Mozilla wants infosec activism to be the next green movement

Mozilla has issued a prototype of its first internet health report in a bid to make humans give security and privacy the same level of attention they devote to climate change. The prototype report details rising breaches affecting healthcare and medical industries but largely serves as a pulpit from which the browser baron and …

  1. Anonymous Coward

    Mark Surman, FTA: "When I first fell in love with the internet in the mid-1990s, it was very much a commons that belonged to everyone: a place where anyone online could publish or make anything..."

    That's still true. Everything available in the 90's remains in place. If straight HTML is your thing there's NFW any hackers are going to take over your site, period. Unless they hack your host. But how often does that happen?

    Okay, it's all dynamic now, I get it. I hate it. Wanna go back to the 90's sooo bad. And I make my living writing web code, oy.

    And we can all use a bit more security, but where does AGW (aka 'climate change') come into it?

    FTA: "Mozilla has issued a prototype of its first internet health report in a bid to make humans give security and privacy the same level of attention they devote to climate change."

    I read the linked Mozilla report and it never mentions climate or even the weather. Are we now at a point where article writers feel that the 'climate angle' must be a part of every story?

    Besides, most people don't spend many cycles thinking about AGW, or 'climate change' as it's called now (by those embarrassed by lack of actual warming on schedule).

    And why should they waste their time worrying about it? That theory's supporters are mostly the same crowd that is now trying to tear down U.S. Democracy in a fit of ill-tempered petulance, aimed in all honesty at those fellow Americans who failed to vote with them.

    There's nothing as ugly as a liberal scorned.

    1. Anonymous Coward

      I'd settle for a separate internet from America, so I don't have to listen to yanks sperg out about "liberals" all the time.

      Bonus 1: It would cut Facebook off from much juicy data.

      Bonus 2: Everyone I talk to would spell colour correctly.

      1. Anonymous Coward

        I call them liberals because I'm trying to be nice. And even tho I'm a Yank, I do employ British spelling here since the site is based in the U.K.

        In fact, I think it's wearing out my 'U' key...

    2. strum

      > but where does AGW (aka 'climate change') come into it?

      Oh dear. I suggest you study some history.

      Surman is alluding to The Whole Earth Catalog - an enterprise which triggered much of US creativity, from the late '60s onwards. And that included environmental awareness which, in turn, informed the fact of Anthropogenic Global Warming - (which nutjob denial can never undo).

      1. Anonymous Coward

        So, you admit that the "fact" of the AGW theory was "done" to us? That certainly was pretty obvious all along, but it's nice to see the truth slipping out once in a while. ;-/

  2. allthecoolshortnamesweretaken

    Interesting analogy, and quite fitting, too.

    But I'd say that a) we're already past the "awakenings" stage and b) that this isn't going to change anything unless we enter into the "it's a mainstream thing" phase.

  3. glnz

    Moz not good on security itself

    Sorry, anything Moz says about security is junk and hypocritical.

    Do you remember the VERY FIRST security setting you learned, probably on IE? It was to make the browser ask you every time whether you would Allow cookies from a new source, and you maybe also set it to Deny third-party cookies automatically.

    And when we all got Firefox for the first time, it had the same thing in its privacy setting: "Ask me every time" for permitting cookies. With that turned on, after a while, we all had a very good list of Allowed and a much longer list of Denied cookie sources.

    Well, about a year and a half ago, Mozilla got rid of the "Ask me every time" option in FF, set it to Allow ALL cookies, and didn't tell anyone. They have rebuffed all objections and have no intention of returning this basic, user-friendly and good protective feature.

    So, today, FF is less secure than IE and Edge.

    When Mozilla gets all high and mighty about internet security, don't believe it. It's a phish.

    1. Updraft102

      Re: Moz not good on security itself

      That's a privacy issue, not a security issue.

      I tried to use the cookies permission system years ago, but it very quickly got to be unwieldy... many sites don't work well with cookies disabled, and every damned site out there has to set them, so there was never any end to the prompts if you don't just keep visiting the same sites.

      I found a much better way is to simply delete cookies after you're done with the site. I use an extension that automatically deletes cookies when I close the tab, and another to add a delete-cookies button. Of course, that's an all-or-nothing approach, which is how I like it... I don't want ANY cookies persisting between sessions. If you do, I would imagine there are addons that do what you wish with more granularity than simply removing them all.

      I get frustrated by Moz's fetish for removing useful features and replacing them with stuff no one asked for, but they can still be undone with addons. For how much longer, I don't know; Mozilla seems dead-set on suiciding their flagship product by the end of this year by eliminating most of the addons.

      1. Anonymous Coward

        Re: Moz not good on security itself

        Actually it's an information security issue and should have been made very clear to users what the outcome would be.

  4. jake Silver badge

    For the last 40ish years ...

    ... I've been trying to "make humans give security and privacy" any level of consideration. It doesn't seem to be working.

    I'm still finding passwords on PostIt[tm]s and the like during security sweeps.

    And hardly a day goes by without a 419 scam or "IRS calls taxpayer" scam, or "Microsoft calls to tell user their computer is infected" scam and the like being reported on the news. Right now, the "place all your valuables in a bag to be blessed" scam is making inroads on the elderly Chinese population in the Bay Area, just as it does every Chinese New Year.

    It would seem that people, as a class, are completely ineducable on the subject.

  5. druck Silver badge
    Stop

    They want to do for Internet security what climate change has done for scientific rigor?

    Gawd help us!

  6. Tannin
    Mushroom

    Back to the future

    The main problem is that we don't design systems to be secure in the first place. Every code wonk in the known universe wants to add features and Do Cool Stuff. Security is an afterthought. This notion that any random website is allowed by default to run unknown code on your computer is stone motherless stupid. And the ability sites have to hand-off code to other sites, ones you have never even heard of, is beyond stupid.

    OK, so that amounts effectively to throwing away Javascript and starting again with a better idea.

    Good!

    (Yes, yes, Javascript is not the only problem child. There are various other completely unnecessary scripting honeypots, such as Flash and active PDF documents, various Microsoft proprietary horrors, and so on. A pox on all of them. And if that means going back to 1995 and starting again, only trying to do it right this time, well, hand me the plutonium and switch on the flux capacitor.)

    1. Charles 9

      Re: Back to the future

      Because that's what Joe Stupid wants: turnkey simplicity, and Stupid outvotes you: both in numbers and in money. Which means we need another plan.

  7. lglethal Silver badge
    Go

    Whilst it's a nice idea...

    I take a little bit of exception to the idea that the Internet was a friendlier, safer place back in the 90's. There were plenty of viruses and trojans abounding back in the day, and most of them were more destructive than what is around now. True, the virus writers weren't trying to monetise and hold people and their data to ransom, they were just doing it to be d%cks and destroy stuff, but it was still the wild west out there. The difference was back then you needed some computer skills to find your way around the Internet properly and so you were a bit more tech savvy at how to deal with the viruses, to stop them getting in in the first place and cleaning up the mess when they did get in. These days, you don't need any computer skills to get on the Internet, so we see the problems affecting more people.

    The Internet has always been a "dangerous" place, so maybe we should instead push for people to have to obtain a licence for the Internet (like you need for a car) with such simple tips as "No, that nice man offering you penis pills will not help you get a bigger erection!" and "No, you should not click on that attachment from someone you never heard of telling you, you've won a Million Dollars".

    1. Charles 9

      Re: Whilst it's a nice idea...

      So you want a license to use something people use in the privacy of their own homes? Not even driver's licenses go that far (a car driven on private property doesn't require a license).

      What we need is some kind of HARDWARE lock such that anything potentially stupid requires getting up and pushing an actual button or even inserting and turning a key to engage. The trick would be to actually make it enforceable and nigh impossible to bypass.

      1. patrickstar

        Re: Whilst it's a nice idea...

        What we need is makers of things exposed to the Internet, like say Firefox, to stop stuffing feature after feature into their software faster than security vulnerabilities in existing features can be found and fixed.

        And practice slightly safer coding standards for the existing feature base, instead of chasing after the highest Sunspider score regardless of the costs.

        1. Charles 9

          Re: Whilst it's a nice idea...

          Even if that's what the public wants? Don't forget we're in the distinct minority here.

          1. patrickstar

            Re: Whilst it's a nice idea...

            Most of this insanity, including much of the WebYaddayadda "features" and the whole Javascript performance race, has been driven by developers, industry actors or various special interests.

            The adoption rates for anything more advanced than "run JS and manipulate the DOM at reasonable speed" are still very low and mostly confined to special cases that could as well use something other than a web browser.

            I'd bet that most users if given the choice between "being able to play 3D games in the web browser by just visiting a site" and "your computer being stable and your money not going to Russia" would choose the latter.

            And honestly, if you're gonna play do-gooder like Mozilla, maybe you shouldn't be part of this insanity? People are actually getting killed, tortured and imprisoned as a result of computers getting compromised via browser vulnerabilities. This is not some theoretical scenario - it's very much ongoing.

            How many human lives is WebGL or a higher benchmark score worth?

            1. Charles 9

              Re: Whilst it's a nice idea...

              "And honestly, if you're gonna play do-gooder like Mozilla, maybe you shouldn't be part of this insanity? People are actually getting killed, tortured and imprisoned as a result of computers getting compromised via browser vulnerabilities. This is not some theoretical scenario - it's very much ongoing.

              How many human lives is WebGL or a higher benchmark score worth?"

              Oh? Specifics, please, because what you say is the kind of thing that could put the government on them...criminally.

              1. patrickstar

                Re: Whilst it's a nice idea...

                Obviously there aren't a lot of exact numbers in public (I wonder how that would look... www.dictator.bananarepublic proudly proclaiming just how they managed to arrest NN counter-revolutionaries?). But some random cases where this has ended up in the public:

                - The Hacking Team hack and the states they sold browser exploits to

                - The recent case of the 0day exploit attempt against an activist in UAE: https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/ (First point of entry was a Safari bug)

                - The recent FBI "NIT" used against Firefox/Tor browser. This was a vulnerability in SVG animations, yet another very useful web feature: https://blog.mozilla.org/security/2016/11/30/fixing-an-svg-animation-vulnerability/ Exactly what targets were intended is unknown, but you don't need much of a tinfoil hat to suspect that various US TLAs do not have universally noble intentions. Locating targets for drone warfare, anyone?

            2. Charles 9

              Re: Whilst it's a nice idea...

              "I'd bet that most users if given the choice between "being able to play 3D games in the web browser by just visiting a site" and "your computer being stable and your money not going to Russia" would choose the latter."

              Don't be so sure. Your bet could be covered and you might lose. Never underestimate the depths of human stupidity. That's why we have the Darwin awards, after all.

  8. Your alien overlord - fear me

    Harking back to the 60's? That'll explain the new corporate logo then :-)

  9. Buzzword
    Joke

    Facebook is not on the internet

    > millions of Facebook users do not realise the social network is on the internet

    Well of course it isn't. Facebook is in the Facebook app, whereas the Internet is in the Google app. Every smartphone user knows that!

  10. Potemkine Silver badge

    Die, hippie, die!

    What the heck! Are you insane using such a picture? Do you want this website to turn into a drum circle four miles in diameter,

    1. Anonymous Coward

      Re: Die, hippie, die!

      I agree the idea of a four mile drum circle is a bit horrifying, but at least you wouldn't be able to hear most of them. And neither would they. So local areas on the circle would be keeping their own time, and those separate beats would tend to migrate around the circle as phonons, similar to the 'wave' seen at sporting events. When conflicting beats approach each other, chaos would ensue (just like in real life) and the hippies would then realize we aren't all in this together.

      It ought to be highly educational to watch.

  11. Robert Helpmann??
    Coffee/keyboard

    Should come as no surprise

    > ...millions of Facebook users do not realise the social network is on the internet...

    How?! Wait! I know: these are the same people who type "facebook.com" into Google search in order to get to the web site... or they think the app on their phones is staying in FB when they follow a link because all of the interwebs is actually within FB. We need to build the B Ark and use FB usage as the main criterion for a free trip to another world.
