FARR not a commonly downloaded program?

[db90h]

I wonder if certificate signing really is the solution, do we have any definitive knowledge that it is? If so, I understand the intention, but really don't agree with the methodology. As the recent rash of compromised CAs has shown, this is hardly an effective security measure. What good is "trust" when the trusted parties don't care enough to implement proper security on their trust-granting systems?!

-JavaJones (October 16, 2011, 12:32 PM)

Indeed, the mere presence of a valid cert signed by a trusted CA does not mean squat. What happens is that the security companies rate known certificates as 'not risky', 'risky', or somewhere in between. Not having a valid certificate at all prevents them from doing so, making the executable inherently more risky, since the author can not be ascertained - what IE was trying to inform the user of.

This is a totally different issue than the False Positive Report supports, and I was not happy to see our Twitter account had retweeted this. I expressed that this was not to be a part of our mission. I did so because we support Microsoft and all other security companies, and I have developed a fragile working relationship with them. This moves us one step farther from what we want. We also feel this is outside the realm of what The False Positive Report should address. http://falsepositivereport.org

[db90h]

Since many don't understand this issue, let me explain more thoroughly.

I worked for a security company for years. This debate went on for years. Some wanted to disallow ALL UNSIGNED EXEs... As they did with Vista+ x64 drivers. However, some of us, including me, fought to make it so unsigned EXEs could be run. Of course, backwards compatibility also strongly encouraged this. So, consider yourselves lucky Microsoft didn't decide to put even stronger warnings on unsigned EXEs, or disallow them to be run at all, especially for 64-bit code, where new code had to built anyway (reducing the complications of backwards compatibility).

This change happened in Vista, where, if you never noticed, the UAC elevation prompt for unsigned EXEs has a much more ominous warning than a signed EXE.

The cost last I checked was (always going down) $80 a YEAR. That is $6.66 a month. So, eat one or two less cheeseburgers a month. Even enthusiasts can afford that. The cost of electricity to build the software is probably higher than that. If the cost was $1000 a year, my stance would be different - and so would Microsoft's.

Us engineers are ALWAYS trying to protect the 'small guy' against the 'big business'. Yet, these sort of criticisms come, and it is the malware authors you should blame -- not anyone else.

There is a cost to doing almost anything, and this is one additional (small) cost of publishing software. If you don't want to pay this 'fee', then you can publish unsigned EXEs and tell your users to ignore the security warnings, explaining why.

Now, I've helped you understand why this is so. Do you understand? The malware problem mandated it, and you are lucky the warning isn't worse, and that your code runs at all. As I've said, throughout history, the 'bad guys' come in and force legitimate businesses (or hobbyists) to incur additional overhead in order to prove their trustworthiness. As explained above, the mere presence of a cert doesn't mean much, it is the history of that cert that ends up counting. All security vendors track how good of a history your cert has shown. That is how things are done now, and why unsigned EXEs are potentially inherently more risky.

I do not mean to offend, but you are about 5 years behind the times on this 'debate' ... The debate is long over, and there is no changing things now. I know many here want a world where everything is free. Well, that isn't the utopia we live in. I wish it were. But it isn't. You aren't going to force Microsoft to change a policy they debated for years because you can not afford a cert (hard to believe if you can afford hosting, but.. whatever).

Now, I've helped you get up to speed on things. Don't take your anger, if there is any, out on the messenger.

[wraith808]

Now, I've helped you understand why this is so. Do you understand?

-db90h (October 31, 2011, 08:16 PM)

Nope.  Sorry, we won't see eye-to-eye on this.  If malware mandated it, and they really wanted to enforce this, then the cost should be free.  So many other things are.  And though I like to make software, I'm not footing the bill for an entrance into their glass house.  Sounds a lot like the criticisms against developing apps for Apple to me; that they pay to let you on the platform.  There are other ways that they could have phrased it, and there are other ways that they could have set it up so that the user *knew* that this wasn't necessarily a negative warning.  But the design of the dialog is made to look like a malware dialog.  And that's not cool.

[db90h]

I am just stating how things ARE. I am also saying this is a battle that I can not win! Therefore, I can not fight it ;o Pick your battles, etc..

If it WERE up to me, the warning would be less severe, so I do agree with you on that. But, reversing the decisions of a massive corporation that debated this issue for years...?? Can't do it. It would also alienate them from being involved in the FPR project. Lastly, these certificates must be validated, so they do cost money to 'produce'. You have to submit all sorts of documentation and such. So, hard to make them free.

I consider the cost affordable for anyone who can afford to live.. I mean, that's a few fast food meals, or a dinner out. MANY (if not MOST) industries have some sort of barrier to entrance. Some certification, license, etc..

[db90h]

...

[wraith808]

I consider the cost affordable for anyone who can afford to live.. I mean, that's a few fast food meals, or a dinner out. MANY (if not MOST) industries have some sort of barrier to entrance. Some certification, license, etc..

-db90h (October 31, 2011, 09:44 PM)

This isn't an industry.  An industry implies that you will make money off of it.  The only comparable thing I can see are fishing licenses, since they have commercial and non-commercial licenses.  Non-commercial fishing licenses are $15 in most municipalities for a multi-year license in a lot of cases.  There should be a non-commercial license that is either free or very low cost.  And truthfully, I already give time and money to work on free software.  But I get something for that rather than a nebulous cost that I have to foot yearly.

And don't get me wrong, I'm not blaming you, nor saying your site should fight such battles.  But I am saying it's not right- not even a little.