BBC BLOGS - dot.Rory
« Previous | Main | Next »

Embarrassment on Twitter

Rory Cellan-Jones | 11:18 UK time, Friday, 26 February 2010

It's not really the kind of message you expect to get from a friend or a colleague - or indeed from anyone you might know on a social network. The direct message from a Twitter friend read: "hey, i've been having better sex and longer with this here..." followed by a link to a website, which I chose not to follow.

I got this overnight from a colleague at the BBC, but it's also been sent by loads of other Twitterers - including the Energy Minister Ed Miliband.

Ed Miliband on Twitter

Now, before you sense another scandal involving politicians and journalists, I should stress that all these people are victims of a phishing attack, which has been documented here by the security blogger Graham Cluley.

It appears their Twitter accounts and passwords have been compromised, perhaps by an earlier phishing incident - one which very nearly caught me out too. Yesterday I received a direct message - of the kind Twitter users are more inclined to trust. It read "haha, is this you?", followed by a link. I read it on my phone, foolishly clicked on the link - and arrived at what appeared to be a Twitter login page. Only then did I stop - and realise that this was an attempt to get me to give away my password.

It's another reminder that as soon as a service becomes popular, it's all the more likely to become the target for all sorts of scams and viruses - or indeed suffer its own security lapses. I was caught out a while back when a photo I uploaded of a BBC studio was somehow replaced by someone else's rather more arresting snap of a young woman wearing nothing but a smile.

So what's the best advice? Some people are saying you should never click on a link - but that would destroy one of Twitter's most useful functions, where people share interesting news stories, or point to information around a discussion.

In the end, it's all about trust and awareness - is it really likely that a microblogging friend would boast of their sexual prowess, or share a link without any explanation of what it was about? If not - don't click. And if you do use Twitter or any other service the security of which you fear may have been compromised, I'm sure you don't need me to tell you to change your password.

Comments

  • Comment number 1.

    A phishing scam on a web site where nearly all links are masked by URL shortening services... who'd have thought that would ever happen?

  • Comment number 2.

    I use TweetDeck and it has a rather useful preview function. It allows you to see what most of these shortened URLs are actually pointing at before you load them up in your browser. Has saved my blushes on a number of occasions!

  • Comment number 3.

    People just need to be aware of the URL's they're on. If it isn't twitter.com, then you probably shouldn't be giving them your Twitter Login information.

    That said Twitter & Facebooks open Authentication is just going to add a whole new level of pain and make it 10 times easier for Phising people to obtain details.

    Ant

  • Comment number 4.

    "In the end, it's all about trust and awareness"

    not so much trust, as using common sense.

    I don't follow any links sent via facebook, IM, or indeed twitter as my computer is not only my prized gadget, but also my means of an income.

    My few simple rules are that: i do not follow anything sent to me via one of them url shortener sites (sites that take a long url, give them a unique identifier and stores them in a DB giving the user a significantly shorter url to enable posting on a site such as twitter). Any site that i do not know, and also, i do not follow any link sent over IM that is out of character to the person sending it.

    So far with 0 infections, 0 phishing attacks, and 0 malware, i think i am doing quite well.

    (also, i hasten to add that i have a lot of security software on my computer should i be drunk one night and start randomly clicking links)

  • Comment number 5.

    It shocking, really. The amount of push that the govt has given on getting people internet savvy has worked better on the public than on their own members!

    As Anthony Shapley has already said here, looking at the URL in your browser gives in instant indication as to where you are on the internet.
    If it doesn't say Twitter.com, you're not at Twitter.com!

  • Comment number 6.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 7.

    I received one of these just today from a friend who would chop his own hand off rather than send something of the nature of the Direct Message. Also, I registered with Twitter about a year ago and have never been on the site since so I thought it may have been a bit dodgey and didn't go any further except to contact said friend.

  • Comment number 8.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 9.

    It's all about common sense, as much as it is about trust. However, as the people who operate phishing scams know, users of sites such as Twitter and Facebook can lack such common sense and be intrigued with links to click.

    It's easily done and I've known people do it without even reading the whole message!

    Biz and co. will have to look into this in finer detail I think, especially as site usage and population is growing by the day!


    @jaybranch

  • Comment number 10.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 11.

    The 'haha, is this you?' scam has been sent around on chat applications like Live Messenger for a long time - with the very same message. Worryingly, any advice to the person whose account has been hacked that they ought to change their password often results in 'oh it's only a message, it's not doing any harm'!

  • Comment number 12.

    hey, i've been having better sex and longer with this here

    http://www.bbc.co.uk/blogs/

  • Comment number 13.

    People should stop using IE so that they're safer on the internet! I use FireFox on a Mac at work and Chrome on LINUX at home so I know I'm safe from all viri.




    /sarcasm

  • Comment number 14.

    Aidy: I'm not sure how your advice would prevent you having your account details scammed when clicking on a link and entering your details into another website? It doesn't matter what browser or operating system you use, the scam will still work. People need to be educated about the risks and not conned into thinking that by switching their browser they will be safer.

  • Comment number 15.

    @Laurence #14

    My post was joke :) I was making fun of the kind of comments usually made here when some security scare is revealed, normally made by people who don't quite "get" the internet but think they do.

    PS for future reference, "/sarcasm" means "this is the end of the sarcasm" :)

  • Comment number 16.

    Aidy: Was that sarcasm too? :)

  • Comment number 17.

    'Transport Minister Ed Miliband'? Methinks perhaps it's a case of embarrassment on BBC blogs. ;-)

    I do wonder why this sort of thing is being treated as significant news though - Sky seems to be taking it a bit over the top, for example.

  • Comment number 18.

    Without wanting to look like I have completely missed the point, Ed Miliband is actually Secretary of State for Energy and Climate Change...

  • Comment number 19.

    I saw the suspicious tweet (direct message) myself last week. Something about "LOL, was this you?", containing also a tinyURL link to the fake Twitter logon page. I don't get many tweets of the kind "LOL, was this you?", so perhaps this was a clue for me. As Anthony Shapley suggested before, when offered a logon page you're best to quickly look at the URL in the address bar at the top, and make sure that it really does contain 'twitter.com'. Always bear in mind that address shortners (like bit.ly, tinyurl etc) can be used to disguise obviously suspicious web addresses. Be cautious when following these links.

  • Comment number 20.

    Victims of a phishing attack.
    Yep, the twits and the spamers are usually keeks. They know their way around computer programing better than a brain surgeon knows his way around your brain.
    I wish the twits and spamers would devote their time to meaningful, helpful endeavours. My guess is that vile phishing and hanky-panky spamming pays pretty good; whereas decent, hard-working endeavors do not sufficiently reward the geek.

    So my advice (which may or may not be the best):
    1. Users of reputable systems should not have to resolve these issues on their own, or be constantly exposed to things that are inappropriate, like my several Viagra commercials daily. In my opinion, Twitter (for example) should be fined for not adequately screening its data. Never mine the excuses - just keep fining and fining until Twitter finally reaches the conclusion that cleaning up its act (so to speak) is cheaper than the ever-increasing fines. In other words, we have got to give these networks, an incentive to work our behalf.
    a) This would create government revenue and
    b) Perhaps, networks would hire some of these geeks to create effective screening & monitoring systems, reducing unemployment (or employment that is not taxed).
    2. Changing your usercode may be more effective than changing your password. The culprit already has your usercode; how else dis s/he serve you with the unwanted trash in your in box?
    Be safe, change both.
    3. Never ever provide personal data onbline unless it is a site known to you and extremely secure, like your pension adminitrator or financial institution.
    4. From what I can find there are several different bodies to which you can submit different sorts of complaints. There doesn't seem to be one cordinating site...Maybe one day...
    In the meantime, find the spcific body that deals with your problem and report it. But whatever you do, do not attach the scurious email or its troublesome attachment (could spread a malicious virus).
    e.g. Anti-Phishing Working Group http://www.antiphishing.org/

    5. General info that might help:
    Never click on hyperlinks
    Use Anti-SPAM filters
    Use Anti-Virus Software
    Use personal firewalls
    Keep all software updated
    Always ignore, or at least investigate https and sites that ask for “personal information”
    Check your credit statements/report carefully
    If unsure what to do, ask!

  • Comment number 21.

    THank you for making it clear this is a phishing scam, not hacking. It annoyed me quite a lot yesterday to read the article where Harriet Harman claimed she had been hacked. No she wasn't. Hacking takes skill and effort from the hacker, phishing simply requires stupidity from the user.

  • Comment number 22.

    There are a large number of websites out there that will show you the full URL of a shortened link with out clicking on it: real URL for example.
    but at the end of the day use common sense, if it looks suspect.............It probably is!

  • Comment number 23.

    @Laurence

    Oh no! now we're into meta sarcasm. I can 't cope with it and my brain is going to start bleeding soon.

    As for the phishing stuff: I've used windows mac and unix for nearly 20 years. Never been fleeced/infected/pwned yet, but that's because of the application of something unusual in this day and age: it's called common sense.

  • Comment number 24.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 25.

    The thing with common sense is that it is not actually that common ! :)

  • Comment number 26.

    @Laurence,

    At present Aidy's sarcastic software choices would make all the difference.

    I just checked one of the twitter phishing URLs. Firefox responds straight away with a "Reported Web Forgery!" warning, making the user explicitly ignore the warning before they can get to the false login page.

    ie8, on the other hand, just plays along with the scam and goes straight to the false login page.

    Admittedly, as Darren says, it's no replacement for common sense, and there may be a delay before phishing sites are reported and updated on the client, but it certainly helps.

  • Comment number 27.

    Oh dear, yet more embarrassment for me. As some of you have spotted I'd given Ed Miliband the wrong title - he is of course energy minister. And I can't even blame malicious phishers for that....

  • Comment number 28.

    hahah making twits out of twitterers.

    dont you just love all this easly hacked software that we chose to put our lives on..

    Its just like ICQ all over again...

  • Comment number 29.

    @ 28. CommunityCriminal

    You wrote:
    dont you just love all this easly hacked software that we chose to put our lives on..


    My reply:
    Twitter wasn't hacked.
    In laymans terms: A phishing attack is when people *choose* gave away their account details because the requestor asking for the information pretends to be someone else.

    Any and every piece of software is open to this type of attack as it doesn't take much to spoof a product. In fact even these BBC News pages have been spoofed countless times over the years (albeit for different goals) - so keep an eye on your address bar when next logging on here ;)

  • Comment number 30.

    @ 13. Aidy wrote:
    I use FireFox on a Mac at work and Chrome on LINUX at home so I know I'm safe from all viri.


    My reply:
    What about "viruses"? (which is the correct plural for virus) :P


    (sorry, bad joke)

  • Comment number 31.

    Back in the old days we never had this problem, I've always said computers are nothing but trouble. The only solution is to BAN COMPUTERS.

    /mum

  • Comment number 32.

    I set up a hotmail account purely to act as a spam/junkmail filter. It is the only email address I give away (except for things like contact details on CVs). It now recieves about 30~40 messages a day that go straight to the junk email box. Most of these consist of 'I think your Facebook profile has been hacked, look here' as the subject headline. I don't have a Facebook page so it's fairly obvious its a scam. However it does keep my genuine emails free from all the junk. Also, using different passwords for different sites is important, as you don't want to register on a site that turns out to be malicious and find out that someone has the password to your online bank account!

  • Comment number 33.

    #29 been around since the Internet connected at 11k over a flaky phone line and a web page was nothing more then a text doc. Introduced the isp I worked for to BHO's and spy-ware some 8-9 years ago as BB crept above the 512k mark. Hacked is just a general term I use for all the data miners and dubious phishing scams out.

    *Choose* (data mined) to give out details in these cases is a bit strange or do people like ED not have the intelligence to keep their own systems clean? maybe such people should not be allowed on such public things considering the positions in life they have.

    Still never understood the need for twitter tweets and data farts, give me a good forum or blog anytime.

  • Comment number 34.

    find the virus installers and account thieves and cut their hands off in public. could broadcast over the internet and twitter...might be able to sell ads as well..

  • Comment number 35.

    I was getting genuinely frustrated with some of my followers yesterday who insisted that they had been hacked and were apologising for the direct messages that they had sent.

    None of them had even realised that they had willingly given their login details away to a site that was not Twitter.

    See the link below for another example of people using the Internet who really do not know what they are doing. These people only ever reached Facebook through typing Facebook into a Google search page/bar and were frustrated when the first result was not what they expected.

    http://www.readwriteweb.com/archives/facebook_wants_to_be_your_one_true_login.php

  • Comment number 36.

    Have you gone out of your way to make these people feel better? This type of scam is literally the oldest trick in the book. I would feel bad for charging people to avoid this type of trick, but then again I could become a rich man.

  • Comment number 37.

    #26 @Tim

    I don't frequent twitter however I went in search of the phishing page and neither IE8 nor FF flagged it (IE8 has a similar feature to FF that relies on reported sites). I'm guessing there are many of these sites around the net and they won't all be reported to all services. My anti virus software didn't flag anything either.

    Anyway...you keep on, safe in the knowledge that FF will always save you. It seems that when dealing with the internet no matter how obviously sarcastic you are, someone will come along and prove you right.

  • Comment number 38.

    The best one I got was from a lady vicar!

  • Comment number 39.

    There is a windows function for dealing with this, right click on any link given on any page. Down the bottom of the menu that opens is "properties". Left click on, "properties", and the resultant window that opens shows the link's details. As Meercat says, Simple, "squeek!"

  • Comment number 40.

    #5. Jon Gibbins wrote:
    I suppose you have to be rather gullable to be an MP in any major political party. Just to believe in their parties manefesto shows it's true.

  • Comment number 41.

    #13. Aidy wrote:

    While I noted, "Sarcasm", below the message, it still bears posting that following a link in any browser goes to that link. Giving out details on any browser is stupid and lastly, the only reason IE is more prone to abuses is because it is most used, If it wasn't there the one to replace it would cop the same abuse.

  • Comment number 42.

    @41 Auld Bob:

    You said:
    the only reason IE is more prone to abuses is because it is most used, If it wasn't there the one to replace it would cop the same abuse.

    My reply:
    Phishing scams aside (because that could really happen on any browser - even Lynx (a UNIX command line browser).

    However, Internet Explorer /IS/ more insecure than all other leading browsers.
    It's not a myth nor is it because IE is just popular.
    The sad truth of the matter is Internet Explorer - the most widely used browser on the planet - is also the easiest browser on the planet to hack.


    Sure, Microsoft are making great strides to correct this issue and IE8 is streets ahead of IE6 (despite most sizeable UK organisations still running v6), but IE's security model is still superseded by Opera, Firefox, Safari and Chrome. (IIRC, Opera being the _most_ secure browser).

    It really is time that people woke up and realised that IE is:
    * one of the slowest browsers to launch
    * one of the slowest (if not /THE/ slowest) to render
    * the least secure by design
    * and by far the worst browser for compatibility (even both the iPhone and Android's inbuilt browsers p0wn IE8 on the Acid3 test)

    IE genuinely, significantly and conclusively is /THE/ worst popular web browser.

  • Comment number 43.

    @ Laumars #42

    I think you'll find FireFox /IS/ more insecure than all other leading browsers.
    It's not a myth nor is it because FF is just popular.
    The sad truth of the matter is FireFox is the easiest browser on the planet to hack.

    Sure, Mozilla are making great strides to correct this issue and FF3 is streets ahead of FF2, but FF's security model is still superseded by Opera, IE, Safari and Chrome. (IIRC, Opera being the _most_ secure browser).

    It really is time that people woke up and realised that FF is:
    * one of the slowest browsers to launch
    * one of the slowest (if not /THE/ slowest) to render
    * the least secure by design
    * though it is good at displayed pages deliberately designed to make IE look bad.

    FF genuinely, significantly and conclusively is /THE/ worst popular web browser.




    Wow...look at that. It seems anyone can present uninformed opinion as if it were fact on the internet.

  • Comment number 44.

    When I first saw the headline of this blog, I thought he was talking about the overall BBC coverage of Twitter.

    Maybe next time though...

  • Comment number 45.

    @Aidy 43, perhaps you should look at secunia.org and find out the security facts for yourself.

    Laumars is correct that IE is the most insecure browser in its default config.

  • Comment number 46.

    #45 @Chris Mills

    I'm not familiar with that site, but a look at the home page tells me nothing but that there is an issue with Google Picasa, Adobe getPlus, "multiple vulnerabilities" with Google Chrome, a FireFox vulnerability, Adobe Flash vulnerability, two vulnerabilities in Adobe Reader, Orbital Viewer issue and two PHP vulnerabilities.

    So I downloaded their report for 2009 and learned the following.

    In 2009 less than half "0 day" vulnerabilities were in MS software, over half were non-MS.

    "Microsoft updating tools provide a very efficient and effective “patch management” process for Microsoft products on millions of PC. Within a few days, the value of an exploit for a Microsoft vulnerability has diminished significantly, and after just a few weeks, all the updated PCs with patched Microsoft programs are immune to the exploit. This means that the window of exploitation for Microsoft products is substantially reduced, and criminals have to search for other ways to attack PCs. "

    "Deployment of non-Microsoft patches is often significantly slower and less organized. All Internet-based applications, especially browsers and browser plug-ins (i.e.,Adobe and Apple QuickTime), should be a top patching priority.”

    For the number of vulnerabilities per vendor MS was top but considering the vast number of products MS bring out the results are understandably skewed. Adobe were second.

    "The top 10 list for the most secure programs in 2009
    clearly shows that programs, which are covered by
    Windows Update, are updated more frequently."

    #1 1.48% of Media Player users were unpatched.
    #6 3.61% of IE8 users were unpatched.
    #8 6.86% of IE7 users were unpatched
    #9 9.33% of FF 3.5 users were unpatched
    #10 10.66% of Thunderbird (also Mozilla) users were unpatched

    So MS is top of the table and Mozilla bottom. All instances of IE beat FF in terms of patching. So much for someone claiming that IE is left unpatched for years.

    Top ten patched browsers

    Internet Explorer 8 3.6 %
    Internet Explorer 7 6.9 %
    Firefox 3.5 9.3 %
    Opera 10 14.1 %
    IE 6 14.3 %
    Opera 9 16.1 %
    Firefox 3.0 17 %
    Safari 22 %
    Google Chrome 3 24.7 %

    Again IE 7/8 top of the table.

    "As the above statistics indicate, some of the most popular
    browsers are also the ones, which users update
    most frequently, and thus have a low insecure rate."

    So it seems that if you look at the *facts* by the *experts* and not silly little boys spreading rubbish from their bedrooms it seems that on balance IE isn't anywhere near as bad as people are saying.

  • Comment number 47.

    The best way to avoid the Twitter scam is to use a dedicated Desktop App like Twitdeck or a Twitter Application for your Phone.

  • Comment number 48.

    Phishing scams would never happen if users learned to read the URL properly. Eg. if it says http://twitter.dodgysite.com instead of http://twitter.com it's obviously a scam/phishing site. Surely the real issue here is lack of understanding of the web and ignorance.

  • Comment number 49.

    I have myself been caught sleeping twice as well.... Once I entered my password on a link that looked genuine. It took me about 5secs to realise my mistake and I changed my password, no damage done.

    The second time I clicked on a picture of a pretty lady in one of the social networks. The link must have had some sort of "share the picture" code in it and the same picture also appeared on my profile. I didn't realise my mistake for a few days :(

  • Comment number 50.

    @Aidy:

    You said:
    For the number of vulnerabilities per vendor MS was top

    My reply:
    So that pretty much says exactly what I've just stated despite you arguing otherwise.



    You said:
    "The top 10 list for the most secure programs in 2009
    clearly shows that programs, which are covered by
    Windows Update, are updated more frequently."

    My reply:
    That doesn't make software more secure. That just means that /some/ of vulnerabilities are patched quicker.



    You said:
    So MS is top of the table and Mozilla bottom. All instances of IE beat FF in terms of patching.

    My reply:
    Again, that doesn't make IE more secure so your statistics are very very misleading.
    How about you post some real figures about real vulnerabilities?
    From the research I've done over the years, IE has consistently performed badly. Sure Firefox is currently under a lot of fire here as well, but you have to remember that, and I quote from Synaptic: "The increase in Mozilla vulnerabilities was a by-product of internal and community driven security audits of the browse" - so we're not even talking about exploits found in the wild yet.
    Plus you're neglecting to mention how badly IE performs against Opera. Particularly when Opera also has one of the largest install-bases on the mobile market - so clearly there's more to browser security than market share alone.



    You said:
    So much for someone claiming that IE is left unpatched for years.

    My reply:
    Actually I said many organisations are stuck on IE 6 - which they are.
    Despite your assumptions of me being some kid in his bedroom, I've actually spent the last 10 years work for various organisations and I've been disappointed by the number of internal cloud systems targeted specifically for IE6.
    Many of these companies can't afford (both in terms of cost and time) to rebuild some of these systems to make them w3c compliment - so they're stuck with IE6.

  • Comment number 51.

    @ 47. At 11:16pm on 27 Feb 2010, israel idowu wrote:

    The best way to avoid the Twitter scam is to use a dedicated Desktop App like Twitdeck or a Twitter Application for your Phone.


    My reply:
    And then you just have to trust that the app you've downloaded isn't itself malware. ;)

  • Comment number 52.

    #50 @ Laumars

    > So that pretty much says exactly what I've just stated despite
    > you arguing otherwise.

    Now you're grasping at straws. If 10% of the average company's software has a vulnerability then a company that produces 10 products in a year will have 1 vulnerability and the company that produces 100 will have 10. These stats are not tied to browsers, but all internet-exposed software. Given the sheer number of products that Microsoft produces, any impartial observer can't fail to see why the results will be skewed.

    > That doesn't make software more secure.

    Yes it does. I quoted what the person from Secunia said and here it is again (my emphasis);

    "some of the most popular browsers are also the ones, which users update most frequently, *and thus have a low insecure rate*"

    > You said:
    > So MS is top of the table and Mozilla bottom. All instances of IE beat FF in terms of patching.

    > My reply:
    > Again, that doesn't make IE more secure

    That's funny because on a similar comment someone said that FF was "more secure" because it was patched more than IE. Let's put aside the fact that we now know that IE is patched more, which is it? Is a better patched browser more secure or not? It seems that as usual people dance from black to white as it suits them as long as they can denigrate Microsoft.

    > How about you post some real figures about real vulnerabilities?

    So people talk all manner of rot about IE with nothing to back it up, I post some actual facts from an expert company but because they don't agree with your bias and uninformed opinion they're the wrong kind of facts? It seems to me that you'll never be satisfied with anything put before you.

    Stop trying to have your cake and eat it...if FF was patched better than IE you'd use that as "proof" that FF is more secure, now that FF is patched less than IE it's "proof" that IE has more vulnerabilities. What matters at the end of the day is how well protected the end-user is, and in that respect IE is up there with the best of them.

    > From the research I've done over the years, IE has consistently performed badly.

    The experts disagree. They were actually very complimentary about Microsoft and also highlighted that it is mainly the add-ons and not the browser itself that is often the issue...add-ons that FireFox has in abundance :)

    > Plus you're neglecting to mention how badly IE performs against Opera.

    I posted the results where Opera was also mentioned. Do you genuinely only see what you want to see?

    Now that I've successfully shown IE to actually be a very secure browser maybe it's time for you to explain yourself rather than regurgitate anti-MS rants you've heard on other sites. Maybe you could start by explaining the difference in security models between the browsers and how IE's is weaker. You mentioned this in your post so I assume you have the knowledge to back this comment up?

    #51 @Laumars

    I think credit should also be given to the browsers for no longer allowing server obfuscation in their default configuration (I know IE no longer allows it out of the box, I don't know about the others but I assume they'll also stop this). Phishing used to be a lot easier in the past.

  • Comment number 53.

    Use a package like PINs to generate and store complex passwords, along with the other precautions, including a good firewall and AV system, both of which should be rootkit aware, anti spyware protection that is rootkit aware (Spybot S & D is an example), disable file sharing, use something like 'no script', and so on. Of course the final thing is do not let anyone SE (socially engineer) you, either by bot or in person. These are the oldest tricks in the book, and were commonly employed by people known as 'con men'. Plus ça change, plus c'est la même chose.
    Wieders.....

  • Comment number 54.

    Aidy:
    I'm sorry, but you're still wrong to be banding patching figures as the holy grail of security (and no about of insulting me is going to strengthen your argument).

    Seeming as you like posting statistics that have no relevance, let me invent some of my own:
    You have two products: x and y.
    Product x has 100 vulnerabilities and product y has just 20.
    Product x gets updated every month and product y gets updated every 2 months.

    So which is most secure? By your logic that would be product x (as it has a better upgrade model), but the figures clearly state that product x also has 5 times more vulnerabilities. So logically, technologically and literally that would make product x the least secure of the two products.

    Well IE is product x. Sure it's an improving product - but it had to. Opera, Firefox and Safari really put IE to shame so MS /HAD/ to pull some serious overtime. However it's still not on a par yet.


    Also, you're just talking about the upgrade path on one platform. If you want to get technical and push your "expert" opinion - then let's look at the whole picture (as Firefox is a multi-platform browser and Microsoft only update their own software via Windows update).

    So let's take a look at the next most popular PC OS, Linux:
    Most Linux distributions don't work on a "bleeding edge" scenario. They prefer to run software a few versions behind which have been tried, tested and proven to be stable - and then back port security patches.
    So your Firefox would show up as false positives on your statistics despite it having all the latest security patches.

    But I'm guessing these facts are "irrelevant" to your FUD because IE can't run on Linux - oh wait it can (via WINE) and guess what, it can't be updated via Windows Update. So that would make IE the worse patched browser (and the least secure by your own definition as well)

    However you'll only find IE used on Linux for testing purposes (remember my earlier comments you glossed over about IE being the worst browser for supporting standards? Well that's why web developers are often forced to run IE on non-Windows platforms).


    So now we've established that you're figures are an interesting distraction but not really all that relevant, let's take a look at raw vulnerabilities:
    http://en.wikipedia.org/wiki/Comparison_of_web_browsers#Vulnerabilities
    (Sorry for just posting a wikipedia article, but it was quick and I've already wasted too much time debunking your myth).
    On there, you can clearly see IE under performing. Sure, IE8 is improving on the sorry state of IE6, however as already established earlier, plenty of businesses are still on IE6.



    Now let's go back to your figures and actually entertain the fact that they are in any way relevant (completely ignoring, for the moment, all the points I made above that crush your argument):
    IE is ~5% better than Firefox for numbers of patched boxes.
    Now lets feed that percentage back into real numbers (as percentages aren't an accurate gauge for something as precise as this discussion has turned).
    To do this, we need to have a web stats (sorry, another wikipedia link):
    http://en.wikipedia.org/wiki/Usage_share_of_web_browsers
    Here, you can clearly see that Firefox is hot on IE's tail, but it's still on average about 25% behind.

    So, given the millions of internet ready PCs and IE's strong market share, that equates to a significantly greater number of boxes with unpatched IE installs than unpatched Firefox installs despite IE having a greater overall percentage of boxes with the latest applied patches.



    So now we've established that you're figures are irreverent and misleading and, in places, inaccurate (see, you're not the only expert who reads BBC blogs) - can we finally leave this myth to rest?

  • Comment number 55.

    In reality, the only conclusion you can draw from the number of updates is the amount of effort going into making a browser secure (both in finding vulnerabilities and patching them). You can't draw any conclusions about the insecure state of any browser from those figures because you do not know how many vulnerabilities there are remaining to be found. However you can draw the conclusion that every browser has vulnerabilities and so you should not let using a browser other then Internet Explorer lull you into a false sense of security.

  • Comment number 56.

    So let's sum this up. Figures from an expert company in security that state IE offers the lowest of all browser insecurities are irrelevant. The fact that more IE users are better protected against vulnerabilities is irrelevant. IE is less secure because it doesn't run on Linux (I *think* that's what you were saying…I don't know why you mentioned that IE won't auto-update on a platform it isn't designed to run on…seems like a pretty desperate reach). However your data from wikipedia (that I didn't even look at TBH ) is more relevant (sorry for being a snob, but data that is guaranteed to be current and accurate and from a trusted source is of more interest to me). You talk about how browsers put IE to "shame" and other emotive terms when the experts are more than complimentary about it.

    I gave you an opportunity to back up your subjective views with the hard information that you put yourself across as having (your mention of security models etc was an obvious attempt to sway people to your side by implying you knew of facts that others didn't) but you completely failed to address this issue. This leads me to believe that you are not as knowledgeable as you like to make out you are, and you are simply passing on second-hand, badly-informed opinion as fact.

    Now when I talk about the MS-haters who will say black is white as long as it means running down Microsoft and IE you are quite the perfect example.

  • Comment number 57.

    Oh come on, this is stupid. I've seen many of my 200 followers fall for this crap, but I don't see how. The links are so obviously fake it's unbelievable. I can't believe people STILL fall for phising when there's all the security provided by 3rd party software and even the browsers themselves these days.

    Whenever I get messages like this, I delete them automatically, the same way I would if I got an e-mail from a company selling viagra, or a Nirgerian banker.

    It's common sense.

  • Comment number 58.

    Aidy:
    So let's sum this up. Figures from an expert company in security that state IE offers the lowest of all browser insecurities are irrelevant.

    My reply:
    You posted figures on patch updates NOT vulnerabilities. 2 of us have pointed this out to you now.



    Aidy:
    The fact that more IE users are better protected against vulnerabilities is irrelevant. IE is less secure because it doesn't run on Linux (I *think* that's what you were saying…I don't know why you mentioned that IE won't auto-update on a platform it isn't designed to run on…seems like a pretty desperate reach).

    My reply:
    For crying out loud. I mentioned Linux to show that Firefox would be giving you false positives in your figures. If I wanted to get into Linux's security model I would have done (as I have extensive experience in both Linux and Windows' security models), but the underlying OS security is somewhat irrelevant.
    What is relevant was the update model in Linux as you keep banging on about IE's patching. I basically proved that not all older Firefox versions are unpatched (thus the false positives I keep referring to).
    So I suggest you go back and re-read my post as I really can't explain it more succinctly than I already had.



    Aidy:
    However your data from wikipedia (that I didn't even look at TBH )

    My reply:
    So now you're ignoring data that doesn't conform to your misconception?



    Aidy:
    (sorry for being a snob, but data that is guaranteed to be current and accurate and from a trusted source is of more interest to me).

    My reply:
    Wikipedia has been proven to be no less accurate than your average hardback encyclopedia.
    I would provide you with a reference link, but I'm not going to waste my time given you didn't look a the last two links I provided.



    Aidy:
    You talk about how browsers put IE to "shame" and other emotive terms when the experts are more than complimentary about it.

    My reply:
    The only experts I've come across that have been complimentary have been ones that are either partnered with Microsoft or make money off the back of Microsoft (like anti-virus suites).
    I'm sure there's experts out there who do favour IE - but I'm yet to meet them.
    You see, having worked in IT all my life, I'd like to consider myself somewhat of an expert too - and I'm yet to meet a colleague who has been favourable towards IE (particularly those in web development).
    However the opinions of my colleagues are somewhat circumstantial, hence why I've negated to mention them before now.



    Aidy:
    I gave you an opportunity to back up your subjective views with the hard information that you put yourself across as having (your mention of security models etc was an obvious attempt to sway people to your side by implying you knew of facts that others didn't) but you completely failed to address this issue.

    My reply:
    But I did and you're yet to counter any of the points I've made aside trying to undermine my experience with personal attacks.
    Go back and read my comments.



    Aidy:
    This leads me to believe that you are not as knowledgeable as you like to make out you are, and you are simply passing on second-hand, badly-informed opinion as fact.

    My reply:
    As the saying goes - "you can take a horse to water but you can't make him drink."
    If you wish to remain ignorant in spite of the numerous points and references I've made - then so be it. But lets try not to make this a personal battle of who knows more.



    Aidy:
    Now when I talk about the MS-haters who will say black is white as long as it means running down Microsoft and IE you are quite the perfect example.

    My reply:
    I've repeatedly commented on how IE has improved of the years. If I was out unjustifiably dismiss Microsoft then I'd not even have credited MS for that.
    The fact is you keep making claims and have yet to back them up with real evidence then cry wolf whenever anyone counters your points and even outright ignore evidence they provide.


    So I get that you like IE. there's nothing wrong with that. I personally don't care what you or anyone else runs. I'm just interested in the facts.
    So please don't degrade this conversation with personal attacks.
    If you disagree with the facts I've supplied, then prove it. Thus far you haven't.

  • Comment number 59.

    Laurence said:
    However you can draw the conclusion that every browser has vulnerabilities and so you should not let using a browser other then Internet Explorer lull you into a false sense of security.


    My reply:
    While I agree with your whole post (#55), I wanted to single this part out as it's by far the best advice I've read on here.

    At the end of the day, it really doesn't matter which browser is more or least secure as ultimately the biggest security hole in any desktop system is the users plonked in front of them.

    * Don't get complacent
    * Don't run untrusted apps
    * Install a virus scanner
    * Don't run everything as root / administrator
    * and if something sounds too good to be true - it usually is.

  • Comment number 60.

    #58 @Laumars

    > You posted figures on patch updates NOT vulnerabilities. 2 of us have pointed this out to you now.

    My original post discussed numbers of vulnerabilities. It was the only stat I posted that you agreed with because it fitted your arguments. All other facts from the same source you disagreed with because they didn't fit your arguments. So you are selective in what you agree with as you have an agenda.

    > I mentioned Linux to show that Firefox would be giving you false positives in your figures.

    And as MS produce way more products than other firms it was also skewing the data. You agreed with this when it showed MS in a bad light, but now you disagree when it shows FF in a bad light. Again selective reasoning.

    > If I wanted to get into Linux's security model I would have done

    I don't care about Linux, I wanted you to explain IE vs FF vs Opera vs Chrome security models but you still haven't. I put to you that you haven't as you don't understand them.

    > So now you're ignoring data that doesn't conform to your misconception?

    I'm ignoring data that is not guaranteed to be accurate. Now you're putting words into my mouth.

    > The only experts I've come across that have been complimentary have been ones that are
    > either partnered with Microsoft or make money off the back of Microsoft (like anti-virus suites).

    Now you can add Secunia to that list.

    > I'm sure there's experts out there who do favour IE - but I'm yet to meet them.

    It's not about "favouring", it is about honest and accurate analysis and portrayal of the various browsers. You are obviously stuck in a mind set where everything has to be "us" and "them". You can't just prefer FF, you have to show that IE is "rubbish" - but it isn't "rubbish", you just prefer FF and your attempts to paint IE in a bad light are making you look quite foolish.

    > However the opinions of my colleagues are somewhat circumstantial, hence
    > why I've negated to mention them before now.

    Or it could be that you see the argument slipping away from you and in your desperation you are turning to not only wikipedia but the invented credentials of "colleagues".

    > If you wish to remain ignorant in spite of the numerous points and references I've
    > made - then so be it.

    Your "points" and "references" have all been subjective opinion. I'm afraid that opinion does not educate so we must all remain "ignorant".

    > The fact is you keep making claims and have yet to back them up with real evidence

    Ok.....refer back to post #46.

    > I'm just interested in the facts.

    It would be nice if you could give us some :)

    > If you disagree with the facts I've supplied, then prove it.

    You have posted only opinion so far and I have proved that opinion wrong.

    You are clearly just one of many MS haters, blind to reason, so I shall bid you good day :)

  • Comment number 61.

    Aidy:

    I've dealt with people like you in the past.
    You lie, misquote and insult people until they give up trying to reason with you and then you claim victory by default

    Well go ahead, I can't be arsed to part my experience with someone who's more interested in retorts than facts.

    However any sane person can make their own mind up from the data I've posted - as the whole debate is still there in black and white.


    And for the record, I've built and hosted countless Windows based solutions over the years (including numerous different configurations of web servers and two specialist Windows-based web browsers with original engines). So I'm not anti-MS. I'm just anti-substandard technology and, from my extensive experience, IE is below par. But clearly anyone who doesn't sing Microsoft's praises 24/7 are naturally anti-MS in your little world.

  • Comment number 62.

    I have a foolproof system for avoiding such phishing attacks on Twitter, Facebook & Co. I simply do not use them. If I want to contact people I know, I contact them. The twits who use Twitter do not know me and I do not know them. End of story.

  • Comment number 63.

    Less patching can also mean good design from the start.

    I mean which road is better the one that is constantly patched or the one that needs it every once in a while?

    Many security measures in IE8 were first introduced in FF.

    And indeed many services & companies still use IE6 which is a problem.

  • Comment number 64.

    I really enjoyed the blog post and comments in this article. Thank you.

  • Comment number 65.

    #63 @gregor3000

    > Less patching can also mean good design from the start.

    > I mean which road is better the one that is constantly patched
    > or the one that needs it every once in a while?

    The security experts are of the opinion that more patching is better and leads to more secure products (or the double-negative of less insecure products that they seem to prefer).

    Still, I guess you know more. Funny also how on another blog someone said that FF was "more secure" as it was "patched more", but now that we know FF is patched less all of a sudden popular opinion is now that less patching is better...but when people thought FF was patched more, that more patching was better.

    Funny indeed. I assume you also rarely update your virus definitions :) I mean...you wouldn't want to be accused of sour grapes...

  • Comment number 66.

    For the last time Aidy, frequency of patches are irrelevant.
    Myself and several others have explained this to you several times but you still keep missing the point.

    We've list possibly a dozen examples of where your statistics fall flat on it's arse but who cares when you have dumb ignorance?

    You know the saying: "lies, damn lies and statistics"?
    Well you're whole argument boils down to this. You've taken one so interesting fact and tried to twist it to prove your own bias.

    So while you're comments might mislead the average Joe, the BBC forums do have some real "techies" online too who know better than to fall for this rubbish.

    In fact, I don't know why I'm even replying again when it's become painfully obvious that you're either a troll or just biased to reason with.

  • Comment number 67.

    #66 @Laumars

    Again I come back to the same thing....when someone posted saying FF was "more secure" because it was patched more often where were you then? Why weren't you going on and on and on about how that doesn't mean anything?

    Yesterday:
    "FF is more secure because it is patched more often. IE is rubbish as it is hardly patched."

    Today:
    "FF is more secure because it doesn't need patched often. IE is rubbish as it needs patched all the time."

    It's as plain as the nose on your face that you'll say black is white just to run MS down. Why don't you just admit it and we can all move on with our lives? Sour grapes and fanboyism go hand in hand and you have both in spades. So, again, I bid you good day :)

  • Comment number 68.

    Uuu, i like the spins you are making with data. Are you in PR?

    You said:
    "
    This means that the window of exploitation for Microsoft products is substantially reduced, and criminals have to search for other ways to attack PCs."

    Seriously? Oh, so it's because MS Windows are patched the most and the time between patches reduces the chance of exploitation. So the reason we need antivirus is why? I mean the pathces protect you enough don't they? After all security is what Microsoft products are known for.

    Also you talk about 0 vulnerabilities. Then what were they patching?

    Also you neglect the fact that IE is targeted more by malware because of it's market share and therefore it would need more pathces. Again number of patches doesn't relaly prove if browser is safer or not.

    Microsoft says:
    "SmartScreen filter has blocked over 8 million malware and phishing scams, and projections show that it's on target for over 1 million blocks per day. Research shows that Internet Explorer 8 catches almost twice as much malware as its closest competition."

    Ok first we do not know how many false positives it did here. And second it might just catch them more because it is targeted more.

    The real data on security would be how many of the known malware can it block and how it handles against the unknown threats. Also data on detection design would be important.

  • Comment number 69.

    Laumars

    Have you ever heard the term "Don't feed the Trolls"?

    Its excellent advice. I suggest you take it.

  • Comment number 70.

    Aidy:

    Right, so far I've been called a MS hater - right up until I proved that I've built a number of solutions based on MS technology.

    So next you call me ignorant - right up until I provided information about how I've built web servers and browser rendering engines.

    So now I'm a Firefox fanboy?
    I don't even use Firefox for crying out loud.


    Your facts were wrong and it's been proven by several people - deal with it!

  • Comment number 71.

    gregor3000:

    -> Patching does not reflect vulnerabilities. So can we stop resurrecting this dumb argument. We've presented the flaws in Aidy's argument but he's more interested in trolling than an intellectual debate (as proven by the fact that he's combated my points with character assassinations rather than responding with mature counter arguments based on fresh evidence and facts)

    -> Volumes of blocked sites do not reflect vulnerabilities either (otherwise every browser would literally have infinite vulnerabilities due to the number of permutations of IP, DNS and so on.

  • Comment number 72.

    Loving the fact that most of the comments between Laumars and Aidy took place before most people had finished their cereal :)

 

BBC iD

Sign in

BBC navigation

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.