  1. #1
    iNET Interactive

    Trouble dispatching dangerous downloads




    IN THE WILD

    By Robert Vamosi

    Microsoft is claiming success with a feature in IE 9 that aims to quash malware hidden in application downloads.

    But false positives and false digital certificates keep the feature from being perfect.

    The full text of this column is posted at WindowsSecrets.com/in-the-wild/trouble-dispatching-dangerous-downloads (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

  2. #2
    bobprimak (Lounge VIP)
    Reputation Services are false security.

    First, they rely on the experiences of a large community of users. This places trust in the wisdom of the crowd. Unfortunately, the crowd can be wrong.

    Second, a reputation builds up over a period of time. But malicious code shows up at a lightning-fast pace and sites can get cleaned up before they can clear their reputations. The same can happen to downloads themselves. What was safe twenty minutes ago may not be safe now, and vice-versa.

    Third, similar downloads can be tarred with the same brush, as has happened with Web of Trust and McAfee SiteAdvisor. And sorting out the resulting confusion can take months or years, in which time small developers can go out of business. This has happened many times with reputation services.

    And then there's the inevitable "technical issue", such as when Google's reputation service one day marked the entire Internet as malicious. It can happen to any reputation service.

    But the greatest drawback to reputation services is that they encourage user complacency. If it's McAfee Green, I do not have to think about whether I should download this or not. This is anathema to an educated and alert end user. Users should be encouraged to think before we download, not to rely on our security programs or browsers to prevent us from doing anything unsafe.

    So, it's nice to see this feature being piloted in IE 9. But there may be reasons why Firefox and Chrome have not adopted this strategy. Time will tell who is right and who ends up with egg all over their faces. I'm betting on Microsoft to mess this one up just as they have messed up every other security venture they have engaged in -- including MSE.

    And then there are all those fake Certificates...
    Last edited by bobprimak; 2011-06-28 at 04:53.
    -- Bob Primak --
