
TUAW Recommends Joke App 65

ejdmoo writes "The Unofficial Apple Weblog, a very popular Apple enthusiast site, has accidentally posted (and since retracted) a recommendation for an application called Procrastinatr. Though the original website for Procrastinatr promises to 'efficiently prioritize your calendars and regain lost time,' it gives no real description of the functionality. In reality, the application was written as something of an extensive joke between friends, moving all iCal appointments and tasks forward a week. The author has since apologized and posted a fix for users who borked their calendars. This story once again highlights the importance of making sure something is legitimate before letting it run loose on your system, even if it appears to be coming from a reputable source."

  • by ladadadada ( 454328 ) on Saturday June 24, 2006 @03:19AM (#15595163) Homepage
    The question is: how do you verify the integrity of a program before running it on your system?

    You could read through the source code... no, that's ridiculous. Unless the program is as simple as this one was (I think I could re-write this in one line of awk) then reading the source code would take weeks or even months. That's assuming you have the knowledge.

    You could take the recommendation of a trusted source; a source who is trusted through having recommended other software before which was good software and not malicious or buggy. Unfortunately, that is what happened here. TUAW (a trusted source) recommended some software without actually using it themselves. (Unless it was some giant prank on their userbase but that sort of thing is usually reserved for early April.)

    You could limit yourself to only using software that came in a box from your local Apple store. Don't ever install anything unless you also have a physical, printed CD, a box, a user manual and a warranty to accompany it. That's a bit extreme but reasonably safe. As with all "reasonably safe" things however, it's pretty boring.

    What most people do these days is decide if the software "looks trustworthy". This is usually based on a recommendation from a trusted source, the product's website (professional looking graphics means money spent, which means legit) and if the product still isn't filling the user with confidence they will usually ask Google.
    All that needs to be done to install malicious software on a user's computer is to create a moderately professional looking website, astroturf a few software-related forums and get your software linked from a trusted source. The best way to do that would be to name your software in such a way that tech-savvy people would probably not install the program but the less savvy would jump at it.

    I'd like to hear comments anyone has on how unknown software can be verified by non techie people. This means no md5 hashes, no source code snooping, nothing even remotely technical like checking the size of the program. I know the odds are that the 20KB "Open Source MS Office Replacement" I just downloaded probably isn't what it claims to be but plenty of users don't even look at the size of a download.
