At work or at home, I often find some useful piece of software. Sometimes I may find it on a forum, mentioned on a video, or by talking to a colleague.

But how do I know if the editor of the software I install can be trusted?

To clarify, I am not asking if I can be sure that there are no security issues within the software provided. I am asking how I may check the reputation of the editor in order to prevent the case where the software I install may just be a free tool they provide as an excuse to get a backdoor into my computer, to install a keylogger or basically anything malicious on purpose.

Norgannon
  • I just noticed two other questions closely related, so this one might be a duplicate. They are [How do I know a software does what the author claims?](https://security.stackexchange.com/questions/30410/how-do-i-know-a-piece-of-software-only-does-what-the-author-claims) and [How to decide “I'll trust this software” for closed-source or precompiled software?](https://security.stackexchange.com/questions/87395/how-to-decide-ill-trust-this-software-for-closed-source-or-precompiled-softwa); however, neither provides specific resources that can be checked to ensure the editor's legitimacy. – Norgannon Jan 12 '19 at 23:25
  • Trust needs to be defined. Trusted not to be malicious? Trusted not to make a mistake that results in a backdoor? One simply cannot determine this. – schroeder Sep 02 '19 at 12:36
  • The question refers to anything "malicious on purpose". Not talking about mistakes creating a backdoor or anything like this. – Norgannon Sep 04 '19 at 14:51
  • Any malicious developer would "rebrand" if they got a bad reputation or manipulate a positive one. – schroeder Sep 04 '19 at 14:54
  • To give you an example, I looked up macro recording software. They are basically keyloggers that have a replay button. They were all from brands I had never heard of, and I had no idea where to turn to see if the product was safe or not. I couldn't know if it was widely used or not, or what the reputation of the brand behind the product was. It's possible with money to get to or close to the top of search engines even with a brand new product. How would I know if it is going to send everything I press on my keyboard to the developers? – Norgannon Sep 04 '19 at 15:04
  • That's a different question from "trust". The ***only*** way to know is to look at the code. That's called "verification". – schroeder Sep 04 '19 at 15:05

1 Answer

It's really interesting because in this situation we are dealing with 'trust'.

How can you trust a software editor?

"Because it's famous" would be a good answer, but it's still not enough.

Look at the Sony rootkit scandal.

At the moment, I haven't found any website recording editors' 'trust factor'. So the best way is to gather information about the different software he has developed. Rummage on different forums to see people's opinion about him or his software. Maybe the editor talks with the community about the software and how to improve it (being open makes him 'more trustworthy').

In the end, you have to get an idea of him, but you'll never be sure about it (like in real life).

Deunis
  • This looks like the same account as the asker. – schroeder Sep 02 '19 at 12:35
  • Can I prove I'm not? – Deunis Sep 02 '19 at 12:39
  • @schroeder What makes you say this? What would even be the benefit of answering my own question 8 months later on a separate account? – Norgannon Sep 04 '19 at 14:14
  • @Norgannon the most obvious reason would be votes, or simply that you forgot that you already had an account – schroeder Sep 04 '19 at 14:18
  • The wording and sentence structure and cadence are the same, the formatting choices are the same. Both accounts are from France, and your activity on the network coincides. Your questions on other stacks suggest that Norgannon is a student, and Deunis' account states that the user is a student. – schroeder Sep 04 '19 at 14:23
  • @schroeder I don't know if you can see this as a mod, but the upvote I have on the question is from 8 months ago, so it can't even be from this guy whose account is new. I really don't get why you make such an accusation when I have 6 reputation and he has 11. Our activity on the network coincides? I literally have only one question up on this forum from 8 months ago; what activity are you referring to?? – Norgannon Sep 04 '19 at 14:26
  • I am not *accusing*. I am *observing*. "On the network" means all of StackExchange. – schroeder Sep 04 '19 at 14:28
  • If we are from the same country, we are likely to be online at similar hours (French open business hours?) and speak English making similar mistakes / inaccuracies native French speakers would make? He is not me and no, I am not a student (although I was during my earlier days on the site). – Norgannon Sep 04 '19 at 14:40
  • Yes, those are all valid points and possible explanations. – schroeder Sep 04 '19 at 14:55
  • I can remove my answer if it can arrange things. Now @Norgannon has my point on this subject and the question is too broad. – Deunis Sep 05 '19 at 09:21