Like most of you, I received a notice to update Java on my laptop yesterday. It seems like it has become a weekly occurrence. In fact, Java has taken the place of Flash as the primary attack vector used by the bad guys. So, I dutifully clicked the "update now" button. I sat through the download, the extraction and the installer firing up. I was clicking through when I came to the screen below. Luckily, though tired, I was not yet asleep.
How many of you would have caught this? If you don't uncheck the box the good folks at Oracle will sell your soul to Ask.com. Ask.com becomes both your default search engine and your default start page.
What kind of nonsense is this? I expect this kind of stuff when I am installing some shareware utility or program from some small mom-and-pop software publisher looking to stay in business. But Oracle doing it with Java, which is on like 4 billion devices? Is Oracle really that hard up for the money that they would stoop this low?
I understand that Ask.com has been through the search wars and come out the other side as a bit player that has to resort to whatever it can to keep market share. Whoever made the business development deal to bring in Oracle and Java deserves a raise. I would love to see how many new subscribers Ask.com gets through its Java package. I would imagine the number has to be in the millions.
If I were Oracle, I would think I have enough problems with Java security without sneaking what some consider adware onto millions of machines. It cheapens their brand and gives us yet another reason to just tell people to remove Java from their computers altogether.
For those of you who say "what's the big deal? You just have to uncheck the box," think about non-IT people. Your aunt, cousin or neighbor who fires up their computer at home and gets the Java update message. Do you think they are going to unclick the box? Do you think they are going to go against the recommendation from Java and Oracle? As I say, I think the number is pretty high.
In fact, I have seen Ask.com and other programs that do similar stealthy installs far too often. The fact is Ask.com is one of the easier ones to remove if you happen to click through the install without being careful. Other programs are even harder to detect and remove. I wish software publishers would just stop this practice altogether.
But of course this won't happen unless people vote with their pocketbooks against companies that practice this kind of sneaky behavior. Oracle would be a good place to start, I think. Until Oracle stops trying to sneak in software we didn't ask for, we should stop using the software. It could just make us all safer anyway.
How about it? Can we at least create enough social media buzz to get Larry's attention? I know he is busy getting ready to defend the America's Cup, but can he cut Ask.com out of the Java install? It starts with you. If you agree with this, tweet to @java and ask them to remove Ask.com.
They might be a bit busy right now closing the next hole in Java, but before we have to install the update, maybe they can drop the adware.
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from startup to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.