Why you shouldn't always listen to security advice

Summary: You should update Java. Or uninstall it. Or not completely uninstall it, but disable it. Or not do anything at all because it's not a problem. Whoever's advice you take, the chances are it's wrong.

Computers? The internet? They're dangerous. It's safer not to use them.

If that sort of advice has your hackles up, then take a step back and consider for a moment that, in a way, it's what so many of us have been saying for years.

There's a lot of advice out there on the recent zero-day exploit, which was found in Java 7 Update 10 last week. Oracle thinks that it has solved the problem and that it's okay to run browser plug-ins again; some say that not everything has been patched; others appear to no longer trust Oracle and warn against enabling the browser plug-in, even once updated; and the most extreme call is for Java to be uninstalled completely. Whatever the advice, it seems that everyone says you should do something right now.

While most suggestions are well intended — people are generally offering advice for your own protection — they don't always speak to each individual's circumstances.

Since the news broke, I've fielded messages from readers who have been unaware of the issue and not known what to do. I've even seen a question about whether it matters because they're in a certain country. In all cases, however, my recommendation is that users should carefully consider their own circumstances and act accordingly.

Personally, as much as I think that Oracle will continue to fight a losing battle against hackers hell-bent on finding exploits in Java (and that's probably more to the credit of the hackers), I won't be uninstalling it, but I will disable it in my browser and re-enable it on a case-by-case basis. Java is a piece of software that I require from time to time, and despite being aware of the risks, they're manageable or acceptable.

Part of managing the risk means keeping tabs on any future security issues that might pop up out of the blue, being more than careful with how I browse the web, accepting and considering what might be compromised in an attack, and realising that posting a blog about how I'm approaching the issue could further increase that risk.

It is not the safest route, and it goes slightly against the Department of Homeland Security's advice to disable the plug-in "unless it is absolutely necessary", but the US government (as far as I know) doesn't know me, isn't keeping tabs on me, and doesn't know my exact environment, browsing habits, and mitigating actions. I don't consider myself to be any "better" than anyone else, but the US government's advice doesn't strictly apply to me because I simply have a different set of circumstances.

Likewise, it's impossible for me to recommend that anyone follow my own example, as each and every person has their own unique circumstances where keeping or not keeping Java in some form or another will be best for them. To tell people that they should do one thing or another would be like forcing Vegemite on everyone else, just because that happened to be what I had put on my toast and didn't result in me dying (yet).

The bottom line is, no one can tell you how you should or shouldn't secure yourself, because no one knows your environment the way you do. There are vulnerabilities in every operating system known to man, but no one tells you not to run one — that would be impossible.

In that same vein of thought, we can't prescribe security to people without knowing what they do, how they manage the risks, or if they are prepared to accept them. Otherwise, we might as well go the full hog and tell them that not using a computer is the safest option. And that's just offensive.

About

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
