IE7 Toolbar Mayhem
nikostheater writes "A user called anyweb tried to infect IE7 with as many toolbars as possible and it's interesting to see what happens and how secure IE7 is.." This is funny if only for the screenshot of a browser window with like 80% of the screen covered with toolbars.
You go to the website, and click multiple times to install something on purpose? Sometimes even downloading and running something? I'm not an IE apologist, or even an IE user, but it seems like infection is a bit strong.
If you're actively trying to install lots and lots of toolbars on your own computer, which you have admin access to, there's a very large chance you're going to succeed.
This is news?
By summer it was all gone...now shesmovedon. --
MSFT came up with its own extension central of the *same quality of that of the mozilla foundation* (I know there is one out there already).
Afaik these toolbars add "extra browsing enhancements". If MSFT told its users that these bars are Teh evil if installed from some random address I'm sure the "toolbars" will die out soon.
perpetually dwelling in the -1 pits
There is nothing to see here: he systematically disables all of IE7's protections, clicks past up to FOUR warning boxes to get some of the toolbars, and goes through the manual install process (!!) for some of them because IE was like "Uh oh, sorry, you look determined to shoot yourself in the foot and I just can't let you" and denied the install through the browser.
Help poke pirates in the eyepatch, arr.
Looks like the host took out the pictures.
(Some were large JPGs.)
Interesting text nonetheless.
There was a video of some guy recording his browse by infection of IE a while back that was very revealing. Just visited a site and his computer was infected, he proceeded to try to pull the stuff out and noted the techniques the spyware authors used to keep a user from being able to uninstall it.
The critical difference in security though is not what the user can do (as he or she is probably running as administrator anyway) but what can be done without their permission. That's where the work needs to go. Not stopping someone from doing something they have to agree to (no matter how nefarious the wording is).
"And considering what I put Internet Explorer 7 through, the reset tool did a very very very good job, see below, just one toolbar left, and it was Yahoo's, maybe that's a telling result ?"
We'll see how well this works a year after release. That said, it's about damn time MS did something about IE.
The screenshot reminds me of my mother's or my sister's computer every time I go over there. They're always ending up with crap like "mycoolsearch", I did an adaware search and got something like 600 items the first time I tried it. I got fed up, and installed firefox and made IE less obvious on the computers.
I go back two weeks later, and now firefox has a mycoolsearch toolbar! Arrg.
I just upped the profit forecast for my spyware removal service startup by 300%.
Think of the Children; Sleep with your Sister
Really? The guy pretty plainly states that he ignores all the warnings and clicks yes/allow/next/install no matter what it says. So he is ignoring the security warnings and installing it anyways just to see how cluttered it will become. Not really a test of IE7's 'security' any more than running a rootkit on linux (as root) is a test of its 'security'.
The images don't seem to be loading on the site, but why do I get the feeling it's going to be somewhat reminiscent of this?
This guy's the limit!
So what's with the submitter implying that allowing third parties to install toolbars is a security hole? The article even said they went looking for them and clicked "yes/install/whatever" to every window they were presented with.
The only possible way to prevent this (and why would you want to prevent users from using their favorite toolbars?) would be to completely disallow downloading toolbars from the internet in IE.
By the way, did the submitter actually refer to Google toolbar as an "infection" with the implication that IE should have prevented it?
It looks like these upcoming MS releases are actually going to be good products based on the things slashdot articles are having to resort to in order to bash them.
It won't be long before every toolbar you download will want 80% of the screen space. As they say in real estate: location, location, location.
I read as much of the article that would load, and I don't think that there are any points against IE here. Users should be able to override security measures on THEIR system. I would much rather Microsoft not cater to the really stupid.
No one chastises Linux for allowing you to "sudo rm -rf /". I suppose it would be nice if IE prompted for a password.
If Microsoft didn't allow people to override those controls I can just see a lot of internal applications breaking in a lot of businesses.
There's a lot wrong with Windows (which is why I chose not to use it), but from what I can tell from this article, the security on the upcoming version of IE might not be one of them (for once).
Help I'm a rock.
This is funny if only for the screenshot of a browser window with like 80% of the screen covered with toolbars.
Is like CmdrTaco like really a blond? Like I would expect an article to be like more like using more than like simple language, you know?
It either is 80% or is not 80%. It is NOT like 80%. Am I the only one irritated by this?
Newsflash: New Microsoft software still can't protect against user stupidity!
Follow-up: Einstein's doubts taken away! It really is infinite!
Come on guys, where's the news here?
We can expect to see him simulate a viral attack, this will involve him formatting his hard drive while running IE, removing it and hitting it multiple times with a hammer.
I'm not sure what we can expect from that, but I sure can't wait to see!
This sig is licensed under the Free Sig Foundation License, you may re-distribute it as long as you retain this notice
Mirror
Or it is approximately 80 percent, which I see as a legitimate use of "like 80%".
Picture. All I did was right click where the image should be and selected view picture.
That which does not kill me only postpones the inevitable.
Um... Isn't quite a bit of software "insecure" by default? I mean, the majority of software has a bunch of general settings that you are supposed to alter to make the software behave the way you want, rather than use the (usually) permissive settings out of the box. I currently use IE. I don't get spyware. It's called proper security settings. Also, I know what looks suspicious. Seems to me that a little education and setting up your browser correctly would solve the problem. Maybe part of the current belief you can't secure your browser is fostered by the anti-spyware companies. On another forum, one guy was complaining about how insecure Firefox was because when he ran his anti-spyware it found cookies and they were a high threat. COOKIES?!? yeah.. I'm pretty sure that every browser accepts those by default.
As far as this "test" or whatever it was supposed to be goes; I imagine that if I wanted to compile a virus and run it with the root account on a linux machine I could get it infected too. See? Linux is insecure. When you are TRYING to get infected, what else would you expect. Maybe all the people who try to secure IE with 3rd party utilities should try to do it with just the browser's own internal settings.
For the record, I am not missing a ton of webpage functionality either. And before you assume that I'm a Microsoft/IE nazi, I use it because it's already on my machine and does everything I want it to, and I don't care what browser you use...if you wanna use a text browser for everything, knock yourself out, I hope you enjoy it.
Is there a point in this article...?
Secure = Administrator on the machine should be blocked from installing google toolbar?
Truth is, he should have tried to see how much damage he can make as a standard user without providing Administrator credentials. Being an admin and clicking through all the warning dialogs is like running as root in linux and being surprised you can install software...
Hate to whine, but why do these articles make it into slashdot? It seems like often the other technical subjects discussed here are well moderated, and the articles thought provoking. But as soon as someone with a fleeting command of the English language lays down any thoughts that are anti-Microsoft, it immediately makes the front page.
I wonder if it actually removes the downloaded toolbar files from your HD and registry, or if it just hides them from the ie display. I mean could they still be in the system and doing stuff behind the scenes? (such as planting viruses or opening backdoors, or even just using CPU/memory/disk?).
It's bad that the auto-cleanup thing didn't remove Yahoo. Either Microsoft explicitly made an exception for Yahoo or Yahoo found a workaround (I'm not sure which is worse). If yahoo can do that then so will all the others pretty soon.
It's a pretty useless thing to do, because with basically ANY software that allows toolbars/extensions you can do the same thing and make it look bad.
IE sucks for plenty of reasons. This is not one of them.
Not news.
Just goes to show that productivity is inversely related to the number of toolbars installed on any given browser.
I did not expect all those applications (where some of them had direct access to file system and registry) could be removed by a single click (and a confirmation).
So we learn three new strong points of IE7 (added to what IE6 already provides):
I'll personally continue to use Firefox, however I'm glad to see IE getting secure, because every now and then I have to use some "bad designed" site which only works on IE. And now I can be more assured about the security of my system.
When I use my Windows and I use IE on an off chance, there's usually at least five or more toolbars that I don't remember installing. Most toolbars are useless. But I agree, this is not news.
Here's an alternate link to the final outcome.
One thing that the author encountered in his tests was that once a user says OK to a UAC dialog in IE, then IE turns off "protected mode" and that mode remains off until IE is shutdown and restarted. "Protected mode" prevents IE from writing anywhere in the filesystem except the cache (without explicit implicit user permission, such as the File-Save dlg), so malware installed on top of IE can't do any harm. But if "Protected mode" is off, then the IE process can write to any place allowed by the permissions of the user, meaning that malware running within IE's process can do the same. This might be a legit bug in IE7 (which hasn't reached RTM yet, so there's still time to fix it, if it is indeed a bug).
-- "I never gave these stories much credence." - HAL 9000
Doesn't seem to help much since the images are linked from another site.
In school, a design professor never hesitated to point out, "If it is possible to 'break' the application as a consequence of the selection made, then you must think of it like that. The number of people that are going to answer 'Yes' to "Do you wish to ruin your computer? Yes/No" is irrelevant since you shouldn't have offered them the chance to see that dialog in the first place."
Most of the UI systems I've studied tell me that if the design has a "need" to ask the user to consider doing something bad, then the system designer should reconsider doing it all. I don't think it is very shocking that IE can be screwed up. I do think it is shocking that Microsoft knows of at least 4 interactions that shouldn't be done by the user and allows them the choice of doing it anyway.
Come to irc.efnet.net #windowsxp and rag on anyweb for being a un-secure administrator.
After reading several comments on how this isn't news (because disabling protections to install stuff is easy) ... the point that was COMPLETELY MISSED that was in the article, was that the "IE Reset" function actually worked, sans Yahoo.
This, I believe is the main point of the article, because this will help EVERYONE keep junk off of IE. Not that it deletes anything, but allows the clutter to be easily fixed.
It's pretty clear that this particular article isn't really an attempt to disparage Microsoft's new security surrounding IE7. (Or, if it is, then it does a pretty lousy job, what with all the "Yes, I really want to install this you damn, stupid browser" stuff.)
So, it gets posted to /. with a wink-and-a-smile. But is there really anything here? Anything? No?
Honestly, when are we to see the first article about how Steve Ballmer refused Linus Torvald's rest-room offer of a handshake only to have the readers find out that Ballmer hadn't washed his hands yet? Are we really so desperate to disparage MS that we'll ignore manufactured evidence?
I swear: This article smells just like Fox News "accidentally" labeling Foley a Democrat.
If Nalgene water bottles are outlawed, only outlaws will have Nalgene water bottles.
Quite on topic with the kind of article we're given here, I'd like to run a little improvised poll/research here.
When do you think Slashdot jumped the shark? That is, versus giving us actual news that matter about OSS and IT, we started getting 80% of this crap like this one.
Thanks in advance for your opinions!
And here I thought this was the place for "stuff that matters".
The title and description is rather misleading. The article goes through how difficult it was to actually install many of these. In one case he actually had to open firefox to download the executable in order to "infect" Internet Explorer. In addition to that, he mentions that he was able to reset Internet Explorer rather easily removing all browser addons minus Yahoo's toolbar.
ok, IE7 did a great job making it difficult to have all those toolbars installed by error... BUT after installing those toolbars they have a way to survive the reset button process just as the Yahoo toolbar did. In one year the reset button will be useless if it is not fixed because more toolbars or malware would have found a way to protect themselves.
:)
it would have been interesting to see a screenshot of the add/remove programs AFTER the reset process.
Holy crap! I never thought I'd see the day when nearly all of the posts in a thread about a Microsoft product would be *defensive*! Time to clean out the fallout shelter!
Ok, I managed to wget the final screenshot, enjoy: http://cosurgi.googlepages.com/iemess2.jpg
Colonize Mars
It's all just pedals on the floor of your car.
Take a break from writing posts.
Seems as though he went to some fairly benign sites and installed a bunch of not-so bad toolbars. Not that I'm saying that the toolbars he installed are clean and rosy, but wtf.
.. but *yawn* I'm not in the mood right now..
:) However, I hate having to do the same repetitive scans on a PC over and over, because someone wanted smilies and stationery in Outlook Express....
Why not take Vista / IE7 to some not so great sites. Like some of the more underworld (note, I didn't say illegal) porn sites, or better yet, crack sites that (still) try to use the WMF vulnerability and other tricks. Maybe I'll do that in a VM session
And hell, the product is still BETA. Half the software won't work with Vista right off the bat. But wait until some little teeny bop programmer actually finds an exploit.
I love and hate spyware. It keeps me employed.
= Grow a brain...
If the normal workflow in IE7 is having to click a lot of yes/allow/ok popups that's what people will do. That's not better security, it's just a way of handing over the responsibility of the security to the users. For an OS targeted at baffoons that's not really a bright idea. Thanks to this Microsoft will just blame any security problem as a user error not having done anything to fix the bad security in IE.
I hate all these security warnings. Whatever you do, you get a stupid modal "are you sure?" pop-up. Yes, I am. I know what I'm doing, thank you very much. What piece of shit are you to dare question my actions? If I want to install a hundred toolbars, I don't want to be asked again and again and again.
It's the proliferation of excessive pop-ups and EULAs that trains users like pavlov's dogs to drool and click on "Yes" each and every time without paying attention.
What we need is (a) to educate users to be aware of the risks of installing software, (b) fine-grained controls in the software to selectively enable and disable warnings, so that pop-ups are rare, so that the user knows when to pay attention, and (c) legislation that disallows selling your soul by EULA.
Here's a mirror
I think it's useful as it shows whether or not IE7 can be restored to a default state after you hose your system with a bunch of crap. A typical IE7 situation may not be like this, but for admins and those repairing PCs, or even if -- heaven forbid -- IE7 has a flaw that is taken advantage of by spyware, if a user can restore it to full functionality.
Twinstiq, game news
Those toolbars are a plague. Does every company in the world need a toolbar? It has nothing to do with filling a need for anyone, it's pure marketing trash. In the early days of IE6 there was literally no defense against them, and some of them were practically impossible to remove (hotbar, cool web search). The anti-spyware tools (at the time) were horribly inadequate; using Ad-Aware and Spybot with up to date definitions back then would only remove some of the toolbars. My company spent a lot of money removing that crap. Fortunately people started using another web browser and Microsoft finally admitted that spyware was a problem (years too late IMHO). That whole situation was enough to get me off of Microsoft products. I've been an Ubuntu Linux user for quite some time now, and never had a *single* unwanted toolbar or spyware installed on my computer. The old cliche's about "you must be visiting questionable web sites if you have spyware" is completely ridiculous. I can't tell you how many times I've heard techs (or Microsoft) wrongly blame users for crappy OS and web browser security. It is 100% possible (and likely) for someone to get spyware and unwanted toolbars in Internet Explorer without visiting questionable web sites or agreeing to install it. It's a virus plain and simple. And where are the anti-virus companies? Instead of adding virus definitions for spyware to existing AV products, they IRRESPONSIBLY used the opportunity to create a new category of viruses and sell additional products. MS has used the opportunity to themselves launch anti-spyware products (Defender is currently in free beta, but word is that it will be pay only when out of beta). Nevermind that IE is the ONLY browser with this problem. What makes it worse is that companies like Adobe and Sun bundle toolbars with their software. So if someone isn't paying close attention they get Yahoo or Google toolbar. The fact that IE now has a "cleanup" option is completely meaningless IMHO. 
The fact that the browser can be loaded down with crap toolbars filling up 80% of the page in less than a few minutes should tell Microsoft that IE still needs a LOT of work.
it would be an even slower news day!
Now go to mozilla's website. Download and install every damn extension there is for Firefox. Take a screen shot and post it please. I am no MSFT supporter. But TF(antastic)Article is just stupid.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Dear Microsoft apologists:
IT'S JUST A HUMOR ARTICLE. IT SAYS RIGHT IN THE ARTICLE THAT HE'S DOING IT ON PURPOSE TO SEE WHAT HAPPENS. NOTHING MORE.
Okay? Get it? We know it requires user action to infest IE7 with toolbars. That's not the point of the article, which is just to see what happens and laugh on a Sunday. For crying out loud, why does everyone think they have to leap forward and be some sort of heroic truthbringer to the poor Slashdot masses who won't understand the article? We're not idiots.
"Sufferin' succotash."
Toolbars themselves are a good feature add. By design, "plug-ins" allows for extension of the framework in ways the user wants. I'm all for Microsoft or Mozilla or Opera to have a way to install plugins! What is bad is the way Microsoft goes about doing this with their rules and exceptions which lead to a confused user.
By design or miracle, "warning dialogs" are somewhat minimal in Mac or Linux but in Windows it's all over. "Are you sure you want to do this? Yes/No" over and over again causes "fatigue" where users just dismiss it for the sake of making it go away. I've seen users who just click and dismiss things that are clearly warnings and indicators that something is wrong. Why? Because they see it dozens of times and it's nonsense as far as they can tell. The reason they never hit "No" is because it stops what they were doing. They would rather be encumbered by a flakey IE than not do what they wanted and frankly these errant users have a point.
The point is worth repeating: Adding a toolbar to IE7 isn't a bad thing. The real problem is the way the process works and it isn't getting better for Vista. For each plugin there should be one and only one confirmation. If it fails **any hard defined requirements** then the plugin is not installed. They should not be asked to elevate their privileges. They should not be asked if they want to activate secondary controls (Active X). They should not be asked if the install can modify the registry.
Why does any toolbar need 'elevated privileges' at all to install or work? IE is supposed to be an isolated framework that is user dependent. Why does a toolbar need another control hosted outside of itself (violates sandbox)? Why does any toolbar need to access the registry (again violates sandbox)? None of this stuff seems necessary at all for toolbars to function. Why bother asking the user "Yes/No" questions on things that are "violations"?? In most normal cases, when a program violates the rules it doesn't allow it. Why is IE different?
I saw this easily 2-3 years ago.
It looks to me like IE7 did pretty damn well (and this is coming from a linux/firefoxista). The author actually had to use firefox during the process and (unrelated) toolbars were actually installed in his firefox browser.
Second off, that screenshot made me crack up. I set it as my desktop background.
...the Man with a Thousand Toolbars (2002).
Timeo idiotikOS et dona ferentes
but how effective will it be once people start writing software that specifically targets IE 7? Is the Yahoo! bar there because it couldn't get rid of it or because they're in cahoots?
The first picture is hilariously absurd, but what really shocked me was the second one, and he says
This is the first time I had seen MSIE7, so maybe it's old hat and "standard" to everyone else, but I thought the "clean" picture was provocative. Why? Look at it: the menu bar isn't even at the top of the window; the url and back/forward arrows are. Are they trying to slow down the user and make them hunt for things? Is this normal and default for MSIE and recent Microsoft applications, for the menu bar to be somewhere other than top? Or had this user already diddled with some settings to make MSIE look bad?
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Reading many of these replies makes me think a lot of people at /. actually believe most users are careful and conscientious about the warning messages they receive from the 'system.' They are not. Many are willfully dismissive of these messages; it's beneath them to have to stoop to sufficient levels of geekery to be bothered by such things. That fact explains a large fraction of the Apple market.
Computing just isn't important enough (yet) to warrant such concern. Until it is, Microsoft et al won't be bothered to do what is required to really secure these products.
BTW: If anyone from Nero happens to read this; your product lacks at least one customer because your 'Nero 7 Ultra Edition ENHANCED' software pollutes the host with unnecessary background indexing crap that I simply will not tolerate.
Replace semen by toolbar and face by IE7. Disgusting? "Bukkake is a group sex practice wherein a series of people take turns ejaculating onto someone. There can be strong overtones of erotic humiliation in this practice. Various styles exist, but a common form of bukkake seen in such publications will involve a woman or man sitting, lying down, or kneeling while men (or functional transsexuals) approach to masturbate until they ejaculate on her/his body, primarily on the face or in the mouth. The semen is left on the face as another man repeats the routine."
Who would have thought, if you Manually install spyware toolbars they will be installed...who would have thought? This article is useless. IE7 is a huge leap ahead in terms of security for the "normal" user. Sure people are prone to just click yes, but IE7 will make you click it 3 or 4 times to install something god awful (and in most cases it still won't install it then either). You can only make the loaded gun more safe, but you're still giving stupid (and clueless) people a loaded gun either way.
I looked at the picture and my first thought was that the user simply didn't have a big enough screen.
This issue is a bit more complicated than you think.
Take a look at the final screenshot- aside from the obvious Yahoo! toolbar still being there- the search box still says "My Web Search", additionally the "File" menu seems to be gone.
The author also didn't mention whether IE was able to open new tabs, or continued to crash as it did.
Amusing article, but disappointing he didn't dissect the reset version.
I just felt dirty.
Help me get a new laptop - http://nocreditcard.yourgiftsfree.com/?id=3012
Simply ban users from installing software that's not signed by Microsoft? MS doesn't think that's a bad idea, by the way. Other than that, what's the answer? You cannot have power without also having the power to do damage. I can't give you the power to install any software you want without also making you able to install any harmful software you want.
So sure, MS could increase security by mandating that all apps, addons, etc bore an MS signature but I think then we'd be hearing a huge outcry about how they were locking people out of their OS. In fact I guarantee they'd get sued over it.
You can have it both ways, you can have power, or you can have something protecting you from yourself. How do you want it?
Are the words Microsoft and secure ever used in the same sentence?
Anyone want to take a bet??? Vista will be less "secure" than XP ever was.
"If any question why we died, Tell them because our fathers lied."
I like the screenshot at the top of page 4. http://www.windows-noob.com/review/ie7/part_4.html#part_4
In the Dogpile toolbar the news ticker reads "ABC News had molested children before"
This is for the masses who seem to do nothing more than follow blindly what they read on /.
http://blogs.msdn.com/ie/archive/2006/06/12/628499.aspx
I really need to find a way to make money off of you guys.
There should be a nuke option for Windows in its entirety (at least the registry), along with applications having the ability to export their registry settings into .reg files (although I'd still prefer each having plain old INI files). If Windows gets slow you open all programs you know you need, let them dump their settings in some folder, backup their files if necessary, nuke Windows and load the settings from the dumps. That would make repairing a borked Windows installation much easier (at least one would avoid having the installer copy everything to the hard drive again).
Alternatively, just have every app capable of creating registry dumps and make the setup DVD smart enough to only write files that are changed. Also invent a hashing algorithm that works in constant time (with a small constant) so that checking whether a file is changed is faster than just copying it anyway.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
Indeed, I'm a firefox fan, but it's clear from this that IE7 did perform very impressively in the test. Of course, the problem is that he's testing it with spyware and adware and stuff that were not designed for IE7 (somewhat akin to running windows viruses in Wine...), so it is likely that over time, things will get worse, not better - in which case, the question has to be asked whether Microsoft can keep up the pace of updates.
But for now, this article is a big thumbs up for the MS devs.
Of course this article has Google Advertising, that is keying off the topic and offering all sorts of toolbars and downloadable smilies, and Google Toolbar itself.
It wasn't quite that many but it was close
Just because he reset IE7 which disabled many of the toolbars doesn't mean that his computer was cleaned of the bad guys. He allowed some of these programs to run applications, and he showed us processes running. Once you have a program running outside of IE resetting IE does nothing to ensure you are clean.
I clean computers of these infections day in and day out. Some of the programs he showed us is just nasty nasty stuff. There were so many malicious programs there I cringed every time I saw another added.
Just because the distributor says these aren't malicious doesn't make it so. It is like them telling everyone that these toolbars are worth $30.00. They are stupid fucks. Pardon my french. These guys are completely and utterly bastards trying to take over and control systems. If they can claim you get something for nothing that they value at $30.00 while you allow them to add advertisements to your system, then they or you or both of them are fucking nuts. Again, pardon my french.
I went into a daycare to get a computer that was having ads pop up and when I saw the screen it was filled with porn ads. The machine was heavily infected. It took a lot of dedicated time to rid the computer of it. It wasn't about them putting ads on the computer or even providing easy steps to remove the software. All of this software downloads and installs bad programs in the background. There is no legitimate adware. All adware is malware. No one should read this posting with the thought that these are good solid toolbars from reputable companies. The two that I would say they could keep are the yahoo toolbar and the google toolbar. Every other one should be looked at and be believed to be malware. No MATTER WHAT!!!!!
Just remember that this guy allowed some programs to run as an exe. And he showed running processes. And more than one put entries in the registry to make the computer load the program at start up. All of these are now running or are going to be run outside of IE. It only takes one to create havoc on your computer.
You can lead a man with reason but you can't make him think.
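The point made in the comment above, that programs started from the registry keep running outside IE after a browser reset, can be checked from a registry export. The script below is an added example, not part of the thread or the article: it scans `regedit` export text for autostart entries and for COM-registered IE toolbars and Browser Helper Objects. The registry paths are the standard Windows locations; the sample export and the `ExampleBar` names are constructed.

```python
import re

# Standard Windows/IE registry locations (not taken from the article).
# 32-bit views under Wow6432Node are not covered here.
RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
)
BHO_KEY = r"software\microsoft\windows\currentversion\explorer\browser helper objects"
TOOLBAR_KEY = r"software\microsoft\internet explorer\toolbar"

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping of backslashes and quotes."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse regedit export text into {key_path: {value_name: data}}.

    The default value (@) is stored under the empty name.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        # Only string values are decoded; hex:/dword: data is kept verbatim.
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        current[name] = data
    return keys


def _subpath(key):
    """Drop the hive name and lowercase the rest for comparison."""
    return key.partition("\\")[2].lower()


def _server_for(keys, clsid):
    """Resolve a CLSID to the DLL registered as its in-process COM server."""
    wanted = "clsid\\" + clsid.lower() + "\\inprocserver32"
    for key, values in keys.items():
        if key.lower().endswith(wanted):
            return values.get("")
    return None  # CLSID not present in this export


def audit(text):
    """Return (kind, name, target) tuples for things a browser reset leaves alone."""
    keys = parse_reg(text)
    findings = []
    for key, values in keys.items():
        sub = _subpath(key)
        if sub in RUN_KEYS:
            # Programs launched at logon, independent of IE.
            for name, data in values.items():
                findings.append(("autostart", name, data))
        elif sub.startswith(BHO_KEY + "\\"):
            clsid = key.rsplit("\\", 1)[1]
            findings.append(("bho", clsid, _server_for(keys, clsid)))
        elif sub == TOOLBAR_KEY:
            for name in values:
                if CLSID_RE.fullmatch(name):
                    findings.append(("toolbar", name, _server_for(keys, name)))
    return findings


# Constructed sample export; "ExampleBar" and the CLSID are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleBarUpdater"="\"C:\\Program Files\\ExampleBar\\updater.exe\" /startup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11111111-2222-3333-4444-555555555555}"=hex:00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\ExampleBar\\bar.dll"
"ThreadingModel"="Apartment"
'''

if __name__ == "__main__":
    for kind, name, target in audit(SAMPLE_EXPORT):
        print(f"{kind:9} {name}  ->  {target}")
```

Any entry it reports is something to remove through the vendor's uninstaller or by hand; the files on disk it points to are a separate check.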
One thing on this article made me think: I was wondering if anyone tried this "massive toolbar installation" on FF and tested tabbed browsing to see if it works...
Er Galvão Abbott - IT Consultant and Developer
How would this be any different for an Apple user who is told to enter their root password (and first given instructions on how to enable it). Generically this is called the "dancing bunny", if people really want to see the dancing bunny, they will follow amazing instructions... here install this new bios, ignore that warning, disable the whatever.
The best a good administrator can do is use strong policies and never let a user run as administrator. The home user is pretty much screwed.
After he put a link to the forum post (which is getting slashdotted now as well), I've put a full mirror of the original forum posts, complete with the images on my university servers. Amusing read, especially for seeing just how many users will blindly hit "OK" before getting all this crap.
http://iddl.vt.edu/~jackie/ie7/
Enjoy!
p.s. Any Google ad credit is still his, as I've copied and pasted his code from the original post to help him deal with his huge bandwidth bill coming up. Mine is on the University tab, so I don't need that money, and I have no ad account. Please check the code for a match if you desire. Karma Whoring is not as bad as ad whoring when you've had your account shut down.
The author has permission to link to my copies of the images, or contact me to have me post a proper mirror (of more than just the front page).
I am, and always will be, an idiot. Karma: Coma (mostly effected by
Am I the only one irritated by this?
Yes, you are, troll. Now, go like totally fuck off or whatever...
So, let me get this straight...
The problem with IE6 security is that it allows things to be done without the user's knowledge, and oft times without their agreement.
Now that the user must be complicit in the act, it's still not correct?
Seems a little ludicrous to expect the browser to "know" what good programs are and bad programs are, to automatically possess a will to protect the user, or to impose that will onto a user, and from that point, the only thing you can do is allow the user to make the determination. Would a person who ostensibly uses an OS intended for non-"baffoons" appreciate it if the OS made the determination of what software does and does not belong on their machine, even if it is their intent to install it?
I would appreciate an explanation of what the right tack would be.
The fact of the matter is, that whether or not Windows is targeted at "baffoons" is immaterial, good security is good security, and all good security involves engaging the responsibility of those being secured. That some choose not to accept that responsibility is what takes security and obviates its protection.
You can have an alarm system on your house, rabid watchdogs, a panic room, etc. but if you're going to just invite in any old stranger who walks up into the house, all of that security is precisely meaningless. The same applies to "security" as we've come to understand it in a computing environment.
Did anyone else notice the complete lack of standardisation or uniform feel to the dialogs? How's a user supposed to learn (or be taught) the difference between the confirmation boxes and the warning boxes?
Surely the only real 'content' of this article is that Windows/IE has far, far too many dialogs with different designs, but which mean similar things...
I can't imagine why there should be more than 2 dialogs max, one for confirmation (to prevent accidents) and one warning.
----- I refuse to have an argument with an unarmed person
Wow. Glad to see that things are more "secure" on IE7. Now when I actually want to install software I have to go through a twelve stage process of "are you sure? are you really, really sure? are you sure you're really sure?" screens. The fact remains that anyone who knows what they're doing most likely won't install bad software on their computer. It's good that it comes up with a warning, but if these warnings come up for everything you try to do, people will become accustomed to them and see them as only another annoyance and go ahead and install spyware anyway. This is like the "warning: contents hot" on a coffee cup. People are going to continue to burn their lips on it anyway.
- MS deciding whether I know what I am doing. One warning is understandable, but "Are you really, really, really sure?" gets annoying. That's not added security. If someone ignores one warning, they'll probably ignore all of them (whether they know what they're doing or not).
- The warnings are inconsistent - you get different numbers of warnings from different toolbars. Does that mean that some warnings are voluntary and the toolbar author can bypass them?
- Wouldn't it be better if, for their "toolbar API" or whatever they call it, MS gave the toolbar author a "sandbox" to restrict their activities (like not changing the registry or starting up additional processes)? Then they could make one warning that says "Do you want to install a new toolbar?" And if you click "yes", a toolbar will be installed and that's all.
Just a thought and maybe easier said than done, but as this article shows, you can only protect Joe User so much via "Are you sure?"
Prov 9:8 Do not rebuke mockers or they will hate you; rebuke the wise and they will love you.
Some years ago, in a fit of misplaced boredom, I asked myself "what do all these toolbars in Word do, which no-one ever uses." So I switched them all on ... rearranged a little bit, and ended up with a very artistic "upgrade" of Word to function more-or-less like Edlin did in the Good Old Days. Come to think of it, the program was called LinEd on the Honeywell mainframe last time I used it.
I've got a screenshot somewhere, which confused the children at work, who couldn't see the joke.
Tried doing the same in OO.org - can't get the window more than ~2/3 full of toolbars (without creating custom bars), on a full-screen 1400x1050 window. Be maybe 3/4 full on a wide-format screen.
Pointless. But fun.
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
I can't believe all the people ragging on this guy as if he were a dolt for trying to take something to its silly extreme. Despite anything he might have said to the contrary, it was clearly done in jest. About the only serious test he did was the "reset" to see if he could get IE back to its original state (which seemed to me to be an afterthought). I say Way to go, Mr. Clicks "Yes Install" on Anything Guy. Pop yourself a cold Bud Light and go surf the Peeps Autopsy and Fur Dissection web sites on the 1/2 square inch of browser page you have left.
You really didn't answer my question. Whether or not security is addressed as an a priori forethought or as a response to later realizations of potential real abuses really has no practical effect on the strategy for security for an Internet browser. People will want functionality and usability. It doesn't really matter what level of user you may be, whether a computer know-nothing or a software architect, people use browsers for the same reason. Just because you may be an advanced user doesn't mean that you don't want features.
But we're not even talking about features here, we are talking about user interactivity and control.
My question to you, rephrased, is how do you expect browser security to operate without some level of informed responsibility offload to the user? I don't mean this from an esoteric standpoint, I mean from a material standpoint. Do you expect the browser to take the responsibility off the user for installation of software, even if the user purports to want it? If so, I'd like to hear a strategy for implementation.
Informed consent is the middle ground between a fully non-exceptional lockdown (undesirable) and a fully open system (undesirable). From what I've seen, IE7 is addressing those issues. Where IE6 implemented modest, nearly useless controls on the automatic download of malicious or unwanted code, IE7 uses a system of informed consent to alert users of potential hazards. That some people brainlessly click OK is another discussion entirely. As a software engineer myself, I understand that you have to often make an engineering trade-off decision as to how far to go to bulletproof an application from users before you start introducing usability issues.