Security Software and the Bad Idea of Having People Switch Them Off

It’s the second time in only a few days that I read this, so I guess I have to comment on it.

Today I had some minor problems loading my GMail account, so it showed me an error as follows:

Google: Switch off your Firewall

Alright, so imagine I am a naive computer user who just got this message and I obviously believe what they are saying. Now I am going to go ahead and disable my firewall altogether and live happily ever after — until I come across the first script kiddie that turns my workstation into a spam bot, virus nest, or both.

Similar issue: That blogger on MSDN.com who nicely suggested switching off the phishing protection altogether when the CPU usage of your new instance of MSIE 7 spikes on some AJAX websites. — While he has meanwhile revised it to an acceptable “add these individual sites to a whitelist for which you switch off the phishing protection”, his initial suggestion was just as bad as the one up there by Google.

Come on, people. Not everybody is a computer geek. People actually believe what you are writing there.

So please start thinking before you type. Having people switch all their security features off first (but burying the information that this might be a bad idea somewhere deep inside the help files) is harmful and — sorry — just plain stupid. People will switch it all off, they will see that “everything works” and they will stop reading about the issue right afterwards.

If you really, really, really have to have them switch off part of their software (which is not too surprising for some paranoid security products), at least spend half a minute explaining how the workaround can be done securely, and only for the page in question.

You owe this to your customers. Or, to put it differently: If you handle your customers’ privacy as carelessly as you handle their web security, I sincerely hope nobody ever tells you their social security number.

6 Responses to “Security Software and the Bad Idea of Having People Switch Them Off”

  1. I agree that one of the main problems with this kind of advice is that most users tend to leave their security solution disabled (if they use any at all and no, Norton/Symantec Internet Security does not count). They will think “I am having so many problems with my security software — I turn it off and everything works fine”. They are just not aware of the risks they are exposed to.

    “Why should I upgrade to Windows XP SP2 [almost 12 months after it had been released]? I heard that there are problems with my P2P software I use to download stuff from the internet…” — “Well, have you heard of the number of security leaks that have been fixed?” (and there are still so many left…) — “Oh, you know… I don’t care…”

    A short time later you’ll get a call: “Can you come to my place next weekend? My computer is behaving strange. And it’s soooo slow.”

    I know that developing software for different kinds/versions of operating systems and applications such as browsers, Java VMs etc. is difficult and for most [web] programmers the solution still is “This site is best viewed in 1024×768 with Internet Explorer”. That makes life easy (from the developer’s point of view) but doesn’t solve the problem itself.

    Software Engineers (I do mean those who are responsible for decisions made within software projects, not only the poor code-typing monkeys) should not try to “solve” problems by simply ignoring them. Unfortunately, in most cases you’ll only get paid if you release a product at a specific deadline (perhaps it didn’t make it even to beta status), no matter how many bugs are still inside — “we can release patches and workarounds later”. Quality and tight deadlines don’t go along very well.

    Sad, but true.

  2. Well said! Key line: “Come on, people. Not everybody is a computer geek. People actually believe what you are writing there.”

  3. Calling personal firewalls “security software” gives security a bad name. These programs ask questions that are impossible for users to answer, proxy-inject scripts that break web sites, and do nothing to improve security.

  4. @Jesse: Arguably that’s true, but the main point here is not the effectiveness or ineffectiveness of personal firewalls.

    It’s about telling people, please switch off your security software (of whatever kind) when a problem occurs, effectively encouraging surfing the web without any firewall, anti-spyware, anti-phishing etc. software.

    Making people use software that does a better job on improving web security is a problem that has to be solved elsewhere.

  5. If you’re using “security software” that doesn’t improve your security and does break my site, why shouldn’t I encourage you to disable it?

  6. The claim that it does not improve the user’s web security is not the business of the web site’s owner. You are right: Your business is that it is breaking your site.

    As you can read in the article, I am not even saying that you mustn’t tell people that their software is crap. Go ahead.

    Imagine, for example, that a friend has a spam filter that checks against a blacklist and your provider makes it on the blacklist, so your mails to him get flagged as spam. Is your suggestion to your friend not to filter for spam at all anymore? “Just deactivate your spam filter. You will at least find my message among the 200 spam messages in your inbox every day then.”

    No?

    Didn’t think so. Instead you will probably suggest putting your address on a whitelist or similar. But asking to deactivate the whole filter is possibly the worst advice you could give.