NEWS AT SEI
This article was originally published in News at SEI on: June 1, 2003
When you buy an appliance, you give little thought to it doing you or your house any harm. Why? Because there are organizations like Underwriters Laboratories that set standards and certify products. When you see a certifier’s label, you have more confidence that a product will be safer than a competing product that does not carry the same label. You’re willing to accept the risk because you believe the product has met some standards and has been certified by a respected authority.
Unfortunately, the Internet is not the same. There are neither standards nor many certification organizations. Anyone who writes a program can distribute it through any means available, such as through the Web or by sending you a copy. Speaking of that, have you ever received a CD-ROM in the mail? How do you know that it contains what the label says? The answer is: you don’t know. More importantly, it’s difficult to know.
No matter how you acquire a program, it runs on your computer at the mercy of the program’s author. Anything, any operation, any task that you can do, this program can also do. If you’re allowed to remove any file, the program can too. If you can send email, the program can too. If you can install or remove a program, the program can too. Anything you can do, an intruder can do also, through the program you’ve just installed and run.
Sometimes there’s no explanation of what a program is supposed to do or what it actually does. There may be no user’s guide. There may be no way to contact the author. You’re on your own, trying to weigh a program’s benefits against the risk of the harm that it might cause.
What’s the problem you’re trying to solve here? You are trying to determine if the program you’ve just found satisfies your needs without causing harm to your computer and ultimately the information you have on the computer. How do you decide if a program is what it says it is? How do you gauge the risk to you and your computer by running this program?
You address these same risk issues when you purchase an appliance; you may just not have realized that’s what you were doing. When you make that purchase, you buy from either a local store you know or a national chain with an established reputation. If there’s a problem with your purchase, you can take it back to the store and exchange it or get your money back. If it causes you harm, you can seek relief through the legal system. The reputation of the merchant, the refund/return policy, and the availability of the legal system reduce your risk to a point where you make the purchase.
Apply these same practices when you buy a program. You should
Presently, it is not as clear what the legal system’s role is for a program that causes harm or does not work as advertised. In the meantime, the LUB practices are a good first step.
But what about all those free programs available on the Internet? There is a multitude of free programs available for all types of systems, with more available each day. The challenge is to decide which programs deserve your confidence and are, therefore, worth the risk of installing and running on your home computer.
So how do you decide if a program is worth it? To decide if you should install and run a program on your home computer, follow these steps:
If you can’t determine these things – the DCAL tests for short – about the program you’d like to install, then strongly consider whether it’s worth the risk. Only you can decide what’s best. Whatever you do, be prepared to rebuild your computer from scratch in case the program goes awry and destroys it. “Make Backups of Important Files and Folders” in Home Computer Security tells you how to make a copy of your important information so you’ll have it if you need it.
Your anti-virus program prevents some of the problems caused by downloading and installing programs. However, you need to remember that there’s a lag between recognizing a virus and when your computer also knows about it. Even if that nifty program you’ve just downloaded doesn’t contain a virus, it may behave in an unexpected way. You should continue to exercise care and do your homework when downloading, installing, and running new programs.
Lawrence R. Rogers is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). The CERT Coordination Center® is a part of this program. Rogers’s primary focus is analyzing system and network vulnerabilities and helping to transition security technology into production use. His professional interests are in the areas of the administering systems in a secure fashion and software tools and techniques for creating new systems being deployed on the Internet. Rogers also works as a trainer of system administrators, authoring and delivering courseware. Before joining the SEI, Rogers worked for 10 years at Princeton University. Rogers co-authored the Advanced Programmer’s Guide to UNIX Systems V with Rebecca Thomas and Jean Yates. He received a BS in systems analysis from Miami University in 1976 and an MA in computer engineering in 1978 from Case Western Reserve University.
This and other columns by Larry Rogers, along with extensive information about computer and network security, can be found at http://www.cert.org.
The views expressed in this article are the author's only and do not represent directly or imply any official position or view of the Software Engineering Institute or Carnegie Mellon University. This article is intended to stimulate further discussion about this topic.
For more information
Please tell us what you
think with this short
(< 5 minute) survey.