When more bugs can mean tighter security

When more bugs can mean tighter security

Summary: Mozilla Europe's president Tristan Nitot explains why having fewer disclosed vulnerabilities doesn't mean Internet Explorer is safer than the open-source web browser

TOPICS: Security

...if you want to read the files. This is digital rights management. This is my computer, my copy of Windows, this is my data. I don't want any company, and not just Microsoft, to dictate what I do with my files.

Since then I've not used Windows on a regular basis. A computer is a fantastic tool for connecting to the internet. My whole life is in there — songs, movies, pictures, text, my blog posts. It links my friends through instant messaging and social networks. For many of us it would be impossible to work without a computer.

This is a tool I want to keep control of. I had the choice of either not updating Windows with SP2, which wouldn't have been secure, or not accepting the contract. So I moved to Linux, and when that machine died I switched to a Mac.

What is the current state of play with open-source development?
Open source is amazingly successful. I have a cracked iPhone running BSD, and a Nokia N80 tablet running Gecko 1.9. At home all my routers run Linux.

When I was younger I was fully addicted to computing, and I pictured myself in the future surrounded by Unix machines. I'm a bit geeky. But actually this has happened. Now we're surrounded by Unix and Linux machines, all connected to the internet. We have open source everywhere.

What are the main future challenges for the open-source community?
The open-source community needs to figure out the user experience part and the marketing part. With product quality and reliable operating systems, open source has won hands down. However, today, most open source is built by engineers for engineers, which makes the products not very user-friendly. This is something we've figured out in Firefox. Now this needs to be figured out in other projects.

In many cases users' privacy is more valuable than the service they get in return, because there's no price tag on privacy

So which distributions are user-friendly, and which aren't?
Ubuntu is interesting — users can use Ubuntu. The tricky part is Windows power users, who get lost on Linux. The inner workings of Linux are not easy to understand if you're coming from XP.

Why is marketing a problem for open source?
Open-source communities have way less marketing budget than proprietary software vendors, especially Microsoft, which reportedly spent $500m (£250m) launching Vista.

Mozilla released the first beta for Firefox 3 a month ago, and the second beta on Tuesday. You can work on web applications offline with Firefox 3. Will this work for all web applications?
The Firefox 3 beta has an API that tells the web app that it's offline, so it can store things locally, and sync back later. This implies the web app knows how to leverage the API, so [if it doesn't] it has to be updated.

How much is this a security feature? Do Web 2.0 applications open up new attack vectors?
A browser is a window onto the internet, which is why we take security so seriously. [But] I don't think Web 2.0 applications are particularly dangerous in terms of security. In terms of privacy they are, as seen on Facebook recently.

Are you talking about Beacon [Facebook's ad-tracking feature, which it withdrew], and if so, was it a bad idea?
Beacon was probably a bad idea, if the users think so. People see and adopt so-called "free services", but they do have a cost — a huge cost — to develop and run such systems. People are paying for them by giving up their privacy.

In many cases their privacy is more valuable than the service they get in return, because there's no price tag on privacy. It's hard to balance what you give with what you get. It's hard to understand whether you're getting a good deal. Right now I don't think users are getting a good deal.

There is a price per user to running a social-networking site, and social-networking site executives know that price — probably a couple of pounds per year. What you give in exchange is your age, your location, people you know, websites you visit, things you buy — this all gives a precise profile of you. It enables very variable targeted advertising, probably worth much more than a couple of pounds per year. With Beacon, I would have been the first to sign a petition [to stop it].

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


1 comment
Log in or register to join the discussion
  • Bugs ahoy!

    Good interview and nice to get a view straight from the horses mouth about the other side of the fence .... erm, I'll quit with the sayings now.

    When people say that one application is plainly more secure than another I tend to doubt them instantly. Of course it frequently turns out to be a loyal fan of that application rather than an outside and independant voice of reason.

    I for one like that Firefox updates when there is something that needs fixing, plus I can go and read all about the update what it changes and what it fixes.
    With IE patches the updates aren't very frequent nor do they easily explain the content (read : Cumulative Update)

    It's nice knowing what is going to be placed on your machine and I think as more users become alerted to Privacy related topics that an open method may appeal to them over the closed method.