The list of talks is now firm for the upcoming hacker conference, known as The Last HOPE. Organized by 2600, who you may know from their weekly radio show, Off The Hook, on WBAI-FM or their quarterly magazine, the conference will be held July 18th through the 20th at the Hotel Pennsylvania in midtown Manhattan.
The 100 scheduled talks cover not only the expected computer hacking, but many other types of hacking too. Among the topics for computer techies are:
- Crippling Crypto: The Debian OpenSSL Debacle
- A fundamental flaw in virtualization
- Malicious User Interface techniques
- Intrusion Detection and Honeypots for the Home User
- Hacking with Microcontrollers
- Hacking the Business Traveler
- Identification Card Security
- Reverse Engineering Proprietary Algorithms
- Hacking the TI MSP430
- IPv6, the Next Generation
- Penetration Testing with Firefox
- Penetration Testing Using LiveCDs
- PGP vs. PKI
- RFID (a talk and a large demo)
- Malware with Adobe's Flash
- VoIP (in)security
- VLAN Layer 2 Attacks
- XSS Vectored Man-in-the-Middle Attacks
The non-computer hacking topics include:
- Biohacking - An Overview (about modifying DNA)
- Brain Hacking
- Consumer Electronics Hacking
- Hacking the Media
- Hacking Sex
- Hacking the Price of Food
- Food Hacking
- Hacking the Post Office
Anyone interested in security in the real world has a lot to choose from, including:
- Escaping High Security Handcuffs
- Design Defects in High Security Locks
- Methods of Copying High Security Keys
- Maintaining a Locksporting Organization
- Safecracking
- Ask a Spy a Question
- Strengths and Weaknesses of Physical Access Control Systems
- Bug Detection (not programming errors, surveillance bugs)
If you are interested in computer hacking but don't have a techie background, try the presentations on "No-Tech Hacking" and "Social Engineering."
Anyone who flies on commercial airlines may be interested in the "Bagcam" presentation by someone who put a small camera in their checked luggage to learn "exactly how TSA or the airlines managed to destroy your luggage". Also covered, "what security measures are actually in place once your checked luggage disappears from view?" Travelers may also be interested in "Warrantless Laptop Searches at U.S. Borders".
Voters would be interested in "Building a Better Ballot Box" and "Hacking Democracy: An In Depth Analysis of the ES&S Voting Systems".
New Yorkers may be interested in "The Art of Do-Foo" talk which aims to use statistics to "quantify successes and failures with the New York City community" and "isolate the key factors that have both positively and negatively influenced the culture in our region". There is also a talk on Privacy vs. Utility in the New York City Taxi System.
Among the featured presenters is Steven Levy, author of "Hackers: Heroes of the Computer Revolution," published in 1984. The book was a defining work about the hacker culture. Kevin Mitnick, arguably the most famous hacker of all, will also be a featured speaker, as will Steven Rambam, an expert on privacy, who was arrested by the FBI prior to his talk at the previous HOPE conference.
If getting to New York City is impractical, 2600 is planning a hacker radio station during the conference to "give additional talk and interview time to the conference's speakers, broadcast the keynotes and other popular seminars, and offer attendees who don't speak at the podium a chance to share their ideas."
Information about the speakers is available at thelasthope.org/speakers.php. An interactive schedule is available at thelasthope.org/matrix.
Think of it as the summer semester at hacking school.
See a summary of all my Defensive Computing postings.
This story starts out like so many others, but then takes a twist.
On Monday, Adobe released a patch that fixed a critical bug in their Adobe Acrobat Reader program. This was reported at CNET by Robert Vamosi, at ZDNet by Ryan Naraine, at the Washington Post by Brian Krebs and elsewhere. When I ran the Adobe Reader on a couple machines, I was duly reminded by a yellow tooltip window that a bug fix was available. On each machine the patch installed just fine. Ho hum.

The twist came about when I went to verify that the patch had been installed. I had started with the latest version of the Adobe Reader, 8.1.2. After installing the patch, I still had version 8.1.2.
You would be excused at this point if you thought this posting was about how or why the patch hadn't been correctly installed. But no, it had installed fine. Pretty surprising behavior, especially since the Adobe Reader may be the most widely installed software on the planet.
So, how can you tell if you have the buggy or the patched version of version 8.1.2?
Of course, if you're online, you can always check for updates. But, update applications are far from foolproof. Just today, Adobe's updater warned me that it couldn't check for updates to itself.
Windows
Security firm Secunia issued an advisory about this bug on June 24. Yet, four days later, its usually excellent online scanner incorrectly flags a patched instance of version 8.1.2 as being version 8.1.0.137. I verified this on Windows XP and 2000.

For Windows XP, an answer came from someone calling themselves "zube" who made a comment at WashingtonPost.com. Go to the "Add or Remove Programs" applet in the Control Panel. At the top, turn on the checkbox to "Show updates" and Windows XP reports the installation of this latest bug fix.

As for Windows Vista, I installed a new copy of the Acrobat Reader today. A check for updates said it was the latest and greatest. But, the "Programs and Features" applet in the Control Panel did not indicate that it included this latest patch.
On a Windows 2000 machine with version 7 of the Adobe Reader, I uninstalled the old version and downloaded version 8.1.2 from Adobe.com. Even though this latest critical patch was released four days ago, Adobe is still offering up the buggy version of version 8.1.2 for download (as of June 27, 7 p.m. PDT). After installing the just-downloaded software, a check for updates showed that it was missing this latest bug fix. After installing the patch, the Add/Remove programs applet in the Control Panel verified that it had been installed.
Update: After this posting was originally written, Adobe pointed me to the Release notes for Adobe Reader and Acrobat 8.1.2 SU1 security update, which details two other ways to verify that you are using a patched instance of version 8.1.2. From the Adobe Reader, click on Help -> "About Adobe Plug-Ins..." -> Comments. The displayed date (see below) should be 6/7/2008. There is also another method that involves querying the registry.

Macintosh
On a Macintosh, Adobe advises clicking Reader -> Adobe Plug-Ins -> Comments. Just as with Windows, they say the API should be dated 6/7/2008. The Release Notes for the patch also describe some files that Mac users can look for. The presence of the files indicates a patched instance of the software.
Linux
The Security Bulletin for this patch doesn't say anything about Linux.
Ubuntu 8.04 does not include the Adobe Reader, instead Evince is used to read PDF files. I installed Acrobat 8.1.2 on Ubuntu after downloading it today from Adobe.com. The Help->About showed that the software was from January 15, 2008. I'm no expert on the four different package managers that come pre-installed with Ubuntu, but it didn't seem there was a more recent update to the Reader. Whether the software is vulnerable, only Adobe knows.
Update: According to Adobe, the software is vulnerable on Linux, an update is "in process" and it's expected to be released in July. When the fix is available, Adobe will update the Security Bulletin (link above).
Foxit
Many people argue that the Foxit PDF Reader is a better choice for viewing PDF files. There is a version for Windows, Linux, U3 and more (but no Mac version). Whatever the prior arguments were, now there is a new one. Adobe should not make patching into a guessing game.
Update June 27, 2008: Added Windows 2000
Update June 27, 2008: Added Secunia
Update June 28, 2008: Expanded Secunia and Linux topics
Update June 28, 2008: Included information from Adobe
Update June 29, 2008: Updated Foxit topic
Some information from the Release Notes for this patch also appears on an Adobe blog by Steve Gottwals: How Can I Tell if I've got Reader 8.1.2 or 8.1.2 Security Update 1 Installed?
Last night and this morning I couldn't get to my personal website. Other websites and email worked just fine. The website itself wasn't broken ("down" is the official nerd term), the Internet was.
A great service for pinpointing a problem like this is available at siteuptime.com. Their free Quick Check (shown below) can be used to test the availability of a website from New York, Chicago, San Francisco and/or London. The HTTP (website protocol) tests of my site showed that it was fine when accessed from all four cities.

As a politician referred to it, the "tube" between New York (where I was) and Florida (where the site resides) had sprung a leak.
The path traveled between any two computers on the Internet can be long and convoluted. Amazingly so. Fortunately, the underlying transmission protocols (TCP/IP) include a debugging command for just this type of routing problem. On Windows it is called "tracert", on Linux it is called "traceroute". I'm not a Mac person, but, according to this Apple KB item, it's also called "traceroute" on OSX where it is part of the Network Utility.
Traceroute shows every router between you and another computer on the Internet. It also shows the time it took for data to get to these intermediate routers, but that's usually not an issue. Below is an edited sample of a Windows XP traceroute between my New York computer and CNET.
C:\Documents and Settings\userid>tracert cnet.com
Tracing route to cnet.com[216.239.122.102] over a maximum of 30 hops:
... [removed]
10 10 ms 10 ms 11 ms ae-13-69.car3.NewYork1.Level3.net [4.68.16.5]
11 11 ms 10 ms 10 ms att-level3-oc192.NewYork1.Level3.net
12 50 ms 51 ms 51 ms tbr1.n54ny.ip.att.net [12.123.0.90]
13 49 ms 48 ms 50 ms cr2.n54ny.ip.att.net [12.122.16.149]
14 51 ms 52 ms 49 ms cr2.wswdc.ip.att.net [12.122.3.38]
15 49 ms 50 ms 53 ms cr1.attga.ip.att.net [12.122.1.173]
16 51 ms 49 ms 50 ms cr2.dlstx.ip.att.net [12.122.28.174]
17 50 ms 50 ms 52 ms tbr2.dlstx.ip.att.net [12.122.18.214]
18 51 ms 51 ms 50 ms 12.122.100.97
19 64 ms 99 ms 52 ms 12.87.121.22
20 51 ms 50 ms 48 ms c18-sha-redirect-lb.cnet.com [216.239.122.102]
The first column is a sequence number, the next three columns are timings and the last column is the name and/or IP address of an intermediate router. All told, the test data traveling from me to CNET made 19 intermediate stops. At least it did this time; the route is not fixed and will change over time.
Note the first line of output that says tracing stops after a maximum of 30 hops. "Hops" refers to an intermediate router. On Windows XP, the assumption is that there normally aren't more than 30 routers between you and another computer.
When things go bad, traceroute shows asterisks. Below is an edited sample of the traceroute between my home computer and my Florida-based website at the time of the problem.
C:\Documents and Settings\userid>tracert www.michaelhorowitz.com
Tracing route to michaelhorowitz.com [208.84.150.101]
  over a maximum of 30 hops:
...
9 13 ms 16 ms 14 ms ae-1-0.pr0.dca10.tbone.rr.com [66.109.6.165]
10 13 ms 15 ms 16 ms 64.132.69.61
11 76 ms 72 ms 73 ms 64.128.245.106
12 72 ms 73 ms 75 ms 64.128.245.106
13 76 ms 75 ms 83 ms core2.rapidvps.net [66.97.162.162]
14 72 ms 74 ms 73 ms moors.rapidvps.net [208.84.151.160]
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
The router at moors.rapidvps.net is not necessarily the problem; it was the last normally functioning router. The real problem lay somewhere beyond it.
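The reading of the failed trace described above can be automated. The following Python sketch is an added example, not part of the original post: it parses Windows tracert output, reports the last hop that answered, and counts the silent hops after it. It treats silent hops in the middle of a path as harmless, since many routers simply do not answer traceroute probes; the function and field names are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The failing trace from the post above, reproduced as sample input.
FAILED_TRACE = """\
Tracing route to michaelhorowitz.com [208.84.150.101]
  over a maximum of 30 hops:
...
9 13 ms 16 ms 14 ms ae-1-0.pr0.dca10.tbone.rr.com [66.109.6.165]
10 13 ms 15 ms 16 ms 64.132.69.61
11 76 ms 72 ms 73 ms 64.128.245.106
12 72 ms 73 ms 75 ms 64.128.245.106
13 76 ms 75 ms 83 ms core2.rapidvps.net [66.97.162.162]
14 72 ms 74 ms 73 ms moors.rapidvps.net [208.84.151.160]
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
"""

DEST_RE = re.compile(r"^Tracing route to (\S+?)\s*\[([\d.]+)\]")
# Hop number, three probes (each "<n> ms", "<1 ms" or "*"), then the host field.
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+\s*ms|\*)\s+){3})(.*\S)\s*$")
# Host field is either "name [ip]" or a bare IP; anything else is a timeout note.
HOST_RE = re.compile(r"^(?:(\S+)\s+\[([\d.]+)\]|([\d.]+))$")


@dataclass
class Hop:
    number: int
    rtts_ms: List[Optional[int]]  # None means the probe got no reply ("*")
    name: Optional[str]
    ip: Optional[str]

    @property
    def answered(self) -> bool:
        return any(r is not None for r in self.rtts_ms)


def parse_tracert(text):
    """Return (destination_ip, hops) from Windows tracert output."""
    dest_ip, hops = None, []
    for line in text.splitlines():
        dest = DEST_RE.match(line)
        if dest:
            dest_ip = dest.group(2)
            continue
        hop = HOP_RE.match(line)
        if not hop:
            continue  # header continuation, "..." or blank line
        rtts = [int(v) if v else None
                for v in re.findall(r"<?(\d+)\s*ms|\*", hop.group(2))]
        host = HOST_RE.match(hop.group(3))
        name = host.group(1) if host else None
        ip = (host.group(2) or host.group(3)) if host else None
        hops.append(Hop(int(hop.group(1)), rtts, name, ip))
    return dest_ip, hops


def diagnose(text):
    """Summarise a trace: was the target reached, and where did replies stop?"""
    dest_ip, hops = parse_tracert(text)
    answered = [h for h in hops if h.answered]
    if not answered:
        return {"reached": False, "last_good": None,
                "silent_tail": len(hops), "silent_middle": []}
    last = answered[-1]
    return {
        # Reached only if the final answering hop is the destination itself.
        "reached": dest_ip is not None and last.ip == dest_ip,
        "last_good": last,
        # Trailing silence: the fault lies somewhere beyond last_good.
        "silent_tail": sum(1 for h in hops if h.number > last.number),
        # Silence followed by later replies is not evidence of a fault.
        "silent_middle": [h.number for h in hops
                          if not h.answered and h.number < last.number],
    }


if __name__ == "__main__":
    result = diagnose(FAILED_TRACE)
    hop = result["last_good"]
    print(f"reached={result['reached']}; last reply from hop {hop.number} "
          f"({hop.name or hop.ip}); {result['silent_tail']} silent hops after it")
```

The last answering hop is the useful detail to send to a hosting company, as the post goes on to describe.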
I sent the traceroute output and a description of the problem to the company hosting my website, and the problem turned out to be with a firewall. For some reason, a firewall under their control was purposely blocking my IP address.
Every computer on the Internet is addressed by a number called an IP address. Large companies are given permanent IP addresses. Consumers, such as myself, normally share a pool of IP addresses given to our Internet Service Provider*. An ISP doles out their IP addresses to customers on an as-needed and rotating basis.
What probably happened was that another customer of my ISP was doing something bad or suspicious and that got them blacklisted in the firewall of my hosting company. But the IP address came from a shared pool and sometime yesterday it got assigned to me.
Go figure.
*I am referring here to public IP addresses, those visible on the Internet. Some IP addresses are reserved for internal use only and are referred to as "private" IP addresses. On a Local Area Network, the IP addresses assigned to each computer normally come from the private group. The most popular private IP addresses are 192.168.x.x and 10.x.x.x. Even if something gets mis-configured, routers on the Internet are programmed to throw away any packets they get with a private IP address.

I happened upon a computer today that hadn't been used in a couple years and was running Firefox version 1.0.6. That version still had a single X on the far right side for closing tabs. It wasn't until later that each tab got its own little X.
Clicking on "Help -> Check For Updates" told me that the latest version was 1.0.12. Nothing about version 1.5, 2, or the just-released 3. Likewise, when Firefox 2 users check for updates, they are only told about the latest go-round for version 2, nothing about version 3.
In general, the way Firefox self-updates is very well done. This is borne out in the stats below, an excerpt from a website activity report showing, for this month, how many hits the site experienced from people using Firefox version 2.x. As you can see, the vast majority of Firefox 2 users are using the latest edition, 2.0.0.14.

Is the failure to look up the version ladder a bug or a conscious design decision? Either way, there are, no doubt, computer users that never got the memo, people still running Firefox version 1.0.12 or 1.5.x, thinking they have the latest and greatest.
Self-updating Firefox from version 2 to version 3 now would be a mistake. While a new version is new, the decision to upgrade should not be automated. However, at some point Mozilla will stop maintaining version 2, a condition techies refer to as "end of life". Here's hoping that when version 2 hits EOL (the mandatory TLA) that the update checking is a bit more self-aware.
Update June 26, 2008: According to an article today at arstechnica, "...Mozilla told us that they have not finalized the schedule for when Firefox 3 will be made available to Firefox 2 users through the update channel, but they suspect that it will happen within the next two or three months."
Unlike many people, my usage of Firefox 3 has been restricted to test and virtual machines. Thus, I may have stumbled across a bug that goes unnoticed on more actively used systems. There seems to be a problem installing the Flash and Java plugins, at least on Windows machines.
Firefox 3 obviously works fine with both Flash and Java, assuming they are already installed. But, if you try to view a web page that requires either plugin, clicking the "Install Missing Plugins" button (shown below) doesn't work, at least on four Windows machines that I tested.

On a Vista machine, Firefox never found the missing plugins, either Flash or Java. It just kept searching and searching. On Windows XP, both plugins were "not available" (see below). I tried this on XP Home and Professional and with both a normally installed copy of Firefox 3 and with the portable version. I even tried this on Windows 2000 and got the same results as with XP. None of these Windows machines had any anti-malware software installed.


It's not all bad news. Every time I manually installed the Flash and Java plugins things went fine.
To test this yourself with Java, you can use the version page at my JavaTester.org site. To test Flash, try the Adobe Flash tester page. You can double check that neither plugin is installed by entering "about:plugins" in the address bar, without the quotes.
A search of the Firefox tech support website and forum turned up nothing about this. Here's a search for "flash player" and one for "Java plugin".
I haven't tried this with other plugins and not being a Mac person, haven't tried it there either. But, I did try it under Ubuntu 8.04 where the auto-install of both plugins ran fine (but you may have to restart Firefox).
My best guess is that this is a Firefox bug. If you're running Firefox 3, and don't have one of these plugins already installed, please try it and let me know. You can email me at michaelhorowitz at gmail. Thanks.
NOTE: I posted this as a question in the Firefox Forum, but it went unanswered. The price we pay for free software is the lack of tech support. I will follow-up, as best I can on this, with Mozilla, Adobe and Sun. This is a Firefox 3 issue, I tested the auto-install of Flash on Windows XP with Firefox 2 and it worked fine.
My last two postings were about making secure HTTPS web pages more obvious in Firefox 3 by adding back the colored address bar from version 2. There is yet another visual trick available with Firefox 3 that also makes secure web pages harder to miss.
As noted earlier, the new site identification button, which used to be merely a favorite icon, now turns blue on most HTTPS pages and turns dark green (see below) on those that offer extended proof of their identity (such as jr.com and paypal.com).
The dark green site id button includes the strongly verified website name and is thus much wider and more obvious. In contrast, the blue site id button shown below is easily missed.
With a little configuring, we can get the blue site id button to also include the website name. While domain names displayed in blue are not as well verified, the point is to get the extra visual clue that the page is encrypted.
This comes from a comment to this article by Johnathan Nightingale, who works on security at Mozilla.
"I would recommend that color blind users (or others, for that matter) also consider changing the browser.identity.ssl_domain_display pref in about:config. Changing this from 0 to 1 causes the verified domain to be displayed in the button for basic-identification sites."
To do this, first enter "about:config" in the address bar (without the quotes), then click on the all-too cutesy "I'll be careful I promise" button.

Next, in the Filter box, type "browser.id". That should leave your browser looking like the below:

Double click on browser.identity.ssl_domain_display and change the default of zero to 1.

Click OK and you're done. There is no need to restart Firefox, you'll see the new expanded blue site id button the next time you view an HTTPS page. I verified this in Windows XP, 2000, Vista and Ubuntu Linux 8.04. It should work in Macs too.
Combining Tips
Finally, if you read my earlier postings about restoring color (either yellow or green) to the address bar for encrypted HTTPS pages, then the end result is shown below.

There is no missing the fact that this page is encrypted.
My last posting was about how Firefox 3 no longer changes the color of the address bar to indicate encrypted Web pages. It was a feature I liked in version 2, and I explained how to restore the yellow address bar in Firefox 3 for Windows.
However, I never got the concept behind yellow. To me, yellow means "warning" rather than "good" and Web pages displayed using the HTTPS protocol are good things, not something anyone needs to be warned about.
Green means good. Firefox 3 uses dark green for the new site identification button. IE7 uses a light green address bar (see below) when the phishing filter is enabled and you're looking at a Web page with an Extended Validation certificate (IE7 doesn't color the address bar for normally encrypted Web pages).

So, if you're going to force Firefox 3 to color the address bar for encrypted HTTPS pages, why not use green?
Follow the instructions from my previous posting, but insert the below into the userChrome.css file. The only difference is the background color; this specifies the same light green that IE7 uses.
#urlbar[level] .autocomplete-textbox-container
{ background-color: #D0F2C4 !important; }
Here are three screen shots from Firefox 3 of the same page, the NewEgg user log-on page. This is a normal, secure, HTTPS page; it does not use extended validation. Choose the behavior you prefer.
Update June 27, 2008: This also works with Firefox version 2.
My next posting is about expanding the blue site id button to make HTTPS pages more visually obvious.
One of the first things I noticed using Firefox 3 was that the address bar for HTTPS (encrypted) pages was no longer yellow. As the old joke goes, it's not a bug, it's a feature. That is, the decision was made for the address bar in Firefox 3 to always be white.
I thought the yellow address bar, advertising encrypted pages, was a great Firefox feature. It was in addition to the classic lock icon that also indicates encrypted pages. The problem with the lock was that it moved around from the bottom right corner to the bottom left corner to the top right corner of the screen depending on the browser being used. Also, it's small and easily overlooked. There was no overlooking the yellow address bar.
In Firefox 3, the visual indicator of encrypted pages is the icon just to the left of the Web page address.
This used to simply indicate the site you were on, nothing more. Webmasters know it as the favorite icon or favicon. In Firefox 3, it was upgraded from an icon to a button with new features, functions and a new name, it's now called the Site Identification button (also known as the "site favicon" and the "site identity button").
In the screenshot above, the gray button color indicates the page is not encrypted. In the screenshot below, the blue button color indicates that the page is encrypted.
The top-of-the-line color though is green (see below), which indicates not only that the page is encrypted but also that the Web site really truly is what it proclaims to be. For more on this see Firefox 3: Site Identification button by Deb Richardson.
To me, this new encrypted indicator is too easy to miss or forget, especially for non-techies and anyone who uses multiple browsers. Fortunately, LifeHacker has instructions on how to Turn Firefox 3's Location Bar Yellow at https:// URLs. In all operating systems, we have to manually edit (or create) a file called userChrome.css.
Windows XP, 2000 and Vista
In Windows XP and 2000 go to:
C:\Documents and Settings\[User Name]\Application Data\
Mozilla\Firefox\Profiles\xxxxxxxx.default\chrome\
In Windows Vista go to:
C:\Users\[User Name]\AppData\Roaming\
Mozilla\Firefox\Profiles\xxxxxxxx.default\chrome
The Xs represent randomly generated characters. In both XP and Vista, you may have to first configure the OS to show hidden and/or system files.
There is no userChrome.css file by default, but there is a file called userChrome-example.css. With Firefox not running, open userChrome-example.css in Notepad, make the necessary change and save it as userChrome.css. The change is simply adding this code:
#urlbar[level] .autocomplete-textbox-container
{ background-color: #FFFFB7 !important; }
Portable Firefox (Windows)
Earlier I suggested that, on Windows, your first foray into Firefox 3 be with the portable version. Portable Firefox users (regardless of the version of Windows being used) should go to:
Z:\yourfolder\Data\profile\chrome
where "Z:\yourfolder" is the folder where your portable copy of Firefox resides. This is where you'll find the userChrome-example.css file mentioned above.
Ubuntu Linux
LifeHacker hadn't tried it on Linux, so I'm glad to report that it does work, at least under Ubuntu 8.04. I found the appropriate folder with the help of this Mozilla Knowledge Base article, Backing up your information, which also has instructions for Windows and Macs. The trail is:
Places menu -> Home Folder -> Show Hidden Files ->
.mozilla -> firefox -> xxxxxxxx.default -> chrome
My thanks go out to David, who pointed out that adding an extra greater than sign and asterisk to the first line is necessary in Linux. That is, the code below needs to be added to the userChrome.css file.
#urlbar[level] .autocomplete-textbox-container > *
{ background-color: #FFFFB7 !important; }
Mac OSX
According to LifeHacker this tweak doesn't work on the Mac. I'm not a Mac user but Andrew read this posting and was nice enough to suggest changing ".autocomplete-textbox-container" to ".textbox-input-box". Thus, Mac users should add the following to the userChrome.css file.
#urlbar[level="high"] .textbox-input-box
{ background-color: #FFFFB7 !important; }
According to Mozilla, the trail that leads to the OS X profile folder is:
Finder -> your home folder -> Library -> Application Support ->
Firefox -> Profiles -> xxxxxxxx.default
Then, as with all the other operating systems, drill down one more level to the "chrome" folder.
Andrew confirmed that this tweak works on 10.5 Leopard on an Intel-based Mac. Later, he tried the Linux tweak above and found that it too worked on Leopard. In fact, he felt the Linux tweak was preferable because it didn't conflict with the Fission extension. Fellow CNET blogger Don Reisinger, who writes the Digital Home blog, confirms that, on Leopard, both the Mac tweak and the Linux tweak work. He too, felt that the Linux tweak is better for Mac users.
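The manual steps above can be scripted. The following Python sketch is an added example, not code from the original post or from LifeHacker: given the Profiles folder, it creates userChrome.css in each xxxxxxxx.default profile (starting from userChrome-example.css when that file exists) and adds the rule for the chosen platform, replacing an earlier copy of the rule if the color changes. The function names are assumptions made for this example; the selectors and colors are the ones quoted in these postings, including the light green from the follow-up posting.

```python
import re
from pathlib import Path

# Selectors exactly as given in the post for each platform.
SELECTORS = {
    "windows": "#urlbar[level] .autocomplete-textbox-container",
    "linux": "#urlbar[level] .autocomplete-textbox-container > *",
    "mac": '#urlbar[level="high"] .textbox-input-box',
}
YELLOW = "#FFFFB7"  # Firefox 2 style address bar
GREEN = "#D0F2C4"   # light green, as used by IE7


def build_rule(platform, color=YELLOW):
    """Return the two-line CSS rule in the layout used in the post."""
    return f"{SELECTORS[platform]}\n{{ background-color: {color} !important; }}\n"


def apply_to_profile(profile_dir, platform, color=YELLOW):
    """Add the rule to one profile; run this with Firefox closed.

    Returns "created", "updated" or "unchanged".
    """
    chrome = Path(profile_dir) / "chrome"
    chrome.mkdir(exist_ok=True)
    target = chrome / "userChrome.css"
    rule = build_rule(platform, color)

    if target.exists():
        text, status = target.read_text(encoding="utf-8"), "updated"
        if rule in text:
            return "unchanged"  # already applied, do not duplicate it
    else:
        # Start from the shipped example file so its header lines are kept.
        example = chrome / "userChrome-example.css"
        text = example.read_text(encoding="utf-8") if example.exists() else ""
        status = "created"

    # Drop an earlier copy of this platform's rule (for instance a different color).
    old_rule = re.compile(re.escape(SELECTORS[platform]) + r"\s*\{[^}]*\}\n?")
    text = old_rule.sub("", text)
    if text and not text.endswith("\n"):
        text += "\n"
    target.write_text(text + rule, encoding="utf-8")
    return status


def apply_to_all(profiles_root, platform, color=YELLOW):
    """Apply the rule to every xxxxxxxx.default profile under profiles_root."""
    return {
        profile.name: apply_to_profile(profile, platform, color)
        for profile in sorted(Path(profiles_root).glob("*.default"))
    }


if __name__ == "__main__":
    import sys
    # Usage: script.py <Profiles folder> <windows|linux|mac>
    print(apply_to_all(sys.argv[1], sys.argv[2]))
```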
End Result
If all goes well, then logging in to a NewEgg account should look like the below. Next, why yellow?
Update June 22, 2008: Added folder location for Windows Vista, thanks to CNET user AXG.
Update June 22, 2008: Added Ubuntu Linux.
Update June 22, 2008: Added Mac suggestion.
Update June 23, 2008: Added confirmation from Don Reisinger of the Mac tweaks.
My next posting is about using a green address bar instead of yellow and the one after that is on expanding the site identification button on HTTPS pages to make things even more visually obvious.
To make a comment or suggestion privately, email me at michaelhorowitz at gmail.
For more on the Firefox "profile" folder, see Profile folder - Firefox from mozillaZine.
Note: I'm using a normally installed copy of Firefox 3 in a virtual machine and a portable copy on a test machine. As I wrote earlier, I'm in no immediate rush to fully convert over to the new version.
In the first posting on this blog I said it would be a game-free zone. Despite this, I recommend reading The truth about last year's Xbox 360 recall by Paul Thurrott. The story is as much about Microsoft and hubris as it is about the Xbox 360.
You may recall that Microsoft had to replace many Xbox 360s that suffered from a "Red Ring of Death" and even went so far as to extend the warranty to three years. Microsoft never offered specifics on the problem and now we know why, it was embarrassing.
Anyone can call the Xbox 360 "... a hunk of unreliable junk that was foisted on us by people who are more concerned with their own image than with reality." But, it means more, when coming from a pro-Microsoft person, such as Mr. Thurrott.
FYI: The article refers to an "ASIC" which is an Application Specific Integrated Circuit. In the context of the article it refers to the graphics processor.
I love Firefox. Usually it goes hand-in-hand with Defensive Computing, as Firefox is more secure than Internet Explorer. But not today, not with the release of version 3 of Firefox.
Don't install Firefox version 3. Not today. Not for a while.
Like all new software, Firefox 3 is best kept at arm's length. Version 3 was a long time coming and, no doubt, features lots of new code. At the risk of repeating myself, all new software contains bugs and design flaws. Let the rest of the world debug it for you.
This is not to pick on Firefox or Mozilla. Recently in this blog, I suggested waiting on Windows XP SP3, which turned out, in retrospect, to be the right thing to do. I also suggested holding off on Vista and Leopard when they were new. How long to wait is a matter of opinion. However, waiting rather than rushing, is always the right defensive approach.
And, when the time comes to try Firefox version 3, go with the portable version available at portableapps.com. It can happily co-exist with a normally installed copy of Firefox. The only limitation I've found is that if the normally installed copy of Firefox is running, the portable version won't run (see below).

Finally, another repeat suggestion. Windows XP users should run all their web browsers under the free DropMyRights program. I wrote three postings about this last August. See Every Windows XP user should drop their rights.
Update June 17, 2008: Let me clear up some confusion about portable applications in general - they are not "installed", at least as far as Windows is concerned. When you run an EXE file downloaded from portableapps.com it looks like a normal installation and they even use the word "install" (an unfortunate choice). But, all that is really happening is the application is unpacked/unzipped into whatever folder you point it at. To delete the application, delete the folder. There is no un-install.
Update June 18, 2008: Today, Robert Vamosi wrote Firefox 3 suffers its first vulnerability. This is not what I was referring to here, as the problem, whatever it is, also affects version 2 of Firefox.
Update June 19, 2008: Firefox version 3 is now available as a portable application at portableapps.com. Even if you are not concerned about major new software releases, running the portable version 3 on the same computer as a normally installed copy of version 2 is a great way to compare the two.
Update July 2, 2008: Firefox version 2 is a great web browser. Today, they released an update, version 2.0.0.15. I mention this here because version 14 of Firefox 2 contained 13 bugs, five of which Mozilla rated "critical." That the 14th go-round still contained 13 bugs confirms my reluctance to convert immediately to the first release of a major new version.
Firefox 3 users will find that secure HTTPS web pages no longer display with a yellow address bar. To restore it see Firefox 3 gotcha: No more yellow address bars.

