Is Firefox More Secure than Internet Explorer?

Well, sure it is. According to the Firefox web site, which must of course be untainted by marketing claims since it is Mozilla, "Firefox continues to lead the way in online security."

OK, marketing hyperbole aside, I'm a data guy. I care about what the data says. Fortunately, Jeff Jones collected the data and did the analysis. Rather than color your conclusions with mine, I will let you draw your own conclusions from his analysis, because (a) Jeff is a friend of mine and I won't let that influence a judgement, and (b) there may be a slight conflict of interest in the analysis due to Jeff's current employment situation. Nevertheless, it is an interesting read, and you can check the numbers for yourself.

Don't forget, too, that IE 7 on Vista runs in Protected Mode, at low integrity, which makes a lot of attacks far less severe: a compromised low-integrity process cannot write to the user's files, registry keys or other processes at medium integrity. Jeff forgot to mention that in his analysis. Firefox does not run at low integrity; at least not yet.
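If you want to verify the low-integrity claim for yourself rather than take it on faith, you can read the Mandatory Integrity Control label from a process token. The following PowerShell script is an added example, not code from the original post or from either browser vendor. It assumes Windows Vista or later and that you run it as the same user that owns the browser process; the process name `iexplore` is just the default parameter and can be any process name.

```powershell
# Added example: read the integrity label (S-1-16-<RID>) from a process token.
# Assumes Vista or later and that the caller's own integrity level is at
# least as high as the target's (a medium-integrity shell can open a
# low-integrity process of the same user; the reverse is blocked by MIC).
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenIL {
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr info, int len, out int needed);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr sid, int index);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr h);

    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS value

    // Returns the integrity RID: the last sub-authority of the label SID.
    public static int GetIntegrityRid(IntPtr process) {
        IntPtr token;
        if (!OpenProcessToken(process, TOKEN_QUERY, out token))
            throw new System.ComponentModel.Win32Exception();
        try {
            int needed;
            // First call sizes the buffer, second call fills it.
            GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out needed);
            IntPtr buf = Marshal.AllocHGlobal(needed);
            try {
                if (!GetTokenInformation(token, TokenIntegrityLevel, buf, needed, out needed))
                    throw new System.ComponentModel.Win32Exception();
                // TOKEN_MANDATORY_LABEL starts with SID_AND_ATTRIBUTES { PSID Sid; DWORD Attributes }
                IntPtr sid = Marshal.ReadIntPtr(buf);
                int count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
                return Marshal.ReadInt32(GetSidSubAuthority(sid, count - 1));
            } finally { Marshal.FreeHGlobal(buf); }
        } finally { CloseHandle(token); }
    }
}
"@

function Get-ProcessIntegrityLevel {
    param([Parameter(Mandatory=$true)][string]$Name)
    foreach ($p in Get-Process -Name $Name -ErrorAction Stop) {
        $rid = [TokenIL]::GetIntegrityRid($p.Handle)
        $level = switch ($rid) {
            0x0000  { 'Untrusted' }
            0x1000  { 'Low' }
            0x2000  { 'Medium' }
            0x3000  { 'High' }
            0x4000  { 'System' }
            default { '0x{0:X}' -f $rid }
        }
        [pscustomobject]@{ Name = $p.ProcessName; PID = $p.Id; IntegrityLevel = $level }
    }
}

# With IE 7 Protected Mode on Vista, the content process should report 'Low'.
Get-ProcessIntegrityLevel -Name iexplore
```

A result of Medium for the browser means Protected Mode is off for that window, which is the default for the Trusted Sites zone and is the first thing to check before assuming the sandbox is doing any work. Run the same function against `firefox` to compare.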

UK Government Leaks Data on Half The Country

Another day. Another data leak. Another round of buck passing. Another round of unsubstantiated claims that they really do care about people's personal information.

This one is a doozy though. A junior IT admin at Her Majesty's Revenue & Customs (the UK tax office) apparently put personal data on 25 million people on a disk and sent it by bicycle courier to a different office. The courier managed to lose (or sell?) it in transit. In other words, this guy took the names, addresses, phone numbers, bank account information, birth dates, and national ID numbers of over 40% of the UK population, and sent them by bicycle courier. What complete moron could ever consider that to be a good idea?

Words absolutely fail me. It is reckless beyond belief, and the fact that it is the third time this has happened makes it sound like a poorly thought-out television farce script. This is such a monumental breach of trust that it really is impossible to describe. Alice Miles did as good a job of it as anyone can. The only thing I can add is that I sure hope there will be prison time to serve for this, but, alas, facilitating identity theft against half the country is apparently not a crime in the UK.

Oh, one more thing: guess who ends up paying the clean-up costs when governments fail to protect their citizens?

All Software Has Vulnerabilities

No matter how smug you are about it, or how much you claim that security is someone else's problem, software will have vulnerabilities. It is a fact of life because software is, by far, the most complex engineering task mankind has ever undertaken.

In that light, I found a quote by Alan Paller, of the SANS Institute, in the latest @Risk Consensus Security Vulnerability Alert quite revealing:

If you are ever asked which operating system is safer, the following 'non-aligned' rule may be of some help. Given a fixed level of programming skill, the number of vulnerabilities in software is directly proportional to the number of lines of code and inversely proportional to the length of time the software has been in wide use. Large numbers of critical vulnerabilities are being, and were bound to be, discovered in Apple's operating system because Steve Jobs may design better hardware, but his programmers are no better at writing secure code than programmers in other software organizations.

Alan

Secure software is produced by software developers who have been adequately trained, who have great tools at their disposal, and who work in a supportive culture that makes it easier to do the right thing and harder to do the wrong thing.

Dilbert Knows Why Security is Struggling

If it weren't that too many security departments are like Mordac, today's Dilbert would be funny. Unfortunately, there are still far too many people working in security who fail to recognize that nobody actually wants security. Nobody bought their computer, or built a network, or hired an IT staff, because security was the ultimate purpose. They did all those things to get something else: efficiency, access to data, a web site, a way for people to communicate via e-mail, and so on. Security is merely the thing they have to have to make all those other things safe. Security is not the end goal; it is the means by which we achieve the end goals of privacy, efficiency, reliability, and the rest.

If you are a business person who goes to the security team to find out how to do something safely and your security folks do not ask about the business need, it is time to educate or replace them. If you are a security person, and you do not start the discussion with the business by asking what business need they are trying to meet, you are not acting as a valuable member of the business. Security is there, first and foremost, to help the business achieve its goals safely, not to stop the business from achieving its goals.