Software Security Suffers as Startups Lose Access To Google's Virus Data 74
Iain Thomson, writing for The Register: Security firms that use the Google-owned VirusTotal malware database but don't contribute to the silo are going to find themselves out on a limb. For the past 12 years, researchers have been feeding samples of software nasties into VirusTotal, allowing antivirus engines to check they can detect malicious code. But the site has seen an increasing number of security startups have been using the VirusTotal data without giving back. Now Google, and other contributors have had enough and have changed the terms and conditions of the website. Put simply, if you don't share samples, you can find your own malware elsewhere.From a Reuters report: The policy change at the information-sharing pioneer VirusTotal takes aim mainly at a new generation of security companies, some with valuations of $1 billion or more, that haven't been contributing their analysis. Older companies, some with market valuations much smaller than the upstart rivals, had pressed for the shift. "If they no longer have access to VirusTotal, their detection scores will drop," said Andreas Marx, chief executive of security software evaluation firm AV-TEST. With detection rates down, hackers will find easier entry.
Re: (Score:2)
Contribute back or you can't use our stuff (Score:1)
Sounds like the GPL dialed up a notch. Aren't the big guys always pushing the BSD licenses? Do as I say, not as I do, hmmm?
It's how Open Data works (Score:3, Insightful)
You cannot just consume and hope nobody cares that you don't give back.
Re: (Score:2)
No, it's how the world works. You cannot just consume and hope nobody cares you're not paying for a product such as music or movies.
Re: (Score:2)
There's a difference between watching a movie and running a movie theater which competes with the producers of the film. A rather important difference, one might say.
Re:It's how Open Data works (Score:5, Insightful)
No. That's specifically NOT how Open Data works.
Open Data is data that's made available, no strings attached, for public use and consumption. There are many reasons why someone would choose to share data in this way. Maybe it's for research. Maybe it's for third-party app developers (e.g. a municipality making transit data available). Maybe it's because they're required to provide the data by law (e.g. government datasets).
If the data is available only conditionally, then it's not Open Data. It might be data the public can potentially access, but that's not Open Data.
If (for example) Linux was ONLY available to people who actively contributed code back to the kernel, and blocked for everyone else, we wouldn't be calling it OSS.
Re: It's how Open Data works (Score:4, Informative)
We're not. We're calling it Free Software.
Re:It's how Open Data works (Score:4, Insightful)
Re: (Score:3)
I think the point here isn't that they're using it and not providing anything back, it's that they're using 'open' technologies without improving them, and getting insane market evaluations for what amounts to marketing bullshit.
It'd like be re-theming RedHat and selling it with a Windows-like or MacOS-like theme, saying it's "Windows and Mac compatible Linux" or some such.
Re: (Score:2)
I suppose it's like GPL vs BSD.
Re: (Score:2, Interesting)
Seems like a pretty apt analogy to me. They were in BSD mode - give everything away with few (no?) strings attached. Then high-revenue parasites began to exploit the gift to the point that the givers could no longer compete effectively. So they switched to a sharealike license that requires downstream distros to contribute their own assets if they want to integrate the collective assets.
Of course the analogy breaks down since we're talking about a data collection used for pattern recognition, rather than
Re: (Score:1)
Re: (Score:2)
Then it would be a life size model rather than a scale model, still not an actual train. Models, by their nature, are not the real thing. Typically they're non-functional, or only have very limited functionality to test/demonstrate one or more aspects (though then you're starting to get into prototype territory) . If you build a fully functional model, it's no longer a model - it's the real thing.
Re: (Score:2)
How many times do we need to say it? (Score:5, Insightful)
Re: (Score:1)
Oh, and "when a service is based 100% on data contributions in order to function, don't expect your business model of 100% consume/0% contribute to be very sustainable"
Really, these firms are leeches. They built a business out of nothing more than capitalizing on Virustotal, They can die and no one will miss them.
Re: (Score:3)
Really, these firms are leeches. They built a business out of nothing more than capitalizing on Virustotal, They can die and no one will miss them.
I don't disagree with the thought behind that, but even with wild inflation of value that is common these days, a company with a billion dollars of valuation is going to be missed when their customers end up with a crappier product, but no one mentioned to the already-sold customers that their provider is now sucking it because they have less ability to detect malware.
These companies will likely have to scramble to either contribute or find their own way of getting data, but you can bet that they will not c
Re: (Score:2)
A company with a billion dollars of valuation and a product that's another company's repainted product is a scam, plain and simple. Good riddance.
Re: (Score:2)
Fixed that for you. It makes sense that a startup would use other people's data to up their valuation. If they need to replace it later, at least they'll have more cash/equity to do so with.
Now, investors should price that into the valuation, but they don't seem to.
Re: (Score:2)
Especially when that third party is Google. Speaking of which, since when did Google own VirusTotal?
Re: (Score:2)
I'm pretty creeped out Google owns VirusTotal. Not that they bought it, that's fine^W an example of the epidemic of Google consolidating the internet in a distinctly evil way. That they did, and I didn't know it.
Detection rates go down, products stop being used (Score:5, Insightful)
... "If they no longer have access to VirusTotal, their detection scores will drop," said Andreas Marx, chief executive of security software evaluation firm AV-TEST. With detection rates down, hackers will find easier entry....
The people who use the products with the poorer detection rates should just switch to products that continue to provide good detection rates, and the hackers will then find entry to be more difficult.
.
If those a/v companies built a ~$1B business based upon the acquisition of free data for which they have no long-term contract to obtain, then those companies do not deserve to continue to be in business.
To put that much money at risk because the supply chain has not been properly vetted is not a good business practice.
Re: (Score:3)
Except that's a horrible comparison since, as I recall, Red Hat is actually one of the single largest contributors to the Linux kernel, etc.. They do give back, and dramatically so, they just *also* include a lot of "value added" software and support to make their distro more attractive than the competition. If you don't want to pay for the value added stuff, then I believe CentOS is still offering the core Red Hat distro sans "secret sauce".
Re: (Score:2)
Re: (Score:2)
Yes..... Also; I do think I am going to immediately cease submitting the hundreds of undetected malware samples I get a month to VirusTotal, and look for another venue that is truly open.
It feels to me like this move is totally disingenuous on the part of VirusTotal cutting off their nose to spite their face / intended to harm players in the industry to the benefit of some companies more than others..... The motivation is obviously greed by companies losing some market share who influence VirusTo
Re: (Score:3)
Re: (Score:3)
One wonders though. Why was VT set up? Was it made open to make it possible for more and more security vendors to get good data in order to increase global security? If so, then the failure to give back is a problem, but as long as that data is used, the goal of the project is satisfied. More security.
What is happening is that there appears to be some who are able to leech. Well... to some degree, that is merely an extreme use case of what VT was intended for. Even if they don't give back, they are im
Re: (Score:2)
why should these new companies be allowed to continue to use VirusTotal without giving back anything? The companies that do contribute have a cost associated with doing so
The problem is they mean something very specific by "Giving back"; They have to adapt their scanner, so their scanner is one of the scanners that VirusTotal checks samples against. And VirusTotal in their own words admits why this is not applicable to all scanners..... VirusTotal's antivirus engines are commandline versions, so dep
Re: (Score:2)
I would point out that VT concealing their data is detrimental to companies that consider purchasing security products; it erodes vendor trust from the market, which affects everyone, And it reduces malware detection rates for everyone, which can only hurt the public and society at large.
That assumes that none of the freeloaders changes their business model and decides to contribute back. It only takes one firm to decide to do so to make the net result improved malware detection for most people.
Re: (Score:2)
The motivation is obviously greed
Um, what? Asking / requiring people to contribute and share is now considered greed?
Re: (Score:2)
Asking people to contribute back would not be greed, But (1) That's not what they are asking, And (2) I am implying an ulterior motive driven by other companies who have a reason for pursuing this which is not what it is stated.
If an antimalware vendor has not integrated their tool into VT, because their methodology doesn't lend itself to a program that "scans a specific file", then VT provides them no chance of participating.
It's not like VT offers them a chance to pay for it or make a do
Re: (Score:2)
If those a/v companies built a ~$1B business based upon the acquisition of free data for which they have no long-term contract to obtain, then those companies do not deserve to continue to be in business.
I'm interested to know what you think a $1B business actually means?
Remember that $1.8B business called twitter? Did you know that business never made a profit? In fact the same quarter it was valued at $1.8B they made a net loss of $23M.
A valuation is something someone thinks about you, and in the tech industry that is completely devoid of any resemblance of reality. Unfortunately those same unicorn farts that power the valuations can't be used to pay your suppliers. Good business practice really doesn't c
Re: (Score:3)
I'd love to hear a "explain it to me like I was 5" accounting-focused explanation of how a business like Twitter manages to lose money and still pay the bills.
Conceptually it makes sense when a business has been around for some time and had profitable years and then has a year where they lose money -- they might have cash reserves or access to credit to make up the shortfall.
But a shorter-lived business like Twatter that's maybe never made a profit -- they don't have a savings account with reserves built up
Re: (Score:2)
How does that work? People are willing to loan them the money because of their high valuation?
Exactly. Cashed up VCs chasing unicorns with the hope of a part of the pie of a multi-billion dollar IPO. What wallstreet maketh silicon valley vapourises into the ether.
Re: (Score:2)
And I get that with VCs and startups before they go public, and the spend money to make money concept. I've been around too many under-capitalized businesses and totally get the idea of losing money building up a foundation for future growth.
But Twitter as an example already has done an IPO and in theory is past the point at which VCs sink money in -- the stock is already issued.
I'm guessing at Twitter's scale the idea that they are losing money is mostly nominal, and that the business isn't absolute, neg
Re: (Score:2)
I'd be more worried about the programmer who thinks of a clever new way to detect viruses while in the shower, but can't easily test how effective it is because there's no large public database of viruses. He can't afford the time or several tens of thousands of dollars to get a dataset just to test out a
Re: (Score:2)
You're assuming that the end user will correlate their detection rate with this sort of thing. If they didn't happen to read this story, they might continue on blissfully unaware that their vendor now suddenly sucks. You can be sure the vendor won't say a damn thing about it, unless prompted by the customers first.
Re: (Score:2)
You don't seem to understand logic.
Let's accept the unstated axiom that those who willfully download pirated media are largely the same group who has no problem with Google doing this. That is still not hypocritical, because even those who download such media acknowledge that the producers have a right to prevent it.
Re: (Score:2)
this is /. please stop making sense and include musk/disrouption at least twice per line.
Re: (Score:2)
This maybe so, but we're not turning around and trying to make mad money off said movie. Most of us anyway.
loose analogy (Score:2)
Given that the malware detection software companies are more like pure competitors to Google, and that software engineers generally are neve
Detection already negligible (Score:5, Insightful)
Google facilitating hackers? (Score:1)
By not sharing their own evaluations these companies are also facilitating the hackers, are they not. Does software evaluation firm AV-TEST contribute their own evaluations to VirusTotal?
CrowdStrike (Score:1)
CrowdStrike has been all over my local ISSA the last year pimping their crapware. This is pretty ironic considering VirusTotal is a Google service and CrowdStrike has been selling themselves on the fact Google gave them 100 million in capital.