In recent months, I've been asking computer security experts what everyday people can do to protect themselves in an age of massive government surveillance and criminal hacking. As previously noted, you'd have to take extraordinary – and perhaps futile – measures against governments under current conditions, but there are some things you can definitely do to be safer from malevolent hackers. This column focuses on one of those measures, because it may be the single most important for everyday computer users.
Here it is: keep your software up to date.
I'm not going to tell you this is a foolproof way to be safe; nothing is. But updating software – operating systems, applications and plug-ins – is an essential part of everyone's security routine. And in a world where more and more of what we touch is controlled by software, we have no choice.
Why update? One key reason is to plug at least some of the holes that exist in all software. Software developers learn about vulnerabilities, either by being told or by finding them on their own, and they write "patches" that do just what they sound like: patch the holes that give hackers a way into your system.
With modern operating systems, updates should be simple, and in some cases automatic. My OS providers – Ubuntu (GNU/Linux);
This isn't the case for some hardware operating systems. Your router manufacturer may well – and should – update the internal software, but you won't always be notified, and installing the update may not be simple even if you do find out. And Android phone/tablet sellers other than
Application updates work in a number of ways. On my Linux computer they're semi-automatic in most cases – in much the same way as OS updates. This is likely to be true for the software you use on your own system. Phone updates work in somewhat similar ways, though in general they're automatically updated more often than desktop computer software. Some products ask you upon installation if you want them to "phone home" to see if an update is available, on a schedule or when you start them up.
Software updates are also used to add features. In the case of modern web browsers like
These new features aren't just interesting or (potentially) useful, they may be helping to protect you. That's what some fascinating research indicates, and it may even suggest a much different approach by software developers to security than the one they've tended to use in the past.
A study from researchers at the
The good news:
the length of the period after the release of a software product (or version) and before the discovery of the first vulnerability is primarily a function of familiarity with the system.
Some not-so-good news: software code reused from previous versions "is a major contributor to both the rate of vulnerability discovery and the number of vulnerabilities found".
Together, those findings may well suggest that the more often a product is updated with new features, not just bug fixes and security patches, the safer it's likely to be, which is why the authors also say their findings have "significant implications for software engineering principles and practice".
Those principles and practices have been a) relatively slow upgrade cycles; and b) updates designed almost solely to fix bugs and patch known security holes. Chrome and
Something else has changed in recent years to challenge traditional methods: the people who find security vulnerabilities used to report them to the vendors, or to the security community, or both. More and more these days, they keep their findings a secret and sell them to the highest bidders – which more and more include governments. In these cases, the only time anyone finds out about the vulnerabilities, if they ever do, is when they're exploited by attacks.
There are still lots of honorable security researchers, to be sure, but the financial benefits for not telling the world – or even the vendor – may be trumping society's best interests.