Security Companies Are Getting Ridiculous
By Adrian Sutton
There used to be a time when if a security advisory came out you should pay attention and take immediate action – it seems more and more these days most security advisories should be ignored because it’s just some brain-dead, wanna-be security company desperate for attention. The most recent example of this is the so-called “infection” in this piece of trash from Vital Security.
People, when a security dialog comes up with 3 exclamation marks you probably shouldn’t say yes. I mean seriously, if you’re stupid enough to run untrusted code with full permissions, I just have to link to a .exe to own your machine. Users should be allowed to use their computers, they just have to be taught not to trust unknown sources of software and not say yes to random dialogs that pop up. This is not a technological issue, it’s a problem of education. Previously you used to have to teach people not to delete the Windows or System Folder because if they did the computer wouldn’t boot. Now you have to teach them to not trust things by default.
For the record, any browser which doesn’t correctly run the applet and display the security dialog to the user has a bug in it – it is failing to activate a plugin (or doesn’t have a Java plugin). There is a lot of software that runs as a signed applet, from online content editors used heavily on intranets to conferencing software for sharing desktops and applications etc. Not supporting this technology seriously impairs a significant amount of business software. Note that Java isn’t the problem here, you can sign JavaScript to give it full permissions as well, not to mention plain applications, Firefox extensions, browser helpers and a huge number of other things that provide mechanisms to allow applications to interact with the user’s data and provide functionality outside of the normal HTML sandbox. That’s not a bad thing, you couldn’t distribute software over the internet without that functionality – you couldn’t download OS updates, you couldn’t download a Linux distribution, you couldn’t share Perl scripts (or Python or Ruby or ASP or PHP or whatever). People want to be able to do this and it is fundamental to computing that code can be transferred over the network and executed if the user desires. Heck, I’m using a signed Java applet to write this post so I get on-the-fly spell checking, WYSIWYG editing and the ability to import files from my hard drive, save a back-up copy to my hard drive, pull resources from sites other than the one the applet loaded from and a range of other things that make my life easier and aren’t possible while stuck in the standard applet sandbox.
It’s also worth noting that adding more warning dialogs won’t solve this problem - Windows XP SP2 added a second warning before you can run an exe you downloaded from the internet. Why? They heard you the first time and decided to run the software. What makes you think the second dialog is going to make them less likely to just say yes?
A similar problem often comes up when deleting things. It seems like a good idea to require confirmation before deleting anything so that users don’t accidentally delete stuff. This just doesn’t work. People get used to the dialog and automatically agree to it without thinking. All you’ve done by adding that dialog is require the user to perform two operations when they really want to delete something – they’ll make just as many mistakes when deleting. What you should do is allow the user to undo their mistake.
Oh dear, I just noticed that this is the same guy who made a big fuss over spyware installing the .NET framework. Sigh. Once you have malware on your computer, you’re boned. If you got off with just having .NET installed you should consider yourself lucky – it could have wiped your hard drive or added your computer to a DDoS bot-farm and used a ton more bandwidth or anything else it felt like doing. Why is it surprising that spyware would install its dependent libraries? Why is it surprising that spyware isn’t desperately trying to save the user’s disk space?
The worst part is this guy doesn’t even seem to realize he’s an idiot.