Can I trust anyone?

Open-source h4xx0rz -- and even regular users -- have been wetting themselves during the past year over Mozilla Firefox, an open-source web browser that, like Linux, is touted as the holy grail of computing. In a utopic future, software will be free and it will be open source. "Open source" means just that: the source code upon which the applications are built is available to the public for viewing, not locked away where no one can see it. The theory behind "open source" is that if you have a million hackers at a million typewriters, you can create a completely secure piece of software, since they will necessarily double-check each other. This model of distributed software development is what powers Wikipedia, the open-source encyclopedia, although a former Encyclopaedia Britannica editor had a few choice words for Wikipedia and its "double-check" model.

Microsoft's Peter Torr examines Firefox and compares it to Internet Explorer in a recent blog entry (via Slashdot). He concludes that if Internet Explorer is insecure, then Firefox is equally insecure. His observation is an astute one: they are not insecure in precisely the same ways. Whereas IE may have been written insecurely, with Firefox, "it doesn't matter how secure the original code is if the typical usage pattern of the browser requires users to perform insecure actions." His blog entry successfully demonstrates that a user must make several insecure decisions when downloading and installing Firefox: the user is redirected to mirrors that he is not familiar with; the user must download and install software that isn't digitally signed; the user can choose never to see warnings that he might be downloading insecure or malicious software (the "don't show me this again" checkbox). While Torr's criticisms are valid, his installation of Firefox is rife with errors that I've never seen before in my many installations of Firefox (I started using it back when it was version 0.7).

As interesting as the original article is the level of comments that have appeared at his website. He wrote a new entry today to answer criticisms from yesterday. It's the typical bunch of comments: you're stupid, you're with the man, you don't know what you're talking about. But he does! Why is it that everyone's tendency is to dismiss someone he disagrees with? For example, Torr was redirected to a mirror provided by DePaul University in order to download Firefox. He suggested (sarcastically) that he didn't know what DePaul University was. He was berated, he says, for "failing to have an encyclopaedic knowledge of all the universities in a country [he] didn't grow up in." His point is "that the average internet user might not know what '.edu' means, or who controls the server. The New York Times told them to download Firefox from a '.com' address, and now they're downloading it from somewhere completely unrelated." Internet users should be worried when they're redirected. This is how spyware infects a computer: by fooling the browser into going to one website, then redirecting it to another (this is especially topical given the existence of an exploit that allows a hacker to put whatever URL he wants into the address bar of Internet Explorer).

There is no such thing as completely secure computing. It's asymptotic at best, and Torr is doing exactly what advocates of open source should want him to do: pointing out problems in software instead of hiding those problems. Linuxites complain all the time that Microsoft doesn't make its security holes public; making them public is exactly what Torr is doing. Why are you shooting him now?

Comments

This entry had too many big words and therefore I didn't read it.