Security Vendor McAfee to Pay $50 Million Fine

goombah99 writes "RedHerring.com reports that Security Vendor McAfee has agreed to pay a fine of fifty million dollars stemming from false SEC filing. McAfee cooked its books, overstating its revenues one year by 131%, or half a billion dollars. The method employed was 'channel stuffing' in which compliant re-sellers are effectively paid to buy and hold inventory they may never sell. The shipped goods are booked as revenue and the payments disguised in the books. When it caught up with them, McAfee's stock price crashed, wiping out a billion dollars of shareholder capitalization. The story quotes an analyst saying this maybe the swan song for the once dominant vendor."

Oh, what a...

disappointment. After they're gone, I'm sure it'll only be another twenty years before I stop seeing customers' boxen with Macafee's anti-virus expired demo notification popping up every time I touch it. Maybe they should have given away more nagware, that might have helped.

Re:Oh, what a...

I see plenty of Norton demo expiration alerts appear on computers I fix. I think it's misleading and annoying to have virus protection expire after 90 days of use. I've seen plenty of people who see that Norton or McAfee is still on their system so they think they're protected. Of course, the responsibility of wise computer use should be that of the user, but let's face it, most users don't know much anyway and having their anti virus expire on them just confuses them more.

Re:Oh, what a...

When I was just a boy, Norton AV killed my father. I will never forgive it! NEVER!

Re:Oh, what a...

Well, that's funny. I don't see ANY nagware out of mcafee and that's part of the problem. I see it updating whenever it's an active subscription, but after that it just doesn't do anything. This is the online/newest version not the old stuff that did nag all the time. The problem I see with McAfee is everything is all online. While that's a good way to do it, customers sign up, then change ISPs, then change ...., and a year later they don't remember what information they used for online registration. The client doesn't even show their email address used so you have to take guesses at it. In several cases they have to buy a brand new AV client simply because they don't have access to the old email address.

Furthermore, I've had cases where their antivirus would keep the anti-spam from working and thus mail would never get delivered. It would just sit there fighting each other. Let's not even talk about the thousands of machines that come into my shop that won't even boot because McAfee is damaged. Boot into safe, uninstall McAfee and the system will boot properly.

I don't disagree that you would see McAfee for years after it's gone (by whatever method), but that's partly because of the poor way they keep the customer informed and handle the account/licensing. Their products are in desperate need of a complete revamping. I even get about 300 "spam from your network" emails because of their crap client a day. Not a single one of them come from my ISP, they just spoof an email address on domains run/hosted by us or spoof our domain in the EHLO statement.

That's not to say Symantec is any better. Up until the 2006 version I was pleased with Norton, but now it's just so in your face that you have to wait 5 minutes after boot up before really doing anything because of a popup screen that says "Norton is up and working properly" kind of crap and will sit there for 30 seconds or until you physically close the window yourself. I've had quite a few times their stupid little popups gets right in my way, or even kicked me out of a game I was playing

Mainstream AV is too intrusive (but I can understand why since users just keep ignoring what it's saying) and in several cases ineffectual. They are all bringing a false sense of security and allow users to think they don't still have to follow good security on their own like....I don't know....not opening email attachments they aren't expecting.

On that note, I'll bet money on the fact that more than 70% of the computers that were infected with the most recent outbreak of the sober virus were all computers purchased with McAfee OEM with only 90 days of service and probably half of those weren't even activated the other half were unknowingly (or uncaring) expired. Gotta love it when OEMs use McAfee as the default OEM product by default.

The thing to remember about nag screens, they are there for a reason. Users always "oh, I just clicked close on that" and then complain about "why do I get viruses", "why do people do that", "is there anything I can do to go after these people?", and my personal favorite "what can I do to keep this from happening again?".

Re:Oh, what a...

I wasn't happy with Norton 2k4, but it was Norton 2k5 that really made me lose it. Resource hogging, constant badgering. I had the damn software running on a machine that was pretty well protected anyway, so the intrusiveness of it was infuriating.

I've noticed when people have the fancy Norton Security Suites installed, they tend to disable them because it makes it too annoying to browse the internet, for example. You get psychotic firewall notifications every few seconds, and it doesn't really remember what applications are safe, so it bothers you over and over for the same damn program.

It's that funny thing with security...The best security is so restrictive that people ignore it and disable it whereever possible...Like requiring 10 digit passwords, changed monthly...those damn things are always written on a sticky, stuck under the keyboard.

Re:Oh, what a...

After reading up on the whole thing, McAfee did the funky accounting in the period from 1998 to 2000, and had $50m laying around, "reserved" for when they'd need it to pay the fine. I don't think that McAfee is really going anywhere any time soon.

wtf?

This is reminiscent of Enron's mark to market [investorwords.com] accounting, wherein you basically determine the real market asset value, then you just make up a bunch of shit.

Re:Yes, it is what Enron did.

It appears that they may have actually been implementing more than one bad accounting practice.

Why limit yourself to just one.

Re:wtf?

They started early in their career and never stopped these kinds of tactics:
http://www.billparish.com/msftfraudfacts.html [billparish.com]

Financial Pyramid Building Techniques Being Used by Microsoft:

"Stock option programs are an excellent benefit and many companies use them responsibly. At Microsoft, however, stock option accounting is only one of its many pyramid building techniques, what could be called a cash generating component. Additional pyramid building techniques include the following. It is important to note that the genius of the pyramid scheme is to leverage share growth from investors using a passive investment approach based upon indexing to the S&P 500. Most smaller and mid size technology firms are not in the S&P 500 and therefore are locked out of this key aspect of the pyramid from the beginning. ..."

and there's more. This accountant outlines 12 things Microsoft did and then describes the effects on our economy of those 12 things.

Fines are not enough

Fines are not enough and hurt shareholders more than those who are responsible: the executives. The true punishment should be fines and jail time for the COO, CFO, CEO and all the other Cx0's. What does fining a company do except bleed the shareholders?

Wait just a minute

Fines are not enough and hurt shareholders more than those who are responsible: the executives. The true punishment should be fines and jail time for the COO, CFO, CEO and all the other Cx0's. What does fining a company do except bleed the shareholders?

Hey, wait just a second. Leave the poor CTO out of it :-)

Re:Fines are not enough

As far as I can tell, SOX only causes pain and suffering to IT and accounting departments, and does not actually prevent executives from doing anything wrong. (IMHO as a low-level network flunky as part of a publicy-traded company)

Re:Fines are not enough

Dude, the whole function of the corporation as we know it is designed as such to shield individuals from direct legal action. That's why they're so popular.

Dude, you don't know what the hell you're talking about. Corporations shield their owners from bankruptcy and civil courts (to an extent). They do not shield the officers of those corporations from criminal charges. Just ask Enron Chief Accountant Richard Causey [cnn.com], who's serving seven years in jail for his role in the corporation's implosion. His old bosses, Ken Lay and Jeffrey Skilling, are about to get their day in court in the next few months, too. If they can find an impartial jury, that is (if they're smart, they'll try to plead out, but if they were smart they wouldn't have cooked the books in the first place...but that's another story).

I don't know where this myth of corporations protecting people who out-and-out break laws came from, but it's not in the least bit grounded in reality. The cases where corporate executives get away with murder, figuratively and literrally, have more to do with state corruption than the legal fiction behind the "corporate veil". The infamous Union-Carbide tragedy was as much an exemplar of the corruption in certain parts of the Indian government as it was the amorality of company officials.

One of the oldest

accounting tricks.

The method employed was 'channel stuffing' in which compliant re-sellers are effectively paid to buy and hold inventory they may never sell.

I think there should be class in 'B' school called, "Accounting Tricks That Get You In Trouble with the Law: You're not as smart as you think you are."

Re:One of the oldest

Actually, auditing is NOT fraud detection. The following wording is taken from a standard audit opinion letter:

http://www.dsbcpas.com/services/accounting/audit/o pinionaudit.html [dsbcpas.com]

Notice that fraud is NOT included in the opinion. The idea of fraud is to go undetected, and you cannot audit for collusion. Therefore, unless the environment suggests fraud is taking place, fraud is discovered by the company or auditor in the normal course of operations or the audit, or if the company reports to the auditor that fraud is taking place, it is extremely difficult to audit for fraud, if not impossible.

The following link is to the auditing standards by the AICPA
http://www.aicpa.org/members/div/auditstd/auditing _standards.htm [aicpa.org]
See:
SAS 1 - Responsibilities and Functions of the Independent Auditor
SAS 99 - Consideration of Fraud in a Financial Statement Audit

It's good to be the king

Seems like a lot of companies are into hot potato. When did it become frowned upon to care about what happens to the business five or more years down the road?

AddaFee

And people wonder why they don't trust the government, the stock market, or anti-virus software to do what is right and correct. They need to run a thorough fraud scan on their accounting software and then quarantine the fraud.

if they're that corrupt

If they're corrupt enough to fuck their shareholders like that, I wonder what other lengths they're willing to sink to. Eg., I wonder if any of the anti-virus vendors actually create viruses themselves, so they can get one up on the competition by having the virus definitions already complete.

I'm not making any accusations, of course, just food for thought. But, with all the corruption in corporate America these days, I'd actually be surprised if something like that hasn't taken place in at least one of the major firms.

what interests me

what interests me is what norton/symantec is going to do, now that (one of) their biggest competitors is in such a position.

well, that's easy...

what interests me is what norton/symantec is going to do, now that (one of) their biggest competitors is in such a position.

Norton/Symantec are now going to do what every good corporation does nowadays.. .. try and find another method to cook their own books since this method seems to be flawed...

Me, cynically...

The age-old intrinsic problem with capitalism

It's always easier and often more profitable to take the money and run then build for the future.

Microsoft Rescue?

Seeing as how they (MSFT) are playing the anti-spyware role, maybe McAfee is ripe for a MSFT buyout and integration with Vista?

Who else are they lying to, and about what?

Hmmm... a company that cooks the books so they can lie to shareholders. What other unethical/illegal/standard business practices are they up to?

50 million fine for a 500 million dollar fraud?

No wonder corporate fraud is so popular. Even if you get caught, the cost is less than the benefit.

This will continue until a lot of these people end up in prison for a few decades.

Good bye, so long

Never liked them anyways. 'Stuff was crap.

Microsoft induced panic

They probably figured they needed to do something. After all... a 800 lb gorilla (called Microsoft) just entered their space. So they are screwed anyways.

Irony

Sorta ironic...all of our machines here at the SEC building I work at have McAffee virus scan installed. Not having it updated to the most recent virus lists is something that's gotten me kicked off the network at least 3 times.

--trb

Wonder how this was picked up

Since Sarbanes-Oxley has only been in effect since last fiscal year, I wonder if this was caught during a SOX audit or it just got outed on its own.

WTF?

When it caught up with them, McAfee's stock price crashed, wiping out a billion dollars of shareholder capitalization.

If I cause damage worth X dollars, you can bet your ass that I will be forced to repay the amount. And yet these guys get away with paying a nickel per dollar? Shouldn't they be forced to compensate the shareholders for their losses? Take it out of the paychecks of all of the top executives! Throw some in jail! At the very least, take back the money these executives made due to the artificially high price.

Welcome to earth

Shouldn't they be forced to compensate the shareholders for their losses?

No. No, they shouldn't. The shareholders bought the stock hoping it would go up. It went down. The shareholders factored in various kinds of risk -- market risk, credit risk, compliance risk. Looks like they should have allowed more for compliance risk in this case, but that's life.

Are you suggesting that whenever a stock goes down because of human stupidity/greed/malice, investors who were holding it at the time should be compensated?

What about when a stock goes up? Should investors with short positions, be compensated?

Who should do the compensating? I don't think McAfee has that kind of money now.

I think it might be a lot simpler and fairer to just expect investors to take responsibility for their own investments.

I also think that it's pretty fucking sad that the above is no longer intuitively obvious to everyone.

System Scan Results:

....16,284 files scanned. Warning! Unknown file found: CookBooks.exe Do you wish to Quarantine or Delete?

Damn

McAfee cooked its books, overstating its revenues one year by 131%, or half a billion dollars.
Anyone else disappointed it wasn't for making shitty and processor hogging software?

You gotta wonder

is that all they've been up to? Like making viruses...

I can't believe they can get away with it

All the recent accounting scandals basically start with artificially incresing the revenues in the books, but from the beginning it is clear that at some point all of it will go down.

In this case, sure they can ship like mad to the distributors, but at some point the distributors are going to stop accepting and sending back the excess supplies. This could only work if demand for their product will dramatically increase in the future, but I doubt they were betting on that.

Given all this I can't understand how the executives of these companies hope they can get away with it. I guess that given all the pressure and stress that they face, their judgement is clouded and they hope for a miracle in the future. I am especially surprised by these methods b/c they generally only work for a very short time. If they worked for 40-50 yrs I could understand why the executives use them.

Honest mistake...

I hear this was caused by an Excel Marco virus, only McAfee was to embarrased to admit it.

Then why is the stock price up?

The death of McAfee is exaggerated. Look at the stock price [yahoo.com]over the last 24 hours: it's up 1 point...

How come...

... I can't find a company that want's me to take part in channel stuffing? What a great deal...

1. Get paid to buy a ton of stock with an agreement not to sell it for x months / years.
2. Tip off SEC.
3. Supplying company dies.
4. Sell stock.
5. Profit!

Well damn!

So much for my three free months of system resource hogging antivirus protection that came with my new PC.

This is yet another reason to go with Trend Micro.

Swan Song?

Apparently, I missed the analyst gloom/doom forecast. I did see this:

Analysts said the settlement would close a chapter in McAfee's history and let the company focus on its market, which is expected to heat up this year with the entry of Microsoft.

Here's their finance info on Yahoo [yahoo.com]. They seem to have a $4.73B market cap and are currently dead center of their year stock price range.

Doesn't seem that damaging to them, actually - though they are in for a tough scrap when MSFT gets in the act.

McAffee?

I think you mean Network Associates [nai.com], who bought McAffee years ago. Just after they'd bought Dr Solomon's, in turn, as it happens.

A slope vs a cliff

These kinds of antics, while not always as dramatic, are widespread and endemic. Execs can and should be held accountable, but the kinds of incentives to "cram" within the last part of a fiscal period come from the revenue-reporting environment in which companies exist, namely from the cut-off cliff that ends a given fiscal period. I think it'd be a major step forward to get rid of this cliff, and replace it with a slope. For example: let 't' denote a value between 0.0 and 1.0 denoting how far into the current fiscal period the company is. Any booking made at time t is booked in the current period by multiplying by (1.0-t), and the remaining fraction is reported in the NEXT period. Cubic, non-linear curves could be used, but the point is that this would avoid the all-to-common situations of salesmen frantically calling in favors during the last few hours of any given period.

Good riddance

I've been disgusted with McAfee for a while, but I finally had enough when my parents got a new Dell recently (which ships with McAfee for some configurations).

I installed Firefox and made it the default browser. Then I tried to configure some of the advanced McAfee antivirus options. First, I couldn't even open the interface because McAfee must use IE (with ActiveX) to produce the GUI. Since Firefox was set as default, McAfee just spun and spun fruitlessly until I realized what was happening.

Then, my last name has an apostrophe in it. Alas, McAfee cannot launch the AV scheduler if your logged in user name (on XP Home) contains an apostrophe. That took a LONG time with a McAfee tech to figure out.

Never again. Crappy software for a crappier company.

Accounting Fraud Detection & Protection

I bet there's a market for a little windows program that sits in the system tray and monitors the revenues and accounting trends of a particular company. It could match the trends and heuristics of the financials against known trouble patterns. When something suspicous is detected it could pop up a warning, or ask the user what they want to do.

WTF?!!!!

Would somebody please tell me why nobody is going to jail over this? %%!@$* it torques me off when nobody in corporate america is ever held accountable for outright fraud and are allowed to continue to draw seven and eight figure salaries + infinite perks and incentives at the expense of employees, stockholders and customers.

Don't admit guilt - avoid jail?

Isn't it about time CEOs start going to jail for this kind of fraud and deception? How many folks lost their retirement portfolio when this scheme crashed?

The fiction of the "CORPoration" - a "person" with even more rights and less responsibilities then a REAL person, a CORPUS, should be outlawed and people in charge held PERSONALLY responsible for these "corporate" crimes.

Very old details in commentary for the article

"When it caught up with them, McAfee's stock price crashed, wiping out a billion dollars of shareholder capitalization. The story quotes an analyst saying this maybe the swan song for the once dominant vendor." The scheme was discovered in 2000, and the billion dollar loss of capitalization occurred at that time. Since then, the stock has recovered virtually all of the lost capitalization, and had you purchased the stock in 2001 you would be ecstatic with the performance since then. Check out the following stock price summary from Yahoo: http://finance.yahoo.com/q/bc?s=MFE&t=my [yahoo.com]

So

The CEO of McAfee will get a slap on the wrist, if that?

Corporate execs are getting away with everything and not being held accountable for their actions. They are frauding stockholders, thats a crime, period. Yet someone with millions in assets can walk away from these issues without so much as reprimand.

From Nortel to WorldCom, Exxon, etc, these companies are being run by crooks aiming to get themselves richer at the expensive of stock holder just trying to invest in something to pay for their retirement.

In Canada, NO LEGAL ACTION has been taken against Nortel execs that drove the stock price over $100 and then allowed the stock to plunge to less then $5.00. The execs in charge simply walked away from Nortel with millions in compenstation while tens of thousands of people lost their jobs, pension, and stock holdings not to mention countless stock holders that lost their shirts investing in Nortel. Then, a few years after their stock price drop, Nortel was caught cooking the books AGAIN with no penalties!

This just proves the legal system and politics are corrupt, if you have enough money you can get away with anything, even murder, if you throw enough money into the system.

SENSATIONALISM

This story is being spun into sensationalistic crap. The story is, the fine is being levied by the SEC for, and I qtfa, "securities fraud ... during the period between 1998 and 2000." I used to work for McAfee, and I want to educate the community.

All of what you know as McAfee used to be called Network Associates up until about 2004. It was formed in 1998 by a massive buy-up of various software firms, including Network General and McAfee Associates - hence the name, "Network Associates." During this reign, the CEO committed the fraudulent acts, including the channel stuffing as indicated, and was eventually fired in 2000 or 2001 for fraud. The new CEO, George Samenuk, took over and has since been credited with turning the company around, reestablishing the McAfee brand identity, focussing on the core products, cutting loose various deadwood (including, unfortunately, the research group that I worked for), and returning the company to legitimate profitability. At an all-hands (the one time Samenuk braved a visit to us research dweebs), he explained that the old regime consisted of "crooks," and that he vowed to be forthright with the SEC and do his personal best to fly straight. To my knowledge, he has done a good job of that ever since.

This fine being reported today is a result of the SEC, acting in good government swiftness, merely enforcing a punishment for deeds done in the past, under different leadership. Take this news as no indication of the current state of the company or its leadership, but view it merely as a capstone to an unfortunate period in McAfee's history.

line them up against the Great Wall

This is one of the situations where I wish the US took a page from China's book on dealing with criminals. Take the executives, try them, execute them. Rinse, repeat. Maybe after a few executions corrupt executives would get the idea that destroying the financial lives of hundreds of thousands of people carries a stiffer penalty than, say, punching a cop.

That explains that math

Now I understand why their software used to tell my computer it had two viruses but could never do anything about them. The software was following the coorporate policy of overstating results.

what about the resellers?

Anyone know if anything happens to the 'compliant re-sellers'?
If they were getting paid to buy product on that scale - certainly that is a red flag that something is questionable. If it was deliberate participation on their part, seems there should be some repercussions for their collusion in this fraud. (or maybe just not covered by this article)

If law doesn't cover this for some reason, with that many resellers involved, amazing it didn't get exposed earlier on.

Just converted...

...the single Windows machine in the house (my girlfriend's) to Trend Micro's PC-cillin a few nights ago. The box had been using McAfee for over a year, and I really didn't like how it seemed to refuse to auto-update, and manual update's often buggy use of Active X controls (i.e. IE). I really liked their Scanmail for Exchange product, and I'm glad to use it for client use now, as they appear to have worked out some kinks that were present in earlier versions.

Yes, I can tell that PC-cillin also appears to use Active X for manual updates (would love to be corrected), but, in my case, the auto update works well, so there is no need to use the manual update. And I personally believe that the Trend Micro labs are quicker on the draw on new viruses and trojans, which, in the end, is what I pay for.

My recollections of those times

I was an employee on the inside watching this happen.

It was hard to say that McAfee actually defrauded anybody. It was quite clear in their quarterly reports that they were stuffing the channel. The problem was the Internet bubble when everyone was disregarding such things. Indeed: everyone was doing it, and McAfee was under enormous pressure to do the same sorts of things to inflate their numbers simply so that they wouldn't appear to be falling behind everybody else.

It also helped that Bill Larson, the CEO, was a crook. The press release pointed to some lower-level flunkies (the CFO of the time), but the real direction came from Bill Larson. He basically fired or drove from the company anybody with ethics. That meant that such abuses continued even after Larson left, because that's the culture that he created.

In one case, we were working on a product that wasn't finished yet. It didn't work. Bill Larson told us to ship it anyway, which we did. He record millions of dollars from it because it was in the channel (unsold). He then acquired a company, and wrote off the product in the channel as a "one-time writeoff". This sort of stuff is visible in the SE fillings, and people should have treated been able to see how much McAfee was writing-off for each acquistion, but analysists refused to look at those sorts of numbers. They, too, were under tremendous pressure to give every stock a glowing recommendation. The bubble was fragile: outing companies like McAfee by correctly interpretting their fillings ran the risk of bringing the entire bubble crashing down -- and their enormous fees.

Only M$50

fine for a billion in illegal gains - not a bad scam...

Old old old old news

This settlement pertains to actions taken in 1998 to 2000. The summary makes it sound like McAffe just got caught with their hand in the cookie jar, when in fact this is the compan