State of Colorado Calls Firefox Insecure, IE6 Safe 530
linuxkrn writes "The State of Colorado's Office of Technology (OIT) has set up a work skills website. The problem is that the site says 'DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk.' (Original emphasis from site.) If the leading IT agency for the State is making these uneducated claims, should the people worry about their other decisions?"
Attention all personnel (Score:2, Funny)
The Education Property has been increased to 128 characters due to popular demand.
That is all.
Re:Attention all personnel (Score:5, Funny)
I tried to leave a comment :
Server Error in '/SKILLS' Application.
Object reference not set to an instance of an object.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[NullReferenceException: Object reference not set to an instance of an object.]
Skills.Suggestion.doTheSend() in C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\Skills\Suggestion.aspx.vb:137
Skills.Suggestion.sendEmailLink_Click(Object sender, EventArgs e) in C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\Skills\Suggestion.aspx.vb:127
System.Web.UI.WebControls.LinkButton.OnClick(EventArgs e) +90
System.Web.UI.WebControls.LinkButton.RaisePostBackEvent(String eventArgument) +76
System.Web.UI.WebControls.LinkButton.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +7
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +11
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +177
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1746
Version Information: Microsoft .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433
LOL ?!?
Re: (Score:3, Interesting)
Re: (Score:3, Insightful)
He at least knew enough to be dangerous and change the default of hiding stack trace information when an unhandled exception occurs.
Add ins (Score:4, Informative)
These can be insecure. In fact, some were designed as trojans. See the Vladuz saga, who cracked eBay site admin accounts - in part through a Firefox plugin designed to this purpose, and hosted on the firefox plugin site!
When any goof startup can create social-network connectors or picture-browsing extensions, Firefox abdicates a good part of its inherent security advantages. Use these at your own risk. We won't touch FF privacy concerns with the Google relationship, and how hard it is to keep FF from reporting to GOOG as a default. IE is as bad with their parent.
I do think the warning about FF IS misplaced. Our biggest current risk is simply the Adobe PDF file-format. You don't even need to OPEN the file to execute code! Whee!
Re:Add ins (Score:4, Interesting)
When any goof startup can create social-network connectors or picture-browsing extensions, Firefox abdicates a good part of its inherent security advantages. Use these at your own risk.
Any goof can create them, but *not* any goof can *publish* them on the Mozilla site. Mozilla has over the last couple years instituted a number of strict review guidelines and tests that an add-on must pass before it's published by Mozilla. Every add-on and add-on update is code-inspected line-by-line by a human editor. Mozilla has staffed up specifically in support of the add-ons site, and the number of code reviewers has grown dramatically in recent months. Reviewers keep a sharp eye out for remote code execution, violations of user expectations of privacy, and anything that detracts from user experience. Additionally, automated red-flag detection tools are now in the works.
Bottom line: do not install plugins and extensions in Firefox from sites other than addons.mozilla.org. With AMO, every single extension and extension update is inspected and reviewed before being published on the site. It's the only way to be sure.
Re:Attention all personnel (Score:5, Funny)
This is why they told you not to use Mozilla. It poses a security risk for the site... look, you went and disobeyed the directions and broke it!
All because you were using Mozilla instead of IE!
Re:Attention all personnel (Score:5, Funny)
Skills.Suggestion.doTheSend()
Priceless. 'send()' would have been a boring name for that function.
First Hosea wins Top Chef instead of an actual chef, and now this.
I hate Colorado now.
Re:Attention all personnel (Score:5, Funny)
Look on the bright side, at least it's spelled right. I'd rather have doTheSend() than excetute(), which some kind soul helpfully made an abstract in one of our base classes, and that has since been propagated across a few hundred other classes that I'm not allowed to refactor. A little piece of me dies every time I see it.
At least I sort of know who did it, thanks to cvs history. And if I ever figure out who the hell ers4634 is, they'll truly know what it means to be excetuted. Bastard.
Re:Attention all personnel (Score:5, Funny)
they'll truly know what it means to be excetuted. Bastart.
Broke That For You.
Re:Attention all personnel (Score:5, Funny)
And if I ever figure out who the hell ers4634 is, they'll truly know what it means to be excetuted.
Good luck with that. I mean, he could be anyone. ;)
Re:Attention all personnel (Score:5, Funny)
Skills.Suggestion.doTheSend()
Priceless. 'send()' would have been a boring name for that function.
This is because it's already in use. Just like 'doSend()'. And what do you do when you just happen to need a third 'send()' function?
Re:Attention all personnel (Score:5, Funny)
.SendThatBitch() /*if only my bosses ever bothered to read my code comments! They wouldn't be able to keep a straight face while firing me*/
Re:Attention all personnel (Score:5, Funny)
Nah, go all the way. inUrMethodSendinUrMessage() or bust.
Re:Attention all personnel (Score:5, Funny)
doTheSend()... that is amusing. I think it is even funnier that they left the code in:
C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\Skills\
So..I guess they could only afford one copy of Visual Studio, and it is....on the server..../boggle
And production code running from "My Documents" haha.
Re: (Score:3, Insightful)
Re:Attention all personnel (Score:4, Funny)
Well, seeing as its stack trace says *vb instead of *cs, I'm guessing it's VB.
Re: (Score:3, Insightful)
Re:Attention all personnel (Score:5, Funny)
Wait... what?
Re:Attention all personnel (Score:5, Insightful)
Interesting... stack trace displays are turned off by default from remote sites when using ASP.NET for security reasons. They had to explicitly turn them on to display this.
I doubt they are the best people to tell others about security...
Re: (Score:3, Insightful)
Re:Attention all personnel (Score:5, Informative)
The Colorado Departent of Labor and Employment regrets that this service is unavailable at this time.
(We like Firefox too...and safari.....and chrome...)
Its pretty funny what a good slashdotting will do.
Re:Attention all personnel (Score:5, Funny)
Server Error in '/SKILLS' Application.
That may be the most astute error message I've ever read.
Re:Attention all personnel (Score:5, Funny)
EDUCATION:
I got a B.S. in computer science at Crazy Go Nuts University, and learned about security, including browsers. And let me tell y
If I were from colorado.. (Score:3, Informative)
I'd be writing a nasty email right now.
Re:If I were from colorado.. (Score:5, Insightful)
Here's How to contact them (Score:5, Informative)
Email:
oit@state.co.us
Phone:
303-866-6060
Fax:
303-866-6454
US Mail:
Governor's Office of Information Technology
1580 Logan St., Suite 200
Denver,CO 80203
Re:If I were from colorado.. (Score:5, Funny)
Obviously the correct approach is to send them a link to a special web page that will infect their computer if using IE. Once you've taken over their computer, you can use it to change their policies to supporting Firefox.
Re: (Score:3, Funny)
Try mailing them colorado . nimp . org
(link broken for reasons you either already know, or don't want to)
Re:If I were from colorado.. (Score:5, Informative)
Re:If I were from colorado.. (Score:5, Informative)
Secunia states that Firefox3 has less critical issues:
http://secunia.com/advisories/product/19089/ [secunia.com]
While IE6 and IE7 have moderate problems. Making IE less secure:
http://secunia.com/advisories/product/11/ [secunia.com]
http://secunia.com/advisories/product/12366/ [secunia.com]
Firefox3 also has only 1 issue unpatched, while IE6 has 22 open issues.
Re:If I were from colorado.. (Score:5, Insightful)
Re: (Score:3, Interesting)
Secunia states that Firefox3 has less critical issues
Sometimes I correct people on 'less' vs 'fewer', and I get the response that it's obvious what was meant.
This is one of those occasions when using the wrong word really does change the meaning. And by golly, I checked the page, and you really did not mean 'fewer' as I had expected.
What Secunia says about Firefox is that the most severe unpatched Firefox bug they know of, they rate as 'less critical'. Whatever that means.
Re:If I were from colorado.. (Score:5, Insightful)
Based on the speed at which things can get fixed by what are normally lumbering juggernauts when they are seen and reacted to by a million people on the Internet, I'd suggest that ten thousand angry rants are often much more effective than hundreds of extremely well spoken, coherent, concise emails.
In this case, a massive spew of vitriolic bile targetting squarely at the fools behind that miserably borked IIS site seems warranted, and is likely to be more effective than some pansy-assed coherent "Dear Sirs, I am writing to engage in a discussion concerning what appear to be some personal biases toward the fine products that Microsoft Corporation produces and their manifestation in a minor slight against Firefox, another fine product, on your web blah blah blah..."
Fuck that. Hoist the pitchforks! Ignite the torches! Geek wrath power ON!
Re:If I were from colorado.. (Score:5, Interesting)
And what should that email say, exactly? More specifically, to what URLs could I point the devs to an _unbiased_source_ that IE is insecure and Firefox is secure?
I have this problem with Hebrew websites constantly, in fact, about two hours ago I wrote to a local news website about their IE-only policy. Being able to point them to an unbiased, reliable source to back up the "Firefox is safer" claim would help.
Yeah right. (Score:5, Insightful)
People like these bozos can insult our intelligence and we all are supposed to act politely and rationally.
I say that a few hundreds or thousands rabid replies from aggravated individuals would do wonders.
Sometimes politeness is seriously overrated...
Why? (Score:5, Funny)
Where does it say FIrefox is insecure? (Score:4, Informative)
Re:Where does it say FIrefox is insecure? (Score:5, Informative)
It used to say:
Re:Where does it say FIrefox is insecure? (Score:4, Informative)
Well IE still requests the file (it has to, otherwise it doesn't know what the filename or content-type is). Any naive script that flags the downloaded as having commenced when it first starts serving the data will treat an IE click-and-cancel the same as a Firefox click-and-cancel. Even scripts that wait until it's finished sending the data are likely to be allowed to complete by the web server, since aborting scripts in the middle of execution can be problematic. Most servers take the "safe" approach by default: let the script finish running and just throw its output away if the client disappears.
It looks like IE doesn't acknowledge receiving the data at the TCP/IP layer, and instead plays funny games with the TCP window size (setting it to 0) in order to stall the connection until the user decides what to do. It also seems to send 30+ duplicate ACKs for some reason. However all this is transparent to the web application; at best it'd just seem like a lossy TCP connection.
Interesting to see that IE7 still has the "unbelievable transfer speed" bug in that if you click on a link for a file download and take a while to decide where to put it, the initial transfer speed it shows is ridiculously high because it's already downloaded a few hundred kilobytes of the file before it starts the download speed timer.
Re:Where does it say FIrefox is insecure? (Score:5, Informative)
It looks like they removed the message about Firefox being insecure. Google doesn't have a cache of the page, but you can see it in the summary:
http://www.google.com/search?hl=en&q=http://www.coworkforce.com/Skills/myskills.aspx+Firefox+security&btnG=Search [google.com]
You can clearly see the text: "DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk."
Re:If I were from colorado.. (Score:4, Funny)
That's just in IE6. Better security that way.
The site looks like... (Score:2, Interesting)
Re:The site looks like... (Score:5, Informative)
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 6.0" >
<meta name="ProgId" content="FrontPage.Editor.Document" >
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252" >
<title>Welcome to The Colorado Department of Labor and Employment</title>
<link rel=stylesheet href="/commoncomponents/contentstyles.css" type="text/css">
</head>
Re:The site looks like... (Score:5, Insightful)
Very poor odds. Working for a similar state government agency I can tell you the process probably involved atleast 10 weekly or monthly meetings to outline the basic content, a 2 month review process on the outline documentation for the page layout, a 6 month bidding process from prospective contractors to create the webpage, another couple months for a cost/benefit analysis, with the final decision that a frontpage license and either a new permanent position or an expansion of duties amendment (with associated raise) to one of their high up IT people would be the answer. Total time to create that webpage, probably a year and a half to two years.
Re:The site looks like... (Score:5, Interesting)
Re:The site looks like... (Score:4, Insightful)
Lest people think only government wastes monumental time and effort towards something relatively trivial, Microsoft spent a full year working on a feature one of its developers claims could've been done in a week [blogspot.com].
It's a paradox of project management--too many stakeholders or dependencies, and you're going to bog down in red tape. Too few means that no one cares what your project is and won't waste their time helping you, and it'll never see the light of day. Finding a balance is difficult at best in any large organization.
That's just bad (Score:5, Interesting)
Well, I'm impressed. I tried to send them a message telling them that they're morons. (Though in a more polite manner.) They got right back to me with this message:
I love how the site is:
A) Being run off of someone's desktop. Out of their My Documents folder, no less.
B) Gives up the username of the machine without so much as a "how do you do"
C) Shows the world that our amazing admin can't even hack it at C#
I should check the IIS version. I have a sneaky suspicion that it's not up to date. Or maybe take a cue from Bobby Tables and throw some SQL injection attacks [xkcd.com] at the site. :-/
Re:That's just bad (Score:5, Funny)
Maybe they're not morons, maybe it's just that the entire state is on the cutting edge of the latest trolling fads? Like, it's so good at trolling that I can't think of how the joke is on everyone, so...
My head hurts, colorado wins again...
Re:That's just bad (Score:4, Funny)
In other, completely unrelated news, Microsoft announced today that they are opening a new software development center in Colorado.
Re:That's just bad (Score:4, Funny)
Re: (Score:2)
I just did the same thing... What a f*cking joke.
Re: (Score:2)
For being hosted off of someone's machine, they're doing quite well for being posted on Slashdot.
Re:That's just bad (Score:5, Funny)
Re:That's just bad (Score:5, Funny)
Re:That's just bad (Score:5, Informative)
It's not being run off someones desktop - the developer in question forgot to turn debug symbols off. Debug symbols in .NET include sourcecode filenames and line numbers on Windows.
Re: (Score:3, Funny)
This is from the site headers:
I love how they have the office web server extensions enabled. Ouch.
Re: (Score:3, Informative)
But they do have a production server that's printing detailed error messages on the HTTP response. That's a misconfiguration, and an active choice at some point. Presumably debugging system - maybe they don't have test or staging servers.
Re: (Score:3)
That doesn't mean for sure it isn't on his desktop.
Re: (Score:3, Informative)
It's not being run off someones desktop - the developer in question forgot to turn debug symbols off. Debug symbols in .NET include sourcecode filenames and line numbers on Windows.
I assume that the grandparent thought it was someone's desktop because of the "C:\Documents and Settings\qeuc34\My Documents\Visual Studio 2005\Projects\" path. It looks like a developer is keeping the project in their own documents and running it straight from the source code there.
Re:That's just bad (Score:4, Insightful)
I should check the IIS version. I have a sneaky suspicion that it's not up to date. Or maybe take a cue from Bobby Tables and throw some SQL injection attacks at the site.
No, you really should not do that.
Sheesh...
Re: (Score:3, Funny)
No, you really should not do that.
Sheesh...
No, we only condone DoS attacks here at Slashdot.
Re:That's just bad (Score:4, Funny)
Re:That's just bad (Score:4, Funny)
"But I don't even have a computer.
Colorado (Score:2)
I'm from Colorado. Most of the time I feel the State Government here is on crack. If I write them an email using Thunderbird, I wonder if it would be rejected because it didn't come via Outlook?
What do you expect... (Score:5, Funny)
The Education Property has been increased to 128 characters due to popular demand. Thanks for your patience.
Re:What do you expect... (Score:5, Funny)
Re: (Score:3, Informative)
I've lived here for over a decade and have never seen one of those. Moreover, the numbers [ed.gov] show that's clearly not the case.
Re:What do you expect... (Score:4, Informative)
Funding has very little correlation with the quality of education. California is bankrupting itself funding education, yet is quite lackluster in its educational quality.
But does the site still WORK with Firefox? (Score:2)
Seriously, is this the kind of "news" that passes as a slashdot article now?
Re:But does the site still WORK with Firefox? (Score:5, Informative)
Actually the site doesn't work whether you're using Internet Explorer or Firefox. It looks worse with Firefox because they are using some of the non-standard display tags that cause components to overlap if using a standards compliant browser. Regardless of the browser used, the result is the same: failure.
Re: (Score:3, Insightful)
To be fair, writing .NET code in VB is exactly the same as writing it in C# -- compile them both and you get CIL code. Although I agree that these guys are likely incompetent, it's not fair to say "anyone who writes in VB is incompetent at programming".
Nice quote (Score:2)
It has been decided
I wonder who decided that? Does their name start with 'Micro' and end with 'Soft'?
The Decider (Score:2, Funny)
He decided.
Re: (Score:2, Funny)
Their FAQ page... (Score:2)
... has an answer to "Why is the sky blue?". It's mostly right, without being informative at all. Of course, I saw that with Firefox, so maybe it'd have been a lot better of an answer if I'd used IE 6+.
Re:Their FAQ page... (Score:4, Funny)
That's simple? Here's _simple_! (Score:5, Funny)
Oh yay, another great example of providing a technically correct, but thoroughly misleading answer. "To answer these questions, we must learn about light, and the Earth's atmosphere." No, you mustn't. Ok, you need to learn one thing: "the sky is blue because air is blue [amasci.com]" (from Recurring Science Misconceptions in K-6 Textbooks [amasci.com]). All that crap about Rayleigh scattering and frequencies of light is...well, it's true but it's generally beside the point.
Q. Why is my shirt red?
A1. (bad) To answer these questions, we must learn about light, and how photons are absorbed or reflected by different materials, and how the cones of the eye convert photons into neural impulses....
A2. (good) because it was dyed red.
Granted, all that other stuff can be interesting too, but to claim that you're providing the simple explanation is just ridiculous.
(At least it's not as bad as the standard explanation of an airfoil, which is simply wrong.)
Who's on first? (Score:5, Funny)
Head asplodes.
Re:Who's on first? (Score:4, Insightful)
Windows only? (Score:2)
Another reason (Score:3, Insightful)
PEBKAC (Score:4, Informative)
Well, they're mostly wrong, but partially right. All things considered, the biggest security risk isn't the web browser used, it's the incompetent organic mass between the keyboard and the chair.
It still amazes me how many people really think they're the 1,000,000th visitor to a site, and that they've actually won something because of it.
Re:PEBKAC (Score:5, Funny)
Contact info for OIT (Score:5, Informative)
oit@state.co.us [mailto]
From the site (Score:5, Funny)
"Questions and Answers"
"Can I use Firefox or another Browser?"
"No! For security reasons, and some significant processing issues as well, the only supported Browser is Internet Explorer Release 6 or later."
"What if I have a Skill that isn't listed?"
"The "Suggestion" tool enables you to communicate directly with the Administrators. We will research your proposed Skill with your input and agreement."
I'd like to learn how to make web pages. Think I might see if I can tap these guys expertise. Anyone else fancy coming along?
Mozilla (Score:5, Interesting)
Mozilla is an actual bona fide business allied with google among others, and as such I hope they sue the living snot out of that agency for making such a public claim. This sort of thing is no freakin joke. If they do, I would be interested to see what comes out in discovery with the actual human bureaucrats involved in setting this policy and posting that.
That's the opposite of what the DHS said (Score:4, Interesting)
So now Colorado thinks they're smarter than the feds?
Not long ago the DHS said to avoid IE and use firefox for security reasons.
http://www.google.com/search?q=dhs+avoid+ie
Message from the State Chief Information Officer (Score:3, Informative)
Message from the State Chief Information Officer
Michael Locatis, State CIO
"As the Chief Information Officer for the State of Colorado, my role is to provide the momentum and strategy for wide-ranging activities from promoting high end research and development of cutting edge technologies to creating strategies for service delivery supporting the day to day operations for the State of Colorado - thereby making a difference in the lives of the people of Colorado and delivering Governor Ritter's 'Colorado Promise'."
http://www.govtech.com/pcio/articles/386146 [govtech.com]
Colorado Gov. Bill Ritter and CIO Mike Locatis Launch IT Consolidation
Aug 21, 2008
Before his Cabinet appointment in Colorado, he was CIO of Denver, where he showed his centralization skills (and caught Ritter's attention) by consolidating 20 separate municipal and county departments into a single, citywide IT agency. It's also where Locatis learned how fragmented the state's IT systems were.
"It was while I was working in local government that the issues surrounding state IT were immediately apparent because they impacted how services were delivered at the local level," he said.
Before becoming a public-sector CIO, Locatis was the senior director of enterprise technology strategy for Time Warner Cable Inc., part of Time Warner Inc., a Fortune 50 company and the country's largest entertainment firm. Locatis honed his skills at aligning customer-service delivery systems, standardizing desktop capabilities and managing tech and support teams for huge enterprise resource planning applications.
Despite Locatis' knowledge of the state's IT systems' problems, he wasn't expecting the mammoth job he faced. "It was significantly siloed and fragmented IT delivery, which was a root cause of a lot of the issues - including inefficiencies, a lack of leveraging an enterprise approach and just about every [IT] department in the state doing its own thing," he said.
the sad truth of the matter (Score:4, Interesting)
The state of colorado made attempts to be "ahead" of the curve when it came to an online presence (see also denvergov.com [denvergov.com] and the atrocity that is netfile [state.co.us]; we were one of the first states to have online tax filing). Unfortunately they hired people who knew ass all about javascript (or proper DB handling) and no one knew enough to stop it in it's infancy. Now it has snowballed into something too costly to replace and too borked to simply repair.
I imagine someone told some user that ff was a security risk, rather than go into the technical details of why the site falls to crap on browser it was never tested for. Eventually, through what I like to call "the wiki effect" that same information got passed back as fact to the current web coders who promptly put up a notice to inform their end users.
Even still, fail.
HTML compliance (Score:3, Interesting)
Context (Score:3, Insightful)
Given that their site is down at the moment, rendering their explanation unavailable, I'd like to point out that there is a rational argument to be made for the notion that using preinstalled and patched IE installs instead of a third party browser can increase security. I disagree with it (based on a number of factors expressed elsewhere in this thread), but it's a good argument:
You increase the number of potential security holes on a workstation by increasing the number of installed applications. Your sysadmin is responsible for both maintaining and securing IE and Firefox, and is unable to uninstall the former. This, thank God, goes away in Windows 7. In the meantime, however, you can still disable and cripple IE in a way that limits its exposure - It's just more work than most Windows-heavy, Microsoft-ceritified admins are willing to do as doing so often strips them of their preferred choice, and the tools that they've been heavily trained in locking down and adapting to their local networks. If understaffed and underfunded, forcing IE usage may actually be the right call for some agencies and offices.
Still no excuse for any IE6 or earlier builds being used in the wild.
Re: (Score:3, Funny)
I'm despairing, all right.
Re: (Score:3, Funny)
Quite possibly. The state's IT infrastructure seems to come from that general time frame.
Re:firefox and mac (Score:4, Insightful)
The correct comparison would be this.
Gun #1: Kills each and every gunman when they don't expect it. You are not even pressing the trigger. But you sure as hell do know they kill the gunman.
Gun #2: You know that a gunman can be killed once in a while, but when it happens somebody will deliver you with upgraded guns preventing it from happening again in a small amount of time.
TY, I'll keep FF
Re:firefox and mac (Score:5, Insightful)
Ok, so explain why apache is less exploited than IIS. It is used far more.
Your little idea is cute and has been proposed by many before, and just like then it is wrong.
Also you should investigate your keyboard it seems to be broken.
Re:firefox and mac (Score:5, Interesting)
The site does not say "firefox may not be secure" they're saying "firefox poses a security risk". One of them is a statement of fact that they do nothing to back up, the other one is an opinion which may or may not be valid, but is theirs to hold.
I wonder if what they meant was "our site looks like crap in firefox so please don't use it". Or maybe by "poses a security risk" they mean "the secret fields we spent hours figuring out how to hide behind other stuff refuses to stay hidden in firefox, so using it is a risk to OUR security".
Re:firefox and mac (Score:4, Interesting)
One of them is a statement of fact that they do nothing to back up, the other one is an opinion...
...stated as fact.
Re: (Score:3, Informative)
about:config
network.automatic-ntlm-auth.trusted-uris
Yup, firefox supports NTLM authentication, and has for a long time, and it works for me.
Re: (Score:3, Insightful)
Build your own firefox installer with whatever changes you need and then make an msi and distribute that.
This is so easy even a windows admin can do it.