Penn State Tells Students To Ditch IE

Hoyceman writes "About 80,000 students and staff are being told to use an alternate browser. The Penn State ITS department sent the alert 'because the threats are real and alternatives exist to mitigate Web browser vulnerabilities.' InformationWeek is carrying the story."

Nice!

[Anonymous Coward]

When I was there, Penn State's IT group was rather inept. Glad they're starting to take security and computing infrastructure seriously. Good job guys!

Re:About time

[OffTheLip]

College is a time of rebellion against the 'machine' and power to the people. If ever there was a more benign grassroots movement than open source and 'in your face' smackdown to corporate control suitable to todays US times I can't imagine.

Temple not quite that far

[ntxb229]

I go to Temple University and while our CS department hasn't gone that far they have installed Firefox on all the computers in the labs

Brown's been saying this and acting on it

[c0dedude]

At Brown [brown.edu] we get a CD with all the latest security patches and a copy of Firefox every year. Prevents trouble, methinks.

safari?

[jxyama]

if a student can run safari as an alternative, then he/she must be using a Mac. not to defend IE, but isn't IE for Mac less dangerous than IE for Windows? if he/she has already ditched Windows, does he/she need to ditch IE too?

Security

[FiReaNGeL]

Looks like IE get burned by the very same 'feature' that allowed it to get 95% market share : integration with Windows and total access to stuff it shouldn't. Lesson learned, Microsoft?

But even without security, FireFox is just plain better. Tabbed browsing is huge, Bookmark toolbar, extensions, find-as-you-type (HUGE improvement over CTRL+F search)... Now I look at IE (the rare time I need to open it for windowsupdate) and it just feels...dirty.

Funny, I got my account disabled for using Firefox

[Goosey]

At my college [starkstate.edu] the first thing I did on every computer I touched was to install Firefox. I also put Winamp on a few open lab computers for listening to Internet radio while I worked.

Recently I became unable to login to my student account, with a message "Your account has been disabled, please speak to your network administrator."

Well I went and found my network administrator [mailto] to ask about what was up. Apparently it is against school policy to install programs on their computers. This is totally understandable and reasonable, and I apologized. But he decided I needed to be chewed out and he had a killer fact that he just knew would crush me.

Looking me in the eyes he proceeded to tell me that due to me installing Firefox and Winamp on two of the open lab computers they no longer function and had to be totally reformatted. This man, who is in charge of keeping the school network secure, seriously thinks that Firefox and Winamp could possibly be the root of a computer's DEATH. I did not argue the matter no matter how ridiculous it is; I just wanted my account back.

How is it they let people become the network administrator for an entire technical college, a college that hands out degrees in technical fields, that are just that ignorant. How can any competent network admin possibly think Firefox and Winamp are causing a computer to not boot?

So now under threat of permanently losing my student account I am forced to use IE. It is excruciating, because I am not the only person installing software on the open lab computers, just the only one knowledgeable enough to install useful non adware-infested programs. Just opening Internet Explorer results in about 3 minutes of closing popups.

Re:80,000

[Anonymous Coward]

That depends on whether you want to talk about University Park campus or the entire PSU school system. UP enrollment for fall 2004 was about 41,000. System wide enrollment was about 81,000.

http://live.psu.edu/still_life/2004_10_28_04_enr ol lment/enrollment_fall04.pdf

Re:About time

[eneville]

Well I recently finished a BSc (Hons) Computing, after 6 years of computing study (various different computing courses), so I'm in a good position to add coment here.

The college students don't give a hoot as to what they are running, so long as they can screw it up. Remember the GNVQ Computer Studies reboot technicians can do little else than delete files. The Art students don't care if it says "Internet Explorer" or "Mozilla FireFox" at the window title, just so long as they can access hotmail.

The college administrator will not have to worry so often that something has screwed around with the network because the MS product is faulty.

How exactly do you remove IE from Windows without breaking their support agreement?

Re:safari?

[Blamemyparents]

IE for mac is vulnerable to many of the 'make it crash!' exploits. exploits designed to mess with Windows through IE of course fail. Many mac users use IE because it was the default browser in OS X before Safari came out (Irony, huh?). Safari came with 10.3, but I don't think the system changes the default browser on install.

Re:security through obscurity

[Rits]

But make sure that your alternate browser it is a recent version of Firefox or Mozilla. They have responded very quickly to security issues, and are being proactive about security, much more so than the the people behind Konqueror or Opera.

I'm sorry, but that is FUD. Opera will be the first browser to patch the latest, cross-browser, issue [secunia.com].

A fixed 7.54u1 is being distributed at this moment. See the Opera advisory [opera.com].

And as far as solutions go: why expect perfect safety online, when we don't have it offline either? Software should improve, online systems should be more secure (it is stupid if money can change hands online only secured by a single login), and most people will smarten up in time. Perfection will not be reached.

MSIE has a track record of leaving critical holes open for a while, but most reported holes are not critical. And MSIE is much more informative about it issues than either Opera, which only recently started publishing advisories, and Firefox (what advisories?) Selling Firefox purely on the safety issue will come back to bite it in the long run.

My previous employer has gone backwards.

[DrStrangeLug]

3 years ago I worked at a small college in the SW United Kingdom, and when the Internet became "The Big Thing" we used Netscape and then Mozilla as our browser base.

They've recently been merged with/taken over by a larger college in a nearby town, and the surviving IT department is in the process of converting the site from :

• A Corel WP Suite & OpenOffice mix to MS Office
• Groupwise to Outlook
• Mozilla to I.E.

Common Sense doesn't always win.

IE is evil

[h311sp0n7]

A couple of months ago I was trying to convince the head of ITS at my work to switch to Mozilla. When Firefox went 1.0 he obliged and we did a complete rollout to all clients. The only real problem being that many Web programmers do not conform to W3C standards and only build applications that are compatible with IE. Personally, I do not use IE and have not for a long time, but the pages that I do create conform to W3C standards. The move to any browser is dependant on how pages are written. More of the IT/programming world should take this into account if we are to see a greater move away from M$ IE

Re:Article Misleading

[omicronish]

Interestingly, the University of Washington, which is across the lake from Microsoft, has made Firefox the default on all CS computers, and possibly on all campus computers as well. IE is still available, but Firefox starts by default.

Project

[utlemming]

During a major network reworking project at a college apartment complex, my partner and I recommend that the comlpex go over to Firefox. The interesting thing is that some of the tenats referred to the new internet at "Firefox" internet, as opposed to "Internet Explorer" internet. And even better was the fact that several of the tenats asked where they could get his new "internet." Out of the people over in the complex nearly half have switched over to Firefox. The exposure of Firefox actually started in their Internet lounge. And since people saw that the complex was using Firefox they started to what it. So I think that the best way to get some of these alternative standards-based browsers out is for exposure in main stream enviroments.

My college.

[Anonymous Coward]

My college has been trying to put Firefox on there student computers. The problem is that IE always wants to be the default browser and the students cant simply us Firefox, they always click on IE and make it the default again. It's a constant battle so it's not necessarily the computers fault it has security flaws it's the users always choosing the wrong browser.

At Harvard...

[thefultonhow]

I go to Harvard University, and am a User Assistant -- basically, a student-employee of Computer Services who helps undergrads with computer problems. Our policy whenever someone comes in with a problem, be it a virus or spyware or even a simple problem with Eudora, is to install Firefox. I have never had a user object, and when I show them some features like tabbed browsing, they really warm to the browser. One girl even said that she used DeadAIM primarily for the tabs and loved it that Firefox came with such a feature too.

Of course, the best thing is that once the user is firewalled and virus-protected and has SP2 and Firefox, he or she will probably never come into the Clinic again!

Re:I go to Penn State

[E8086]

I have the same problem at Rutgers and here's my way around it.
Instead of reinstalling every time get the zipped distro of firefox and put it on a usb drive. It can be personalized a little:
replace Firefox\defaults\profile\bookmarks.html with your saved bookmarks
and copy the contents of Firefox\plugins to Firefox 1.0\plugins on the usb drive.
I havn't tried it with any themes or extensions yet.

Re:Now the question is...

[Tim C]

That's the one thing I don't like about Firefox - so many useful options are hidden in about:config instead of being in the GUI configuration settings management tool.

Probably the wrong approach

[MasterVidBoi]

As a linux and firefox user, this is probably the wrong approach. Students should not be told that they must or must not use any particular piece of software as long as that software doesn't damage the network (I don't think IE causes nearly as many problems as p2p on college campuses).

My school has a slightly different way of dealing with this (at least for dorm computers): If your machine appears to be infected, they cut your internet access. Then, they'll fix your computer and give you a talk about security, but only once.

If you get infected again, you lose internet access, and don't get it back until you demonstrate that your machine has been reformatted. Every time. All of a sudden, even the most non-techie people start to be a little more careful, and start listening to you.

Re:safari?

[artemis67]

not to defend IE, but isn't IE for Mac less dangerous than IE for Windows?

A live hand grenade with the pin pulled is less dangerous than IE for Windows.

True, IE for Mac doesn't have any of the vulnerabilities of its Windows cousin. For one thing, when malware tries to install to "c:\windows", Mac OS says, "Huh? What?" That, plus the fact that the Mac development team wrote the browser from scratch, so the two have little or no code in common.

IE for Mac is getting quite old, but it still has its uses. It's the only Mac browser that runs VBScript, and a client site that we inherited from another company makes heavy use of VBScript on the client side, so I end up having to use IE once or twice a week.

It used to be the best browser on any platform, back in the day. Now it looks as bare-bones next to Firefox as Notepad looks next to MS Word.

I actually took it to the boardroom

[skids]

The CIO called a meeting on security, brought in all the CIO's and CS managers from the University branchess for the state, and among other things, we talked about what to do about the slew of problems with student machines.

I pointed out that students get zero education on computer security, and that if they really wanted to fix the problem, they would create a 1 credit required gen-ed course on personal computer security. Students would thus be required to learn how to keep junk off their desktops one hour a week for a semester (plus it would be an excuse to give remedial computer usage insruction to some of the freshmen that come from living-under-a-rock high school.)

That idea raised some eyebrows. They said "now, THAT's thinking out of the box." They diligently noted it in their notepads and pointless PDA gizmos.

And then, did absolutely nothing.

But that's about what I was expecting, that just because they had the wherewithal to recognize a good idea when they heard it, didn't mean they would remember it for more than a week. That's not how it works. If it doesn't reach crisis proportions, these types of people don't do crap about it.

Re:Nice!

[Deathlizard]

Before I got a job at the Current College I work for I worked for one of Penn State's Satellite Campuses.

The IT director that works there is a good friend of mine. when he took the IT position I helped him out for awile and eventually worked there while I was still in college.

Security was priority one there. We didn't screw around when it came to protection of the network. We also understood that our PC's had to be rock solid since they had direct static IP connections to the internet.

Virus wise, I can remember one machine in the 2 years I was there getting infected once we took over, and it was a machine that was setup before we showed up and was so mission critical that PSU main did not let us touch it until we forced them to let us take it over. Hacking wise the only problem we had was outside the network with a particular virus spamming the JetDirect cards with garbled data sothat they would print constantly, which we soon fixed with firmware updates, and this is coming from a place that ran Windows 2000 2 weeks after it went RTM.

Security is only as good as the initial setup of the lab PC. If it is set up correctly no virus can infect it. Basicially you have to handle protection similar to a layer system. that way if the browser protections are compromised then the virus scanner takes over, all the way to user access and the os core itself. Frankly. I can guarantee that the reason their sending that to the students is because it's easier to tell them to switch to something that the spyware people haven't directly targeted yet then give them a five page lesson it how to secure their OS.

MS isn't blame free on this. The best thing on earth that could ever happen to IE is that they lose the Eolas Case, Cause thats the reason their in this hole in the first place. 90% of the exploits in IE occur becuase of their stupid ActiveX plugin automatic download and install garbage that they developed to beat Java. If ActiveX install went away IE would be as secure as any other browser out there. MS knows it and and they know they screwed up and could fix it by removing activeX altogether and replacing it with something that makes some sense, but they will never do that cause they dont want Sun to start pointing the finger saying "see I told you so" or have millions of ActiveX programmers drive to redmond with their pitchforks and torches looking for blood.

Re:safari?

[the pickle]

You clearly haven't used the Mac version of Opera.

Go download it, and tell me I'm wrong.

p