So I never expected myself to do a 180 on this one, but .
Viruses, malware, etc. come in one of two forms:

1) Involuntary exploits. Something that takes advantage of system vulnerabilities. Every system everywhere is susceptible to this sort of attack.

2) Voluntary exploits. Something that tricks users into running something voluntarily, that they didn't know would be harmful.

The countermeasures of #1 are clear, and frequently effective, but not always:

- Run antivirus.
- Do automatic updates.
- Keep your firewall on.
- Stay away from dirty places (porn, hacking sites, pirated content, etc.)

The countermeasures of #2 are the point of interest in this message. Presently, when people are prompted by webex, flash, adobe, java, and all various legitimate things they encounter day to day . They see legitimate things so often, they just get in the habit of always clicking Yes, and trusting everything.

Enter ClickOnce. Bypass the prompts for confirmation and elevation, as long as the app is signed and conforms to certain restrictions. Google, webex, flash, adobe, sun . should all be able to run without any prompting. App signing is cheap ($200/yr from GoDaddy) or free from certain locations. Nearly all apps, including freeware, should be able to meet those requirements.

So why wouldn't a "bad guy" just sign their apps and bypass the prompts? Surely sometimes they will, but the process requires providing verifiable personal information. So I don't think any significant number of people will release illegal or really bad stuff that way. I think the worst signed apps will be fully legal, and easily uninstallable, although they may be annoying, like popup ads and junk like that.

If this becomes popular, people can start getting in the habit of always clicking "No" when they are prompted for elevation and stuff like that.

The next thing I would love to see would be a trusted authority, linked to the app signature, which has reviewed the signed app, and provides some sort of description of what it really does.
_______________________________________________
Discuss mailing list
Discuss@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/