Windows users, don’t let your guard down

The problem with relying on software tools to keep you safe is that a user with administrative privileges and a little knowledge (which, as everyone knows, is a dangerous thing) can defeat or disable those tools. Two examples of this phenomenon appeared this week.

As I’ve mentioned before, I currently am using Microsoft Windows OneCare Live, an all-in-one security suite that’s in beta release right now. On several occasions, I’ve disabled the firewall to troubleshoot problems with my network connection. Whenever I do that, OneCare prompts me to send a quick note to Microsoft explaining why I turned off this essential protection.

Apparently, lots of people have been dutifully filling in that form. Over at the Windows OneCare Team Blog, Microsoft summarizes the results from those submissions:

Based on our investigation, there are four primary reasons people are turning off their firewall.

  1. Do not think a software firewall is necessary
  2. Do not like the (sometimes incessant) pop-up dialogs
  3. An application failed to install with firewall turned on
  4. An application fails to work with firewall turned on

The entire discussion is worth reading, along with the comments. This is one case where I think “nag” dialogs are essential. In fact, I think one commenter’s suggestion of an option to temporarily disable the firewall for a specified period of time (automatically re-enabling it after the time is up) is a good one.

Example #2 comes from George Ou, who reports that Skype 2.0 looks like a virus. The problem? A bug in the latest version of Skype triggers a Data Execution Prevention warning. The most likely reason is that a chunk of memory that contains executable code isn’t properly marked. In that situation, DEP (which uses a setting in the OS in combination with the CPU itself) views this as a potential attack and blocks execution of the code.

DEP is an excellent first line of defense against buffer overflow attacks and other security vulnerabilities. But in this case what’s likely to happen is that the user, because they want Skype to work right now, is going to configure the program as an exception and turn off the warnings. In fact, that’s exactly what Skype recommends on its support pages.

If that happens often enough, it leaves a gaping security hole. The better approach? Skype users should insist that the company fix its code so that it doesn’t load executable code in segments marked as data only.

Those warnings exist for a reason. Turning off the alarm bell doesn’t make the problem go away.
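A DEP exception stays in place long after the prompt is dismissed, so it is worth checking which programs on a machine have been exempted. The following PowerShell audit is an added example, not part of the original post: it reports the system-wide DEP policy and lists per-program exceptions. It assumes exceptions are recorded as `DisableNX...` values under the `AppCompatFlags\Layers` registry key; verify that location on your Windows version.

```powershell
# Added example: report the DEP policy and any per-program DEP exceptions.
# Run from an elevated PowerShell prompt on the machine being audited.

# Meaning of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy

[pscustomobject]@{
    HardwareDepAvailable = $os.DataExecutionPrevention_Available
    Policy               = $policyNames[$policy]
    AppliesTo32BitApps   = $os.DataExecutionPrevention_32BitApplications
    AppliesToDrivers     = $os.DataExecutionPrevention_Drivers
} | Format-List

if ($policy -eq 0) {
    Write-Warning 'DEP is switched off system-wide (AlwaysOff).'
}

# Assumption: per-program exceptions are stored here, one value per executable
# path, with data containing a DisableNX flag (for example DisableNXShowUI).
$layersKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$exceptions = @()

if (Test-Path $layersKey) {
    $key = Get-Item $layersKey
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($data -match 'DisableNX') {
            $exceptions += [pscustomobject]@{
                Program        = $name
                Flags          = $data
                StillInstalled = Test-Path -LiteralPath $name
            }
        }
    }
}

if ($exceptions.Count -eq 0) {
    'No per-program DEP exceptions found.'
} else {
    Write-Warning "$($exceptions.Count) program(s) are exempt from DEP:"
    $exceptions | Format-Table -AutoSize
}
```

An entry whose `StillInstalled` column is `False` is a leftover exception for a program that is no longer at that path and can be removed.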

2 thoughts on “Windows users, don’t let your guard down”

  1. My wife absolutely hates a firewall on her machine. In fact, she disables it every time she turns her PC on. sigh The nagging of programs wanting access is what drives her nuts.

  2. i think instead of “insisting” on skype fixing its code it’s about time someone jumped on microsoft’s ass — the idea of a personal firewall is ridiculous, and is necessary because of sloppy code on the part of microsoft. DEP is even more hilarious to me, microsoft code is so sloppy, and so entrenched that intel had to step in. i can’t believe the idea that windows is so inherently insecure it demanded a change at the hardware level, i’m waiting to see what vista will bring, the ctp have shown an even more draconian idea of asking the user what to run or not. it seems like in lieu of secure and solid code, microsoft just asks the user whether or not to run any piece of executable code, thereby absolving themselves of any responsibility….. thanks again microsoft os level browser integration was a great idea
