Sep 17

Crowd sourcing security and permissions; IE9’s baby steps

Security, Tech

The Web lives in a sandbox. An important one. It means that you can click around on links and “feel” safe (that is, until you go to a talk by Jeremiah Grossman).

On your desktop, however, you have a binary situation. You either run some code that can do pretty much anything (ignoring file permissions, virtualization, etc.) or you don’t run that code.

One of the dialogs that I dislike is from OS X when you “download something from the Internet”:

[Image: internet permission]

I would love to see the stats that Apple may have on how people react to this. I can imagine a scenario where something has mistakenly been downloaded and run, but I would guess that 99% of the time a user goes through the following:

  • Click on something to download an app
  • Run the app, because I wanted to, hence me clicking on it
  • I have no information here…. so I think I will just click yes!

Some will yell, “think of the children!” and that if this popup has stopped ONE virus or malware from getting through, it is worth the pain for the other millions of up pops.

Surely we can do better. Of all of the features in the IE9 beta, one that may not shout out at you as much as fancy fast chess or goldfish bowls is how they manage this situation.

In Dean’s whirlwind keynote presentation (very nicely produced!) he showed a feature where clicking on a particular .exe wouldn’t alert the user based on crowd data. Basically, if enough people have used foo.exe and it is trusted, it can Just Get Through.

The virus scanning world is doing a lot of this on the backend. Places with scale can monitor the crowd and do a lot more than we have done so far, and I can’t wait to see what comes of this.

We have talked about social permissions before. It will be great when I can see that Jeremiah Grossman is using a particular application for example ;) I look forward to a way out of app permissions hell.

7 Responses to “Crowd sourcing security and permissions; IE9’s baby steps”

  1. Jesus Says:

    So if enough people have run foovirus.exe it will have a free pass for everyone else, considering it’s not detectable by scanning? Sounds dangerous.

  2. Jan Says:

    I think the new security model is an interesting idea, but do you really trust other people to make security decisions for you? Those are the people that forwarded all these other trojans to you.

  3. Heiko Says:

    @Jesus especially as virus writers will find a way to submit millions of “foovirus.exe is safe to open” messages to the crowd (or is it cloud?)

  4. Sam Says:

    I think they are protecting a different threat vector. It is very easy to get someone to download something with the way browsers work. That thing gets indexed in Spotlight. It might be named similarly to another program that you run often. This would in some cases get you to execute something that you shouldn’t without much trouble. For example, you could name it Mail or Safari and it would rank quite high in search. Just speculation but I am ok with it asking me. Collaboration doesn’t help this case because a fast spreading virus or malware by definition would have been installed by your friends and others.

  5. Nikita Vasilyev Says:

    By the way, any idea how to disable that annoying OS X dialog?

  6. Chris Messina Says:

    I designed something like this for Twitter apps awhile back:


  7. Jake Says:

    Some will yell, “think of the children!” and that if this popup has stopped ONE virus or malware from getting through, it is worth the pain for the other millions of up pops.

    I think if there’s anything we learned from Vista, it’s that the pain of millions of popups should not be underestimated. And if you put too many unimportant popups out there, by the time an important one comes up the user will be desensitized into just clicking “Allow”.
