Can reputation systems protect you from unsafe, buggy software?
You're about to install a new piece of software. Is it safe? Is it reliable?
Those are the two questions you should ask before you install a new program on any device—PC, smartphone, tablet—regardless of what operating system it runs.
The trouble is, most people don't ask those questions at all. And even when they do, the answers can be hard to come by. I regularly download and test Windows programs (I test Mac software, too, but not as often). For special-purpose utilities in particular, making trust decisions is difficult. They often lack digital signatures, and even those that do come from sites that are unfamiliar.
Is there a way to get those answers?
Apple's solution for iOS devices is the app store. It's heavily curated—you don't get in unless you pass Apple's stringent tests. Beginning with OS X Lion, Apple has extended the same concept to desktop apps. For Windows 8 apps, Microsoft plans to offer a similar option.
For a customer, an app store has obvious advantages. It represents a one-stop shopping opportunity, with assurance from the store's operator that the product you're about to buy is safe and reliable.
For developers, there are advantages, including the potential of striking gold by being promoted on the app store's front page or making it to the top of a category list. But there are disadvantages, too: You have to play by the store's rules, which might limit your ability to add features or capabilities to your program. You have to pay a commission to the store's owner, you lose the opportunity to sell directly to your customers, and you are unable to create relationships with customers that aren't mediated by the store's owner.
Linux users can rely on repositories, where available software is certified as legitimate and compatible. That works great for free software, but it's a nonstarter for commercial software developers who want to sell software to customers.
For traditional Windows and Mac software, there are no stores and there are no rules. That means when you download a piece of software, you're on your own. You can search for reviews, but how do you know those reviews are reliable and accurate?
One possible solution that is just beginning to take root involves the use of reputation systems. Microsoft has built a feature called SmartScreen Application Reputation into Internet Explorer. It does a good job of identifying potentially dangerous software, and in my experience it offers tremendous advantages over other Windows-based browsers.
See also:
Symantec also offers a reputation-based screening system as part of its Norton Internet Security Product. For the past month or so, I've been using the 2012 version of NIS, which adds a new and important feature to that reputation analysis. It ranks a program's reliability as well as its safety. Here's the report for the latest release of Firefox, for example:
I love this feature. It has steered me away from a couple of utilities that have been known to cause reliability problems.
See also:
Today I decided to compare the results of these two reputation systems by using one of the most scam-ridden categories of all: Windows registry cleaners. I've made no secret of my dislike for this category of software in general. By and large I believe running a registry cleaner is far more likely to screw up your system than to fix it.
But still, people use this stuff, and scammers love to take advantage of them to push malware and adware. So what happened when I went looking for a registry cleaner? I found the top three "system optimizer" programs being sold through lots of sites that use the same templates and sell the same software under affiliate arrangements. The programs themselves are legit and virus-free, although I don't recommend them.
But it didn't take me long to find a suspicious one. And it illustrated both the strengths and weaknesses of reputation systems. The gory details are available on the next page.
Page 2: How to spot a scam -->
<-- Previous page
It came from a web site that looked like every other registry cleaner affiliate site I have ever seen. Internet Explorer allowed me to download it without any warnings. Why? Well, the file is digitally signed, and it has apparently been downloaded multiple times without triggering virus warnings.
The first red flag came when I looked at the digital signature itself:
This program was signed just seconds before I downloaded it. That's very, very odd. Was my timing really so amazingly good that I captured this download just a few seconds after the developer released it? I doubt it. More likely, this file was "customized" just for me.
The certificate that was used to sign the file is roughly two years old. That gives the publisher some extra reputation cred, especially if it has never been used to sign a known piece of malware or spyware.
But Norton's reputation database had a different message for me. After the download completed, this message appeared:
Clicking the View Details button led to this dialog box:
For all I know, this program is perfectly legit, but it displays the characteristics of malware. The big difference is that it is digitally signed.
Submitting the file to VirusTotal turned up a clean report: no current antivirus signatures detect it as malware. But submitting the same sample to ThreatExpert found something much more disturbing:
The more detailed report revealed that one of the executable files included in this package is detected by Kaspersky as a known backdoor that allows the program to download and install other software. Is that detection accurate? I don't know, but I sure wouldn't trust this file.
Another program with the same name is available on CNET. It has terrible reviews, with multiple reviewers warning that it is a rogue program. The two good reviews are from users who registered the same day they submitted the review and never reviewed another download.
Internet Explorer allowed this executable file through with no warnings. Norton flagged the file as extremely suspicious but didn't block it. If I had been using a different browser and a different antivirus program, I would have had no clue that it was potentially dangerous.
And there's the problem with a reputation service. It shouldn't be tied to a browser or an antivirus program. It should be freely available to any computer user. In an ideal world, my OS should scan any executable file I download and run for the first time and give me enough information about it that I can make an intelligent decision about whether or not to run it.
Would you welcome such a service?