How many people do you have to trust to use a piece of software?
September 11, 2015 5:19 PM   Subscribe

I downloaded gmailnotifier from gmailnotifier.com and setting it up, it requested my password. Obviously it needs this information but how can I be sure that it won't abuse it? How do you know what software to trust?

Am I just being paranoid? Or am I asking a reasonable question?
posted by Obscure Reference to Computers & Internet (9 answers total)
 
Best answer: Well, if it comes from a trusted source, like certain kinds of app or extension 'stores'. If you want a good extension that's like gmailnotifier, and are using Chrome, I can recommend CheckerPlus for Gmail. It's awesome, and trusted. Supports multiple logins and all sorts of stuff.

In general, trust software that is used by a lot of people, and trust software that doesn't have much come up if you search for 'software name' + malware.
posted by durandal at 5:30 PM on September 11, 2015 [2 favorites]


You can't really ever know, unless you get all hardcore and analyze them with external tools to monitor what they're sending to whom, and how. Nobody does this.

Known-safety is the value of curated software stores like the App Store or Google Play or whatnot. You're counting on them to gatekeep the bad things out.

(There are also downsides to those sorts of sanitized walled app marts, of course, but that's another thing altogether.)
posted by rokusan at 5:42 PM on September 11, 2015


How do you know Google isn't doing something nefarious with your password? Unless you are going to use only open source products and inspect the source code yourself, you pretty much are always gambling that the software developer cares enough about its reputation to not screw you.
posted by COD at 5:49 PM on September 11, 2015 [1 favorite]


You should not give your Google password to any third-party software. It is more secure to use Google's mechanisms to grant access to third-party software without giving up your password.
posted by grouse at 5:52 PM on September 11, 2015 [8 favorites]


Grouse is right. There is a login token that is part of the Google api. You should never have to enter your actual password in a third party app.
posted by SecretAgentSockpuppet at 6:08 PM on September 11, 2015 [3 favorites]


Best answer: Yes, you really want software that uses OAuth to authenticate with Gmail. You will be able to tell this is what it is doing because it will take your password through a Google-branded login page in your browser, and a page will appear saying something like, "gmailnotifier (or whatever) is requesting permission to use your account". Then in the future you can revoke access from the app without changing your password. In fact, the app will never have your password in the first place!
posted by goingonit at 6:21 PM on September 11, 2015 [4 favorites]
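The two answers above (the "login token that is part of the Google api" and the OAuth consent page) describe the same delegation pattern. The following is an added, constructed simulation of an OAuth-style authorization-code flow; it is not the gmailnotifier code and not Google's API. The `IdentityProvider`, `NotifierApp`, the scope name `mail.read`, the client id and the user credentials are all assumed names invented for the illustration. It shows the three properties the answers rely on: the password is only ever entered at the provider, the one-time code and the resulting token are all the app ever holds, and revoking the app's access leaves the password unchanged.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # constructed setting for the toy provider


class IdentityProvider:
    """Toy stand-in for the Google login + consent pages (constructed, not Google's API)."""

    def __init__(self):
        self._users = {}   # username -> (salt, pbkdf2 digest)
        self._codes = {}   # one-time authorization code -> (username, client_id, scope)
        self._tokens = {}  # access token -> (username, client_id, scope)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._digest(password, salt))

    def check_password(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(self._digest(password, salt), digest)

    def login_and_consent(self, username, password, client_id, scope, approve):
        """The provider-branded page: the password is typed here, never into the app."""
        if not self.check_password(username, password):
            raise PermissionError("bad credentials")
        if not approve:
            return None  # user declined "<app> is requesting permission to use your account"
        code = secrets.token_urlsafe(16)
        self._codes[code] = (username, client_id, scope)
        return code

    def exchange_code(self, code, client_id):
        """The code is single-use and bound to the client it was issued to."""
        entry = self._codes.pop(code, None)
        if entry is None or entry[1] != client_id:
            raise PermissionError("invalid, reused or mismatched code")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = entry
        return token

    def unread_count(self, token, client_id):
        """A scoped API call that works only while the token is live."""
        entry = self._tokens.get(token)
        if entry is None or entry[1] != client_id:
            raise PermissionError("token revoked or unknown")
        if "mail.read" not in entry[2]:
            raise PermissionError("scope not granted")
        return 3  # constructed unread count

    def revoke(self, username, client_id):
        """What the user does from the provider's account page; the password is untouched."""
        for tok in [t for t, (u, c, _) in self._tokens.items() if (u, c) == (username, client_id)]:
            del self._tokens[tok]


class NotifierApp:
    """The third-party program; note it has nowhere to store the user's password."""

    def __init__(self, client_id):
        self.client_id = client_id
        self.token = None
        self.received = []  # every credential-like value the app ever handled

    def finish_login(self, idp, code):
        self.received.append(code)
        self.token = idp.exchange_code(code, self.client_id)
        self.received.append(self.token)

    def poll(self, idp):
        try:
            return idp.unread_count(self.token, self.client_id)
        except PermissionError as e:
            return str(e)


def walkthrough():
    """Runs the whole flow and reports what the app saw and what revocation changed."""
    password = "correct horse battery staple"  # constructed credential
    idp = IdentityProvider()
    idp.register_user("alice", password)
    app = NotifierApp("notifier-demo")

    # Browser step: the user authenticates to the provider and approves the consent page.
    code = idp.login_and_consent("alice", password, app.client_id, {"mail.read"}, approve=True)
    app.finish_login(idp, code)
    before = app.poll(idp)

    try:                      # replaying the one-time code must be refused
        idp.exchange_code(code, app.client_id)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True

    idp.revoke("alice", app.client_id)
    return {
        "app_saw_password": password in app.received,
        "before_revoke": before,
        "replay_rejected": replay_rejected,
        "after_revoke": app.poll(idp),
        "password_still_valid": idp.check_password("alice", password),
    }
```

Running `walkthrough()` shows the app working before revocation, failing afterwards, and the user's password still valid throughout; the app's `received` list contains only the code and the token. A real provider additionally binds the redirect URI and uses a PKCE challenge, which this toy omits.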


If you want a browser extension, I'd use the Google one.

If you need a standalone program like gmailchecker, find one that uses auth tokens or OAuth, yeah.

Ideally you should be using 2-factor authentication anyway, in which case username+password won't even work.
posted by thefoxgod at 7:25 PM on September 11, 2015 [2 favorites]


I'm not saying that there's anything necessarily wrong with this particular piece of software, but look at its website. It's the product of one man, it says. Do you have any idea whatsoever who that man is?

The contact is "gnotifier1@gmail.com". There are no names anywhere. There's no company. There's no physical address. It's not, apparently, open-source, so even if you couldn't audit the code anyway (by virtue of, say, not knowing how to code) you can't even figure that maybe someone else has. I had to go as far as WHOIS data to find the name of the person who may or may not be the developer, who appears to be in Israel. He did have a Twitter account that mentioned this piece of software... that received only one update, in 2010.

In other words: The warning signs are lack of real names attached, lack of ability to contact the developers personally, lack of corporate backing, lack of source code... basically, lack of accountability. I don't use it myself, but for example the idea of giving Mint your banking passwords, like, it's relatively easy to find out that Mint is owned by Intuit, a huge corporation with a lot of experience handling sensitive data. That's one thing, and some people aren't comfortable with it even then, which is fine. This, I wouldn't use, even though there's still a pretty good chance that it's not malicious.
posted by Sequence at 9:28 PM on September 11, 2015 [2 favorites]


COD: How do you know Google isn't doing something nefarious with your password? Unless you are going to use only open source products and inspect the source code yourself, you pretty much are always gambling that the software developer cares enough about its reputation to not screw you.

While technically correct, this is a useless post. The OP is looking for clues that point towards more-trustworthy software.

Software popularity, as previously stated, is right now about as good an indicator as we have, along with googling for "SOFTWARENAME malware".
posted by IAmBroom at 9:21 AM on September 12, 2015

