Sunpoll: Majority believe Windows is in trouble

Interesting results from our non-scientific poll here (you can vote yourself on the front page of our site). This is after Gartner basically said that the End is Nigh. Certainly, videos like this don’t help the cause.

I could wax lyrical on the good and bad about Windows, vs. Mac, vs. Linux, but that’s a long post which I don’t have time for.

However, I will make the observation that Apple has no chance of making real gains on Windows without decoupling their OS from their hardware. Why Apple won’t do this is beyond me. Who cares about higher revenue from selling hardware? It’s the profit that matters — I’d rather sell something with a 99% gross margin (like Windows), than sell hardware at a gross margin of 35%. And I’d rather take over the world than be satisfied with single-digit, albeit growing, market share. (Fill me in if you know more — I’m certainly not an expert on Apple’s internal thinking, although I may need to become one.)

Is the end really near for Windows? Let me know your thoughts.

Alex

Blue Jeans Cable — maybe all the rest of us can learn something from this

Having been the recipient of my fair share of cease and desist letters, I can only admire Blue Jeans Cable CEO Kurt Denke’s response to a cease and desist letter from Monster.

Denke is a former litigator, and his closing paragraph is pretty much the Way Things Should Be:

After graduating from the University of Pennsylvania Law School in 1985, I spent nineteen years in litigation practice, with a focus upon federal litigation involving large damages and complex issues. My first seven years were spent primarily on the defense side, where I developed an intense frustration with insurance carriers who would settle meritless claims for nuisance value when the better long-term view would have been to fight against vexatious litigation as a matter of principle. In plaintiffs’ practice, likewise, I was always a strong advocate of standing upon principle and taking cases all the way to judgment, even when substantial offers of settlement were on the table. I am “uncompromising” in the most literal sense of the word. If Monster Cable proceeds with litigation against me I will pursue the same merits-driven approach; I do not compromise with bullies and I would rather spend fifty thousand dollars on defense than give you a dollar of unmerited settlement funds. As for signing a licensing agreement for intellectual property which I have not infringed: that will not happen, under any circumstances, whether it makes economic sense or not.

I say this because my observation has been that Monster Cable typically operates in a hit-and-run fashion. Your client threatens litigation, expecting the victim to panic and plead for mercy; and what follows is a quickie negotiation session that ends with payment and a licensing agreement. Your client then uses this collection of licensing agreements to convince others under similar threat to accede to its demands. Let me be clear about this: there are only two ways for you to get anything out of me. You will either need to (1) convince me that I have infringed, or (2) obtain a final judgment to that effect from a court of competent jurisdiction.

Pwned.

Link here.

I subscribe to exactly the same philosophy, and we’ve responded in the same fashion to the C&D’s we’ve received. If we’re wrong, we’ll fix it immediately. But if we feel we’re in the right, and that there are real business or customer issues at risk, we won’t propitiate and we’ll fight back hard.

What’s sad is when lawyers call the shots in a company. Nothing against lawyers (really, I even have one in my family), but they often don’t have the broad business sense to look at something from the bigger picture. They unnecessarily scare people in a company (especially those who aren’t experienced). And that sometimes results in mind-blowingly terrible business decisions. And sometimes, taking a friendly and reasonable approach to a potential legal issue can win you serious props.

Alex Eckelberry
(hat tip)

PC Tools slams “top threat” lists

Our friends down under don’t like lists:

The problem, according to the Australian company, is that the lists — which are now regularly issued by almost every security software company — measure volumes rather than the underlying danger of a particular type of malware.

PC Tools, itself an anti-malware vendor in the same space, dismisses them as being “of no practical use for the security industry or consumers,” and, not surprisingly, advocates its own ThreatExpert analysis system that cross-references volume with other factors such as the design complexity of a threat, its innovation, and its payload.

Examples of threats that regularly turn up on some lists but which pose relatively little danger include the four-year-old Netsky, and the packer NSAnti, which itself is merely a means of hiding malware, and shouldn’t even appear on such lists at all, the company said.

“Threat analysis is highly complex. There was a time when volume alone was an acceptable indicator of the level of threat. But the threat landscape has changed significantly and there are a number of additional parameters, besides volume, which are equally, if not more important in identifying and classifying top threats,” said PC Tools CEO, Simon Clausen.

They have a point. But irritating pieces of malware, like Srizbi (315,000 bots active) and Storm (85,000 bots active), have great exposure in security circles but aren’t nearly as widespread as, say, fake codecs. Fake codecs are a plague, and frankly, probably provide a lot of bread and butter money to security companies.

So what do we do? I suppose categorizing based on complexity is a reasonable idea. But these “top 10” lists are useful, to gauge prevalence, and they should not be thrown out. Look, would we want Billboard Magazine to list “most complex or interesting bands” rather than “most sold bands”? There’s room for both.

Alex Eckelberry

People still give passwords for chocolate

Hmmm… if I give her my password, I’ll get chocolate… but maybe a phone number too…

Now, considering chocolate in Europe is about 100x better than American chocolate, this may come as no surprise:

A survey by Infosecurity Europe of 576 office workers has found that women are far more likely to give away their passwords to total strangers than their male counterparts, with 45% of women versus 10% of men prepared to give away their password to strangers masquerading as market researchers, with the lure of a chocolate bar as an incentive for filling in the survey. The survey was actually part of a social engineering exercise to raise awareness about information security. The survey was conducted outside Liverpool Street Station in the City of London.

This year’s survey results were significantly better than in previous years. In 2007, 64% of people were prepared to give away their passwords for a chocolate bar; this year it had dropped to just 21%, so at last the message is getting through to be more infosecurity savvy. The researchers also asked the office workers for their dates of birth to validate that they had carried out the survey; here the workers were very naïve, with 61% revealing their date of birth. Another slightly worrying fact discovered by researchers is that over half of the people questioned use the same password for everything (e.g. work, banking, web, etc.).

Link here.

Alex Eckelberry

Bill of Responsibilities? Err, I don’t like the sound of that at all

If you carefully parse this article, you might get a bit concerned. Comcast is proposing a new “Bill of Rights and Responsibilities” for p2p file sharing.

As Jeff Nolan astutely observed: “How much you want to bet that at some point the responsibilities include ‘verifying your (ISP) customers have rights to the content they are distributing’?”

Link here.

Alex Eckelberry

Blogged to death

This is silly. A New York Times article talks about the unbearable stress of being a blogger.

A growing work force of home-office laborers and entrepreneurs, armed with computers and smartphones and wired to the hilt, are toiling under great physical and emotional stress created by the around-the-clock Internet economy that demands a constant stream of news and comment.

So, are we now going to have yet another disorder proposed for the DSM, of Blogging Anxiety Disorder? I’m glad Battelle concurs (with counterpoint here).

People work themselves to death in all industries. Blogging just happens to make the process far more enjoyable (and sometimes, even lucrative).

Alex Eckelberry

Robert Preatoni speaks about his arrest, his future

Back in November, you may recall that WabiSabiLabi founder Robert Preatoni was arrested in what can only be described as mysterious (or even bizarre) circumstances.

He’s finally talking (a bit) about the arrest.

The case for which I was arrested is actually a huge case and believe me, no single news agency was able to picture it completely right. Probably, nobody will ever be able to picture it completely right, as it’s a case involving a hundred arrested people, the Italian Secret Services, the US Secret Services, some corrupted Italian police and financial police officers, some Italian and US investigation companies, a multi-billionaire struggle between Telecom Italia and Brasil Telecom, an extraordinary rendition (kidnapping) of a presumed Islamic terrorist, and last but not least, the suicide (but many say murder) of a Telecom Italia Security top manager. Aside from this, the various attempts of the Italian government to take over control of the main Italian telecommunication carrier.

Link here (via NetworkWorld through Donna).

Alex Eckelberry

Google Groups continues to be inundated with malware-pushing porn

As we’ve seen before, this continues to be a problem on Google Groups: Fake posts pushing porn that pushes malware (fake codecs).

A simple search of Google Groups using the search term “porn” shows just an extraordinary number of these sites (you can try it if you like, but realize the risk).

For example, a search looking for posts with the keywords “porn video” in the last month showed 256,000 hits (warning: graphic content).
A spot-check shows that the vast majority of these are posts pushing malware (fake codecs).

This really needs to get cleaned up. There’s a reason why so many of the threats that we see users getting infected with are invariably fake codec related.

Alex Eckelberry

Anonymity and Dirty Tricks

I’ve seen fair amount of this stuff in my career. Just always be careful when reading community reviews on sites like Amazon.com…

With this context in mind, last week we ran across a couple of negative user reviews on Amazon.com that seemed out of character. They seemed especially out of character given that both posters had posted 5-star reviews of Parallels Desktop for Mac, prior to posting less-than flattering reviews of VMware Fusion. After a little investigation via LinkedIn, based on the user names that the reviewers posted under, we found that these reviews were not from actual users but from employees of a competitor, Parallels.

More here.

Alex Eckelberry

Heads-up: Dangerous new customized IRS scam steals data

This afternoon, we got a highly customized email purporting to come from the IRS, which of course, does nothing more than load malware.

The email is made out to a key financial contact here at Sunbelt (name obfuscated for this post).
As you can see, it’s quite convincing. (Incidentally, “Sunbelt Software Distribution, Inc.” is no longer our company name; it was recently changed to simply Sunbelt Software. But that’s a side note.)

Attached to the email is a zip file, which has a .scr file in it.

Once clicked, the .scr file downloads several other files and reaches out to several servers, including the “Office of the Attorney General – California Department of Justice” site, from which a PDF file is downloaded and opened using your default PDF viewer. In this case, we got a PDF from the following location:

http://ag(dot)ca(dot)gov/cms_pdfs/press/n1478_complaintat&tunauthorizedchargesfinal_tbf2.pdf?id=1594

The entire purpose of this PDF is to make things look official. Otherwise, it’s meaningless, and does not appear to be malicious.

Interestingly, the id parameter for the PDF changes with each install (the number increases), the link is not indexed, and the name of the PDF corresponds to the nature of the attack. And, also interestingly, the malware sets the following request headers, including its user agent:

Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en;) Gecko/30060309
Firefox/1.5.0.7

This raises the question: Is this California .gov website compromised in some fashion to serve the PDF? We simply don’t know at this juncture, but this does look suspicious.

Then, a number of other URLs are contacted to download malware, and the user is left with a keylogger on their system. It also appears that malware is downloaded from a number of compromised sites.
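One way a defender could turn the request headers quoted above into a triage check over proxy logs. This is an added example, not code from the post or from Sunbelt: the log format, the hosts and the client addresses are constructed, and the only value taken from the page is the User-Agent string itself.

```python
import re
from urllib.parse import parse_qs, urlsplit

# User-Agent the post reports the IRS-scam malware sending (copied from the page).
SUSPECT_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en;) Gecko/30060309 Firefox/1.5.0.7"
GECKO_RE = re.compile(r"Gecko/(\d{8})\b")

def gecko_token_plausible(ua):
    """Gecko build tokens are YYYYMMDD dates; 30060309 has no valid year."""
    m = GECKO_RE.search(ua)
    if not m:
        return True  # not a Gecko-style UA, nothing to judge here
    year, month, day = int(m[1][:4]), int(m[1][4:6]), int(m[1][6:])
    return 1998 <= year <= 2100 and 1 <= month <= 12 and 1 <= day <= 31

def indicators(url, ua):
    """Return the reasons this request resembles the post's sample traffic."""
    reasons = []
    if ua == SUSPECT_UA:
        reasons.append("exact User-Agent from the IRS scam sample")
    elif not gecko_token_plausible(ua):
        reasons.append("Gecko build token is not a real YYYYMMDD date")
    parts = urlsplit(url)
    if parts.path.lower().endswith(".pdf") and "id" in parse_qs(parts.query):
        reasons.append("PDF fetched with a per-install id= parameter")
    return reasons

def scan_proxy_log(lines):
    """Parse tab-separated 'time client url ua' lines (constructed format)."""
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue  # malformed line, skip it
        _time, client, url, ua = fields
        reasons = indicators(url, ua)
        if reasons:
            hits.append((client, url, reasons))
    return hits

# Constructed sample log (not real traffic); the PDF host is a placeholder.
SAMPLE_LOG = [
    "2008-04-02T14:01:03\t10.0.0.5\thttp://www.example.com/\t"
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13",
    "2008-04-02T14:01:09\t10.0.0.7\thttp://pdf-host.example/cms_pdfs/press/n1478_final.pdf?id=1594\t"
    + SUSPECT_UA,
    "2008-04-02T14:01:15\t10.0.0.9\thttp://www.example.org/help\t"
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7",
]
```

The third sample line shows that an old but well-formed Firefox 1.5 agent is not flagged on its own; the check keys on the impossible build date and the exact string, not on browser age.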

Alex Eckelberry
(Additional credit to Sunbelt’s Adam Thomas for his invaluable help)

Why you don’t launch a big press release on April Fools’

We announced our new Unlimited Home Site License yesterday. We had some trepidation on launching on April 1st, but due to a variety of internal timing issues, we needed to get the release out.

Of course, it turns out that some thought it was an April Fools joke.

Just to make it clear, it’s not a joke — it’s real. Here’s the link to the blog post, and the press release.

Alex Eckelberry

Offensive Computing… yeah, it’s a joke

I suspect quite a few people in the malware research space got pretty unnerved when they first saw Offensive Computing’s site today:

In case you don’t recognize the image, it is exactly what you get right now when going to a Storm worm site. In fact, the page source on the site is identical to the source used on the Storm sites.

But, of course, it’s a joke. The exes pushed on the site are harmless. Worse, it’s a rickroll — there’s a link in the binary to a Rick Astley video.

Alex Eckelberry
(hat tip to Nick Fitzgerald)

A new licensing model for home software: The Unlimited Home Site License

Today, we’re introducing something completely new: An unlimited home site license. This will be an option on all of our consumer products.

Here’s the backstory:

Sunbelt is a research-intensive organization — we are constantly doing surveys.

Back in February, we were doing a survey for our upcoming security product, VIPRE (shipping later this month), and our head of marketing noticed something interesting: On average, about 35% of the respondents had more than 3 PCs in their household. (21% responded with three computers, 28% responded with two computers and 17% responded with one computer, out of 1009 respondents, obtained from Sunbelt’s database.)

The lesson was clear: a large group of users out there are getting to a point where a typical 3-user license just doesn’t cut it. That got our marketing head thinking about a whole new idea, taken from the enterprise software space: An unlimited home site license. I really liked the idea.

So, after further discussion and some testing, we’ve formally launched our new Unlimited Home Site License program. All of our consumer products have this in place right now, but it will also be available for VIPRE.

This is an unlimited license — it works for as many computers as you have at home, whether 3, 10, 50 or 100 computers. No guilt, no BS. No limits.

Here’s how the pricing breaks out:

iHateSpam: $39.95
CounterSpy: $39.95
Sunbelt Personal Firewall: $39.95
VIPRE™ Antivirus + Antispyware: $49.95

The annual subscription provides protection for unlimited PCs and includes one year of software updates and upgrades, any relevant threat definitions, and live US-based toll-free technical support.

You can read more about the new program here.

Alex Eckelberry

Japan: Microsoft bundles OneCare with Vista in a pink box

The text on this site promotes a bundle of Vista Premium, OneCare for free, and a book.

I assume that in the US or the EU, bundling the OS with their antivirus product would raise the ire of the gubmint (no, I never hinted at this before).

But the bigger news? It comes in a PINK BOX (with flower petals, of course)!

I think the Symantec team needs to get their Super Sentai fighters ready!

Alex Eckelberry
(Thanks Donna)