Killing IE6

Jeremiah turned me on to this article about the man at Microsoft whose job is to kill IE6.

“Part of my job is to get IE6 share down to zero as soon as possible,” said Ryan Gavin, head of the Internet Explorer business group.

Gavin said Microsoft will continue to work with companies to move legacy applications to more modern versions of Internet Explorer, as well as continuing to highlight the improved security on offer in Internet Explorer 8. For example, a recent campaign run by Microsoft Australia compared using IE6 to drinking milk nine years past its sell-by date.

Supposedly IE6 is the “most used browser version in the world”. I am not sure I buy that statement, especially as it is not sourced. The article claims this is due to being the default browser in XP and also because of developing nations’ use of old hardware. Bah, it could just as easily be because robots and scripts masquerade as IE6.

Whatever the case, a good solution would be for Microsoft to work with companies like Yahoo! (we are talking legacy here, right?), Facebook and Google to post a warning banner to users of IE6. Something that says “Hello, your browser needs to be upgraded to use this site” could be very effective. Why would a Google or Facebook ever dare to interfere with the user experience? One giant reason is to help turn off things like SSLv2, which actually dates all the way back to the very first IE4 in 1998.

Late last year I was surprised when Google called me in and asked for my suggestion for what to do about SSLv2. Hard to believe but their engineers still debated how best to support SSLv2 even though it has no advantages and a giant security disadvantage. I gave the same answer as above — post a warning to users with a deadline, give fair notice and link to more information. Start forcing redirects to an upgrade page. No one needs to use SSLv2 and it has been prohibited by regulations for at least three years. No one needs it, and yet it persists. IE6 thus will be an even harder argument, as it might actually be useful, so what chance does Microsoft have to kill it off?

Aside from security flaws there is really no immediate need to mandate users upgrade from IE6. Why would Google do the right thing and help Microsoft? Their support of an IE6 end of life plan is improbable, but who knows. Google just added SSL to their search page. They already try to warn users of suspicious or dangerous links. Maybe they would also see value in warning users that Microsoft no longer supports IE6 and then offer Chrome as an update.

Incidentally, I must also comment on that milk analogy by Microsoft. It is probably more appropriate than they realized. I would reply that “milk nine years past its sell-by date” is also called cheese. It could in fact be some really GOOD cheese. The big difference, obviously, is that old milk does not require patches and support from the manufacturer (cow?) to remain safe.

So, unless Microsoft can point out the clear (health) risk (they refuse to support their product any longer) consumers will very likely see no harm to aging their milk for many years to come.

If you see something, think twice about saying something

Bruce has quoted a poem in his blog post for today:

If you see something,
Say something.
If you say something,
Mean something.
If you mean something,
You may have to prove something.
If you can’t prove something,
You may regret saying something.

I think the best lines are actually

If you shoot something,
Eat something.
If you eat something,
Floss something.

Bruce brings forward a story about a man who has been accused of the equivalent of crying wolf. This is only slightly removed from yelling fire in a crowded theater. Apparently this man left a bag full of papers and then tried to call in a bomb threat.

My favorite lines are good security references too, but have little to do with the particular philosophical example of fraud and risk to the public.

Bruce often says if you ask amateurs to help with security work then expect amateur results. I think his post today is meant to support this.

I disagree for several reasons. One, intelligence functions best with a network of inputs rather than in isolation. There is always chatter and noise, but go for too much squelch and you lose vital signal. Two, experts all were once amateurs. Why not embrace and provide the opportunity? Three, the definition of expert is rarely accurate, especially with rapidly changing technology — kids can become more “expert” than even “trained” professionals — so who decides? Etc.

This takes me back to the customized billboards I created some time ago.

Animal Biometric Door

The Flo Control Project, named after the feline Flo, has posted a promising update on their animal access control door. They added a facial-recognition system to try and deny Flo access if she has something in her mouth. Technically they are basing recognition on a shadow profile, rather than on Flo’s actual face.

The database of images for access success and failure is probably the best part of the entire story. The key weakness (pun not intended) of physical access systems is usually related to monitoring. A building with only ten doors and half that many cameras can easily find an operations center overwhelmed or soon uninterested in the data. One way to avoid this is to create an analysis and alarm system. Another is just to run tests that are interesting or even amusing. Flo gives a perfect example of the latter:

Flo was allowed in in all of these instances, appropriately so. The vast majority of captured images are like these, just Flo by herself. She goes in and out 5-10 times a day, so we get a lot of these. Cases when the latch does not open are much more rare, especially now, when there are not many animals for Flo to catch. Still, she tries to bring something in occasionally, and we also get other unauthorized visitors: skunks and even birds. Below are some of the cases when the latch did not open.

This brings to mind the story of Little Red Riding Hood. It certainly has shades of “what a big nose you have!”

It also brings to mind the purpose of a cat bringing its catch home. Perhaps a better setup would be a cat-trap (e.g. man-trap for cats) where Flo could deposit her catch to secure it and receive praise. A similar model could be a DCZ (De-Catch-ified Zone) that would exist as a segment between outside and inside.

Personally, I have been thinking about another control I would add to an animal control system, which I’ve mentioned before on this blog. Perhaps if I have time I’ll give it a go and test it on my own animal(s). Right now, however, my pet(s) are not violating any policies and I do not have unauthorized animal access issues.

Starbucks’ Security Policy

The Associated Press ran a story called Buzz and bullets: Gun fans cheer Starbucks’ policy that gives a good indication of a hot topic in the US:

Dale Welch recently walked into a Starbucks in Virginia, handgun strapped to his waist, and ordered a banana Frappuccino with a cinnamon bun.

Sounds like the start of a bad joke, right?

They make a banana flavored “Frappuccino” now? People drink this? A cinnamon bun on the same order and a case can easily be made that some Americans have lost their senses.

Perhaps he needed the gun to help convince the staff to put the two items on the same order. “Give me as much corn-sweetener as possible, to go, now!”

You think that is funny? There is more, like this sentence:

…about 100 activists bearing arms had planned to go to a California Pizza Kitchen in Walnut Creek, Calif., but after it became clear they weren’t welcome they went to another restaurant.

Walnut Creek? A wealthy white suburban conservative neighborhood was the target of a pro-gun rally? Hardly risky territory for pro-gun groups, but even with stats in their favor they backed down. Why? Perhaps they realized they didn’t like pizza anyway.

This reminds me of how basic rights are lost on private property. You lose your First Amendment freedom of expression if you step into a Starbucks. Do gun activists feel they should get special treatment for a later Amendment? Start with the first. I have seen some say they believe this is about individual rights, but I doubt they really want to share a stage at Starbucks with speech activists.

Moreover, a security perspective sets aside individual rights and brings it all back to a question of how to manage risk. When those allowed to carry guns are clearly known to have a service role (federal, state, etc.) you have a very different situation. A police officer with a weapon has a uniform, a badge with a number, etc. to make them easily identified as someone trained and trusted with a weapon. This is common around the world because service personnel are essentially trusted. The idea of a random individual carrying a gun onto private property (the individual rights argument) opens a whole different can of worms related to authentication and authorization. How do you, as a customer, let alone a shop owner, make a risk judgment in a world of individuals carrying firearms? In other words, if free speech already has been deemed too risky and not allowed on private property for random individuals, one would presume carrying a firearm would be treated the same or with even more caution.

Seriously, though, when you think about chain pizza, syrupy coffee and cinnamon rolls this is hardly a story about fundamental rights or even security. Those are just a cover. It tastes more like a marketing campaign with some free press to promote expensive designer fashion food to a group most likely to pay for it — customer relationship management.