Are Security Software (SSW) Products Secured?

The purpose and wishes for this thread:

Discuss the business and/or background reasons for Security Software Products (SSW) being possible security problems themselves.

There are 3 wishes for the thread.

(1) Omit all vendor X versus vendor Y posts.

Example: vendor x forces it’s users to accept secret phone homes and vendor Y doesn’t.

(2) Post the rationale for WHY (in your opinion) these causes are occurring. An example would be valuable.
Please, no fear, uncertainly, and doubt (FUD) or wild unproven accusations. Let’s keep this at a level one rung up from tools versus tool

(3) Avoid the political / government policy / legal/ issues
These political issues are already actively covered in this forum and are outside the scope of this thread.

The Business and Background Reasons (incomplete!)

This issue of security lapses within security software has become more visible.

Besides the problems of buggy and bloated software, there is the privacy issue of organizations public and private, collecting and in some cases selling collective data about their customers to other businesses. ALL of these companies are in business to make money. Utilizing information about their customers to market other software or other things to them is one way to make money. The online behaviour of large groups of people is valuable data for companies that want to market products, collecting massive data for companies who want to pay for it is already a big business. Any software company who can discretely sell information to these companies can make big bucks.

There are security software companies that distribute “free” software and some paid software that also sell collective (not individual) data about their customers. When the profits dry up from subscriptions don’t underestimate the creativeness of the security software companies to find other ways to make money from their business.

It is only fair to point out that computer software companies are not alone in doing this. Many companies (banks, credit card companies, subscription cable and satellite TV services, and most major ISPs) sell collective information about their customer base. It is a way of life and although they say it isn’t personal data about you it is personal data about a collective group. This is still bad business practice. The fine printed agreements that we always click “yes” to are just the tip of an ice burg. Most service agreements that we think of as harmless we accept without reading or understanding are infested with fine print that gives up the collective privacy of groups of people.
The problem with this type of business thinking is that it is NOT in the best interest of the customers and when the customers find out (and they will) then its damage control time.

All of the above raises questions please add to this list as you see fit and suggest answers.

1.What dangers can this issue create for your personal information privacy?
2. Do some/all firms only care about making more money?
3. Are some firms thinking they can get away with it and there is a potential to make a big profit then doing it?
4. If they don’t now, will they at some time in the future?
5. Will the ones that don’t end up going out of business unless they do what their competitors are doing?
5.1 Since

the additional question I put to everybody is
6. How and Can we identify the "white list" of vendors who don't carry out these practices?

 

1.What dangers can this issue create for your personal information privacy?

The dangers involved in the practice of selling information consist mainly of not knowing who they sold the information to. I don't mean that solely in a government spying way, it also includes individuals who have the money and the know-how to fake who they are (for instance, private investigators and such). Also, after the information is sold to another party, who then does THAT party sell to and what do they do with it?

2. Do some/all firms only care about making more money?

No, they don't, BUT, it IS their first priority. Money may not be everything, but no one can live without it you see. They have to make money or their business collapses, bills don't get paid, families go unfed.

3. Are some firms thinking they can get away with it and there is a potential to make a big profit then doing it?

Yes, of course. You will always have shady businesses and business people, if there is a quick buck to be made there is a person standing around his or her bank waiting for that ship to come in. A lot of times they CAN get away with it simply due to the thousands and thousands of laws with as many loopholes that vary state to state, country to country. And when you bring in an un-regulated source like the Internet, it's even easier to get away with it.

4. If they don’t now, will they at some time in the future?

They do now and always will. Again, if there is money to be made, criminally or legitimately it will be made.

5. Will the ones that don’t end up going out of business unless they do what their competitors are doing?

No. A business stays in business in many ways, including reputation, so there will always be honorable businesses and business people out there who honestly want to help their customers. The world may SEEM like it's filled to the brim with bad folks, but it really isn't.

 

Thank you dw426 for your reply. I have added a 6th question to the OP due to your contribution

 

6.How and Can we identify the "white list" of vendors who don't carry out these practices?

Well, this one can be a bit tougher as businesses update their TOS and change various aspects of their business frequently depending on many factors, and often with little or no notice until someone catches the newly updated information. For the most part, all that can really be done is to read those TOS forms word for word (in a computer software environment, an easy way to find out what you are getting into is using something like EULAlyzer), ask questions you feel are important, and get feedback from former/current customers (of course taking reviews with a grain of salt, people who feel jilted have a habit of saying things that may not be entirely correct or plain outright lies).

 

Yes, I used EUAlyser and even though it found wording that I wasn't happy with my " need" or "want" to use/try the SW or service overpowered my unhappiness. Priorities! Who has ever not got a product due to the license agreement?

What I found more useful was joining forums first and watching/reading for major issues like excessive (IMHO) connects back to update sites and many different ip addresses being used. BTW those forums can be usefull for selecting/comparing as well.

I agree 100% with you that "reviews" must be viewed with a sceptical eye thus favouring trials first.

 

"Who has ever not got a product due to the license agreement?"

Actually, I have, and on many occasions I tend not to be the type that thinks to himself "Well, it COULD happen, but that possibility is way too low so the heck with it". I always take the "Hey, if this does happen, what are my options?" approach, and if those options aren't acceptable or if those options are too few, I end it right there. Now of course you can't do that with life, lest you want to be holed up in a dark closet forever, but you can with products and services

 

Hi dw426:

May I ask what key statements/ conditions in a license or ToS stop you from proceeding with the product or sofware tool?

What types of options were you hoping to have that were missing?

I'm trying to id the risks we face with some examples if possible.

 

Hi Escalader, well, I DO have a recent one for you as an example, and one that stopped me dead in my tracks even after seeing multiple references to third-parties and other such things I don't care much for "9. No Jury Trial. YOU HEREBY WAIVE YOUR RIGHTS TO A TRIAL BY JURY IN ANY PROCEEDING WITH RECORDED BOOKS. "

That nice little tidbit came from software used by my local library to stream movies from their collection to my PC. Now, that was a blanket statement in their EULA, not in reference to any specific circumstances. It was the very last line of the EULA. I have a copy of the entire thing in fact. I can take just about anything to an extent, but where I will refuse to bend is my right to a fair trial as an American. This would be a prime example of the statement I made regarding options or the lack thereof.

Other examples of things in a EULA that either stop me or make me proceed with extreme caution is "piggy-back software". If there is a good chance that software can be prevented from being installed, I will usually proceed. If not, depending on the situation (for example a well-known security software), I will abort immediately. I also choose very carefully products that state they sell my information. I want to know what information, and, if there's even a slight chance of finding out, who it is sold to.

There are many many shady things a company can put into their EULA's, and quite a bit of the time it is very very subtle or vague. Any concerning statements in a EULA that are too vague for my taste get further scrutiny/research of the product the EULA is for.

 

Without the vendors name, can I ask you to explain to the thread what piggy back software is and does in general terms?

By preventing software from being installed if it was a Trojan that would be good right? But you meant something else I think? Please expand what you mean there.

As to surrendering your right to a jury or not being told who they sell information too that is crystal clear!

Good stuff this!

 

Certainly, piggy-back software is a separate application that is installed either by choice or silently along with the original installation of the program you intended to install. These separate applications range from relatively harmless add-ons that provide extra functionality, toolbars that also add functionality but also may serve a more devious purpose such as spying on browsing and sending that information back to the servers of that application and/or third parties, and all the way up the malicious chain to trojans used to remotely take over a PC.

When faced with a situation where you can obviously see an extra application being installed or asking to be, it is imperative that you not only pour over the EULA included with the original application, but also take a quick look around Google and get as much information as you can. It takes minutes to prevent problems, it can take hours to fix them. You may not be able to use the most rock solid protection out there due to conflicts, money, or some other reason, but there is absolutely no excuse to not attempt to do the best you can do with the tools you are able to use.

Freeware is an absolutely good thing, and it enables people who may not have the means to acquire the best tools available to secure themselves at the very least reasonably. However, be aware that developers, good intentioned or otherwise, need money just like us, and they will use whatever means are most efficient for them and bring in the most revenue. They are normal people, and, like other normal people, there will always be the good and the bad ones.

 

Thank you. Can you provide the thread with an example of the type of pop up or other warnings that gives users a clue when this is happening and how they could prevent un wanted "piggy exe" from getting on their PC's?

When doing these installs us techies (me) are always in a "rush" to get playing with the new application. So asking them to stop and read legal documents or do research may be the correct thing to do but how can we make this easier for them? Strikes me that a good white list of exe's is the only sure way to do that?

Yes, some good freeware for sure. BUT the $ motive is strong where SSW products are engaged in hot competition with similar products.

Thus the adware. Like TV commercials, without them they tell us the cable service would cost more!

What we need is a rating system like hotels have so I can scan the ratings and see if product x (a freebie) is "good" or not.

Just an opinion.

 

Sure Escalader, here is an example of what can happen if care is not taken about clicking through an installation (This is from an otherwise perfectly safe ISO loading application that allows installs without burning to a disc):

For your other comments:The only way to prevent this sort of thing from happening is to 1. Scan with an AV and AS pre-install. 2. Look over the EULA no matter how "paint drying" exciting it may be. 2a. Use a program like EULAlyzer to do this for you and NOT blow off its warning. 3. Use "custom install" option when available, instead of letting the program install without confirmations. This allows you to check for everything that it will install, and, often, un-checking things you don't want. Ratings would work just as badly as reviews do now. Some will have a bad experience and do nothing but talk BS about the program, whether it's actually malicious or not, and some will mislead others into thinking it's this wonderful app when it's a deadly trap. A word to users, when installing ANY security application, check here at these forums or another well-known security forum FIRST. They have likely seen the program before and know whether it is good or bad. And, if they have not, someone will likely test it.

 

Just adjusting back to the fact we are only dealing with SSW products in this thread I will use quotes and make the process specific. Let break up these steps with example tools and clarify the order of the steps to make sure I have the "filter" steps/logic correct.

Readers should note, I am using my SSW as examples in this thread and am NOT opening up the thread for x vs y posts. You guys use your own tools in creating your own "filter" steps.

1)

.

2) Backup your whole system via image SW before proceeding.

3) Before installing scan the install/setup exe with your AV and AS in my case this would be Nod32 and SAS but these are here only to make it clear, you guys would all use your own favourites as you see fit.

4) Analysis the EULA no matter how long and difficult the wording.

5) If you use a program like EULAlyzer to do this for you, do NOT ignore the privacy and other warnings. The key issues are privacy and sharing of your personnal information and waiving of your legal rights. This list is incomplete.

6) Use "custom install" option when available, instead of letting the program install without confirmations. This should allow you to check for everything that it will install, and, often, un-checking things you don't want or need. The less exe's intall the better. Watch for modification of your search bar, home page and start list do not allow those to happen by neglect.

 

One of the questions in post 1 was:

( I hate having to quote myself )

Today I found this example of voice print privacy policy for a service coming soon for the banks here in Canada.

So, thread readers and contributors,

what risks do you see for yourself in this technology?

It is on topic since the bank installs the programs and employs the algoritim(s) it is no different IMHO than using a web based AV service. The location of the server we use for these SSW doesn't matter. We the client would be using the SSW product and taking the risks inherent in it.

 

That, um, well, that's a tad "1984" to me. Without knowing how they get around such issues technically, it also seems to be extremely flawed. Why can I not just record someones voice and play it over the phone? What happens when that persons voice changes slightly due to illness ( colds, sore throats, the like)? How would background noises affect the accuracy of identification? Can noise even slightly possibly result in an incorrect read, thereby A: Blocking you out, or B: Allowing access to another account? Would it be possible to "hack" into this system and have access to hundreds if not thousands of voices and therefore accounts?

Biometrics are not a sure thing, that's been proven with the manipulating of fingerprints. These things may be smart, but they are still machines, and therefore subject to failure (us being imperfect creatures and all) Nice idea they have, but a bit ahead of it's time and, again, without knowing the intricacies of it's security, not likely to be successfully implemented. Btw, what does this "secret date password" entail? Sounds like an insecure backup to a possibly insecure plan.

 

Right! All good questions! With your permission, with out id'g you or this forum may I ask the bank these very things? If you say no that won't upset me.

 

Here are my answers, in order:

1) Businesses are out there to make money. In order to operate effectively, they need to understand their target audience. There are many ways to accomplish this, but one of the easiest way is by buying/selling customer related data. Unless we know the internal workings of a company, we can't really tell whether they buy/sell critical personal data. As much as I don't want my personal data to be shared, there is really nothing I can do about it. A lot of these companies, like you said, have EULA's that you have to agree to before you can buy their product. And since it contains uninteresting information, we just click yes most of the time without fully knowing what's in there.

2) No, but as dw426 said, it is their first priority. Companies have to make money in order to stay alive. Without money, a business will collapse pretty quickly, even non-profit ones. Money drives innovations, and innovation drives our society forward. Hence, that is the reason why most of us study and/or go to work.

3) Collecting and sharing customer data generates a lot of revenue. Just think about it, how many customer data are available for trade? Lots and lots. Like I said in #1, companies have EULA's that we have to agree to. And most of the time, the EULA mentions something about sharing and collecting of personal information. But since we don't want to get bored to death, we promptly click yes even if we don't agree with all the terms.

4) That really depends on how the company is doing, and what their goals are. Some companies may not practice this because they respect their users privacy. But I've yet to encounter a company that doesn't practice the sharing and collecting of personal data. At least, not with the companies that I do business with (e.g. banks). I have to be honest, though, that I skip most EULA's when dealing with a trusted and known company (e.g. Microsoft, Symantec, etc.).

5) While it is important to know what the competitors are doing, it is not the sole determining factor that will drive a company out of business. In this case, I assume you're talking about the sharing/collecting of personal data. I would say that there are still companies who doesn't fully practice this because there are other ways to generate income.

6) Without extensive research, I think you will be hard-pressed to find a company that does not practice sharing and collecting personal data. Until a law is passed that explicitly prohibits sharing of any customer data, I believe this practice will continue. That is why it is important to be aware of every facet of our lives--in order to protect as much as we can about ourselves, and to prevent someone from damaging our lives, which may or may not hurt our credibility.

 

Of course you may, I myself want to know.

 

Thanks, I didn't want to do sharing of any data without permission which is one of the main issues here.

I will wait til next week to put the questions to them.

 

Questions now submitted to bank, we wait.

PS we may wait forever

 

Yeah, I wouldn't expect any answers too soon. I can't wait to see what argument they pull out of their hat to avoid the questions

 

Returned from 2 day holiday to find these answers waiting for me. I have removed the bank name for the usual reasons. Comments please.

~Private communication removed per the TOS. No private communications to be posted without permission of both parties. Please state other parties recommendations in your own words if possible....Bubba~

 

Sometimes I hate TOS, lol. Escalader, can you PM me the results if it's easier than putting your own words to it?

 

Hi dw426:

Nope, not going the PM message route nor am I going to plagiarize the banks answers by rewriting them. I could easliy error in rewritting these answers.

If a thread reader wants a "bank name removed" copy of these answers to the thread questions email me your request to my wilders email addy and I will forward it along in due course.

Strongly suggest readers NOT use their personal email address and use a disposable address. Please ensure your wilders identity is clear in your request.

The need for the answers is real.

 

I have been enlightened Thank you.