Who can you trust?
Published March 6th, 2013 at 4:27 PM EDT, modified October 22nd, 2015 at 9:06 AM EDT
Recently, a new reader of my blog asked me, “Why should I trust your information?” While this may seem like an impertinent question, in the security world, it’s actually quite an astute one. In fact, it’s one that people need to ask themselves far more often online. Nearly every transaction you perform online, from electronic banking to just fooling around on YouTube, involves trust. Yet few people think about such things. Let’s try to change that!
It should go without saying that care should be used when downloading and running software on your computer. However, many people download things on a whim, often straight from an advertisement that caught their eye, and never spare a thought for whether or not they should. This obviously puts the user at risk of being infected with malware, but more commonly it results in the user installing what tech support folks like to call “crapware.” There’s a lot of bad software out there that will slow down your computer or even cause it to crash, and a lot of software that is on the border between malware and legitimate software.
The first thing you should do to avoid installing such software is to never install anything on a whim. If you see something that sounds promising, do not download it! First, go find out more about it. Seek out reviews in reputable places, such as from well-regarded publications like MacWorld, MacLife or TidBITS. Beware of user-submitted reviews on software download sites, like Download.com or MacUpdate, as those are known to be manipulated by unethical companies. The same is true of reviews posted on social media sites. Once you have determined that the app is a reasonable thing to try, go straight to the developer’s site and download it from there, or from the App Store if it happens to be available there. Do not obtain it from any third-party download site, where you may or may not get what you wanted. (For example, Download.com has been known to add junky “adware” to downloads. That software will be installed along with the software the user wanted, for the purpose of generating ad revenue for Download.com.)
Further, be sure that you allow Mac OS X to protect you. The latest version of Mac OS X (version 10.8, aka Mountain Lion) includes a feature called Gatekeeper. By default, Gatekeeper will not allow you to open any applications that have not been digitally signed by a developer who has registered (for a fee) with Apple. Although this cannot protect you from junk software, it is pretty effective at protecting against trojans. In the Security & Privacy pane of System Preferences, make sure that you do not allow applications downloaded from “Anywhere,” as that will compromise Gatekeeper’s ability to protect you.
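Gatekeeper's setting, and its verdict on each installed app, can also be read from Terminal with `spctl`. The script below is an added example, not part of the original post; the sample output and app names in it are constructed, and it falls back to them when `spctl` is not available.

```shell
#!/bin/sh
# Added example: read Gatekeeper's state and per-app verdicts via spctl.

# Constructed samples of `spctl --assess -vv` output (app names are made up).
SAMPLE_SIGNED='/Applications/Example.app: accepted
source=Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_UNSIGNED='/Applications/Unsigned.app: rejected
source=no usable signature'

# Map the text printed by `spctl --status` to a one-word state.
gatekeeper_state() {
    case "$1" in
        *"assessments enabled"*)  echo "enabled" ;;
        *"assessments disabled"*) echo "disabled" ;;
        *)                        echo "unknown" ;;
    esac
}

# Reduce one assessment to "verdict (source)".
app_verdict() {
    case "$1" in
        *": accepted"*) verdict=accepted ;;
        *": rejected"*) verdict=rejected ;;
        *)              echo "unknown"; return 0 ;;
    esac
    src=$(printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1)
    echo "$verdict (${src:-no source given})"
}

# On a Mac: report the global setting, then every app in /Applications.
audit_gatekeeper() {
    state=$(gatekeeper_state "$(spctl --status 2>&1)")
    echo "Gatekeeper: $state"
    [ "$state" = "enabled" ] || echo "WARNING: Gatekeeper is not enforcing (check for the Anywhere setting)"
    for app in /Applications/*.app; do
        echo "$app: $(app_verdict "$(spctl --assess --type execute -vv "$app" 2>&1)")"
    done
}

if command -v spctl >/dev/null 2>&1; then
    audit_gatekeeper
else
    # No spctl here, so show the parsing on the constructed samples instead.
    echo "Example.app:  $(app_verdict "$SAMPLE_SIGNED")"
    echo "Unsigned.app: $(app_verdict "$SAMPLE_UNSIGNED")"
fi
```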
People visit a lot of web sites, and often they just assume that doing so is safe, unless the site looks “dodgy.” Unfortunately, the quality of the site rarely has anything to do with its trustworthiness. I have seen some pretty ugly and unprofessional sites with top-notch information and/or software, and conversely have seen some extremely professional-looking and polished sites that are outright scams. There are, for example, some very professional-looking “review” sites that post glowing reviews of a specific product but, if you scratch beneath the surface, have very little else. A concrete example that was recently shut down was a fake news site that promoted an Acai berry diet. It can be very difficult to figure out what sites are trustworthy and what sites are not.
Fortunately, there are some tools you can use to help. First is Google’s Safe Browsing tool, which is used by Safari, Chrome and Firefox. This will block sites that are known to be malicious. Another is Web of Trust, which provides trust ratings based on user-supplied voting. You can also choose to use some kind of internet filtering software, or use a free OpenDNS account to block access to particular kinds of sites. It’s important to keep in mind that these sorts of things are never 100% reliable. User votes can be falsified, and new sites can take a while to be added to blacklists.
When it comes to information found on web sites, you have to evaluate it as you would any other information. Use your critical thinking skills, and compare the information to other sources. Even a legit web site may now and then slip up and post bad information. Keep in mind that anything that sounds too good to be true probably is.
Worse, though, web sites can be purveyors of malware. The common wisdom is to avoid visiting “dodgy” sites, but as I’ve pointed out already, that can be difficult to do. In addition, recent information suggests that as much as 80% of malware may come from legitimate sites that have somehow been hacked. For example, NBC’s web site was recently hacked to distribute malware. Such hacks involve using vulnerabilities to install malware without user interaction, or what are termed “drive-by downloads.” This makes it impossible to ever be completely sure that any site is safe! Fortunately, Mac users are safe from drive-by downloads if they take certain precautionary measures, like disabling Java in the web browser and disabling or selectively blocking Flash. For more information, see “How can I protect myself?”
Everyone knows that some people are trustworthy and some are not. However, it can be very easy to blindly give trust to someone who has a special badge next to their name on a forum or who has their own fancy-looking web site. Such things give the appearance of authority that may or may not be real. Keep in mind that the hand behind that blog post you’re reading belongs to a human being, and as such, the information may or may not be biased, incomplete, inaccurate or even outright false. As with people in real life, think very carefully about what they say, and pay less attention to superficial things.
So, why should you jump to take my advice? You shouldn’t. I expect you to turn that critical eye on me, as well, and make your own choices.