Input: Safer Software Practices

ADIDS Element

Input

Parent Topic(s)

Safer Software Updating

Duration

45-60 minutes


Materials to Prepare

  • PC and LCD projector for demonstrations
  • Flipchart and markers
  • Pre-installed, unwanted software that you can use to demonstrate uninstalling. We suggest the Ask Toolbar, as it is frequently bundled into the installers of other freeware.
  • A sample installer (.exe file) of your choice. One suggestion that may be beneficial to introduce at this stage is Personal Software Inspector, which checks and manages updates for installed applications on a device.

Input Session

Step 1: Defining Terms

Put the following terms on a flipchart and ask participants to define them, writing answers where correct or providing clarifications as needed. All of them will be addressed before the session concludes:

  • Bugs/“Buggy”
  • Vulnerability
  • Exploit
  • Patch
  • Piracy
  • Alpha release
  • Beta release
  • License

Step 2: Software Development & Updates

Ask participants to describe how software is developed (or to guess, if they aren’t sure). Explain that software is written by development teams consisting of programmers, designers, and other specialist roles, depending on the project. Also explain that:

  • While it is being built, an application goes through alpha and beta versions (early versions/draft versions) which are not released to the public, but are tested internally. With open source software, the testing may be carried out by a community of volunteers. When problems are found, testers alert the developers – they file “bugs”.
  • Software is almost never ‘final’ or ‘perfect’, but is released when it is just good enough for public use, with the expectation that the development team will continue to work on new releases which contain fixes to existing problems.
  • Each new release is an Update, or a Patch. These updates might improve or change features, the user experience or security.

Ask participants what software on their PC receives updates. See what gets listed or left out. Some examples to get the list going include:

  • Browsers
  • Adobe Reader
  • Microsoft Office
  • Windows / Operating System
  • Antivirus

As you work through the list, see what other examples participants can think of and contribute - add these, and see how long you can get the list to be.

Step 3: Vulnerabilities

Vulnerabilities discovered in software are a major problem for governments and companies, and for individuals, too. They are tracked by people who want to protect themselves as well as by people who want to exploit them – hackers. Show on screen the most recent records listed at:

Highlight the number of total vulnerabilities published (for example, over 31,000 on Exploit Database and 66,000 on the US National Vulnerability Database as of Dec 2014).

  • Look through the titles of some of the software for which vulnerabilities have been published, or search for common software titles such as ‘Adobe’ and ‘Office’.
  • Point out that vulnerabilities are linked to particular software version numbers, meaning that newer versions in which the issue has been fixed are no longer vulnerable to it.

Step 4: Automatic and Manual Updating

  • Ask participants how their software gets updated, and if any of their software is getting old and out of date.
  • Explain the difference between manual and automatic updates: some software can be set to update automatically, others will require users to manually go through the process whenever a new update is available.
  • Discuss the increasing prevalence of ‘App Stores’ such as the Mac and iOS App Store, Google Play Store and Microsoft Store, which simplify updating by putting several updates in one location - these can also be set to auto-update.
  • Mention Linux equivalents such as the Ubuntu Software Centre, or the general Linux model of repositories, which streamline updates.

Step 5: Turn on Your PC’s Alerts

When you install software or update it, you are making a change to your computer. Operating systems have a way of warning users before they allow software to make changes.

  • The User Account Control (UAC) window that pops up when installing something in Windows is one example. It was introduced in Windows Vista (if you are running something older, such as Windows XP, you won’t see this warning pop-up window).
  • If you don’t see this warning when you install an application, you probably have UAC switched off, which is dangerous. It can be turned back on in the Windows Control Panel (Control Panel -> Action Center -> Change User Account Control Settings).
  • On Mac and Linux, a comparable demonstration can be made of the warning users see before software is installed with administrative rights (usually a window requesting the admin password).
  • Because software makes changes to users’ computers, and these changes may be good or may be bad, it is important that users know that they are installing safe software which will not harm their computers.
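
To confirm the UAC state on the demonstration PC before the session, the settings behind that Control Panel slider can be read from the registry. The PowerShell below is an added example, not part of the original LevelUp material; the function name Get-UacStatus is made up for illustration, and the script only reads values without changing them.

```powershell
# Added example: read-only check of the UAC settings on a Windows PC.
# Get-UacStatus is a hypothetical helper name, not a built-in cmdlet.
function Get-UacStatus {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop

    # Meaning of ConsentPromptBehaviorAdmin (how administrators are prompted).
    $meaning = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (Windows default)'
    }

    $lua      = $p.EnableLUA                    # 1 = UAC on, 0 = UAC off
    $behavior = $p.ConsentPromptBehaviorAdmin
    $uac = if ($null -eq $lua) { 'Not set' } elseif ($lua -eq 1) { 'On' } else { 'Off' }
    $prompt = if ($null -ne $behavior -and $meaning.ContainsKey([int]$behavior)) {
        $meaning[[int]$behavior]
    } else {
        'Not set or unrecognized'
    }

    [pscustomobject]@{
        Uac           = $uac
        AdminPrompt   = $prompt
        SecureDesktop = ($p.PromptOnSecureDesktop -eq 1)
        # No warning appears if UAC is off or admins are elevated silently.
        WarningShown  = ($uac -eq 'On' -and $behavior -ne 0)
    }
}

$status = Get-UacStatus
$status | Format-List
if (-not $status.WarningShown) {
    Write-Warning 'Installers can make changes without a UAC warning on this PC.'
}
```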

Step 6: Use the Most Direct Sources

When downloading an application, try to get it from the developer’s official website. That gives you the best chance of avoiding fake versions that may contain viruses and other malware.

Where do participants get their software from?

Some example sources to ask participants about may include:

  • Downloading from websites (ask which website)
  • From friends and colleagues
  • Purchased discs from vendors or technicians
  • Purchased online or from stores on original media

If participants use download aggregators like download.com, filehippo.com or others, suggest that they find the vendors’ websites to get original software. Using Google instead of less well-known search engines should bring up the vendor’s website within the top search results.

Give several software examples including a mixture of free and paid software, and ask participants to tell you how to obtain it. Good examples include: Firefox, Skype, NitroPDF, Office, PortLocker, CCleaner, Photoshop.

Step 7: Avoid Bad, Dangerous, and Unnecessary Software & Toolbars

Some software can be unwittingly installed by users while installing other, free applications. Free software distributors earn revenue by leading their users to install additional applications during the installation process.

  • Adobe, for instance, usually asks users of free versions of Adobe Reader or Adobe Flash to install an application from anti-virus application maker McAfee.
  • The open source application Axcrypt (http://axantum.com), which comes with OpenCandy bloatware, is one example.

Step 8: Removing the Bad Stuff

Applications

Show the Add or Remove Programs dialogue box in Windows, or the Applications folder on Mac OS X. Review the list and see if there is odd-sounding or unknown software (you could pre-install unwanted software in advance as a demonstration). Show how uninstallation can be done from this window.
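
For trainers who want the same list in a form that is easier to sort and review, the PowerShell below reads the registry's Uninstall keys, which is where installers register the entries shown in the Windows uninstall dialog. It is an added example, not part of the original LevelUp material; Get-InstalledSoftware is a made-up helper name, and Microsoft Store apps are not covered by these keys.

```powershell
# Added example: list installed programs from the registry's Uninstall keys.
# Get-InstalledSoftware is a hypothetical helper name, not a built-in cmdlet.
function Get-InstalledSoftware {
    $paths = @(
        # Machine-wide installs (64-bit and 32-bit views) and per-user installs.
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        # Skip nameless entries and ones marked as hidden system components.
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

$apps = Get-InstalledSoftware

# Most recently installed first (InstallDate is a yyyyMMdd string and is
# sometimes missing), so bundled extras from a recent install stand out.
$apps | Sort-Object InstallDate -Descending | Format-Table -AutoSize

# Entries that name no publisher are worth a closer look with participants.
$apps | Where-Object { -not $_.Publisher } |
    Select-Object DisplayName, DisplayVersion
```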

Plug-ins

Explain that plugins installed into a browser may compromise the security of participants’ online activity and accounts. Open up Firefox and/or Chrome, access the Extensions or Plug-ins page, and review it for unknown or odd-sounding extensions. Show how to delete and de-activate plugins from this page.

Potentially Unwanted Applications

Explain that this is a class of software that anti-virus tools recognize as something users may have installed unintentionally. The following anti-virus applications can scan for so-called PUPs (potentially unwanted programs or applications):

  • AVG: http://free.avg.com/us-en/homepage
  • Avast!: https://www.avast.com/en-us/index
  • Kaspersky: http://usa.kaspersky.com/products-services/home-computer-security/
  • ESET: http://www.eset.com/us/home/windows-antivirus/
  • McAfee: http://home.mcafee.com/Default.aspx?rfhs=1

Step 9: Using FLOSS Alternatives

Ask participants to list some of the most desired software which is both a) commercial and b) not free of charge (e.g. Windows, Microsoft Office and Photoshop). Point out that these are frequently pirated due to cost, but that piracy brings certain risks:

  • Governments and criminals release software with malware in order to compromise computers.
  • Governments often use piracy as a pretense to crack down on independent organizations.
  • Many users do not know how to vet where their pirated software comes from.
  • Pirated software is often blocked from receiving important security updates.
  • Pirated software often has disabled features, or causes issues after installation.

Open a browser and navigate to Osalt (http://www.osalt.com). Present free and open source software as an alternative to the dangers of piracy. For instance:

  • Linux/Ubuntu instead of Windows
  • LibreOffice/OpenOffice instead of Microsoft Office
  • Gimp/Gimpshop instead of Photoshop

For commercial (paid) software platforms, human rights activists and their organizations may be eligible to receive free, or heavily discounted, versions of commercial software:

  • Users may look for official distributors among local ICT service providers and request a non-profit or public sector license discount.
  • A large distribution network for donated software is run by TechSoup.
  • The following page contains a list of partners and the countries in which they operate: http://www.techsoupglobal.org/network

Step 10: Obtaining Software and Updates in Countries with Content Blocking

Users may be frustrated when trying to update software if they live in a country blacklisted from receiving ‘software exports’ from countries like the United States, or where ISPs are instructed to block downloads from certain sites. If this is the case, users can use circumvention tools to access the original sources for software. Refer to training content on Anonymity and Circumvention here on LevelUp.

Warning

Use of circumvention technology or encryption is not allowed in some countries. Please review the laws for your country before attempting to use them.