Dept of Homeland Security says use a different web browser

US-CERT, part of the Department of Homeland Security, continues to recommend that users of Internet Explorer "use a different web browser". The folks there can't say it, but we all know what they want to say, and that's use Firefox.

Here's the vuln note: http://www.kb.cert.org/vuls/id/680526

Here's the text:

Use a different web browser

There are a number of significant vulnerabilities in technologies involving the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented in operating system libraries that are used by IE and many other programs to provide web browser functionality. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.

It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when viewing untrusted HTML documents (e.g., web sites, HTML email messages). Such a decision may, however, reduce the functionality of sites that require IE-specific features such as proprietary DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML).

Someone at Microsoft had said that they didn't gain anything when Firefox had vulnerabilities, and they went into their standard line that security is an industry problem, which it is. The fact is, though, they do gain: they should be checking their own code when someone finds a vulnerability in ours, because chances are they may have the same problem (I know of several cases where that was the case). But I don't know if those guys think that way.

The tricked out Firefox PC

[photo: firefoxpc_0]

Here's the background for this (though the important part is that three of these things are being awarded for the Extend Firefox contest that's out TODAY!).

For a prize we thought, let's get a really, really awesome computer. David Hyatt, one of the early Firefox inventors, has one of these Alienware thingies. We wanted a computer that was fast and powerful and also very unique, and so we came up with the Alienware Aurora 7500 Firefox Edition PC which is going to be customized with Firefox decals and airbrushed with real flames — in other words, we're going to pimp your PC. How cool is that?!?

A few more details:

There are only three of these bad boys. Three. And we can't wait to award them to the winners of the Extend Firefox Contest. These entries better be damn good.

An old school friend of mine, "Poots", up in Oakland, is taking care of the airbrushing. I'll post pictures on this site as we go through the design and custom paint job on these bad boys, and a shout out to the Alienware folks, who are so awesome to work with.

Alienware Aurora 7500 Firefox Edition PC specs

Here are the specs:

Aurora™ 7500 (Alienware Aurora 7500 Firefox Edition PC)
Processor: AMD Athlon™ 64 X2 4800+ w/HyperTransport
OS: Microsoft® Windows® XP Pro SP 2 and/or Ubuntu Linux
Case: Alienware® Full-Tower Case – Space Black w/ custom Firefox graphics and airbrushed flames
Case Upgrades: Alienware® Acoustic Dampening

Motherboard: Alienware® nForce™4 SLI™ Chipset Motherboard PCI Express
Graphics Processor: NVIDIA® GeForce™ 7800 GTX KO ACS PCI-E 256MB DDR3
Memory: 2GB Ultra Low Latency DDR PC-3200 SDRAM at 333MHz – 4 x 512MB
System Drive: 250GB Serial ATA 7,200 RPM w/8MB Cache
Primary CD ROM/DVD ROM: 16x Dual Layer DVD±R/W Drive
Sound Card: 7.1 Surround Sound with S/PDIF and Coaxial Digital Outputs
Floppy Drive: 3.5" 1.44 MB Floppy Disk Drive – Black
Network Connection: Integrated High Performance Gigabit Ethernet
Monitor: Alienware® 20.1" 16ms LCD Display – Silver/Black

Warranty: 3-Year AlienCare Toll-Free 24/7 Phone Support w/Onsite Service Bundle w/ AlienAutopsy and Respawn
Power Supply: Alienware® Approved 650 Watt ATX 2.0 Power Supply with Active PFC
Keyboard: Microsoft® Multimedia Keyboard – Space Black
Mouse: Microsoft® IntelliMouse Explorer 4.0 – USB – Saucer Silver
Alienware Exclusive Offers: Gamespot Complete – Free 90-day Trial
Alienware Exclusive Offers: 10% off your next EB Games online purchase
Cable Management: Alienware® Cable Management System
Free Alienware Mousepad: Free Alienware® Mousepad
Desktop Enhancements: Exclusive AlienGUIse Theme Manager
AlienInspection: AlienInspection – Exclusive Integration and Inspection
AlienWiring: AlienWiring – Exclusive Internal Wire Management

Testing Firefox – WSJ article

For my archives:

Tapping Employees' Tech Lust
WSJ – Michael Totty
Oct. 24, 2005

*Testing Firefox*

Fidelity Investments' Center for Applied Technology, which develops and tests new technologies for the Boston-based mutual-fund giant, encourages employees to try out new innovations — within limits.

Recently the center began testing the open-source Firefox browser, an alternative to Microsoft's dominant Internet Explorer. Charlie Brenner, a Fidelity senior vice president in charge of the center, says the idea came from engineers in his department who were using it at home and liked Firefox's advanced features, such as the ability to open new browser windows in tabs rather than in a whole separate browser, and its promise of being more secure from hacker attacks than Explorer.

The center has recruited several hundred volunteers from around the company to try Firefox on their computers, mainly to see whether the browser's security controls are "industrial strength," says Mr. Brenner. He expects Firefox ultimately will be permitted for use on its computers in addition to Explorer.

Mr. Brenner cautions that while the center encourages employees to be unrestrained in their ideas, they're not permitted to try out new technologies on their own. "Too much freedom is chaos," he says. "We can't just let a hundred flowers bloom."

The Flying Mozilla

[photo: 14167377_1a6601a1be-1.jpg]
Mitchell is really the trapeze expert; I've only had the experience of doing trapeze twice, once at Club Med in Turks & Caicos, and the other time here in Cancun.

This time I was able to do a knee hang "catch" hawk-style. I tried doing a "heels-off" but wasn't able to do the catch. So the photo above is the split second that's not supposed to happen where I'm supposed to be just hanging from Chucho's arms (versus still hanging from the other bar with my knees). It's a pretty cool photo.

Anyway, here's the rest of the slideshow of my trapeze efforts. It's a pretty fun sport(?)/activity. The thrill of flying and twisting in the air is pretty neat. Apparently there are places like Trapeze Arts in Oakland where I could go to school for this.

Inside Firefox 1.0.3

Seeing the dedication of the Mozilla community (of which you and I are a part) with the Firefox 1.0.3 and Mozilla 1.7.7 release, first-hand, is just amazing. It's not new, as we've been doing this for quite some time, but it's always, always awesome to see.

People's Friday evening plans are rescheduled, weekend plans too, working (as usual) with folks from all over the world, whether it's Germany, Japan, or too many countries to list.

The press won't see this dedication or maybe they will. Maybe they'll see all the different people involved from top companies and top community members working on the issues. Maybe they'll see the feedback loop and the high quality standards we've set for our products. Maybe they'll see that when we say we are passionate about security, we mean it. Maybe they'll see the fast response time and think of some of the personal sacrifices.

We do our best to work with the press to get the word out to make sure users get the latest security updates. It's tough when the press makes a story out of it instead of making it a public service announcement. The press may go in and compare us to MSFT (it's always favorable), but that's still not what the focus should be. Or they'll be completely off the mark trying to explain a JavaScript engine heap memory vulnerability in their own words, but lately they've been pretty good.

Going forward, Firefox's update mechanism will be the primary mechanism for notifying users of updates, versus also using a full-on media blitz to get the word out that an update is available. Press releases for security updates seem to cause confusion, so we've been going with a security Q&A that we give to reporters that has some better clarification.

MiniMo(zilla) coming to a cell phone near you

[photo: minimo-b.jpg]
I thought Asa was going to beat me to the punch with these photos. Here are a couple of photos of MiniMo on a cell phone and PDA, taken on my camera by Doug or Asa, not sure who. Anyhow, it's very cool and I can't wait for us (well, dougt) to get this out to people. A very rich browser experience on a PDA or cell phone is going to be interesting for both content developers and consumers. The form factor of cell phones and PDAs definitely presents a challenge, but you can see it's not too shabby in these two photos. Having access to the web via these devices is convenient and may prove invaluable.
[photo: minimo-a.JPG]

**Update**
Even more photos of MiniMo in action. Just in case you can't get enough…

**Another Update**
MiniMo project can be found here: http://www.mozilla.org/projects/minimo/

It's a stripped-down, browser-only product à la Firefox. This is a Windows CE port and also works on Familiar Linux and Symbian. Maybe others are on the way, not sure. This is based on Gecko 1.8 off the trunk, so fairly recent.

Firefox and Thunderbird Deployment Resources

This is an unofficial draft and set of links and instructions for deploying Firefox and Thunderbird. Note that companies are already deploying Firefox and Thunderbird, and others are writing up the documentation and building the tools to support it. I'll be consolidating the resources here, and then publish them on mozilla.org when ready.

Also note that Mozilla.org is focused on end-user consumers (home users) and we are NOT at this time doing enterprise customer support or deployments. Supporting enterprises is HARD because everyone does something a little different and wants x or y feature or x level of support. That takes up a lot of resources, and we'll need to rely on consultants, internal IT staff, etc. who already do this.

That said, there are features in Firefox and Thunderbird that are enterprise friendly and companies that are large enough have the resources to support themselves in deployment. Certainly other companies are able to provide customer and deployment support.

  • Lock settings such as homepage, proxy and many others in Firefox
  • Set defaults on many settings within Firefox
  • Create a profile on a user's first run
  • And the feature list is ever growing (already on the way to the same feature-completeness as IE's Group Policy settings)
  • Firefox .msi builds (for testing only, give me feedback)
  • More tools and documentation to come.
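The "lock settings" and "set defaults" items above are done through Firefox's AutoConfig mechanism: a small loader stub in defaults/pref/ names a config file, and that file calls lockPref() for settings the user must not change and defaultPref() for settings they may override. The generator below is an added example, not code from the original post or from Mozilla's deployment tools; it assumes the standard install layout (defaults/pref/local-settings.js plus mozilla.cfg beside the executable), and the proxy and homepage preference values are illustrative.

```python
"""Generate Firefox AutoConfig files that lock or default preferences.

Added example for a locked-down deployment (not Mozilla's own tooling).
Assumed layout: <install_dir>/defaults/pref/local-settings.js loads
<install_dir>/mozilla.cfg. Pref values used in the demo are illustrative.
"""
import json
from pathlib import Path

# Loader stub: names the config file and declares it plain text
# (obscure_value=0) rather than the default byte-shifted encoding.
LOCAL_SETTINGS_JS = (
    'pref("general.config.filename", "mozilla.cfg");\n'
    'pref("general.config.obscure_value", 0);\n'
)


def js_literal(value):
    """Render a Python bool/int/str as the JavaScript literal AutoConfig expects.

    bool is checked before int because bool is a subclass of int in Python.
    Strings are JSON-quoted, which is valid JS and escapes embedded quotes.
    """
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        return json.dumps(value)
    raise TypeError(f"unsupported pref type: {type(value).__name__}")


def build_mozilla_cfg(locked, defaults):
    """Build the text of mozilla.cfg.

    locked:   prefs the user must not change  -> lockPref()
    defaults: prefs the user may override     -> defaultPref()
    Firefox skips the FIRST line of this file, so it must be a comment;
    forgetting that silently drops the first real pref.
    """
    lines = ["// Firefox AutoConfig - this first line is ignored, keep it a comment"]
    for name, value in sorted(locked.items()):
        lines.append(f"lockPref({json.dumps(name)}, {js_literal(value)});")
    for name, value in sorted(defaults.items()):
        lines.append(f"defaultPref({json.dumps(name)}, {js_literal(value)});")
    return "\n".join(lines) + "\n"


def write_autoconfig(install_dir, locked, defaults):
    """Write both files under install_dir and return the mozilla.cfg text."""
    install_dir = Path(install_dir)
    pref_dir = install_dir / "defaults" / "pref"
    pref_dir.mkdir(parents=True, exist_ok=True)
    (pref_dir / "local-settings.js").write_text(LOCAL_SETTINGS_JS)
    cfg = build_mozilla_cfg(locked, defaults)
    (install_dir / "mozilla.cfg").write_text(cfg)
    return cfg


if __name__ == "__main__":
    # Illustrative corporate policy (constructed values): force the proxy and
    # disable the password manager, but let users change their homepage.
    LOCKED = {
        "network.proxy.type": 1,                  # 1 = manual proxy configuration
        "network.proxy.http": "proxy.example.com",
        "network.proxy.http_port": 3128,
        "signon.rememberSignons": False,
    }
    DEFAULTS = {
        "browser.startup.homepage": "http://intranet.example.com/",
    }
    print(build_mozilla_cfg(LOCKED, DEFAULTS))
```

Run it once against a scratch directory with write_autoconfig() and diff the two generated files against what is already in the install tree before pushing them with the .msi: a mozilla.cfg whose first line is not a comment, or a local-settings.js missing the obscure_value line, fails silently and the browser just starts with the factory defaults.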