NEWS AT SEI
This article was originally published in News at SEI on: June 1, 2003
When you buy an appliance, you give little thought to it doing you or your house any harm. Why? Because there are organizations like Underwriters Laboratories that set standards and certify products. When you see a certifier’s label, you have more confidence that a product will be safer than a competing product that does not carry the same label. You’re willing to accept the risk because you believe the product has met some standards and has been certified by a respected authority.
Unfortunately, the Internet is not the same. There are neither standards nor many certification organizations. Anyone who writes a program can distribute it through any means available, such as through the Web or by sending you a copy. Speaking of that, have you ever received a CD-ROM in the mail? How do you know that it contains what the label says? The answer is: you don’t know. More importantly, it’s difficult to know.
No matter how you acquire a program, it runs on your computer at the mercy of the program’s author. Anything, any operation, any task that you can do, this program can also do. If you’re allowed to remove any file, the program can too. If you can send email, the program can too. If you can install or remove a program, the program can too. Anything you can do, an intruder can do also, through the program you’ve just installed and run.
Sometimes there’s no explanation of what a program is supposed to do or what it actually does. There may be no user’s guide. There may be no way to contact the author. You’re on your own, trying to weigh a program’s benefits against the risk of the harm that it might cause.
What’s the problem you’re trying to solve here? You are trying to determine if the program you’ve just found satisfies your needs without causing harm to your computer and ultimately the information you have on the computer. How do you decide if a program is what it says it is? How do you gauge the risk to you and your computer by running this program?
You address these same risk issues when you purchase an appliance; you may just not have realized that’s what you were doing. When you make that purchase, you buy from either a local store you know or a national chain with an established reputation. If there’s a problem with your purchase, you can take it back to the store and exchange it or get your money back. If it causes you harm, you can seek relief through the legal system. The reputation of the merchant, the refund/return policy, and the availability of the legal system reduce your risk to a point where you make the purchase.
Apply these same practices when you buy a program. You should
- Learn as much as you can about the product and what it does before you purchase it.
- Understand the refund/return policy before you make your purchase.
- Buy from a local store that you already know or a national chain with an established reputation.
Presently, it is not as clear what the legal system’s role is for a program that causes harm or does not work as advertised. In the meantime, the LUB practices are a good first step.
But what about all those free programs available on the Internet? There is a multitude of free programs available for all types of systems, with more available each day. The challenge is to decide which programs deserve your confidence and are, therefore, worth the risk of installing and running on your home computer.
So how do you decide if a program is worth it? To decide if you should install and run a program on your home computer, follow these steps:
- The Do test: What does the program do? You should be able to read a clear description of what the program does. This description could be on the Web site where you can download it or on the CD-ROM you use to install it. You need to realize that that if the program was written with malicious intent, the author/intruder isn’t going to tell you that the program will harm your system. He or she will probably try to mislead you. So, learn what you can, but consider the source and consider whether you can trust that information.
- The Changes test: What files are installed and what other changes are made on your system when you install and run the program? Again, to do this test, you may have to ask the author how the program changes your system. Consider the source.
- The Author test: Who is the author? (Can you use email, telephone, letter, or some other means to contact him or her?) Once you get this information, use it to try to contact the author to verify that the contact information works. Your interactions with the author may give you more clues about the program and its potential effects on your computer and you.
- The Learn test: Has anybody else used this program, and what can you learn from him or her? Try some Internet searches using your Web browser. Somebody has probably used this program before you, so learn what you can before you install it.
If you can’t determine these things – the DCAL tests for short – about the program you’d like to install, then strongly consider whether it’s worth the risk. Only you can decide what’s best. Whatever you do, be prepared to rebuild your computer from scratch in case the program goes awry and destroys it. “Make Backups of Important Files and Folders” in Home Computer Security tells you how to make a copy of your important information so you’ll have it if you need it.
Your anti-virus program prevents some of the problems caused by downloading and installing programs. However, you need to remember that there’s a lag between recognizing a virus and when your computer also knows about it. Even if that nifty program you’ve just downloaded doesn’t contain a virus, it may behave in an unexpected way. You should continue to exercise care and do your homework when downloading, installing, and running new programs.
About the Author
Lawrence R. Rogers is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). The CERT Coordination Center® is a part of this program. Rogers’s primary focus is analyzing system and network vulnerabilities and helping to transition security technology into production use. His professional interests are in the areas of the administering systems in a secure fashion and software tools and techniques for creating new systems being deployed on the Internet. Rogers also works as a trainer of system administrators, authoring and delivering courseware. Before joining the SEI, Rogers worked for 10 years at Princeton University. Rogers co-authored the Advanced Programmer’s Guide to UNIX Systems V with Rebecca Thomas and Jean Yates. He received a BS in systems analysis from Miami University in 1976 and an MA in computer engineering in 1978 from Case Western Reserve University.
This and other columns by Larry Rogers, along with extensive information about computer and network security, can be found at http://www.cert.org.
The views expressed in this article are the author's only and do not represent directly or imply any official position or view of the Software Engineering Institute or Carnegie Mellon University. This article is intended to stimulate further discussion about this topic.