Comments on: Security Software and the Bad Idea of Having People Switch Them Off

By: Fred

Fred — Fri, 03 Nov 2006 02:18:55 +0000

The claim that it does not improve the user’s web security is not the business of the web site’s owner. You are right: Your business is that it is breaking your site.

As you can read in the article, I am not even saying that you mustn’t tell people that their software is crap. Go ahead.

Imagine, for example, that a friend has a spam filter that checks against a blacklist and your provider makes it on the blacklist, so your mails to him get flagged as spam. Is your suggestion to your friend not to filter for spam at all anymore? “Just deactivate your spam filter. You will at least find my message among the 200 spam messages in your inbox every day then.”

No?

Didn’t think so. Instead you will probably suggest putting your address on a whitelist or similar. But asking to deactivate the whole filter is possibly the worst advice you could give.

By: Jesse Ruderman

Jesse Ruderman — Fri, 03 Nov 2006 02:06:09 +0000

If you’re using “security software” that doesn’t improve your security and does break my site, why shouldn’t I encourage you to disable it?

By: Fred

Fred — Fri, 03 Nov 2006 01:55:37 +0000

@Jesse: Arguably that’s true, but the main point here is not the effectiveness or ineffectiveness of personal firewalls.

It’s about telling people, please switch off your security software (of whatever kind) when a problem occurs, effectively encouraging surfing the web without any firewall, anti-spyware, anti-phishing etc. software.

Making people use software that does a better job on improving web security is a problem that has to be solved elsewhere.

By: Jesse Ruderman

Jesse Ruderman — Fri, 03 Nov 2006 01:49:25 +0000

Calling personal firewalls “security software” gives security a bad name. These programs ask questions that are impossible for users to answer, proxy-inject scripts that break web sites, and do nothing to improve security.

By: TJ

TJ — Fri, 03 Nov 2006 00:19:27 +0000

Well said! Key line: “Come on, people. Not everybody is a computer geek. People actually believe what you are writing there.”

By: Jean Pierre

Jean Pierre — Thu, 02 Nov 2006 20:45:17 +0000

I agree that one of the main problems with this kind of advice is that most users tend to leave their security solution disabled (if they use any at all and no, Norton/Symantec Internet Security does not count). They will think “I am having so many problems with my security software — I turn it off and everything works fine”. They are just not aware of the risks they are exposed to.

“Why should I upgrade to Windows XP SP2 [almost 12 months after it had been released]? I heard that there are problems with my P2P software I use to download stuff from the internet…” — “Well, have you heard of the number of security leaks that have been fixed?” (and there are still so many left…) — “Oh, you know… I don’t care…”

A short time later you’ll get a call: “Can you come to my place next weekend? My computer is behaving strange. And it’s soooo slow.”

I know that developing software for different kinds/versions of operating systems and applications such as browsers, Java VMs etc. is difficult and for most [web] programmers the solution still is “This site is best viewed in 1024×768 with Internet Explorer”. That makes life easy (from the developer’s point of view) but doesn’t solve the problem itself.

Software Engineers (I do mean those who are responsible for decisions made within software projects, not only the poor code-typing monkeys) should not try to “solve” problems by simply ignoring them. Unfortunately, in most cases you’ll only get paid if you release a product at a specific deadline (perhaps it didn’t make it even to beta status), no matter how many bugs are still inside — “we can release patches and workarounds later”. Quality and tight deadlines don’t go along very well.

Sad, but true.