
UK Gov't Says "No Evidence" IE Is Less Secure

timothy posted more than 4 years ago | from the maxwell-smart-elocution dept.

Internet Explorer 342

aliebrah writes "Lord Avebury tabled a parliamentary question in the UK regarding the security of Internet Explorer and whether the UK government would reconsider its use. He got an answer from the UK Home Office that's unlikely to please most Slashdot readers. The UK government contends that 'there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure.'"


342 comments

Probably true, even. (5, Insightful)

toQDuj (806112) | more than 4 years ago | (#30969250)

That's very likely true, as the stupidity of the user remains the weakest factor in security.

Re:Probably true, even. (5, Funny)

MichaelSmith (789609) | more than 4 years ago | (#30969282)

That's very likely true, as the stupidity of the user remains the weakest factor in security.

And this is a constant in the UK Government?

Re:Probably true, even. (1)

toQDuj (806112) | more than 4 years ago | (#30969366)

I have no evidence for believing otherwise. OTOH, I do know there are (very) stupid people working in the government of the Netherlands, or so my friend working there indicates. IT savvy people perhaps don't try to get work at the UK government.

Re:Probably true, even. (3, Interesting)

Runaway1956 (1322357) | more than 4 years ago | (#30969496)

This is the same UK government which thought that Windows for Subs was a good idea, right?

http://www.theregister.co.uk/2009/01/15/royal_navy_email_virus_outage/ [theregister.co.uk]

Royal Navy warships lose email in virus infection


Windows for Warships(TM) combat kit unaffected, says MoD

By Lewis Page

Posted in Malware, 15th January 2009 16:53 GMT


The Ministry of Defence confirmed today that it has suffered virus infections which have shut down "a small number" of MoD systems, most notably including admin networks aboard Royal Navy warships.

The Navy computers infected are the NavyStar (N*) system, based on a server cabinet and cable-networked PCs on each warship and used for purposes such as storekeeping, email and similar support functions. N* ship nets connect to wider networks by shore connection when vessels are in harbour and using satcomms when at sea.

Re:Probably true, even. (5, Funny)

roscocoltran (1014187) | more than 4 years ago | (#30969580)

I LOLed at this fake, then I typed "windows for warships" into Google... We are living in a strange world.

Re:Probably true, even. (4, Insightful)

BikeHelmet (1437881) | more than 4 years ago | (#30969284)

But the trend of users getting infected seems to indicate IE is worse. User stupidity hurts, but so do unpatched remote code execution flaws.

Microsoft likes to tout how insecure other browsers and OS's are because they receive more security updates, but I'm not convinced. It's a poor measurement of security.

There's no way to know how many landmine exploits are in IE. I consider Firefox more secure, because as its market share goes up, the number of ITW exploits doesn't seem to be exploding.

Re:Probably true, even. (2, Informative)

abigsmurf (919188) | more than 4 years ago | (#30969320)

The majority of exploits nowadays attack plugins. Firefox is just as vulnerable to PDF exploits as IE is.

There are also plenty of Firefox vulnerabilities out there, they just don't get national headlines like IE does. Here's a current one [theregister.co.uk].

Re:Probably true, even. (2, Interesting)

Shisha (145964) | more than 4 years ago | (#30969336)

I'm very happy that the majority of users use IE. This makes it still the most attractive target for hackers. In turn that means that they have less time to work on exploits for the browser I'm using. "Security through obscurity" works in this case (though of course the phrase comes originally from open source vs. closed source).

Re:Probably true, even. (4, Insightful)

palegray.net (1195047) | more than 4 years ago | (#30969520)

The fundamental issue here actually is "security through obscurity," although not in the context that you use it (instead, referring to the traditional context). With closed source software, you're at the mercy of the manufacturer when it comes to even getting an acknowledgment of security issues, let alone receiving fixes in a timely fashion or before damage is already done. Microsoft has a terrible track record in this department; more times than I can count I've become aware of a security issue they were alerted to weeks or months late.

With Firefox, there is generally a very high degree of transparency when it comes to security problems. Additionally, fixes are pushed out quickly. Although Firefox continues to gain market share, the actual damage caused by exploits continues to remain quite low. That's certainly not the case with IE, and as long as it's closed source that won't change.

Re:Probably true, even. (1)

Aldenissin (976329) | more than 4 years ago | (#30969526)

"Security through obscurity" works in this case (though of course the phrase comes originally from open source vs. closed source).

I believe that you are referring to "Security through lack of interest for malicious intent due to popularity or rarity", while the meaning of the phrase "Security through obscurity" would be clearer with the word obfuscation instead. But hey, then it wouldn't rhyme or be as memorable either.

Re:Probably true, even. (3, Informative)

cl!p (902247) | more than 4 years ago | (#30969362)

There are also plenty of Firefox vulnerabilities out there, they just don't get national headlines like IE does. Here's a current one [theregister.co.uk].

This is not an exploit in Firefox. This is a vulnerability in some IRC servers. The Freenode people agree [freenode.net]. They are moving to a new IRCd.

Re:Probably true, even. (2, Interesting)

abigsmurf (919188) | more than 4 years ago | (#30969414)

It is ALSO an IRC server vuln. You can't tell me that starting up an IRC session without the user's knowledge is something that should be expected.

Re:Probably true, even. (2, Informative)

cl!p (902247) | more than 4 years ago | (#30969440)

You can't tell me that starting up an IRC session without the user's knowledge is something that should be expected.

That's not what is happening. Firefox is just running a POST request to an IRC server. The IRC server happily ignores all the HTTP protocol headers and interprets the data in the POST request as IRC protocol data. So the only thing Firefox is doing "wrong" is allowing a POST request to a non-standard port.

Re:Probably true, even. (4, Insightful)

Daengbo (523424) | more than 4 years ago | (#30969338)

I might actually believe that a fully patched IE8 is on par with other browsers, but the UK gov't will undoubtedly take the Home Office's decision to mean that IE6 is OK, too. That's scary.

Re:Probably true, even. (1)

toQDuj (806112) | more than 4 years ago | (#30969348)

Still, the user would have to browse to a malicious site. Perhaps the users who "choose" IE (or not choose at all and end up with the default browser), are the type of users more likely to browse to particular types of sites. Changing them to choose another browser, therefore, would not prevent them from browsing to sites with malicious code. This malicious code can then still be executed if it's a vulnerability in a plug-in instead of the browser.

Now I think the browser should keep the plug-ins in check.. Sandboxing perhaps?

Re:Probably true, even. (0)

Anonymous Coward | more than 4 years ago | (#30969514)

But the trend of users getting infected seems to indicate IE is worse.

And if you factor in market share? Meaning, all those computers that had ie installed on them and the folks who never switched to FF or even updated their ie.

Re:Probably true, even. (0, Troll)

Malc (1751) | more than 4 years ago | (#30969592)

Of course, with its backwards monolithic architecture that has been so popular for almost two decades with Netscape and then Mozilla, it's now become almost unusable. I have to restart it every half day or so because its memory footprint creeps up to 1.5GB on all my computers (Windows and OS X), from 230MB when restarted. As soon as Chrome + Xmarks is available on my Mac, I'll be saying goodbye to FF.

Re:Probably true, even. (2, Interesting)

abigsmurf (919188) | more than 4 years ago | (#30969294)

Except there is no evidence that a fully patched version of IE could be exploited. The bug was there but it was impossible to exploit with the default security settings.

I notice Slashdot is quietly ignoring the IRC exploit currently in the wild for Firefox.

Re:Probably true, even. (1)

toQDuj (806112) | more than 4 years ago | (#30969380)

I have never seen anyone use a browser for IRC, so perhaps the impact of the bug is not very heavy.. But then again, I don't know what the current youth is into.

Bullshit (1)

YA_Python_dev (885173) | more than 4 years ago | (#30969300)

Thanks to the China exploit most IE versions out there execute arbitrary code just by visiting a web site. I don't think this is true for any other browser: e.g. when new vulnerabilities are discovered in Firefox they are patched quickly (Microsoft sits on bugs for months or years) and most users actually upgrade to the latest Fx version because they don't have to fear that a security upgrade will cripple their computer.

Re:Bullshit (1, Informative)

abigsmurf (919188) | more than 4 years ago | (#30969334)

Most people aren't running IE6. The exploit does not work on IE7+ unless you disable security settings that few people would.

It's true for every single browser that runs an Adobe or Java plugin. Failing that, there are no shortages of Firefox exploits in the wild [theregister.co.uk]. It's a myth that Firefox can't get malware through regular browsing.

Re:Bullshit (4, Insightful)

Runaway1956 (1322357) | more than 4 years ago | (#30969570)

You get your IT news from the register? Coool!

More seriously - you link to that page, with words that seem to indicate there are a LOT of Firefox exploits in the wild. Care to name some? The IRC exploit only counts as one.

One more time, I'll point up Firefox's main advantage over IE: Vulnerabilities are made public, and people actually address the vulnerabilities as quickly as possible. Firefox exploits aren't hidden under a mountain of shit by some corporate boss, so that he hopes they can go away.

IMHO, Firefox is just about as safe as a browser can be, today, based on current knowledge. It ranks right up there with Chrome and Opera, and Safari, and Konqueror.

IMHO, Internet Explorer MIGHT be almost as secure - if and when people finally upgrade from IE6 to at least 7, and preferably 8. MIGHT BE. You'll notice that MS didn't publicize this newest vulnerability, until Google and others had already done so.

Re:Bullshit (4, Insightful)

icebraining (1313345) | more than 4 years ago | (#30969628)

That's NOT a Firefox exploit. That's Firefox sending a normal HTTP request to a non-standard port (6667), and the IRC server *wrongly* interprets it as IRC protocol.

The only thing they say Firefox does "wrong" is actually connecting to a non-standard port, which I dispute: there are plenty of reasons to run webservers in non-standard ports, and I want to be able to connect to them.
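Added example, not part of the thread and not code from Firefox or from any IRC server: the cross-protocol behaviour described in comments #30969440 and #30969628, with a lenient line parser beside one that closes the connection as soon as it sees HTTP. The byte strings, host name, nicknames and function names are constructed for illustration, and the command set is a small subset of IRC.

```python
import re

# First tokens that identify an HTTP request rather than an IRC command.
HTTP_METHODS = {b"GET", b"POST", b"PUT", b"HEAD", b"DELETE",
                b"OPTIONS", b"PATCH", b"CONNECT", b"TRACE"}
HTTP_REQUEST_LINE = re.compile(rb"^[A-Za-z]+ \S+ HTTP/\d\.\d$")
HTTP_HEADER_LINE = re.compile(rb"^[A-Za-z0-9-]+:(\s|$)")

# Small subset of IRC commands, enough for the demonstration.
IRC_COMMANDS = {b"PASS", b"NICK", b"USER", b"JOIN", b"PRIVMSG", b"PING", b"QUIT"}

# Constructed sample: what a browser form POST to port 6667 puts on the wire.
HTTP_POST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: irc.example.net:6667\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"NICK formuser\r\n"
    b"USER formuser 0 * :constructed\r\n"
    b"JOIN #example\r\n"
)

# Constructed sample: what a real IRC client sends.
IRC_CLIENT = b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #example\r\n"


def _lines(stream):
    """Split a byte stream into non-empty protocol lines."""
    return [ln for ln in re.split(rb"\r?\n", stream) if ln.strip()]


def _command(line):
    """First space-separated token, upper-cased (IRC commands are case-insensitive)."""
    return line.split(b" ", 1)[0].upper()


def lenient_server(stream):
    """Behaviour described in the thread: unknown lines are ignored and the
    connection stays open, so IRC commands in the POST body are processed."""
    accepted = []
    for line in _lines(stream):
        if _command(line) in IRC_COMMANDS:
            accepted.append(line.decode("utf-8", "replace"))
    return accepted


def strict_server(stream):
    """Close the connection on the first line that looks like HTTP.
    Returns (accepted_commands, verdict); nothing is accepted after a close."""
    accepted = []
    for line in _lines(stream):
        if _command(line) in HTTP_METHODS or HTTP_REQUEST_LINE.match(line):
            return [], "closed: HTTP request line"
        if HTTP_HEADER_LINE.match(line):
            return [], "closed: HTTP header"
        if _command(line) in IRC_COMMANDS:
            accepted.append(line.decode("utf-8", "replace"))
    return accepted, "ok"


if __name__ == "__main__":
    print("lenient, HTTP POST:", lenient_server(HTTP_POST))
    print("strict,  HTTP POST:", strict_server(HTTP_POST))
    print("strict,  IRC client:", strict_server(IRC_CLIENT))
```
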

Re:Bullshit (0)

Anonymous Coward | more than 4 years ago | (#30969630)

Much of the British Government is still running IE6. I weep.

Re:Probably true, even. (0)

Anonymous Coward | more than 4 years ago | (#30969308)

That's very likely true, as the stupidity of the user remains the weakest factor in security.

You sir, are wrong. If the stupidity of the user remains the weakest factor in security, then it is the weakest factor for each browser and not only for IE, which means we can eliminate it from the security equation if we want to compare browsers on their own merit in terms of security. Once we eliminate the stupidity of the user from the security equation, IE can be compared, with all of its known gaping security holes, to all the other browsers which have no such known security holes at this point in time. It is this comparison that shows IE is indeed less secure than any of the other browsers when known security holes and the security track records of all the browsers are taken into account. The UK government failed to acknowledge this fact for reasons best known to them, but we all know that their decision was not an objective one.

Re:Probably true, even. (4, Insightful)

Geirzinho (1068316) | more than 4 years ago | (#30969386)

Users are the weakest link in the security chain. And the least trained users are normally those on the de facto standard of Windows with IE, which implies a higher infection rate on those systems.

If we substitute e.g. Firefox for IE as the default browser in Windows, unskilled users will still remain unskilled users. They will still follow any shady link they come over, some of which will undoubtedly manage to poke a hole in FF's security.

The challenge and solution to security in the current environment is to educate the "average person."

Re:Probably true, even. (1)

JackieBrown (987087) | more than 4 years ago | (#30969412)

Then maybe the default settings should be more secure and allow for the "more trained" users to weaken the security.

Honestly, if we know that the user is the weakest link, why isn't MS setting the defaults to compensate for that?

Re:Probably true, even. (0)

Anonymous Coward | more than 4 years ago | (#30969450)

Security usually costs (its user's) convenience.

Re:Probably true, even. (0)

Anonymous Coward | more than 4 years ago | (#30969456)

The challenge and solution to security in the current environment is to educate the "average person."

Let's assume for a second we've educated each and every single user and made them security conscious on the Internet. An educated user browses a site which contains an image that is constructed to exploit a security flaw in the browser without the user ever doing anything but viewing the image. Unknowingly the user's browser is compromised and in the hands of the attackers despite the fact that the user is well educated and security conscious, which means education alone is not the solution. Better software is the solution.

Normally to safely cross the street you only need to look left and right to check for traffic, you don't have to look up for falling objects, you don't have to check the road for mines, tripwires or other booby traps, you don't have to check for sniper fire, you don't have to check the stability of the road and the quality of the materials and the processes used to build the road like a civil engineer would, you just cross the street without giving any of that any thought. So why is it that using a browser should be any different? Why should you be expected to take into account a million things just to be able to browse the contents of a site safely? It should be as simple as crossing the street and software needs to provide that simplicity with built-in security.

Re:Probably true, even. (4, Insightful)

Geirzinho (1068316) | more than 4 years ago | (#30969588)

Let's assume for a second we've educated each and every single user and made them security conscious on the Internet. An educated user browses a site which contains an image that is constructed to exploit a security flaw in the browser without the user ever doing anything but viewing the image. Unknowingly the user's browser is compromised and in the hands of the attackers despite the fact that the user is well educated and security conscious, which means education alone is not the solution. Better software is the solution.

Absolutely. But what we stated was that, as of right now, users are the weakest link in the security chain. By educating users, you strengthen that link and make another link the weakest. Even so, you have by training improved the security of the system.

To get exploited in your scenario (assuming the user now sticks to "honest" sites and doesn't follow all email links) would require something like a web server exploit such as XSS. This is more difficult than simply tricking the user into executing a trojan.

Normally to safely cross the street you only need to look left and right to check for traffic, you don't have to look up for falling objects, you don't have to check the road for mines, tripwires or other booby traps, you don't have to check for sniper fire

We should not ignore software security just because the user is the weakest link. But to borrow your analogy: the problem today is that pedestrians don't look left and right before crossing the street. Training them to do this would save more lives than any piano transportation safety regulation.

Re:Probably true, even. (2, Interesting)

Runaway1956 (1322357) | more than 4 years ago | (#30969596)

"So why is it that using a browser should be any different?"

Because, morally speaking, if your computer is made into part of a botnet that eventually steals billions of dollars, incidentally wiping out the savings of Ma and Pa Kettle - you are responsible.

Secure your system. The law may not come after you to get Ma and Pa Kettle's money back, but you're still a snake for helping to rip them off.

Re:Probably true, even. (1)

toQDuj (806112) | more than 4 years ago | (#30969394)

But the study was on whether the implementation of other browsers beside IE would increase security. If the user is the weakest link, the choice of browser would not affect the level of security much. The user should be just as big a part of the security assessment as anything else, since testing the browser without the user will not give you a real-world risk level.

Reread your post. (0)

Anonymous Coward | more than 4 years ago | (#30969534)

Reread your post.

You say

"But the study was on whether the implementation of other browsers beside IE would increase security"

Then go on to say that user error is why this wouldn't change IE's state. Then you go and say:

"the choice of browser would not affect the level of security much."

So which is it? Is it that it doesn't change security or it does change security?

You can't have both.

Re:Probably true, even. (3, Funny)

NoPane (1536723) | more than 4 years ago | (#30969340)

It really doesn't matter what browser they use, they will still copy unencrypted data onto CDs and then put them in the post, send unencrypted emails to each other, leave laptops and memory sticks on the train or if that fails, stand in front of photographers with confidential information showing. The 'Chinese' (or whoever) really don't need to bother with browser attacks.

Re:Probably true, even. (0)

Anonymous Coward | more than 4 years ago | (#30969374)

> That's very likely true, as the stupidity of the user remains the weakest factor in security.

As you put it well, "the stupidity of the user" is a "factor in security". Any system that does not address this is flawed, because it does not deal well enough with one of its factors.

This tendency to blame users shows incompetence; IMHO it contributes to worsen the already extremely bad security image M$ products like IE have.

As one admin I knew once told me: "If you don't understand it, don't mess with it".

M$ should stick with fields on which they're really good: hardware (in spite of somewhat high prices).

No, WRONG (2, Informative)

omb (759389) | more than 4 years ago | (#30969466)

1. This is the POLITICAL part of government and is as easily bought as ISO, maybe easier.

2. Look at the record of UK Government IT projects.

3. It is not IE that makes Windoze insecure, it is the OS and the design philosophy

-- COM is a security disaster

-- executing any vaguely executable rubbish based on its extension is a disaster

4. Backward compatibility, and a zillion features that assume an essentially insecure and trusted world are a disaster. M$ has no way out.

Re:Probably true, even. (1)

JoshDD (1713044) | more than 4 years ago | (#30969474)

Are you calling MS users stupid? Isn't that racist or poligamous or anti american or sumpthing? That's it they are terrorists.

Re:Probably true, even. (1)

toQDuj (806112) | more than 4 years ago | (#30969518)

I'm just saying that your average government employee might not be the most savvy cookie in control of a browser.

Re:Probably true, even. (0)

Anonymous Coward | more than 4 years ago | (#30969494)

That's very likely true, as the stupidity of the user remains the weakest factor in security.

Yeah -- if the user is stupid enough to run MSIE you have a security problem. Get over it.

Re:Probably true, even. (1, Interesting)

AftanGustur (7715) | more than 4 years ago | (#30969576)

That's very likely true, as the stupidity of the user remains the weakest factor in security.

While that may be true, that is the right answer to a different question.

The original Question was:
To ask Her Majesty’s Government what discussions they have had with the governments of France and Germany about security risks of using Internet Explorer; and whether they will encourage public sector users to use another web browser. [HL1420]

The problem Google and others had was that they were not using "the latest and fully patched version of IE", but instead an outdated but fully supported version from Microsoft, full of security holes. Even the UK government probably isn't using the "latest and fully patched version of IE" [guardian.co.uk]

Also, Microsoft has a 6 months check cycle for patches, that simply doesn't correspond to today's security landscape where both criminal organisations and state governments have people on payroll searching for vulnerabilities to turn into money or something more valuable, as soon as they are found.

Goatboy (0, Funny)

Anonymous Coward | more than 4 years ago | (#30969254)

I think the late great Bill Hicks would have said this best: "Suckers of Satan's cock, every last one of 'em"

In agreement (0)

Anonymous Coward | more than 4 years ago | (#30969260)

Couldn't agree more. Show me some evidence man!

Guess we're going to have to provide "evidence" (0)

Anonymous Coward | more than 4 years ago | (#30969266)

Someone... quick... grab the evidence!

"latest fully patched" (2, Insightful)

Doviende (13523) | more than 4 years ago | (#30969268)

Sorry, how many users are actually using the latest fully patched version of IE? Google is still trying desperately to phase out IE 6, of which there are still many users. Perhaps as a "neutral" gesture to throw MS a bone, they could make an announcement saying "Upgrade to the latest IE8, or to another browser such as Firefox, Chrome, etc. Your current version of IE is probably ass^H^H^Hinsecure".

Re:"latest fully patched" (0)

Anonymous Coward | more than 4 years ago | (#30969434)

More drastic solution: show the user a page which kindly tells them to upgrade their browser (their browser isn't suited for the web page anymore). Don't allow them to access your services unless they upgraded. Then write your webpages in such a way that they *crash* IE6. This should take care of the matter.

Re:"latest fully patched" (1)

Runaway1956 (1322357) | more than 4 years ago | (#30969618)

And, this should have been done as much as 6 years ago - and not less than 4 years ago.

I simply do not give a rat's arse for those who "depend" on IE6. Use a standards compliant browser, or stay off the intartubez. Try driving a ratheap rustbucket junker down the interstate highways, and see how far you get. The cops WILL be along shortly to impound the damned thing for the safety of more responsible people who also use the interstate.

Re:"latest fully patched" (0)

Anonymous Coward | more than 4 years ago | (#30969490)

Yes Minister.
They answered a different question to what was asked.
No evidence for latest+patched IE - well yes, that changes weekly, so yes, there can be no comparisons, and statement is technically true.

Based on everything known, it would be better to move to something else - they have forgotten the 'standard' environment is a huge huge risk. So they got rid of this factor by adding 'users'. The implication being .gov firewalls and IDS's and the like back up a brittle, insecure product.

Re:"latest fully patched" (1)

thetoadwarrior (1268702) | more than 4 years ago | (#30969508)

Microsoft is fine to go ahead and do things behind the user's back but they won't force IE updates on people. If they would do this (and quit worrying about if they've pirated Windows before allowing them to get IE updates) then we would have fewer problems. For once can't they abuse their monopoly in a way that helps society?

Re:"latest fully patched" (1)

Synkronos (789022) | more than 4 years ago | (#30969556)

I'm assuming that they will be running AD domains, with a local MS SUS server (and Automatic Updates set up correctly). This is, I realise, not necessarily the case. If the network admin is any good at all, he will approve (and set a deadline) on all security updates. This should keep everything up to date. Again, I realise this isn't always the case, but on a properly set up, properly maintained network, it's relatively easy to make sure that everyone is running the latest MS products and updates.

Please consider (0)

Anonymous Coward | more than 4 years ago | (#30969278)

that parliamentary questions aren't meant to please, especially politicians. It's more of a time for the civil service to cover their asses in front of politicians.

Governments will say and do anything.... (0)

Anonymous Coward | more than 4 years ago | (#30969280)

...when large corporations are stuffing their pockets.

Lord Avebury..... (0, Troll)

oldmeddler (1614805) | more than 4 years ago | (#30969286)

... is an idiot.

Re:Lord Avebury..... (0)

Anonymous Coward | more than 4 years ago | (#30969358)

... is an idiot with m$ money in his backpocket.

Fixed it for you.

Re:Lord Avebury..... (1)

Eunuchswear (210685) | more than 4 years ago | (#30969476)

Uh, why?

He asked a reasonable question.

It was the Home Office that gave the reply some people don't like, even if it is probably true.

Re:Lord Avebury..... (0)

Anonymous Coward | more than 4 years ago | (#30969484)

The idiot here is the one who couldn't even understand the first two lines of the summary.

in case any other Americans are confused (5, Informative)

Trepidity (597) | more than 4 years ago | (#30969290)

In UK governmental English, "to table" apparently means something like "to propose" or "to bring up for consideration", almost exactly the opposite of the U.S. meaning, which is "to withdraw from further consideration".

I guess there's some international disagreement over whether this mythical table is where you put things to be considered, or where you put things to die. Perhaps to Britons, putting things on a table is officially proposing them, whereas to Americans, if it's on the table it's inert, and if you want it proposed, you had better have it in your hand waving it in someone's face.

Re:in case any other Americans are confused (2, Informative)

twisting_department (1329331) | more than 4 years ago | (#30969352)

Think about King Arthur and the Knights of The Round Table. Obviously questions were brought to the table, asked, answered and debated. Nothing "inert" about it. I guess any part of the history of our ancestors prior to the discovery of America is not taught over there very much.

Re:in case any other Americans are confused (2, Informative)

Tim C (15259) | more than 4 years ago | (#30969372)

Perhaps to Britons, putting things on a table is officially proposing them

Well I don't know for sure, but I'd always assumed that it was from "to bring something to the table", which is a fairly common expression here in the UK. (Think meeting room table, and bringing something with you for consideration (or perhaps even a dining table))

Re:in case any other Americans are confused (1)

Trepidity (597) | more than 4 years ago | (#30969454)

Yeah, oddly, "to bring something to the table" is the same in US English. But "to table" something is the opposite--- to take it off the table, so to speak.

Re:in case any other Americans are confused (1)

Aldenissin (976329) | more than 4 years ago | (#30969558)

Think of "to table" something as setting it down in US English, as opposed to putting it up on the table in the UK. Context clues help to make it clear, and I have heard it used the "UK" way in the US. E.g. "Alright, let's table that, what else have you got?" - Let's set it down and move on; "Good idea Frank! However keep in mind if we (put this on the) table this now, we won't have time for your other presentation." - What are we about to look at or talk about?

Re:in case any other Americans are confused (4, Informative)

gigne (990887) | more than 4 years ago | (#30969400)

Yes, indeed you are correct.

UK: To place an item on the agenda for discussion.
US: To remove the item from consideration.

In the UK we shelve discussion items when they are removed from consideration.

Re:in case any other Americans are confused (3, Funny)

TheRaven64 (641858) | more than 4 years ago | (#30969594)

Until we run out of shelves, then we table them until the table is cluttered, and then we floor them.

Re:in case any other Americans are confused (2, Interesting)

Anonymous Coward | more than 4 years ago | (#30969602)

Other countries don't play poker, apparently -- but even in that game winning is accomplished by putting cards on the table and demonstrating which cards one has.

I think American English use is misguided.

But then, I'm biased, I think the entire English language is braindamaged.

Assuming they are actually using IE8. (0)

Anonymous Coward | more than 4 years ago | (#30969296)

To a certain extent, other browsers benefit from their low levels of use. IE is SO common that pretty much all sophisticated attacks target it. Given that a targeted attack on the uk gov't will target whatever browser they use, switching browser doesn't make all that much sense. And these aren't the days of IE6 anymore.

Re:Assuming they are actually using IE8. (1)

Synkronos (789022) | more than 4 years ago | (#30969568)

Except that, by using a not-most-popular browser, they dodge all generic attacks not specifically aimed at them. Which is, oh, most of them. As you say, a crafted attack will exploit a known bug in a known used system, and so doesn't matter which (since they all have exploits at various points in their lifecycle), but removing yourself from the random crossfire can't be bad.

This is evidence for something else... (1)

Mojo66 (1131579) | more than 4 years ago | (#30969354)

This is evidence for the fact that nowadays, decisions aren't made by politicians anymore, but by lobbyists. Politicians are just the muppets who stand in front of the camera. Best example is my country, Germany, where the FDP is doing this openly, it is called "clientele politics" here.

Re:This is evidence for something else... (2, Insightful)

atomic777 (860023) | more than 4 years ago | (#30969398)

I saw an idea somewhere that politicians these days should require NASCAR/Formula-1 style sponsor patches to be worn on their suits at all times, to indicate which corporations are funding their campaigns.

Then when someone says there is no evidence of IE being less secure, we can Look for the logo [microsoft.com]

IE (on Windows) is safer than Firefox (3, Informative)

Manip (656104) | more than 4 years ago | (#30969390)

A fully patched IE8 running on either Vista or Windows 7 is far safer than Firefox. Why?
  - Low privileged mode. IE8 runs with lower rights than the logged in user, Firefox doesn't...
  - DEP is turned on for IE8 by default. Firefox has to be added (or the "all applications" option).
  - IE8 patches can be deployed from the Domain very easily. Firefox on a corporate network is a pain in the butt...

Now I entirely grant that this is Microsoft's browser running on Microsoft's OS and thus it gains unfair advantages but that doesn't change the facts or reality of the situation.

UK Gov isn't running Vista or 7, nor IE8 (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30969566)

UK Gov isn't running Vista or 7, nor IE8. In fact almost nobody is using that combination (and note that you are still vulnerable to several attacks under both because you can't run flash or acrobat web plugin with execution privileges turned off and that change doesn't fix Vista completely either).

So in very many ways, your point is wrong. Might as well say running FF on a VM image of Linux which would be even MORE secure.

Nobody does that, but it would be.

Re:IE (on Windows) is safer than Firefox (3, Informative)

Anonymous Coward | more than 4 years ago | (#30969584)

There are currently 23 unpatched advisories for IE 6.x http://secunia.com/advisories/product/11/
There are currently 10 unpatched advisories for IE 7.x http://secunia.com/advisories/product/11/
There are currently 3 unpatched advisories for IE 8.x http://secunia.com/advisories/product/11/

Advisories often contain multiple vulnerabilities. Doing a little quick math, that comes out to around 59 vulnerabilities (not an exact number, just a ballpark estimate) for those 3 versions of IE

This is compared to 0 unpatched advisories for the 3.x line (19 months old, now) and 3 unpatched advisories for the 2.x line. http://secunia.com/advisories/vendor/18/

Mozilla also generally gets their patches out faster than Microsoft.

Re:IE (on Windows) is safer than Firefox (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30969608)

IE8 is completely useless until you start disabling some of this "security". You can't download anything. Pages don't render properly. It's crap.

Firefox can easily be updated over a corporate network. Very easily.

Re:IE (on Windows) is safer than Firefox (0, Offtopic)

selven (1556643) | more than 4 years ago | (#30969612)

IE doesn't have Noscript. That's a pretty big one in terms of security.

follow up questions should be asked (0)

Anonymous Coward | more than 4 years ago | (#30969404)

While user stupidity remains a large factor in security breaches, Microsoft's products are the products which allow for the most user stupidity - and everything which is supposed to prevent that, is broken by design.

So, question remains: why is the UK government still using software which is broken by design?

Re:follow up questions should be asked (1)

JoshDD (1713044) | more than 4 years ago | (#30969452)

Because they don't want any one to have a secure browsing experience.

Same source that said Saddam Hussein has WMD? (0)

Anonymous Coward | more than 4 years ago | (#30969406)

It's the UK government. It's very likely that whatever they say, the opposite is true.

Lack of evidence shouldn't be a problem (5, Funny)

noidentity (188756) | more than 4 years ago | (#30969416)

They just need to grow suspicious of IE harboring WMDs. Then the lack of evidence wouldn't be a problem at all.

Re:Lack of evidence shouldn't be a problem (2, Insightful)

alx5000 (896642) | more than 4 years ago | (#30969622)

It's a shame that this comment is modded '+5 Funny', since, IMHO, it should be '+5 Sadly and painfully insightful'.

Ah, UK and the big corps. (0)

Anonymous Coward | more than 4 years ago | (#30969420)

They just love 'em, don't they? Monsanto, Microsoft, mmmm.

(More on topic -- of course each browser has its weaknesses. It's not as much technical as it is process, I think)

Internet Explorer is safe for them... (1)

AHuxley (892839) | more than 4 years ago | (#30969428)

What would the cubicle spooks at the UK Government Communications Headquarters do without MS?
They would have to learn to hack real operating systems and would have messy logs to correct every time.
No more UFO hunters with perl scripts.
Forward intelligence teams and community policing with their 'sneak and peek' anti gang, eco and domestic terrorist operations.
All the ex spooks selling back MS cracks, ip loggers, websites, tools with polished GUIs at dreamy consulting fees.
Then you have the bureaucrat with a rolodex who wants to get into the private sector. First rule, don't burn the US monopolies.
Add to that the 30 something point and click MS tech clones advising the MPs.
MS has many friends around the world who love sloppy networked computing.
Never believe anything until it's been officially denied.

There IS no evidence! (5, Insightful)

guyminuslife (1349809) | more than 4 years ago | (#30969444)

The latest patched version of Internet Explorer fixed the bugs that Microsoft found. The latest patched version of other browsers fixed the bugs that other browser-manufacturers found. Ergo, there is no evidence that the latest patched version of Internet Explorer is less secure, since the officially "known" security features have been fixed.

In fact, there's no evidence that there are any bugs at all in the latest patched versions of any software ever written, unless the manufacturers have explicitly stated that there are. In which case, in order for policymakers to accept such a report, they would need to prove that this is the case, by lobbying the government to the effect that their software is inferior.

Re:There IS no evidence! (2, Informative)

Anonymous Coward | more than 4 years ago | (#30969528)

Please forgive me if I'm wrong but I was under the impression Microsoft had known about this latest flaw for several months, but had deemed it not important enough to fix, so there IS evidence that they do not immediately fix all known security holes.

IE is a must-have for every Government member (1)

Jorl17 (1716772) | more than 4 years ago | (#30969486)

With IE, everybody gets a shot at spying others -- and to think we needed KGB for that before!
"Internet Explorer -- You'll explore your neighbours' world."

This just in... (0)

Anonymous Coward | more than 4 years ago | (#30969512)

UK Gov't Says "No Evidence" condoms lower the risk of pregnancy and STD transmission

"Not please" Slashdot readers? (4, Insightful)

Jane Q. Public (1010737) | more than 4 years ago | (#30969516)

I don't know why it would "not please" Slashdot readers. I am very pleased. That is the funniest thing I've read all week.

Nothing like a good laugh to start your morning.

Are these the same people.... (4, Funny)

Joce640k (829181) | more than 4 years ago | (#30969536)

Are these the same people who said IRAQ was full of WMDs and terrorists?

This is why... (2)

lattyware (934246) | more than 4 years ago | (#30969550)

I fucking hate our government. Seriously. They just all appear completely incompetent.

Re:This is why... (3, Insightful)

malkavian (9512) | more than 4 years ago | (#30969614)

Probably because they are.
By "insufficient evidence" they usually mean "we've not heard enough to convince us". Which means "Someone was telling us stuff, but we don't really understand the field that they were trying to explain about. Instead of trying to understand the stuff we don't understand, we prefer to play nice with the money, because that tells us it's all good.".
The prime qualifications in Labour are history, classics, and a few Lawyers, advertising and marketing. Not really anyone with any solid scientific skills.
So, rather than work out the hard stuff, and make scientific dispassionate decisions which will make the country stronger and genuinely safer, they prefer to use rhetoric and assume that things work by fiat (we say the world works that way, ergo it does, because we say, which is why it lost pretty much the core of its drugs advisory group because the scientific advice of some highly qualified and internationally renowned people was completely ignored, and the opposite decision was made as policy, AND the politician hounded the scientist for not backing him up and twisting scientific results to fit into what he wanted things to be like).
I don't trust 'em as far as I can spit 'em. They need to understand scientific method, not empty rhetoric.

Let's face it (0)

Anonymous Coward | more than 4 years ago | (#30969590)

Let's face it, the only fact that makes IE less secure vs Firefox et al, and Windows less secure than OS X et al., is the market share (which makes them bigger targets).

Forget all other arguments! (1)

Aldenissin (976329) | more than 4 years ago | (#30969606)

Whether anything is more secure when both often need patches can be argued all day. What should matter and is scientific, is the percentage of users who have been compromised. If you want to be nitpicky, then compare the same demographics, most preferably the highest risk and or biggest selection. (Perhaps more IT centered people do not use I.E. and can skew the results for an example, but I would take that as a sign myself if that were the case...)

  This approach centers on "real" and verifiable end result solutions and ignores time wasting arguments. In other words, what really matters will be assessed and highest yield of success suggestions given.

Missing the point (5, Insightful)

sparky81 (1309369) | more than 4 years ago | (#30969620)

The reason for this statement by the UK government is very simple - it has intranet and business systems in virtually every government department which work only with IE. They are frequently ridiculously old versions at that - IE6 take a bow - giving the lie to the "latest, fully patched" comment anyway. There is no way that the UK government is going to incur the conversion costs for these systems at this moment given the state of its books at the moment. Stating that IE was insecure would create an inexorable pressure to do exactly that. This statement has nothing to do with security, and everything to do with internal government politics.

Is not talking about home user (5, Informative)

DaveGod (703167) | more than 4 years ago | (#30969646)

The quote bears no reflection of any opinion on the security or quality of IE in general. The "user" being referred to in the quote is UK government staff, using UK government IT, and his response is wholly within that context. As is very often the case on Slashdot (and, to be fair, much of the media), the summary shifts the context slightly and then omits significant information and thus infers something other than what was communicated at the time.

Immediately after the quoted text, unmissable except by the most... Let's give the benefit of the doubt and say hurried of submitters and editors, is the following: (my emphasis added for the most hurried of Slashdot readers)

26 Jan 2010 : Column WA317

Microsoft issued a patch to fix the recent Internet Explorer vulnerability on 21 January. Prior to this, government departments had been issued with a GovCertUK alert on how to deal with this particular incident and to mitigate vulnerabilities in relation to particular versions of IE.

A government user, operating on government systems, such as the Government Secure Intranet (GSi), will benefit from additional security measures, unlikely to be available to the average home computer user. These include tools which actively monitor for evidence of any malicious attacks.
