Comment: Why Firefox is failing in the corporate environment.

I’ve sat on this article for a number of years, hoping against hope that the Firefox development team would get off their elite self-indulgent asses and realise that, guess what? – the world doesn’t work the way they think it should.

Don’t get me wrong, I love Firefox. I use it daily for nearly all of my web browsing needs, but there is just one little problem – a massive little problem – and that is why I am writing this article.

Most articles on this subject tend to focus on the lack of IT department deployment and management tools for rolling out Firefox, but that isn’t the issue. Really? So what is it then?

The answer is very, very simple: Firefox does not work on a real-world company Intranet.  There, I said it. 

Really, it doesn’t – the Firefox development team have decided in their infinite security wisdom that links from one method (e.g. http://intranet) to a local method (e.g. file://server/expense_claim.xls) are so bad that they won’t even put out a warning.

I feel it is bad enough that it doesn’t work, but silently failing without any alert boxes, or an option saying “Yes, I know I’m risking my life, but really, do let me click this link” or putting file://intranet into the trusted domain is the root cause why Firefox will never be accepted as a corporate browser.

IT departments just do not want to deal with the question “Why doesn’t the link to the document work?”. The simplest answer for the IT department is “We only support Internet Explorer”.

Any amount of Firefox protestations saying “Oh! but you shouldn’t be running your Intranet like that.” is not going to change the real-world Intranets, and ultimately it keeps pushing Firefox back from acceptance into the Corporate world.

Until Firefox is able to be used the way that real users want to use it, IT departments will continue to push that reliable old line that we only support IE.

Welcome to the real world.

https://bugzilla.mozilla.org/show_bug.cgi?id=84128
https://bugzilla.mozilla.org/show_bug.cgi?id=122022

TinyURL PHP “flaw” ?

The Register is running a story today, “TinyURL, your configs are showing”, which points out that TinyURL has a /php.php page displaying the contents of phpinfo().

The article then goes on to make some scary sounding claims from security consultant Rafal Los: “Why would you want to run a web service as ‘Administrator’ because if I figure out a way to jack that service, I completely, 100% own that machine.” and “More importantly… why is this server running as ROOT:WHEEL?!”

Sorry Rafal – but you appear to have no idea how web servers work, or all that much about (web) security.

All unix based webservers start as root if they want to bind to the restricted (and default) port 80, after which they switch to the configured UID for request handling.  So, right there, goes all Rafal’s claims about pwning the machine.

Check your own server, the _SERVER and _ENV values will reflect the starting shell/environment, which just happens to be root. In other words, there is nothing wrong with the settings. Having said that, they do have register_globals turned on, which isn’t ideal – but it isn’t a gaping hole if the underlying PHP code is safely coded.
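The difference between what the inherited environment says and what the kernel enforces, as an added example (not part of the original post and not TinyURL's code). The bind to port 0 stands in for port 80, ID 65534 stands in for the configured UID, and the USER=root environment is constructed; when not started as root the drop step is skipped.

```python
import json
import os
import socket

UNPRIV_ID = 65534  # assumption: uid/gid of "nobody"; a real server uses its configured user


def bind_then_drop(port=0):
    """Bind as the starting user, then report the forked worker's real identity."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", port))  # stand-in for port 80, which needs root
    listener.listen(1)
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: plays the request-handling worker
        try:
            # Constructed: the environment a root shell would hand to the daemon.
            os.environ.update({"USER": "root", "HOME": "/root"})
            dropped = False
            if os.geteuid() == 0:
                try:
                    os.setgroups([])      # supplementary groups first
                    os.setgid(UNPRIV_ID)  # then the group, while still root
                    os.setuid(UNPRIV_ID)  # the user last; cannot be undone
                    dropped = True
                except OSError:
                    pass  # e.g. a sandbox that forbids changing IDs
            euid = os.geteuid()
            try:
                os.setuid(0)
                can_regain_root = True
            except OSError:
                can_regain_root = False
            report = {
                "env_user": os.environ["USER"],  # what _ENV would show
                "euid": euid,                    # what the kernel enforces
                "dropped": dropped,
                "can_regain_root": can_regain_root,
                "port": listener.getsockname()[1],  # socket survives the drop
            }
            os.write(wfd, json.dumps(report).encode())
        finally:
            os._exit(0)
    os.close(wfd)
    listener.close()
    with os.fdopen(rfd) as pipe:
        report = json.loads(pipe.read())
    os.waitpid(pid, 0)
    return report
```

When auditing a server, read the worker's UID from the process table or from posix_getuid() rather than from the USER variable in a phpinfo() dump.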

Also to TinyURL’s credit, they are running the Suhosin patch to harden their server. They’re also running the latest production PHP (which is more than I can say). Granted, they probably don’t want to be exposing phpinfo() – but this is all just an overblown storm in a teacup.

St. Patrick’s Day in Downpatrick

I took the kids to the St. Patrick’s Day parade today in Downpatrick, Co. Down (in Ireland for the non-Irish based people), the “home” of St. Patrick.

The event itself is described by the organisers:

“ST PATRICK’S DAY CROSS-COMMUNITY CARNIVAL PARADE
This cross-community event, the centre-piece of the festival, will be a
spectacular cavalcade of floats, bands, people in fancy dress and lots
of attractions! Parade theme: ‘The Sun, the Moon and the Stars’. The
parade will assemble on the Ardglass Road at 1.00pm and depart at
2.30pm for the town centre where it will arrive at approximately
2.50pm. Parade route: Ardglass Road, Edward Street, John Street, Irish
Street and Market Street. The closing date for parade entries is Friday
27 February 2009. Organised by Down District Council.”

Anyway, I took loads of photographs and put them all up over on my photo gallery:

http://photos.pgregg.com/v/Users/pgregg/stpatrick2009/

The kids enjoyed it greatly, though the funniest moment was a local Manchester United supporters club who went the entire route to boos and chants of “FOUR – ONE!” (in reference to Liverpool beating Manu 4-1 at the weekend).

The parade had a huge variety of themes, only a few of them Irish. Others included an American Flag waving troop from Florida, Salsa dancers, puppeteers on stilts, Spongebob (anything with Spongebob is a win), Chinese Dragons and drummers, through to kids dressed as Star Wars characters.