
Am I right or wrong to be alarmed at this tech support advice?


alicep

IS-IT--Management
Jul 4, 2000
75
US
I had difficulty accessing a tech support web portal for a product we use. They have updated the webportal for the maintenance agreement and I couldn't log on. I was getting an error about XP not being able to install certificate from "unknown publisher". I emailed their support and this is the response I rec'd from their tech support:

"We see that you are receiving an error "unknown publisher" when you try to install the pki certificate.
Please use the below steps:-
Open Internet Explorer
Click on Tools
Click on Internet Options
Click on the Security Tab
Click on Custom Level button
Scroll down to Download unsigned ActiveX controls
Choose enable under it.
Click on OK
Then click on “Yes” and
Click on OK."
They went on with instructions for manually installing the certificate they attached to the email message.

From a technical standpoint, enabling ActiveX as they suggest is not a safe thing to do. What I did do was put their webportal in my Internet Explorer Trusted Sites.

But, I think they are lacking ethics when they suggest I do something unsafe just to make their webportal work. Were they being lazy and leaving off the steps to add their web site address to trusted sites? Or, do they really not care that they suggest I open up my system to all ActiveX controls?

I intend to respond back to them about this. I am probably not the only person they have given this solution to and I doubt I am the only one questioning whether it is a secure action to take.

I am just wondering if other people would complain to them or just let it go. Thanks for reading and feedback. Alice
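The difference between the support email's zone-wide switch and a per-site Trusted Sites entry can be checked in the registry. The PowerShell below is an added example, not part of the original thread or the vendor's instructions; it assumes the standard per-user Internet Explorer zone layout (URL action 1004 is "Download unsigned ActiveX controls"), and `example.com` / `support` are placeholder names.

```powershell
# Added example: audit URL action 1004 ("Download unsigned ActiveX controls").
# Zone keys: 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.
# Values:    0 Enable, 1 Prompt, 3 Disable.
$settings  = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policy    = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-UnsignedActiveXSetting {
    # Reports the per-user value and any Group Policy override for each zone.
    foreach ($root in "HKCU:\$settings", "HKCU:\$policy", "HKLM:\$policy") {
        foreach ($zone in 1..4) {
            $props = Get-ItemProperty -Path "$root\Zones\$zone" -ErrorAction SilentlyContinue
            if ($null -eq $props -or $null -eq $props.'1004') { continue }
            $value = [int]$props.'1004'
            # Flag = enabled for the Internet or Restricted zone, i.e. for sites nobody vetted.
            $flag = ($value -eq 0 -and $zone -ge 3)
            New-Object PSObject -Property @{
                Source  = $root
                Zone    = $zoneNames[$zone]
                Setting = $meaning[$value]
                Flag    = $flag
            }
        }
    }
}

function Reset-UnsignedActiveX {
    # Puts a zone (default: Internet) back to Disable after a one-off install.
    param([int]$Zone = 3)
    Set-ItemProperty -Path "HKCU:\$settings\Zones\$Zone" -Name '1004' -Value 3 -Type DWord
}

function Add-TrustedSite {
    # Maps https://<HostName>.<Domain> to zone 2, so only that site gets Trusted-zone settings.
    param([string]$Domain, [string]$HostName)
    $key = "HKCU:\$settings\ZoneMap\Domains\$Domain\$HostName"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'https' -Value 2 -Type DWord
}

Get-UnsignedActiveXSetting | Format-Table Source, Zone, Setting, Flag -AutoSize
# Reset-UnsignedActiveX                                      # Internet zone back to Disable
# Add-TrustedSite -Domain 'example.com' -HostName 'support'  # placeholder portal host
```

A row with `Flag` set to True means unsigned controls download without a prompt from any site in that zone; values under the policy keys override the per-user ones.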




 
Internet Explorer and Windows ship with a default set of Root certificates. Any website which can trace its certificate back to one of these Root providers will work in your browser without any problems.

However, there are other sellers of Root certificates, as well as Root certificates which are new or updated since Windows came out.

What you can do is examine the certificate when your browser prompts you & you can decide if you trust them.

Be cautious of self-issued certificates, and certs that come from places like Romania. But if they're legit, there's probably nothing to worry about.

Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
 
If I blindly followed the tech support's advice to enable unsigned ActiveX, I would never be prompted at ANY website. I think that is where I am having an issue with the advice they gave. They fixed their web portal's problem, but opened my computer up to other (possibly malicious) websites in the process.
 
couldn't you just add it to your trusted sites list and then you just wouldn't be prompted for that set of webpages?
 
That is what I did, but only because I knew their advice wasn't a good solution.
 
that's tech support for ya....

it wasn't the best solution but it was the simplest from his point of view
 
Yep, and by saying that he's probably creating more zombie computers every day.

ActiveX is the worst invention in a long line of Windows security defects. As long as Windows has it, it cannot be secure.

Pascal.
 
I agree that it wasn't the smartest resolution. Most likely though this tech support receives questions from very non-technical users and when they gave instructions that seemed a little more complicated, the users balked and couldn't understand what they were doing.
So most likely you received a response from a jaded tech support and got the half-thought answer response.
 
Perhaps you should contact the support/quality manager for that software company and suggest a more secure response for such a situation (that I'm sure they see a lot)
 
Why didn't you call them back and suggest it to them why you think there's a safer solution? It would be a big help to this techsupport person and future clients don't you think? In everyday techsupport, there's a lot of "trial and error" and "live and learn" scenarios because the clients expect an instant answer when they ask. This techsupport person you've talked to may not have as much expertise experience and it would be a great help for you to demonstrate a better solution to them so they can benefit from you as well.

To me, this post is like laughing behind someone's back for not coming up with the best solution - yet a solution it is.

Problem fixed, next...
 
dennisbbb - I don't think anything in my posts suggest I am laughing at them. Quite the opposite from laughter. I am alarmed at what they are offering up to their customers as solutions. This was an email support case, so I was not on the phone expecting an instant answer. It was 3 business days turnaround time for the email reply to come.

I think I will follow Auger282's advice and see if I can find out how to contact a quality manager since the issue likely starts at a level above the front line tech.



 
Whether it was good advice or not, I don't see any ethics question here.
 
The fault I see in the email is forgetting to mention: DISABLE "Download unsigned ActiveX controls" once you are done with installing the script.

The ethics question arises when Tech Support intentionally gives potentially dangerous instructions such as "format c: /x /q"

Anything else is a solution opened for suggestion and comments by the client.
 
Wouldn't it be an ethical question only if they intentionally gave you bad advice?

There is no way to know if they gave the advice in email or otherwise to specifically do harm or knowing it could do harm and not saying anything.

Regards,
Chuck
 
cspillman. I guess that is true, I have no way to know if they were intentionally leaving off the more secure (but lengthier) solution of either using trusted sites or resetting the switch back to prompt/disable. I guess it is more of a quality issue than ethics and I hope to address that with a quality manager at that business.
 
It seems at face value, that it might be more of a negligence issue than ethical problem... but that's just my take on it.

Regards,
Chuck
 
no, it is an ethical issue. They took money off you, the customer, offering themselves as professionals with a certain level of technical support. You had a right to expect the support to be professionally safe. They then suggested something that is not safe. This means that either they put themselves forward as technically expert when they weren't, or (more likely) they gave advice they knew to be unsafe, without warning you (because they assumed you were too daft to carry out the better procedure).

It's analogous to a pharmacist telling you to stop taking the antimalarials (because they make you feel sick) without warning you that you are now vulnerable to malaria.
 
But aren't you talking about ethics vs responsibility?

Yes, they are responsible for giving the best technical advice and in this case, obviously fell quite short of that, but that still doesn't definitively point to an ethics issue, does it?

Am I saying that responsibility is not tied to ethics? No. But in this case, it is not entirely clear if this was more of an ethics problem, IMO.

Regards,
Chuck
 
The difference is whether they intended to defraud the customer. Not everyone who gives a wrong answer is unethical.

Perhaps they didn't give the best advice, but was it absolutely wrong? Where is it written in law or engineering standards how IE must be configured? It's a matter of opinion. Professions, such as medicine and law, have standards regarding the presentation of opinions. Computer tech support doesn't.
 
The difference is whether they intended to defraud the customer.

There is no way to know they intended to defraud the customer.

They very well could have intentionally given the wrong information as a quick shortcut rather than walk them through the correct procedure, but we don't know that for sure.

Until you know for sure they did anything intentionally, you can't really claim this as an ethical issue.

Regards,
Chuck
 