My existing anti-virus software finally expired a few days ago, so I installed the copy of Norton 360 I got for nothing a while back. It's really a habit more than anything, seeing as I haven't gotten any viruses or spyware for as long as I can remember.
So I stuck the CD in, and started the installation process. It's fairly straight forward, except if you have existing Norton products installed it might ask you to uninstall them. And annoyingly, it tells you which one to uninstall, one at a time. So after you uninstall one, you run the setup again, and it tells you another, then another... At least it saves your product key so you don't have to re-enter it each time.
So to help you out, here's an unofficial incomplete list of programs Norton 360 doesn't like:
Be warned that you may lose some functionality, e.g. there is no replacement for Norton Password Manager in Norton 360, no replacement for Norton Ghost in SystemWorks in Norton 360. If you use one of those features a lot, you might want to reconsider Norton 360. It's a bit odd that it doesn't work with its own products, but I guess they want to ensure there's no overlap or conflicts.
Speaking of conflicts, if you had a Norton product previously, I highly recommend you run the Norton Removal Tool to remove all the existing bits, otherwise you could get funny errors in 360 or crashes. It does, as it is named, remove all Norton products though, so do back up your settings, product keys, profiles etc. first.
Once all that was done, the installation is pretty straight-forward and proceeds fairly smoothly, and soon it'll ask you for some info to create your Norton account if you don't have one already to track your product keys and subscription.
Fair enough, I give it my email, a username and password etc., it goes off, works its magic, tells me its all done and runs an update and starts a scan. All works quite well, and I like how it's all very hands-off - the whole thing works by itself, no need to fiddle with any settings or anything (although you can if you want). I might write more on how it is after using it for a few more days.
Oh, by the way, once you activate one copy, the subscription starts. So although you can install it on 3 PCs, the subscription period for them is dependent on the initial install. So when the first installed copy's subscription ends, it ends for the other 2 PCs too.
What annoyed me though and the main reason for this post was the Norton account activation process. It sends you an email to confirm that your email works. Ok, fairly standard procedure.
Yes, look in the red box - there's my email and more importantly, my previously nominated password in plain text! Ok, so its not explicitly shown in the message, instead hidden behind HTML, but it's still there for anyone to get if they have any scrap of skill. If the email program is text only however, then it would be shown explicitly in the text.
This has got to be one of the WORST ways of doing email activation.
Firstly, for that email to get to you, it has to travel its way through a number of email servers, starting at Symantec's and ending at your mail provider's. By including your password in plain text, it means that anyone with access to those servers can read it and use it for whatever purpose they want. Worse, you have no way of knowing until the damage has been done.
Secondly, anyone with access to your email can now know your password too. Sure you may think if people can access your email, then you're compromised anyway, but when you think of the market Norton 360 is aimed at, home users, this situation is very, very common on the shared family computer. May even get stored on a public 'internet cafe' computer if you view the message there.
Thirdly, when you click on that link, your browser opens and navigates to it, storing a copy of the link in its history too. Now anyone with access to the computer can find out your email and password by simply looking at your browser history. Sure Norton 360 includes a tool to clear your browser history, but its disabled by default as your browser history is actually quite useful for other purposes (e.g. address autocomplete, highlighting visited links).
At least your browser is smart enough to encrypt your email and password before sending it through to Symantec. See here for more info on the SSL process.
To make this entire problem worse, no matter how often we've been told, many people use the same username and password for nearly all of their website logins. So with this info you could get into their eBay account, email, PayPal, web forums, myspace, facebook and who knows what else.
It's a bit ironic that a company we pay to keep us safe, and apparently specialises in keeping people's computer and data safe, is being so careless about your private information. Can they really be trusted with all the data on your computer, given what they're doing here?
There's a reason why most web apps that use email activation send you a link containing a randomised activation key, and when the user clicks on that link, they check that the key was sent by them, user logs in and it's activated! That way if anything intercepts it, it's useless to them because the key means nothing.
Alternatively, issue a random, use-once password in the email. It's not as secure however, because if intercepted before you log in and change the password, they get access to that account. At least they don't get access to anything else though.
Maybe they outsourced the website to India or something, the cheapest ones possible, because this is pretty rudimentary I reckon. A password is supposed to be a secret between us, so stop doing the equivalent of sending me my credit card and PIN on a postcard!