Immunet Blog

For all my German-speaking friends I will start by apologizing if I butchered the title. I was hoping to query "No more Internet Explorer?” That question is probably being asked a fair bit in Germany and France right about now. Both governments recently advised their constituencies to ditch IE in favor of other browsers.

I'd have to be on record that I think this is poor advice because it's at best a short-term fix. It's true that IE has had a long history of security vulnerabilities, but this is also true for all browsers that have been around long enough and have a large enough user bases. 

The more functionality we push into browsers, the more complicated the web becomes, the more we have to add to our browsers to compensate. 'More' in this case means more code, more code means a higher likelihood of mistakes of which some portion will be software vulnerabilities that will be exploited. It's all math at the end of the day and Firefox, Safari and Chrome are no more immune to it than IE.

What makes IE more dangerous is that it has a larger following. People looking to exploit software vulnerabilities for profit are generally going to follow 'Sutton's Law'. Willy Sutton was a famous bank robber who when asked why he robbed banks replied, "Because that's where the money is". People research IE and exploit it's vulnerabilities because it has the largest user base. If you incite people to abandon it in favor of other choices those other browsers will start to suffer the same fate. This is not a problem that's going to be solved as simply as changing browsers.

My advice, consistently, is this:

1. Upgrade to IE 8 - it's much better.

2. Get off XP to Windows 7 if you can.

3. Turn on automatic Windows Update.

4. Run up to date Anti-Virus software

If you are part of any community for long enough you become immersed in a great deal of unspoken, but well understood realities. The computer security industry is such a creature. It’s perhaps more true in this industry than in others because it’s a relatively young industry and many people who have been it in for a long time tend to know each other, and often know each other well. People talk in this industry and while discretion to the outside customer might be a virtue, internal to the community that virtue is, let’s say, somewhat porous.

One of the general truths that you learn when you spend enough time in this industry is that state sponsored hacking is commonplace. It’s been commonplace for well north of a decade (or two) and while it’s not generally tough to recognize it for what it is it can be career ending or financially ruinous to discuss it. Governments buy a lot of product and spend a huge outlay on services each year from the security industry. I think we all know it’s bad practice to bite the hand that feeds you.  This state sponsored activity is hardly limited to China of course. Any country with a GDP worth mentioning likely participates in it to some degree.  China just happens to be more aggressive about it than most and it tends to get caught more often.

So what about Google? This is a company, which can hardly be a stranger to this reality. Their security staff is plumb full of sharp edged veterans who know the score. The attack types seen recently are not even remotely new or novel and it’s not likely the first time Google has been targeted (even successfully). If you have been following this story you know (or have read) that doctored Office attachments in email and Instant Message traffic were targeted at selected individuals. These individuals were exploited which resulted in their machines being compromised. Once their machines were compromised they became gateways into their corporations. This is not new either. In fact I would wager it’s nearly a daily occurrence.

So what then is Google’s sudden cause for umbrage? I don’t know but I can say for certain we do not have the full story here. I expect more will follow over time. For years they’ve been willing to abide by China’s onerous net censorship rules in order to happily take advantage of cheap labor, a market presence in china, and revenue from Chinese adwords. Now, they are speaking of leaving because they’ve been personally attacked. The message as I see it from Google is this “We’re happy to curtail the freedoms of others, so long as you don’t do wrong by us personally”.