Schneier On Scareware Vendor Lawsuits
Bruce Schneier's blog says "This is good: Microsoft Corp. and the state of Washington this week filed lawsuits against a slew of 'scareware' purveyors, scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software. "
You are trying to file a lawsuit. Cancel or Allow? (Score:2, Informative)
Microsoft is as big a culprit of this as anyone.
Re: (Score:3)
I'm actually not sure what you're trying to say... Your comment vaguely appeals to \. sentiment, but what exactly are you getting at? MS spreads FUD is somewhat off-topic...
Are you suggesting that MS scares users with security alerts into purchasing their software, which is legendary for being secure?
Re: (Score:2)
every new version of Windows seems to have more security holes than the previous version.
Really? XP had more holes than ME? Vista had more holes than XP? You're clearly letting your opinion dictate the facts, and not the other way around.
Re: (Score:2)
Except the numbers seem to mostly back me up here.
Windows 2000 Professional: 182 Secunia advisories, 165 vulnerabilities. http://secunia.com/advisories/product/1/ [secunia.com]
Windows XP Professional: 219 Secunia advisories, 202 vulnerabilities. http://secunia.com/advisories/product/22/ [secunia.com]
Windows ME: 35 Secunia advisories, 21 vulnerabilities. http://secunia.com/advisories/product/14/ [secunia.com]
Windows XP Home: 199 Secunia advisories, 184 vulnerabilities. http://secunia.com/advisories/product/16/ [secunia.com]
I'd say it's too early to tell whether
Re: (Score:2)
Except that you'd have to evaluate whether these are cumulative. Not saying they are, but does ME also have the holes that are shown for XP Home, but is simply not evaluated anymore? Does XP pro cure the ills of 2000 pro, and just have new, different holes?
I'm not sure any of this gets us anywhere, but I'm always suspicious of simple counts.
Microsoft is sueing themselves? (Score:5, Funny)
Sounds a lot like an average Windows advertisement.
Re: (Score:2)
The key difference is that the scareware authors actually give you a(n invalid) reason to use their software while Microsoft's ads are just random no
Unnecessary blog reference (Score:5, Insightful)
Why does this even reference Bruce Schneier's blog? There's no added value from there. Why not just reference the original article?
Re:Unnecessary blog reference (Score:5, Insightful)
Look at the name of the submitter.. this is blatant self promotion.
And, as is often the case, Schneier's blog doesn't add anything to the article either.
Re:Unnecessary blog reference (Score:4, Funny)
Repeat after me: Ad revenue from hits/views.
Re:Unnecessary blog reference (Score:5, Insightful)
Bruce Schneier has a lot more credibility in the security field than the Washington Post, the State of Washington, and Microsoft all put together.
Re: (Score:3, Funny)
Bruce Schneier has a lot more credibility in the security field than the Washington Post, the State of Washington, and Microsoft all put together.
That doesn't mean much. My left arse cheek has a lot more credibility in the security field than the Washington Post, the State of Washington, and Microsoft all put together.
Re:Unnecessary blog reference (Score:5, Informative)
Actually, Brian Krebs at the WaPo has a lot of credibility, and has been writing very good well-researched columns on computer security for as long as I've been reading that paper. What's your left arse cheek done lately?
Re: (Score:2)
Mostly from pandering to other peoples political beliefs and indulging in scaremongering himself.
What an awesome quote on his book cover (Score:3, Funny)
Re: (Score:2)
Yeah, not to mention that the advent of mp3 players and decent portable speakers means anyone who drops $1.25 into a jukebox to listen to whatever shitty music it has in rotation is a tool.
Hmm... do I want to pay through my nose to listen to Journey, or should I just whip out my cell phone and crank some Black Flag? Gee, this is a toughie...
Re: (Score:2)
Why?
I heard this claim several times already, but have never seen an explanation. As far as I can tell, he's a pretty smart guy and what he says seems to make sense.
So what's the problem with him?
Re: (Score:2)
It's like people who say "I love reggae. Bob Marley is awesome".
It is usually just them name-dropping, because he is the only security guy they know of. Not sure I'd call him the rock star of the industry though- Dan Kaminsky and Johnny Long have that covered.
That said, having read a lot of security literature, and all of Bruce's books, he is the best mind I can think of on high-level security theory- what works, what doesn't, and how to evaluate a solution.
Re: (Score:2)
So what's the problem with him?
There is none. "QuantumG" (I assume he thinks he is the indivisible entity of a gangster) is just angry that people don't shun the "obvious" names.
Re: (Score:2)
If Schneier wants to stop scaring people he should consider trimming his beard.
Halloween's coming up.
A state government and Microsoft both doing something I approve of? What's this world coming to?
Re: (Score:3, Funny)
Hell. Now serving ice cubes.
Re: (Score:3, Funny)
I don't know, add glasses and a crowbar and he could star in a videogame. Seems to me like the kind of guy you want talking about computing.
Re: (Score:3, Funny)
Never!
I wouldn't trust a cryptographer without a beard.
Wasn't there a TV advert about this? (Score:3, Funny)
scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software
It was an Apple thing I think warning about some company who was pushing some "extra secure" version of its operating system which in fact gave you less performance and kept nagging at you the whole time. Yup I thought so [youtube.com].
Oh wait this is some OTHER companies who use security as a scare threat via nagging messages to get you to buy software.
Re: (Score:2)
Oh wait this is some OTHER companies who use security as a scare threat via nagging messages to get you to buy software.
You mean M$ "scares" users with UAC to buy Vista? You got some problem with your logic.
Last time I was checking [google.com] that trick didn't fly.
If these are lawsuits we're talking, somebody should charge M$ with false advertising: many end-users were made to think that thanks to UAC Vista is more secure than XP.
FAKE security warnings, for Windows? (Score:4, Insightful)
I'm truly impressed that people can come up with security warnings about Windows that are not true... after all, is there anything as insecure as Windows?
The only thing I think they may have a case with is of course the fake software, as in software that does not do what is advertised. And I'm not even thinking of Windows itself this time.
Re:FAKE security warnings, for Windows? (Score:5, Interesting)
If you run a Linux OS with a modern web browser, and you visit a site with the scareware, it is mildly amusing to see that your registry is screwed up and the site looks like Internet Explorer in colour scheme, but you can download an exe to fix it.
It's happened twice to me, and I find them amusing.
I'm quite sure this is how Windows zombies get signed up, but my penguin knows better.
Re: (Score:1, Interesting)
Last time I checked, Metasploit had at least double the attack vectors for Linux than it did for Windows.
So, I would say Linux is less secure than Windows.
Re:FAKE security warnings, for Windows? (Score:4, Insightful)
Were those attack vectors directed at Linux or at packages running on Linux?
Apache != Linux
MySQL != Linux
etc
Re: (Score:2)
In that case you should say the same about Windows. Most of the attacks (particularly drive-by attacks related to surfing) are targeted at IE, an application. Oh bad example, according to MS it's an integral part of the OS. Never mind.
Then there are attacks directed at Outlook, IIS, and so on. Very few are directed at the Windows core. The same will account for Linux: unless the attack is done locally (most are over a network), it is always an application that is the first line of defense.
Re: (Score:2)
To be fair we'd call a vulnerability in Internet Explorer or Windows Media Player a "Windows" vulnerability even though those aren't actually Windows. Hell, the N version doesn't even ship with WMP and, I forget, may not even ship with IE.
Re: (Score:2)
That is because those come with Windows, and you can't uninstall them (Oh, yes, the EU justice can uninstall WMP. But most users are not as powerful as the EU.) while most Linux distros don't come with MySQL and Apache running by default.
Re: (Score:2)
Then again Firefox ships with most versions of Linux that I have downloaded. There aren't a whole lot of exploits at the kernel level for most modern OSes. Those that do exist are often patched fairly quickly. The flaws that I typically see are at the application level regardless of the operating system. Which was mostly what I was saying in the first post but I wasn't very clear, my bad.
Re: (Score:2)
Would you count a flaw in MS Word as a flaw of Windows? It doesn't ship with Windows, but most people buy it separately and install it.
Re: (Score:2)
Hm-m-m. So if Firefox on my windows box is exploited, Linux should be blamed? Maybe this should be attributed to the actual problem, firefox...
Re: (Score:2)
Actually? Side note... I'd say no to your question but if there's a flaw in Firefox that allows the underlying OS to be rendered vulnerable the flaw resides with both for having allowed the application to perform functions not authorized by the user. The question then is how to fix it... I don't know the answer to the question unfortunately.
I have a bad analogy if you want/need it.
If I let a stranger into my home and he then murders my child then the fault is his. At some point, though, I made a choice to l
Re: (Score:2)
Then again Firefox ships with most versions of Linux that I have downloaded.
Really? I don't think a single one of the Linux servers in our farm has Firefox installed. On the other hand, I think all of our few remaining Windows servers have Firefox installed. :)
Re: (Score:2)
Why yes. "That I have downloaded." I haven't tried them all though and the only servers that I use with Linux on them run CentOS and, to be honest, those don't even need a browser. Instead I have to keep Apache, PHP, WHM, cPanel, etc updated. OSes become insecure when we start piling applications on them.
Re: (Score:2)
Does it list exploits for each distro separately? Does it list exploits for all the different mail servers etc you might choose to run on it?
Re:FAKE security warnings, for Windows? (Score:5, Funny)
...after all, is there anything as insecure as Windows?
Emo kids?
Re: (Score:1)
1998 called, they want their insecure windows jokes back.
Re: (Score:2)
Yes I know, big strides have been made by Microsoft to improve it. The whole design of Windows unfortunately has never been with security in mind, this in contrast to Unix and its clones and derivatives, which is designed to be part of a network and multi-user.
Microsoft has a lot to do to really make it secure, and when seven years of development for a minor upgrade (XP to Vista) can't fix it, nothing short of starting from scratch can.
Win XP/Vista is a huge improvement over 98 and ME, however the number
Re: (Score:2)
Windows 2003 server has a pretty good track record. It is also pretty much unusable as a desktop operating system in its default setup.
It is the desktop offerings that have a problem, and that is because they have to run programs written in the Windows 9x days when there was no separation between program and data files.
Re: (Score:2)
And yet, for all the features Microsoft wasted years of developer time on, services still run as LOCALSYSTEM. One bug, and you're owned.
As I pointed out before, Unix has a more primitive security infrastructure, and was not really designed to be secure from the ground up, yet by the time Dave Cutler started on NT, years of hacks and exploits had taught the *nix community how to work around that. Microsoft, in all their NIH wisdom, decided that none of
Re: (Score:2)
Microsoft deserves every bit of scorn heaped upon them for ignoring what the rest of the computer industry had known and ignored for decades.
Fixed that for you. You yourself note that the *nix community has been designing hacks and exploits, which demonstrates that *nix has its own issues.
Jeepers, folks. It's about the freaking user. My Windows servers are as safe as my Linux servers, for the same reason - I keep people's privileges low, and don't run unnecessary services. 15 years, NO problems. It's not
Re: (Score:2)
Pot, meet kettle. Ad hominem doesn't advance your cause. Your own point was that Unix has design flaws, which knowledgeable users have worked on. Windows has design flaws, which knowledgeable users have worked on.
Re: (Score:2)
Hm-m-m. It's a fine distinction. I'm pretty sure that the definition of ad hominem is attacking the speaker, rather than the idea, and an insult certainly seems contributory to that cause.
You've got a lot of hostility, I'm sorry to have offended you. Sounds like you've got a lot to carry.
Re: (Score:2)
Oh, goodie, more "it's all the user's fault!" crap. Suuuuuure, Windows itself isn't insecure. It wouldn't, say, have a service running in the background by default that lets remote computers alter the registry. It doesn't let viruses and trojans just install themselves when your computer connects to the internet without a firewall or antivirus, does it? Oh, wait, yes it does both of those things and more.
Of course, those who are so intent on s
Re: (Score:2)
WARNING! Your computer may have spyware. Click here for our FREE REGISTRY SCAN!
Re: (Score:1)
I'm truly impressed that people can come up with security warnings about Windows that are not true... after all, is there anything as insecure as Windows?
Question of probability. They might have had a chance if their warning had said "Your computer is probably infected", but it is conceivable that there exist Windows boxes recently installed from behind a firewall which are not infected at all, so they can't say "Your computer is infected".
Re: (Score:2)
They have warnings like
"Warning, your computer is broadcasting its IP address over the internet. With this information, any website you visit knows where you are".
Well of course it does. Without that information, how is it going to send the web page you asked for?
Why did it take so long? (Score:1, Insightful)
colors (Score:4, Interesting)
Is that too obvious?
Re:colors (Score:5, Insightful)
Too obvious for your normal user, yes. Your average geek isn't going to get fooled by these things anyways (heck, with the way NoScript and my popup blockers are set I don't see them at all anyways). But to the guy who fumbles with the power button and whose eyes glaze over when you speak of "cut and paste", changing the window colors and then having the foresight to pick up on a different color showing up being bad is way beyond their capabilities.
Re: (Score:3, Insightful)
One of my insights doing a stint behind a helldesk was that some otherwise competent, intelligent people will disengage their thought process when sitting behind a keyboard. Sometimes I felt like a psychiatrist - or at least what I suspect many of them do:
1. Listen to problem.
2. Restate problem as a question.
3. Confirm answer given by customer is correct.
4. Assure customer that while correct answer WAS somewhat obvious, we get it all the time and a lot of folks don't figure it out on their own. Add reas
Re: (Score:2)
I felt like a psychiatrist
What you describe sounds more like what a psychologist/counselor does; my understanding is that the job of a psychiatrist is similar to that of your general care physician except applied to mental health: diagnose badness and suggest/prescribe interventions, and if the intervention is psychotherapy also carry it out.
In some cases, cognitive therapy may be as simple as you make it out to be, but there's more to psychiatry than meets the eye (I would think). OTOH, there may be not much more to psychquackery than t
Re: (Score:2)
What you describe sounds more like what a psychologist/counselor does; my understanding is that the job of a psychiatrist is similar to that of your general care physician except applied to mental health: diagnose badness and suggest/prescribe interventions, and if the intervention is psychotherapy also carry it out.
Actually - you're quite correct. You caught me being lazy. I actually have had some exposure to those aspects of health care and have learned some of the differences. I suppose a real general way of contrasting the two is that psychiatrists use drugs while psychologists talk. Someone in the field could probably go in to considerable detail and outline how accurate but wrong that statement is. :)
It's all rather complex stuff. At the least, it appears to be sufficiently complex as to appear simple to the
Re: (Score:2)
True Story:
After reformatting, one of the first things I do is go to AVG's website and download some virus protection. I google, and, thanks to a shitty mouse or my stupidity, accidentally click on another legitimate website. Adware, crapware, and more all taint the once pure machine via IE. All because AVG returned a couple of sites that are nowhere near legitimate.
No warning would have helped in that case.
Re: (Score:1)
True Story:
After reformatting, one of the first things I do is go to AVG's website and download some virus protection. I google, and, thanks to a shitty mouse or my stupidity, accidentally another legitimate website. Adware, crapware, and more all taint the once pure machine via IE. All because AVG returned a couple of sites that are nowhere near legitimate.
No warning would have helped in that case.
Fixed.
Oh, it gets worse. (Score:2, Insightful)
but surely somebody could just change the desktop colors...
It's worse than that, because it's even more obvious.
This is where the end-user epic fail really is:
Security Alert - Windows Internet Explorer
Or
Security Alert - Mozilla Firefox
End users have so trained themselves to not actually read dialogs that they simply can't tell something they've seen before from something they have not.
It doesn't take a genius to sit at a computer for hours, and hours, and hours on end, every day, at work and at home, to recognize that your "Security Alert - Windows Internet Explorer" causes the cursor to turn into a pointing finger, just like a hyperli
Re: (Score:1)
So... you're saying that the mugger should be penalized less, because the victim asked for it? Please, stop with this blame the victim nonsense.
Re: (Score:2, Insightful)
I'm saying that if you're too ignorant to understand that you're asking for it because you feel it's not worth your time to learn anything from your hands-on experience, then it's your own damn fault that you put yourself in that situation. I never said there was anything right or just about crime.
Re: (Score:2)
I'm a fairly small guy and, well, to help pay my way through college I actually worked as a BOUNCER in a biker bar for a while. Media puts out the idea that bikers are tough and mean but, really, they're quite tame for the most part. I'm maybe 175 pounds and 5' 11" (I was a bit heavier back then) and I never had a problem. Most of the time it was just a matter of asking someone to leave. Yip... No muggings, not much fighting, no broken cue sticks, no broken bottles, no stabbings, no rapes, no murders, etc..
Re: (Score:2)
I've occasionally seen actual dialog boxes pop up with these warnings back when I used Windows and IE, so it isn't just graphics that look like boxes.
Re: (Score:1)
Most Windows users never change the default colors, or even that stupid grassy knoll background image.
Re: (Score:2)
Actually, I do just this to people whose computer I fix on a regular basis. I then tell them "If the bar is blue, it's fake."
It works quite well.
Courts determining what's required for security? (Score:5, Insightful)
The law referenced "makes it illegal to misrepresent the extent to which software is required for computer security or privacy." This is such a fishy thing that I'm not really sure if I want courts to determine what exactly is required and therefore whether it is being misrepresented.
Now, maybe there's a case for fraud if the program doesn't do what it purports to do in its advertising, but that doesn't seem to be what's at stake here.
There also might be a case for fraud if, perhaps, the advertising pop-ups are being confused for actual Windows messages. But I suppose in the "real world" advertisements mimic other things to be creative, but are still fairly obviously ads.
Just not sure I like the sound of a law that requires a judge or jury to determine what's required for computer security.
--
Hey code monkey... learn electronics! Powerful microcontroller kits for the digital generation. [nerdkits.com]
Re: (Score:2)
Sounds like it could be used for Microsoft to take a swing at all of the legitimate anti-virus/scumware/etc apps for advertising how critical their software is because Windows has so many problems.
In that case, can we use the bit that says "illegal to misrepresent the extent to which software is required for computer security or privacy" to sue Microsoft for advertising "the most secure version of Windows yet" and claiming that the likes of XP and Vista are designed in a security conscious way (implicit in t
Re: (Score:2)
Somewhere, Microsoft's explicit statements of non-warranty of fitness and non-warranty of merchantability for its products has got to come into play here (http://en.wikipedia.org/wiki/Implied_warranty).
In some ways, Microsoft uses its own lack of built-in security features in its products to sell its own other products that provide said security functionality...
This lawsuit seems to be bound a bit in circular logic, and I don't think really benefits the consumer in the end at all.
Microsoft making their prod
good point (Score:2)
It kinda looks like this law is written almost exactly with WGA and other nasties in mind.
all anti-virus companies (Score:3, Insightful)
"the law makes it illegal to misrepresent the extent to which software is required for computer security or privacy,and it provides actual damages or statutory damages of $100,000 per violation, whichever is greater."
lol, so all the anti-virus software companies (Norton, NOD32, VET etc) and anyone selling 'personal firewall software' is pretty much screwed.
Re: (Score:2)
While a lot of AV makers will try to convince you that you'll be screwed without the $100 security suite, they tend to sell what they say they are selling and don't have fake positives in the product in an effort to try to convince you to buy them.
And anyone that ran Windows XP RTM/SP1 knows that a firewall of some sort was required (hardware or non-Microsoft software) due to all the exploits. You could be own
Scareware? (Score:1)
Isn't most computer security software useless anyway? I GOT NORTON YOU CAN'T TOUCH ME!
More Government Regulation (Score:3, Funny)
Re: (Score:2)
You're right!
But, I can tell from your message that you have a high level of contamination in your home drinking water. It's already affecting your speech. I'm from the Federated Department of Drinking Water Security. (Flashes badge that is a perfect knock-off) You have nothing to fear though, for a nominal fee, I can provide you with a water security solution that will keep your faucet from broadcasting its location to the evil germs and heavy metals that are lurking just outside.
It's about time (Score:2, Interesting)
Sort of like ... (Score:2)
Scaring consumers = basis of modern advertising (Score:3, Interesting)
Re: (Score:1)
Combine that with the fact that some of them claim to be the OS telling you that you are infected and to buy some fake program. I can see Microsoft's point. They really can't prevent this kind of thing because you can't fix stupid.
A lot of users trust the pop-ups from ads and end up installing a lot of this crapware.
Re: (Score:1, Funny)
I wouldn't anger him... Bruce Schneier can get identity information from an unpowered, unconnected remote machine, just by glaring in its general direction. If he's feeling particularly good, he doesn't need the direction.
Re: (Score:2)
Hmm...I've never heard anyone criticize Schneier's book before.
Please give us your recommendation for a book on cryptography that is highly regarded by people who know cryptography (perhaps in addition to knowing network security).