Symantec went after 8 US and Canadian companies for selling pirated Symantec software to customers. (That's one way to cut your cost of goods sold, but causes downstream business model problems, like jail time. Sheesh, how stupid.)
So, Symantec is going after businesses selling counterfeit products (obviously no revenue to Symantec) but what claims are they really making about this? Here are statements made by Symantec (from theregister.co.uk):
Scott Minden, director of legal affairs at Symantec, claimed counterfeit software might "damage users' machines" or steal their identities.
"These software pirates were moving large quantities of counterfeit product and, as a result, numerous unsuspecting users are now at risk for having their information stolen or lost," he said.
Selling counterfeit software makes customers susceptible to identity theft? Quite a stretch. Symantec has every right to go after anyone selling illegal copies of their software, but what are they trying to claim here?
Is Symantec so much a product of their own marketing that even in this situation they have to throw FUD into the mix and tell us customers' identities could have been stolen? Sounds like more Yellow Hat behavior!
They stole your software. Just leave it at that, Symantec.
I'm all for calling people when they are spreading FUD.. I've done it myself on numerous occasions... However in this case I think there is a legitimate claim..
Let's say you're purchasing software from a company selling counterfeit Symantec software. You are assuming this software is safe because the Symantec brand is attached to it... a resource hog yes... but safe :)
It turns out that the AV software you purchased has been modified to include a keylogger... Suddenly your privacy and identity are at risk.. It's not that far of a stretch either. And that's just one example... there are plenty of others that would be just as feasible and just as dangerous.
You also have to consider whether or not you're getting accurate updates. For instance... the software has been modified to "update" from a rogue server. This server doesn't contain new AV signatures... instead it performs data collection. Suddenly you're at risk once again.
If they were spouting FUD... I'd be the first one on board with it, but in this case I think it is a real concern and something that their customers (and the customers of the companies involved with the theft) should be aware of.
Posted by: Tyler Reguly | May 16, 2007 at 12:10 PM
Playing the FUD Card
Tyler,
Thanks very much for the comment. I agree with the "concern" that yes, those things could happen. If they have in Symantec's case, then it's a big deal and should be talked about.
But as far as I've seen, and this could change, no such evidence or even allegations of keystroke loggers or updates not occurring accurately have been lobbied. So far, it's only FUD.
If all the pirates are doing is selling software illegally, then I have to call baloney on the FUD in Symantec's commentary. If there is real evidence of "black hat" wrongdoing then that's another story, but first, tell us that's the case before playing the FUD card.
Posted by: Mitchell Ashley | May 16, 2007 at 01:13 PM
Mitchell,
That's reasonable... Perhaps the statement was their way of implying that sort of wrongdoing... I still wouldn't label it as FUD... In the past it's always been assumed it wasn't worth the cost of tracking down pirates... they are trying to pick up some good press and justify the reason for going after these companies... It might be poor justification (I personally say kudos to the company for doing it) but it's still justification... I really don't know that I can consider this FUD on any level... It was prefixed with "might" and it's true that this might happen and it's a legitimate concern for customers.. When purchasing software you really should ensure that you are obtaining the "real deal"...
I can see where you are coming from with the FUD angle.. I just disagree.
Posted by: Tyler Reguly | May 16, 2007 at 01:31 PM
the mere act of procuring software from untrusted sources (ie. pirates fraudulently posing as authorized resellers) puts one at increased risk from virtually all manner of malware threats (not just keyloggers)...
is there a credible argument for why the pirates should be trusted? if not then symantec are correct, customers of the pirates have deviated from the old-school safe-hex principle of only getting their software from trusted sources and so have put themselves at risk...
Posted by: kurt wismer | May 16, 2007 at 01:34 PM
Tyler and Kurt - I respect your position on this and while we agree on some of the finer points, it's okay if we don't agree on what's FUD. Looks to me like it's the same ol', same ol', from Symantec these days.
I'm concerned about the "cry wolf" factor in all this. If every Symantec pronouncement has FUD unnecessarily smeared into it, everyone (especially the common computer user) is desensitized and will miss the important events, or just stop paying attention at all.
Bottom line is it's overhyping a situation that didn't have any evidence of a real security concern. Possible? Yes, but there are untold "possible" security concerns. This one isn't justified, at least not yet. Symantec's stuck in a rut - if all you can do to differentiate yourself is rely on FUD, good luck. That's a tactic, not a strategy. They're a better company than that, they just need to start acting like it.
Thanks for commenting and reading. - Mitchell
Posted by: Mitchell Ashley | May 16, 2007 at 02:30 PM
it seems to me that you are calling FUD because to your mind there is no credible threat here...
i should then call FAS because:
a) symantec has a better appreciation of this particular threat vector than you do (it's their bread and butter after all)
b) in my own experience helping people deal with and learn how to avoid malware problems, running software gotten from untrusted sources is a credible (even significant) threat...
and one last point which escaped me until just now - the people who purchased products from the pirates probably did not pay cash (at least not unless the pirates had brick-n-mortar stores for customers to make their purchases in), so the pirates now have their names, credit card numbers, and billing addresses... since we are talking about criminals it seems like a no-brainer that that identity information has fallen into the wrong hands...
Posted by: kurt wismer | May 16, 2007 at 03:55 PM
I'm actually not disagreeing with what you've said, Kurt. And I think you bring up a very good point on this, if pirates sold people software then those pirates could use customers' credit card info for nefarious purposes. But that's not what Symantec was "warning" anyone about in their public statements.
Their claim was that counterfeit software might damage users' machines or steal their identities. The implication is that the counterfeit software is tainted. Could it be? Sure could. Are there any reports or evidence of such events? No, no such claims have been made.
The pirates in this scam are much more likely in it for the money and it's very unlikely they took the time to taint the software. Software resellers know how to sell the software, not crack products and plant something malicious in them. It's not likely this situation is any different.
Rather than playing the FUD card, Symantec should make this event public and let people know they have purchased illegal software. And as with any software which doesn't come from Symantec, they cannot vouch for its ability to operate properly and securely. Customers who bought illegal software should get authorized versions of those products.
There... I just did all that without using FUD. That's what Symantec should have done instead of giving the press some line about users' stolen identities. That's my point.
Posted by: Mitchell Ashley | May 16, 2007 at 07:12 PM
mitchell, there are actually a number of fundamental assumptions in your argument that i think bear closer examination...
first and foremost is that the commercial pirates have neither the skill nor motivation to 'taint' the software... you assume that they're only interested in the money but it seems naive to assume anyone (much less a criminal) has only a single motivation... as for skill, there's really no basis for making any kind of assumptions about what skills they may or may not have...
as a corollary to this there's also the assumption that the entire pirate organization shares a homogeneous set of motivations - but the bigger the organization is, the less likely this is to be the case...
a further assumption is that tainting the software requires motive in the first place... if companies like microsoft can accidentally let malware contaminate their releases, what's stopping the same thing from happening to the pirates? in fact, what's stopping that from being more likely in the pirates' case, since the quality control that legitimate companies put in place to prevent that would eat into a commercial pirate's bottom line (it's not like they have a reputation to maintain, at least not one as valuable as a legitimate company's)...
and last, but by far not the least is the assumption that if the software were to become tainted it would have to happen while in the commercial pirates' hands... are we to assume that the pirates only get their warez directly from the manufacturer? or is it more likely that they downloaded already pirated material (cutting costs and improving their ROI)... the fact is that there's no telling how many people have had access to potentially taint such software - it's not just the pirates' motives you have to account for but the motives of an undefined set of unconnected people/organizations...
warez have famously been one of the major malware vectors that people were warned about (alongside bbses and floppy disks)... i know of virus writers who specifically targeted the warez scene and it's not unreasonable to think that there are commercial malware profiteers doing the same thing today...
Posted by: kurt wismer | May 17, 2007 at 06:01 AM