Netscape 8 is now secure…at least when using gecko

Back when the Beta version of Netscape 8 was released to the public, I stated in a previous blog entry, that:

The plugin used to access Internet Explorer’s rendering engine opens Netscape 8 to the same security vulnerabilities Internet Explorer has, regardless of what rendering engine is being used.

To further explain this, there is a file in the plugins folder called npTrident.dll. The name of Internet Explorer’s rendering engine is Trident. If you enter about:plugins in Netscape 8 you’ll see that the trident plugin is enabled for the MIME types text/HTML, text/plain, text/xml and application/xml. Any website that detects you are using Netscape 8, could use an <embed> to feed you an Internet Explorer exploit, even if you’re surfing in the Firefox mode.

Well apparently this vulnerability has been fixed in the final release of Netscape 8.0. (currently at 8.0.1)
For more info see http://www.stonie.co.uk/nsbvuln.html

Closing threads on secnews

There has been some recent confusion about threads in the secnews.netscape.com newsgroups being closed. I just want to make things clear for everyone.

What is this all about?
There has been too much off-topic discussion taking place on the secnews.netscape.com user support newsgroups. While camaraderie is encouraged, the utility of the user support venue is first priority. Too much off-topic discussion makes reading the group much less efficient. Those looking for technical support, may have to weed through a lot of off-topic discussion to find an answer to their problem. In some cases, an answer may not be there, because the problem may have been lost in the discussion. Those of us offering to help people with their technical problems become less efficient at solving problems, and less quick to get to the technical questions.

After being asked to stay away from off-topic discussion, most replies were in defense of such practise. Most users showed an unwillingness to adhere the request; so something more had to be done.

What is considered to be off-topic discussion?
secnews.netscape.com has newsgroups set up for user support. Each support group is dedicated to a specific product. If the discussion is not about the product the group is for, then it is off-topic.

What is the purpose of closing threads?
Closing threads is a way cutting down on off-topic discussion. This way, people will not have to compose messages with an uncertainty that the message will be deleted.

What is the criteria for a thread to be closed?
I make it a rule not to close threads in which the technical discussion is still ongoing, or the original posted problem has not been solved. Other than that, there must be an ongoing off-topic discussion. The closing of threads has absolutely nothing to do with who the original poster is, or who is engaging in the off-topic discussion. Thread closures are based on message content, not the authors.

If the above rule is exploited or abused at all, I may start partially closing threads, removing only the discussion that is off-topic.

As a general rule, if you want to discuss something that is off-topic, try to move the to an appropriate forum. Jay Garcia has set up a general discussion venue for secnews off-topic posters here.

Why are your “CLOSED THREAD” notices in reply to the original post, rather than the latest post in the thread?
I don’t want to give the latest poster the impression that the thread closure is his/her fault alone.

Why are you (Chris Ilias) the only one closing threads?
Closing threads is my responsibility alone. The rest of the Mozilla Champions have put their trust in me to choose which threads get closed, and to do the removing of messages. This is a responsibility that I asked for.

The posting guidelines say “The “Original Poster” has control of the thread”; so why is it that you can close them?
You control your threads to a certain degree. Ultimately, it is AOL’s server, and the Champions have the authority to delete posts. In the case of using AOL’s Netscape user support news server as your personal chatroom: you abuse, you lose.

Added on May 25th:

Why don’t you create a newsgroup for off-topic discussion?
We don’t have the power to create newsgroups on secnews. Even if we did, I’m not sure we would create a newsgroup for off-topic discussion (Still iffy on the issue). I mentioned the possibility of an OT newsgroup on the new Mozilla server to Gervase Markham, who replied with “OT discussion should happen somewhere where it’s on-topic. Otherwise in mozilla.general.” Yet web-based user support almost always have an OT forum. (After Dark, Lounge, General Discussion) The community is kept together, and able to discuss whatever they want. This is why Jay created a general discussion venue. I suggest you use it.

Part of why I participate on secnews, is because I’m able to talk off-topic. Either let it go, or I’m going to participate somewhere else.
This ultimatum makes me laugh. Most of the people saying it have been participating on secnews for years, yet there was never this amount of off-topic discussion, until just a couple of months ago. Why the change? Why is it, all of a sudden, so imperative? It’s not a question of ‘allow OT or disallow it’. It’s simply a case of volume. Having said that, if that amount of OT discussion is so important to you, take your OT and leave. There’s no shortage of people willing to help; and more will come due the increased efficiency.

Isn’t this censorship?
Why yes it is. Every privately owned user support venue is moderated.

Why don’t you post this URL on secnews?
To keep discussion out of the way of user support. I’ll add this URL to all of my “CLOSED THREAD” notices from now on.

Your browser is NOT outdated

Today Netscape 8 was released; so I went to Netscape.com to download it. I was automatically redirected to a detour page, with this message [click on image for the full page]:

I’m using Firefox 1.0.4. Netscape 8 is based on Firefox 1.0.3.
Folks, if you get this message, don’t believe it. It’s a lie. The only browser detection script being used is one that checks to see if you are already using Netscape 8.

As a matter of fact, if you’re using Netscape 8, your browser is outdated.

No More Address Munging

I while ago, I noticed that Google Groups‘ new Beta system does not display full email addresses. Seeing as Google is probably the most popular usenet archival engine, and thus the main source of email address harvesting for spammers, I wondered how much affect the new system had on spam.

For the past week, I have posted to usenet with a real email address. It turned out to be a total of 21 messages in both alt.* hierarchy and the netscape.* hierarchy.
I didn’t get one spam message.

It just may be time for people to stop munging their email addresses on usenet.

UPDATE: A couple of days later, I got two spam messages.