Security companies are 'quids in'!

It looks like the security companies may be making a bit of a profit (or are quids in as we say in my part of the world) with all of the recent security scares.

Read here.

 

What else is new? These companies love a good security scare and love it even more when suckers blow their money on their ineffective software.

 

Yeah, all the scary stories certainly make them richer!

 

I think the security companies like to "enhance" the scares also.

 

I've often wondered if they actually start some of the rumours & stories. I've noticed that most of them love to have lots of information & charts of threats for you to look at. Even I get paranoid after reading some of their stuff!

 

Welcome to the age of panic.

Todays lecture:
Malware Hysteria - how to fuel it and how to profit from it.

Cheers

 

I don't pay too much attention to the hype. With safe computing practices the chance of you getting hit by something are rare...even if you aren't running 5 or 6 security programs consecutively like most of us Wilderites.

 

I agree, but it's easy to make a mistake. Over a year ago I decided to surf Russian news sites using SeaMonkey's translator. I think it was only about three days before I got a trojan!

Luckily SUPERAntiSpyware caught it. I didn't know at the time that Russian web pages are full of malware.

I have been more security conscious ever since so I suppose it was a good lesson.

 

Yeah, sure, obviously security software companies can benefit from any hype or scary news about security issues. And it's in their interest to spread such hype and news, in particular without mentioning methods how to negate such threats without resorting to buying their wares, so people will get scared and spend their money on security software. Ugly business.

 

Hi Daveski17,

From personal experience (10 years +), I can assure you that the companies and organizations I have been associated with have never done this or would even consider it.

In most cases, the uptick in sales are more associated with environmental issues related to a general sense of worry and fear that come from the general focus on threats when there is danger, war, economic uncertainty, terrorism, etc.

Some examples:

1. There is a crime committed in one of those sleepy communities where no one locks their doors. Let us further assume that the perpetrator of the crime has not yet been identified and/or caught by law enforcement. This causes people to feel vulnerable and as a result, purchases of security equipment may rise temporarily (people start locking doors, purchase locks for other buildings, deploy cameras, etc)

2. A natural disaster is coming. I live in the south and can attest to the reaction people here have when a hurricane, snow, or ice storm is predicted: all the bread and milk at the local store disappears rapidly.

Now are these consequences a result of advertising by the security and food industries or would you concede that the result of higher sales for these items is a natural result of a temporary "blip"?

To a person, everyone I have ever worked with is focused on the mission of providing the best solutions possible to address the security of the user. While they are also cognizant of the overall need to make a profit, this is not a motivating factor to step outside of ethical behavior or to risk alienating the public against their products and services.

Be careful not to confuse coincidence with cause and effect...

JMHO

Mike

 

Well, admittedly I was not being totally serious , but I still think that many security companies can only profit by reminding people regularly of the dangers on the Net. This is not always a bad thing & if it makes more people security conscious & gets them to take another look at their respective security set-ups it can only be better for all of us online eventually.

I don't blame a company from trying to make a profit if they offer a good product though & competition can be beneficial. You have to admit however that Internet security is big (huge) business now & although many of the threats are very real it can bring the slightly cynical side out in me.

I certainly don't blame security companies from taking advantage of a flap occasionally, after all, they'd be foolish not to in many ways. Just as long as it doesn't border on the exploitative.

Much of the anti-malware I run is freeware & that, a decent AV & a safe browser with all of my apps as up-to-date as I can get them should be good enough security for anyone.

Anyway, I regularly read several security site's web-pages. Frightening myself occasionally keeps me on my toes! I have to go now & keep an eye on my firewall...

LOL

 

This is more of a likely motivating factor for much of the industry messaging to the public. The security industry is a very competitive one with a large number of players who normally see only x amount of traffic to their sites on a daily basis with the subsequent limitation to the time any one potential customer spends reading their messaging. This naturally sets limits on the potential number of new customers that company can expect to convert through said messaging.

This then leads to optimization of the text/images/etc to grab the attention of those visiting their site pages regardless of the overall threat level in the wider environment. This tends to keep the messaging somewhat static over time though the images and text may change.

When there are dangers, people start searching for solutions and you will see an increase in overall traffic with the resultant exposure of the user to the messaging they may not ordinarily see during more peaceful times which leads potentially to a perception on the part of the user that the industry is trying to take advantage of fear...

Mike

 

I'm more concerned about the rip off merchants making a profit than any of the good guys.

http://voices.washingtonpost.com/securityfix/2009/03/obscene_profits_fuel_rogue_ant.html

 

I'm just probably over-cynical at times. I don't know whether that is a good thing or a bad thing though. I will say one thing however, there are a lot of people who have no idea about Internet security at all. They switch on their computers every day & never think about updating an app unless they get a 'nag-screen' or something. If more people worldwide got a bit more computer-security savvy like us on forums such as these, the Net would be a lot safer I reckon. In fact, I've been mocked by some on non-security oriented forums for being a tad 'nerdy' about computer security. These are the sort of people who when you ask them what operating system they are using often reply; 'What's an operating system?'

I understand that computers can seem very alien to many people & they may have a very fundamental grasp of what they are doing, but would you buy a car & not know whether it had a diesel or petrol engine? My knowledge of computers is not particularly great but I like to know a lot of the basics. I suppose that in many ways it is a matter of computer education. I've learned a lot in the past couple of years myself.

 

I count it as a personal victory that I managed to convince a friend of mine to uninstall STOPzilla off his & his wife's respective computers.

It may not be an outright rogue application, but it is bordering it in many people's opinion. It was causing him & his wife a lot of grief on their computers.

 

I agree with much of what Coldmoon says and don't begrudge companies making an honest living from internet security. Despite all the recent publicity, I haven't noticed a significant drop in the infection statistics on the Prevx homepage - tens of thousands of infections every day, and that's just a tiny fraction of what's happening worldwide. If the security firms can make a few bob protecting people from all the malware that's around, then good luck to them.

I feel much less charitable towards the ISPs, who make a lot of money from the internet. And yet they seem to turn a blind eye to infected machines operating on their networks. Instead of providing a goldmine for criminal gangs, they could actively start to fight them. That would make their customers, and everyone else on the internet, much safer.

 

But there's the question of privacy and safe-harbor laws and all that. I don't want my ISP snooping around and playing Internet cop (unless there is an obvious problem on the network, like a DDOS or something). The MAFIAA is already trying to get laws passed forcing them to police P2P, and the prospect of them policing virus ridden machines would further tax their manpower. As a result, our costs will continue to sky rocket.

I got an e-mail from my ISP a year ago or so saying to check my machine for viruses because spam was being sent from my port 25. I LOL'ed because I do not run Windows, do not have port 25 open, and am a maniac when it comes to my PC's security. I run Firefox in a sandbox, run from a user account (the default in Linux), update religiously, run a MAC system and memory hardening features in my OS's kernel, and am behind a hardware firewall. Just to name a few. Basically, I know their e-mail was totally bogus.

What's my point? Well, obviously their mechanism for detecting suspicious behavior is far from perfect. I went to the forums for my ISP and there were numerous other people there complaining that they got the same e-mail even though they are positive they do not have viruses, etc. (most of them do not run Windows either). My point is, since their mechanism for detecting "malware" is dubious at best, I think it is better if they just left it alone rather than falsely accusing people of spam.

(Actually many of us speculated that these e-mails were just an excuse for the ISP to block port 25 in order to stop everyone from running e-mail servers. Shortly after these e-mails, the ISP blocked port 25 for everyone).

 

I agree with Chronomatic on this one. They shouldn't be allowed to "babysit", and, believe me, you don't want them to for the following reasons:

1. Say goodbye to unlimited access and hello to being charged per the amount of data consumed. That might sound like the "magic bullet" for the P2P issue, but, it'll kill or severely cripple everything else along with it.

2. If they are forced to babysit by law, you not only have problem number 1, but the added issue of even higher bills due to the extra manpower as stated.

You are responsible for what happens on your computer, not the ISP or anyone else. If you make a mess with viruses and what have you, YOU clean it up.

 

I understand your point of view. We all value our privacy and nobody wants to be falsely accused, like Chronomatic, of spamming - was that mistake maybe due to a dynamic IP address?

Like everyone else on this forum, I take my PC security seriously. But most people evidently don't bother or don't know how to make their PCs secure, despite all the free or paid security apps that are available. I can't see that changing fundamentally however much publicity the matter gets. You just tend to get a blip in public interest when something big like the Google attack is in the news.

In any case, I don't imagine that the gangs who make money from their botnets and phishing scams etc lose too much sleep when Microsoft fixes another bug in Internet Explorer. They know that there are still plenty of rich pickings around - the world is almost literally their oyster. So, if it's technically possible for the ISPs to do more to put some of those pickings beyond reach (without encroaching unnecessarily on users' privacy), then they should help to make the internet safer.

I daresay that such security has a small cost. But in the UK we're having to pay a small government levy (50p, I think) each month to fund the rollout of broadband to some remote rural areas. Just as there's a social value in everyone having broadband access, so there's also a social value in everyone being able to use the internet safely.

I know that there are issues of privacy with both the government and the ISPs and I respect your views on that. But I think they're at least wearing white hats, and it's the guys in the black hats that we really need to go after.

 

Chronos' situation could likely (pretty likely) have just been a screwup, or, as said, it could have been a disguised way of taking away something "detrimental to the network". It isn't unheard of, and it's likely to happen more and more, out in the open if the neutrality laws here in the U.S come to pass. Different subject though, on to the topic at hand.

Security will always have a cost, sometimes small, sometimes large. That's something that can't even be argued. However, what's been happening here, and, in many cases globally (especially the U.K), is that the threat of danger is not only being feared, in some cases, to the point of paranoia, but also that threat is being abused to fund and implement control, a level of control that before this threat was so large, would never have been allowed by the people of a state/country.

That's where the problem is. People have been led to believe that if such and such is not done, if we AREN'T being monitored, if our internet is not monitored as closely as possible, then, as some would have us believe, World War 3 is going to break out. Company and government hats are turning gray. I'm not trying to inject conspiracy in here when I say that. I'm merely saying that boundaries are being stepped on and over by the well-intentioned out of, sometimes, irrational fear, and, in some cases, by those who want either more control, money, or both by using fear to advance their cause.

It isn't just about higher monthly bills, ad servers tracking us or the loss or crippling of high bandwidth content we've all come to take for granted. It goes deeper than that. In closing, the more we leave protecting ourselves in the hands of others, the more vulnerable we're going to become.

 

Successive UK governments have been utilising the fear of many things for their own agendas for a few years now. In fact, I think that they just like to scare people about the Internet in general. I think governments fear the Net because it is such an open platform of debate & opinion. I'm sure that many people who don't use the Net much particularly have a mental picture of the Internet being used primarily by criminals, perverts & porn merchants. I think it is because we are living in a postmodern political world where people just don't believe politicians or their respective manifesto promises any more. Fear is a great controlling force, even if much of the cause of it is fabricated or exaggerated somewhat.

I agree.

A classic gambit by any government, create fear, find a solution to the 'problem'. The solution may be worse than the fear though!

This is what I fear.

 

Well in my opinion if STOPzilla for some reason can't be classed as a rogue then it definately deserves a PUP (Possibly Unwanted Program) rating and there's a few others around as well.

If I remember right you had a bit of strife in getting rid of STOPzilla as well?

Something I've been playing around with is to use ZSoft uninstaller to monitor any programs install routine in a VM then keep the saved log which can be used on another machine.

Install ZSoft onto the machine where the crapware resides then copy and paste the log from the VM to where ZSoft normally saves it's install logs and you should be able to uninstall it completely.

Kill all of the uninstall target's processes first though.

 

The reason that STOPzilla cannot be classed as a rogue is due to legal reasons. Although it may not be the 'best' (referring to word of mouth) at removing the newest malware and spyware, if a system was heavilly infected with spyware that it does detect, STOPzilla will remove it. Therefore, it does impact on the system positively, even if it is only minimal. For this reason, it cannot be detected otherwise companies may be sued over false detection and hurting revenue of a non-malicious product

 

Many play on the original name of an application. STOPzilla sounds not unlike Mozilla for instance. I once downloaded something called Spy-Bot off Google. Not Spybot S&D, but a rogue imitation. I was more naive in those days & I didn't realise it was a rogue until it asked for a 'one off payment' to clean my system after finding a few tracking cookies. It uninstalled easily thankfully. I think STOPzilla is definitely an unwanted program!

He said it uninstalled without problems.

 

I have never used it so it is difficult for me to comment, but my friend who had downloaded it said that it slowed both computers it was on hugely. Also he reckoned it was consistently interfering with everything he did on the computer, such as opening email. His knowledge of computers is less than mine (& that ain't much) so he was just confused by all the hassle he was getting from the application. They may have improved the way it behaves but from what I can gather it certainly borders rogue status. Many people would give it that. Rogue applications can be perfectly legitimate (if essentially ineffectual) spyware but when an ostensibly freeware application starts asking for money to remove a threat from a computer it is generally classified as a rogue. It appears that there are many grey areas legally here.