Annotate Expert - Potential for Harm

sfbillm

Santa Fe, US
870 posts

sfbillm Silver Member Nikonian since 15th Jun 2004
Mon 05-Apr-10 06:28 PM

As someone famously said, "I have a bad feeling about this."

(Please note: My comments are based on the information available here about AE, not from experience on my system. I have not and will not allow this program to dl and install itself on my computer.)

I feel very strongly that this software has been written using some very bad practices, ones which will cause users serious problems and compromise their systems' security.

1. The install procedure compromises security. AE does not allow the almost universal method of dl and install: Dl a file to a location of your choice on your computer, and then run it to install. This is done w.o having to change the security settings on your computer, with the possible exception of disabling automatic virus checking during the install itself. No changes in IE security settings are required.
AE, OTOH, requires permanent changes to IE security that seriously degrade a system's security when it is connected to the Internet.
a. Install method one requires that Nikonians be added to one's trusted sites list. While I don't question that Nikonians can be trusted, that setting should be reserved for sites that are verified secure (https). Nikonians is an http site, not https. By adding an http site to the trusted sites zone, you increase the chance that a spoof (making a malicious site look like a trusted one) could put malware on your system.
I realize that the instruction says to do this only temporarily, during the install. But, if Nikonians has to be in trusted sites for the dl to work, how can the automatic update function if Nikonians is removed?
b. Install method two is even more problematic, as it depends on disabling Authenticode verification.
Here's what Microsoft says about this:
From IE help:
"Authenticode technology checks to see if the program has a valid certificate, that the identity of the software publisher matches the certificate, and that the certificate is still valid. Note that this does not prevent a poorly written program from being downloaded or run on your computer, but it helps reduce the chance of someone misrepresenting a program that is intended to be malicious or intentionally harmful."
From MS Support:
"Important These steps may increase your security risk. These steps may also make the computer or the network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you decide to implement this process, take any appropriate additional steps to help protect the system. We recommend that you use this process only if you really require this process."
Again, the implication is that this change must be permanent if automatic updates to AE are to work. I believe this to be quite simply an unacceptable risk.

2. The idea of automatic updates over which the user has no control or choice in their install is unacceptable.
Sooner or later, there will be an update that causes problems. Almost every sw vendor that I've had experience with, large and small, has at some time issued an update they shouldn't have.
If the user has the options of when and whether an update is installed, then (as some of us do), we can wait a few days after an update is available to see if it works. Not to allow this runs a great risk that at some point some serious damage will be done to users' systems by a flawed update.

3. AE is installed in a folder that users normally don't have access to.
I believe this is bad practice also. This would seem to indicate that the folder is in some basic way different from a normal Windows folder. (Else why couldn't a reasonably savvy Windows user get access to it?)
If so, this raises questions about whether other Windows operations would have difficulties when they try to access the folder. What of disk defragmentation programs that try to move files? What about backup programs - will they have access? Will such a folder impact the integrity of the Windows file system? What will happen with various disk checking/repair programs?
Finally there's a philosophical issue for me: If it's on my disk, I want to be able to get to it if for some reason I believe I need to. I'm more than irritated by programmers that think I'm too inexperienced (dumb?) to know what to change and what to leave alone.


SantaFeBill
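
An added example, not part of the original post and not code from Nikonians or Microsoft: a PowerShell audit that lists sites mapped into the IE Trusted sites zone over anything other than https, plus an Authenticode check for an installer that was downloaded to disk first. The function names and the installer path are hypothetical; the registry locations are the standard Internet Explorer ZoneMap keys.

```powershell
# Added example: audit Trusted sites entries and check an installer's signature.
# Standard IE zone-map locations (per-user and machine-wide).
$ZoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)
$TrustedZone = 2   # 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted

function Get-TrustedSiteEntry {          # hypothetical helper name
    foreach ($root in $ZoneMapRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            # Each value name is a scheme (http, https, *); its data is the zone number.
            foreach ($scheme in $key.GetValueNames()) {
                if ($key.GetValue($scheme) -ne $TrustedZone) { continue }
                # Subkeys run parent domain first, then host: example.org\www
                $parts = @((($key.Name -split '\\ZoneMap\\Domains\\', 2)[1]) -split '\\')
                [array]::Reverse($parts)
                [pscustomobject]@{
                    Site      = $parts -join '.'
                    Scheme    = $scheme
                    Hive      = $key.Name.Split('\')[0]
                    # '*' covers every scheme, so it also trusts plain http
                    Cleartext = ($scheme -ne 'https')
                }
            }
        }
    }
}

function Test-InstallerSignature {       # hypothetical helper name
    param([Parameter(Mandatory)][string]$File)
    $sig = Get-AuthenticodeSignature -FilePath $File
    [pscustomobject]@{
        File    = $File
        Status  = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
        Signer  = $sig.SignerCertificate.Subject    # empty when the file is unsigned
        Trusted = ($sig.Status -eq 'Valid')
    }
}

# Trusted sites entries reachable without TLS are the ones worth reviewing or removing.
Get-TrustedSiteEntry | Where-Object Cleartext | Format-Table Site, Scheme, Hive

# Placeholder path: point this at the installer you saved to disk before running it.
# Test-InstallerSignature -File 'C:\Downloads\setup-placeholder.exe'
```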
