The itsy, bitsy spider, climbed up the water spout.
Down came the rain and washed the spider out.
Out came the sun and dried up all the rain,
So the itsy, bitsy spider went up the spout again.
That was one of my daughter Alicias favorite nursery rhymes when she was small. And its a great fun as that, but it makes for a lousy IT policy. How many times must Windows desktop users be hosed before they start using a more secure desktop operating system?
Or, if youre not ready to shift over to a good, solid desktop Linux such as Novell Linux Desktop or Xandros or buy a Mac, the least you could do is start using more secure, open-source applications on your Windows.
Take Firefox for example. Ive been using Web browsers almost since before there were Web browsers, and Firefox is simply the best browser Ive ever used on any platform. In addition, Firefox is a lot more secure than Internet Explorer.
Notice I didnt say it was perfectly secure. Like any software program, it has problems. Internet Explorer, on the other hand, is a security hole disguised as a Web browser.
Dont believe me? In past few weeks, weve seen a pair of IE problems that hit fully patched Windows XP SP2 (Service Pack 2), a spoofing problem that also smacks completely patched systems, and the Bofra/IFrame bug, which SP2 does stop. And the IE faults keep coming and coming.
Do you want to spend all of your IT staffs time patching IE and praying that your users dont run into a page that opens up your network like a rotten fruit while waiting for a patch? I dont think so.
Oh, and did I mention that if your shop is still running Windows 2000, you can forget about getting XP SP2-style security patches anyway? I hope your budget is ready to either upgrade all of your systems to XP or add a lot more security to your systems, because Microsoft isnt giving you a whole lot of choice about the matter.
A Microsoft program manager, Peter Torr, recently asked on his blog, "How can I trust Firefox?" My question, of course, is how can I trust IE?
Yes, Firefox has holes, too. For example, theres a pop-up window problem that gets pretty much every browser on the planet.
People who dont get security often say that if Firefox or any other open-source software were only as popular as IE, their security would be just as bad. Nope. Wrong.
First, open-source software is constantly being looked at by numerous developers. When problems are found, and they are all the time, theyre quickly fixed. With Microsoft code, you have to trust that its programmers are on the ball and that theyll fix problems quickly. You look at their track record and you decide if thats true. I know what I think.
Second, on Windows, open-source applications are just that: applications. Microsoft programs, by their very nature, are tied directly into the operating system kernel. This means, IE—and other Microsoft Windows applications such as Outlook—enables any security hole to potentially rip open the entire operating system.
This isnt paranoia. Read eWEEK.coms security section. Youll find story after story about serious Internet Explorer holes that appear, and Microsoft sometimes takes months to patch them. Who needs this?
Torr said he thinks Firefox and its plug-ins and helper applications need better code signing so that users know that an application really is a legit one and not a hacked Trojan that will lie in wait to attack your system. Hes got a point.
But at least with Firefox, the real application isnt a problem. I know who makes Internet Explorer, and IE is the problem.
eWEEK.com Senior Editor Steven J. Vaughan-Nichols has been using and writing about operating systems since the late 80s and thinks he may just have learned something about them along the way.
Check out eWEEK.coms for the latest open-source news, reviews and analysis.