Tuesday, September 25, 2007

Revisiting the "Firefox Myths" Part 8

Please read my earlier post "Revisiting the "Firefox Myths" Part 2, the Tangent" for background information on where these quotes came from and what the heck is going on.

This post represents a return to the comment Andrew K posted on September 18, 2007 1:49 PM. He had a lot to say, and I haven't replied to all of it yet.
Myth - "Firefox Vulnerabilities are Quickly Patched"

This clearly proves that Firefox vulnerabilities are not quickly patched thus this Myth is debunked. IE is irrelevant to this Myth and another excuse as you seem to like to make many of them
Statements about the speed with which a bug is fixed require a context, specifically the context of how quickly other browsers fix their security problems.

Most of Firefox's reputation for fixing bugs faster than IE comes from Microsoft's bungled handling of the createTextRange() Vulnerability. Few people can name the vulnerability, but many remember that their web browsers can be hijacked by hackers just by visiting a web site. They'd never even get a confirmation dialog before hostile software was installed.

Please see my comments on Brian Krebs' article "Internet Explorer Unsafe for 284 Days in 2006" below.
Myth - "Firefox is More Secure because it is not integrated into the OS"

The examples are not the sources of the MYTHS!! I know you failed to read that but it is getting old. Mozilla clearly stated what they said. The Myth was debunked by Microsoft.
Andrew is partially right. The browser is not made more secure by not being integrated into the Operating System. The Operating System itself is more secure when a web browser isn't integrated.

This is another example of Andrew attacking my initial write-up even though I agreed with his final conclusion. I used the myth as a starting point to discuss a separate issue, but Andrew has chosen to reassert his original debunking as if it somehow debunked my points about OS security.

Andrew seems a bit confused regarding my intent in responding to his Firefox myths page. I was using his article as a jumping-off point to discuss other issues. Yes, I went off on a few tangents, but no, those tangents were not necessarily intended to debunk Andrew's Debunking.

The bottom line is, I've personally seen instances of an Operating System being compromised because some idiot decided to integrate the Web Browser into the File Browser. A single Zero-Day Drive-By exploit was all that was needed to infect several machines.

If Internet Explorer was not integrated into Windows Explorer, I wouldn't have had to clean up several virus infected PCs.
Myth - "Firefox is More Secure because it does not use ActiveX"

Again debunked by Microsoft
To be fair, it WAS true at the time the claim was circulating. Andrew seems to enjoy playing with time frames to his advantage. For example, when discussing the system requirements for web browsers, he happily compares IE 6 to Firefox 2, and ignores IE 7, claiming that since the myth was about IE 6, IE 7 is "irrelevant."

On the ActiveX Myth, Andrew ignores the fact that ActiveX was a major security hole at the time the claim was circulating. He relies upon the fact that most of those problems have been fixed to debunk the myth.

Wouldn't it be more honest to admit "Yes, ActiveX was a problem in the past but if you're running IE 7, it isn't a real issue now"?

Just do a Google Search for activex vulnerability and you'll get a whole list of major security holes that Firefox never had to contend with.

Microsoft Security Bulletin MS05-013
Vulnerability in the DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (891781)

National Cyber Alert System Cyber Security Alert SA06-258A
A vulnerability in ActiveX and Internet Explorer could allow an attacker to take control of your computer.

Microsoft Internet Explorer WebViewFolderIcon ActiveX Vulnerability
The Microsoft Windows WebViewFolderIcon ActiveX control contains an integer overflow vulnerability that could allow a remote attacker to execute arbitrary code.

Microsoft XMLHTTP ActiveX Control Code Execution Vulnerability
A vulnerability has been discovered in Microsoft XML Core Services, which can be exploited by malicious people to compromise a user's system.

New Active-X Vulnerability Discovered

ActiveX Vulnerability
Myth - "Firefox Extensions are Safe"

It is proven that they can clearly not be safe, thus debunked.
Again, I agreed with Andrew on this one. I mused about the vulnerability of extensions for other browsers but that's as close as I came to disagreeing with him on this myth. Entirely too much trust is put on Extensions just because you find them through the "Get Extensions" link in Firefox.

Myth - "Firefox is a Solution to Spyware"
The nonsense about drive-by infections is from those who run unpatched versions of IE and has nothing to do with IE fully patched. I have used IE since it came out and have never been infected by "drive-by" installs and neither have my clients. You can do the same using this guide:

http://mywebpages.comcast.net/SupportCD/MalwareRemoval.html

All for free. But Firefox is clearly not a solution to Spyware and thus debunked.
I'm really questioning Andrew's Research skills here. Several times in these threads I've mentioned the createTextRange() Vulnerability, which remained unpatched for weeks and allowed drive by infections.

Andrew's claim that a fully patched IE install will be immune to Drive-By exploits is a dangerous and misleading lie. I encourage readers to do a quick online search for phrases like "Drive-by" and "Internet Explorer." Andrew's irrational denial of reality is confusing to say the least.

Brian Krebs wrote an excellent article entitled "Internet Explorer Unsafe for 284 Days in 2006" in which he exhaustively researched the security flaws in Internet Explorer and the time taken to patch them. He even submitted his information to Microsoft to give them a chance to respond.

The following quotes are from that article.
For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users.

In a total of ten cases last year, instructions detailing how to leverage "critical" vulnerabilities in IE were published online before Microsoft had a patch to fix them.

Since this whole thing is about Firefox Myths, I'd like to also quote something Krebs had to say about Firefox:
Mozilla's Firefox browser -- experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem.
He even has a chart of Internet Explorer vulnerabilities in 2006.

I encourage Andrew to read the article above. I suspect he'll have difficulty dealing with information from someone who did actual research, and he'll be further enraged by something that contradicts his dogma about a fully patched Internet Explorer, but he needs the information in the article.
Myth - "Firefox 2's Phishing Protection is better than Internet Explorer 7"

No I did not lie. The Google Anti-phishing tech was built right into Firefox 2, regardless I added more sources and the myth is still debunked.
One of Andrew's new sources is Ed Bott's article IE7 or Firefox 2: Which browser is more secure? Testing was done with Firefox 2 Beta 1, not a production release.

The recent information paints an interesting picture for Firefox's anti-phishing features. On one hand, you have a Mozilla sponsored report that gives a glowing review and people claiming that Firefox caught all the phishing sites listed on dslreports.com.

On the other hand, we have things like Ed Bott's article that raises some concerns about the Phishing filter. Specifically, he found two sites that IE caught but Firefox didn't and he wants more information on the false positives from the test where Firefox caught more Phishing sites.

While Ed Bott does say:
The two “live” sites I visited in each browser hardly constitute a scientific sample, but it’s still worth noting that IE7 flagged both pages as confirmed phishing sites, while Firefox 2 missed them both
He later states:
I haven’t spent enough time with the Firefox/Google code to form an opinion.
Interestingly enough, he also reports that
Update 4-August, 3:40PM PDT: A representative of Mozilla's PR agency contacted me and says that the anti-phishing feature in Firefox 2 Beta 1 "was intended to test the core Phishing Protection framework within the browser, not to provide a full list of suspected scam sites."
Remember, his tests were done with a beta. Would the results change if the tests were repeated with Firefox 2.0.0.7?

I did some more digging, wondering why IE would appear to perform so much better than Firefox. Then I found my answer.

Firefox processes URLs locally, on your own machine, while IE7 sends URLs to a Microsoft server for checking.

The IE blog gives some more detail on how this works:
So, for example, if you were to visit http://www.msn.com, nothing will be checked on the Microsoft server because "msn.com" and other major websites are on the client-side list of OK sites. However, let’s say the URL looked like this: http://207.68.172.246/result.aspx?u=Tariq&p=Tariq’sPassword, in this scenario phishing filter will remove the query string to help protect my privacy but it will send "http://207.68.172.246/result.aspx" to be checked by the Microsoft Server because 207.68.172.246 is not on the allow list of OK sites. As it turns out, 207.68.172.246 is just the IP address of MSN.com server, so it's not a phishing site but this example should help you understand more about how Phishing Filter checks sites on the server.
IE7 has a local cache of "OK" sites, and if you visit a site that isn't on that approved list, the URL, minus URL data, is sent to a Microsoft server for further evaluation.

The advantage is that the server side analysis can be changed in a matter of minutes. The downside is that if you visit a site that Microsoft hasn't deemed "OK", the URL is sent to Microsoft. In addition to the latency of waiting for the approval to come back from the Microsoft server, this means a lot of your web browsing is likely to end up logged on a Microsoft server.
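The two lookup designs described above, modelled as an added example (not code from either browser or from the original post). The allow list, block list, sample URLs and the `pathStillSensitive` heuristic are constructed assumptions; the only behaviour taken from the IE blog quote is that allow-listed sites are skipped and that the query string is removed before the URL is sent.

```javascript
// Added illustration, not code from IE7, Firefox 2 or the original post.
// All lists and URLs below are constructed sample data.

// Client-side list of "OK" sites (assumed shape: registrable domains).
const LOCAL_ALLOW_LIST = new Set(["msn.com"]);
// Locally stored list of known phishing pages, for the local-only design.
const LOCAL_BLOCK_LIST = new Set(["http://198.51.100.7/login.php"]);

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Key used for the allow-list lookup: the IP literal itself, or the last
// two host labels as a rough stand-in for the registrable domain.
function siteKey(hostname) {
  return IPV4.test(hostname) ? hostname : hostname.split(".").slice(-2).join(".");
}

// Drop the query string and fragment; keep scheme, host and path.
function stripUrlData(rawUrl) {
  const u = new URL(rawUrl);
  return `${u.protocol}//${u.host}${u.pathname}`;
}

// Server-assisted design: allow-listed sites stay local, everything else
// is sent (minus query string) to the remote checking service.
function serverAssistedCheck(rawUrl) {
  const host = new URL(rawUrl).hostname;
  if (LOCAL_ALLOW_LIST.has(siteKey(host))) return { sentToServer: null };
  return { sentToServer: stripUrlData(rawUrl) };
}

// Local-only design: the verdict comes from a list on the machine,
// so no URL leaves it during the check.
function localListCheck(rawUrl) {
  return {
    sentToServer: null,
    blocked: LOCAL_BLOCK_LIST.has(stripUrlData(rawUrl)),
  };
}

// Heuristic (assumption): a long hex run in the disclosed URL suggests a
// token that lives in the path, which query stripping does not remove.
function pathStillSensitive(sentUrl) {
  return sentUrl !== null && /[0-9a-f]{16,}/i.test(sentUrl);
}

// What each design discloses for a browsing session.
function disclosureReport(urls) {
  return urls.map((url) => {
    const serverAssisted = serverAssistedCheck(url).sentToServer;
    return {
      url,
      serverAssisted,
      localList: localListCheck(url).sentToServer,
      pathStillSensitive: pathStillSensitive(serverAssisted),
    };
  });
}

const SAMPLE_URLS = [
  "http://www.msn.com/",                                  // on the allow list
  "http://207.68.172.246/result.aspx?u=Tariq&p=example",  // adapted from the IE blog quote
  "https://portal.example.test/reset/3f9a1c7e5b2d4f60a8c1?step=2", // token in path
  "http://198.51.100.7/login.php?id=1",                   // on the local block list
];

for (const row of disclosureReport(SAMPLE_URLS)) {
  console.log(
    row.url,
    "| server-assisted sends:", row.serverAssisted,
    "| local-only sends:", row.localList,
    "| token survives stripping:", row.pathStillSensitive
  );
}
```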

Microsoft has its own take on the Privacy issues involved.

In terms of the myth as stated by Andrew, it does look like IE 7 has better anti-phishing than Firefox. However, they both suck.

The article "Firefox 2 vs. IE 7 Anti-Phishing: Who Cares? Use Multiple Layers" points out that even the pro-Firefox test "puts it at 460 sites missed by one browser or the other. Which means neither one is really good enough." The article goes on to recommend a variety of anti-phishing technologies to help improve your odds of escaping scammers.

The more I dug into this issue, the more I realized that when it comes to anti-Phishing technology IE7 and Firefox 2 are fighting for dregs. Both anti-phishing technologies suck, but at the moment, it looks like IE's implementation sucks a little less, assuming you're OK with the privacy issues raised.
Myth - "Firefox supports Extensions and Internet Explorer does not"

Your excuses are meaningless, this is not about which is better which is an opinion, the Myth is clearly debunked.
Yet again, I didn't disagree with Andrew on this. I went so far as to explain how the myth came to be. Yes, I took a pot shot at IE's Add-On support, largely because I've written add-ons for both Browsers, and found Firefox far easier to work with.

Why did he feel compelled to refer to me making "excuses" when I didn't even disagree with him?
Myth - "Firefox supports an Inline Search Feature and Internet Explorer does not"

Don't put words in my mouth and stop making excuses, this myth is clearly debunked. Tweaking tutorials? WTF? Are you insane?
Fact: A default install of Firefox supports Inline Search.

Fact: You have to install an add-on to get the same feature in Internet Explorer 7.

Fact: Andrew provided no sources for this "myth" on his web site, so I had to find some of my own.

Internet Explorer 7 Review

There are also a number of features I miss from Firefox, such as inline find, which opens a handy and less obtrusive Find toolbar instead of the annoying IE Find dialog. This concern is partially offset by the IE Addons Web site and a new generation of small downloads that improve IE's functionality...

Internet Explorer Not A Monster Anymore

He thinks IE7 has its issues - what he calls "interface gaffs", along with features that Firefox has that he can't live without (such as inline search). But in terms of standards compliance Thurrott says IE7 is an improvement.


Suddenly, I see why Andrew included no sources for the myth. Several times in his replies to my site, he's made a big deal of addressing the myth as he found it in the wild. The discussion about his not including IE 7 in the "System Requirements" myth is a prime example. He refuses to include IE 7 in part because he didn't find examples of people claiming Firefox 2 had lower requirements than IE 7. (The source he links to for the myth doesn't actually mention browser versions AT ALL, but that's a different issue.)

The "Inline Search" myth does not appear to exist in the wild in the way Andrew describes. The complaints I found are that the feature is missing from the base install, or that you have to install an add-on to get Inline Search in IE. Every site that mentions the lack of Inline Search in IE seems to mention an add-on that adds inline search.

I wonder how Andrew would react if I countered one of his other debunkings with a link to a Firefox Extension that fixed the problem? Would he accuse me of making "excuses" for Firefox? Would he rely upon the exact wording of the myth as it's stated in his Source?

My main issue with this myth is not if it's true, but that the debunking Andrew uses violates his own rules. If the tables were turned I don't think Andrew would concede that a Firefox Extension that resolved the issue would be sufficient to change his conclusion about the myth.
"Opera also introduced tabbed browsing. I'm surprised Andrew didn't mention this"

Um I did mention Opera invented Tab Browsing under the myth labeled: TABBED BROWSING! It is now clear to me that people read what they want and not what is there.
Funny, I did a keyword search on the page before I wrote that line. It wasn't there. Perhaps I was tired and just missed it, but since I've already seen an example of Andrew editing firefoxmyths and pretending the statements were there before, I'm inclined to suspect my search was valid, and that Andrew edited the page after reading my original post.

In Comic Book terms, it looks like he retconned the article.
Myth - "Firefox had Pop-up Blocking before Internet Explorer"

No this is a Myth and debunked, Firefox is NOT the Mozilla Suite. The only thing misleading is stating it any other way.
I'll grant that, in terms of the Myth as written, Andrew debunks it. However, his debunking makes it sound like Internet Explorer was the first to introduce the feature. Mozilla based browsers had pop-up blocking way back in 2002, two years before IE introduced the feature. There was even some anger over the fact that Netscape 7, based on the Mozilla core, removed the feature in order to coddle AOL popups.
Myth - "Firefox Blocks all Pop-ups"

I am not going to go over this again. The sources and examples are NOT the same etc... Myth debunked.
I should point out here that I never claimed that Firefox blocked all pop-ups. In terms of Andrew's debunking of the Myth, he's right. Firefox does not block all pop-ups.

My issue is that I've never heard the claim that "Firefox Blocks all Pop-ups." Andrew can disperse this concern by linking to a few more sources for the myth, something he has failed to do.

Show me the references.
Clearly you read nothing on my page as my sources for the Myths were multiple locations none of which were the examples.
I'm going to give Andrew the benefit of the doubt and assume he was tired when he wrote that line as it's very poorly worded.

He seems to be claiming that he listed multiple sources for his myths. However, the "Firefox blocks all Pop-ups" myth only lists one source, and that source is a graphic on Andrew's own web site.

The "Firefox has lower System Requirements than Internet Explorer" myth is also nothing but a link to a graphic on his site. I noticed that there's no mention of the browser version in the linked graphic, but Andrew made a BIG deal out of the browser version when rationalizing his exclusion of IE 7 from discussion of the myth.

The following "Myths" have a graphic on firefoxmyths.com as their only "Example" of the myth.

"Firefox's Memory Leak is a Bug"
"Firefox Blocks all Pop-ups"
"Firefox was the first Web Browser to include Tabbed Browsing"
"Firefox fully supports W3C Standards"
"Firefox has lower System Requirements than Internet Explorer"

I believe Andrew needs to do a better job of finding, and linking to, examples for his myths.
I didn't "massage" any data and it is all clearly sourced. I also did not try to hide anything as this page came out in 2005 and is clearly SOURCED!!!!
I encourage anyone reading this little flamewar to go back and review what Andrew and I have written. Decide for yourselves if Andrew is massaging his data or not. Don't take my word for it, and don't take his. Read the arguments and counter-arguments and decide for yourself.
"Ironically, he fails to mention the fact that the free Opera browser is no longer ad supported."

Really? "Opera (now 100% Ad free)"

Give me a break, try reading my page completely next time and not make assumptions or jump to ridiculous conclusions.
Again, this is another example of Andrew editing the page and then claiming that the modified version is what was there when I first read it. When I wrote my original post, I searched for the word "Free" on firefoxmyths.com, both by scanning the page and by using my browser's "search" feature. I didn't see the mention of Opera being Ad Free, and I believe Andrew added it after reading my article.

OODA Loops in User Interface Design

Preamble

I've spent the last month or so engaged in a job hunt. That job hunt has now come to a close, as on September 26, I start work at my new place of employment.

During this job hunt, a few places have asked me to write sample essays or articles as part of the interview process. The following is one of those essays. The company in question was very big on using OODA Loops as part of their overall design philosophy and wanted to know if I could wrap my mind around the concept.

While writing the essay, I realized that OODA Loops are easy to apply to software design as the concept merely describes what most good programmers already do. The Observe, Orient, Design, Act methodology greatly reduces the time wasted in redesigning and rewriting code. If done properly, the actual programming is a matter of following the pseudo code that's already been worked out.

The following assumes some familiarity with OODA Loops, which can easily be gained in a few minutes by reading the Wikipedia article on OODA Loops.

Introduction

The main goal of any User Interface should be to allow the user to accomplish their desired goal as quickly as possible. Despite the typical use of OODA Loops to disrupt the opposition, be they business or military, the same principles can be used to enhance the user experience and create the illusion of having fully anticipated the user's desires.

The OODA Loop cycle was designed to describe a military engagement. It's tempting to depict the end user as an Enemy Combatant. In this scenario, the process of getting inside the enemy's OODA Loop would consist of anticipating the User's actions and presenting interface options that lead them in the direction you desire.

This model has a few flaws. First, it describes an adversarial relationship between the user and the developer. A typical development cycle already has enough stresses between these groups without creating more in fundamental design models. Second, all Military analogies break down. In many respects the User's goals and the developer's are the same. It would be a bit like describing how to help an enemy pilot bomb your own base.

A more useful metaphor would be to view the User as your own soldier. The goal of a UI developer becomes streamlining the user's entire OODA Loop, eliminating bottlenecks and avenues for error.

Example Project, The Report Interface

I unknowingly used many OODA Loop concepts in developing a report interface when at FinancialCampus. The "second generation" interface created by a subsequent developer was rejected by users in part because its development ignored the OODA Loops concept. Let's examine both development processes in terms of OODA Loops.

The UI goal was to allow a Compliance Officer (CO) to access and act upon the exam status of his or her Brokers and determine who had not completed their NASD Mandated Continuing Education.

First, I needed to Observe. This meant gathering data on what the COs did with their data and how they needed it presented. The main tasks could be broken down as follows:

Observe:

• Get User Feedback on existing reports
• Review sample reports created manually by end users
• List NASD Legal requirements
• Record data on technical expertise of end users
• Record data on interfaces with which users are already comfortable.
• Get samples of any data files used by the end user.
• List other data available in the Learning Management System (LMS).

Simply acting upon this data would have resulted in either dozens of reports, or a handful of monolithic reports with a complex array of options. COs would have become trapped in the "Orient" stage of their own OODA loops. My own Orient loop was initially a bottleneck until I reevaluated how I was approaching the data. Instead of creating a single report to make everyone happy, I decided to create multiple reports, each one designed to meet the needs of a discrete group of users.

My Orient phase consisted of determining how the potential data sets interacted and who needed that data. I also evaluated who wouldn't mind a few extra bits of data in their report. The end result was a large chart on my wall, listing each piece of data in the system. Legally required data was highlighted. Color coded lines connected the data fields to the customer reports. The color coding flagged the data as "Legal," "Bureaucratic" or "Optional."

Orient: Data is placed into three categories:

• Legal: Information the Compliance Officer MUST present to comply with law
• Bureaucratic: Information the CO needs to present for internal business or workflow reasons.
• Optional: Data present in the LMS but not needed in any reports. This was addressed later.

Once I knew who needed what, I began the Design phase of merging reports. My target was six to eight reports and I met that goal. In retrospect, I could have automated much of this if I had used Semantic Data models and defined relationships such as "Farmers Insurance Needs the exam pass date" and "NYLIC does not want the exam score." This would have allowed me to condense the needed reports faster.

Design:

• Distill format data into the smallest number of possible formats. This process resulted in six basic reports with two to six options each.
• Order the reports by likely number of users
• Define a login process using The IntraLearn user data, as all Compliance Officers were also students. Each report required the appropriate login, and was restricted to the data for a specific company.

By this point, Acting was easy. I simply sat down and began writing the reports I'd specified. I was tempted to engage in another Observe exchange with the COs at this stage, but decided against it, as I did not want to become trapped in an Analysis Paralysis loop, or to allow Feature Creep to delay the deployment of the initial reports.

Act:

• Write the login process for the Reporting Interface.
• Write the report that will be used by the most Compliance Officers. Place that report in a menu that allows for the addition of new reports.
• E-mail the COs about the new reports as they are added.

The Other Loops

During this outer OODA Loop, an overlapping loop was taking place to deal with the "Optional" data. The additional data available, such as the number of times a user had taken an exam, was presented to the Compliance Officers to determine if any of them needed or wanted that data. Additional data was incorporated into the reports as appropriate. For example, the "Times Exam Taken" counter was added to the "Full Data" Excel and CSV export because the only customers who wanted that data were already importing the data into PeopleSoft.

A new OODA Loop began as each report was deployed. CO Feedback initiated the Observe phase. That data was then evaluated for potential use in modifying the existing reports in an Orient phase. If the data was deemed appropriate for use in modifying the report, a Design phase occurred, followed by an Act phase to get the updated report to the end users.

The Resulting Reports

As a result of the above OODA Loops, the Compliance Officer's OODA Loop looked like this.

Observe: Read the brief descriptions of the reports and their options

Orient: Select the report that best met their data needs.

Design: Select the options presented for each report. This typically consisted of such options as the level of detail provided, sort order and if rows will be per rep or per rep/course combination.

Act: Print or download the resulting report, fire, suspend or reprimand Brokers as appropriate. One report even allowed the COs to e-mail the recalcitrant reps with a bulk e-mail or individually, warning them of their pending deadlines.

Two more reports were added within three years, as new customers came on board with new reporting needs.

The "Second Generation" Interface

What did the user-rejected "Second Generation" interface get wrong?

At the then CTO's Direction, the developer conducted minimal Observation. Only the data available in the database was reviewed. No other end user requirements or input was taken into account. Due in part to the small data set gathered in the Observation phase, minimal Orientation was possible.

The rationale given for this minimal Observation was that the existing reports were "truncated" and "failed to take advantage of the data IntraLearn offered." It was further stated that FinancialCampus needed to "Show off what we can do to compete with the big boys."

The Design phase consisted largely of the developer recording every data manipulation he could imagine. Designing and Acting were not separate phases, as the reporting system was written while the developer conceived of new options. This required the developer to completely scrap the existing code twice and begin again from scratch.

As a result, the Compliance Officer's OODA Loop was disrupted. The new system had a steep learning curve, and COs were unable to separate the OODA Loop stages. They became trapped in the Orient phase, unable to process the Observations presented in the reporting system's "Help" documentation. Few were able to successfully Design their reports.

Many COs called or e-mailed to complain about the complexity of the system. FinancialCampus' own CTO, VP and Owner were unable to understand or use the new interface, but still ordered a global switch to the new system.

Summary

The above examples show that the OODA Loop process can be used to create a User Interface that optimizes the User's own OODA Loop, even if the user is unaware of the concept. OODA Loops also help compartmentalize the development process, reducing churn and wasted effort later in the product's life cycle. If the Observe, Orient and Design phases have been carried out, Acting will be little more than using the Pseudo-Code to write the final application.

Monday, September 24, 2007

Revisiting the "Firefox Myths" Part 7

Please read my earlier post "Revisiting the "Firefox Myths" Part 2, the Tangent" for background information on where these quotes came from and what the heck is going on.

The following is a response to Andrew's September 21, 2007 6:18 PM comment to Revisiting the "Firefox Myths" Part 6. I was originally going to post this as another comment in the thread, but decided it had gotten a bit long and needed to be a new post instead.

Unless otherwise noted, indented text in italics are Andrew K's comments, and my responses follow the quote.
By your logic it is dishonest to Ignore IE3 and IE4. The Requirement Myth is accurate and is not changing.
Andrew,

I'm afraid I don't follow you here.

In Revisiting the "Firefox Myths" Part 6 and the resulting comments I argued that IE 7 needed to be included in the discussion because:
  • It's the fastest growing browser in history, and still growing.

  • It has 50% of IE 6's market share.

  • It's the most recent version.

  • It's the ONLY version of IE available to people running Vista, and most new PCs come with Vista pre-loaded.

  • It's Microsoft's recommended upgrade path for XP users.

  • Bug fixes for IE6 are likely to be few and far between, as most development efforts will be directed at IE7.

  • It's been about a year since the last IE 6 bug fix.

  • While I did not make this point earlier, I'd like to point out that according to most statistics IE7 has a larger market share than Firefox.
How do ANY of those points lead you to claim IE 3 and IE 4 should be included as well? I'm afraid your logic escapes me, as neither IE 3 nor IE 4 meets ANY of the criteria I set forth as arguments for including IE 7 in the "System Requirements" section of your site.
Each Myth is based on how it was heard. With requirements the version number was not mentioned specifically for IE while with performance they are.

I don't care how it looks to those who cannot understand simple logic.
Again, your open hostility is what drives the negative reaction to you and your site far more than the data you present. Running around accusing people of being stupid just because they don't think the same way you do, or because they disagree with your logic, is not constructive. I sincerely hope this attitude doesn't reflect your behavior in real life.

If you want people to understand and accept your statements, you have to take into account the objections people will raise. It's the difference between a persuasive statement that will get people to change their behavior and a rant that few will take seriously.

I don't want to attack you or your page. I want to help you change the things that are causing so many people to dismiss it as the ranting of an anti-Firefox Zealot. The first rule of writing is to think about your target market. For whom are you writing and who will be reading it? Who are the people you're trying to reach with your Firefox Myths page?
The browser news comment you are taking completely out of context. I stated:

"The Browsernews is even more biased looking at the sources as it tries to compare single domain page hits with companies who monitor web traffic across hundreds of thousands of pages."

I never said Browsernews uses thousands of pages for its samples I said it is comparing sources that use thousands of samples to ones with a single domain.
upsdell.com is pretty straightforward about the sources used in the linked Browsernews article. The whole point was to reflect the wide range of results you get when you modify your sample set. It's one of the reasons I encourage web developers to pay more attention to the statistics from their own sites than to overall browser market estimates.

You keep claiming that the differences in the six sample sets constitutes some kind of disadvantage, something that discredits the article. Those differences, both in the sample data and the ensuing results, are the whole POINT of the article. The goal of the article is to get people to think critically about the numbers being presented to them. Isn't that, in a way, what you were trying to argue in your original article?

You're trying to discredit a few articles by linking to statistics that disagree with those statistics. You're asking readers to treat the number you use as superior to those of the original articles. Isn't it more useful to point out the difficulties involved in trying to get a "global" picture of browser usage?

People can argue the "superiority" of one set of browser statistics against another until everyone turns blue in the face. Educating people about the inherently flawed nature of browser statistics in general will be more likely to get people to look at a "firefox achieves xx.x% market share" headline with a critical eye.
I never stated the definition I used does not define IE or Opera as insecure you keep implying this. I make no such statements or implications. You keep stating it to make an excuse for Firefox being insecure.
I'm not trying to make excuses for Firefox's security issues. I'm trying to help you modify your site so that people take it more seriously. I never denied that Firefox has its own security issues, but the fact that your site is viewed as a "hit piece" and not an objective, unbiased source means the points you raise aren't being taken seriously, defeating the purpose of the "Firefox Myths" page.

Instead of thinking "Hey, I should demand Firefox deal with the security issues in the extensions," your concerns are being written off as a rant.
I am bashing nothing, just because the majority of the Firefox Myths are overexaggerated positives does not mean that I am bashing Firefox.
Again, you're ignoring the emotional reaction people have to your tone and attitude.

You have a choice Andrew.

Option 1:

Leave the page as it is, occasionally updating it to reflect new data and myths. Continue responding to criticism with a hostile, attacking tone.

Option 2:

Rewrite the page to reflect an unbiased view of the facts. In the rewrite, address the concerns that have been raised about your site and do your best to anticipate new ones. Engage in an actual dialog with the people who criticize the site, treating their concerns with respect, even when they're hostile towards you.

The path you choose will reveal your true intentions with the site. Option 1 is the path for someone who is hard-headed and more interested in angering people than in dispensing facts.

Option 2 could very well make your site into something of a Snopes.com for Firefox, a relied upon and quoted resource that the Firefox developers could very well come to see as a list of issues they NEED to address.
Counterpoints are Excuses and excuses will never be added to the page.
Again, that arrogance, that refusal to even admit someone else might have a point is what's damaging your credibility more than anything else. Isn't your entire site nothing more than an attempt to provide counterpoints to the myths and exaggerations you've seen on the Internet? You come across as dogmatically saying "If you disagree with me you're an idiot making excuses."

Friday, September 21, 2007

Fond memories of jobs long gone

The following is in response to a Sharkbait posting about a boss who insisted on a three letter user name and identical password.

I had a boss who made the same demand. He insisted his user name and password be his initials. I pointed out the threat this posed, but he insisted that no one would ever try to hack his account anyway.

I mentioned the name of a former employee who was suing the company. The boss laughed.

I was not surprised when in one of the depositions the former employee's lawyer produced a confidential e-mail that the VP had sent the owner. I asked the lawyer how he got that e-mail and he refused to answer.

I told the Owner about this and his response was "Well if he'd read my e-mail I'd have known because it wouldn't have been highlighted anymore!"

I replied with "If you give me two minutes of your time I'll show you how easy it is for someone to read your e-mail without you ever knowing. I'll use your account as an example."

He stared at me for a second and said "Well there's no need to get carried away."

"Please change your password. If you don't (former employee) will continue reading all the e-mail you receive."

"I'll never remember it."

"Write it on a piece of paper and keep it in your wallet."

He kept the new password in his wallet for a good week before he just wrote it on a post-it note on his monitor. I left the issue be. At least now someone had to get INTO the building to read the owner's e-mail. I also convinced him to change the password whenever an employee left under hostile circumstances.

Tuesday, September 18, 2007

Revisiting the "Firefox Myths" Part 6

Please read my earlier post "Revisiting the "Firefox Myths" Part 2, the Tangent" for background information on where these quotes came from and what the heck is going on.
Myth - "Firefox is the Fastest Web Browser"

Firefox Myths is 2 years old! You then make ridiculous comments about my "beloved" browser which makes you lose even more credibility when I state no such thing. Regardless this Myth is clearly debunked, Opera is fastest. You however point out irrelevant things to a page about Firefox Myths. This is not IE Myths.
The inclusion of some data on IE 7 makes it clear that Andrew K has been updating "Firefox Myths." With this in mind, I fail to see the relevance of his mention of how old the original version of the article is. Is he trying to beg our pardon for shoddy editing?

My crack about IE 6 being a "beloved" browser is based on Andrew's insistence upon using it as a baseline when comparing Firefox and IE system requirements and his vigorous defense of that decision. He refused to use IE 7 for comparisons when it will show Firefox in a good light.

Of course all that is beside the point. The bottom line is, I agreed that Firefox is NOT the fastest web browser, and Andrew K still felt compelled to argue with me about it. More and more, I'm convinced that Andrew K is a troll trying to drive traffic to his web site.
Myth - "Firefox is Faster than Internet Explorer 7"

Hello the page is not about IE!! This myth is clearly debunked.
A quick note to Andrew:

The Myth is about Firefox and IE and the comparisons being made between them. This means IE is relevant.

Let's take a look at the criteria used for the speed tests:

| Browser name | Cold start | Warm start | Rendering CSS | Rendering table | Script speed | Multiple images | History |
|---|---|---|---|---|---|---|---|
| Firefox 2.0 | 11.64 | 3.05 | 1.71 | 1.62 | 22 | 2.03 | 48 |
| Internet Explorer 7.0 (b3) | 7.8 | 2.4 | 2.13 | 1.47 | 36 | 2.47 | 39 |
| Opera 9.01 | 2.47 | 2.24 | 0.84 | 1.08 | 13 | 1.44 | 8 |


OK, we all know Firefox takes a while to start up. Two of those 7 metrics are only relevant when launching the application. I only launch my web browser once or twice a day at the most. For actual day to day web browsing I'm going to care more about the other statistics.

For rendering a table, IE has a 0.15 second edge on Firefox. The History test involved loading 10 pages from cache, and IE will do that 9 seconds faster than Firefox. On the flip side, Firefox was able to execute the test script 14 seconds FASTER than IE.

According to the stats above, for the actual task of web browsing IE is slower than Firefox. If you're viewing a web site that's graphics heavy, or that uses the Javascript and CSS heavy AJAX framework, Internet Explorer is noticeably slower.

Of course this is all just one set of tests from one site. More to the point, all these statistics came from an Opera employee.
Myth - "Firefox is Faster than Mozilla"

This is all your opinion not substantiated by any data and irrelevant to the page. This Myth is debunked.
Actually I gave quite a bit of data, demonstrating that outside of Firefox's launch time, Opera's speed and IE 7's abysmal Scripting score, most of the performance measures differed by less than half a second. Can YOU tell the difference between a web site taking 5 seconds to load and 5.5 seconds?
Myth - "Firefox Gained 25% Market Share in May 2007"
Myth - "Firefox Achieved 20% Market Share in January 2006 in Europe"
Myth - "Firefox Achieved 10% Market Share in 2005"

These Myths are important to highlight the obvious bias Firefox was getting to promote an untrue market share.
Funny, but there are sources that claim the Firefox headlines are accurate. Let's look at the 10% in 2005 figure.
  • Onestat: 11.51% by November 2005.
  • ADTECH: 12.41% by September 2005.
  • XiTi: 13.08% by October 2005.
Web Browser statistics are a bit of a black art. No one ever has a sample set representing 100% of the Web, they'll always be looking at a subset of the population, specifically, the people visiting web sites that in turn purchased the products of the company providing the statistics.
W3CSchools is a horrible example that site simply records visitor statistics and is severely biased.

The Browsernews is even more biased looking at the sources as it tries to compare single domain page hits with companies who monitor web traffic across hundreds of thousands of pages. Ridiculous. If you don't understand the difference I cannot help you, regardless these myths are debunked.
I wonder how Andrew would try to gather browser statistics. Looking at this reply, it really does sound like he's making a stab at parody. According to his description, Browsernews is trying to generate browser statistics by aggregating data from "Thousands of sources."

Isn't one of the ways to improve a survey's reliability to enlarge the sample size?

What makes the statistics Andrew uses "better" than the other sites? How would he describe the difference between them?
Myth - "Firefox Achieved 150 million downloads in January of 2006"

This was widely spammed at the time which is why it was listed.
Funny, but the only headlines I saw about it were about the miscount and what was being done to keep it from happening again.
Myth - "Firefox is Secure"

Secure as in not vulnerable to anything. This is not a comparison! Security comparisons to be non-biased must be done between a set timeframe since it is obvious a browser that was out for 3-5 more years would have more vulnerabilities. Regardless Firefox is NOT secure and the Myth is debunked.
Pardon me, I got a good belly laugh out of the line "Secure as in not vulnerable to anything." Show me one Web browser that's "Secure as in not vulnerable to anything." Go on Andrew, show me ONE. In my original article I point out that many of the "Vulnerabilities" in Andrew's listing are actually fixed, and never resulted in an exploit in the wild. The method Andrew uses to get his bug counts is inaccurate.

I could debate the nuances of what different people think of when they see the word "Secure" but that would be a waste of time, as it would be entirely too subjective. Instead I'll propose a compromise: I'll gladly concede Firefox isn't "Secure" if Andrew K will concede that by the definition he uses of "Secure" there's no "Secure" version of Internet Explorer or Opera, and add a statement to that effect to the "myth" on his web site.

Revisiting the "Firefox Myths" Part 5

Please read my earlier post "Revisiting the "Firefox Myths" Part 2, the Tangent" for background information on where these quotes came from and what the heck is going on.
Myth - "Firefox has lower System Requirements than Internet Explorer"

First of all read the examples are not myths section. Regardless I had multiple sources for many Myths but I only started screen capturing them as I found them go off line one after another after I linked to them. There is nothing I can do about it other then to show the screen capture.

The page came out in 2005! Regardless there is no "apples to apples" comparison. I actually compare IE6 to both Firefox 1.x to 2.x IE6 has the most market share of any browser period and the Myth is debunked.
This discussion is based on the fact that Andrew K compared Internet Explorer 6's system requirements to those of Firefox 2, even though IE 6 came out in 2002. He compared Firefox to a version of Internet Explorer that was released FIVE YEARS earlier. An Apples to Apples comparison DOES exist, comparing IE 7 to Firefox 2. When you do that, you find they have the same minimum system requirements.

I challenge Andrew K to include the Internet Explorer version information when he compares the browser requirements for IE 6 to Firefox 2. If you're going to use misleading information and massaged statistics, then reveal the browser versions you're comparing.

Why does Andrew K insist upon choosing a baseline of IE 6, a browser whose own publisher wants you to upgrade? What is his fascination with clinging to obsolete technology? As of September 2007, IE 7 already has about half of IE 6's browser market share, and you can't even GET IE 6 on new PCs without going through hoops to install Windows XP or 2000.

Microsoft publishes information on Internet Explorer's product support life cycle. You can see that it's been a few years since IE6 was updated, and despite the fact that IE6 will remain supported for the life cycle of Windows XP, it's clear that all Microsoft's development is being geared towards IE7.

Given how long it took for the IE CreateTextRange remote execution vulnerability to be patched when IE 7 was still close to a year from release, do you really want to be using IE 6 when the Internet Explorer developers are focusing on IE 7?

Andrew only "Debunked" this myth in that he carefully chose his browser versions to get the results he wanted. I stand by my original automotive analogy: "This is a bit like Toyota comparing their safest 2007 Sedan to the late 1980's Ford Pinto and using that comparison to claim that Toyota cars are safer than Ford. Such comparisons make it look like you have something to hide."
Myth - "Firefox uses less memory than Internet Explorer"

If you could please provide a link that shows what part of IE loads when I would be interested and am still waiting for two years for proof of. Regardless the Myth is debunked.
Fascinating. I agreed with him and he still felt compelled to argue with me about it.

No, I didn't refute the common belief that IE components load at boot time, I did one better, I pointed out that it doesn't matter if they do. Even if IE components are loaded at boot, it doesn't matter in terms of memory usage comparisons, unless you can find a way to avoid loading those components when Windows boots.
Myth - "Firefox is Bug Free"

What you consider a Myth is irrelevant to what many others believe. Many people believe this and thus it is a Myth and obviously debunked.
Well, you did find ONE example of someone who thought Firefox was bug free, so I'll grant you this one. However, I recommend you find and link to more sources for this Myth. As it stands, using a Pet Lover's forum as the "source" for the myth is questionable at best. All you're really doing is proving there are idiots who don't know what they're talking about online. A quick look at Yahoo Answers will prove the same thing.
Myth - "Firefox is Stable"

Corrupt Preference Issues and Profile Issues are core browser issues! Again you show your bias for what you think the page is about, it is not to sell a browser or promote IE. I state nothing about IE here and yet you do, I can clearly see now how you are incapable of reading what I clearly state. It is to debunk Myths. This myth is clearly debunked.
Oh, that's cute! Andrew edited the page to add references to "Corrupt Preference Issues, Profile Issues, Plugin Issues." The previous version only mentioned the third party extensions.
Of course the Wayback Machine doesn't have a copy of the old page and I neglected to save a copy to my hard disk. Well, I just saved a copy of the page to my local drive, so if Andrew pulls that stunt again I'll have proof.

Anyone out there have a copy of the previous version of Andrew K's page?

I'm glad to see my article has forced Andrew to revisit and improve his page.

Regardless, the wording of the Myth is highly subjective. The source he chooses is using the phrase "Firefox is Stable" to compare Firefox to Internet Explorer. Yes, Andrew K demonstrated that Firefox is as vulnerable to bugs as any other program, but he does so in a misleading manner.

Most people use the phrase "Stable" to refer to software that doesn't crash all the time, it's safe to use in a production environment and won't leave you frustrated with lost data on a regular basis. An unbiased review of Firefox and this myth would have combined this with the "Firefox is Bug Free" myth to point out all software is vulnerable to stability issues. As it stands, Andrew K implies that Firefox is less stable than other browsers. While I can't speak for Opera, Firefox 2.x is more stable than any released version of Internet Explorer.

Revisiting the "Firefox Myths" Part 4

Please read my earlier post "Revisiting the "Firefox Myths" Part 2, the Tangent" for background information on where these quotes came from and what the heck is going on.

September 18, 2007 1:49 PM
Myth - "Firefox and Mozilla are the same thing"

It is clearly a Myth if people believe it and it has been debunked. "Value of a web browser" has nothing to do with my page, it is about Firefox Myths. I can see you are starting off as if my page is some attempt to convince people what to use, it is not, it is to stop the spread of Myths about Firefox, period. I don't care what browser you use.
The very first Myth was one where I admitted Andrew K was right. I took issue with the use of the term "Myth" to refer to the confusion, but I admitted Andrew K's response was correct.

I'm amused by the sentence "I can see you are starting off as if my page is some attempt to convince people what to use, it is not, it is to stop the spread of Myths about Firefox, period." when a tangible anti-Firefox hostility permeates the Firefox Myths page. I recommend the reader not take my or Andrew K's word about the intention and bias of the Firefox Myths page. Read it for yourself and decide what you think Andrew K is trying to do.
Myth - "Firefox is spelled 'FireFox' and abbreviated FF"

This is still a Myth and as you can tell a largely believed one, regardless it is clearly debunked.
Again, I made it clear in my original article that Andrew K was correct on this Myth.
Myth - "Firefox is not a Religion"

I have since clarified this one much better with sources I should have used from the beginning, my intent was never that Firefox is an organized religion but as the definition I clearly provided says:

"A cause, principle, or activity pursued with zeal or conscientious devotion."

In my experience which goes back over 15 years and I have been online since 1996, I have never seen more fanboys than those who mindlessly endorse Firefox. I provide overwhelming evidence for this and thus the Myth is debunked.
Oh, he's been online since 1996?

Give the little newbie a cookie. I'm glad his wee little virgin mind has never encountered an obsession greater than that of the fringe Firefox Zealots. If he truly has "never seen more fanboys than those who mindlessly endorse Firefox" then I have to say he's just not looking. I decided to take a look at the updated section, and did indeed see a few new links.

Explorer Destroyer - This link is more of a guide on how to abuse Google's ad system than anything else. Oddly, the "Level 3" script to block all IE users from a site sounds a lot like the "Why Firefox is Blocked" site that originally led me to the "Firefox Myths" page.

Kill Bill's Browser - I don't see the point in including obvious and outrageous humor links.

Block IE - How is this different from whyfirefoxisblocked.com?

IE is Evil! - Again, a humor link, and it's a "I hate Microsoft" zealot, not a Pro-Firefox Zealot. I call shenanigans. Andrew K misfiled this Zealot.

God Chooses Firefox - If Andrew K counts every random humor piece involving Linux as "proof" of "Firefox being a Religion" then I can use The Onion as a source.

Firefox Crop Circle - Again, he misfiled his Zealots. There are hobbyists who make crop circles for FUN. Besides, after reading the site I have to conclude these are Linux Zealots.

Firefox Sidewalk Firefox Balloon - The linked site seems to be down, but they're just links to the same guys who did the Firefox Crop Circle. Besides, these Tetris Zealots have them beat hands down.

Firefox Bus - Including this as "proof" of Firefox being a religion is downright misleading. I read the text, and there's no evidence the artist who painted the bus even knew it was the Firefox logo. Besides, Firefox has a For Profit corporate arm, which means this could very well have been an advertisement.

Andrew K is determined to view the Firefox Zealots as being more extreme than ANY other group. Fine, I won't burst his little bubble.

Why should he face the fact that, for example, Cosplay alone makes Firefox zealots look downright mundane? Cosplayers routinely spend thousands of dollars on costumes to look like their favorite anime characters. What's the most extreme thing Andrew K found? Oh, right, a Firefox themed crop circle.

Then there's the guy with the Zune tattoo.

And my personal favorite, the Catbus Bus from Burning Man.

The bottom line is, a little online hunting will turn up Zealots and lunatics for just about any topic you can think of. I'm not defending Firefox Zealots by any means. My point is, Andrew K is giving the Firefox Zealots far more credit than they deserve for outright lunacy.

Revisiting the "Firefox Myths" Part 3

Please read my earlier post "Revisiting the "Firefox Myths" Part 2, the Tangent" for background information on where these quotes came from and what the heck is going on.

September 18, 2007 1:49 PM
First of all you haven't "debunked" anything on my page.
A quick note about debating. That kind of statement should be put at the END of a response and not the beginning, and only then if you've demonstrated your claim. It's a bit premature to insist your opponent didn't debunk anything before you've even replied.
None of my pages have comment sections because my pages are not blogs but all the testimonials are from real emails that is a fact. Go to any company's site and see how many critical comments you will find on their site. That is absolutely ludicrous. There are plenty of fanboy rants about my page online, none of them factually correct or debunk anything but they are "critical".
If Andrew's going to compare his web site to that of a corporate marketing site, what company would he say he represents? Microsoft? Opera?

I'm afraid I didn't express my concerns about the lack of critical comments very clearly. I was thinking in terms of a scientific paper. A scientist writing a research paper is expected to anticipate and address the objections that may be raised regarding his conclusions. For example, Alfred Kinsey was one of the most outspoken critics of his own work. Many people have criticized his use of prison populations for his research and pointed out how that could skew his results. Kinsey himself had stated those very concerns in his original research, and outlined several methods for modifying the research population to better represent the population at large.

Andrew K makes no attempt to outline where he may or may not be wrong or explore likely objections to his conclusions. Even when confronted with proof of Drive by IE exploits, he flat out denies they exist. All criticism or debate attempts are written off as "Firefox fanboyism."
The author of the whyfirefoxisblocked is Danny Carlton not me.
I stand corrected. I can admit when I am wrong.
Nanobot is a flat out liar who is mad because I caught him redirecting visitors coming from my site to different pages.
I'd like more details on how this happened. Was there a forum post of some kind that Nanobot controlled but Andrew K linked to? Did Nanobot hack Andrew K's site, and if so why didn't Andrew contact the police? Inquiring minds want to know, this could be a THRILLING story!
I never spammed my page to Digg I posted it anytime a new version was released which had updated and new information.
Actually, posting the same link to Digg multiple times IS Spamming Digg. You're only supposed to submit it once. Digg has a number of tactics to prevent the same link from being submitted multiple times. The submission interface even discourages the submission of articles similar to those already in Digg.

By his own admission, Andrew K spammed digg, he just chooses not to call it Spamming.
I also never used any of those names.
What the heck, I'll take Andrew's word on that.
Of course there were complaints from the fanboys who did not want anyone to read the truth about Firefox!
I'm torn. Making a crack about paranoia and conspiracy theories feels like a low blow, but he's set himself up for such an accusation time and time again. Perhaps Andrew K is just paranoid with persecution delusions and firefoxmyths.com is just a cry for help. I can't take these censorship claims seriously. He makes wild claims of persecution but then uses an example like accounts being deleted from digg.com, when he's already admitted to behavior that the digg submission interface actively discourages.

I checked out the Digg.com Terms of Service and found the following:
By way of example, and not as a limitation, you agree not to use the Services:
...
7. to submit stories or comments linking to affiliate programs, multi-level marketing schemes, sites/blogs repurposing existing stories (source hops), or off-topic content;
...
9. with the intention of artificially inflating or altering the 'digg count', blog count, comments, or any other Digg service, including by way of creating separate user accounts for the purpose of artificially altering Digg's services; giving or receiving money or other remuneration in exchange for votes; or participating in any other organized effort that in any way artificially alters the results of Digg's services.
Submitting the same URL multiple times sounds an awful lot like "repurposing existing stories" to me. If any of the accusations about Andrew K using multiple logins to Digg the same story are true, then he'd be guilty of item 9 above as well.
There are no lies on my page and all quotes in the fanboy quotes section are and were intended as satire.
It's lines like this that make me suspect the "Andrew K" who posted the comment is a fake, or that the firefox myths page is itself nothing more than an elaborate bit of trolling. Caught editing quotes to completely change their meaning, Andrew clumsily claims the entire section is somehow satire, even though there's nothing within the content of the page to imply it's satire. It's similar to a child being caught in the act of stealing a toy from a sibling only to respond with "But I was just borrowing it!"
The Techspot link is about as informative as the Iraqi propaganda minister. Only the fanboy quotes were satire NOT the testimonials.
Again, the clumsy defense that the edited comments are "Satire." I also notice that Andrew K makes no attempt to deny the claims made on the Techspot link. He merely brushes off his borderline slanderous editing of comments as "Satire." The only way that claim would wash is if the entire Firefox Myths site is satire.
I will never give any voice to people who can't read and comprehend facts and sources and flat out lie.
You mean like including only the bolded portion of the following quotes on your web site?
"I'm not a big fan of evangelism or hyperbole, so when a page called "Firefox Myths" entered my radar recently, I was very interested." - Tre
Actual comment - "I’m not a big fan of evangelism or hyperbole, so when a page called “Firefox Myths” entered my radar recently, I was very interested. Then sadly disappointed. Rather than a balanced analysis of some of the folklore surrounding Firefox, it is merely a stream of weak arguments against imaginary “myths” supported by misquoting or deliberate misreading of sources. I’m not even going to reference the page".

"It's an interesting read..." - Robert A. (Mac User)
Actual comment - "Someone looking for their 5 minutes of fame (obviously not worth 15 minutes) decided to post some Firefox Myths. It’s an interesting read, though has a few oddball statements, that really don’t make sense".

"The sources & data are convincing..." - Ryan J. (Editor note - this should start "...the sources")
Actual comment - "Even though the sources & data are convincing, I see nothing pro-Firefox there - notice no links about IE's insecurity I wonder why."

Oh right, I forgot, that kind of creative editing is somehow considered "Satire."
There was obviously a deliberate intent by the Digg administration to keep my page from being posted on Digg.com. This was brought to my attention by various people who attempted to have it submitted and then had the post removed, their account deleted and their IP address blocked. I link to one such testimonial. Conspiracy? I have no idea but deliberate? You bet.
By his own admission, Andrew K was submitting the site multiple times, which clearly violates the repurposing existing stories (source hops) prohibition in the Terms of Service.

Of course, the only way to really debunk the censorship claim would be to, for example, find a collection of anti-firefox links in digg.com.

I'll start with a juvenile hunt for the phrase "Firefox sucks" on digg.com. The following are from the first two pages of results. Given the ease with which anti-Firefox articles can be found on Digg, one has to wonder what could POSSIBLY be so special about Andrew K's "Firefox Myths" page that he would be deliberately blocked when all of the links below are allowed in. Some of the links below are very well written and ended up with triple digit digg numbers.

Occam's Razor leads me to suspect the Terms of Service violations documented above are a more likely explanation than an organized front posed by Digg admins to suppress one page.

the Firefox Sucks Organization - Digg users are firefox fanboys ?
It seems like someone decided to open a "Firefox Sucks" organization, more than that - they are mentioning Digg users as Firefox fan boys. Actually the whole blog is dedicated to sole purpose of stopping the Firefox browser from spreading. Blog owners are inviting other people to join them in this battle. Weird joke ? Or is it a real intention ?


IE7 vs Firefox 2: The Memory Usage Showdown

lifehacker.com — "After running Internet Explorer 7 for a full day now and throwing just as many tabs at it as the 'fox, its RAM suck-uppage consistently stayed less than HALF of Firefox's." (Tech Industry News)

Firefox sux?
Check out this page with Internet Explorer and then with Firefox, and marvel at the difference. Looks like Firefox sucks after all. The page uses IE filters and VML which FF doesn't understand.

the Firefox Sucks Organization - Digg users are firefox fanboys ?
It seems like someone decided to open a "Firefox Sucks" organization, more than that - they are mentioning Digg users as Firefox fan boys. Actually the whole blog is dedicated to sole purpose of stopping the Firefox browser from spreading. Blog owners are inviting other people to join them in this battle. Weird joke ? Or is it a real intention ?

Firefox 2.0 hijacks Feedburner rss links
I've just noticed this and it sucks.. I liked the ability to add a RSS feed to my online read (netvibes) via any feedburner link.. to me this looks very intentional.

Opera 9: First impressions of a Firefox user
I decided to try out Opera after reading a Firefox-bashing site (link at the bottom). I’ll admit to being sucked in by the whole “Take back the web” propaganda. So, in order to decide for myself whether Firefox is really the best I downloaded and installed Opera 9.23.

Why the Firefox Extension Site Sucks
Don’t get me wrong. I love Firefox. It is a great browser and one of the things that makes Firefox stand out is its wide assortment of extensions. The problem is when it comes to finding an extension. With thousands of extensions on their site and only about 25% of them being compatible with Firefox 2.0. Here is a solution I have come up with.

Web standards? IE? Firefox? BULLSHIT!
I am really getting tired of seeing all these "holier than thou" articles, comments and rants about how Internet Explorer sucks because it doesn't implement "web standards" correctly, and how Firefox "does". Take a look, and you decide

Revisiting the "Firefox Myths" Part 2, the Tangent

This is the ongoing saga of my responses to a Blogger using the handle "Andrew K." On September 13, 2007, I posted an article entitled "Debunking the 'Firefox Myths' page." The point of the post was to address what I saw as factual errors on firefoxmyths.com. Someone claiming to be the "Andrew K" who created Firefoxmyths.com posted a couple of replies to my original article. Since I expected the resulting thread to get rather long I've chosen to respond to his posts with separate articles on my blog.

First, a little background. One of the comments came from FreewheelinFrank who provided me some insight and a few links. Here are FreewheelinFrank's links.

The article "The myths of Firefox Myths" was written by a blogger who was convinced to try Opera by the original Firefox myths page. He then attempted to contact Andrew K about some of the holes he found on the site, specifically the fact that it fails to approach Firefox in an unbiased manner. He was rudely rebuffed and proceeded to create a page debunking the myths one by one. I recommend reading it, as he makes a lot of good points and the comment links are often hilarious, particularly the superior Firefox Myths page that takes a far more even handed approach.

Next, FreewheelinFrank links to "Internet Explorer Unsafe for 284 Days in 2006" which I wrote about in my first response to Andrew K's comments.

Finally, grantlairdjr.com/wp/2006/05/18/firefox-myths starts off with a link to firefoxmyths.com and contains a thread discussing the claims made on the site and someone claiming to be Andrew K responds.

Revisiting the "Firefox Myths" Part 1

A blogger claiming to be the "Andrew K" behind the "Firefox Myths" page has posted a few replies to my original article about the Firefox Myths page.

Naturally, I can't be sure the posts REALLY came from Andrew K. Because of this, I'm going to respond to the comments as if the author of the posts to my blog and the author of firefoxmyths.com are one and the same. As you read on, please remember that I could be responding to a prankster.

First, I'll respond to the shorter of the two quotes.

September 18, 2007 1:53 PM
Freewheelinfrank is a Firefox Fanboy spammer who has done nothing but spread lies and libel about my page. This is why he is listed on my page as such.

He has never been able to provide me with a URL that proves "auto-installing" spyware on IE.

FYI, they like to link to sites where the comments were closed before I could respond or my account was banned simply for defending myself.
No one really cares if Freewheelinfrank is a "fanboy" or not. His motivations are secondary. Tossing around phrases like "Fanboy" is a juvenile tactic to begin with. Andrew's decision to use it as his first volley makes him look like his argument is weak and unfounded. Already, this alleged "Andrew K" has tried to direct the debate away from raw facts and into attacks on character and motive.

Andrew K's next comment is even more comical. He claims Freewheelinfrank has never provided "a URL that proves "auto-installing" spyware on IE." Freewheelinfrank's post included a link to the Washington Post article "Internet Explorer Unsafe for 284 Days in 2006" that discussed such exploits. The article linked to yet ANOTHER article entitled "Hacking Made Easy".

Both articles discuss what are known as "Drive by" infections. Specifically, these are viruses, trojans and key loggers that install themselves when you simply visit an infected web site with a vulnerable browser. All you do is "Drive by" the site, and you find your PC infected with a virus or keylogger. Andrew K's comical claim that no such viruses exist for IE betrays either willful ignorance or a profound lack of understanding.

Allow me to provide some more of the references Andrew K claims he's never received. 2006 was not a good year for Internet Explorer users.

The article Drive-By IE Attacks Subside; Threat Remains discusses the zero-day drive-by attacks that were taking place in March of 2006. A vulnerability in Internet Explorer's implementation of createTextRange() allowed for the installation of arbitrary code on the victim machine, simply by visiting an infected web site. No downloads, "OK" buttons or other user activity needed. Most of the infected web sites were spreading SDBot to capture user activity and send it back to the hackers.

Drive-By IE Attacks Subside; Threat Remains further discusses the same round of exploits, and goes into a bit more detail about how Microsoft spent a lot of time spinning the attacks and tracking down malicious web sites.

Somehow I suspect Andrew K won't be happy without exploit code, so I'll provide a link to the IE createTextRange() vulnerability exploit code.

Of course that was all IE 6 and below. What about IE 7? A similar buffer overflow bug was found in IE 7. Fortunately, this was found by a security researcher and proof of concept exploit code turned over to Microsoft, so there aren't any known infections of IE 7 from this bug. The article "Microsoft Hunts Down New IE Bug" has more to say about the incident.

You don't have to dig very hard to find proof of zero day, drive by IE vulnerabilities. A few seconds on Google turned up the links above and when you can find proof so easily you can't help but wonder why Andrew K is so determined to insist no such proof exists.

"Andrew K" ends his comment by whining about his accounts being closed before he could respond to the accusations made against him. This too is a classic misdirection tactic. No one cares if he didn't get the chance to respond to a criticism in a given forum. What matters is the response he gives to the accusation NOW.

So far, I'm not impressed. A couple of insults, a bit of whining, and an easily debunked claim about Drive By IE Exploits hardly constitutes a viable defense of FirefoxMyths.com.

Thursday, September 13, 2007

Debunking the 'Firefox Myths' page

Not long ago, the web site http://whyfirefoxisblocked.com/ hit Digg.com, Slashdot.org, Reddit.com and several other sites. One of the links on that page was to a "Firefox Myths" site. Right away, two things jumped out at me. There were several "Testimonials" in the left hand navigation bar, all raving about how wonderful the site was, but there was no "Comments" section. Read what you want into this, but there were no comments that were critical of Andrew K. on the site.

I looked at the other links on the page, and began to suspect that http://whyfirefoxisblocked.com/ was, in reality, nothing but a hoax site designed to drive traffic to Andrew K's web site. If this is the case, then I have to admit it was a clever and effective way to bloat his Google Pagerank, and no doubt get a few dollars from ad revenue while he was at it. Nothing drives traffic to a site quite like outrage.

At the bottom of the page, Andrew K claims that "Anyone even posting a link to www.FirefoxMyths.com [On digg.com] will have it removed, their account deleted and their IP address blocked."

If true, such a claim deserves to be investigated, so I did a little hunting. I quickly found a digg.com article on this very topic:

http://digg.com/tech_news/Digg_blocks,_bans,_and_deletes_users_who_post_links_to_firefoxmyths.com

The user Nanobe had this to say:

Here's the story: Mastertech (a.k.a. Andrew K., the author of the Firefox Myths article) submitted his Firefox Myths page to digg a whopping 12 times, once or twice every time he updated the page. He also commented on just about every web browser related article with a template message advertising his page. To put it simply, he was banned for significant levels of spamming, and his website was also banned to prevent him from advertising it under different names (and he is known to pass himself off under many different identities, including David Dobsen, David H. (which is actually my name -- he used it to promote his webpage knowing that I'm a vocal critic of it), Drew, FFeLEET, GeneralAres, Jim, Joe Somebody, Mike G., MT, NewsHound, Realist, TheHardTruth, Thor, Vincent, and possibly others). LOTS of people reported him, there were LOTS of complaints from different people whenever he spammed his page, and I'm frankly surprised it took so long for him to be banned.

It doesn't help that his page contains outright lies and deliberate misquotes from many people including myself. This will make for an interesting read: http://www.techspot.com/vb/topic44405.html

The Techspot link that Nanobe provided was very informative. I followed it and found that www.FirefoxMyths.com's "testimonials" and "Fanboys" were crafted by heavily editing the comments of others to the point where the very meaning of the original comment changed. For example, his web site recounts the quote:

"Patches are... always sufficient to protect Internet Explorer against auto-installation of malware... Clearly assertions to the contrary are unhelpful & patently untrue." - Thomas

According to http://www.techspot.com/vb/topic44405.html however, the original quote was:

"Reality - Patches are not always sufficient to protect Internet Explorer against auto-installation of malware; several zero-day exploits in past months have highlighted this very issue. Clearly assertions to the contrary are unhelpful & patently untrue. Nor should occurrences of such installations be a source of derision."

Notice how it was edited? The original statement claimed that applying security patches will NOT protect users from all auto-installed malware. When crafting his edited quote, Andrew removed things like the negating word "not" and the mention of zero-day exploits, completely reversing the meaning.

Already FirefoxMyths.com was on shaky ground, and I hadn't even gotten to the actual content!

The next red flag for me was the remainder of the "Disputes" section, wherein he makes vague references to "a few rather amateurish and rash 'rebuttals' to this page" but never links to any of them. He never gives any voice to his critics and the rest of the section degrades into rants about "Fanboys" and claims of a conspiracy to keep his site from being mentioned on Digg.com.

I decided to examine his "Firefox Myths" page and come to my own conclusions. As a disclaimer, I am a Firefox user. This is because I have a PC at work, a Mac as a home desktop and Linux running on my personal laptop. Firefox, combined with Google's Browser sync, means I can have a consistent interface and set of bookmarks across all three operating systems. That said, I'm always open to new ideas. I've switched web browsers before and if Andrew could make a good argument, I could be persuaded to switch again.

Myth - "Firefox and Mozilla are the same thing"

This isn't so much a Myth, as a bit of confusion common to new Firefox users. A casual read of the Mozilla web site reveals the difference. While the "Myth" is indeed false, it's hardly relevant to the value of Mozilla as a web browser.

Myth - "Firefox and Mozilla are Not for Profit"

The existence of a non-profit foundation, established to fund Firefox, has led to the common misconception that Firefox is itself devoid of commercial interests. Andrew K helpfully links to a Mozillazine.org article that goes into more detail, but the bottom line is there is an official, commercial entity monetizing Mozilla. The browser itself may be a free download, but, like Opera, people are making money off of it.

So far I was encouraged. The first two "Myths" were addressed and debunked with relevant references. The next myth just plain amused me:

Myth - "Firefox is spelled 'FireFox' and abbreviated FF"

To tell the truth, I found this "debate" to be comparable to the question of whether you should write "email" or "e-mail." Whatever The Mozilla Foundation's "official" stance on the matter is, people will spell it however they want. Still, I'm sure the Mozilla Foundation appreciated having another voice repeating their official stance on the product's name.

Myth - "Firefox is not a Religion"

This had me laughing. The bottom line is, all technologies have their fanatics and Andrew K found a number of examples of Firefox evangelists raving about how great it is, including a rather poorly executed Humor piece claiming that God Chooses Firefox.

http://skiphappens.com/archives/000151.html

The Browser wars however are a poor place to go for entertaining examples of Fanboys raving about their chosen technologies. The best Fanboy ranting I've seen is in the Console wars, specifically, PS3 vs XBOX 360 vs Wii.

http://www.destructoid.com/ps3-fanboy-video-proves-that-99-9-of-youtube-users-are-stupid-as-hell-33631.phtml

To be blunt, the fanatical advocates for ANY technology, be it Internet Explorer, Opera, Windows, Linux, Mac or whatever are generally boring and rarely offer any useful information. Yes, the advocates consider getting people to try their pet technology to be a moral crusade, but in the end, people only stick to a technology if they find it works better. Calling Firefox a "religion" grants the zealots a defining level of power that, to be blunt, they don't have in real life. The logic Andrew uses to declare Firefox a religion could be used just as easily to claim that Internet Explorer, Opera, Windows, BSD or any other technology is a "Religion."

Myth - "Firefox has lower System Requirements than Internet Explorer"

The only "example" given for this myth is a JPEG hosted on Andrew's own web site. The image is of an undated posting by some random individual with no information on WHO the "source" is or with what authority they spoke. The article then links to the System Requirements for Internet Explorer 6, SP1, and Firefox 2.

Why would he compare the requirements for the 2002 version of Internet Explorer with the requirements for the CURRENT Firefox? There's a five year gap between the applications. Netscape 4.x was the browser competing with IE 6, SP1. Firefox as we know it didn't even exist.

Let's try an Apples to Apples comparison, specifically, Firefox 2.x vs IE 7, SP2.

Firefox 2 System requirements:

http://www.mozilla.com/en-US/firefox/system-requirements.html

Windows

Operating Systems

* Windows 98
* Windows 98 SE
* Windows ME
* Windows NT 4.0
* Windows 2000
* Windows XP (Recommended)
* Windows Vista

Minimum Hardware

* Pentium 233 MHz (Recommended: Pentium 500MHz or greater)
* 64 MB RAM (Recommended: 128 MB RAM or greater)
* 52 MB hard drive space

Internet Explorer 7, SP2

http://www.microsoft.com/windows/downloads/ie/sysreq.mspx

Computer/Processor
Computer with a 233MHz processor or higher (Pentium processor recommended)


Operating System

* Windows XP Service Pack 2 (SP2)
* Windows XP Professional x64 Edition
* Windows Server 2003 Service Pack 1 (SP1)

Memory
For Internet Explorer 7:

* Windows XP Service Pack 2 (SP2) - 64 MB

* Windows XP Professional x64 Edition - 128 MB

* Windows Server 2003 Service Pack 1 (SP1) - 64 MB

* Windows Server 2003 Service Pack 1 ia64 - 128 MB

When you compare the current versions of Firefox and IE, as opposed to comparing the current Firefox to a FIVE YEAR OLD version of IE, we find they have the same minimum system requirements, but Firefox 2.x runs on more Windows versions than Internet Explorer 7.x.


To use an automotive analogy, this is a bit like Toyota comparing their safest 2007 Sedan to the late 1980's Ford Pinto and using that comparison to claim that Toyota cars are safer than Ford. Such comparisons make it look like you have something to hide.

Myth - "Firefox uses less memory than Internet Explorer"

The iexplorer process does indeed use less memory than Firefox. Many of Internet Explorer's components are loaded into the OS at boot time and are broken off into other processes. While the total memory usage of IE is difficult to calculate, it's not really relevant. Firefox is something of a memory hog compared to Opera and the visible IE footprint.

So far, I was still willing to give Andrew the benefit of the doubt. He'd only really screwed up on one "Myth" thus far.

Myth - "Firefox is Bug Free"

I've been a professional programmer for nine years now, and the concept of anything being "Bug Free" is laughable, a fantasy spouted by people who are either ignorant or are seeking to sell you something. I actually have a rule of politely escorting any vendor who claims a "Bug Free" product to the door.

The fact that Andrew chose to link to a forum post on petlovers.com as an example of people who think Firefox is bug free is, in and of itself, a cause for concern. I've heard people claim that Firefox has fewer bugs than IE, and that claim generally degrades into a debate about bug severity and the difference between a mere cosmetic defect and a major rendering or security flaw. If you use the right criteria, you can make any claim you want about IE vs Firefox in terms of relative "bug" status.

Exploring THAT issue, the question of which has more real security bugs, would have been a worthwhile "Myth" to address, and yet there's no mention of the debate on the "Firefox Myths" page. The closest Andrew comes is this laughably softball claim that "Firefox has no bugs."

Myth - "Firefox is Stable"

This too, is a lost opportunity. Andrew chose to address stability problems stemming from poorly written extensions as opposed to any stability issues in the core browser itself. How stable is stock, out of the box Firefox when compared to Internet Explorer? Andrew doesn't say, or even point at any resources on the topic.

What he DOES do is point to resources about how a poor extension can munge up the works. I was immediately reminded of having to dive into the Windows Recovery Console when a Dell desktop at work was rendered unbootable by a bad video driver. I was reminded of the time a bad sound card driver caused a Compaq Desktop to reboot whenever the "New Mail" message played. I was also put in mind of debates I'd had with friends over how many of Windows 2000's stability improvements were related to real code changes, and how many to the "Driver Signing" initiative to increase device driver quality.

I was also reminded of all the times I had to clean up AOL installs that had rendered the office LAN connection useless on "Road Warrior" laptops.

Andrew had a chance to pit Internet Explorer against Firefox on stability and instead chose to point out that Firefox, like all software, is vulnerable to problems caused by poorly written third party code. It's a shoddy misdirection tactic that, yet again, makes it look like he's trying to hide something. Why does Andrew fail to pit IE 7 against Firefox 2 in a real stability contest? Is he trying to imply that IE can't be crashed by a poorly written third party add-on?

Myth - "Firefox is the Fastest Web Browser"

While the source Andrew links to describes itself as being "over two years old" it does include statistics for recent versions of Opera, IE and Firefox. I was not surprised to see Opera was the fastest browser. Opera is, after all, the vendor of choice for optimized and embedded web browsers. It looks like some of their optimizations made it into the main browser.

http://www.howtocreate.co.uk/browserSpeed.html#winspeed

That said, I was surprised that Firefox 2 and IE 7 were neck-and-neck, with one browser outperforming the other at different functions. With the exception of starting the web browser, the average user will likely see no real difference between them, as the gains of one area will be swallowed up in the losses of the other.

Myth - "Firefox is Faster than Internet Explorer 6"

Andrew used http://www.howtocreate.co.uk/browserSpeed.html#winspeed as his source, and I will do the same. I will use this data to compare IE 7, Firefox 2 and Opera 9. To see how Andrew's beloved IE 6 stacks up, I'll include it as well. The speeds are in seconds.

| Browser name | Cold start | Warm start | Rendering CSS | Rendering table | Script speed | Multiple images | History |
|---|---|---|---|---|---|---|---|
| Firefox 2.0 | 11.64 | 3.05 | 1.71 | 1.62 | 22 | 2.03 | 48 |
| Internet Explorer 6.0 | 6.99 | 1.77 | 1.32 | 1.33 | 60 | 2.32 | 32 |
| Internet Explorer 7.0 (b3) | 7.8 | 2.4 | 2.13 | 1.47 | 36 | 2.47 | 39 |
| Opera 9.01 | 2.47 | 2.24 | 0.84 | 1.08 | 13 | 1.44 | 8 |

First we see that Opera is, indeed the fastest. Opera's experience in writing embedded browsers has clearly served them well. It's the fastest in all categories. IE 7 is the slowest on some tasks, while Firefox 2 is the slowest on others. Surprisingly, IE 6 was the slowest on script execution.

What I want to point out is the gap between Internet Explorer 6 and Internet Explorer 7. Notice how IE 7 performs worse than IE 6 on all tasks except Script Speed.

Myth - "Firefox is Faster than Internet Explorer 7"

Andrew writes: "Internet Explorer 7 is clearly faster than Firefox 1.x and 2.x in 4 out of 7 measures of performance" and he's right. Of the performance measures given, IE 7 outdoes Firefox in 4 out of 7.

Of course, IE 6 outperforms IE 7 in 6 out of 7 of those same metrics. Why isn't he crowing about that?

Myth - "Firefox is Faster than Mozilla"

The test results would lead one to believe that once you get outside of the realm of Hyper Fast Opera, most of the other browsers are snails on Valium. This seems a fair assessment. With the exception of launching the application, Firefox 2, IE 6 and IE 7 differ by less than half a second on most tasks. Firefox Murders IE 6 and IE 7 on Script Speed, but is in turn pummeled on "History" browsing, something that the original tester describes as a test of how efficiently the browser used its cache.

Ultimately, the average web user will only notice a real speed difference when launching the application, or when doing ANYTHING in Opera.

Myth - "Firefox Gained 25% Market Share in May 2007"

Myth - "Firefox Achieved 20% Market Share in January 2006 in Europe"

Myth - "Firefox Achieved 10% Market Share in 2005"

I'm grouping these three together because they are just claims about where Firefox's market share was at a given point in time. Geocities was once the single most popular free website destination and AOL once provided Internet access to over 70% of the people who were online. Netscape 4.x was once the KING of the web browsers to the point where people giggled at Internet Explorer. How many of those statements are true today?

What matters is not the popularity of a browser at a given place in time, or the accuracy of a given article about that popularity but trends in the browser's growth. The problem of course is that it's damned difficult to get reliable browser metrics. Yes, you can get a report about the popularity of a web browser on a given web site, but estimating worldwide popularity or even regional popularity is a hit or miss proposition. The ease with which Firefox and Opera users can spoof their Browser ID makes accurate detection even more difficult.

According to http://marketshare.hitslink.com/report.aspx?qprid=3, one of the sources used by Andrew in his "Myth Debunking", Firefox grew from 11.84% of the browser market to 14.37% in the space of 11 months. According to http://www.w3schools.com/browsers/browsers_stats.asp the picture is very different:

| 2007 | IE7 | IE6 | IE5 | Firefox | Mozilla | Safari | Opera |
|---|---|---|---|---|---|---|---|
| July | 20.1% | 36.9% | 1.5% | 34.5% | 1.4% | 1.5% | 1.9% |

Just looking at the stats from a different site gives Firefox a full third of all browser usage.

I think the definitive word on the matter comes from http://www.upsdell.com/BrowserNews/stat.htm

Caution: stats mislead. Caching distorts raw data; audiences vary for each site; methodologies vary for each survey; surveys miss or omit important details; surveys mis-identify browsers or other user agents; some search spiders pose as browsers; small sample sizes exaggerate fluctuations; and stats don’t count those who stay away because their browsers are not supported.

Caution: browser stats may help you decide when a browser is so uncommon that a site need not support people who use it; and the stats may satisfy the curious; but the stats are useful for little else.

They then give a breakdown of stats based on their source. Please note that Mozilla and Firefox are lumped together in their graph under the heading "Gecko Based."

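Browser Usage Stats (%)

| | source 1 | source 2 | source 3 | source 4 | source 5 | source 6 |
|---|---|---|---|---|---|---|
| IE7 | 28 | 33 | 31 | 22 | 22 | 19 |
| IE6 | 39 | 45 | 58 | 47 | 57 | 33 |
| IE5 (windows) | .65 | .4 | .65 | 17 | .7 | 1.2 |
| IE5 (Mac) | | .2 | .1 | | | |
| KHTML based | 2.2 | 4.6 | 2.2 | 2.3 | 3.3 | 4.2 |
| Gecko based | 29 | 15 | 7.7 | 11 | 15 | 39 |
| NN8 | .1 | .15 | .1 | .1 | | .05 |
| Opera | 1.3 | 1.1 | .1 | | .7 | 2.1 |
| Mobile | .1 | .3 | | | | 1.0 |
| other | .25 | .25 | .45 | .25 | .15 | .35 |
| unidentified | | | | | 1.3 | |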

As you can see, you can make whatever claims you want about browser popularity if you pick the right source. The margin of error is massive.

The only REAL question for developers is: "Should I support Firefox on my web site and if so, what versions?" Given the fact that anywhere from 11% to 39% of all Internet users are running Mozilla, I'd say the answer is probably "Yes."

Myth - "Firefox Achieved 150 million downloads in January of 2006"

Yes, there was one month where the number of downloads was over counted, specifically by about 20 million. Firefox really had 130 Million Downloads in January of 2006. I'm sure lots of people cared in January and February of 2006.

Myth - "Firefox is Secure"

Compared to what?

As Andrew points out "You only need one vulnerability to be insecure" so let's take a look at the metrics he uses and compare Firefox to Internet Explorer 6, Internet Explorer 7, and Opera 9, all on Windows. After all, it wouldn't be fair to count Linux and Mac bugs when comparing Internet Explorer to the other browsers on security. If IE is an option for you, you're running Windows, and Mac and Linux bugs aren't really relevant.

Elsewhere on the page, Andrew makes a big deal out of the need to patch your browser and keep it up to date.

| secunia.com | Unpatched Vulnerabilities | Total Vulnerabilities | % unpatched | Rating |
|---|---|---|---|---|
| Firefox 2.x | 6 | 14 | 42.86% | Less Critical |
| IE 6 | 21 | 118 | 17.80% | Moderately Critical |
| IE 7 | 10 | 18 | 55.56% | Highly Critical |
| Opera 9 | 0 | 9 | 0.00% | No Rating |

Is Firefox perfect? No. Is it more secure than Internet Explorer? According to Secunia.com it is.

Andrew's next source is CVE

http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox

According to a CVE search for the term "Firefox" there are 290 Entries.

For Internet Explorer, there are 606.

For Opera, there are 79.

The search Andrew used does not tell you which of these are patched and what their severity is. According to CVE, Internet Explorer has over twice as many vulnerabilities as Firefox. The search Andrew used doesn't tell us how many of these are unpatched vulnerabilities in the wild. A quick review of the first page of hits tells us that for all three browsers, most of the "vulnerabilities" are patched, and some only happen under very specific circumstances. CVE-2007-3924, for example, only happens if a user has IE and Netscape on the same machine, and uses a link in Internet Explorer to launch Netscape.

Andrew's CVE number is not just useless, it's misleading.

Finally, there's the 190 Security Advisories on http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox all of which are fixed and most of which were fixed BEFORE any exploits were in the wild.

Myth - "Firefox is the Most Secure Web Browser"

To be fair, according to secunia.com, Opera is far more secure than either Firefox or Internet Explorer. Many people are fond of saying that Firefox's superior security rating is due to its reduced popularity. Could Opera's current rank be due to it having less than 2% of the total market share, or is it just written better? Ultimately, we won't know unless Opera, Firefox and IE evenly split the browser market.

Myth - "Firefox Vulnerabilities are Quickly Patched"

Andrew links to two bugs that have been unpatched since 1994. One of them is a Mac OS only bug, hardly relevant for Windows users. It exposes users to a potential Phishing attack if Java is enabled. The other bug refers to the fact that a web site can set a country wide cookie. For example, a web site in the .ru domain could set a cookie that can be read by all .ru domains.
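The country-wide cookie problem comes down to how a browser validates a cookie's Domain attribute. The sketch below is an added example, not code from the original post or from any browser: it compares a lax check with one that refuses public suffixes. The host names, the function names and the four-entry suffix list are constructed for illustration, and the example goes slightly beyond the .ru case by also covering a two-label suffix.

```javascript
// Added illustration (not from the original post): how a browser decides
// whether to store a cookie that carries a Domain attribute.

// Constructed sample only. A real browser consults the full Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["ru", "com", "uk", "co.uk"]);

// Lower-case and drop a single leading dot (".ru" and "ru" are equivalent).
function canon(name) {
  const s = String(name).trim().toLowerCase();
  return s.startsWith(".") ? s.slice(1) : s;
}

// IP literals never take part in suffix matching.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// RFC 6265 section 5.1.3: identical, or host ends with "." + domain.
function domainMatch(host, domain) {
  const h = canon(host);
  const d = canon(domain);
  if (h === d) return true;
  return !isIpLiteral(h) && h.endsWith("." + d);
}

// Decide whether a cookie sent by requestHost with the given Domain attribute
// is stored. checkPublicSuffix=false models the lax behaviour described above.
function acceptCookie(requestHost, domainAttr, checkPublicSuffix) {
  const host = canon(requestHost);
  if (!domainAttr) {
    return { stored: true, hostOnly: true, scope: host, reason: "no Domain attribute" };
  }
  const domain = canon(domainAttr);
  if (checkPublicSuffix && PUBLIC_SUFFIXES.has(domain)) {
    // RFC 6265 section 5.3: a public-suffix Domain is ignored unless it is
    // exactly the request host, in which case the cookie becomes host-only.
    if (domain !== host) {
      return { stored: false, hostOnly: false, scope: null, reason: "Domain is a public suffix" };
    }
    return { stored: true, hostOnly: true, scope: host, reason: "suffix equals host, kept host-only" };
  }
  if (!domainMatch(host, domain)) {
    return { stored: false, hostOnly: false, scope: null, reason: "host is outside Domain" };
  }
  return { stored: true, hostOnly: false, scope: domain, reason: "domain cookie" };
}

// Would the stored cookie be attached to a request for targetHost?
function sentTo(cookie, targetHost) {
  if (!cookie.stored) return false;
  const t = canon(targetHost);
  return cookie.hostOnly ? t === cookie.scope : domainMatch(t, cookie.scope);
}

function demo() {
  const setter = "www.example-a.ru";   // constructed host that sets the cookie
  const other = "login.example-b.ru";  // constructed, unrelated site under .ru
  const lax = acceptCookie(setter, ".ru", false);
  const strict = acceptCookie(setter, ".ru", true);
  const own = acceptCookie(setter, "example-a.ru", true);
  return {
    laxLeaks: sentTo(lax, other),            // cookie reaches an unrelated .ru site
    strictLeaks: sentTo(strict, other),      // rejected at set time, never sent
    strictReason: strict.reason,
    ownReachesSibling: sentTo(own, "mail.example-a.ru"),
    ownLeaks: sentTo(own, other),
  };
}

console.log(demo());
```

The legitimate case still works under the strict check: a cookie scoped to the site's own registrable domain reaches its sibling hosts and nothing else.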

Of course, Internet Explorer has vulnerabilities that have remained unpatched since 2003, "which can be exploited by malicious people to execute arbitrary script code on a user's system."

http://secunia.com/advisories/9056/

In the end, evaluating the relative security of a web browser can't be done by counting off the number of "bugs" that have been found. Windows XP shipped with a much mocked 64,000 "defects" most of which were cosmetic annoyances only the developers noticed. Counting off "Vulnerabilities" with no regard to the relative security of those vulnerabilities is the trick of a Pointy-Haired boss with little to no understanding of technology.

A real evaluation of Firefox vs IE or Opera requires more than a handful of security warnings cherry picked from the Internet.

Myth - "Firefox is More Secure because it is not integrated into the OS"

The only mention of this "Myth" on

http://news.zdnet.com/2100-9588_22-5630529.html

is the line "Not being in the operating system is a phenomenal advantage for us."

The quote is largely out of context. Firefox, Safari and Opera developers share an advantage over IE, in that they don't need to worry how their changes will, for example, impact the OS Help viewer. There are fewer vectors for software bugs when your product is not part of the Operating System.

The reality is, your COMPUTER is more secure when your web browser isn't integrated into your operating system. Merging the file and web browsers alone opens you up to a variety of potential threats. Let's take a corporate situation as an example. A user accesses a shared network drive and in one of those folders is an HTML file that, if opened in your web browser, will infect your PC with malware. It's a Zero-Day exploit (Happens to all web browsers, even IE) and it's so new your corporate antivirus program does not yet detect it.

If your file browser is NOT integrated with your Web browser, then you open the directory looking for that quarterly report, see it's not there and move on. You'd have to open the file itself with your web browser to get infected.

If your web browser IS integrated into the file browser, as it is in Windows, when you open the folder Windows parses the HTML file in order to generate a thumbnail for your viewing pleasure, thus allowing the virus to infect your PC.

I don't pick this example lightly, as it describes the process by which an entire department at one of my former jobs found their PCs infected with a virus. Some people tried to delete the virus laden file from the network drive, but ended up getting infected themselves in the process. It was the last day anyone in that department used the "Thumbnail" view for Windows Explorer.

Let's take another situation. A MAJOR security flaw is discovered in your browser of choice. If it's NOT integrated into your operating system, you can, if you so choose, uninstall it. You can do that with Opera and Firefox, but you can't do it with Internet Explorer.

The Web Browser is not necessarily more secure if it's not integrated into the OS, but the OS is more secure if there are no integrated web browsers.

Myth - "Firefox is More Secure because it does not use ActiveX"

In the bad old days, ActiveX was essentially a technology that allowed web developers to write executable code that ran whenever someone visited their web site. This code ran on the local machine of the end user, not on the server. Many viruses, trojans and other malicious programs were written to exploit this technology.

The major difference between this and Java, aside from Java being cross platform, was that ActiveX ran without a sandbox. Java code ran in an isolated form and barring a software bug, could only touch your local files if you granted it permission. ActiveX on the other hand could upload your entire "My Documents" folder to "Hackers R Us" in the background without so much as asking you if it can read a file.

Eventually, Microsoft added a confirmation prompt to execute ActiveX components. Ironically, this was not because of security concerns, but because of a legal dispute over a patent. It seems Microsoft got to bypass a lengthy and expensive legal battle by adding that dialog box.

Today, the security is a little tighter, but it's still painfully easy for ActiveX to muck up a Windows PC, Dave Massey's Blog notwithstanding.

Myth - "Firefox Extensions are Safe"

Third party products are always a potential vector for security problems. The ease with which Firefox add-ons can be developed has led to a number that are less secure than they should be, and a few that are downright deceptive. There's an ongoing debate about how easily the "Trusted" designation is granted to Firefox add-ons. This "myth" is another of the rare instances where Andrew raises a valid point. People are not as aware of the security vulnerabilities present in third party products as they should be.

All that said, I find myself wondering if similar security concerns exist for Opera Widgets and Internet Explorer Add-ons. The wise course would be to assume that the third party code for those browsers is as vulnerable as that of Firefox.

Myth - "Firefox is a Solution to Spyware"

No, Firefox won't uninstall existing spyware, and it won't protect you from downloading and running a virus infected executable, if you are indeed dumb enough to do such a thing.

If you click "Yes" to grant an unknown Java program unfettered access to your PC, you can get a bevy of Spyware, even with Firefox.

http://www.vitalsecurity.org/2005/03/firefox-spyware-infects-ie.html

Yes, older versions of Firefox are apparently vulnerable to an InstallVersion.compareTo() exploit.

http://sunbeltblog.blogspot.com/2006/04/pssstyou-wanna-see-firefox-exploit-in.html

I've dealt with a long list of sales reps and office personnel who had chronic spyware problems. Installing Firefox stemmed the tide, because suddenly, they had to actually DO something stupid to get infected, as opposed to merely visiting the web site. I like to compare using Firefox to using a condom. It's not 100% safe, but it's a damn sight better than the alternative.

Myth - "Firefox 2's Phishing Protection is better than Internet Explorer 7"

I'm going to flat out call Andrew K a liar on this one.

The test he linked to did NOT evaluate Mozilla 2.0's Anti-Phishing filter. The Firefox Phishing filter was introduced in version 2.0, but the study only tested IE 7 against Firefox 1.5.x running the Google Site Adviser. The ONLY mention of Firefox 2.0 is the line "Mozilla recently released a beta of Firefox v2 that incorporates some of this technology directly into the browser, using the same block list service as Google’s “Safe Browsing” tool."

The study Andrew K used to "debunk" Firefox 2's anti-phishing filter never even evaluated that filter.

Myth - "Firefox's Memory Leak is a Bug"

This is one of the few gems of actual information in the article, particularly the link to the article on reducing Firefox Memory Usage.

http://kb.mozillazine.org/Memory_Leak

Myth - "Firefox supports Extensions and Internet Explorer does not"

Yes, IE had "Add-ons" as early as 1997, but the interface and development kit were poor and cumbersome. They were poorly integrated and infrequently used. The real innovation for Firefox was the creation of a quick and easy process for creating plug-in technology and the integration of an easy, simple Add-On Manager.

Yes, Microsoft did it first, but they did it so poorly it wasn't until Firefox came along over a decade later that anyone took notice.

Myth - "Firefox supports Extensions and Opera does not"

I was pleased to learn that Opera had added "Widgets" as of version 9.0. It's only fair; after all, Firefox did steal tabbed browsing from Opera.

Myth - "Firefox supports an Inline Search Feature and Internet Explorer does not"

This "Myth" should just be reworded to say "IE does not support inline search, unless you install extra software." Remember, Andrew K argues that Add-ons are a BAD thing when discussing Firefox stability. Why then does he advocate one here?

The simple fact is, Firefox supports it out of the box, IE does not. Andrew K didn't mention any of the performance tweaking tutorials for Mozilla when discussing relative speed and performance, so why should he then get to mention an add-on for IE?

http://devnulled.com/content/2004/12/how-to-make-firefox-faster/

Myth - "Firefox was the first Web Browser to include an Integrated Search feature"
Myth - "Firefox was the first Web Browser to include Pop-up Blocking"

Again, here, Andrew gets it right. Integrated Search and decent pop-up blocking were first introduced by Opera. Opera also introduced tabbed browsing. I'm surprised Andrew didn't mention this.

Myth - "Firefox had Pop-up Blocking before Internet Explorer"

This is more a word game than anything else. Mozilla, the suite from which Firefox evolved, had pop-up blocking long before Internet Explorer. Since the Firefox name wasn't applied to a Gecko based browser until after IE added rudimentary pop-up blocking, you can technically, if misleadingly, claim IE had it before Firefox.

Myth - "Firefox Blocks all Pop-ups"

I want to see an actual source for this claim, other than the screen shot hosted on Andrew K's site. I've never before heard anyone claim Firefox blocks ALL popups. I've heard people say they haven't gotten one SINCE installing Firefox, but that's not the same as claiming it blocks them all.

Summary:

Andrew's comments about browser speed were the best supported of the article. Outside of that, most of his really "good" points were either pedantic, like Firefox NOT being abbreviated with a "FF", or turned to random, uninformed comments posted in unrelated forums. If the major source for a myth is, like the "Firefox is Bug Free" claim, a Pet Lover's web site, then the myth itself isn't really worth discussing.

He chose questionable, even laughable sources for his "Myths" and took outrageous statements, like "Firefox is bug free" and treated them seriously, as if the rantings of a handful of ill-informed newbies were representative of opinion at large.

He also took great pains to massage data to where it suited him. He was inconsistent with which browser versions he used for comparison, mixing and matching Firefox 1.x, Firefox 2.x, IE 6 and IE 7. This resulted in a highly biased article that gave the impression of trying to hide something.

He did make some good points, particularly when evaluating the relative speed of the Firefox Web browser against Opera, but these were lost in a sea of poorly supported half truths. If he stripped away the carefully massaged statistics and pointed out some of the potential flaws in his own arguments, he could make a very good case for trying Opera. Sadly, he chooses instead to stoop to misleading tactics and pedantic issues, squandering the opportunity to do more than just piss off die hard Firefox users.

Ironically, he fails to mention the fact that the free Opera browser is no longer ad supported.