Ron Lopshire wrote:
> Nick Skrepetos wrote:
>
> > Leythos wrote:
> >
> >>In article <1162186501.862987.318910@k70g2000cwa.googlegroups.com>,
> >>nskrepetos@yahoo.com says...
> >>
> >>>What needs to happen is education - not the, typically uneducated,
> >>>propaganda of saying "ActiveX is bad". I think this will make a great
> >>>blog topic for this week's security blog:
> >>>http://superantispyware.blogspot.com
> >>>
> >>>Understand, I am not targeting you here - it just is time that people
> >>>truly understand the facts and properly educate instead of just
> >>>reiterating a canned "ActiveX is bad"
> >>
> >>ActiveX is a sign that the website developer didn't follow the standards
> >>for browser compatibility. Don't get me wrong, I have written many AX
> >>controls, but I don't do it any more.
> >>
> >>There is no need for ActiveX, in fact, while ActiveX is not the real
> >>problem, it's the common delivery method. That's like saying that
> >>Gasoline is not a threat, but people still get killed in fires started
> >>with it.
> >>
> >>I will tell people that ActiveX is bad for now, as there are too many
> >>people using it to make malicious code, and there are a LOT of people
> >>not using it any more, because of that fact.
> >
> > This is not a personal attack but I am trying to make people understand
> > the actual dangers, not the propaganda....
>
> This does not have to be personal, Nick. But to assume that those who
> choose not to use ActiveX, or Java, or IE, or OE, etc., do so because
> they are misinformed or ignorant smacks of ... well, let's not go
> there. [grin]
>
> > "ActiveX is a sign that the website developer didn't follow the
> > standards for browser compatibility" ??? There are two browsers in use
> > by 99% of the surfing public. That's yet even more uneducated
> > propaganda (you should know better than this) - There are basically two
> > platforms used to surfing the web by the "average" user (yes, I know
> > Opera, Safari, etc. etc.) - IE and Mozilla/Firefox - so sites that want
> > to do things such as our File Research Center, Online Virus/Spyware
> > scanning, etc. should use those technologies (ActiveX/XPCOM) to create
> > that type of software. The alternative is writing things in Java - but,
> > in my opinion that would be a waste of our resources - it is slower and
> > we would have to rewrite our complete engines. Java can infect the same
> > way ActiveX/XPCOM can.
>
> Why do you IE fanboys [grin, let's keep this civil] continue to
> fabricate statistics? But then again, 92,7% of all statistics,
> including this one, are fabricated. That's what I told the idiot at my
> bank's help desk when he claimed that 98% of their customers use IE. I
> refuse to support a financial institution where the "technical" people
> fabricate data. See Enron.
>
> The fact of the matter is that IE's market share is now around 80%,
> and falling. Google did not dump millions and millions of dollars into
> Mozilla and Opera (the reason for Opera being freeware) for nothing.
>
> http://www.w3schools.com/browsers/browsers_stats.asp
> http://www.e-janco.com/browser.htm
> http://marketshare.hitslink.com/report.aspx?qprid=0
>
> There is some contention that these statistics are actually skewed in
> IE's favor due to UA-spoofing necessary to view the contents of sites
> developed by the ignorati. IIUC, most Opera users typically use an IE
> UA out of necessity. But that said, these numbers are of no use to
> you, Nick. They have absolutely nothing to do with your market!
>
> In corporate America (same applies to rest of the Windows-using
> world), _this_ is a typical Windows setup:
>
> OS: Windows 2K/XP
> Office Suite: Office 2000/2003 Professional
> Browser: IE
> Email Client: Outlook/OE
> AV: Enterprise Edition of NAV/NIS or McAfee*
> AS: None or MSAS/Windows Defender*
>
> *When Vista is released, these may change, somewhat gradually, to
> Windows One Care Live. See the bundling of IE with Windows and how
> that worked out for Netscape.
>
> I would be surprised if the market share for IE/OE/Outlook for the
> Fortune 500 companies is less than 99%. These people (multi-million
> dollar IT departments) do _not_ purchase third-party anti-malware
> solutions. These people were schooled by MS, and MS contends that it
> is not only not necessary, it is not recommended.
>
> And of course, these people already have the best anti-spyware
> protection in place. "If you as an employee of this company download
> malware on your company laptop/desktop, your employment will be
> terminated." There is no license fee necessary for this solution.
>
> Your market, Nick, is the Home/SOHO market. This can be divided into
> two groups --- the clueless and the not-so-clueless.
>
> The clueless bought an OEM Windows box with NAV or McAfee installed,
> and haven't updated their AV definitions since. They don't know what a
> browser or email client is. And they don't know enough to wade through
> the FUD and snake oil. When their boxes get compromised, they pay the
> local "computer expert" $100-200 or more to clean up their systems.
> These "experts" then install freeware AV and AS apps that never get
> updated again until the next time their services are needed. The
> "I-can-fix-your-box-for-$150" folks do _not_ recommend apps that
> require license fees. It cuts into their profit margins.
>
> And then there are the not-so-clueless Windows users. This is your
> true market, Nick. These people are savvy enough to wade through the
> FUD and snake oil, and make their security decisions accordingly. And
> these people practice safe hex.
>
> http://www.claymania.com/safe-hex.html
>
> And part of safe hex (Rule #3) is not using IE/OE/Outlook. Even if
> IE's share were 90% overall, and it's not, it is _way_ below 50% with
> this crowd.
>
> > Why not educate people to look where they are surfing and learn how to
> > see if a site is good or bad vs just telling them "ActiveX is bad" - if
> > people were not surfing porn and trying to steal software, and get
> > everything for free 99.99% of infections would not happen. It's like
> > having unprotected sex - bad things can happen if you don't take safety
> > precautions and learn what you are doing....
>
> Are all four of those 9s significant? [grin]
>
> > This is why we get people saying our site (and others) is/are bad -
> > because people tell them ActiveX is bad. Do you tell people Cars are
> > bad? Planes are bad? Gasoline is bad? Java also can infect a machine
> > just as easily as ActiveX, do you tell people Java is bad? What about
> > videos......those infect machines - do you tell everyone videos are bad
> > too?
>
> You are correct. Java (and VBA, VBS, etc.) is just as risky. The
> issue, of course, is default allow vs. default deny. No one should be
> using Java or ActiveX with un-trusted sites. If your system is
> supported by a multi-million dollar IT department, you can enable
> anything that you want. On _any_ Home/SOHO box, however, both Java and
> ActiveX should be disabled by default. I will leave it to the
> interested reader to determine which of the above groups of Windows
> users is qualified to decide when to allow either to be enabled.
>
> > This is very interesting to me - people are completely misinformed -
> > this is why education of the public is so important - and people in the
> > front lines with "technical backgrounds" should educate the people as
> > you have the power to do so and should understand the facts and truths
> > and not just say "ActiveX is bad"........we, the technical users are
> > the ones that can make the difference.....so why not start?
>
> The best place to start, IMNSHO, is by not insulting your customer
> base. I don't use IE, ActiveX or Java because I choose not to, not
> because I am some ignorant, incompetent, misinformed buffoon. That is
> one of the beauties of the current world. Being able to choose which
> browser to use, which email client to use, and which sites are allowed
> to have access to the data on my HD.
>
> I haven't tried your ActiveX process utility, because 1) using it is
> such a PITA with my setup, and 2) I have several other utilities that
> do the same thing without ActiveX. IE is not my default browser, and
> so your utility is not usable from your GUI. In order to use it, I have to
>
> 1) Open the page in FF.
> 2) Set IE's security to default settings (everything enabled).
> 3) Open IE.
> 4) C&P the link into IE.
> 5) Download the ActiveX control.
> 6) Run the utility.
> 7) Close IE.
> 8) Lock IE down again (Enough is Enough!).
>
> As I said, a real PITA for a redundant utility. If I remember next
> month when I use Microsoft Updates, I will try your utility before I
> put IE away for another month.
>
> I consider you, Nick, to be a stand-up guy and a friend, and I
> consider SAS to be a great product. And I will continue to promote SAS
> as a worthwhile AS solution, freeware and/or Pro. I don't care if you
> develop ActiveX controls for your utilities, just please don't insult
> those of us who choose not to use them.
>
> I would like you to do me a favor. When you post your blog about
> "setting the record straight about ActiveX", take a poll among your
> readers as to which browser(s) they are using. From my experience, I
> would be shocked, absolutely shocked, if IE was exclusively used by
> over 30% of those who frequent the security NGs and fora such as yours.
>
> With the release of IE7, ActiveX is now opt-in. That means that by
> default, for the first time in the history of ActiveX/IE, ActiveX is
> disabled. I will leave it to the interested reader to determine which
> of the above groups of Windows users is qualified to know how and when
> to enable it.
>
> It would appear that Microsoft has decided to go a different direction
> WRT ActiveX. Those who are interested can Google for replacing
> ActiveX controls with user forms, .NET and several other options.
> Justified or not, this would appear to be the reality.
>
> Back in the late 90s, before Firefox and Opera got their feet in the door,
> this was the mantra.
>
> The browser wars are over, and IE won. Get over it.
>
> Allow me to be the first.
>
> With the release of IE7, ActiveX is dead. Get over it.
>
> Ron


Ron,

I am not trying to upset anyone - I am very thankful for all of the
support this, and other groups, have provided for me and my products. I
think my 99% issue was misread - I said "There are two browsers in use
by 99% of the surfing public" - Internet Explorer and Firefox - I
didn't say 99% used IE.

For instance, our stats as of right now today on SUPERAntiSpyware.com
are 79.74% Internet Explorer, 19.2% Firefox/Mozilla and the balance
everything else, just FYI. The SUPERAdBlocker.com stats are about the
same with IE @ 82.1% and Firefox/Mozilla @ 17.3%.

I also didn't say, and I hope didn't imply, anyone was a "buffoon" or
"ignorant" because they did or didn't use ActiveX - I stated that
ActiveX was not bad - and simply have issue with the blanket "ActiveX
is bad".

My point is that ActiveX is not bad - neither is XPI/XPCOM - both are
great technologies that are useful. Any technology can be exploited.

I am not sure ActiveX will be "dead" with the release of IE7, as there
are still some native things that can't be done with the other methods
- but either way it will play out how it does.

-Nick