Stuart J. Johnston, over at PC World's Bugs and Fixes column, does a fabulous job confusing and unnecessarily alarming Firefox users, while at the same time conflating the valuable contributions being made by the ethical security researcher community with the malicious activities of "bad guy" hackers.
That's quite an accomplishment in just 500 words.
Getting those column inches hammered out every month can be hard work, but when the obvious result of an article is that readers will walk away less informed than before they read it, it's time to consider a different approach or a different topic.
This particular piece should never have made it off of the author's laptop and definitely shouldn't have made it past an editor's desk. PC World, IDG, and Stuart Johnston are all better than this, and their readers deserve more.
"Many people are switching from Internet Explorer to alternative browsers such as Firefox and Safari. Though that might make them feel more secure, the shift has also opened new doors for bad guys."
More users may make a particular program a more inviting attack target for the bad guys, but in the case of Mozilla's Firefox, more users and our open and responsive process also make it a more inviting research target for the good guys. Yep, there are good guy hackers too, and it's those good guys working in concert with Mozilla developers that are finding and fixing the vast majority of Firefox security issues.
So, in the case of Mozilla's Firefox, more users may actually be helping to shut the door on bad guys, rather than, as Mr. Johnston claims, opening new doors for them.
"Case in point: We have no IE bugs to report this month, but both Firefox and Safari have been hit hard."
If by "hit hard" the article means to communicate something like "this month security researchers and developers contributing to Mozilla's open source Firefox project have found and deployed fixes for several new potential vulnerabilities, shoring up Firefox's defense against malicious hackers and denying them new attack vectors," then sure, Firefox was "hit hard."
Unfortunately, I don't think that's what the article was implying.
"So forget the idea that just because you've switched to a new browser, you're magically safer."
There's no magic here at all. Firefox has a long track record of being more secure by design, more responsive to security issues, and less often targeted by bad guys than I.E. Taken together, those factors really do mean that because you've switched from I.E. to Firefox, you are safer -- no "magically" about it.
"You may be for a time, but to stay safe with any software, you need to keep current with fixes."
And here we have the only line in this entire article that could conceivably help users. Unfortunately, it's not in a context where it's likely to be taken that way.
This is one more area where just a bit more research would have resulted in an entirely different article or no article at all -- depending on the author's motivations.
With Firefox, users don't have to worry nearly as much about keeping current with fixes as they do with other browsers, I.E. in particular.
Firefox has the best record in the industry, not just for finding and fixing issues quicker, but for getting those fixes in the hands of users faster.
Thanks to Firefox's well-designed update mechanism, 95% or more of our users are automatically updated to the latest secure version in less than a week.
That kind of information could have provided the context to make that one informative point actually useful to readers.
"In a somewhat dubious recognition of Firefox's growing popularity, hackers have focused their attention on it, leading to a rash of newly discovered holes."
If by "hackers" the article is referring to Mozilla developers and ethical security researchers who work together to keep Firefox users safe, then sure, "hackers focused their attention on Firefox."
If, however, as it appears from the overall tone of the article, it means to suggest that Firefox users should be alarmed and worried that bad guys have discovered a bunch of new Firefox holes and users are in great danger, then no, not so much.
"In an actual attack--neither the Safari nor the Firefox bugs have elicited one so far--a bad guy could take over your PC or steal your navigation history."
In an actual attack, Firefox users would be protected because the vulnerabilities were discovered and fixed by the good guys and rapidly deployed to virtually all Firefox users weeks before Mr. Johnston's article hit the Web.
With this paragraph, we also finally get the buried lede and the admission that should have killed this entire story. Bad guys are not attacking Firefox (nor, apparently, Safari), and all of the FUD from the previous four paragraphs falls apart by the author's own admission.
A month ago, with the help of some amazing security researchers, Mozilla found and fixed half a dozen problems and deployed those fixes to pretty much every Firefox user out there. In the time between those discoveries and the appearance of Mr. Johnston's article, there have been no reports of any of those flaws being used to attempt attacks against Firefox users -- attacks that would fail thanks to the Mozilla developers and the security researchers that Mr. Johnston calls "bad guys" and "hackers."
What a waste and what a shame for those people who, having read this article, are now more alarmed and less informed about security than they were before.
Security is a complex area and it takes real effort to learn about all of the factors that interact in determining security outcomes. It simply doesn't lend itself to quick bean counting analysis or casual headline-skimming research.
It's also a critically important topic because a fundamental necessity of a safer Internet is that users have a clear understanding of how it actually works.
Security-related articles and headlines constructed with oversimplifications, fear-mongering, and outright misrepresentations not only don't inform readers, they actually slow the progress to a more secure Internet.