The roots of Internet Explorer’s security problems

About a day ago Zack Whittaker posed the question: Has Internet Explorer ever been safe?

Overall I think this is a pretty good write-up on the history of Internet Explorer for those who don’t understand its faults and/or are actually still using IE for serious Web browsing.

I think on a greater scale, it’s a great example of Microsoft’s utter failure in terms of security, and quite possibly a testament to the problems facing non-free software.

Non-free software is defined here as software licensed under terms which do not grant at least one of the four freedoms in the FSF’s Free Software Definition. This includes most of the shrink-wrapped boxes on the shelf at your local computer/electronics retailer.

This class of software, particularly software made available without human-comprehensible source code (like just about all of Microsoft’s products), starts at a significant security disadvantage. The users are stuck waiting on the maintainer’s patch, and in the case of some remotely exploitable holes, are “sitting ducks” until one is available.

The FSD’s freedoms 1 and 3 are particularly important for getting security fixes out on the users’ timetable instead of the maintainer’s timetable, with freedom 2 playing a strong supporting role in the case where the maintainer refuses to even acknowledge the problem. This is how the teardrop vulnerability in the kernel, Linux, made it out in a matter of hours, instead of days or weeks like the corresponding patch for Windows. Unfortunately for the Windows users in 1997, Microsoft’s stance on security had much more room for improvement than it does today. Even if there was a fix which came from a user or group of users, it could not be legally distributed due to Microsoft’s end-user license agreement (EULA).

Note that this is only an example. The issues are still just as relevant in 2008 (or soon 2009) as they were in 1997. They apply to the recent zero-day IE exploit the same as they do to the teardrop vulnerability.

It is possible Microsoft’s programming staff may one day, finally, match the speed of Firefox’s development team (which includes users capable of fixing security holes in Firefox) on a consistent basis. In fact I would like to see that happen in the near future.

However, I’ll be honest here and say I’d also like to win a multi-million dollar lottery jackpot in the near future. Casting wishful thinking aside and sticking to strict realism, I don’t see either happening soon.

[Edit 2020-12-15: dead link updated]

An ever-so-brief commentary on voting and politics

So today we had a run-off election for a Texas Senate seat. I got all kinds of political ads over the past week from both candidates, so there was no way I was going to forget to vote in this one. I have missed a couple of minor elections before.

What shocks me is that there was a rather low turnout. I was the 21st voter in my precinct, and I’m pretty sure we have at least 10 to 20 times that many eligible voters. I’m not expecting huge lines for an election like this, but I’d like to think we could get at least a 20% turnout.

I don’t think we’ll ever see mandatory voting like some other countries have. Indeed, that would go against a lot of why the US was founded to begin with. But, I also think our Founding Fathers way underestimated the possibility of voter apathy two centuries later.

The joys and heartaches of being a sports fan

So I got to watch (most of) the hockey game involving my favorite NHL team (the Colorado Avalanche) tonight. Besides realizing just how long it’s been since I’ve actually watched a game, I’m rather pleased overall; the Red Wings have historically been a very tough team for the Avalanche to crack, but tonight they did just that. Combine that with the Texans’ recent wins, and one could reasonably infer I have quite a bit to be happy for right now. And for the most part I do, except for one thing…

Maybe it’s a bit behind the times for me to be commenting about this just now, but this is big enough to me that it’s still on my mind. I am still rather disappointed the WNBA decided to fold the Comets instead of looking harder for a buyer and/or running the team themselves for the coming season. On one hand, I already had another favorite WNBA team, that being the Connecticut Sun (which, for the moment, are now my only favorite team still playing), but this is still a huge loss. The Comets won four championships in a row, the first real dynasty in the WNBA, and arguably the only real, honest-to-goodness dynasty of any Houston-based team in any sport. I barely had any idea the league was looking for a buyer when I awoke to the news the team would be folded and the dispersal draft would be next week. (It also is rather unfortunate that the WNBA has actually had this level of experience with dispersal drafts and teams folding, but I’ll save that rant for another day. For now, suffice it to say that the WNBA is missing the elements of the men’s pro game that turned me off from watching basketball at all for a while, and I find it a real shame that the fan base is as small as it is.)

I do appreciate that the WNBA president has not ruled out a future return of the WNBA to Houston. I just hope that they keep the name and let the future owner display the championship banners once again when that day comes, because first and foremost, when it comes to the WNBA, I will always be a Comets fan.

Hello, and welcome

So, it’s finally time for me to start a real blog. I have, on occasion, posted bite-sized rants on Twitter that stretched into two or three tweets to fit within the 140-character limit. I tend to be a bit verbose; it is often a challenge for me to keep what should be a one-page letter down to a single page.

I had intended to start a blog many months ago, but for some reason gave up when it came down to fiddling with MySQL. Which, I have since learned, really isn’t that hard. (I’ve installed OpenBSD before, which is about as intimidating as installation procedures come. It’s only easy now because I’ve done it so many times.)

I’ll make a much longer, er, real post later.

But for now… <voice type=”silly kid”> Hey look everybody, my blog works! </voice>

(Had to do it, once.)