Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Google

Software Security Suffers as Startups Lose Access To Google's Virus Data 74

Iain Thomson, writing for The Register: Security firms that use the Google-owned VirusTotal malware database but don't contribute to the silo are going to find themselves out on a limb. For the past 12 years, researchers have been feeding samples of software nasties into VirusTotal, allowing antivirus engines to check they can detect malicious code. But the site has seen an increasing number of security startups have been using the VirusTotal data without giving back. Now Google, and other contributors have had enough and have changed the terms and conditions of the website. Put simply, if you don't share samples, you can find your own malware elsewhere.From a Reuters report: The policy change at the information-sharing pioneer VirusTotal takes aim mainly at a new generation of security companies, some with valuations of $1 billion or more, that haven't been contributing their analysis. Older companies, some with market valuations much smaller than the upstart rivals, had pressed for the shift. "If they no longer have access to VirusTotal, their detection scores will drop," said Andreas Marx, chief executive of security software evaluation firm AV-TEST. With detection rates down, hackers will find easier entry.
This discussion has been archived. No new comments can be posted.

Software Security Suffers as Startups Lose Access To Google's Virus Data

Comments Filter:
  • by Anonymous Coward

    Sounds like the GPL dialed up a notch. Aren't the big guys always pushing the BSD licenses? Do as I say, not as I do, hmmm?

  • by cweber ( 34166 ) <cwebersd AT gmail DOT com> on Tuesday May 10, 2016 @11:26AM (#52083991)

    You cannot just consume and hope nobody cares that you don't give back.

    • No, it's how the world works. You cannot just consume and hope nobody cares you're not paying for a product such as music or movies.

      • No, it's how the world works. You cannot just consume and hope nobody cares you're not paying for a product such as music or movies.

        There's a difference between watching a movie and running a movie theater which competes with the producers of the film. A rather important difference, one might say.

    • by Anonymous Coward on Tuesday May 10, 2016 @11:55AM (#52084201)

      No. That's specifically NOT how Open Data works.

      Open Data is data that's made available, no strings attached, for public use and consumption. There are many reasons why someone would choose to share data in this way. Maybe it's for research. Maybe it's for third-party app developers (e.g. a municipality making transit data available). Maybe it's because they're required to provide the data by law (e.g. government datasets).

      If the data is available only conditionally, then it's not Open Data. It might be data the public can potentially access, but that's not Open Data.

      If (for example) Linux was ONLY available to people who actively contributed code back to the kernel, and blocked for everyone else, we wouldn't be calling it OSS.

      • by getuid() ( 1305889 ) on Tuesday May 10, 2016 @12:23PM (#52084433)

        We're not. We're calling it Free Software.

      • by meerling ( 1487879 ) on Tuesday May 10, 2016 @01:06PM (#52084853)
        The idea of a system like the one in the article is that everyone contributes, everyone benefits. They didn't think to write it in their rules because they didn't contemplate the possibility of the extensive leeching for profit that's going on. They are now correcting their posted rules to get the for-profit-leeches to participate or GTFO.
      • by CAIMLAS ( 41445 )

        I think the point here isn't that they're using it and not providing anything back, it's that they're using 'open' technologies without improving them, and getting insane market evaluations for what amounts to marketing bullshit.

        It'd like be re-theming RedHat and selling it with a Windows-like or MacOS-like theme, saying it's "Windows and Mac compatible Linux" or some such.

    • by pr0nbot ( 313417 )

      I suppose it's like GPL vs BSD.

    • PLS SEED
  • by xxxJonBoyxxx ( 565205 ) on Tuesday May 10, 2016 @11:33AM (#52084065)
    Don't build your "startup" on other people's data/API/etc. unless you have a contract. They could change the terms tomorrow and then you're screwed.
    • by Anonymous Coward

      Oh, and "when a service is based 100% on data contributions in order to function, don't expect your business model of 100% consume/0% contribute to be very sustainable"

      Really, these firms are leeches. They built a business out of nothing more than capitalizing on Virustotal, They can die and no one will miss them.

      • by tnk1 ( 899206 )

        Really, these firms are leeches. They built a business out of nothing more than capitalizing on Virustotal, They can die and no one will miss them.

        I don't disagree with the thought behind that, but even with wild inflation of value that is common these days, a company with a billion dollars of valuation is going to be missed when their customers end up with a crappier product, but no one mentioned to the already-sold customers that their provider is now sucking it because they have less ability to detect malware.

        These companies will likely have to scramble to either contribute or find their own way of getting data, but you can bet that they will not c

        • a company with a billion dollars of valuation is going to be missed

          A company with a billion dollars of valuation and a product that's another company's repainted product is a scam, plain and simple. Good riddance.

    • They could change the terms tomorrow and then you're funded at a high valuation.

      Fixed that for you. It makes sense that a startup would use other people's data to up their valuation. If they need to replace it later, at least they'll have more cash/equity to do so with.

      Now, investors should price that into the valuation, but they don't seem to.

    • Especially when that third party is Google. Speaking of which, since when did Google own VirusTotal?

      • I'm pretty creeped out Google owns VirusTotal. Not that they bought it, that's fine^W an example of the epidemic of Google consolidating the internet in a distinctly evil way. That they did, and I didn't know it.

  • by QuietLagoon ( 813062 ) on Tuesday May 10, 2016 @11:34AM (#52084075)

    ... "If they no longer have access to VirusTotal, their detection scores will drop," said Andreas Marx, chief executive of security software evaluation firm AV-TEST. With detection rates down, hackers will find easier entry....

    The people who use the products with the poorer detection rates should just switch to products that continue to provide good detection rates, and the hackers will then find entry to be more difficult.

    .
    If those a/v companies built a ~$1B business based upon the acquisition of free data for which they have no long-term contract to obtain, then those companies do not deserve to continue to be in business.

    To put that much money at risk because the supply chain has not been properly vetted is not a good business practice.

    • by sinij ( 911942 )
      This might go sideways in more ways than VirusTotal realize. For example, consumers might realize that all end-point AV products are highly ineffective and stop buying them.
      • by mysidia ( 191772 )

        Yes..... Also; I do think I am going to immediately cease submitting the hundreds of undetected malware samples I get a month to VirusTotal, and look for another venue that is truly open.

        It feels to me like this move is totally disingenuous on the part of VirusTotal cutting off their nose to spite their face / intended to harm players in the industry to the benefit of some companies more than others..... The motivation is obviously greed by companies losing some market share who influence VirusTo

        • why should these new companies be allowed to continue to use VirusTotal without giving back anything? The companies that do contribute have a cost associated with doing so, but they ALL benefit by contributing in good faith to the same pool. No one is saying these new companies have to lose access, they just won't be allowed to continue leeching the work of others for their own profit. Sounds like the greedy ones are not the contributors...
          • by tnk1 ( 899206 )

            One wonders though. Why was VT set up? Was it made open to make it possible for more and more security vendors to get good data in order to increase global security? If so, then the failure to give back is a problem, but as long as that data is used, the goal of the project is satisfied. More security.

            What is happening is that there appears to be some who are able to leech. Well... to some degree, that is merely an extreme use case of what VT was intended for. Even if they don't give back, they are im

          • by mysidia ( 191772 )

            why should these new companies be allowed to continue to use VirusTotal without giving back anything? The companies that do contribute have a cost associated with doing so

            The problem is they mean something very specific by "Giving back"; They have to adapt their scanner, so their scanner is one of the scanners that VirusTotal checks samples against. And VirusTotal in their own words admits why this is not applicable to all scanners..... VirusTotal's antivirus engines are commandline versions, so dep

        • by Shimbo ( 100005 )

          I would point out that VT concealing their data is detrimental to companies that consider purchasing security products; it erodes vendor trust from the market, which affects everyone, And it reduces malware detection rates for everyone, which can only hurt the public and society at large.

          That assumes that none of the freeloaders changes their business model and decides to contribute back. It only takes one firm to decide to do so to make the net result improved malware detection for most people.

        • The motivation is obviously greed

          Um, what? Asking / requiring people to contribute and share is now considered greed?

          • by mysidia ( 191772 )

            Asking people to contribute back would not be greed, But (1) That's not what they are asking, And (2) I am implying an ulterior motive driven by other companies who have a reason for pursuing this which is not what it is stated.

            If an antimalware vendor has not integrated their tool into VT, because their methodology doesn't lend itself to a program that "scans a specific file", then VT provides them no chance of participating.

            It's not like VT offers them a chance to pay for it or make a do

    • If those a/v companies built a ~$1B business based upon the acquisition of free data for which they have no long-term contract to obtain, then those companies do not deserve to continue to be in business.

      I'm interested to know what you think a $1B business actually means?

      Remember that $1.8B business called twitter? Did you know that business never made a profit? In fact the same quarter it was valued at $1.8B they made a net loss of $23M.

      A valuation is something someone thinks about you, and in the tech industry that is completely devoid of any resemblance of reality. Unfortunately those same unicorn farts that power the valuations can't be used to pay your suppliers. Good business practice really doesn't c

      • by swb ( 14022 )

        I'd love to hear a "explain it to me like I was 5" accounting-focused explanation of how a business like Twitter manages to lose money and still pay the bills.

        Conceptually it makes sense when a business has been around for some time and had profitable years and then has a year where they lose money -- they might have cash reserves or access to credit to make up the shortfall.

        But a shorter-lived business like Twatter that's maybe never made a profit -- they don't have a savings account with reserves built up

        • How does that work? People are willing to loan them the money because of their high valuation?

          Exactly. Cashed up VCs chasing unicorns with the hope of a part of the pie of a multi-billion dollar IPO. What wallstreet maketh silicon valley vapourises into the ether.

          • by swb ( 14022 )

            And I get that with VCs and startups before they go public, and the spend money to make money concept. I've been around too many under-capitalized businesses and totally get the idea of losing money building up a foundation for future growth.

            But Twitter as an example already has done an IPO and in theory is past the point at which VCs sink money in -- the stock is already issued.

            I'm guessing at Twitter's scale the idea that they are losing money is mostly nominal, and that the business isn't absolute, neg

    • If those a/v companies built a ~$1B business based upon the acquisition of free data for which they have no long-term contract to obtain, then those companies do not deserve to continue to be in business.

      I'd be more worried about the programmer who thinks of a clever new way to detect viruses while in the shower, but can't easily test how effective it is because there's no large public database of viruses. He can't afford the time or several tens of thousands of dollars to get a dataset just to test out a

    • by tnk1 ( 899206 )

      You're assuming that the end user will correlate their detection rate with this sort of thing. If they didn't happen to read this story, they might continue on blissfully unaware that their vendor now suddenly sucks. You can be sure the vendor won't say a damn thing about it, unless prompted by the customers first.

  • A few years ago, when there was a US hops shortage, Samuel Adams (the big beer brewing company) made the gesture of selling significant amounts of its hops stock at cost to small craft brewers, to help keep the industry afloat. This helped a significant number of small businesses stay alive and the talent in those companies make a living until the shortage was over.

    Given that the malware detection software companies are more like pure competitors to Google, and that software engineers generally are neve
  • by sinij ( 911942 ) on Tuesday May 10, 2016 @11:56AM (#52084209)
    Signature-based AV is already ineffective to the point of being useless. Trivial obfuscation techniques can and does fool every solution out there.
  • "On Wednesday, the 12-year-old service quietly said it would cut off unlimited ratings access to companies that do not share their own evaluations of submitted samples" ref [venturebeat.com]

    By not sharing their own evaluations these companies are also facilitating the hackers, are they not. Does software evaluation firm AV-TEST contribute their own evaluations to VirusTotal?
  • CrowdStrike has been all over my local ISSA the last year pimping their crapware. This is pretty ironic considering VirusTotal is a Google service and CrowdStrike has been selling themselves on the fact Google gave them 100 million in capital.

Heard that the next Space Shuttle is supposed to carry several Guernsey cows? It's gonna be the herd shot 'round the world.

Working...