Re: Opinions: Warn about online registration checks?




JT wrote:
> I'm just playing devil's advocate. I'm sure you don't trust emails
> saying that you've won the Uganda lottery and all you have to do is
> pay a processing fee. Is it any safer to trust software that says,
> "Now I'm going to check our online database." when it could very
> easily then extract sensitive information from your PC and send it to
> the database instead?

It was not at all clear from your post that you were describing a situation like that.

It's true, you can make your application say anything you want, and then whatever you want. But I thought we were discussing reasonable behavior here, things you might actually implement.

The fact that I _could_ lie to people doesn't stop me from making statements to people that they can trust to be true. Likewise, just because your application _could_ be badly behaved is no reason to avoid having it be well-behaved.

> I just think that having a message box
> indicating what you're intending to do gives the user a false sense of
> security. I'm not saying you shouldn't do that anyway. I just don't
> know what good it really does.

First, the fact that you _could_ do something other than what you say you are going to do should be irrelevant. It is always possible to lie. Good software doesn't, and if you've established trust with your user, the fact that you _could_ be lying doesn't matter, as long as you _aren't_ lying. Of course, part of establishing trust with your user is being explicit about what you're doing and doing only what the user asks you to do.

That said, you seem to be focusing on one narrow part of why it's important to ask the user before using the network, if using the network is not an implicit part of your application's operation. Yes, it's a potential security and privacy issue that the user should be in control of.

But also, the mere act of accessing the network can sometimes have unintended effects. One example is a computer that is using dial-up networking. Simply by making an attempt to use the network, Windows will by default pop up a connect dialog. Yes, the user can cancel that, and your network i/o will fail (and hopefully you handle that gracefully). But it's an annoyance to the user to have to go through that every single time they try to run your application.

The point isn't just to let the user know what you're doing. It's to give the user _control_ over what you're doing. Good software doesn't surprise the user, and it doesn't do things that the user hasn't asked it to do.

Only if the user explicitly does something that requires the network should you use the network. That puts control in the user's hands. I would extend this to say that you shouldn't even be asking the user if it's okay; you shouldn't be trying at all, unless the user has explicitly done something that requires network access.

So, if the user tries to use a feature that requires registration, verify with the user that they want to try to access the registration database. If the user chooses a menu command that explicitly says to access the registration database, obviously no prompt is necessary. But do not automatically try to access the registration database just for the sake of accessing it, not even by prompting the user first.

> I'm sorry if you think that this is a one-to-one conversation.

I have no idea what you mean by that.

Pete