In a previous article, I discussed the fundamental nature of our computer’s operating system: its absolute power to see, and potentially expose, anything we do. We frequently assume, often without actually thinking about it, that the OS is trustworthy.
That may or may not be true.
When it comes to the operating system, our options are limited. There’s really no choice: in order to use our device, we must use an operating system of some sort.
When it comes to the applications we install on our computers, we have both more choice and more risk.
Every application adds direct risk
Every application you download and install on your computer – be it your desktop, laptop, tablet, or phone – is an opportunity for your security and privacy to be compromised.
We regularly give applications much broader permissions to operate on our information than they need. In Windows, most programs can read any file, whether they need to or not. For example, that desktop chess game you just downloaded has complete access to the financial spreadsheets stored elsewhere on your computer.
On the other end of the spectrum, some operating systems allow us to control permissions at a per-application level. For example, when installing an app on an Android-based device, you’ll often be presented with a list of things to which the new application requires access.
If we want the application at all, we must grant it all the permissions it requests. And that’s exactly what most people, including myself, do: zip through the list of permissions requested as if it was a license agreement, and accept it all, without reading or considering.
Any application we install could be malicious. It could be explicitly malicious – meaning malware – or it could be less obviously malicious, sharing more information with third parties than we realize, violating our assumptions of privacy.
As we’ll see in a moment, as long as we take appropriate care, we can be relatively safe – but the possibility exists.
Every application adds indirect risk
Even the best-intentioned application includes risk, even if indirectly.
The program could have bugs. It could have errors or omissions that, in turn, could be leveraged by other, malicious software. It could “leak” our information unintentionally in ways third parties can intercept and collect.
Again, none of these risks are included purposefully, but rather as a side effect of oversight, poor design, poor coding or other unintentional accidents.
A great example might be Adobe Flash. It’s not malicious. It’s not intentionally allowing malware on our computers, or intentionally exposing our information to others. But it has so many bugs, errors, and vulnerabilities that its mere presence on your machine – particularly if not updated regularly – increases the risk of other software leveraging those issues to do harm.
All software has bugs. Thus, all software comes with some risk that those bugs, once discovered, could be used by others for unintended actions.
Once again, it all comes back to trust
You and I can’t be expected to understand all the details and nuances of software design and marketing. It’s too complex and ever-changing.
Instead, we rely on third parties. Or, more correctly, we rely on our trust of third parties to either do or provide the right thing, or act as a resource to let us know when the right thing isn’t happening.
This is why I so strongly warn against using download sites. The third parties involved – the download sites themselves – have a poor track record of providing software that can be trusted. Instead, I recommend you take the effort to locate the original vendor of whatever software you’re looking for and download directly from the source.
Assuming, of course, you trust them.
I discuss ways of developing and evaluating trust in What Does It Mean for a Source to be “Reputable”? The advice there applies equally here. When it comes to the software you install on your machine – any software – you must weigh the benefits against the risks, and take care to make sure you trust the source.
Rule of thumb: don’t install what you don’t need
The most secure software of all is the software that isn’t on your machine. If it’s not there, it can’t harm you.
I’m sure you know someone who constantly downloads and installs software on their machine. Be it a bevy of anti-malware tools, to the latest games, to who-knows-what, their machine eventually becomes unstable – or worse, their online accounts get hacked as a result of malware that accompanied all those downloads…
…all for things they probably didn’t really need.
Don’t be that person.
Think carefully before installing any software on your computer or other device. Even the most trustworthy and reputable software comes with side effects of some sort, and in the worst case, as we’ve seen, there’s a risk of more malicious intent as well.
Make sure you need it. Make sure you trust the author. Make sure you get it from a source you trust.
And when in doubt, don’t install it. You’re safer that way.
Is anything safe?
All this sounds pretty daunting and perhaps even a little overwhelming. You might be wondering if anything’s ever safe.
The good news is that, for the most part, the software you need, from reputable sources, is generally not malicious, and generally well behaved. There are bad actors out there, of course, but keeping these basic rules of thumb in mind will generally allow you to be safe.
- Only install what you need.
- Install only reputable software from well-known sources.
- Download only from the vendor’s own download site or instructions.
If you’re at all concerned about security and privacy – and you should be – it’s important to be aware and keep these rules in mind.
You’ll have a much safer and more confident experience.