Posted on 08/26/2005 6:31:03 PM PDT by Bush2000
Firefox's 'retreat' ensures Microsoft excels
Open source web browser Firefox has lost the momentum it has steadily gained since it was unleashed last year, according to Web analysts at Net Applications.
The online portal's unique Hit List service reveals a slump in the Mozilla browser's market share, falling from 8.7% to 8.1% in July.
Coinciding with its demise was the advance of Microsoft's IE that has gained some of the ground surrendered in June, climbing back from 86.6% to 87.2% last month.
The revival for the dominant browser comes on the back of average monthly losses of between .5 to 1% for Redmond, as Firefox started to gain acceptance among a wider audience than just tech-savvy users.
When asked by Contractor UK whether Microsoft's sudden gains were from the unveiling of a new IE, Net Applications said a re-launch tends to revive industry interest, and could have bolstered Microsoft's market share of the browser market.
"When a company launches a new product, there is always renewed interest in what the company has produced and it would also be fair to say that this may have had an effect," said a member of the Hit List team.
"Although, there have been browser issues with Windows 2000 in the news, so it is possible that again you may see a dip [in Microsoft's market share]. Right now, people are looking for security and whenever there are issues with the security of one's system, they will use what they feel will be the most secure."
Besides Net Applications, web developer site W3 Schools confirms that adoption of Firefox is falling, just as IE is reaching its highest share of the market in 2005.
According to W3's data on specialist users, Microsoft IE (6) enjoyed a 67.9% share in July, improving to 68.1% in August matched against Firefox's top share of 21% in May, which has now dropped to 19.8% for the last two months.
Observers noted that both sets of analysis concur that Microsoft's loss, up until now, has been Firefox's gain, but over the last month roles have reversed.
Security fears concerning Mozilla and its browser product have recently emerged, coinciding with Microsoft's high-profile trumpeting of its new safer browser product (IE 7), complete with glossy logo.
Experts at Net Applications said they were surprised at Firefox's sudden retreat, saying they expected a slowdown before any decline.
Yet they told CUK: "Whenever there may be problems with security, there always is a decline with users changing browsers."
Data from the Web analytics company is based on 40,000 users, gleaned from their global internet operations, prompting some commentators to question the so-called global decline in the Firefox market share.
The Counter.com reportedly finds that between June and July, Firefox actually increased its share by two points, and overtook IE5 for the first time ever.
The Web Standard Project suggests webmasters should treat data from web analysis providers with caution, before rushing to make service changes.
"So what can we conclude?" asks the WSP, a grass roots project fighting for open access to web technologies.
"Not much: Mozilla-based browsers are probably used by just under 10% of the web audience and their share is growing slowly. IE5.x is probably used by somewhat less than that and its share is declining slowly. IE6 is roughly holding steady."
Meanwhile, Spread Firefox, which measures actual download rates of the browser, reports that it took just one month for the Mozilla Foundation's showpiece to reach 80 million downloads in August from its July total of 70 million.
At the time of writing, Firefox had been downloaded 80701444 times, meaning adoption rates of over 10m occurred one month after Net Applications says Firefox bolted in light of the dominant IE.
Yep, look it up. In this case, it uses a 64GB pre-computed hash cracking table. Videos of it in action are available at the site.
If I get time later today, is it okay if I freepmail you a Windows 2000 hash to see how easy it is to crack?
I don't have the $500 to blow on buying the pre-computed table, so I can't do it.
This one in W2K3. It isn't remote (as you never specified it must be), but it is an unpatched buffer overflow error that can give system-level access.
Name one where the box is physically secure.
For that matter how does any security prevent a brute force attack?
In regards to Windows you don't need physical access to the box, but just need to sniff the wire for the hash to be passed. Then you can crack away (brute force style). What does Linux do to prevent such an attack?
Don't change the terms after the challenge has been taken. You didn't mention physical security in your challenge in the post I replied to, and I provided it for you. Challenge met. End of story.
But now you see why I wanted to nail down terms for the bet on your Mac "virus." If you don't, you can easily lose.
BTW, that Rainbow Crack program won't work on Linux since Linux salts its hashes.
Oh, forgot, as of now it doesn't do the alt key codes, but it does do every character that almost all users use for passwords. As for alt key codes, just wait. IIRC, when Rainbow Crack first came out it didn't do the special characters either. But until then, what percentage of people even know it's possible to use them in passwords? What percentage of people even know they exist?
Why doesn't Windows just salt its hashes and eliminate the problem?
It salts the hash; therefore, Rainbow Crack won't work on it.
Well the challenge was beat before it was ever offered. Any IT hack knows if you don't have physical security the box might as well be considered compromised.
Having said that, and I grant your loophole victory--if that makes you feel good. Let me restate a new challenge. Show me one buffer overrun that can be exploited where the physical security of the box isn't compromised.
The salt hash only puts in something unique per user then hashes it. Think of it as extending each user's password by his user name then hashing it. It helps to ensure that no user has the same hash; however, it doesn't do one thing to stop something like Rainbow Crack from brute force attacking their hash.
Unless I'm missing something. What salting gives you (and it's a good thing) is that I can't do a quick dictionary attack against your hash (unless adding the unique salt to the password yields a dictionary word).
But Rainbow Crack is a brute force 64GB hash table attack. It should still work against a Linux salt hash.
For that we'll have to wait for the next remote buffer overflow exploit that Microsoft decides to sit on.
Score: Me 1 you 1/2 (since it was a parsing of the words).
Yes, but look at it from this perspective. Rainbow uses a brute force method. It checks every possible combination to crack the password. Now add on a 4-digit (some are larger) unique ID to the beginning of the hash, and you increase the possibilities by 7,311,616 times. So--take Rainbow's 64GB table, multiply it by 7.3MB, and your table now becomes over 467TB. The time it would take to go through all that, makes it essentially unbreakable with today's speed and technology.
This isn't accurate. If Windows has a policy for 12 character password with uniqueness (letters, caps, special) and Linux has a policy set to only 8 character passwords, then they'd be about the same.
So now you're changing the comparison? I was comparing the same length passwords between the two, and showing what the increase would be if Windows just salted their passwords.
Don't get me wrong, salting is a good thing, but it's not foolproof against brute force. It's more of a way to help protect dumb admins that allow weak/short passwords.
Oh ya, as far as Rainbow goes...my brief reading of it says you can tailor the hash table to what you need. So if you know the Linux password is 8 and the salt is 4...you'd start with 12 character passwords to hash. So Linux is just as vulnerable.
Having said that, it doesn't make that much of a difference based on the way Rainbow Crack works (based on my limited read of the tool). Basically you customize the hash table to the password policy in effect. So if you know the password is 8 characters and the salt is 4. And you know it must have caps and lower case. Then your hash table gens up hashes based on that info.
That is incorrect as well.
A 12-char password would produce a different hash than a 4 char salt+8 char password. You'd also have to know the 4 char salt, and that is a random string produced by the system for each user--so even if you know a user name, you wouldn't know the salt. Without the salt, you cannot run the hash through Rainbow, as it assumes the entire hash is a password.
Rainbow would just produce a password based on a 12 char policy and it wouldn't work.
Keep in mind antiRepublicrat said Linux wasn't vulnerable to Rainbow Crack brute force attack because it used salting. My point was to show that it is vulnerable. Not that Windows is better.
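The salting question argued in the comments above can be checked directly. The following is an added example, not part of the original thread or of any tool named in it: it uses a plain lookup table as a stand-in for a rainbow table, SHA-256 as a stand-in hash, and a constructed 3-letter lowercase keyspace, with a 4-character salt drawn from 52 letters to match the 7,311,616 figure quoted above.

```python
import hashlib
import itertools
import secrets
import string

ALPHABET = string.ascii_lowercase      # constructed toy keyspace
PW_LEN = 3                             # 26**3 = 17,576 candidate passwords
SALT_ALPHABET = string.ascii_letters   # 52 symbols (assumption matching the thread's figure)
SALT_LEN = 4


def digest(password: str, salt: str = "") -> str:
    # SHA-256 is a stand-in; it is not the hash Windows or Linux actually use.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def build_table(salt: str = "") -> dict:
    """Precompute hash -> password for the whole toy keyspace under ONE salt."""
    candidates = ("".join(c) for c in itertools.product(ALPHABET, repeat=PW_LEN))
    return {digest(pw, salt): pw for pw in candidates}


def new_salt() -> str:
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LEN))


def salt_multiplier() -> int:
    """Number of separate tables needed to precompute for every possible salt."""
    return len(SALT_ALPHABET) ** SALT_LEN


def demo() -> dict:
    unsalted_table = build_table()     # built once, reusable against every account
    password = "cat"                   # constructed sample password
    salt = new_salt()                  # crypt-style schemes store this beside the hash
    stored_unsalted = digest(password)
    stored_salted = digest(password, salt)
    return {
        # The shared table answers immediately when no salt is used.
        "unsalted_lookup": unsalted_table.get(stored_unsalted),
        # The same table misses: it was computed without this account's salt.
        "salted_lookup": unsalted_table.get(stored_salted),
        # With the salt known, the full search must be redone for this one account.
        "per_salt_lookup": build_table(salt).get(stored_salted),
        "multiplier": salt_multiplier(),
    }


if __name__ == "__main__":
    print(demo())
```

The result shows both sides of the argument: a salt removes the reuse that makes a precomputed table worthwhile, but a short password is still recoverable by a fresh per-account search, so password length and a slow hash remain the controls that matter.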