
May 16, 2007


Tyler Reguly

I'm all for calling people when they are spreading FUD.. I've done it myself on numerous occasions... However in this case I think there is a legitimate claim..

Let's say you're purchasing software from a company selling counterfeit Symantec software. You are assuming this software is safe because the Symantec brand is attached to it... a resource hog yes... but safe :)

It turns out that the AV software you purchased has been modified to include a keylogger... Suddenly your privacy and identity are at risk.. It's not that far of a stretch either. And that's just one example... there are plenty of others that would be just as feasible and just as dangerous.

You also have to consider whether or not you're getting accurate updates. For instance... the software has been modified to "update" from a rogue server. This server doesn't contain new AV signatures... instead it performs data collection. Suddenly you're at risk once again.

If they were spouting FUD... I'd be the first one on board with it, but in this case I think it is a real concern and something that their customers (and the customers of the companies involved with the theft) should be aware of.

Mitchell Ashley

Playing the FUD Card


Thanks very much for the comment. I agree with the "concern" that yes, those things could happen. If they have in Symantec's case, then it's a big deal and should be talked about.

But as far as I've seen, and this could change, no such evidence or even allegations of keystroke loggers or updates not occurring accurately have been lobbied. So far, it's only FUD.

If all the pirates are doing is selling software illegally, then I have to call baloney on the FUD in Symantec's commentary. If there is real evidence of "black hat" wrongdoing then that's another story, but first, tell us that's the case before playing the FUD card.

Tyler Reguly


That's reasonable... Perhaps the statement was their way of implying that sort of wrongdoing... I still wouldn't label it as FUD... In the past it's always been assumed it wasn't worth the cost of tracking down pirates... they are trying to pick up some good press and justify the reason for going after these companies... It might be poor justification (I personally say kudos to the company for doing it) but it's still justification... I really don't know that I can consider this FUD on any level... It was prefixed with "might" and it's true that this might happen and it's a legitimate concern for customers.. When purchasing software you really should ensure that you are obtaining the "real deal"...

I can see where you are coming from with the FUD angle.. I just disagree.

kurt wismer

the mere act of procuring software from untrusted sources (ie. pirates fraudulently posing as authorized resellers) puts one at increased risk from virtually all manner of malware threats (not just keyloggers)...

is there a credible argument for why the pirates should be trusted? if not then symantec are correct, customers of the pirates have deviated from the old-school safe-hex principle of only getting their software from trusted sources and so have put themselves at risk...

Mitchell Ashley

Tyler and Kurt - I respect your position on this and while we agree on some of the finer points, it's okay if we don't agree on what's FUD. Looks to me like it's the same 'ol, same 'ol, from Symantec these days.

I'm concerned about the "cry wolf" factor in all this. If every Symantec pronouncement has FUD unnecessarily smeared into it, everyone (especially the common computer user) is desensitized and will miss the important events, or just stop paying attention at all.

Bottom line is it's overhyping a situation that didn't have any evidence of a real security concern. Possible? Yes, but there are untold "possible" security concerns. This one isn't justified, at least not yet. Symantec's stuck in a rut - if all you can do to differentiate yourself is rely on FUD, good luck. That's a tactic, not a strategy. They're a better company than that, they just need to start acting like it.

Thanks for commenting and reading. - Mitchell

kurt wismer

it seems to me that you are calling FUD because to your mind there is no credible threat here...

i should then call FAS because:
a) symantec has a better appreciation of this particular threat vector than you do (it's their bread and butter after all)
b) in my own experience helping people deal with and learn how to avoid malware problems, running software gotten from untrusted sources is a credible (even significant) threat...

and one last point which escaped me until just now - the people who purchased products from the pirates probably did not pay cash (at least not unless the pirates had brick-n-mortar stores for customers to make their purchases in), so the pirates now have their names, credit card numbers, and billing addresses... since we are talking about criminals it seems like a no-brainer that that identity information has fallen into the wrong hands...

Mitchell Ashley

I'm actually not disagreeing with what you've said, Kurt. And I think you bring a very good point on this, if pirates sold people software then those pirates could use customers' credit card info for nefarious purposes. But that's not what Symantec was "warning" anyone about in their public statements.

Their claim was that counterfeit software might damage users' machines or steal their identities. The implication is that the counterfeit software is tainted. Could it be? Sure could. Are there any reports or evidence of such events? No, no such claims have been made.

The pirates in this scam are much more likely in it for the money and it's very unlikely they took the time to taint the software. Software resellers know how to sell the software, not crack products and plant something malicious in them. It's not likely this situation is any different.

Rather than playing the FUD card, Symantec should make this event public and let people know they have purchased illegal software. And as with any software which doesn't come from Symantec, they cannot vouch for its ability to operate properly and securely. Customers who bought illegal software should get authorized versions of those products.

There... I just did all that without using FUD. That's what Symantec should have done instead of giving the press some line about users' stolen identities. That's my point.

kurt wismer

mitchell, there are actually a number of fundamental assumptions in your argument that i think bear closer examination...

first and foremost is that the commercial pirates have neither the skill nor motivation to 'taint' the software... you assume that they're only interested in the money but it seems naive to assume anyone (much less a criminal) has only a single motivation... as for skill, there's really no basis for making any kind of assumptions about what skills they may or may not have...

as a corollary to this there's also the assumption that the entire pirate organization shares a homogeneous set of motivations - but the bigger the organization is, the less likely this is to be the case...

a further assumption is that tainting the software requires motive in the first place... if companies like microsoft can accidentally let malware contaminate their releases, what's stopping the same thing from happening to the pirates? in fact, what's stopping that from being more likely in the pirates' case, since the quality control that legitimate companies put in place to prevent that would eat into a commercial pirate's bottom line (it's not like they have a reputation to maintain, at least not one as valuable as a legitimate company's)...

and last, but by far not the least is the assumption that if the software were to become tainted it would have to happen while in the commercial pirates' hands... are we to assume that the pirates only get their warez directly from the manufacturer? or is it more likely that they downloaded already pirated material (cutting costs and improving their ROI)... the fact is that there's no telling how many people have had access to potentially taint such software - it's not just the pirates' motives you have to account for but the motives of an undefined set of unconnected people/organizations...

warez have famously been one of the major malware vectors that people were warned about (alongside bbses and floppy disks)... i know of virus writers who specifically targeted the warez scene and it's not unreasonable to think that there are commercial malware profiteers doing the same thing today...
