Showing posts with label ethics.

the problem with the "like" trade

earlier today randy abrams posted an interesting take on facebook advertising and how misleading the word "like" can be (http://randy-abrams.blogspot.com/2011/12/facebook-misleading-advertising.html). this reminded me of a beef that i've apparently had going back at least as far as may of this year (judging by the timestamp on the screenshot i took).

specifically, randy said the following:
If I have to “like” a page to get the information I want, I don’t have a problem with that
well, with all due respect to randy, i do have a problem with it. randy makes some good points about the way people's pictures get used in facebook ads when they "like" things, but a point he neglected is that forcing users to "like" or otherwise post about something before they can see the content they've been lured with is a popular tactic in facebook scams.

now, i'm not trying to suggest that security companies making use of this marketing methodology are scam artists (though i am tempted to say that all marketing is in some way a scam) but they should be aware that by utilizing this sort of marketing they are effectively endorsing a marketing methodology (developed by facebook) that breeds victims. i don't expect facebook to care about such things, since such trickery is how they make their money, but i certainly expect security companies (especially ones with as strong a leaning towards empowering users as eset) to know better than to go along with facebook's questionable methods and do things like this:
"like"s are not something to be bought from users in exchange for free or otherwise tempting content. they are an endorsement and as such can't be legitimate until after the user has sampled the content. the idea of exploiting illegitimate user endorsements should be recognized as unethical and should be understood to have consequences. by using the sort of techniques that scam artists thrive on, one is basically training people to be victims. i expect better from security companies and i think you should too.


Snake-Oil 'R' Us

it seems that snake-oil is changing with the times, evolving and getting worse.

worse? how could it possibly get any worse?

well, i've mentioned in the past how certain products' very names can represent snake-oil - names like "total protection" or "total security" instill in the user the false belief that they are totally protected and don't have to worry anymore.

well pretty soon there's going to be "total defense" too.

how is that worse? well, "total protection" and "total security" are just product names. total defense? that's apparently going to be a company name. a company that has snake-oil running through its veins, i suppose. probably not a surprising move for updata partners, the technology venture company running the show - a venture company's focus is on making money. they're buying computer associates' internet security business unit, and they aren't existing members of the security or anti-malware community/industry. but they're going to be part of the anti-malware industry, they're buying their way into it, and they're starting from a position without the established norms and ethics of either the community or industry. no wonder the ethical landscape has been eroding over time.


the covenant is broken

one month ago i published a blog post excoriating mcafee for being involved with a firm that creates and sells malware. for one month i've been waiting - not for a reaction to my own post, but a parallel reaction from the industry to the revelation that mcafee was involved with malware creators. i have been underwhelmed by the response (or lack thereof), and somewhat overwhelmed by the implications.

take a moment to let the AV industry's silence on this matter sink in. what does it mean? does it mean that they can't say anything because they've all got similar skeletons in their closet? or does it mean they're just not interested in capitalizing on that sort of thing anymore?

you see, for a long time there's been a persistent rumour that AV vendors don't just partner with malware writing companies, they hire malware writers outright. the AV vendors, of course, claim that that doesn't happen - they claim to have a policy against hiring malware writers and they say not to just take their word for it because their competition would take advantage of such ethical lapses if they were ever to occur.

they weren't just blowing hot air, either. making an example of an anti-malware company that hired a virus writer has happened in the past (thank you f-secure), so we know that such self-correcting controls have previously been in place. we were supposed to trust AV companies because they were financially motivated to do the right thing. every company had something to lose if they misbehaved and every other company had something to gain if they caught someone misbehaving.

but now the revelation that mcafee works with a malware writing company comes along and nobody has anything to say. well, to be specific, no company has anything to say (since i know there are individuals who felt strongly about this but may not have been able to speak for their employers). it was the job, the duty, of every member company in the anti-malware industry to act as a watchdog for the industry in case things like this happened, and you all failed. each and every one. one month later is too late to strike - the opportunity has passed - the iron is no longer hot.

the industry was supposed to be policing itself, but that no longer seems to be happening. without that, all we have is their word that they should be trusted, but those are just words. nothing but sweet, sweet words that turn into bitter orange wax in my ears (to quote futurama's philip j. fry). without action it means nothing.

the industry's accountability is gone. we can't honestly believe they're still policing themselves now. they used to adhere to and enforce the anti-malware community's standard of ethical behaviour. it's important to draw a distinction between the anti-malware community and the anti-malware industry at this point. although there has always been significant overlap, there have also always been those who were part of one set but not the other. obviously i'm not in the anti-malware industry, and i can think of a number of people who were members of the community long before they became part of the industry. on the other side, do you think HR is staffed by anti-malware community members? the legal department? upper management may have a few here or there, but for the most part they're just ordinary business folks. increasingly, the anti-malware industry is representing business interests instead of the values and ideals of the anti-malware community. the community's influence in the industry has been gradually waning up to this point, where there's no one left who can realistically hold them accountable for violations of the community's standard of ethical behaviour.

they can still be held accountable on technical grounds, i suppose, but for how long? anti-malware testing was in a bad state for a while - AMTSO has been helping to elevate the quality of testing, but does the anti-malware industry (which is increasingly losing touch with the anti-malware community) have too much influence over the goings-on there? ideally the inclusion of both the anti-malware industry and the anti-malware testing industry should create a balance. the testing industry has an understandable bias towards the more practicable approaches to testing (they have limited resources, after all) and a strong motivation to not appear to be going too easy on the vendors. the vendors, on the other hand, have insights into the inner workings of their products which are sometimes necessary to understanding and eliminating certain sources of testing bias, and a strong motivation to perform well on tests. this should create a balance that forces both sides to take harder but ultimately superior paths. as the industry moves away from ethical accountability in favour of business concerns, it stands to reason that they may start to move away from embracing technical accountability as well - and realizing their input in AMTSO feeds back into a system that enables technical accountability, they may try to game the system for their own ends.

this highlights yet another problem. not only does the industry itself become suspect, so does everything it touches. it's not just accountability that's gone, it's credibility as well, and that lack of credibility can be toxic to others.

when the anti-malware industry no longer represents the values and ideals of the anti-malware community, when the bottom line takes priority over everything else, the result is bad for everyone. it's bad for the users because they will eventually have little left but to choose between crappy products in pretty boxes. it's bad for the anti-malware community within the industry because their jobs will cease to be fulfilling and they will be increasingly disturbed by the actions of their employers. it's even bad for the anti-malware community outside the industry simply because of association and the failure of most people to recognize any distinction between the industry and community. this isn't something that happens overnight. this isn't something that started one month ago. it's been going on for a while and you community members in the industry are all frogs in a pot that is being slowly brought to a boil.

i don't know how to correct this. i don't even know if it can be corrected (damage has already been done, and you can't always go back to the way things were). i don't pretend to have those kinds of answers. if i had to guess, i would guess that turning the industry around and getting back on course would take as much influence as the community can muster. full recovery may not be possible, but is not trying really an option? an alternative may be to restore accountability through external sources, but given the particulars in play (a company that sells malware to a nation state), that would involve scrutiny from other nation states and being investigated by scores of foreign nations on an ongoing basis doesn't sound appealing.

there can be no credibility without accountability and there can be no accountability without consequences. that house of cards depends on consequences and as near as i can tell there have been none.


ethical conflict in the anti-malware domain

forgive my silence over the last little while. motivation to blog sometimes isn't easy to find. as time wears on, fewer and fewer things get under my skin enough to drive me to rant (is that what it means to mellow with age?). but since you're reading this i think you can guess what this post implies.

five years ago i wrote a post about what i perceived as an ethical conflict in the anti-'rootkit' domain. it detailed the actions of two of the most notorious names in stealthkit research, jamie butler and greg hoglund, and how they were profiting from making a particular niche of the malware problem more popular (and thus, inevitably a bigger problem).

one of the things i pointed out was that symantec was working with a start-up company (komoku) that had jamie butler (author of what was at one time one of the most widely deployed stealthkits around) as its chief technology officer. i thought the fact that an anti-malware company was in bed with a company that hired such a high profile malware writer deserved at least a moment of reflection, considering the hard-line stance anti-malware companies take on hiring malware writers themselves. at the end of the day, mind you, that start-up was focused on prevention so maybe the argument could be made that mr. butler had reformed or was trying to reform in some way. (mr. butler has since moved on to mandiant, along with his disciple {the FU2 to butler's FU} peter silberman)

when i read earlier this past week that another anti-malware company (mcafee) had been working with greg hoglund's company (hbgary) i thought it an interesting historical footnote but paid little attention to it beyond that (though, if i had remembered that mcafee had once been pointing fingers at rootkitDOTcom, maybe the hypocrisy would have stood out more). after all, little attention seemed to be paid to such connections five years ago, so why should this time be any different? well, that was before i knew what hbgary was into.

apparently, on top of the legitimate work that one can find out about by visiting the hbgary website (which of course i won't link to), it appears that hbgary also writes and sells malware for fairly large sums of money. the customers for their malware include the government/military but might not stop there. even if that set of customers does stop there, hbgary appears to be in the high-end commercial malware business.

so where does that leave mcafee? it leaves them in bed with commercial malware writers. while AV companies have been proclaiming for decades that they don't and won't hire malware writers, apparently they don't have to. they can simply partner with the boutique security shops that do. clearly they are not picking their business associates as carefully as they are their actual employees.

and then there's the claim that surfaces from time to time that AV companies won't make special provisions to keep malware deployed by the authorities from getting detected. what's the point of making such a claim if you're just going to turn around and do business with the company that may very well be making said malware?

how many other AV companies, besides mcafee, were or are in bed with hbgary? how many are in bed with companies LIKE hbgary? where's their ethical high horse when it comes to partnerships? why wasn't the "malware writers need not apply" policy updated when commercial malware became the norm and presented the loophole we see before us today?

some AV companies are rewarding malware writers financially. it may not be in the ways we traditionally thought of, but with the #2 company in the industry involved in this practice (and arguably the #1 company as well, depending on where you want to draw the line), the end result is AV companies contributing to the commercial success of malware writers, and that is not ok at all.