Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

Schneier On Scareware Vendor Lawsuits 148

Bruce Schneier's blog says "This is good: Microsoft Corp. and the state of Washington this week filed lawsuits against a slew of 'scareware' purveyors, scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software. "
This discussion has been archived. No new comments can be posted.

Schneier On Scareware Vendor Lawsuits

Comments Filter:
  • Microsoft is as big a culprit of this as anyone.

    • by tzhuge ( 1031302 )

      I'm actually not sure what you're trying to say... Your comment vaguely appeals to \. sentiment, but what exactly are you getting at? MS spreads FUD is somewhat off-topic...

      Are you suggesting that MS scares users with security alerts into purchasing their software, which is legendary for being secure?

      • Re: (Score:3, Insightful)

        by Hyppy ( 74366 )
        An important update to your software is available! Please download and install "Windows Genuine Advantage" now!
  • by El_Muerte_TDS ( 592157 ) on Thursday October 02, 2008 @08:33AM (#25232061) Homepage

    scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software

    Sounds a lot like an average Windows advertisement.

    • They're suing for patent infringement - not because they have a problem with scareware.
    • Not like the ones they show in my country. If the scareware authros operated like those ads they'd tell people that their software enables them to fly through the air with Madonna playing in the background. Or that some random people are personal computers. Or that some woman called Serena uses the internet. Or that Jerry Seinfeld is actually a shoe salesman.

      The key difference is that the scareware authors actually give you a(n invalid) reason to use their software while Microsoft's ads are just random no
  • by g051051 ( 71145 ) on Thursday October 02, 2008 @08:34AM (#25232073)

    Why does this even reference Bruce Schneier's blog? There's no added value from there. Why not just reference the original article?

  • by DimmO ( 1179765 ) on Thursday October 02, 2008 @08:34AM (#25232075)
    http://www.schneier.com/images/book-sos-175w.jpg [schneier.com] "The closest the security industry has to a rock star" Well, if that's the case, I'll believe anything he says then. I love rock and roll.
    • by Notquitecajun ( 1073646 ) on Thursday October 02, 2008 @08:51AM (#25232267)
      So put another dime in the jukebox, baby.
      • They need to update that song, though "Put another $1.25 in the jukebox, baby" just doesn't have quite the ring to it.
        • by Miseph ( 979059 )

          Yeah, not to mention that the advent of mp3 players and decent portable speakers means anyone who drops $1.25 into a jukebox to listen to whatever shitty music it has in rotation is a tool.

          Hmm... do I want to pay through my nose to listen to Journey, or should I just whip out my cell phone and crank some Black Flag? Gee, this is a toughie...

  • If Schneier wants to stop scaring people he should consider trimming his beard. That face-fro looks like it runs Crysis.
    • by mcgrew ( 92797 ) *

      If Schneier wants to stop scaring people he should consider trimming his beard.

      Halloween's coming up.

      A state government and Microsoft both doing something I approve of? What's this world coming to?

    • Re: (Score:3, Funny)

      by Fred_A ( 10934 )

      I don't know, add glasses and a crowbar and he could star in a videogame. Seems to me like the kind of guy you want talking about computing.

    • Re: (Score:3, Funny)

      Never!

      I wouldn't trust a cryptographer without a beard.

  • by MosesJones ( 55544 ) on Thursday October 02, 2008 @08:35AM (#25232085) Homepage

    scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software

    It was an Apple thing I think warning about some company who was pushing some "extra secure" version of its operating system which in fact gave you less performance and kept nagging at you the whole time. Yup I thought so [youtube.com].

    Oh wait this is some OTHER companies who use security as a scare threat via nagging messages to get you to buy software.

    • Oh wait this is some OTHER companies who use security as a scare threat via nagging messages to get you to buy software.

      You mean M$ "scares" users with UAC to buy Vista? You got some problem with your logic.

      Last time I was checking [google.com] that trick didn't fly.

      If this are lawsuits we're talking, somebody should charge M$ with false advertisement: many end-users were made to think that thanks to UAC Vista is more secure than XP.

  • by wvmarle ( 1070040 ) on Thursday October 02, 2008 @08:36AM (#25232101)

    I'm truly impressed that people can come up with security warnings about Windows that are not true... after all, is there anything as insecure as Windows?

    The only thing I think they may have a case with is of course the fake software, as in software that does not do what is advertised. And I'm not even thinking of Windows itself this time.

    • by sjwest ( 948274 ) on Thursday October 02, 2008 @08:56AM (#25232331)

      If you run a linux os with a modern web browser, and you visit a site with the scareware it is mildly amusing to see that your registry is screwed up and the site looks like internet explorer in colour scheme but you can download an exe to fix.

      Its happened twice to me, and i find them amusing.

      Im quite sure this is how windows zombies get signed up, but my penguin knows better.

    • by Swizec ( 978239 )
      There is a monster out there less secure than windows and it is called Internet Explorer.
    • Re: (Score:1, Interesting)

      by Anonymous Coward

      last time i checked metasploit had at least double the attack vectors for linux than it did windows.

      so, i would say linux is less secure than windows.

      • by MadJo ( 674225 ) on Thursday October 02, 2008 @09:32AM (#25232763) Homepage Journal

        Were those attack vectors directed at Linux or at packages running on Linux?
        Apache != Linux
        MySQL != Linux
        etc

        • In that case you should say the same about Windows. Most of the attacks (particularly drive-by attacks related to surfing) are targeted at IE, an application. Oh bad example, according to MS it's an integral part of the OS. Never mind.

          Then there are attacks directed at Outlook, ISS, and so on. Very few are directed at the Windows core. Same will account for Linux: unless the attack is done locally (most are over a network), it is always an application that is the first line of defense.

        • by KGIII ( 973947 ) *

          To be fair we'd call a vulnerability in Internet Explorer or Windows Media Player a "Windows" vulnerability even though those aren't actually Windows. Hell, the N version doesn't even ship with WMP and, I forget, may not eve ship with IE.

          • That is because those come with Windows, and you can't uninstall them (Oh, yes, the EU justice can uninstall WMP. Nut most users are not as powerfull as the EU.) while most Linux distros don't come with MySQL and Apache running by default.

            • by KGIII ( 973947 ) *

              Then again Firefox ships with most versions of Linux that I have downloaded. There aren't a whole lot of exploits at the kernel level for most modern OSes. Those that do exist are often patched fairly quickly. The flaws that I typically see are at the application level regardless of the operating system. Which was mostly what I was saying in the first post but I wasn't very clear, my bad.

              • Yes, I'd agree that a flaw of Firefox shlod be counted as a flaw of Linux, as should a flaw of Openoffice.
                • Would you count a flaw in MS Word as a flaw of Windows? It doesn't ship with Windows, but most people buy it separately and install it.

                • Hm-m-m. So if Firefox on my windows box is exploited, Linux should be blamed? Maybe this should be attributed to the actual problem, firefox...

                  • by KGIII ( 973947 ) *

                    Actually? Side note... I'd say no to your question but if there's a flaw in Firefox that allows the underlying OS to be rendered vulnerable the flaw resides with both for having allowed the application to perform functions not authorized by the user. The question then is how to fix it... I don't know the answer to the question unfortunately.

                    I have a bad analogy if you want/need it.

                    If I let a stranger into my home and he then murders my child then the fault is his. At some point, though, I made a choice to l

              • by Xtifr ( 1323 )

                Then again Firefox ships with most versions of Linux that I have downloaded.

                Really? I don't think a single one of the Linux servers in our farm has Firefox installed. On the other hand, I think all of our few remaining Windows servers have Firefox installed. :)

                • by KGIII ( 973947 ) *

                  Why yes. "That I have downloaded." I haven't tried them all though and the only servers that I use with Linux on them run CentOS and, to be honest, those don't even need a browser. Instead I have to keep Apache, PHP, WHM, cPanel, etc updated. OSes become insecure when we start piling applications on them.

            • That doesn't mean you're forced to use it.
      • Does it list exploits for each distro separately? Does it list exploits for all the different mail servers etc you might choose to run on it?

    • by gaderael ( 1081429 ) <[moc.liamg] [ta] [learedag]> on Thursday October 02, 2008 @09:33AM (#25232785)

      ...after all, is there anything as insecure as Windows?

      Emo kids?

    • 1998 called, they want their insecure windows jokes back.

      • Yes I know, big strides have been made by Microsoft to improve it. The whole design of Windows unfortunately has never been with security in mind, this in contrast to Unix and it's clones and derivatives which is designed to be part of a network and multi-user.

        Microsoft has a lot to do to really make it secure, and when seven years of development for a minor upgrade (XP to Vista) can't fix it, nothing short of starting from scratch can.

        Win XP/Vista is a huge improvement over 98 and ME, however the number

    • by CSMatt ( 1175471 )

      WARNING! Your computer may have spyware. Click here for our FREE REGISTRY SCAN!

    • by fyoder ( 857358 ) *

      I'm truly impressed that people can come up with security warnings about Windows that are not true... after all, is there anything as insecure as Windows?

      Question of probablity. They might have had a chance if their warning had said "Your computer is probably infected", but it is conceivable that there exist Windows boxes recently installed from behind a firewall which are not infected at all, so they can't say "Your computer is infected".

    • They have warnings like

      "Warning, your computer is broadcasting its IP address over the internet. With this information, any website you visit knows where you are".

      Well of course it does. With out that information, how is it going to send the web page you asked for.

  • I'm actually kind of surprised Microsoft has taken this long to take action against those "scareware" guys. It sort of makes one wonder how much of a legal leg they have to stand on. Any lawyers/other legal minds care to weigh in on that?
  • colors (Score:4, Interesting)

    by apodyopsis ( 1048476 ) on Thursday October 02, 2008 @08:46AM (#25232217)
    I'm confused, I don't use windows, but surely somebody could just change the desktop colors and then when a warning alert turned up in the old colors they would know it was a scam?

    Is that too obvious?
    • Re:colors (Score:5, Insightful)

      by MBGMorden ( 803437 ) on Thursday October 02, 2008 @08:57AM (#25232349)

      Too obvious for your normal user, yes. Your average geek isn't going to get fooled by these things anyways (heck with the way NoScript and my popup blockers are set I don't see them at all anyways). But to the guy who fumbles with the power button and whose eyes glaze over when you speak of "cut and paste", changing the window colors and then having the foresight to pickup on a different color showing up being bad, is way beyond their capabilities.

      • Sad thing is, that's actually true. There are such people.
      • Re: (Score:3, Insightful)

        by _Sprocket_ ( 42527 )

        One of my insights doing a stint behind a helldesk was that some otherwise competent, intelligent people will disengage their thought process when sitting behind a keyboard. Sometimes I felt like psychiatrist - or at least what I suspect many of them do:

        1. Listen to problem.
        2. Restate problem as a question.
        3. Confirm answer given by customer is correct.
        4. Assure customer that while correct answer WAS somewhat obvious, we get it all the time and a lot of folks don't figure it out on their own. Add reas

        • I felt like psychiatrist

          What you describe sounds more like what a psychologist/counselor; my understanding is that the job of a psychatrist is similar to that of your general care physician except applied to mental health: diagnose badness and suggest/prescribe interventions, and if the intervention is psychotherapy also carry it out.

          In some cases, cognitive therapy may be as simple as you make it out to be, but there's more to psychiatry than meets the eye (I would think). OTOH, there may be not much more to psychquackery than t

          • What you describe sounds more like what a psychologist/counselor; my understanding is that the job of a psychatrist is similar to that of your general care physician except applied to mental health: diagnose badness and suggest/prescribe interventions, and if the intervention is psychotherapy also carry it out.

            Actually - you're quite correct. You caught me being lazy. I actually have had some exposure to those aspects of health care and have learned some of the differences. I suppose a real general way of contrasting the two is that psychiatrists use drugs while psychologists talk. Someone in the field could probably go in to considerable detail and outline how accurate but wrong that statement is. :)

            It's all rather complex stuff. At the least, it appears to be sufficiently complex as to appear simple to the

    • True Story:

      After reformatting, one of the first things I do is go to AVG's website and download some virus protection. I google, and, thanks to a shitty mouse or my stupidity, accidentally click on another legitimate website. Adware, crapware, and more all taint the once pure machine via IE. All because AVG returned a couple of sites that are no where near legitimate.

      No warning would have helped in that case.

      • by Tikkun ( 992269 )

        True Story:

        After reformatting, one of the first things I do is go to AVG's website and download some virus protection. I google, and, thanks to a shitty mouse or my stupidity, accidentally another legitimate website. Adware, crapware, and more all taint the once pure machine via IE. All because AVG returned a couple of sites that are no where near legitimate.

        No warning would have helped in that case.

        Fixed.

      • Re: (Score:1, Interesting)

        by Anonymous Coward
        I had something similar happen to me when looking for DaemonTools - except it was the legit site itself that was riddled with adware and spyware! I was even using Firefox with Avast! installed. I believe it had used that PDF vulnerability that was discussed on here a bit ago.
      • Something that may help you in the future is if you can't remember the exact site of a software vendor and have to search for it, instead of using google, try wikipedia. It's a lot harder to get thrown off there than it is in a google search page with something like 36 different variations of avgsoftware.com or whatever with only one of those being the actual one you are looking for. With Wikipedia, in just about every article for a piece of software, there is a little box on the right hand side telling t
        • by Feanturi ( 99866 )
          What I find effective when using Google to find a vendor, is to entirely ignore the sponsored links at the top of the result list. These will tend to have been bought by competitors of the vendor you are looking for. The next result down after the sponsored links is most likely to be the place you are looking for. They need to stick with pagerank and get rid of the "sponsored" crap, it can't be trusted.
    • Oh, it gets worse. (Score:2, Insightful)

      by RulerOf ( 975607 )

      but surely somebody could just change the desktop colors...

      It's worse than that, because it's even more obvious.

      This is where the end-user epic fail really is:

      Security Alert - Windows Internet Explorer

      Or

      Security Alert - Mozilla Firefox

      End users have so trained themselves to not actually read dialogs that they simply can't tell something they've seen before from something they have not.

      It doesn't take a genius to sit at a computer for hours, and hours, and hours on end, every day, at work and at home, to recognize that your "Security Alert - Windows Internet Explorer" causes the cursor to turn into a pointing finger, just like a hyperli

      • So... you're saying that the mugger should be penalized less, because the victim asked for it? Please, stop with this blame the victim nonsense.

        • Re: (Score:2, Insightful)

          by RulerOf ( 975607 )
          No.

          I'm saying that if you're too ignorant to understand that you're asking for it because you feel it's not worth your time to learn anything from your hands-on experience, then it's your own damn fault that you put yourself in that situation. I never said there was anything right or just about crime.

      • by KGIII ( 973947 ) *

        I'm a fairly small guy and, well, to help pay my way through college I actually worked as a BOUNCER in a biker bar for a while. Media puts out the idea that bikers are tough and mean but, really, they're quite tame for the most part. I'm maybe 175 pounds and 5' 11" (I was a bit heavier back then) and I never had a problem. Most of the time it was just a matter of asking someone to leave. Yip... No muggings, not much fighting, no broken cue sticks, no broken bottles, no stabbings, no rapes, no murders, etc..

    • by CSMatt ( 1175471 )

      I've occasionally seen actual dialog boxes pop up with these warnings back when I used Windows and IE, so it isn't just graphics that look like boxes.

    • Most Windows users never change the default colors, or even that stupid grassy knoll background image.

      • Most Windows users don't know that the default colors can be changed. As far as the background goes, I worked for four months in a small tech shop and was the only person there not using the default wallpaper. Not because everybody else was too busy to do it, just too lazy.
    • Actually, I do just this to people who's computer I fix on a regular basis. I then tell them "If the bar is blue, it's fake."

      It works quite well.

  • by compumike ( 454538 ) on Thursday October 02, 2008 @08:46AM (#25232221) Homepage

    The law referenced "makes it illegal to misrepresent the extent to which software is required for computer security or privacy." This is such a fishy thing that I'm not really sure if I want courts to determine what exactly is required and therefore whether it is being misrepresented.

    Now, maybe there's a case for fraud if the program doesn't do what it purports to do in its advertising, but that doesn't seem to be what's at stake here.

    There also might be a case for fraud if, perhaps, the advertising pop-ups are being confused for actual Windows messages. But I suppose in the "real world" advertisements mimic other things to be creative, but are still fairly obviously ads.

    Just not sure I like the sound of a law that requires a judge or jury to determine what's required for computer security.

    --
    Hey code monkey... learn electronics! Powerful microcontroller kits for the digital generation. [nerdkits.com]

    • by db32 ( 862117 ) on Thursday October 02, 2008 @08:49AM (#25232243) Journal
      Sounds like it could be used for Microsoft to take a swing at all of the legitimate anti-virus/scumware/etc apps for advertising how critical their software is because Windows has so many problems.
      • by Akardam ( 186995 )

        Sounds like it could be used for Microsoft to take a swing at all of the legitimate anti-virus/scumware/etc apps for advertising how critical their software is because Windows has so many problems.

        In that case, can we use the bit that says "illegal to misrepresent the extent to which software is required for computer security or privacy" to sue Microsoft for advertizing "the most secure version of Windows yet" and claiming that the likes of XP and Vista are designed in a security concious way (implicit in t

        • by Forbman ( 794277 )

          Somewhere, Microsoft's explicit statements of non-warranty of fitness and non-warranty of merchantability for its products has got to come into play here (http://en.wikipedia.org/wiki/Implied_warranty).

          In some ways, Microsoft uses its own lack of built-in security features in its products to sell its own other products that provide said security functionality...

          This lawsuit seems to be bound a bit in circular logic, and I don't think really benefits the consumer in the end at all.

          Microsoft making their prod

    • What actually happens is a lot of these people will go to visit porn sites (or sometimes this is not even necessary). They'll get a pop up from the site saying that they're infected, and that they should download the program. That infection can then lead to more serious malware coming on to the computer, and in some cases, will load that fake BSOD with crap BSOD messages while the infection is doing it's bidding in the background. I think the main reason microsoft is part of this is because alot of what I
  • The legal 'teeth' for these actions is the RCW. Scumware purveyors are exactly that - scum. It will be fun to see a weasel in the ring with a tag team of 800 lb gorillas.
  • by Jessta ( 666101 ) on Thursday October 02, 2008 @08:59AM (#25232377) Homepage

    "the law makes it illegal to misrepresent the extent to which software is required for computer security or privacy,and it provides actual damages or statutory damages of $100,000 per violation, whichever is greater."

    lol, so all the anti-virus software companies(Norton, NOD32,VET etc) and anyone selling 'personal firewall software' is pretty much screwed.

    • Maybe not a geek. The average user, in my experience, can't keep viruses at bay without them.

      While a lot of AV makers will try to convince you that you'll be screwed without the $100 security suite, they tend to sell what they say they are selling and don't have fake positives in the product in an effort to try to convince you to buy them.

      And anyone that ran Windows XP RTM/SP1 knows that a firewall of some sort was required (hardware or non-Microsoft software) due to all the exploits. You could be own
  • [...]scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software.[...]

    Isn't most computer security software useless anyway? I GOT NORTON YOU CAN'T TOUCH ME!
  • by Jawn98685 ( 687784 ) on Thursday October 02, 2008 @09:20AM (#25232601)
    When will these ultra-liberal, extremist zealots realize that more regulation just doesn't work? It is no suprise to see that the term "worthless security software" should be bandied about by such out-of-touch elitist snobs. We all know that the free market should determine what is "worthless" and what is not. Why do socialist thugs like Microsoft and the Washington State Attorney General's Office get off, trying to bully patriotic, tax-paying, small computer security businesses this way?
    • by nhtshot ( 198470 )

      You're right!

      But, I can tell from your message that you have a high level of contamination in your home drinking water. It's already affecting your speech. I'm from the Federated Department of Drinking Water Security. (Flashes badge that is a perfect knock-off) You have nothing to fear though, for a nominal fee, I can provide you with a water security solution that will keep your faucet from broadcasting it's location to the evil germs and heavy metals that are lurking just outside.

  • It's about time (Score:2, Interesting)

    by jassa ( 1092003 )
    I'm glad someone is finally taking action against these malware scammers. I do tech support part time and 95% of my recent virus removal jobs have involved these nasty little programs.
  • ... the one you got while trying to run Windows on DRDOS?
  • by kaltkalt ( 620110 ) on Thursday October 02, 2008 @03:36PM (#25238187)
    Modern commercials rely on one of two things to sell a product or service. One, you will improve your chances of having sexual intercourse with a desireable mate if you purchase our product/service. Two, you are in danger and you need to purchase our product/service to be safe. Over the past couple of years the "scare" meme has turned into more of a direct threat. The best example is those horrible, evil free credit report dot com commercials, where they come out and say if you don't buy our product you'll lose all your money and have to work at a crappy seafood restaurant and drive a shit car (the fact that they're selling something is only to be discerned in the fine print at the bottom of the commercial and the last few words, quickly rattled off, at the end of the commercial). "Buy our product or be poor" is a threat. Auto insurance companies do this a lot too... I just saw an Allstate ad that showed a family losing all their money due to a car accident because they didn't have Allstate insurance. None of these threats is a legitimate concern for consumers. There's nothing different about saying consumers have a security problem on their computers and need to buy software to fix it. "Buy our product or hackers will destroy your computer and steal your private data." It should be illegal to threaten consumers. Such commercial speech should not be protected by the First Amendment.

"All the people are so happy now, their heads are caving in. I'm glad they are a snowman with protective rubber skin" -- They Might Be Giants

Working...