Thursday, May 28, 2009

Watch out for the muppets :)

Muppets. They're everywhere.

I don't mean Jim Henson's friendly bunch, but the English term for someone lacking a bit of skill or intelligence. Though it's an insulting term, it's rather mild and quite cute - and the topic for today's blog post.

Why are muppets relevant to security?

The internet has democratised communications. Anyone with a keyboard and a thought can combine the two and reach people all over the world. Sometimes this is a good thing. Other times - not so good.

Anyone on Twitter can shout out a thought - and have it reproduced. Businesses or individuals can communicate - and say things that are true, not true, right or wrong - and people will read it and disseminate it. How many internet hoaxes have you read about recently?

The problem arises when people say things with an air of authority that they know nothing about. For example, a muppet tweeted out a security alert yesterday saying that Online Armor contained advertising software. Obviously, it doesn't.

Rather than get upset, I did the right thing - tracked him down and told him about his mistake.

His reply was basically "McAfee alerted". I advised this was a false positive.

His response was "Hmmm, can't find that term in any McAfee help or support groups. Good luck with that!".

Be careful who you listen to

Typing the words "false positive" into Google (without the quotes) finds multiple definitions, and quickly. So, we have some Jason Remington issuing public security alerts about our product - yet he has never heard of a false positive and couldn't find it on the internet. I think we have our first "Muppet of the Day".

When you read something, give consideration to the source.

The text of the tweet was "QZVX WARNS OF ONLINE THREAT:(Online Armor) Firewall FREE download contains ADWARE and other nuisance software that may harm your PC."

I looked up the site in question - it's here. Hardly credible.

Get advice from the right place

There are a multitude of sources of good advice on the internet - TechSupport Alert, Spyware Hammer, Wilders Security forums, Calendar of Updates, Smokey Security forums, vendor forums - and many more.

Where do you go for security advice? Have you any entries for the "Muppet of the day"? Let me know.


Mike

Monday, May 18, 2009

Ask Toolbar in Online Armor Free? Nearly...

There's been a lot of discussion about the Ask toolbar recently over at Wilders Security and the Calendar of Updates forums. We have a variety of vendors that are now bundling this bar with their products - something that I thought we'd never, ever do.

Then I read a thread over at Wilders where someone pointed out that every time the Ask bar was installed, the vendor got a dollar. I mulled over our OA Free download numbers and thought that this figure was highly likely to be inflated - but at a dollar per download - wow, that's some serious money.

Bundle Ask Toolbar and have an early retirement?

I then read a comment from BillP of WinPatrol fame saying that Ask had approached him and, had he proceeded with them, he could have made enough money to retire in a few months. Bill basically told the guys to get stuffed - but there are a lot of other vendors that bundle the bar who didn't.

Having had two independent sources confirm just how much money could be made, I did what any self-respecting business owner would do - I contacted Ask to find out what the deal was. After all - if I could add tens of thousands of dollars to our bottom line every month, I'd be mad not to consider it, right?

The Scoop

At the same time as I contacted Ask, Ask contacted me asking about business relationship opportunities. The chap I spoke with on the phone explained to me that the numbers quoted at Wilders were not quite reality - but for the purposes of basic math, we'll stick with the $1 per install.

In other words, for a company like us - a small business out of Sydney - the Ask toolbar sounds like a dream come true. Call it free money. Call it monetizing our free product - we did both. Based on our download numbers we'd stand to make tens of thousands of dollars per month - all for including a harmless toolbar in our program.

Sometimes, I hate the internet...

Here's the problem. Imagine that you could get paid a dollar for each unique user. Imagine that you were moderately skilled at writing malicious code and had no morals. You could make a lot of money real fast by surreptitiously installing something like this. And that's what people did. Ask were tarred with this brush.

As we proceeded along the path with Ask, we took note of the questions that they asked us and the hoops we had to jump through to sign up as a partner. They were really, really concerned to prevent malicious folks from bundling their bar.

It was unfortunate that they had been abused by malware writers and scammers - I'd hate for that to happen to us if we paid bounties for installation of Online Armor - but they shouldn't be nailed for this forever. Not only do they try to run a clean ship, but they were also a victim, right?

This thinking gave us a bit of confidence going forward - as did the fact that a lot of our competitors, from the rats and mice upwards had done this.

...but most of the time it rocks

We decided that we'd proceed with the Ask toolbar. The money looked great. The company was clean. Our competitors were doing it. There were shouts at some of the guys that did it - from a highly vocal crowd - but we figured that provided we did it the right way (no default opt-in, no tricky wording or saying that the bar was required for security purposes) we'd be ok.

I took this to our private test team. They hated it. I took it to our forum admins. They hated it too. I took it to our Beta team after someone came out and said "You would never bundle a toolbar, would you?" - and I said, "um, actually yes, we would". They hated it too.


A rock and a hard place

On one hand, we have a way to boost our business to the tune of tens of thousands of dollars per month. In this economy, that sort of money is not to be sneezed at - hell, in any economy the chance to quickly add a quarter-million USD per year to the bottom line with minimal effort is not to be sneezed at.

Unfortunately, adding that bar would mean that our users would hate us. Vocally. Is it rational hatred? Who cares. Hate is hate, and vocal is vocal. We'd already noted one of the smaller players get slammed for their search bar antics.

In all of our discussions and observations, some key points kept getting repeated:

  • Users do not expect a security tool to install unneeded items, even if that security tool is free.
  • Default opt-in is the only way people will install due to inattention, accident or trickery of wording.
  • Default opt-in is wrong.
  • Users place a lot of trust in security vendors. They are trusted to do the right thing. Do not abuse that trust.
  • Is it ethical to ask your users to install a product you would not install and use yourself?

Out of all of them, the last one got to me the most. I installed the bar and had a look. If this was on my computer, I would remove it.

In fact - the ICQ bar is even worse - the uninstaller didn't work correctly and now I find myself trying to do a Google search and sometimes getting ICQ. It's really, really annoying. Do I want to really, really annoy our users?


The upshot.

When we started our Online Armor project, we somehow stumbled onto a simple formula. Listen to our users, and give them what they want. Provided they don't want free ponies and chocolate, it's a model that works rather well. Everyone wins.

Our users - the ones privy to the pre-launch information - told us pretty clearly "We don't want this, and we don't think it's right". When your friends are telling you it's not a good idea - imagine what people who don't have that relationship will say or do.

So - we've decided not to proceed with Ask, though they'd probably pay us nearly enough to buy a nice car.

When the numbers look good from a financial perspective, and "everyone else is doing it" - it's easy to fall into complacently thinking that all will be fine. It's not fine for security companies to bundle someone else's toolbar. We lost sight of that for a moment and nearly did everyone a disservice.

Why did we decide not to proceed? Well, the money sure would be nice but at what cost? Bundling this bar would lead to a loss of trust... and that's something you generally only get to lose once.

I'll get the car another day.
