improved over the years. If I was out to unjustifiably dismiss Microsoft then I'd not even have credited MS for that.
The fact is you keep making claims and have yet to back them up with real evidence then cry wolf whenever anyone counters your points and even outright ignore evidence they provide.
So I get that you like IE. there's nothing wrong with that. I personally don't care what you or anyone else runs. I'm just interested in the facts.
So please don't degrade this conversation with personal attacks.
If you disagree with the facts I've supplied, then prove it. Thus far you haven't.
Complain about this comment (Comment number 58)
Comment number 59.
At 1st Mar 2010, Laumars wrote:Laurence said:
However you can draw the conclusion that every browser has vulnerabilities and so you should not let using a browser other then Internet Explorer lull you into a false sense of security.
My reply:
While I agree with your whole post (#55), I wanted to single this part out as it's by far the best advice I've read on here.
At the end of the day, it really doesn't matter which browser is more or less secure, as ultimately the biggest security hole in any desktop system is the users plonked in front of them.
* Don't get complacent
* Don't run untrusted apps
* Install a virus scanner
* Don't run everything as root / administrator
* and if something sounds too good to be true - it usually is.
Complain about this comment (Comment number 59)
Comment number 60.
At 1st Mar 2010, Aidy wrote:#58 @Laumars
> You posted figures on patch updates NOT vulnerabilities. 2 of us have pointed this out to you now.
My original post discussed numbers of vulnerabilities. It was the only stat I posted that you agreed with because it fitted your arguments. All other facts from the same source you disagreed with because they didn't fit your arguments. So you are selective in what you agree with as you have an agenda.
> I mentioned Linux to show that Firefox would be giving you false positives in your figures.
And as MS produce way more products than other firms it was also skewing the data. You agreed with this when it showed MS in a bad light, but now you disagree when it shows FF in a bad light. Again selective reasoning.
> If I wanted to get into Linux's security model I would have done
I don't care about Linux, I wanted you to explain IE vs FF vs Opera vs Chrome security models but you still haven't. I put to you that you haven't as you don't understand them.
> So now you're ignoring data that doesn't conform to your misconception?
I'm ignoring data that is not guaranteed to be accurate. Now you're putting words into my mouth.
> The only experts I've come across that have been complimentary have been ones that are
> either partnered with Microsoft or make money off the back of Microsoft (like anti-virus suites).
Now you can add Secunia to that list.
> I'm sure there's experts out there who do favour IE - but I'm yet to meet them.
It's not about "favouring", it is about honest and accurate analysis and portrayal of the various browsers. You are obviously stuck in a mind set where everything has to be "us" and "them". You can't just prefer FF, you have to show that IE is "rubbish" - but it isn't "rubbish", you just prefer FF and your attempts to paint IE in a bad light are making you look quite foolish.
> However the opinions of my colleagues are somewhat circumstantial, hence
> why I've neglected to mention them before now.
Or it could be that you see the argument slipping away from you and in your desperation you are turning to not only wikipedia but the invented credentials of "colleagues".
> If you wish to remain ignorant in spite of the numerous points and references I've
> made - then so be it.
Your "points" and "references" have all been subjective opinion. I'm afraid that opinion does not educate so we must all remain "ignorant".
> The fact is you keep making claims and have yet to back them up with real evidence
Ok.....refer back to post #46.
> I'm just interested in the facts.
It would be nice if you could give us some :)
> If you disagree with the facts I've supplied, then prove it.
You have posted only opinion so far and I have proved that opinion wrong.
You are clearly just one of many MS haters, blind to reason, so I shall bid you good day :)
Complain about this comment (Comment number 60)
Comment number 61.
At 1st Mar 2010, Laumars wrote:Aidy:
I've dealt with people like you in the past.
You lie, misquote and insult people until they give up trying to reason with you and then you claim victory by default
Well go ahead, I can't be arsed to part my experience with someone who's more interested in retorts than facts.
However any sane person can make their own mind up from the data I've posted - as the whole debate is still there in black and white.
And for the record, I've built and hosted countless Windows based solutions over the years (including numerous different configurations of web servers and two specialist Windows-based web browsers with original engines). So I'm not anti-MS. I'm just anti-substandard technology and, from my extensive experience, IE is below par. But clearly anyone who doesn't sing Microsoft's praises 24/7 is naturally anti-MS in your little world.
Complain about this comment (Comment number 61)
Comment number 62.
At 1st Mar 2010, Roy Brookes wrote:I have a foolproof system for avoiding such phishing attacks on Twitter, Facebook & Co. I simply do not use them. If I want to contact people I know, I contact them. The twits who use Twitter do not know me and I do not know them. End of story.
Complain about this comment (Comment number 62)
Comment number 63.
At 1st Mar 2010, Gregor wrote:Less patching can also mean good design from the start.
I mean which road is better the one that is constantly patched or the one that needs it every once in a while?
Many security measures in IE8 were first introduced in FF.
And indeed many services & companies still use IE6 which is a problem.
Complain about this comment (Comment number 63)
Comment number 64.
At 1st Mar 2010, epuk wrote:I really enjoyed the blog post and comments in this article. Thank you.
Complain about this comment (Comment number 64)
Comment number 65.
At 1st Mar 2010, Aidy wrote:#63 @gregor3000
> Less patching can also mean good design from the start.
> I mean which road is better the one that is constantly patched
> or the one that needs it every once in a while?
The security experts are of the opinion that more patching is better and leads to more secure products (or the double-negative of less insecure products that they seem to prefer).
Still, I guess you know more. Funny also how on another blog someone said that FF was "more secure" as it was "patched more", but now that we know FF is patched less all of a sudden popular opinion is now that less patching is better...but when people thought FF was patched more, that more patching was better.
Funny indeed. I assume you also rarely update your virus definitions :) I mean...you wouldn't want to be accused of sour grapes...
Complain about this comment (Comment number 65)
Comment number 66.
At 2nd Mar 2010, Laumars wrote:For the last time Aidy, frequency of patches are irrelevant.
Myself and several others have explained this to you several times but you still keep missing the point.
We've listed possibly a dozen examples of where your statistics fall flat on their arse, but who cares when you have dumb ignorance?
You know the saying: "lies, damn lies and statistics"?
Well your whole argument boils down to this. You've taken one so interesting fact and tried to twist it to prove your own bias.
So while your comments might mislead the average Joe, the 大象传媒 forums do have some real "techies" online too who know better than to fall for this rubbish.
In fact, I don't know why I'm even replying again when it's become painfully obvious that you're either a troll or just too biased to reason with.
Complain about this comment (Comment number 66)
Comment number 67.
At 2nd Mar 2010, Aidy wrote:#66 @Laumars
Again I come back to the same thing....when someone posted saying FF was "more secure" because it was patched more often where were you then? Why weren't you going on and on and on about how that doesn't mean anything?
Yesterday:
"FF is more secure because it is patched more often. IE is rubbish as it is hardly patched."
Today:
"FF is more secure because it doesn't need patched often. IE is rubbish as it needs patched all the time."
It's as plain as the nose on your face that you'll say black is white just to run MS down. Why don't you just admit it and we can all move on with our lives? Sour grapes and fanboyism go hand in hand and you have both in spades. So, again, I bid you good day :)
Complain about this comment (Comment number 67)
Comment number 68.
At 2nd Mar 2010, Gregor wrote:Uuu, i like the spins you are making with data. Are you in PR?
You said:
"This means that the window of exploitation for Microsoft products is substantially reduced, and criminals have to search for other ways to attack PCs."
Seriously? Oh, so it's because MS Windows are patched the most and the time between patches reduces the chance of exploitation. So the reason we need antivirus is why? I mean the patches protect you enough, don't they? After all, security is what Microsoft products are known for.
Also you talk about 0 vulnerabilities. Then what were they patching?
Also you neglect the fact that IE is targeted more by malware because of its market share and therefore it would need more patches. Again, number of patches doesn't really prove if a browser is safer or not.
Microsoft says:
"SmartScreen filter has blocked over 8 million malware and phishing scams, and projections show that it's on target for over 1 million blocks per day. Research shows that Internet Explorer 8 catches almost twice as much malware as its closest competition."
Ok first we do not know how many false positives it did here. And second it might just catch them more because it is targeted more.
The real data on security would be how many of the known malware can it block and how it handles against the unknown threats. Also data on detection design would be important.
Complain about this comment (Comment number 68)
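The comment above asks the right question of a "millions of blocks" headline: how much of the known bad traffic does the filter catch, how much legitimate traffic does it wrongly block, and what does it do with a lure it has never seen. The following is an added example, not code from the original page or from any vendor, that scores a hostname block list against a labelled set of URLs and reports detection rate, false-positive rate and the specific misses. The block list and the labelled URLs are constructed for the example and are not real data.

```python
from urllib.parse import urlsplit

# Constructed, labelled sample (not real traffic): URL -> True if it is a
# phishing or malware page, False if it is legitimate.
LABELLED = {
    "http://login-twitter.example/verify": True,
    "http://twitter-sex-pills.example/go": True,
    "http://haha-is-this-you.example/pic.php": True,
    "http://brand-new-lure.example/x": True,      # fresh lure, on no list yet
    "https://twitter.com/home": False,
    "https://news.example.org/story": False,      # legitimate but wrongly listed
}

# Constructed hostname block list standing in for a vendor feed.
BLOCKLIST = {
    "login-twitter.example",
    "twitter-sex-pills.example",
    "haha-is-this-you.example",
    "news.example.org",
}


def blocked(url: str, blocklist=BLOCKLIST) -> bool:
    """A URL is blocked when its host is on the list."""
    return (urlsplit(url).hostname or "").lower() in blocklist


def evaluate(labelled=LABELLED, blocklist=BLOCKLIST):
    """Confusion-matrix counts and rates for a block list over labelled URLs,
    plus the URLs behind each kind of error so they can be inspected."""
    tp = fp = fn = tn = 0
    missed, wrongly_blocked = [], []
    for url, malicious in labelled.items():
        hit = blocked(url, blocklist)
        if malicious and hit:
            tp += 1
        elif malicious:
            fn += 1
            missed.append(url)
        elif hit:
            fp += 1
            wrongly_blocked.append(url)
        else:
            tn += 1
    return {
        "blocks": tp + fp,                       # the number a press release quotes
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "missed": missed,
        "wrongly_blocked": wrongly_blocked,
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key:<20} {value}")
```

On the constructed data the list produces four blocks, which is the figure a vendor would advertise, yet only three of the four malicious pages are caught (the never-seen lure sails through) and one of the two legitimate sites is blocked. Reporting the rates and the lists of misses alongside the raw block count is what makes such a number comparable across products.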
Comment number 69.
At 2nd Mar 2010, Eponymous Cowherd wrote:Laumars
Have you ever heard the term "Don't feed the Trolls"?
Its excellent advice. I suggest you take it.
Complain about this comment (Comment number 69)
Comment number 70.
At 2nd Mar 2010, Laumars wrote:Aidy:
Right, so far I've been called a MS hater - right up until I proved that I've built a number of solutions based on MS technology.
So next you call me ignorant - right up until I provided information about how I've built web servers and browser rendering engines.
So now I'm a Firefox fanboy?
I don't even use Firefox for crying out loud.
Your facts were wrong and it's been proven by several people - deal with it!
Complain about this comment (Comment number 70)
Comment number 71.
At 2nd Mar 2010, Laumars wrote:gregor3000:
-> Patching does not reflect vulnerabilities. So can we stop resurrecting this dumb argument. We've presented the flaws in Aidy's argument but he's more interested in trolling than an intellectual debate (as proven by the fact that he's combated my points with character assassinations rather than responding with mature counter arguments based on fresh evidence and facts)
-> Volumes of blocked sites do not reflect vulnerabilities either (otherwise every browser would literally have infinite vulnerabilities due to the number of permutations of IP, DNS and so on).
Complain about this comment (Comment number 71)
Comment number 72.
At 3rd Mar 2010, hadjab wrote:Loving the fact that most of the comments between Laumars and Aidy took place before most people had finished their cereal :)
Complain about this comment (Comment number 72)