[SOT] Over 600 million Web users at risk? - Linux


Thread: [SOT] Over 600 million Web users at risk?

  1. [SOT] Over 600 million Web users at risk?

    This from the "Uh oh, do we need to be mothered?" department.

    http://blog.internetnews.com/skerner...-users-at.html

    Over 600 million Web users at risk?
    By Sean Michael Kerner on July 1, 2008 3:40 PM
    From the 'be afraid, be very afraid files':

    Regular readers of InternetNews.com know that browser vendors
    (Microsoft, Mozilla, Apple and Opera) routinely update their
    software in response to security vulnerabilities.

    But what about those that don't update?

    According to new research published by Computer Engineering and
    Networks Laboratory (CSG), ETH Zurich, Google Switzerland GmbH, and
    IBM Internet Security Systems there are 637 million people out there
    with outdated and insecure web browsers.

    WOW.

    The breakdown is as follows:

    * 577 million outdated Microsoft Internet Explorer users
    * 38 million outdated Mozilla Firefox users
    * 17 million outdated Apple Safari users
    * 5 million outdated Opera users.

    [I've not a clue as to how accurate these figures are.]

    [...]

    My personal opinion on solving this problem is
    simple. ISPs and web sites need to take a stand
    on this issue and restrict access to only
    updated browsers. If a user can continue to go
    about their day to day web browsing with an
    insecure browser - then why will they change? If
    you force them to change by restricting access
    they'll move. It really should be that simple.

    Good luck with that, Mr. Kerner. With all due respect,
    there are several problems I see here.

    [1] Do we trust browsers to report themselves accurately? A
    Konqueror option in particular allows for some interesting
    conundrums. I'd have to check but at one point Opera
    was happy to impersonate IE as well. The vulnerabilities
    of these browsers are of course quite different, especially
    when one factors in non-ix86 hardware.

    And then there are those who would happily write Perl,
    Python, C, or Java code with custom User-Agent: headers,
    for their own needs.

    [2] Are ISPs responsible for their users or for efficient
    utilization of their bandwidth? I could see some
    mildly interesting conflicts of interest here.

    [3] Are ISPs responsible for other issues, such as porno,
    copyright violation, and censorship? This does not
    look like a happy path. Granted, child exploitation
    is even less happy, copyright violation is an issue
    that is going to get a little messy (one right that
    copyright owners have is the right *not* to distribute
    their work, a right which is difficult to enforce),
    and China is a good example of Internet censorship,
    though Saudi Arabia has its moments.

    --
    #191, ewill3@earthlink.net
    Windows. When it absolutely, positively, has to crash.
    ** Posted from http://www.teranews.com **

  2. Re: [SOT] Over 600 million Web users at risk?


    "The Ghost In The Machine" wrote in message
    news:fpoqj5-a3l.ln1@sirius.tg00suus7038.net...
    > This from the "Uh oh, do we need to be mothered?" department.
    >
    > http://blog.internetnews.com/skerner...-users-at.html


    I'd say this is on-topic since it affects all OS's equally. I also like
    these sorts of posts/topics/issues because it creates a nice cross-section
    of different issues.


    > Over 600 million Web users at risk?
    > By Sean Michael Kerner on July 1, 2008 3:40 PM
    > From the 'be afraid, be very afraid files':
    >
    > Regular readers of InternetNews.com know that browser vendors
    > (Microsoft, Mozilla, Apple and Opera) routinely update their
    > software in response to security vulnerabilities.
    >
    > But what about those that don't update?


    They should be gathered up and executed. End of conversation.


    > According to new research published by Computer Engineering and
    > Networks Laboratory (CSG), ETH Zurich, Google Switzerland GmbH, and
    > IBM Internet Security Systems there are 637 million people out there
    > with outdated and insecure web browsers.
    >
    > WOW.
    >
    > The breakdown is as follows:
    >
    > * 577 million outdated Microsoft Internet Explorer users
    > * 38 million outdated Mozilla Firefox users
    > * 17 million outdated Apple Safari users
    > * 5 million outdated Opera users.
    >
    > [I've not a clue as to how accurate these figures are.]


    I would assume this was gathered through web-stats. What they didn't mention
    is what percentage of people update their software vs how many people don't.
    Looking at the names involved in putting these figures together (IBM,
    Google, etc) let's assume the numbers are valid.


    > [...]
    >
    > My personal opinion on solving this problem is
    > simple. ISPs and web sites need to take a stand
    > on this issue and restrict access to only
    > updated browsers. If a user can continue to go
    > about their day to day web browsing with an
    > insecure browser - then why will they change? If
    > you force them to change by restricting access
    > they'll move. It really should be that simple.
    >
    > Good luck with that, Mr. Kerner. With all due respect,
    > there are several problems I see here.


    I think that his solution is a bit draconian. I would assume that a large
    percentage of these users don't know that they are running an old browser.
    They got their computer 1-3 years ago, and they use whatever software it
    came with. So when I rule the world what I'm going to do is to randomly
    (about every 15-20 minutes) redirect the user's browser to a page that
    reminds/informs them that their browser is out of date. This page would also
    have links to where they can download the new version of their browser and
    eventually people will get the hint and update.


    > [1] Do we trust browsers to report themselves accurately? A
    > Konqueror option in particular allows for some interesting
    > conundrums. I'd have to check but at one point Opera
    > was happy to impersonate IE as well. The vulnerabilities
    > of these browsers are of course quite different, especially
    > when one factors in non-ix86 hardware.


    If someone is impersonating another browser then they should update their
    settings to impersonate the current version. I'd say that the majority of
    users who know how to go in and configure their browser to impersonate
    something else are probably running current versions. (They're technical
    enough to stay current.)


    > And then there are those who would happily write Perl,
    > Python, C, or Java code with custom User-Agent: headers,
    > for their own needs.


    This is a small number. ISPs would ignore unrecognized user-agents and if
    some script were impersonating an old browser... then update the script.


    > [2] Are ISPs responsible for their users or for efficient
    > utilization of their bandwidth? I could see some
    > mildly interesting conflicts of interest here.


    I'd say they are *not* responsible for their users but they do own their
    networks and have a monetary stake in their network bandwidth being used
    efficiently. Since they own the networks it's completely reasonable for them
    to dictate the terms in which one accesses their network.


    > [3] Are ISPs responsible for other issues, such as porno,
    > copyright violation, and censorship? This does not
    > look like a happy path. Granted, child exploitation
    > is even less happy, copyright violation is an issue
    > that is going to get a little messy (one right that
    > copyright owners have is the right *not* to distribute
    > their work, a right which is difficult to enforce),
    > and China is a good example of Internet censorship,
    > though Saudi Arabia has its moments.


    I'd say that they are not fully responsible for what users do but they
    should act in a reasonable and responsible manner. Because some guy (let's
    hypothetically call him "Ghost near the Machine") is downloading bootleg
    copies of Barry Manilow concerts and girly pictures then it's not up to the
    ISP to censor him. But if the same "Ghost near the Machine" guy puts up a
    web-server that is being used to distribute bootleg music, illegally ripped
    videos and copyrighted material then the ISP does have the responsibility to
    censor him and shut him down.


    > --
    > #191, ewill3@earthlink.net
    > Windows. When it absolutely, positively, has to crash.


    So... what was the last time that Windows crashed/BSOD on you? (Be honest
    now.)





  3. Re: [SOT] Over 600 million Web users at risk?

    The Ghost In The Machine wrote:

    > The breakdown is as follows:
    >
    > * 577 million outdated Microsoft Internet Explorer users
    > * 38 million outdated Mozilla Firefox users
    > * 17 million outdated Apple Safari users
    > * 5 million outdated Opera users.
    >
    > [I've not a clue as to how accurate these figures are.]


    Let me try some figures on you, Ghost?

    From one site, often quoted here (granted, perhaps/probably not accurate):-
    http://marketshare.hitslink.com/report.aspx?qprid=3

    we see that browser User Base is billed as:-
    I.E.7 45.45%
    I.E.6 26.38%
    Firefox (3.0 + 2.0) 18.44%
    Safari (3.1 + 3.2) 5.43%
    Opera 0.73%

    Lumping I.E.6 and I.E.7 together (as I have for versions of the others) and
    putting in brackets the % of "your" 637 million users who are not up to date
    for each browser, I get:-

    I.E.(7.0 + 6.0) 71.83% (but 90.6% of the people not up to date)
    Firefox (3.0 + 2.0) 18.44% (5.8%)
    Safari (3.1 + 3.2) 5.43% (2.7%)
    Opera 0.73% (0.8%)

    You see what's happening?
    Firefox users are *much* more likely to be up to date than others, Safari
    users are more likely to be up to date, but I.E. users are considerably
    *less* likely to be up to date.

    Why?
    imo the "why" is related to why 26.38% of users are still using I.E.6.

    Have *you* any idea why they don't shift to I.E.7 at least?
    I can think of only two reasons really, excepting web developers etc. who will
    need it for testing, etc:-

    1. I keep hearing "Linux is for geeks" etc.
    Perhaps there's a tad of truth in that.
    I think we can postulate that Linux users, on average, are more likely
    to know what they are doing? Similarly, somebody who swaps browsers
    from what they are given to what they choose to use?
    Hence, although obviously not all Windows and/or I.E. users are
    ignorant, most of the most ignorant users will be using Windows/I.E.

    2. How many Windows systems are pirated, and (thereby?) perhaps not receiving
    updates?


  4. Re: [SOT] Over 600 million Web users at risk?

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ____/ bbgruff on Wednesday 02 July 2008 17:41 : \____

    > The Ghost In The Machine wrote:
    >
    >> The breakdown is as follows:
    >>
    >> * 577 million outdated Microsoft Internet Explorer users
    >> * 38 million outdated Mozilla Firefox users
    >> * 17 million outdated Apple Safari users
    >> * 5 million outdated Opera users.
    >>
    >> [I've not a clue as to how accurate these figures are.]

    >
    > Let me try some figures on you, Ghost?
    >
    > From one site, often quoted here (granted, perhaps/probably not accurate):-
    > http://marketshare.hitslink.com/report.aspx?qprid=3
    >
    > we see that browser User Base is billed as:-
    > I.E.7 45.45%
    > I.E.6 26.38%
    > Firefox (3.0 + 2.0) 18.44%
    > Safari (3.1 + 3.2) 5.43%
    > Opera 0.73%
    >
    > Lumping I.E.6 and I.E.7 together (as I have for versions of the others) and
    > putting in brackets the % of "your" 637 million users who are not up to date
    > for each browser, I get:-
    >
    > I.E.(7.0 + 6.0) 71.83% (but 90.6% of the people not up to date)
    > Firefox (3.0 + 2.0) 18.44% (5.8%)
    > Safari (3.1 + 3.2) 5.43% (2.7%)
    > Opera 0.73% (0.8%)
    >
    > You see what's happening?
    > Firefox users are *much* more likely to be up to date than others, Safari
    > users are more likely to be up to date, but I.E. users are considerably
    > *less* likely to be up to date.
    >
    > Why?
    > imo the "why" is related to why 26.38% of users are still using I.E.6.
    >
    > Have *you* any idea why they don't shift to I.E.7 at least?
    > I can think of only two reasons really, excepting web developers etc. who will
    > need it for testing, etc:-
    >
    > 1. I keep hearing "Linux is for geeks" etc.
    > Perhaps there's a tad of truth in that.
    > I think we can postulate that Linux users, on average, are more likely
    > to know what they are doing? Similarly, somebody who swaps browsers
    > from what they are given to what they choose to use?
    > Hence, although obviously not all Windows and/or I.E. users are
    > ignorant, most of the most ignorant users will be using Windows/I.E.
    >
    > 2. How many Windows systems are pirated, and (thereby?) perhaps not receiving
    > updates?


    Firefox on Linux updates itself. The same goes for Thunderbird. It's very
    reliable in the sense that nothing unexpectedly 'breaks' after an update
    (unlike Windows Update).

    - --
    ~~ Best of wishes

    Roy S. Schestowitz | Run a Linux server, sit on your hands all day
    http://Schestowitz.com | RHAT Linux | PGP-Key: 0x74572E8E
    19:20:02 up 78 days, 17:32, 6 users, load average: 0.72, 1.27, 1.48
    http://iuron.com - Open Source knowledge engine project
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)

    iD8DBQFIa8fYU4xAY3RXLo4RAuX8AKC0yY/j0k2dj4XiP68d3TVdkqs0/gCghrYR
    DTkBFhip6Z8WANezZo3bJ7Q=
    =+l6z
    -----END PGP SIGNATURE-----

  5. Re: [SOT] Over 600 million Web users at risk?

    Roy Schestowitz wrote:

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > ____/ bbgruff on Wednesday 02 July 2008 17:41 : \____
    >
    >> The Ghost In The Machine wrote:
    >>
    >>> The breakdown is as follows:
    >>>
    >>> * 577 million outdated Microsoft Internet Explorer users
    >>> * 38 million outdated Mozilla Firefox users
    >>> * 17 million outdated Apple Safari users
    >>> * 5 million outdated Opera users.
    >>>
    >>> [I've not a clue as to how accurate these figures are.]

    >>
    >> Let me try some figures on you, Ghost?
    >>
    >> From one site, often quoted here (granted, perhaps/probably not accurate):-
    >> http://marketshare.hitslink.com/report.aspx?qprid=3
    >>
    >> we see that browser User Base is billed as:-
    >> I.E.7 45.45%
    >> I.E.6 26.38%
    >> Firefox (3.0 + 2.0) 18.44%
    >> Safari (3.1 + 3.2) 5.43%
    >> Opera 0.73%
    >>
    >> Lumping I.E.6 and I.E.7 together (as I have for versions of the others) and
    >> putting in brackets the % of "your" 637 million users who are not up to
    >> date for each browser, I get:-
    >>
    >> I.E.(7.0 + 6.0) 71.83% (but 90.6% of the people not up to date)
    >> Firefox (3.0 + 2.0) 18.44% (5.8%)
    >> Safari (3.1 + 3.2) 5.43% (2.7%)
    >> Opera 0.73% (0.8%)
    >>
    >> You see what's happening?
    >> Firefox users are *much* more likely to be up to date than others, Safari
    >> users are more likely to be up to date, but I.E. users are considerably
    >> *less* likely to be up to date.
    >>
    >> Why?
    >> imo the "why" is related to why 26.38% of users are still using I.E.6.
    >>
    >> Have *you* any idea why they don't shift to I.E.7 at least?
    >> I can think of only two reasons really, excepting web developers etc. who
    >> will need it for testing, etc:-
    >>
    >> 1. I keep hearing "Linux is for geeks" etc.
    >> Perhaps there's a tad of truth in that.
    >> I think we can postulate that Linux users, on average, are more likely
    >> to know what they are doing? Similarly, somebody who swaps browsers
    >> from what they are given to what they choose to use?
    >> Hence, although obviously not all Windows and/or I.E. users are
    >> ignorant, most of the most ignorant users will be using Windows/I.E.
    >>
    >> 2. How many Windows systems are pirated, and (thereby?) perhaps not
    >> receiving updates?

    >
    > http://www.theregister.co.uk/2008/07...temporary_fix/
    >
    > Firefox on Linux updates itself. The same goes for Thunderbird. It's very
    > reliable in the sense that nothing unexpectedly 'breaks' after an update
    > (unlike Windows Update).


    True:-)

    Doesn't the same apply on Windows though - doesn't Firefox come up with "later
    version available" and offer to install it?

    - and thanks for the link (which I spotted a short time ago in another thread
    of yours). That adds a "3." to my list!
    Presumably what they have to say means that both I.E.6 and Windows will be
    over-counted on many web sites?



  6. Re: [SOT] Over 600 million Web users at risk?

    In comp.os.linux.advocacy, bbgruff wrote on Wed, 02 Jul 2008 17:41:29 +0100
    <6d1pdlFdub6U1@mid.individual.net>:
    > The Ghost In The Machine wrote:
    >
    >> The breakdown is as follows:
    >>
    >> * 577 million outdated Microsoft Internet Explorer users
    >> * 38 million outdated Mozilla Firefox users
    >> * 17 million outdated Apple Safari users
    >> * 5 million outdated Opera users.
    >>
    >> [I've not a clue as to how accurate these figures are.]

    >
    > Let me try some figures on you, Ghost?


    Bear in mind these are from someone's weblog, which I
    happened to pick up from internetnews.com.

    >
    > From one site, often quoted here (granted, perhaps/probably not accurate):-
    > http://marketshare.hitslink.com/report.aspx?qprid=3


    Oh yeah, them. :-P Still, they're probably as good as any.

    >
    > we see that browser User Base is billed as:-
    > I.E.7 45.45%
    > I.E.6 26.38%
    > Firefox (3.0 + 2.0) 18.44%
    > Safari (3.1 + 3.2) 5.43%
    > Opera 0.73%
    >
    > Lumping I.E.6 and I.E.7 together (as I have for versions of the others) and
    > putting in brackets the % of "your" 637 million users who are not up to date
    > for each browser, I get:-
    >
    > I.E.(7.0 + 6.0) 71.83% (but 90.6% of the people not up to date)
    > Firefox (3.0 + 2.0) 18.44% (5.8%)
    > Safari (3.1 + 3.2) 5.43% (2.7%)
    > Opera 0.73% (0.8%)
    >
    > You see what's happening?
    > Firefox users are *much* more likely to be up to date than others, Safari
    > users are more likely to be up to date, but I.E. users are considerably
    > *less* likely to be up to date.
    >
    > Why?
    > imo the "why" is related to why 26.38% of users are still using I.E.6.


    I'll admit to some curiosity. I would think updates are largely
    automatic, but it is possible to disable it, methinks.

    >
    > Have *you* any idea why they don't shift to I.E.7 at least?
    > I can think of only two reasons really, excepting web developers etc. who will
    > need it for testing, etc:-
    >
    > 1. I keep hearing "Linux is for geeks" etc.
    > Perhaps there's a tad of truth in that.
    > I think we can postulate that Linux users, on average, are more likely
    > to know what they are doing? Similarly, somebody who swaps browsers
    > from what they are given to what they choose to use?


    Reasonable.

    > Hence, although obviously not all Windows and/or I.E. users are
    > ignorant, most of the most ignorant users will be using Windows/I.E.
    >
    > 2. How many Windows systems are pirated, and (thereby?) perhaps not receiving
    > updates?
    >


    Again, reasonable. Wish I knew.

    --
    #191, ewill3@earthlink.net
    Linux sucks efficiently, but Windows just blows around
    a lot of hot air and vapor.

  7. Re: [SOT] Over 600 million Web users at risk?

    The Ghost In The Machine wrote:

    > In comp.os.linux.advocacy, bbgruff wrote on Wed, 02 Jul 2008 17:41:29 +0100
    > <6d1pdlFdub6U1@mid.individual.net>:
    >> The Ghost In The Machine wrote:
    >>
    >>> The breakdown is as follows:
    >>>
    >>> * 577 million outdated Microsoft Internet Explorer users
    >>> * 38 million outdated Mozilla Firefox users
    >>> * 17 million outdated Apple Safari users
    >>> * 5 million outdated Opera users.
    >>>
    >>> [I've not a clue as to how accurate these figures are.]

    >>
    >> Let me try some figures on you, Ghost?

    >
    > Bear in mind these are from someone's weblog, which I
    > happened to pick up from internetnews.com.
    >
    >>
    >> From one site, often quoted here (granted, perhaps/probably not accurate):-
    >> http://marketshare.hitslink.com/report.aspx?qprid=3

    >
    > Oh yeah, them. :-P Still, they're probably as good as any.
    >
    >>
    >> we see that browser User Base is billed as:-
    >> I.E.7 45.45%
    >> I.E.6 26.38%
    >> Firefox (3.0 + 2.0) 18.44%
    >> Safari (3.1 + 3.2) 5.43%
    >> Opera 0.73%
    >>
    >> Lumping I.E.6 and I.E.7 together (as I have for versions of the others) and
    >> putting in brackets the % of "your" 637 million users who are not up to
    >> date for each browser, I get:-
    >>
    >> I.E.(7.0 + 6.0) 71.83% (but 90.6% of the people not up to date)
    >> Firefox (3.0 + 2.0) 18.44% (5.8%)
    >> Safari (3.1 + 3.2) 5.43% (2.7%)
    >> Opera 0.73% (0.8%)
    >>
    >> You see what's happening?
    >> Firefox users are *much* more likely to be up to date than others, Safari
    >> users are more likely to be up to date, but I.E. users are considerably
    >> *less* likely to be up to date.
    >>
    >> Why?
    >> imo the "why" is related to why 26.38% of users are still using I.E.6.

    >
    > I'll admit to some curiosity. I would think updates are largely
    > automatic, but it is possible to disable it, methinks.
    >
    >>
    >> Have *you* any idea why they don't shift to I.E.7 at least?
    >> I can think of only two reasons really, excepting web developers etc. who
    >> will need it for testing, etc:-
    >>
    >> 1. I keep hearing "Linux is for geeks" etc.
    >> Perhaps there's a tad of truth in that.
    >> I think we can postulate that Linux users, on average, are more likely
    >> to know what they are doing? Similarly, somebody who swaps browsers
    >> from what they are given to what they choose to use?

    >
    > Reasonable.
    >
    >> Hence, although obviously not all Windows and/or I.E. users are
    >> ignorant, most of the most ignorant users will be using Windows/I.E.
    >>
    >> 2. How many Windows systems are pirated, and (thereby?) perhaps not
    >> receiving updates?
    >>

    >
    > Again, reasonable. Wish I knew.


    Here's something of an update:-

    > What they found was that most users – 52.4 percent – who surfed with
    > Internet Explorer had failed to upgrade to IE7, considered by Microsoft to be
    > the most secure version.
    >
    > Most users of Opera, Safari, and Firefox had successfully upgraded. Opera
    > users running a "safe" version of the browser totaled 56.1 percent, versus
    > 65.3 percent for Safari and 83.3 percent of Firefox. (The study was conducted
    > before the release of Firefox 3, so only Firefox 2 was considered.) Only 47.6
    > percent of IE users could be considered to be surfing the Web safely, the
    > study said.
    >
    > Between 609 million to 637 million users are surfing without the appropriate
    > updates or patches, depending upon some variations in market share or
    > measurement, the study found.
    >
    > How can users improve their security? One of the most important methods, the
    > study found, was to surf with a browser that automatically patched
    > itself. "Critical to this instantaneous patching process is the mechanism of
    > auto-update," the study said. "Our measurement confirmed that Web browsers
    > which implement an internal autoupdate patching mechanism do much better in
    > terms of faster update adoption rates than those without."
    >
    > "Our comparison of the update dynamics between Firefox and Opera identified
    > that auto-update mechanisms are crucial for timely patching," the study said.
    > "Firefox's auto-update was found to be way more effective than Opera's manual
    > update download reminder strategy." Most Firefox users updated to the latest
    > version within three days.
    >
    > Safari, meanwhile, appears to poll for updates at regularly scheduled
    > intervals, the study said. Internet Explorer is the worst, rolling out
    > patches as part of Microsoft monthly updates.

    http://www.pcmag.com/article2/0,2817,2324481,00.asp
