Security failures: How not to install software (rant)

Recently I needed to install an Eclipse IDE on my dev system. The proposed way (it’s for openhab) is to
use the Eclipse Installer, since I hadn’t used it before it seemed quite interesting. And indeed it is! Eclipse installations on Windows are unfortunately quite unnerving… Unzipping packages and moving them around is something I really don’t enjoy, so using an installer seems pretty nice.

The first thing I noticed is it’s ability to install itself for later use (good idea!), the second was it behaves like most programmes (e.g. Chrome, Adobe Reader,..) and simply puts itself in a path which doesn’t require the UAC (e.g. my user folder). BAD!

What’s the use of acls on paths when every developer simply uses other paths… Really guys.

But you could’ve guessed, it got worse. After choosing my required IDE style (Java something) it started to download a whole bunch of jar files (nothing expected I suppose). Since this takes some time, I browsed through the web some more, yet after a while I checked the progress and saw the really bad stuff.

Cybersecurity war… it’s all over the news and devs are easily installing excutable software over http? Are we all that stupid?

Yet I guess when I can do things like this:

docker installer

nodejs install

It is really no wonder we get things like this Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store