Why you shouldn't always listen to security advice

You should update Java. Or uninstall it. Or not completely uninstall it, but disable it. Or not do anything at all because it's not a problem. Whoever's advice you take, the chances are it's wrong.
Written by Michael Lee, Contributor

Computers? The internet? They're dangerous. It's safer not to use them.

If that sort of advice has your hackles up, then take a step back and consider for a moment that, in a way, it's what so many of us have been saying for years.

There's a lot of advice out there on the recent zero-day exploit, which was found in Java 7 Update 10 last week. Oracle thinks that it has solved the problem and that it's okay to run browser plug-ins again; some say that not everything has been patched; others appear to no longer trust Oracle and warn against enabling the browser plug-in, even once updated; and the most extreme call is for Java to be uninstalled completely. Whatever the advice, it seems that everyone says you should do something right now.

While most suggestions are well intended — people are generally offering advice for your own protection — they don't always speak to each individual's circumstances.

Since the news broke, I've fielded messages from readers who have been unaware of the issue and not known what to do. I've even seen a question about whether it matters because they're in a certain country. In all cases, however, my recommendation is that users should carefully consider their own circumstances and act accordingly.

Personally, as much as I think that Oracle will continue to fight a losing battle against hackers hell-bent on finding exploits in Java (and that's probably more to the credit of the hackers), I won't be uninstalling it, but I will disable it in my browser and re-enable it on a case-by-case basis. Java is a piece of software that I require from time to time, and although I am aware of the risks, they're manageable or acceptable.

Part of managing the risk means keeping tabs on any future security issues that might pop up out of the blue, being more than careful with how I browse the web, accepting and considering what might be compromised in an attack, and realising that posting a blog about how I'm approaching the issue could further increase that risk.

It is not the safest route, and it goes slightly against the Department of Homeland Security's advice to disable the plug-in "unless it is absolutely necessary", but the US government (as far as I know) doesn't know me, isn't keeping tabs on me, and doesn't know my exact environment, browsing habits, and mitigating actions. I don't consider myself to be any "better" than anyone else, but the US government's advice doesn't strictly apply to me because I simply have a different set of circumstances.

Likewise, it's impossible for me to recommend that anyone follow my own example, as each and every person has their own unique circumstances where keeping or not keeping Java in some form or another will be best for them. To tell people that they should do one thing or another would be like forcing Vegemite on everyone else, just because that happened to be what I had put on my toast and didn't result in me dying (yet).

The bottom line is, no one can tell you how you should or shouldn't secure yourself, because no one knows your environment the way you do. There are vulnerabilities in every operating system known to man, but no one tells you not to run one — that would be impossible.

In that same vein of thought, we can't prescribe security to people without knowing what they do, how they manage the risks, or if they are prepared to accept them. Otherwise, we might as well go the full hog and tell them that not using a computer is the safest option. And that's just offensive.