[ale] nailing down firefox security and privacy - PT 1

Michael B. Trausch mike at trausch.us
Thu Oct 13 00:54:18 EDT 2011


On Wed, Oct 12, 2011 at 04:58:51PM -0400, Ron Frazier wrote:
> comments inline

Is there any other way (that's generally accepted)?

> On 10/12/2011 11:22 AM, Michael B. Trausch wrote:
> > On 10/11/2011 05:38 PM, Ron Frazier wrote:
> >
> >> As I've mentioned in other posts, I like to keep my shields at
> >> the paranoid level, whether I'm running Windows or Linux.
> >> [...]
> >> There are a number of security and privacy settings which come
> >> into play with Firefox, and it's not always obvious how to set
> >> them.  I'm going to explain how I set mine up in order to
> >> maintain a high level of security as well as a decent level of
> >> functionality.
> >> [...]
> >> Hopefully, the research I've done will help others who want to
> >> keep their shields high.  Some of you may already know this
> >> stuff, but some others probably don't.
> >>
> > I have said it before, and I will say it again: The only way to
> > "keep the shields high" is to provide education.  Technology (in
> > particular, things like you advocate here) can *not* save users
> > from anything.
>
> I agree that users should be educated, and should practice smart
> safe computing.  But the fact is, they're human, and they make
> mistakes.

Nobody is making a claim that anybody is perfect, let's get that
sorted straight away.  I am sure that even Mr. Warfield or Mr. Kinney
have made security-related mistakes in their respective areas.  I know
that I certainly have.  That is but one reason why frequent backups
are a best practice, why frequent testing of backups is generally
encouraged, and why the ability to quickly restore things to get them
back up and running again is important.

Most end-users have nothing to lose by reformatting and reinstalling.
On the other hand, those of us who base our entire lives around
working with computers and technology stand to lose a lot of time and
money if we do not have a safety net in place.  And that's exactly
what I would call a good backup strategy: a safety net.  If you
seriously screw something up, you'll always be able to go back to a
recently created backup of your state and be able to move forward with
minimum losses, regardless of what happens.

> I could not disagree more that technology will not save users from
> anything, in that you stated it as an all encompassing universal
> negative statement.  When stated as a universal statement, that is
> patently false.  It is entirely possible, sort of practical, and
> frequently preferable to use technology in addition to user
> education, to create a layered defense against attack.

Then you misunderstand what I have said already.

Technology is a *tool*.  Software is a *tool*.  By and large, we use
computers to automate tasks that used to be time consuming and
difficult.  In that regard we have significantly improved performance
in nearly every area of business, and our personal lives benefit,
too.  Unfortunately, we have lots of "stupid" out there in the world,
and we have to be forever defensive.  Thankfully, however, it is
stupid-easy to do just that.  Stick to what you know, and nothing
more.  That is perhaps the single best way to not get something nasty
on your computer.

What's worse?  There is not enough stigma attached to computer viruses
and the like, there really isn't.  They are so commonplace because
users simply have no fear of getting them.  They don't realize that
they're really promiscuous in their Internet lifestyles.  They don't
know what promiscuous even *means* in the context of the Web.  It's
not typically any real shortcoming in intelligence, either, though
most people think that there is such a thing as "computer stupid" or
"computer dumb".  No, they just sell themselves short and figure that
since it's not something they were classically trained about, they are
unable to apply critical thinking skills and truly learn.  They, for
whatever reason, aren't comfortable with real learning and are instead
only comfortable with memorization.

> I have a personal real world example.  One of my family members is a
> fairly knowledgeable, fairly computer savvy, and fairly security
> savvy user.  Recently, she happened on a malicious website by
> mistake while searching around for something else.  Immediately, a
> dialog box pops up on the screen, which says something like Windows
> Security 2000 Warning, or something.  It has a nice graph going
> across the screen, showing a virus scan in progress (supposedly).
> It posts a message saying that malware has been found on her system,
> and asks if she'd like to disinfect it now.  It looks VERY real.  In
> the 5 seconds of indecision she had, she clicked the YES button, and
> that let the virus in the door.  Everything on the screen was fake.

You left out the part where she downloaded and opened the program that
is required to do this.  Programs don't just auto-download and open on
the client system, even on something as insecure as Windows.  Java
applets cannot spawn executables, JavaScript cannot spawn executables,
and Flash cannot spawn executables, so the user still actually has to
download and then open an executable in order for it to deliver its
payload.

Of course, since this user was running Windows, that also means that
they had to accept an additional prompt to run the file that was
downloaded from the Internet.  When a Web browser downloads a file on
Windows, it creates an auxiliary NTFS data stream for the file,
essentially flagging it as something that arrived from the Internet.
Before you can execute that, you are prompted for input to tell the OS
that you really do want to execute the file.  IIRC, it even lets you
view the information and digital signature if one is present, though I
download things so rarely on Windows that I can't tell you if that's
100% accurate or not.

> Then, she thought about it and called me and I logged in remotely to
> look at it.  I told her everything on the screen was fake.  I spent
> the next week rebuilding her machine.  I know, beyond the shadow of
> a doubt, that if she had the technology set up the way I recommend,
> the popup windows would never have happened and her system would not
> have been infected on that occasion.  Now, those of us that keep up
> with security news have heard about those ruses.  She'd heard about
> it too, but she'd never SEEN it.  When she actually saw it, that
> little bit of indecision and panic is what got her.

These ruses have been around for no less than a decade... they're old
hat by now.  Most of them even (stupidly!) re-use the same names from
year to year.  I have cleaned up several of them in their 2006 through
2011 variants in the last, well, five years (basically since I decided
that I did indeed need to at least gain some deeper familiarity with
something newer than Windows 95).

Similar things have existed since the days of early UNIX, even; they
were called "trojan horses".  Of course, avoiding trojan horses _can_
be difficult.  But all of the "low-hanging fruit" ones on the Internet
today are specifically targeting Windows, usually targeting users
visiting sites of questionable utility, including things like online
casinos and pornography sites.  Most of the "infections" that I clean
are things that come from those sorts of venues, though I have seen
people download crap from dirty breeding grounds such as you can find
by googling for "windows software downloads".

> > I find this brand of advice to, itself, be unethical.  It
> > propagates the mindset that technology can solve our problems
> > better than education, and actively serves to lower the collective
> > expectations of not only end-users, but that of IT support people
> > like myself who then have to do even more hard work to try to get
> > people to understand that they are the key, not the software that
> > is running on their computer.
> > [...]
> > It is wrong to teach this to people because it is, and it ALWAYS
> > WILL BE, patently false.
>
> I totally agree that the users should be educated and taught how to
> deal with the risks that are out there.  I have NEVER advocated that
> taking any set of steps technologically absolves the user of using
> his / her brain.  However, there is nothing unethical about me
> teaching people who are interested how to lock the doors, so to
> speak, on their computer.

Disabling some plugins and installing others aren't like doors.
Network ports are more like doors.

Don't get me wrong; Web browsers are built by people, and people
aren't perfect.  Yes, there are potential security vulnerabilities in
Web browsers, just as there are with any other type of software.  The
way to mitigate that risk is to simply not visit unknown or untrusted
Web sites.  Or, at the very least, if you're going to visit unknown or
untrusted Web sites, do it on a secondary system (or even simply as
another, unprivileged user on your normal system) so that you can
easily isolate problems.

> Furthermore, just because I advise you to lock your doors at home,
> that doesn't mean that I'm encouraging you to do something silly
> like walking through a bad neighborhood waving 1 Million dollars
> around so thieves can follow you home, break down your door with a
> sledge hammer, and rob you and kill you.  It is entirely expedient
> for the safety and risk conscious computer user to use technology to
> augment the behavioral steps they're taking and reduce their radar
> cross section on the attacker's screen.  Indeed, it would be
> unethical for me NOT to teach interested users how to do this!

In nearly two decades of browsing the Web, I can say that I have never
once caught anything from a problem due to Flash, Java, or
JavaScript.  I can attribute this to nothing more than simply being
aware of where I am and where I am going.

If I don't like the style of advertisements that a Web site has on it,
I don't go there.  If a Web site has those stupid little JavaScript
hover link video things, I don't go there.  Of course, if I like a
site's content enough, I will visit, and I will let the ads appear in
my browser.  Why?  Because I'm not in the majority that believe that
it is okay to leech from the Web simply because a few horrible sites
unworthy of visits from anyone do horrible things with their
advertisements.

> However, what I thought you were saying at the time was that you had
> posted this open wifi in order to entice and entrap users (my words,
> not yours) and then redirect them to this ugly site.

No, I didn't create it for that purpose.  I created it because I was
constantly dealing with increasing lag and low bandwidth problems
because I lived in an apartment complex at the time, and everyone
there seemed to have computers and WiFi cards, but no Internet.  I had
a reasonably fast Internet connection and apparently word like that
spreads.

I originally got the idea from a blog somewhere.  The original idea
was something along the lines of performing certain transformations on
Web pages.  However, that still rendered the connection useful, and it
didn't handle things like, well, anything but HTTP on port 80.  So, I
created another solution.  I redirected all ports on all unrecognized
MAC addresses to a single system on port 80.

This mostly just rendered everything but the Web useless, and those
who were opening a Web browser would be offended and (hopefully) never
connect again.  I don't recall seeing a MAC address more than once, so
it seems that it succeeded.

> That is what I meant to say I thought was unethical.  And, I believe
> my original comment was that it borders on being unethical, or
> something similar.  So, what you're saying now is that you basically
> want to give a bloody nose (in effect) to squatters who are using
> your hotspot without your permission.  I see your motivation to do
> that.

Indeed that is what my motivation was.

> I see three potential problems with that.  A) Many people feel that
> they are entitled to connect to any available hotspot, like it's
> breathing air or something.  I don't agree, but that's what they
> think.

It is an all too common problem.  It happens for far more than simply
WiFi access.  Entitlement is pandemic in our world.

> B) Many people don't know what hotspot to connect to in an
> unfamiliar city or whatever, so they simply choose one from a list.

Basically (A), restated in a different context, sure.

> C) Many PC's are set up to automatically connect to the strongest
> signal they find.  So, the user may not even know he's connected to
> your hotspot.

I am not familiar with any operating system that does this.  Windows
XP, Windows Vista, and Windows 7, as well as every Linux distribution
I have run that uses NetworkManager, requires that you select a
network before it will connect to it.  They often remember the
networks that they have connected to, though, often simply by SSID.
Then you have to worry about connecting to generic network names like
"linksys", but you can work around that by simply telling it not to
ever connect to a wireless network automatically.

> So, even if you're not enticing people or entrapping people, there
> is a significant chance that innocent or relatively innocent people
> will connect to the hotspot, and get to your gruesome site.  What if
> a 10 year old connects on his ipod, etc.  So, even if the practice
> is not unethical, I see many potential problems with it.

That 10 year old will likely think twice about connecting to open
networks in the future, I'd suspect.  Just as almost anyone but the
sickest of elements out there.  Though, that would be much more likely
a problem today, and in my current location, than during the time I
was at the apartments.

> > It seems that Ron thinks that an open wireless network somehow conveys
> > implicit permission to use it---and this is a problem with a lot of
> > society.  They think the same thing.  They think that if there isn't a
> > safeguard in place on something that they have the entitlement to go
> > through it.
>
> I never said that, don't believe it, don't condone it.  However, to
> prevent either intentional or inadvertent squatting by others of
> your wifi connection, I recommend strong WPA / WPA2 encryption with
> a very beefy cryptographically strong password, if you can.

Of course.  That should be pretty much standard practice today, now
that all networks and all wireless network devices support the use of
strong wireless network encryption.  Additionally, most modern devices
have this WPS button, as do routers, so people can use strong
encryption on their devices without even really thinking about it.
(The theory is that two devices that are close in proximity and
controllable by the same individual are "allowed" devices on the
network.  Simple, but works in many situations.)

> >> While not directly related to Firefox, I strongly recommend using the
> >> OpenDNS ( http://opendns.com ) system to resolve your domain names.
> >> They automatically apply phishing protection to all DNS queries as far
> >> as I know.  If you desire to, you can also filter certain sites based on
> >>
> > I would strongly recommend that people NOT use OpenDNS.  Why?  Because:
> >
> >   * They break the DNS standard. [...] [they] also break SSL
> >     sessions in certain circumstances and gives users a far more
> >     cryptic error than "the server appears to be down". [...]
> >
> >   * They are a blacklist.  Blacklists contain errors. [...]
> >
> >   * They actively go through the data they collect [...] I don't trust
> >     them to not misuse that information.  Do you?
> >
> >   * [...] do you think that the people you advocate OpenDNS to are
> >     even capable of making the realization that they are they [are
> >     trusting] the system and the people behind it not to screw
> >     them in some way?
>
> I can't speak to the technical merits of OpenDNS.  I use it because
> it provides me phishing protection and content filtering.  I stated
> the content filtering was only effective 95% of the time.

And this is probably a major overstatement.  There is no way that one
individual, team, or even large corporation can keep up with all of
the new sites that appear every day on the Internet.  And with all of
the sites that there are on the Internet, even a 1% error is an awful
lot of Web sites.

Given that we cannot state the unknown, and we don't know how many
sites exist but are unknown, and that we know that such businesses
cannot keep up, I would think that an estimate of maybe 50% to 70%
accuracy might be even generous.

> The same may be true of the phishing protection.  However, I'd
> rather have shields for 95% than 0%.  I trust the motives of the
> OpenDNS folks more than I do of Comcast and other major ISP's.

Most of the stuff that public services filter out is the readily
identifiable stuff.  The stuff that can almost convince me is usually
done intelligently enough to "look" legitimate.  Well-designed
æsthetics and so forth, links that look valid, an overall
professional, polished appearance.  Typically, all the i's will be
dotted, the t's will be crossed, and the words spelled correctly.
Typical headers will be used, and the message won't "look" like spam
or phishing to most filters (or for that matter, most humans).  Those
are the ones that are really to be worried about, and those are the
ones that will very likely get you good.  They are, after all,
targeting a very different audience.

Humans are much better at detecting such frauds, given education, than
computers are.  It's also not bad advice to tell people to assess an
email based on whether or not they expected it in the first place.
After all, if you're not a Netflix customer and you're getting mails
from Netflix, ignore them.  Or if you're a Chase customer and you have
emails from "Wells Fargo" asking you to refresh your account
information, even if it does look legit, you can know that it is not
because, well, you don't have an account there.  If you've never heard
of the business, then don't even bother opening the email.

Been using net mail for almost two decades without incident, even when
I was using horribly complex MUA software that was most likely to be
targeted with any form of exploit.

> >> Now, on to Firefox.  The latest version is 7.0.1.  You should
> >> have this or later once you upgrade or install anew.  They've
> >> been ramping the versions up very fast lately.  The big thing in
> >> UI design these days seems to be to eliminate the menus.
> >> Personally, I hate this design.  So, the first thing I do in this
> >> case is to turn the menus back on.  Firefox will have a little
> >> orange "Firefox" button in the upper left.  Click that, hover
> >> over options, and check menu bar to turn it on.  You should now
> >> have a menu.  You can select help, about to check the version
> >> number.  In some systems, you will see a check for updates button
> >> in this window.  Click View, hover over toolbars, and turn on the
> >> Add-on bar, if it's not already on.  You can rearrange buttons in
> >> Firefox by clicking on the empty area to the right of the menu
> >> and clicking customize.  You can then move things like the back
> >> and forward buttons around, or drag things from the dialog box to
> >> the menu areas or add-on bar.
> >>
> > Minor technical nit, here: I've always had to enable the
> > streamlined menu.  I don't understand why you dislike it, but I
> > find it to be more efficient, and it does yield more (albeit only
> > slightly) real-estate to the browser window.
>
> Different strokes for different folks.  Some say PO-TAA-TO.  Some
> say PO-TAH-TO.  Some like shiny laptop screens.  Some like matte.
> Personal preference.  What I don't like is them suddenly and fairly
> radically changing the UI during an upgrade and me having to spend 2
> hours googling just to put my browser back the way I like it.  If
> they want to give me a choice, then they should actually give me a
> choice.

It does.  That's what the configuration is for, and it's just a
right-click away.  But defaults can and do change in virtually all
software over time.  At least they retained the option---there are
some major program maintainers that like to change the defaults *and*
remove the options, and then you're just screwed with whatever they
handed down from above.

> >> My objective is to configure Firefox so there is no unauthorized
> >> scripting, little or no unauthorized tracking, little or no
> >> unauthorized storage of information on my PC, and no unauthorized
> >> pop-ups.
>
> > I am sure that you realize that this is completely impossible
> > without causing damage to the user experience.  Even if you get an
> > end user to install all the cruft, you will find yourself (or
> > people like me, find ourselves) supporting these users and having
> > to explain to them that it's their software that is causing the
> > problem.  Then they want to know why their software isn't smart
> > enough to just do what they mean.  They then want to know why they
> > have to know anything about the whole bloody mess, when all they
> > want to do is get to their stupid games on Facebook.
>
> Yup.  I do indeed realize this.  Security and ease of use are ALWAYS
> contradictory.

This isn't true at all.  Most forms of security are quite easy to use.
It is not at all difficult to choose good pass words or phrases,
install decent virus and malware scanners if you're running on Windows
(or a non-Windows system that services Windows systems), keep one's
system up-to-date and stick to what one knows.  Those are bloody
simple, and yet they are the least frequently done things.

> I'm not advocating these settings for every user out there, or even
> average users, or even for everyone in my extended family.  I'm A)
> presenting one possible way to set things up, and B) advocating this
> for those users who are security conscious enough and technical
> enough to set it up and put up with a little hassle in order to gain
> a bit more security and privacy.

I fail to understand what you're saying here, exactly.

> If I go to a website that doesn't work just right, I will lower the
> security and privacy settings for that site, on a site by site
> basis, IF the following two criteria are true: 1) I really really
> need the site to work in some special way, as opposed to just
> displaying information.  2) I have some reason to believe the site
> is credible and trustworthy, other than what the site itself says.
> My bank, other financial sites, Amazon, Pandora, my ISP, etc. are
> all sites which I make these exceptions for.  But this list is only
> about 20 sites or less.  95% of everything I do on the web works
> well enough without scripting, tracking, cookies, stored
> information, or pop-ups.

In general, I am all for least-privilege.  In the confines of a Web
browser, I don't see the need for it so much.  If you have a great
many sites that you visit on the regular, or if you are a Web
developer and thus necessarily have a lot of things that you would
need to tweak rules for, it becomes very cumbersome.  Or, for that
matter, if you simply need to access a great many sites.  To add to
it, a lot of newer sites are coming out and making the assumption that
everyone will have JavaScript enabled in their Web browser (which
isn't an unreasonable assumption) and be designed for that scenario.

I think that "code for static browsers" was a good rule five years
ago.  I think that coding for interactivity and user experience is the
key today, and that can be done much better (not to mention, more
efficiently and typically significantly more æsthetically) if we use
scripting to accomplish it.

> >> Enable JavaScript - ON (Disabling would be more secure and safer,
> >> but many websites would break.  We'll deal with this using the
> >> NoScript plugin.)
> >>
> > NoScript isn't a solution, either.
>
> There is no single silver bullet solution to most real world
> problems.  NoScript is a valuable tool which helps prevent a certain
> genera of problems.  See the story of my wayward family member at
> the top.  NoScript, or equivalent settings in IE, would have
> prevented the problem.

Your family member's problems were most assuredly not triggered by
something that could have been prevented by NoScript, unless NoScript
blocks you from downloading executables and subsequently running
them.  IE will happily stop you from downloading executable
files, though---even from microsoft.com!  Nice and useful, you think?
If they were, then people wouldn't be downloading and installing
things on their Windows servers that are trojans, right?

No, they just disable those options because they (usually) think they
know better.

> >> Clear history when Firefox closes - ON
> >>
> > What does this accomplish?  The so-called "awesome bar" is a lot
> > more useful to users when their history is kept.  So by doing
> > this, you effectively disable the additional (and quite useful)
> > functionality.
>
> Partly personal preference.  Should the machine be compromised, the
> less privacy invading history information on the system, the better,
> in my opinion.  Also, I've heard of malicious scripts looking into
> history to find out what other sites you're going to, etc.  It also
> relates to reducing your trackability.  Many people routinely clear
> cookies.  This is just an extension of that philosophy.

This makes sense to me if, for example, you're browsing to sites that
you would be embarrassed to leak out (though that information is quite
likely easily accessible to anyone who was motivated enough to get it;
Mozilla software makes heavy use of SQLite and SQLite doesn't exactly
like to shrink its database tables when records are "DELETE"d from
it, so that information is likely never explicitly purged from the
database).  That would mean that your last browsing session at the very
least is still accessible.  I'd confirm, but I'm too tired to do so
right now, it's about bedtime.

> >> Block reported attack sites - ON
> >> Block reported web forgeries - ON
> >>
> > I have only ever encountered false positives with these settings; I view
> > them as useless.
>
> I've never knowingly encountered it at all.  However, if Firefox
> thinks the site is a problem, I'd rather it block it and then try to
> figure out why.

So essentially, you trust both Mozilla and Google to decide what you
should and should not see?

> >> Set cookies - ALLOW FOR SESSION
> >> Open Pop-up windows - BLOCK
> >> Maintain offline storage - BLOCK
> >>
> > What does this truly accomplish, other than a false sense of
> > security?
>
> It is part of my basic philosophy not to have persistent data for
> any website on my system unless I specifically allow it.  Taking
> doubleclick as an example.  If you go to site A and they link through
> doubleclick, and you go to site B and they link through doubleclick,
> then, very shortly, doubleclick will have a record of hundreds of
> sites you visit, and that data is shared with marketing types
> without your permission.

Anonymous tracking data such as that is typically useful, but they can
still use a virtual "fingerprint" of your Web browser to be reasonably
certain that they are gathering useful enough data to be able to
continue to use it in the way that they do.  Check out this page for
some additional information:  http://panopticlick.eff.org/

> Pop up windows are annoying, plain and simple.  Also, if you
> accidentally hit some malicious site by clicking an erroneous link
> or typing a web address wrong, you can end up with dozens of popups
> on the screen or porn or ads or "you have a virus" messages.  They
> can be used both to annoy and attack.  Sometimes, if they're
> malicious, just the act of trying to close them invites in a virus.
> I cannot imagine why anyone would universally want popups on.

True pop-ups are disabled by default in all modern Web browsers.  I
haven't seen a single one of them in years.

There are some that can pop up a single window in response to a mouse
click.  That only ever happens once; I don't revisit sites that do
that sort of intrusive thing.  I feel very strongly about this.  I
think that if you are using a Web site or application (particularly if
you are using it for free) then you should keep the ads on, as that
helps to pay for the service.

> > It is far easier to get people to understand that they shouldn't
> > just click every single stupid link in their email, on the Web, or
> > in a program.
>
> My family member cited above knows this.  It was unforeseeable and
> unpredictable that the link she clicked was malicious.  It looked
> perfectly legitimate from the appearance.

What does "looks legitimate" look like?  Good CSS?  Clean HTML?
Proper spelling?

Or how about reputation?  Familiarity?  I'd argue that these are the
characteristics that matter when determining when a site "looks"
legitimate.

> > That said, there is very little *true* problem with running
> > JavaScript.  Today's Web developers require JavaScript be enabled.
> > After all, we can even have that on phones these days.

[I should have said "often require" there, my mistake.]

> Keep in mind, when I run NoScript, I'm not just disabling
> JavaScript, but also Java,

Which, unless you mark an applet as trusted, cannot read, write or
delete files on your computer, create network connections to places
other than its origin (e.g., it enforces a same origin policy), listen
on network connections, create undecorated top-level windows, spawn
programs, and a fair list of other things that are not permitted.

> Flash,

I don't think that Flash can spawn executables or do any of those
risky things listed in the last paragraph, either.

> and pretty much any other automation on the page.  There are many
> potential sources of problems that turning off automation
> eliminates.  I basically don't want anyone I don't trust and know
> running mysterious and unknown programs on my computer.

I do the same thing; I just don't use software to do it.

> Any time a website runs a program from a stranger you don't know, or
> any time it invokes a "reader" to read a PDF or flash or an image or
> an animation, etc., it's just one more opportunity for crackers to
> discover a bug somewhere in your software and exploit it.

And if you keep your software up-to-date, and if you run an operating
system that doesn't mind actually being secure and rolls out updates
quickly then you have nothing to really worry about.  Seriously:

 * Keep software patched/updated.

 * Know where you're going.

 * Keep frequent backups.

 * Don't go anywhere or do anything that you don't know or know how or
   understand.

A significant, perhaps even majority, of your potential security
problems are largely solved through those four things.

> > If we were running Python in the browser, that'd be a little bit
> > different since there is (at least to my knowledge) no truly
> > sandboxed version of Python available.  But JavaScript is
> > virtually always sandboxed, and cannot do any real harm to your
> > system.
> >
> > Keeping a computer secure is all about what the person sitting at
> > the keyboard knows, not about what software is running on the
> > computer.  It has always been this way and it will always continue
> > to be this way.  Educate users; tell them why they shouldn't go
> > browsing every possible link they find, give them an idea of what
> > types of sites can be trusted versus not trusted, tell them why
> > they should have some idea of what is on the other end and whether
> > or not they should trust it.
>
> I agree with what you said about the users and education.  I just
> don't agree that we should exclude technological measures.  Using
> the metaphor of my house, I lock the doors AND avoid the shady areas
> of town.

I don't believe I ever said that technological measures should be
excluded.  I feel that the browser gives us all the technology that we
need to remain secure on the Web; we have certificate checking and
things that help us to be certain that TLS-protected Web sites are
being securely communicated with, for example.  We have rapid
releases, which is perhaps a better security feature than most (though
it is not without its downsides) because code is fixed regularly and
those fixes go out very quickly, both for Firefox and Chrome.  We have
HTML 5 moving into popularity and throwing plugins out of the browser
due to the fact that HTML 5 with JavaScript is more efficient than
many of the browser plugins for various jobs.

What I am saying is that it's better to use our brains for what they
are good at.  If I send you a link, you can look at that link and
determine whether you want to follow it.  If you don't know what's
there, you can ask, or you can run a clean profile to try, in order to
assess its trustworthiness.  Like the link I pasted above, which was
to the EFF... if you see eff.org at the end of it, you're going to be
more likely (well, *I* am going to be more likely) to trust that the
link is to a resource on the 'net that is useful, or at the very
least, not harmful.  Sure, I could be wrong.  But if I were paranoid,
I suppose I'd use the Web for nothing, maybe even the entire
Internet.

> > And tell them why they shouldn't have ad blocking software installed,
> > too.  People keep that shit up, we'll have to pay for everything on the
> > Internet out of our wallets, instead of just the things that aren't
> > ad-supported.  I suspect that you disagree with me on that, too.
> > Wouldn't surprise me, when I had heavy traffic to my blog and I had
> > Google AdWords on it (hey, they're quite non-intrusive), I had something
> > like 99% of people blocking the ads.  Everybody expects something for
> > nothing these days.
>
> I do disagree, but the reason is that the purveyors of ads have made
> them so obnoxious and intrusive, that they're intolerable.  Way back
> in the day when I used to watch old episodes of Star Trek in the
> '70s, the actual show was about 52 minutes and the ad slots were 8
> minutes.  That was tolerable and reasonable.  Now, when I turn on
> any major network, I get 4 minutes of content and about 6 minutes of
> commercials at times.  Overall, I think they're using about 24
> minutes of the hour for commercials and the rest for content.  This
> is unreasonable and abusive.  Therefore, I DVR the program and skip
> ALL the ads, rather than watching 8 minutes of them as I did years
> ago.

This is one of the reasons that television became less and less
appealing to me.  Too much advertising.  Thankfully, they don't
actually get paid by who _actually_ bothered to view the ads.  They
just pay for estimated reach, there.

However, in the case of Web sites, things are very different.

> In terms of web sites, ads are almost universally intrusive and
> obnoxious.  I feel the same way about them as I do about the TV.

I haven't seen obnoxious ads on the Internet for some time.  Then
again, I don't visit a lot of sites and I get a lot of things through
my Google Reader aggregator (when I remember to read through it,
anyway).  The most annoying ads I have seen in recent memory are those
full page interstitial ads that display when you are attempting to
read a news or magazine article.  But even those usually let you
easily skip them, so I don't mind them.  I do mind the moving,
dropping, sliding, evading advertisements that are out there, and I
simply do not visit sites that use them.  But I certainly opt to see
advertisements on sites that I use for free to my own benefit.  They
have to get paid, somehow!

> I don't mind paying for things if the price is right.  I pay for
> Pandora's premium offering.  I like the way Evernote does things.
> Give basic service away, charge for enhanced service.  Modest ads I
> can deal with, but I think most users of ads have gone way over the
> line.  Leo Laporte's podcast network is now ad supported.  I'm OK
> with that as long as they don't get too long and obnoxious and
> frequent.  Remember when they started putting ads on soda cups in
> the restaurants and on the tiles on the floor?  Give me a break.
> I'm there to get a sandwich and a drink, not to be commercialed to
> death.  The key is balance, but most marketers don't understand
> that.

Nope.

I simply don't see a lot of ads anymore.  Even when I do watch ads, I
rarely give a rat's rear about the product that they are plugging.
Sometimes, I see an interesting ad and I will click through or view
the site or look up the product, but that is so rarely the case that I
have a hard time recalling the last time I did buy something as a
direct result of an advertisement.  Most things I buy are things that
I have researched, or things that are the right price, or things that
I know to have a good reputation from previous experience.  After all,
I hate throwing money away, and I hate spending more of it than I have
to.

The one exception that annoys me greatly is Hulu Plus.  I pay them,
PLUS they show ads.  That is really kind of obnoxious.  And it seems
that the FOX shows have more advertisements on them in Hulu than the
others.  But it was that way for my On Demand service as well, when we
were actually watching regular TV.

     --- Mike

