The security software racket

In the middle of a post about Microsoft’s new Windows Live Messenger service, Dwight Silverman’s guest blogger Jim Thompson writes:

At home I don’t install IM software both because I have little need for it and because I see it as just another source of viruses and other malware.

One could make the same argument about e-mail, I suppose. Or networking. Or mobile phones.

And can anyone point me to the treasure trove of “viruses and other malware” that sneak in via IM products? Because I’m sure not seeing them out there in the real world. Googling the subject turns up a flurry of scare-mongering articles from 2003, 2004, and early 2005, all of which report on the alarming increase in IM viruses and predict that this year will be the year that IM-borne viruses finally take off. Oh, wait! Here’s yet another scare-mongering article from June 2006 – “a 500 per cent increase in IM attacks during last month alone.” Details? Bah! Who needs details?

I would take all these articles much more seriously except for the fact that every single one just happens to tout a new study from a security software company that just coincidentally happens to have the product that will solve this alarming new problem.

Nice racket.

Update: In the comments, Jim Thompson responds:

Look at my statement this way, Ed: IF I had a serious need for IM software THEN it would be worth dealing with the malware risk. In the case of networking and email, the need for the technology is worth the trouble of dealing with malware.

Maybe I’ve been duped by the security folks, but tell me: isn’t it true that IM can be used to send executables? And I know for a fact that *any* executable can contain a virus, rootkit, or trojan horse. Given that I’m not that familiar with IM software (something that I mention in the post) and that IM would be used mainly by my young daughters (something I didn’t mention), isn’t it prudent to simply not give malware another route onto my systems?

My reply:

There are three completely separate issues at work here, and conflating them just confuses the discussion.

1. If you don’t need a particular class of software, don’t install it. I’ve been preaching that gospel for years, and it’s still true. Any program can introduce possible security and stability problems, so why install something you don’t need? This argument isn’t unique to IM software.

2. Your kids are the ones who might use this software? Of course you should look carefully at it before installing it. Not just because they can download executables, but because they can communicate with strangers. In my opinion, this is a parenting issue, not a computer security question.

3. Can IM be used to send executable files? Well, yes, as can e-mail. In the case of Windows Live Messenger, there is a fairly easy-to-access setting that allows you to automatically block ALL known unsafe attachments, including types that aren’t normally considered executable. In addition, the software has an integrated and apparently free virus scanner.

I agree that you should evaluate any Internet-facing software carefully before installing it, but falling for the security industry’s fear tactics is a bad starting point for that evaluation process.

Update 2: Jim has posted an excellent follow-up here.

13 thoughts on “The security software racket”

  1. I have had a number of friends who got whacked with viruses that propagated by AIM. The key, however, is that they got tricked into clicking on a link that propagated the virus.

  2. Look at my statement this way, Ed: IF I had a serious need for IM software THEN it would be worth dealing with the malware risk. In the case of networking and email, the need for the technology is worth the trouble of dealing with malware.

    Maybe I’ve been duped by the security folks, but tell me: isn’t it true that IM can be used to send executables? And I know for a fact that any executable can contain a virus, rootkit, or trojan horse. Given that I’m not that familiar with IM software (something that I mention in the post) and that IM would be used mainly by my young daughters (something I didn’t mention), isn’t it prudent to simply not give malware another route onto my systems?

  3. When the current distribution of IM malware is low, it’s easy to have a 500% increase in the threats detected. It’s a growing threat but at present I don’t see it being a serious risk.

  4. “1. If you don’t need a particular class of software, don’t install it.”

    This is an overly simplistic decision criterion. What is need? It’s certainly not an all-or-nothing thing. For example, I don’t need iTunes, but I install it because I like it and it makes me happy. (Even my iPod does not require iTunes – there are other ways of getting music on and off an iPod.)

    I prefer to make my decisions in terms of advantages and disadvantages. If the advantages of installing a particular class of software outweigh the disadvantages, then I proceed. You can see this in my statement about IM: I have little “need” of it – few advantages – and it’s a security risk – big disadvantage. So I choose not to install it.

    (However, the ability in Live Messenger to turn off unsafe attachments may be enough mitigation of the security risk that I’ll take a chance on it. I need to research that point some more.)

    As for the parenting issue, I’m 100% in agreement. At my house we deal with email, web browsing, and everything else from that point of view as well as from a security point of view. And we are rather strict. I mentioned my children only because they are less likely than Mom or me to recognize malware. Even if we let them use IM and can restrict them to IM only their friends, we still don’t know what those friends will pass along in the form of trojans, worms, etc.

    Regarding the magnitude of the security risk from IM, I did a search at the SANS Internet Storm Center, and it appears that indeed there is no rash of IM worms, viruses, and trojans making the rounds. However, IM malware is not all hype; I did discover a few reports of worms like Oscabot-F IM making the rounds last year. So I’m still going to take a paranoid, if somewhat enlightened view, of Instant Messaging.

  5. Jim, you’re the one who initially said you didn’t need IM software, so I’ll stand by my point: If you don’t need it, why should you install it? You do, on the other hand, need music-transfer software, unless you want your iPod to be a pretty paperweight. So you have to research which piece of software is best, and as part of that research I hope you look at security issues.

    My objection to your original post is that you repeated an unfounded talking point from the fear-mongering security industry without bothering to research it. IM viruses are not a major security issue, and at least in this case there are strong ways to mitigate the threat. People reading the Chron blog are going to get the message that IM software is dangerous and they should stay away. Even though you readily acknowledge that you haven’t done enough research to say that.

  6. “My objection to your original post is that you repeated an unfounded talking point from the fear-mongering security industry without bothering to research it.”

    Well, if you’ll go back and read what I wrote, I was presenting my perception of the security situation, not issuing a statement of Fundamental Truth. However, your point about the TechBlog readers is a good one, and one I will take to heart. I’ve already been thinking of working our entire exchange into a future blog post. (In fact, I already referenced your post in an update to my original post.) I’m not sure what form that post will take, but I want to highlight the points you’ve raised about fearmongering and IM software.

  7. It is not just a fear-mongering with IM software issue. Fear-mongering has become the number two tool behind sex in the salesman’s bag of tricks. In some areas, it has become the number one tool (Bush administration).

    People tend to recognize that TV/Radio/Newspapers/Magazines are commercial ventures driven by advertising. What they sometimes fail to recognize is that there are also many blogs that are also commercial ventures also driven by advertising.

    I find it amazing that people agree with the concept of having laws against yelling fire in a crowded theater yet they allow the rampant use of fear-mongering daily in all forms of the media. The only thing I can make of it, is that people assume that it is an acceptable practice because it also comes from the top of our government on a frequent basis also. We do have many truth in advertising laws on the books which could be used to tone things down but with fear-mongering being a frequently used tool of the government I would not anticipate them using these laws against others anytime soon.

    P.S. No relation to Jim that I know of. Just coincidence that we share the same last name.

  8. The sad thing is when this type of information becomes a mythical shared memory. I’ve known people that talked about the “virus they got using IM” but when I press for details they either don’t really have any facts or after a detailed back-tracking we discover what they are calling a “virus” was the advertising that is built directly into some IM clients or some other very non-virus annoyance.

    Slightly off topic it’s this same type of fear and mis-information marketing that Apple is using with their “Hi, I’m a PC, Hi, I’m an Apple” ads. I always chuckle when I see the ad that tries to imply that the Mac can talk to “latest digital camera” straight out of the box and Windows can’t, which is of course a big fat lie.

    Technology is one of the easiest things to market with fear and the promise of safety because many people, even those that use it daily, still don’t really understand it.

  9. In all my years of using different IM programs and supporting IM users (and their “I’ll click on anything” kids) I have never seen a virus born from or coming through directly via an instant message.

    I personally hate Yahoo IM software because in the past it has appeared to be loaded with spy/malware and sucks system resources. I cannot say the same for AOL or Messenger. I also have received a lot more phony IMs from spambots on Yahoo than the other services.

    What I think is the bigger problem with IM is how quickly users pass around links to websites with malicious software on them. The end user will just keep clicking “yes” to warning prompts until they get to see that cool video of a kid falling off a roof onto the burning table.

    I think that current anti-virus and anti-spam software is the best defense against these kinds of threats – having an IM-anti-whatever would simply provide more prompts with more questions that many users just simply ignore for the instant gratification of clicking through.

  10. OMG!!! It’s worse than I thought! According to “IM Security: A Threat or Just Marketing Hype?”, “Research conducted by FaceTime Security Labs found a 2,200% increase in IM security incidents between 2004 and 2005.” Sheesh. Where do they come up with these numbers?!

    Oh, coincidentally, the author of that article is a senior director of Mirapoint, a company whose slogan is Secure Messaging Simplified(TM).

  11. If you don’t need the software don’t use it.

    The problem is that ANY social software (IM, email, FTP, WWW, P2P) can be fraught with bad guys trying to do bad things to you.

  12. OK, I’ll throw a fact in here. I do security work at a big university, and our #1 “virus” problem is bots propagating via links in IM. Although I’m not going to post the details, we use a managed anti-virus program that is tracking over 10,000 computers, so I have evidence to back up this statement, I’m not just making it up or basing it on what I’ve seen on my own computers.

    So I think there’s some validity to the statement that IM is a source of viruses and other malware. One can argue that clicking on a link that says, “Look at my neat MySpace pictures”, or “Did you see this picture of you at the party last weekend?”, where the link actually downloads a bot or spyware or some other malware instead of pictures is not a virus because of the way it spreads, but the distinction is a subtle one, and the problem is a real one, at least in some environments.

    I don’t consider warnings about viruses in IM to be fear-mongering. We have gone through an educational effort to convince members of the university community to pay attention to their IM, and not trust links, even if the message appears legitimate and from a friend, and the number of infections via this vector dropped by a factor of at least 4 following the educational effort.

    I suppose the above is somewhat at a tangent from the discussion of inappropriate shilling of the latest threat, which certainly happens, but nonetheless, the particular instance being cited is a real threat, and I have facts to back it up across thousands of machines in the real world, not some study, so I thought I’d add my $0.02.

  13. This malware thing is way overblown. Yes, it is out there but with a few simple precautions one can enjoy computing without all this scary hype. At home we have 4 desktops and 2 laptops, all running ZoneAlarm, and AVG anti-virus. All run AdAware and Spybot at least a few times a week, and all have utilities to clean out temp folders, Internet cache and cookies (EmptyTemp Folders, ISystem Wipe, CCleaner). Not hard to do and with these basic precautions we have not had any problems with Trojans, malware or the likes. Our systems are used daily for personal and business use.

    We all use AOL IM, to communicate with distant family members and friends. We even use it to transfer files. Never a problem.

    The folks who have the problem (like one of our kids) are those who run without a firewall (said it slowed down his system), without virus protection and/or out of date virus protection, and AdAware is a foreign word. Plus they are usually downloading everything under the sun. But even when my kid’s system finally got hosed with viruses and malware and he was connected to our home network, it never got past his PC. He learned the hard way.

    So yes security has become a racket and there are many like Symantec sucking in the dollars by scaring everyone to death and offering expensive poor quality products. For most people, a few simple (and usually free) precautions should keep them out of trouble. I would add common sense when opening mail attachments and forget the free mail clients – get an industrial strength mail client (like Outlook) that can dispose or quarantine almost everything that may do harm to your system.
