RTFS (Read the “Fine” Screens)

It gets a little frustrating dealing with certain “software developers”. These “software developers” want to be “quickly and fairly” identified by the Anti-spyware community. Great. No problem.

We think, “How about putting a place on our website for them to contact us in a non-contentious way, so that we can give them a fair review and, if warranted, change how we classify, identify, label, etc. their programs?” Sounds rough, right?

How do some “software developers” respond? A cease and desist letter. Nice. I guess they just couldn’t read the “fine” screens…

What does this mean? Well, instead of having my research group look at the proposed name changes and releasing a definition update with these changes in just a few days (with the new names), we have to go through lawyers and red tape and bureaucracy. Fun. Fun. Fun.

The Net Result?

It took longer for the “software developer” to get their changes implemented, it cost both them and us money in lawyer fees, and they did not make us feel intimidated, but rather we became less likely to think kindly of them in the future.

Just because they didn’t read the “fine” screens we had put up for them.

Dave Bove
Manager of Spyware Research

An advance peek at Project Ninja™

A while back, I blogged on a major new project we’ve been working on for a long time at Sunbelt, code-named “Ninja”.

Well, the code name stuck and is going to be the actual product name — Sunbelt Messaging Ninja. We’re releasing it in a few weeks.

We’re going to be showing the product at Microsoft Tech.Ed next week, but I figured I’d give you an advance look at some screen shots.

Ok, so I know I’m not really supposed to hype stuff on our corporate blog, but this product is just a beauty. Dual-engine AV protection, dual-engine antispam protection, attachment filtering. An elegant plug-in architecture.

And (to my knowledge), the world’s first policy-based enterprise messaging security product.

If you want an understanding of what this means, take a look at this picture:

Each user is getting their own policy, for antispam, or antivirus.

You can see screen shots of Ninja here. Note that this is pre-release stuff, so not everything is all perfect. But you get a good idea looking at the screens what we’re doing.

Also, here is a preliminary datasheet.

More details are at the show and will be published in the coming weeks.

Alex

Hotbar Truste Certification revoked

Click here. Note that this may only be a temporary measure.

Ben Edelman documented some of their practices with Truste here and here.

To wit:

The TRUSTe ‘Click-to-Verify’ seal was placed throughout the site, and, where it appeared on the privacy statement, had not been properly implemented. TRUSTe requires that the ‘Click-to-Verify’ seal may only be placed at the top of the privacy statement and must link to the TRUSTe validation link.

The site was violating restrictions on the TRUSTe seal appearing on any pages offering downloadable software.

Finally, when used on a Web page, the TRUSTe Trust Mark must always link to the TRUSTe-approved privacy statement. On this Web site this was not always the case.

Alex
(Thanks to Ben Edelman)

New antispyware coalition

A new antispyware coalition has been announced.

Before reading anything more, remember that the primary people screaming for standards in defining spyware are the adware vendors.

I was immediately suspicious at the spyware conference a few weeks ago when all the spyware vendors were talking about “the need to create standards”, and a journalist I met kept saying to me that there needs to be standards. “Oh no,” I thought. “They’d gotten to him.”

Ok, so this one doesn’t have any spyware/adware guys in it, thankfully (unlike the past attempt at a coalition, COAST).

But I’m concerned. One reason is that spyware/adware vendors don’t like to be listed in antispyware product databases. It means end-users uninstall their stuff. They make legal threats against people like us. And if there is some new standard that has been agreed to, all they have to do is simply point to the standard. It gives them a way out.

It’s also what’s a bit unnerving about some of the upcoming legislation. Same reason. “Your application listed us as spyware but we don’t fall into the definitions in the law”.

The idea of a democratic process defining something as sensitive as spyware is dangerous. Spyware fighting is not a consensus-based approach.

So their charter:

“…the Anti-Spyware Coalition, plans to publish proposed guidelines later this summer that define spyware, best practices for desktop software development, and a common lexicon, people involved with the group told CNET News.com.”

Is this a path to hell?

We are presently standing aside on this coalition. We are concerned about our ability to serve our consumer and enterprise customers the way they want to be treated–not based on agreements between other antispyware vendors.

They want standards? Read our listing criteria, arguably the best set of standards in the business. I mean it. Read them and see for yourself. We’ve covered the bases. Just copy and paste, you’ve got your standards. Move on.

This isn’t Betamax vs. VHS. If I label abetterinternet as “directrevenue.abetterinternet” vs. “dr.abetterinternet”, who cares? It’s not important. It’s just a naming standard.

Or a better example: If my database flags Hotbar as a threat, but another vendor doesn’t, who is the better vendor? The consumer, armed with independent reviews by authoritative publications, makes that choice.

The problem is spyware/adware definitions have a lot of gray areas. It’s not like viruses, which are black and white.

Here’s an example. Look who has delisted Hotbar (according to Hotbar): Microsoft. Lavasoft. SpywareDoctor. McAfee. Panda.

Then look at the comments from users when we got our Cease and Desist letter from Hotbar. These people are pissed (and see our response to Hotbar here.)

Who served their customers best by giving in to Hotbar’s pathetic threats?

Then look at who is on the new antispyware coalition:

Members:
Aluria Software
America Online
Computer Associates International (PestPatrol)
EarthLink
Hewlett-Packard
Lavasoft (Ad-Aware)
McAfee
Microsoft
Safer Networking (Spybot)
Symantec
Tenebril
Trend Micro
Webroot Software
Yahoo
Business Software Alliance
Cyber Security Industry Alliance

Also involved:
National Consumer Law Center
Canadian Internet Policy and Public Interest Clinic
Berkeley Center for Law & Technology
Consumers Union
Center for Democracy & Technology

Missing are some of the major superstars of antispyware research. Ben Edelman. Eric Howes and Suzi Turner of Spyware Warrior. Wayne Porter. Andrew Clover of Doxdesk. Paperghost. Dave Methvin of PC Pitstop.

Jan 2006 update: A lot has changed since I wrote this post. Many of these folks mentioned will be panelists at the upcoming ASC conference in February 2006. See the ASC webpage for all the latest news.

Now, that’s not to invalidate all the people who are members. There are some major league players that I have tremendous respect for, people like Ari Schwartz of the CDT, and the people at Webroot. But is this just it?

Maybe I’m too much of a hardliner. Yes, this fight is very real and very visceral for me. I don’t know how many other software company CEOs have spent late nights de-infesting a friend’s machine. I have and I’m pissed. And my primary business is selling to the enterprise, and they have decidedly hard views on security threats.

I wish the best to any group trying to solve the mess of spyware. We will stand by the side and see what happens.

Alex Eckelberry

Annenberg study on how misinformed internet consumers are

An interesting and somewhat depressing report by the Annenberg Public Policy Center. Read it here.

The study, entitled “Open to Exploitation: American Shoppers Online and Offline”, has tidbits like this:

“The study indicates that many adults who use the internet believe incorrectly that laws prevent online and offline stores from selling their personal information.

They also incorrectly believe that stores cannot charge them different prices based on what they know about them. Most other internet-using adults admit that they simply don’t know whether or not laws protect them.

The survey further reveals that the majority of adults who use the internet do not know where to turn for help if their personal information is used illegally online or offline.”

Then check these stats out:

• 75% do not know the correct response—false—to the statement, “When a website has a privacy policy, it means the site will not share my information with other websites and companies.”

• 64% of American adults who have used the internet recently do not know it is legal for “an online store to charge different people different prices at the same time of day.” 71% don’t know it is legal for an offline store to do that.

(If you’ve ever shopped at Dell, you know what I mean. We had one situation recently where I was shopping a laptop with a co-worker, who happened to be on another machine. His price was $50 higher than mine!)

• 68% of American adults who have used the internet in the past month believe incorrectly that “a site such as Expedia or Orbitz that compares prices on different airlines must include the lowest airline prices.”

• 49% could not detect illegal “phishing”—the activity where crooks posing as banks send emails to consumers that ask them to click on a link wanting them to verify their account.

• Consumers are also vulnerable to subtle forms of exploitation online and offline.

• 72% do not know that charities are allowed to sell their names to other charities even without permission.

• 64% do not know that a supermarket is allowed to sell other companies information about what they buy.

They suggest three policy initiatives:

• The Federal Trade Commission should require websites to drop the label “Privacy Policy” and replace it with “Using Your Information”.

• U.S. school systems—from elementary through high school—must develop curricula that tightly integrate consumer education and media literacy.

• The government should require retailers to disclose specifically what data they have collected about individual customers as well as when and how they use those data to influence interactions with them.

Worth a read. And as always, caveat emptor.

Alex Eckelberry
(Thanks to BeSpecific)

REAL ID act redux

An update of my prior blog on this issue.

The LA Times recently wrote (registration required) about further consequences of this law, which will have a significant effect on your privacy.

From the article:

“But once the law takes full effect three years from now, it will also give many more bureaucrats access to personal information on people nationwide. And it will add more data to each file — including digital copies of documents with birth and address information.

“It’s a gigantic treasure trove for those who are bent on obtaining data for the purpose of creating fake identities,” said Beth Givens of the nonprofit Privacy Rights Clearinghouse. Armed with a stranger’s name, Social Security number and date of birth, it’s not hard for fraudsters to take out bogus loans that can wreck a victim’s credit record.

“Critics predict the standardization will prompt many more merchants to scan customer licenses and then pass on the information to such data brokers as ChoicePoint Inc. and LexisNexis. The databases of both ChoicePoint and LexisNexis have been exploited by identity thieves.”

The large amount of personal information that has already been compromised through the LexisNexis and ChoicePoint breaches is disturbing enough. So we have a law which might, ironically, make it easier for these breaches to occur.

To the commenter on my prior blog who extolled the benefits of ID cards, I urge you to enjoy life in your country. In the States, privacy advocates are actually trying to hold on to the last of our rapidly disappearing freedoms.

Alex