Web developers have hated Internet Explorer 6 for a long time. If you design Web sites or write Web front-end code, you know all too well how much work it is to support IE6 on all but the simplest Web sites. What we’ve recently learned is that IE6 is much more insecure than its successors, and now Microsoft admits that IE6 has security holes that they cannot fix.
Getting rid of the last vestiges of IE6 is going to require a three-pronged attack. IT departments that still require it are going to have to be educated on the security risks of sticking with it. Or, more likely, the executives who have the power to tell the IT department what to do are going to have to be educated. I imagine that in the near future, we’re going to see a lot of IE6-remediation work. Web applications that support only IE6 are going to have to be upgraded so that IE6 can be abandoned.
Users who haven’t upgraded due to indifference are going to have to be made to suffer. Web sites need to start dropping support for IE6. When sites like Facebook and YouTube no longer support IE6, those users will upgrade Internet Explorer or find another browser.
And finally, Microsoft is going to have to take more steps to induce users to upgrade. Microsoft has waffled on phasing it out completely to placate companies with applications that depend on IE6, but it seems like today is the day that policy has to be revised.
I’ve been reading Bruce Schneier for more than a decade now, so very little of Joel Johnson’s piece, President Obama, It’s Time To Fire the TSA, is news to me. The more interesting question to me is, is there any reasonable path to changing how we think about security? Schneier hammers the TSA repeatedly for protecting against tactics that have been used previously rather than trying to think more systematically about the shape of future threats, but given human nature, it’s not surprising that we handle things that way.
The canonical example of security theater is the requirement that everyone remove their shoes before passing through security. We all know why that rule exists — Richard Reid tried to blow up an airplane with a bomb in his shoe on December 22, 2001 (yes, we’ve been removing our shoes at the airport for 8 years). There’s nothing special about secreting a small bomb in your shoe. As we learned this week, you can stuff a bomb into your underwear just as easily. But imagine the political casualties if someone were to blow up an airplane with a shoe bomb now. The opposition and the media would crucify everyone they could get their hands on for not protecting against a tactic we know that the terrorists use.
In fact, if a politician even tried to stop the shoe removal process, they would be attacked for not taking terrorism seriously. Many of us wish for more political courage from our politicians, but the incentives of every political system serve to diminish political courage and to cull out the truly courageous as quickly as possible. So I’m all for firing the TSA and restoring sanity to airport security, but I’m not optimistic that it’ll happen.
Leave it to Bruce Schneier to come up with a reasonable explanation for why the video downlink from Predator drones is not encrypted. His theory is that it’s because it would be a key management nightmare, given the way the military manages encryption keys. Basically, the audience for the UAV downlinks changes frequently and has a wide variety of security clearances, and military encryption for data is for top secret stuff.
Letters of Note has a really cool example of steganography in practice — a letter from a British Revolutionary War general that includes a secret message readable by placing a mask over the letter. The mask and letter were sent to the recipient via different routes.
What do you guys think of the new link format? Good? Bad? Should each link be a separate post?
Trying yet another format for daily links. Here we go:
© rc3.org.