BBC BLOGS - dot.Rory

IE6: Why the MOD is safer than you

Rory Cellan-Jones|15:34 UK time, Wednesday, 20 January 2010

What should you do if you're still using Internet Explorer 6, a version of Microsoft's browser that is vulnerable to attack from hackers, as shown by the assault reported by Google in China last week? Well, fans of Firefox or other rivals would say it's obvious - switch to them because all versions of IE share the same vulnerability.

Microsoft says that's daft, claiming there's no evidence that rival browsers are any safer. But it's not advocating a do-nothing policy, instead recommending strongly that everyone should upgrade to the latest version of their browser, Internet Explorer 8. A spokesman pointed out there was nothing new about this message: "We have been saying people should upgrade from IE6 for a year or more..."

So what is the government advice? The Cabinet Office, the department which occupies itself with digital matters, seems keen not to follow the German and French governments in warning consumers to avoid Internet Explorer, but it is pointing people at this message on the Get Safe Online site:

"All web browsers are at ongoing risk to vulnerabilities and as such Get Safe Online's recommended advice to consumers and small business is always to use the most up-to-date version."

The site also says: "... there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure."

So the strong message seems to be - upgrade to Internet Explorer 8. Advice that government departments will presumably take very seriously, particularly those where security is a vital issue? Err, no.

I rang the Ministry of Defence yesterday to find out what version of the browser they are using. After I provided some patient explanation on how to find out - "click on Help on the toolbar, then go to About Internet Explorer" - the civil servant in the press office confirmed that he was running IE6, and so it seems are hundreds, probably thousands of PCs right across our armed forces.

So presumably the MOD is now finally planning to upgrade? No - they have consulted something called the Communications Electronics Security Group, part of GCHQ, and have been told, according to the press officer, that "there is no issue with IE6 for central government." Right - so while all ordinary users should upgrade their browser, no need for government departments to worry?

Seems bizarre - but just as I was completing this post a call came in from the Cabinet Office, where they were concerned that I was missing the point. Which was that government computer systems just aren't facing the same kind of threat as the rest of us - here's the quote:

"A government user working on government systems will benefit from additional security systems unlikely to be available to the average home computer user. These include tools that actively monitor for any malicious attack."

This appears to mean that the MOD is not only at less risk from the hackers than Joe Public, but also more secure than Google and the other corporations targeted by the attack in China.

So as far as home users with Internet Explorer 6 are concerned, the UK government's advice is, to put it mildly, pretty confusing.

Comments

  • Comment number 1.

    Any IT managers or other decision makers who insist on inflicting IE6 on their companies and staff should hang their heads in shame. This includes the NHS, The UK Government and at least one large high street retailer specialising in being up-to-date with the latest hot technologies. Hmmm, yeah.

    There's absolutely no excuse whatsoever, IE6 is two versions old and over 3 years out of date. Upgrading to IE8 is completely free and easy. I expect that they will cite some operational complexities as an excuse not to get with the times, but I suspect this is thinly-veiled laziness so they can continue playing Solitaire and eating doughnuts in peace. Having other security in place is a stupid non-excuse... just perform the upgrades and have done with it.

    Would these people drive a car with dodgy brakes and no airbags, just because they've done Pass Plus so consider themselves "good" drivers??

    Personally I don't think Microsoft should still release security or other updates for IE6 - my reasoning being that they've already released the only update they should have to - a newer version. TWICE!!!

    Aside from being a thorn in the side of web developers, IE6 just has absolutely no place whatsoever in the society of 2010. Or 2009, 2008 or 2007 for that matter, as IE7 was released in October '06.


    *exhales* rant over!

  • Comment number 2.

    "So as far as home users with Internet Explorer 6 are concerned, the UK government's advice is, to put it mildly, pretty confusing."
    I only see one message from the people you've got in touch with, to upgrade to the latest versions of browsers.
    Whilst I don't necessarily agree that a temporary switch away from IE8 is prudent following the publicity and awareness of this individual fault, there will also be flaws found in Firefox, Opera and other browsers that mean a long term switch is not necessarily of benefit.
    The MOD's systems will - hopefully - be more secure, being locked down for their users in a way that many commercial companies and individual users are not... please note that getting one press officer to check his/her browser version is not any indication of an MOD-wide policy.
    The update of these machines, depending on systems and processes that are internally used at the MOD, may require the update of intranet sites, security software and the machines themselves, making the update not as straightforward (or cheap) as for individual users.

  • Comment number 3.

    Unbelievable... our Government is so inept when it comes to technology. You read countless stories of civil servants leaving laptops and memory sticks on trains and now this. If we are to believe the stories, Britain is regularly under cyber attack from China. If this is the case, why are government departments still using a web browser which is vulnerable to attack?

  • Comment number 4.

    Why switch to Firefox, which is just as bad (if not worse) than Internet Explorer?

    Safari, or better still Opera, is where the security is...

  • Comment number 5.

    It may be relevant that ie6 is the last version available on Windows 2000, which is still in use. There's no option to upgrade to ie8 available.

  • Comment number 6.

    Safari. Very secure, and gets 100/100 on the Acid3 test.

    IE on the other hand, fails miserably. And it's insecure.

  • Comment number 7.

    5. At 4:52pm on 20 Jan 2010, B Nelson wrote:
    It may be relevant that ie6 is the last version available on Windows 2000, which is still in use. There's no option to upgrade to ie8 available.

    -----------

    Fair point. But what these organisations running Win2k should be asking themselves is: "Is it wise still to be using a 10-year old operating system?"

    Upgrading to XP from 2k shouldn't be a problem as far as hardware is concerned, and really should have been done years ago rather than ignoring it and hoping the problem will go away. If there's absolutely no way they can upgrade from Win2000 then maybe they should look at FF, Chrome or Opera as a temporary solution? [Not sure if these will install on W2k without checking... so you may have to ignore me on that one....]


    ---------------

    6. At 4:57pm on 20 Jan 2010, JimmyJammy wrote:
    Safari. Very secure, and gets 100/100 on the Acid3 test.

    IE on the other hand, fails miserably. And it's insecure.


    ---------------

    Safari's OK but the webkit rendering engine which powers that and Chrome does some strange things and isn't perfect (not that I'm saying IE8 is perfect, either.) IE8 can hardly be labelled "insecure".... be fair.

  • Comment number 8.

    Dear dotDotRory, this is a really bad piece of journalism.

    I appreciate being reminded that Government recommendations can be confusing and hypocritical, but there is a disturbing lack of inquiry and explanation in this post.

    You do not actually explain what vulnerabilities IE6 has. You do not explain what the consequences of these vulnerabilities are, and what ramifications they have for organizations like the MoD or the US DoD, two orgs for whom security should be a top priority for their own operations and for our safety. Nor do you provide any insight into why it would be difficult for the MoD to offer clearer recommendations to citizenry regarding digital security. Nor do you offer anyone else's recommendations regarding the issues inherent in browser security, or security in general.

    Security is obviously a complex and difficult subject, but it is not an optional part of our digital lives, just the same way that safe sex is not an optional part of how we conduct our relationships. Both are predicated on the design of the technology we use, and how we conduct ourselves as we go about our daily lives. There are reasons why it is difficult for IT departments to secure their networks, even in intelligent organizations who care about their security (like Google).

    People need to be better informed about these subjects (And if that includes you, you've got a responsibility to your readership to become better acquainted with the issues). It is important to all our lives whether we know it or not. Journalism plays a vital part in providing that information. And fundamentally, the question inherent in this piece, and in the MoD recommendations is "how can individuals keep their computers secure?". This piece does not contribute adequately to that question or the broader cause. So, while I'm often disappointed by tech journalism, this piece has managed to reach all the way through my cynicism, and plant itself firmly in my dismay.

    Sincerely, and always hoping for/wishing the best,

    -Ted Han

  • Comment number 9.

    I wouldn't recommend any version of Internet Explorer. It is the most insecure, and at the same time the most attacked, web browser of them all.

    Firefox is many times more secure so what MarkG wrote in comment 4 is the biggest load of fanboy rubbish I have read since reading the MOD saying its IE6 setup is safe!!

    I advise that everybody gets off IE immediately and let that program die a quick death for the benefit of the industry and the public.

  • Comment number 10.

    It's pretty easy for post commentators to abuse the MOD and companies for not upgrading to the latest browser version.
    However, it's not as easy as a simple upgrade.
    Most big organisations run tens, if not hundreds of applications in their browser.
    A large number of these apps had to be modified to cope with the non-compliant behavior of IE6. Now that IE8 is almost web-standards based then a lot of these applications will not work correctly.
    Or may not work correctly. It's not clear what will work correctly and what will not since the behavior is not predictable.
    So these apps have to be fully regression tested in IE8 before it's rolled out.
    This can be a massive operation. Even a simple app can take weeks to regression test. To test hundreds of web apps can take months or years, at a huge cost.
    Sometimes it's easier to stick with IE6 and rely on firewall and proxy malware scanning to protect users.
    If IE6 had been W3C compliant and had adhered to all standards then the upgrade path would be much easier...

  • Comment number 11.

    I think IE has got a disproportional amount of bad press because of the market share it holds. Hackers target IE because a few years ago it had 95% of the market so it wasn't worth the effort hacking another browser.

    Enter Firefox, Safari, Chrome, Opera (yes some of them have been there for years but with such a small market share who would bother) and now Firefox has 25% of the market. How long until hackers start taking pot shots at Firefox?

  • Comment number 12.

    Rory, when you called the MOD did you ask what OS they were running? The chances are they were running 2000 or NT which would explain why they were running IE6. Not everyone is up to date for the sake of it, a lot of jobs won't involve a browser, for a lot of business requirements, Windows 2000 and IE6 actually do the job.

    ESET, a market leader in antivirus, still sell products for Windows 2000 because there is still an actual significant demand for it.

    I'm not a developer, but I know web developers hate writing for IE, because they effectively have to write their site twice where Microsoft insist on their own standards for the web where everyone else is writing to W3 webstandards.

    Microsoft's commitment over the years regarding implementing and complying with W3C web standards in its IE browser has been weak, erratic, incoherent, inconsequent, unpredictable, unreliable and not trustworthy. It's that bad Google released Chrome Frame for IE to address the problem of not rendering sites correctly.

    IE is not a bad product, but ultimately there is good competition and people should use what they feel safe and happy with.

    One of the few reasons businesses are forced to use Microsoft Browser is because of ActiveX plugins which many Microsoft products that work with a Browser, Remote Web Workplace for example aimed at small business. Other browsers do not support the ActiveX standard.

    I still feel overall though this has been blown out of proportion as does not deserve as much news time as it gets.

  • Comment number 13.

    Pish. So they run a good IDS? Whoop-de-doo. The fact that IE6 can't render anything properly is reason enough to upgrade. Lazy.

  • Comment number 14.

    "A government user working on government systems will benefit from additional security systems unlikely to be available to the average home computer user. These include tools that actively monitor for any malicious attack."

    They've installed a virus scanner and firewall, then? Sorry but I just don't believe they have better security than those major corporations that have been hit by this; much of government IT is outsourced to those sorts of companies.

  • Comment number 15.

    Whilst it can be irritating to people that the MoD is still using IE6 on Windows XP across the whole DII system, they have to bear in mind that the network is protected by multiple layers of security to both stop hackers/malware getting in, but also for unauthorised attempts to leave the system. The vast majority of websites are blocked on the system, so it would be extremely difficult for a user inside the MoD to compromise their system.

    Besides, even if they did manage to breach security, DII would probably fail again before anything bad became of it!

  • Comment number 16.

    Most government IT consists of various stovepipe systems propped up by a variety of different external service providers. A browser or other piece of software will only be replaced when doing so is an absolute operational imperative. Many workstations still run Windows 2000 or NT.

    Think of the amount of complaints over cost if government upgraded overnight to Windows 7 and IE8 across the board, and the further complaints if a security breach resulted from running a bleeding-edge system without service packs or security patches.

  • Comment number 17.

    Any IT administrator for a secure site that does not have detailed plans for moving away from IE6 to a secure standards based browser should be fired for pure incompetence. Everyone knew a very long time ago IE6 was very insecure and they knew they would HAVE to move away. Yes, the web services would have to be updated and preferably made standards based and not lock themselves into this situation.

    There is no excuse now to say we didn't know this would happen or that there wasn't time or the budget. That is what the job is about and that is why there are a lot of secure environments already upgraded.

  • Comment number 18.

    IE6 will be required due to braindead browser-based applications that are coded to exclusively work with it. I've seen that in countless companies.

    It is a serious threat to security, regardless what the MOD offers in the way of platitudes.

    The government should be advising the public and businesses to get off IE6 as fast as possible. Then they should consider taking a leaf from the French's book and dropping closed-source proprietary solutions altogether. A huge part of UK Plc's IT budget goes into the pockets of companies like Microsoft - and they're just too cosy with US intelligence agencies.

    China may not be as high-tech as the NSA but the MOD should take a long, hard look at their security and make sure they can decide who they share information with - even allies.

  • Comment number 19.

    I feel sure that if you had asked the German High Command, during the second world war, about the security of their encrypted communications, they would have issued equally bland and confident assurances of their impregnability. Unfortunately for them, it was at about this time, that a new form of electronic calculating machine was being invented, for the express purpose of smashing its way into such "secured channels". Ever since then, these calculating machines have spread, and proliferated ever since, and their power to smash has burgeoned. Computers will soon be like rats: you'll never be more than ten feet away from one.

    But computer systems are also a bit like lathes, in reverse: if the one tool, you need, in order to make another lathe, is a lathe, then the one tool, you need, in order to destroy a computer system, is another computer system. Assuming that these "impregnable systems" that the MOD employs haven't actually been sold to the Chinese Military - and assuming that their maintenance wasn't outsourced to China as part of some brilliant cost cutting scheme at some point during the last decade - then what we *do* know about China's computing resources, is that China is now host to some of the most powerful computer systems that are currently acknowledged to exist, anywhere on the planet. Many of those are actually employed to meet China's insatiable demand for online computer games like World of Warcraft. But if the yearning for World of Warcraft can command such vast resources, only think, what a yearning for the Craft of War, might lead to!

  • Comment number 20.

    "So as far as home users with Internet Explorer 6 are concerned, the UK government's advice is, to put it mildly, pretty confusing"

    Quite funny when noobs in politics, journalism whatever write a report on something like this. Basically what the MOD is saying is spot on, honestly if you have a kid ask them to explain, they'll understand and be able to help.

  • Comment number 21.

    This does not surprise me, I see it all the time in my travels. Management who are not tech savvy don't understand the dangers, and stick their heads in the sand. It's a particular problem for small businesses, but there should be no excuse for large organizations who can afford to employ IT administrators.

    Unfortunately even IT admins can avoid important upgrades, in fear of unforeseen complications resulting in being very unpopular when things break.

    I don't know if the MOD still use the Mobitex radio & Internet networks, but the police do, as do vehicle breakdown recovery firms. There is no encryption on those systems at all, and yet people's private details, and even whereabouts in the case of a breakdown are sent over the Internet unencrypted.

    The government really should be doing more to educate and advise people on technology.

  • Comment number 22.

    It's too bad that IE6 refuses to die out in the corporate atmosphere:(...

    Though I'm no fan of IE, IE 8 is much better than its predecessors.

    @ MarkG: Please let us all know how Firefox's security is worse than IE? Granted Firefox had a large number of vulnerabilities, but they fixed them pretty quickly.

    @ JimmyJammy: ummm....Acid3 is a (let me quote from the wiki) "Acid3 is a test page from the Web Standards Project that checks how well a web browser follows certain selected elements from web standards, especially relating to the Document Object Model and JavaScript."

    It has nothing to do with the security of the browser. Please get your facts right before posting such stuff.

  • Comment number 23.

    If there are no known exploits for an older application, it is therefore safer to use than a newer release of the software which has known exploits surely that's just common sense.

    It makes perfect sense for a large organisation to move at a slower rate in terms of rolling out upgrades than a typical home user for both training and security reasons, a newer release is rarely more secure than the latest patched version of an older release.

    I would not be surprised if government installs of IE6 are customised as part of a large scale distributed build with features likely to cause security risks disabled such as javascript or flash / pdf plugins.

  • Comment number 24.

    Firefox is not more secure than IE? Just the fact the source code is available adds security - thousands look at it every day, looking for holes, and fixing them. And no C# (Java/Javascript without the security).

    Of course the best bet is to get a decent operating system that has had security, proper security, in-built right from the start - Linux/Unix.

  • Comment number 25.

    I personally use SRWare's Iron browser for home use. It is just Google's Chrome recompiled to avoid having your privacy violated.

  • Comment number 26.

    The very fact that you had to explain how to find out what browser was used by the MOD shows that you clearly were not talking to an IT specialist. I'm willing to bet that the computers with items like "Plans for World Domination" and "Top Secret Nuclear Weapons Technology" are not simply stored as nice easy Word or PDF files ready to be stolen through the internet via the computer of an MOD receptionist. More likely, the really important stuff will be on completely closed systems with no external access whatsoever. Most companies filter all web access, to stop people playing games, updating Facebook etc and to improve security.

  • Comment number 27.

    Welcome to the BBC's computing for idiots section.

    Please show your braincells to enter.

    3? Welcome...

  • Comment number 28.

    OpenSource does not mean secure (that's a myth put out by Linux nutters, and one that Mozilla are happy to let go). For every person reading the source code and FIXING things, there are hundreds reading the same sourcecode trying to find ways of exploiting holes..

    That's why Opera is the most secure browser, it's well designed and closed source.

  • Comment number 29.

    What's the story here? Are you saying that the MOD has vulnerabilities in its IT environment? If so, say so. If you don't know, then find out before going off half-cocked.

    IT Security is my profession - and it's a huge complex area that's seldom black and white. Sometimes it's acceptable to trade security for performance, and with most vulnerabilities (even those defined as critical) there is usually another mitigating control that can be put in place if fixing the vulnerability or upgrading is not an option.

    The real story should perhaps be the software vendors who release software that's known to contain security vulnerabilities, patch half of them slowly over the first year or two, and then drop patch support and insist everyone upgrades (at a cost) to the next version. And so the cycle continues.

    To be honest Rory, IT security in corporations is such a complex issue that unless it's an actual data leakage event, it's best if you steer clear and stick to writing about Apple Macs and futuristic gadgets. A genuine dedicated corporate computing correspondent however would be an asset to the BBC. There are enough stories out there to fill a few pages every day.

  • Comment number 30.

    Firstly IE6 is a nightmare for web developers and often codes are hacked around with conditional statements to make it work. So sooner it goes the better it is. I don't buy into the idea that open source means more secure. Opera is a great closed source software, which is secure, compliant and fast.

    @Richard (9:12pm)
    IE wasn't built with C#. It will be too slow with C#/.NET or Java because of VMs. Remember you can't build software with Javascript. It is more likely to be written in C++. Although IE extension/addon can now be built with C#.

  • Comment number 31.

    I don't think it follows that just because an organisation is still using IE6, that they are at any significant risk. My employer (a large UK defence company I won't name) is still on IE6, but our standard PCs are so locked down that a web-based attack would have to be very smart to get through - ordinary users have very little control over the PC: in addition to up-to-date, real-time AV software, the system drive is largely read-only.

    We users might bemoan the lack of tabs etc, but I can see that testing and rolling out a later browser would be quite a lot of work, and to what advantage (to the company)?

  • Comment number 32.

    This is not a sensible story. You rang up someone who didn't even know how to look up their own browser version, found it was an old one, and then wrote about it. What Microsoft tells the "think they know it all" "tech savvy" public consumer they "should" do, is not what is practical for large scale organizations. As other people have said, many vendors of web applications are notoriously slow at rewriting those applications to support new browsers. It is hard (and expensive) for the government to force vendors to make their web applications compatible for the newer browsers. The vendors drag their heels, so the enterprise (or government) can't go ahead with the browser upgrade in a timescale it might like. So to call up a department and say "haha you're so out of date" is missing the point entirely. When there is a security hole found in a browser, even an old one, the vendor of that browser (i.e. Microsoft) should patch it. Which is what they are doing. Complaining because it's an old product and feeling smug because you yourself have a newer one, is not going to solve anything. The government will go ahead and upgrade, when the benefits of doing so outweigh the costs. Trying to poke fun at them and prove yourselves superior might make funny headlines and get a few more hits onto the BBC website, but it's not quality journalism.

  • Comment number 33.

    It seems a little strange to ask the MOD for advice about domestic browser use, really.

    Their entire system will be highly specialised and have very little relationship to what happens to someone's home computer. So I would expect their advice to have the hesitancy of "why on earth are you asking me?"

  • Comment number 34.

    This is a very disappointing article from a BBC reporter.

    The basic premise of the flaw is that the hacker can craft or alter a known webpage to lure the intended victim into running a script on their machine which exploits the found weakness in an old version of IE, this will then provide access to that machine... This is the basic method most web browser attacks use.

    The recommended approach is to upgrade to IE8 or a current version of web browser to protect you from this exploit, alternatively set your IE security settings to high. By setting your IE security settings to high you will automatically block the running of scripts on your machine. This will protect you from this exploit but will limit the functionality of some trusted websites.

    Merely asking an MOD IT user what version of IE they are running is a really poor example of whether they are vulnerable to this exploit. Most MOD systems and for that matter most government departments that deal with highly sensitive information, restrict this information to secure networks that have limited or no external access, additionally in most desktop builds the running of scripts is disabled by default, therefore mitigating the risk.

    Why these users are still running operating systems and web browsers that are several versions out of date is due to the same issues faced by most businesses, poor application development has tied users to old versions of operating systems or browsers for years and it is a significant expenditure to recode these applications and test them to run on the latest versions of software released. We complain bitterly (several articles on this news site specifically) about the amount of money being spent on government IT projects, do you advocate spending more to update all applications/operating systems/web browsers to their latest released revisions to mitigate a risk from a security weakness that your security settings already protect you from?

    Better research please before reaching for your favourite word processor to craft another poorly thought out article.

  • Comment number 35.

    Have a few points and hope I don't drag on too long for ye

    IE has always been an insecure and honestly unreliable browser. I worked in a tech call centre for over a year and during that time I rarely came across problems with safari, firefox or opera! IE on the other hand was a different story! (for numerous different reasons that I won't get into here) Although the major problem with the exploit that was found in IE6 has been said that this exploit affects all their browsers "While the flaw affects all versions of IE except for 5.01 SP 4, security protections built in to more recent versions of the browser and operating system can significantly mitigate the threat." from theregister

    Also IE8 can and will work (with a few minor tweaks) on Windows 2000. Although as stated above this is not ideal because it is made by Microsoft. This is the same company that has had a glaring problem with its O/S for the last 17 years (stick it into your search engine and it will pop up)

    Next if you really have to use IE6 which a lot of companies still do as some apps are not compatible with other browsers you can get an add-on for firefox that allows you to use it but fool the app into thinking it's a IE (all different versions are there). It's called Default User Agent!

    Hope this wasn't too boring
    Loved the discussion though and had to write in!

  • Comment number 36.

    Personally, I firmly believe that as Microsoft's huge dominance of the home/desktop browser and OS market continues to diminish, the 'internet' becomes safer. Mainly because malware writers will have a harder job targeting their attacks. As the permutations of what browser/OS you might be running increase, so you become a smaller target. Also, if you run something other than IE on Windows then you are more secure! And before the astroturfers/MS fanbois jump on that, first answer me why virtually all malware is targeted at Windows when there are a huge amount of Linux boxes on the internet in the form of servers. Surely if you could pwn a server, you'd have access to a far more powerful machine for your botnet and/or potentially more account/password details than you could shake a stick at. So the argument that Linux doesn't get attacked because it's not worth it is rot, in my opinion.

    So in the absence of any clear guidance from our woefully ignorant government, if anyone asks me I will base my advice on my points above. That being, you are doing yourself and others a favour if you ditch IE and preferably Windows too.

  • Comment number 37.

    People who live in areas most at risk of burglary need the best locks and alarms. Equally, companies and organisations most at risk of being hacked need the best security. That's why the MOD should have better firewalls and net security than most companies, because they are more likely to be attacked. However, you don't fit the best alarm system, then leave a window open and that appears to be what the MOD are doing. Using the most up to date and secure browsers won't make their system secure and won't stop the hacking attempts but it should be part of any cohesive and comprehensive security strategy.

    But we've seen how incompetent Government bodies are at protecting data so let's not be surprised that they are also failing to operate an effective computer security strategy.

  • Comment number 38.

    The advice to move to the latest version of IE is fine if you are running a recent version of Windows. Many home users and businesses are happily running Windows 98 and Windows 2000, particularly those put off by the bad press Vista received. Windows 7 fixes that, but there is inertia in the system and people will take time to upgrade (quite probably requiring a new PC). Having worked in a large financial corp, I know they go to the nth degree in planning upgrades and it can be 18 months before a new version of Windows is rolled out.

  • Comment number 39.

    I found this article interesting as it extols the benefits of using Microsoft's IE browser; what it does not address is the underlying issue, that of the operating system it runs on. Forget about changing to another version of IE, change the operating system. Windows by its design is incredibly difficult to secure.

    We need within the public sector not a decision to update to a new version of IE but a different operating system, one based on being secure, reliable, and to have ownership of the systems they use. As long as a single corporation is allowed to keep selling us systems we have no ownership of, that by design are difficult to secure, we will continue having this debate.

  • Comment number 40.

    The author (Rory Cellan-Jones) of the original article needs to take his blinkers off, and look at a much bigger reality. The only comment worth any note is:
    "10. At 5:31pm on 20 Jan 2010, liassic wrote:
    It's pretty easy for post commentators to abuse the MOD and companies for not upgrading to the latest browser version..."

    I have worked on several MoD and BAE sites around the country, and running IE at home with wimpy routers and weak firewalls is NOT the same kettle of fish as running legacy applications on IE6 in a category X secure environment.

    I'd also add that many more technically minded and financially astute (and more highly paid) people have tried to take this problem on, Mr Rory Cellan-Jones, and 5 years down the line after I did my first technical feasibility study of the IE issue at BAE, my report is still gathering dust.

    With the MoD or BAE sites, the challenge is not to attack IE, but to get beyond the demilitarized zone. As liassic pointed out - the cost of updating is far greater than the risk - with huge conglomerates, with many thousands of instances of IE deployed, the cost is only considered when the risk is far greater than the cost. When you consider that MoD, or even BAE, have been running hundreds of apps for many years with very few reported attempts at malicious intrusion, on IE6, I think you'll agree that the risk is negligible, compared to the cost - yes upgrading to IE8 is 'free' - but in such massive environments, we're talking about thousands of man hours to manage the deployment, as well as the thousands of man hours needed to ensure that legacy apps will even perform on the new browser - and potentially, thousands of new machines would need to be deployed to support IE8, as well as the associated man hours therein.

    Who picks up the tab? We do, the tax payers. So Rory, rethink your 0 out of 10 article. I don't want to pay for something that does not warrant fixing either.


  • Comment number 41.

    Yeah, everyone get off of IE, it's rubbish and insecure. FireFox is much more secure…

    https://www.hackinthebox.org/index.php?name=News&file=article&sid=27114

    *rolls eyes*

    IE is just more targeted than other browsers because of its market share. The same way that there are a million people hacking Windows to every person hacking the Mac. All browsers (and all software in general) have bugs and security flaws…no modern browser is inherently "more secure" than any other. Anyone who regurgitates the nonsense they've read on the internet like "IE is insecure" should really just keep the opinions they’ve been given to themselves.

    "I worked in a tech call centre for over a year and during that time I rarely came across problem with safari, firefox or opera! IE on the other hand was a different story"

    I used to work as a vet and the number of people that had problems with their dog was unreal. Dogs are just rubbish animals. I had hardly anyone have issues with their lions. Lions are much better pets than dogs.

    Pretty silly when you think about it, eh padraig?

    As for browsers being open-source, that is a double-edged sword. Yes there are more people looking at issues and fixing them, however when malicious people have access to the actual code it lets them discover potential flaws with much greater ease.

    As for the focus of the article itself, the issue isn't that the government network is more secure or they have different security requirements from you or I…the issue is that they have to access internal websites that you or I don't. Updating to a later browser is fine when you are accessing public sites that are also moving with the times, but when the site you are accessing has not been updated then updating your browser could easily stop that site from being fully functional. Not only in terms of how the pages are displayed, but advances in browser security can cause some functionality to stop working too. The general public would probably be amazed to learn how many large companies still use IE6 internally as the cost and effort of upgrading can't really be justified.

  • Comment number 42.

    Our military is running IE6 and we are supposed to feel safe!
    Our government are still using IE6 and we are supposed to rely on them making technological decisions??

    It just baffles me why?
    IE is just not up to scratch for security or standards.

    I would recommend using Firefox to anybody. Combine it with an add-on called IE Tab and you can run Programs / Applications / Websites that need IE as a prerequisite.

    Add-ons such as AdBlock Plus and NoScript make FF the safest browser on the market. The problem is the average UK users don't know much about security / browsers or add-ons. They think that having an anti virus program is the only thing they need.

  • Comment number 43.

    @eb2,

    C# does not run in a VM. It is compiled by the JIT compiler into native machine code at runtime (which means that it runs slower on the first run only). I have seen tests that have shown C# game code running at pretty much the same efficiency as C++, as the slight inefficiencies in the compiling are negated by the better memory management. Most games companies use C# to build their development tools as it is much quicker to develop such tools in .NET than C++, but the games are still written in C++, partly due to the fact that C# is still not fully cross platform and partly to do with the fact that there are a ton of games developers out there that have always programmed in C++.

    I would also like to point out that there are many games written in C# and they appear on the Xbox 360 in the indie games section. A browser could easily be written in C# and be fast (in fact I have heard that large chunks of MS Office have been written in C# and Nero DVD burner software is also written in C#).

    It is also not entirely true to say that you can't build software in JavaScript. JavaScript can be compiled into an .exe file and run natively in Windows. (Not sure if it can do GUIs though.)

  • Comment number 44.

    Rory, if you don't mind me asking, what is the corporate browser and its version at the BBC?

    As for why the MOD are still on IE6 - well, as many have said, it's probably down to old apps that won't run on anything more modern. Also, when you consider the size of the MOD and the wide range of applications they will have to run on their desktop, have you stopped to think how long it would take to build a new desktop built on say Vista or Windows 7 and install up to date versions of all their applications and then carry out full regression testing? Then once you've finished you've got to roll that desktop out to a very large number of PCs, and you can bet that a lot of the existing hardware out there, if it's contemporary to the W2K release, is probably not fully compatible, or is on its last legs.

    So that's another question for you - when was the last major upgrade of the BBC corporate desktop and how long did it take to implement and roll out?

  • Comment number 45.

    @ Aidy, Post #41.

    I'd just like to pick up on your point about open source vs. proprietary security. Let's see who has visibility of the code.

    Proprietary: Good guys - A few of the company's employees. Bad guys - Obtain the code via nefarious means in order to find vulnerabilities.

    Open Source: Good guys - The developers and anyone with an interest. Bad guys - Obtain the code via legitimate means in order to find exploits.

    So, on the one hand we have the Good Guys vastly outnumbered by the bad guys. With open source, there is a much greater pool of Good Guys reporting and fixing holes. This is why there are a lot more reported Firefox issues! The only issues that get reported by Microsoft are those they manage to find AND see fit to release information about.

  • Comment number 46.

    Comment #29

    Ouch.

  • Comment number 47.

    @linuxrich #45

    To be a little more accurate;

    Proprietary: Good guys - A few of the company's highly trained and skilled employees with a lot of knowledge of the application domain writing code in a coherent and structured manner with the back-up of testing departments, access to all possible environments for backwards compatibility testing etc. Bad guys - can't obtain the code but will simply disassemble the binaries as hackers have been doing since year zero.

    Open Source: Good guys - a bunch of bedroom coders. Bad guys - a bunch of bedroom coders.

    Like all things there are pros and cons to both development models without one really being "better" than the other. However when it comes to FireFox fanboys this is just one of the many points lost on them. It's good to see you at least admit that FireFox has a lot more bugs :)

  • Comment number 48.

    Any software from Microsoft has major security issues, that's why I dual boot with Linux and use a Linux box as a firewall with very strict policies.

    Yes, Firefox and Chrome both have issues, but on a computer set up with security in mind and a user who is also aware of security risks the risks are vastly reduced. I've not had a virus in 4 years and don't intend on getting one again. Dump IE and use Firefox and Chrome; both have the plus points, and the fact they are open source means bugs get fixed, and fast.

    And one last thing: Communications Electronics Security Group don't know Crap about security or privacy and if they say IE6 is secure then they are VERY wrong!

    If you want security on your PC for browsing/net use, get Linux dual installed and browse the web on Linux. Windows is for games and games alone!

  • Comment number 49.

    "Fair point. But what these organisations running Win2k should be asking themselves is: "Is it wise still to be using a 10-year old operating system?""

    How about a major bank running on Win NT, using the likes of Office '97? Love it!

  • Comment number 50.

    @48 jamie Warner

    As I already pointed out, the latest edition of FF was shipped with security flaws. It took hackers mere hours to compromise it. You obviously consider yourself to be computer-savvy but your "head in the sand" attitude and your naivety regarding operating systems and software is one of the main issues surrounding security on the internet.

    BTW linux is also insecure and every piece of open-source software has major security flaws. Switch to the ZX Spectrum; I have and haven't had a virus in years.

  • Comment number 51.

    No offence here to Rory but you do seem to be missing the point of what "the call from the cabinet office" said. Your average user has mild or little understanding of what really happens on a computer when it's on the internet. But there are tools (if you know what to look for) that would make even IE6 safe to use. Chances are the MoD's IT dept. or whoever looks after their computers don't run the same IE6 as average Joe anyway.
    As I understood it, Google's compromise was from the average user's own IE6 being compromised (not something they have experienced before and possibly had no experience in?).

  • Comment number 52.

    @ Aidy, #47

    Um, have you seen reports of some of the MAJOR organisations that contribute to FOSS these days? They must have bedrooms instead of offices for their coders at IBM, Intel and even Microsoft these days. Red Hat seemed to be doing pretty well out of their parent's basement, last I heard.

  • Comment number 53.

    "So as far as home users with Internet Explorer 6 are concerned, the UK government's advice is, to put it mildly, pretty confusing."

    Er... no. It's pretty straightforward, upgrade to the latest version of your browser.

  • Comment number 54.

    The MOD did pay a sizeable sum of money to get Microsoft to produce a special version of Windows evaluated to ITSEC level 4, that addressed its vulnerabilities; I can therefore understand the reluctance to upgrade to the latest commercial version of operating system.

    It would seem that the issue is to produce software that is not vulnerable to cyber attacks, but it seems that this is impossible, and better software just reduces the risk without eliminating it, hence why people suggest alternative, more secure, products such as Safari/Opera.

  • Comment number 55.

    It really doesn't matter which browser they are using if they are going to leave sensitive data on laptops in the back of someone's car.

  • Comment number 56.

    I do read these Blogs and the comments and wonder at times. I think (personally speaking) being a BLOG it may be part of the BBC News, and that is funded by us the Licence Payers, but it is a Blog at the end of the day. Rory is free to put his views and findings into it (within editorial reason) and therefore is less of a 'News Article' than if this were to be in the main news section of the site.

    So I think the point of the post was a bit of a light hearted take on all this Browser fuss. What with the Germans and French saying avoid IE - Rory likely thought, I'll call up the Government here and see what they have to say, got that and thought ahh the MoD, do they use IE6? After talking to a civil servant just at a desk then finds that they use IE6! Gosh a surprise ... really?

    And then blogged about it. But then everyone wades in with views, because he is employed by the BBC and this should be better researched, and then the Linux/Windows/Apple OS war brigade turn up to add views at the OS level before everyone is saying Chrome is better..No Firefox..No Opera..etc etc.

    End of the day, whatever you use, whatever system you use there is a risk. And you know since having my first computer with an internet connection in 1995, I have had one problem through a virus/malware etc hit me. It was as it turned out a result of my stupidity in downloading an infected email attachment, and nothing to do with what browser I used.

    Therefore, personally I shall do as I have for all these years. Worry less and live life.

  • Comment number 57.

    @ London Rascal #56.

    You're too hard on yourself. Your browser/email client/operating system shouldn't have executed the malicious code in that attachment. Certainly not to the extent that it could hose your system. I agree we all need to be aware of what we download, there was an episode recently with malware found in a Linux screensaver. (This was picked up on and eliminated VERY quickly, BTW.) Your system (I think we can assume what it was.) was just too ready to run whatever wanted to run without much consideration for security.

    Here's a link to an article about the screensaver episode. https://www.ubuntu-user.com/Online/News/Malicious-Screensaver-Malware-on-Gnome-Look.org As mentioned in the article's conclusion. Don't download and install something you don't trust. To me, in Linux terms, this means stick to the official repositories. A concept Microsoft don't have...

  • Comment number 58.

    I should just clarify that installing malware (As it exists at the moment.) in Linux requires the user to perform some very deliberate steps as the 'root' user, not at all as 'easy' as downloading a file and viewing it through a web or PDF viewer etc. Therefore the danger in Linux is more of a social engineering one rather than system vulnerability.

  • Comment number 59.

    At MoD I had two computers - one for UNCLASSIFIED and CONFIDENTIAL which had internet access and a second one for RESTRICTED, SECRET and above which was only connected to the classified network.

  • Comment number 60.

    What I don't get is why they weren't using their own web browser (Google Chrome). Is it seriously flawed as well?

  • Comment number 61.

    Why has it been stated as a fact that all versions of Internet Explorer contain the same vulnerability in regard to the Google vulnerability? This is totally untrue. Not only do IE6 and IE7 differ massively in their code base, IE8 differs so much from IE6 and 7 that there is practically no resemblance between the versions in the actual codebase.
    Not only is this bad journalism to state an unsubstantiated "fact", it's a viral lie started by the German government.

  • Comment number 62.

    @linuxrich #58

    Everything you posted is identical to how it works on Windows. Windows may *seem* less secure to you, but only because it is less likely that the kind of person who falls for social engineering tricks is the type who is running a non-Windows OS.

    Even when vulnerabilities *are* exploited, it still usually involves some form of social engineering to leverage it. However you'll never hear of this as people don't want to admit they only got a virus after following a link in a spam e-mail that told them they could see [insert celeb] nude, or get cheap Viagra by following the link.

    Your savvy internet user with up-to-date protection really is quite safe from these issues.

    The focus of hackers has already massively shifted in recent times as systems become more secure and they have to change their game. In 10 years from now when Windows/IE/whatever is 100% water-tight people will still be falling for social engineering attacks and people will still be spouting on the internet "Use FireFox...I do and I haven't had a virus for years. IE is insecure."

  • Comment number 63.

    Oh come on! It's widely known and well documented that Windows and Linux architecture is vastly different and Linux is inherently more secure. I don't need to rely on what I believe to KNOW this.

    Also, no system will EVER be 100% secure. You can, however, endeavour to have less critical and different vulnerabilities than everyone else.

    Please do me the courtesy of making responses that make some sort of sense.

  • Comment number 64.

    IE is only insecure because it runs on an insecure platform. I really needn't comment any further.

  • Comment number 65.

    Regardless of who is a fanboy for what, IE is now patched.

  • Comment number 66.

    Here's some simple advice: Upgrade to IE8. Even though I dislike IE this is surely the better of two evils?

  • Comment number 67.

    @bizzehdee #61

    If it only applies to IE6 and is just a viral lie started by the German government then why does the official patch from Microsoft ( MS10-002 ) state:

    "This security update is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8 (except Internet Explorer 6 for supported editions of Windows Server 2003). For Internet Explorer 6 for supported editions of Windows Server 2003 as listed, this update is rated Moderate"

  • Comment number 68.

    Firefox 3.6 installs and runs perfectly well in Win2k.

  • Comment number 69.

    Even though MS have been shamed into patching early (by their own admission!), if you run Windows AND Internet Explorer then, despite what other precautions you take (including corporate networks!), your security policy has a hole in it. That hole being you are running the combination of software that crackers will target first due to its ease of penetration and its 'surface area' in terms of numbers of users. Make yourself a smaller, harder target! Simples!

  • Comment number 70.

    Sorry Rory Cellan-Jones, but once again you are completely wrong.

    Firefox, Opera, Safari and Chrome ARE more secure than IE8. Whatever Microsoft (MS) have been spoon-feeding you is a lie from their marketing department.
    There is no way in hell MS would admit to shipping an inferior web browser so really the people you need to be listening to are impartial security experts rather than those whose job it is to sell the browser you're supposed to be writing a critical review about.

    Next of all, the UK government aren't any more secure.
    1/ virus scanners need to know the nature of an attack before it can capture it. This usually means that until malware has been seen in the "wild" (ie until it's infected someone's computer and been reported), it's impossible to know what to look out for.
    2/ working in the government myself - the desktop tools they have are no more sophisticated than your average home PC's software. Sure, government servers have greater protection, but you only need one weak link to bring down a whole network (and that weak link is almost always a user's desktop PC).


    So the advice should be:
    1/ Install all the latest OS security patches
    2/ Update your virus definitions (and if you don't have a virus scanner installed, download Avast as it's free for home users and outperforms many high street packages like Norton)
    3/ Upgrade Internet Explorer to v8 (regardless of if you use it or not as many third party applications use IE's rendering engine to display HTML / Internet-based content)
    4/ Install another browser (I recommend Firefox and Opera) and use that as your primary browser until MS get their arses in gear and release a web browser that isn't at least 5 years behind the competition.
    4/ Have a glass of whisky if you're running OS X, Linux, Haiku - or any number of the other OSs out there which are not Windows - as you're safe from this particular attack.

  • Comment number 71.

    @Aidy

    You said:
    --------
    Everything you posted is identical to how it works on Windows. Windows may *seem* less secure to you, but only because it is less likely that the kind of person who falls for social engineering tricks is the type who is running a non-Windows OS.

    Reply:
    -----
    Actually Windows /IS/ less secure by default. Sure, you can tighten the security on Windows, however it's the defaults that most people use.
    So you can argue until you're blue in the face but the simple fact is the defaults Windows ships with are insecure.



    You said:
    --------
    Even when vulnerabilities *are* exploited, it still usually involves some form of social engineering to leverage it. However you'll never hear of this as people don't want to admit they only got a virus after following a link in a spam e-mail that told them they could see [insert celeb] nude, or get cheap Viagra by following the link.

    Reply:
    -----
    A good number of attacks don't need social engineering:
    * There's DNS spoofing which redirects users from a safe website to a harmful one.
    * There's fake <img> tags in HTML e-mails that have URLs with query string data attached (eg www.yourbank.com/?action=withdraw_your_money&destination=my_account )
    * There's JPEGs with executable code (yes you did hear that correctly. Pictures can have executable code!)


    You said:
    --------
    Your savvy internet user with up-to-date protection really is quite safe from these issues.

    Reply:
    -----
    Up to date protection is a must. But the only way to guarantee safety is to not go online in the first place.


    You said:
    --------
    The focus of hackers has already massively shifted in recent times as systems become more secure and they have to change their game. In 10 years from now when Windows/IE/whatever is 100% water-tight people will still be falling for social engineering attacks and people will still be spouting on the internet "Use FireFox...I do and I haven't had a virus for years. IE is insecure."

    Reply:
    -----
    That's an absurd comment to make as there's no such thing as 100% security.

    Also, you're still missing the point of social engineering. It is possible to make a system safe from social engineering by making it hard for users to make idiotic mistakes. Until recently, Windows didn't bother with this.

  • Comment number 72.

    @Aidy

    You said:
    --------
    Everything you posted is identical to how it works on Windows. Windows may *seem* less secure to you, but only because it is less likely that the kind of person who falls for social engineering tricks is the type who is running a non-Windows OS.

    Reply:
    -----
    Actually Windows /IS/ less secure by default. Sure, you can tighten the security on Windows, however it's the defaults that most people use.
    So you can argue until you're blue in the face but the simple fact is the defaults Windows ships with are insecure.



    You said:
    --------
    Even when vulnerabilities *are* exploited, it still usually involves some form of social engineering to leverage it. However you'll never hear of this as people don't want to admit they only got a virus after following a link in a spam e-mail that told them they could see [insert celeb] nude, or get cheap Viagra by following the link.

    Reply:
    -----
    A good number of attacks don't need social engineering:
    * There's DNS spoofing which redirects users from a safe website to a harmful one.
    * There's fake image tags in HTML e-mails that have URLs with query string data attached (eg www.yourbank.com/?action=withdraw_your_money&destination=my_account )
    * There's JPEGs with executable code (yes you did hear that correctly. Pictures can have executable code!)

    So the sad reality is - it's actually very easy to attack a computer without any social engineering.


    You said:
    --------
    Your savvy internet user with up-to-date protection really is quite safe from these issues.

    Reply:
    -----
    Up to date protection is a must. But the only way to guarantee safety is to not go online in the first place.


    You said:
    --------
    The focus of hackers has already massively shifted in recent times as systems become more secure and they have to change their game. In 10 years from now when Windows/IE/whatever is 100% water-tight people will still be falling for social engineering attacks and people will still be spouting on the internet "Use FireFox...I do and I haven't had a virus for years. IE is insecure."

    Reply:
    -----
    That's an absurd comment to make as there's no such thing as 100% security.

    Also, you're still missing the point of social engineering. It is possible to make a system safe from social engineering by making it hard for users to make idiotic mistakes. Until recently, Windows didn't bother with this.
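
The second bullet in the reply above (an image tag in an HTML e-mail whose URL carries an action in its query string) is something a mail filter can look for. The following Python sketch is an added example, not part of the comment thread: the parameter-name list, the function names and the sample message are assumptions constructed for illustration, and the check is a heuristic.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl
import posixpath

# File extensions treated as genuine image resources.
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".webp", ".ico"}

# Assumed, illustrative list of parameter names that suggest a request
# performs an action rather than fetching a picture.
ACTION_PARAM_NAMES = {"action", "cmd", "do", "op", "transfer",
                      "destination", "amount", "delete"}

# Constructed sample message body. The third <img> uses the URL shape quoted
# in the comment; the hosts under example.com are placeholders.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Your statement is ready.</p>
<img src="https://static.example.com/logo.png" alt="logo">
<img src="cid:banner@example.com" alt="inline attachment">
<img src="http://www.yourbank.com/?action=withdraw_your_money&amp;destination=my_account" width="1" height="1">
<img src="https://cdn.example.com/photo.jpg?w=640" alt="photo"/>
</body></html>
"""


class ImgSrcCollector(HTMLParser):
    """Collects the src attribute of every <img> element in a document."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lower-cased; attribute values arrive
        # with entities such as &amp; already decoded. Self-closing <img/>
        # elements are routed here by the base class as well.
        if tag != "img":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value.strip())


def classify_img_src(src):
    """Return the reasons an image URL looks like a disguised request."""
    parts = urlsplit(src)
    if parts.scheme not in ("http", "https"):
        # cid:, data: and relative references are out of scope for this check.
        return []
    reasons = []
    extension = posixpath.splitext(parts.path)[1].lower()
    params = parse_qsl(parts.query, keep_blank_values=True)
    if params and extension not in IMAGE_EXTENSIONS:
        reasons.append("query string on a non-image path")
    hits = sorted({key.lower() for key, _ in params} & ACTION_PARAM_NAMES)
    if hits:
        reasons.append("action-like parameters: " + ", ".join(hits))
    return reasons


def scan_email_html(html):
    """Return (src, reasons) for every suspicious <img> in an HTML body."""
    collector = ImgSrcCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.sources:
        reasons = classify_img_src(src)
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in scan_email_html(SAMPLE_EMAIL_HTML):
        print(src)
        for reason in reasons:
            print("  -", reason)
```

Filtering mail only reduces exposure. The durable fix sits with the site: state-changing operations should not be reachable by a GET request and should require a per-session anti-forgery token.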

  • Comment number 73.

    Sorry for the double post guys

  • Comment number 74.

    Whilst I can't generalize for every MOD department, what is surely applicable to many areas is that security is actually important and taken seriously. The quote above indicating IE6 causes no specific and/or immediate threat is entirely understandable given one simple scenario that nobody seems to have considered:

    Their machines are not connected to the internet, yes, even today.

    No doubt there are some departments who are connected and who are at risk, which does appear somewhat careless...

  • Comment number 75.

    Reading these posts I laughed out loud as I came across people either criticising or extolling the benefits and virtues of.
    IE8, Firefox, Chrome, Opera, Safari.

    And I thought 'fanboys' were restricted to owners of Playstation 3 and Xbox 360.
    Who would have thought the BBC would become a hotbed of highbrow fanboys?

  • Comment number 76.

    This is where Journalism picks up a bad name.. it can leave pieces of information open ended and in areas like this make a report which will be read by thousands of people and only understood or misunderstood at a glance.

    In reference to another contributor here, the MOD does use IE6 through on the XP operating system.

    Everyone tied into MOD computer access will have a secure workstation on DII and the network is protected by multiple levels of security.

    Aside from this it has one of the best filters I have ever seen when it comes to external web use.

    So.. yes.. to the public consumer, anyone's personal computer system can be open to attack.

    The entire MOD network on the other hand is understandably and thankfully well protected in more ways than you can shake a fist at.

    So while IE6 may have issues for the general public/small business... it's perfectly safe for the MOD.

  • Comment number 77.


    As many have said here, this was a poorly researched piece of journalism on an important subject. Perhaps talking to the national experts at CESG (https://www.cesg.gov.uk/index.shtml) would help? IT Security is a complex subject; the BBC could take a digital leadership role in helping to educate and explain the issues properly. At the very least, the reporter should take the time to understand the subject.
    If an IT system is isolated from the internet (i.e. by an air gap), as sensitive government systems are, then the risks of internet attack are practically eliminated, no matter how clever the Chinese might be.
    I think Mr Cellan-Jones or his editor should respond to some of the well founded criticism and comments on this blog. Or does someone need to post an official complaint about yet another BBC journalist trying to "sex up" a story?

  • Comment number 78.

    Very poor article, I feel a lack of knowledge on the subject is to blame.

    Working in IT security, you always want to be up to date, but in reality it's very difficult and costly to upgrade every computer to the latest software. As someone has already mentioned, Win 2000 users have to upgrade to XP or higher to get IE8 installed, never mind the cost and time of bandwidth if you have many sites. It's far more cost effective to stop the threat entering; that's why government and businesses use Firewalls, Intrusion Prevention Systems, Email Anti virus, Web Antivirus, web filtering, and anti virus on all computers. This kind of setup means it doesn't matter too much if computers inside the network are up to date or not. Business and Government spend £50000 / £100000 plus a year on this kind of security.

    However if all you have is a £100 ADSL router then yes you should upgrade to the latest software.

  • Comment number 79.

    The MOD will be protected by having point of presence systems in place where data is restricted to certain levels and data will only pass through certain hubs, switches and backbone interfaces.

    The architecture of Google's infrastructure and network design is completely different because Google's communications are widely in the open and such security mentioned above will make the internet communications restricted to a level where they couldn't function as a search engine along with the other services they provide such as webmail and the subsidiary of youtube.com

    The vulnerabilities within any program whether it be a web browser or an email client will be exposed by hackers no matter how well hidden they are it is impossible to stop a hacker breaking security, no matter how robust the packages people are putting on the market. The bottom line is if you don't go in the internet you won't be at risk of hackers.

    Further to this the only technological solution that has been implemented and not been hacked through is RSA token encryption because it is used with a device in sync with a clock with the date on a server and issues codes to log on in 60 second intervals or whatever the timeframe is set to.

    All technology is fragile and at risk of failure or corruption. If you don't want to be exposed to risk at all you'll have to wipe computers and the internet infrastructure off the face of the earth.

  • Comment number 80.

    The MOD "Press Office" likely only deals with unclassified, releasable information. I wouldn't be too concerned if I was you.

  • Comment number 81.

    @Paul Freeman-Powell

    Your first comment states:

    'Any IT managers or other decision makers who insist on inflicting IE6 on their companies and staff should hang their heads in shame.'

    Then you reply to someone else in a later comment stating:

    'It may be relevant that ie6 is the last version available on Windows 2000, which is still in use. There's no option to upgrade to ie8 available.'

    But the final comment I notice, which shows you have absolutely no idea what you are talking about is:

    'Safari's OK but the webkit rendering engine which powers that and Chrome does some strange things and isn't perfect'

    The whole point to webkit is that it renders web pages exactly as the web standards state that a browser should. I have been praying for Microsoft to change to the webkit rendering engine for years.

  • Comment number 82.

    ANY version of Internet Explorer is inherently insecure - far more so than other browsers. The reason is Browser Helper Objects, or BHOs. These are methods for website owners to change how IE works (sure you've all seen the many wonderful toolbars that accumulate inside IE).

    Now, it is possible to get BHOs to install into IE SILENTLY - you won't even know they've been installed unless you know where to look. Yep, anyone can set up a site that when you browse to it will install a file into your IE that does something nasty, without you ever knowing. Other browsers are not affected as they do not support BHOs in this way - browser extensions have to be explicitly installed.

    By the way, this is all by design from Microsoft - they designed it and want it to work this way.

    This prevents a massive opportunity for malicious people to get your IE to do whatever they want it to do. E.g. record all keystrokes you make when visiting www.yourbank.com.

    If you are happy to take the risk then by all means use IE. On the other hand, if the BHO issue scares you there are loads of alternatives - none perfect, but none have the inherent design flaw of BHOs.

  • Comment number 83.

    I'm confused. Rory is blogging about the MOD instead of going on about how wonderful the iPhone is...?

  • Comment number 84.

    The key point is whatever system you are running you need to regularly upgrade and patch, plus add other layers of security. But as the government has shown time and time again it cannot secure data and is hopeless at IT projects; no surprise there.

  • Comment number 85.

    "11. At 5:36pm on 20 Jan 2010, Cameron wrote:
    Enter Firefox, Safari, Chrome, Opera (yes some of them have been there for years but with such a small market share who would bother) and now Firefox has 25% of the market. How long until hackers start taking pot shots at Firefox?"

    FF3.5 (or 3.6 soon) is still intrinsically more secure than vanilla IE8, add in noscript and adblock addons for FF and it's pretty much bulletproof against any "attack" where the user doesn't actively unintentionally install something.
    FF is also patched much more quickly than IE (and without the need for Governments making statement about it first).


    It's still not the most secure way to browse the web however, but it is pretty good (as are opera & safari et al).

    Of course if you're really worried about your on-line security, you'll not be running windows at all, but linux (and on a live-CD at that if you're really paranoid).

  • Comment number 86.

    That makes sense. Windows is always monitored by the NSA too, I hear. Use Firefox with NoScript, and use OS X (you can even install OS X on a PC, but I won't go into that here. Google is your friend.) Or just install Linux, but that'd probably require you to be more computer literate than most people are to use, TBH.

  • Comment number 87.

    Just a couple of things here.

    1) If the MOD is using IE6 then presumably they are using XP. If they are so far behind with the deployment of up to date browsers then presumably all the other patches and updates are out of date too.

    2) I see some comments generally talking about the lack of understanding or sympathy for huge organisations and the work / cost they would have to put in to do the upgrades...Well my comment to that is that regardless of the size of your infrastructure a budget needs to be in place to maintain it. Cracks appear quickly and if "house keeping" is not performed regularly then one day you (we) will pay. If you have the infrastructure you need to budget and teams to support it.

    There are no excuses for organisations to still be using IE6.

  • Comment number 88.

    No Government or business organization should be using any version of windows. The same machines will run many available versions of Linux with a much reduced risk of hacking.

  • Comment number 89.

    @MacBookPro #86

    You need to have some computer literacy to install Linux, but not to use it. There are some places you can get Linux pre-installed these days. Obviously you need to Search to find them....

  • Comment number 90.

    Upgrade to Firefox full stop.

    Personally, I think all businesses and consumers who are using IE are just insanely stupid.

  • Comment number 91.

    There seems to be a lot of people getting on their high horse about old versions of this and that, and how the government is totally inept for allowing systems to be left in play with 2000/IE6.

    Rory acknowledges the CESG PR when they state that the entire of the Government backbone is actually private. The border controls between the public peering points and the Government Secure Infrastructure (GSI) are controlled by GCHQ's finest, and regardless of what you think of the Govt of the day you can rest assured that these guys are at the top of their game on the security front.

    It's more than "just an IDS", and each individual packet is scanned in real time as it passes over many routing points for anything malicious. It would take an extremely intelligent and highly targeted attack to get past these guys. A buffer overflow in the Image rendering library or an ActiveX exploit really isn't going to even get close to the potentially vulnerable client.

    Fact is the technology on the coal face is rubbish, but it's also cheap. The technology that controls the core and the distribution layers is stuff that even skilled nerds just can't comprehend.

    Is it bad practice to stay on an old browser, yes - in my book it's a bit sloppy. But considering the highly secure environment these machines are deployed in I think the risk is comparatively low.

    I would rather the tens of millions of pounds it would cost to upgrade to a new browser and OS, was spent on the deficit thanks.

  • Comment number 92.

    Do what the French plan.

    Stop paying the Microsoft tax.

    That doesn't mean plan a mass-migration. Just, systems have a planned lifetime - there's a resigned reality that you have to eventually upgrade something - even if just because you can't get, or it's prohibitively expensive to find, hardware replacements.

    Move to a GNU/Linux infrastructure. If the government then has to invest in specific software development (as they often do) the results can be shared. Rather than having "our chaps at GCHQ" working 24/7 to secure a network full of easy targets, turn it into a network full of secure machines and share the knowledge with the UK public.

    After all, in the US the NSA have contributed a significant amount of security code to GNU/Linux.

  • Comment number 93.

    I use Firefox for everything general, Opera for my internet banking when I used to use - you guessed it - IE6.

    The other browsers aren't magically secure but when a fault is discovered, they don't wait up to six months to fix it, or even until the second Tuesday of the following month. The only time I use IE8 now is when it opens up for Youtube links. My last workplace updated and got rid of IE6 at the end of last year, so it's going, slowly but surely.
