Well, Maybe Not…

So maybe Peter Torr’s claims address some things that will never be resolved. Ultimately, you will never be able to fully trust anything. There is always some chink in the armor – which is why nobody ever guarantees that anything will be 100% secure.

Torr’s blog posts basically create fear, uncertainty and doubt about all binaries in general. But what is complete bullshit is that he pinpoints Firefox as the source of this problem, when in fact he is merely questioning software distribution as a whole – which is something Microsoft has struggled with and still has not solved.

In the end, security is just an idea. It is even more a feeling than an idea. The sense of security is what gives consumers confidence in a product. The truth is that in most cases a reasonable sense of security is all anyone ever wants – true security is almost unattainable. You are always vulnerable to something.

To some, that is an alarming thing. But when you look at the definition of vulnerable, you begin to realize that the only way to be truly safe is to not be open. And, yes, in a way that philosophy is in direct conflict with the nature of the web and the nature of open source development.

Microsoft can safely assume that security means closing all doors, since that is what their business philosophy pretty much encourages. “Close all doors and capitalize on the bottleneck” would probably be their philosophy. Not only do they want you to be scared, they want you to pay to be safe. There is a lot of money to be made there.

I think the correct approach to security with software is the same as in real life. Use common sense, and when that isn’t enough make efforts to educate yourself. Don’t leave your keys in the car. Don’t leave your doors unlocked. Don’t trust strangers.

Of note is the fact that in real life most severe crimes are caused by someone you know. This is because trust opens you to harm. When discussing a central signing agency like Verisign, etc., you have to consider that if you empower a central point of trust it becomes a central point of failure. If you trust Verisign to handle all of your stuff, you become ignorant, and it becomes likely that something will fly in under the Verisign blanket and hurt you.

None of that means you have to live your electronic lives in fear of everything out there. Just be safe, man. Keep informed, don’t download random shit, don’t trust sites you aren’t familiar with, etc.

A part of that, ironically, is not trusting Microsoft, which is something Peter surely doesn’t mention in his article. Not using IE has been a great way to secure your computer. Not using Outlook Express is a great way to avoid complications with mail. Not using XP is the best way to avoid damage caused by viruses, etc.

Overall, you will never be safe, but you can do things to decrease the probability of being “attacked”. If you follow common backup procedures, then the worst case scenario is that you lose a night of reformatting your system drive. Surely it isn’t worth living in fear of the unknown for that.

Security is just a feeling, and if you accept that you are on the road to being secure.

Motivation

Peter Torr’s blog post on signing Mozilla binaries (Firefox, primarily) was a good article. Most people will flame it, but his argument holds some water. I respect his opinions and recognize the validity of his statements, especially considering his follow-up post, which responded to many of his Slashdot readers.

Overall, this is good stuff; it helps Mozilla become stronger in the long run and gives us additional motivation (there was already plenty) to “do the right thing”.

In the coming weeks we will be working on increasing the security of Bouncer in its coming version (v2.0) in addition to many other features (versioning, languages, statistics, statistical exports).

More to come, folks. Doing the right thing takes time, and sometimes a little bit of pressure and criticism.

Late December

Today is the shortest day of the year. I’ll spend it all indoors at work. I’ve got no problem with that. It’s cold anyway.

It’ll be strange not being home. No NBA Live at Jon’s, no 25 ft. breakers at Waimea Bay, no fake Christmas tree, no fireworks at Grandma’s. But sometimes going home is hard for me. It’s hard to see grandpa in his old age, hard to see my family for a little while only to leave them again, to see some of my friends a couple times and never really catch up.

It’s like a single serving of home; enough to feel familiar but not ever filling.

And I think this is frightening but natural at the same time. When you live so far from home you get desensitized to the holidaze.

It’s not so bleak. Not so fast. 🙂 Many times during the year I find cheer and joy every time I call home, talking to Mom and Dad, talking to Grandma and Grandpa every other week even though I’m not sure if Grandma can hear what I’m saying, chatting with Kelly online every day. My old friends, well, they’ll always be my friends. Next time we can almost catch up.

This year? A time for reflecting, really — a look back on where I’ve been and what I’ve been through and a long look forward at where I want to go and what I have to do to get there.

My mind is pretty full, and I know my family understands that. I will go home soon, just not right now.

Sad? Nah. Just thinking.

Inflatable

Let it slide
Overhead
When I believe in you
My soul can rest

But our love
It’s really love
It never fades
But fade it does

When we shine
Like the sun
You seem the only one
My only friend

So pretty in white
Pretty when you’re faithful
So pretty in white
Pretty when you’re faithful
When you’re faithful

I resigned
From myself
Took a break
Was someone else

It’s like I’ve come undone
And I’ve only just become
Inflatable for you

I don’t mind
Most of the time
But you push me so
Far inside

Gavin Rossdale, Bush

Fog

We find the easy way.
Up, down, around, sloshing through the thick –
we untangle, climb and conquer.

Still, pain is mind’s mortality,
crinkling hope like paper –
each fiber breaking cleanly in the fold.

Sing pain again;
of women, drugs and alcohol,
of faint stale dawns.

Your eyes paint me –
a figurine on a step,
breathing fog.

My lips steam.
I watch my breath –
quietly swallowed by night.

I stare into the light,
farther along this path,
and wonder if we’ll ever meet.

Bouncer v2.0

v2.0 is almost complete. This past week I worked on completing the additions of languages and versions, and also made quite a few adjustments in order to accommodate the new database and its relationships. v2.0 should hit production within the next week (pending testing).

Thunderbird 1.0 came out this week, which was relatively lackluster in the wake of the Firefox 1.0 release. Polvi agreed that the lack of excitement is partially a result of market share and competition. Mail clients are largely web-based, and those that aren’t are pretty thorough and do not possess many of the security flaws or standard-ignorance that IE possesses in the browser market. Regardless, you should get your hands on it and test it out. By the way, Bouncer is dealing out Thunderbird 1.0 — http://download.mozilla.org/?product=thunderbird&os=win&lang=en-US. 🙂

Nonetheless, Thunderbird is a great program, and beats the crap out of Outlook Express. That said, it’ll be interesting to see what happens with the mail client world — will it start to merge with the web or maintain its tradition of being relatively stand-alone? Time will tell.

One interesting point is that with the development of Gecko and XUL, why did Mozilla try to develop a stand-alone mail client? Isn’t the idea behind the revolution the un-desktopilization (holy crap – new word!) of the internet and its applications? The future of the desktop lies in the browser and its integration with modules that expand on HTTP — I think developing a complex XUL-based extension to Firefox might have been in line with what some see as the next generation of desktop applications.

My thought is that in order to get consumer buy-in for Thunderbird and increased interest in the foundation, Mozilla needed to cater to the existing market, which means creating replacement tools that are much better in the ways of security and functionality. When, though, will we collectively take the plunge towards a more seamless web/mail browsing environment? The next ten years will be very interesting.

All things considered, Thunderbird is an excellent application and I use it exclusively. Mutt fanatics and Outlook junkies aside, it is probably the best solution around if you’re looking for a newsgroup/mail client that is not retarded. The development team did a great job.

Thunderbird isn’t circa 2040, but as a desktop app, it kicks ass in 2004-05.

reclaim your inbox.