Tag Archives: Internet security

Getting Paid for Doing Bad Things (12″ version)

This is the extended version of my earlier blog post. The BBC finally ran my commentary so for those of you who want more info, here it is:

Think of it as product placement for the Internet. It’s been around a while, but I just figured out how it works, and it made me realise that the early dreams of a blogging utopia on the web are pretty much dead.

Here’s how this kind of product placement works. On the Internet Google is like a benevolent dictator: it creates great stuff we love, and without which most of the net wouldn’t work. But it also wields great power–at least if you’re someone trying to make money off the web. Because if you don’t show up in Google’s search results, then you’re nobody. It’s the equivalent of exile, or solitary confinement, or something.

A lot of money is spent, therefore, on gaming your website’s position in Google’s rankings. But you have to be careful. Google also spends a lot of money tweaking its algorithms so that the search results you get are not gamed. The threat of exile is usually enough to keep most web players in line.

But because Google doesn’t issue a set of rules, and doesn’t explain why it exiles web sites, the gray area is big. And this is where the money is made.

One of the mini industries is something called link building. Google reckons a site with lots of links to it is a popular site, so it scores highly. So if you can get lots of sites to link to yours, you’re high up in the results.

Now it just so happens that some of the pages on my modest decade-old blog score quite highly here. So I suppose it was inevitable that link building companies would seek me out.

A British company, for example, called More Digital offered me a fixed upfront annual fee for a “small text-based ad” on my website. Just as intriguing was the blurb at the bottom of the email:

You must not disclose, copy, distribute or take any action in reliance on this e-mail or any attachments. Views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of More Digital.

Clearly these guys mean business, I thought, so I wrote back to Alicia Ross. She was excited to hear from me, and offered two options: one was a simple link in my collection of recommended web sites. The idea would be that I would include a link to their client’s website–whoever it was–alongside my real recommendations.

The other was “one page simple text”:

The advert will be text, not a visual banner. It will appear in the content, and only on a single page of your website. Our writers will provide you with a copy that will fit naturally into your existing content.

(I think she means “copy” rather than “a copy”). For this I would earn $200 a year per ad if the client was a poker, casino or bingo site;

Now in Internet terms this is big money. It would take me a month or so to make that kind of dosh from simple Google ads on my website. Here they’re talking about one simple text link and I get the cash in two days!

But hang on a minute. There’s that ethics thing in the back of my mind. I have to listen to it a second.

The first one I’m not crazy about: What’s the point of a collection of recommended links if I don’t actually recommend them myself?

But the second one took some getting my head around. I couldn’t figure out what she had in mind, so I asked her. And this is when I started to get really depressed.

Basically what they’re after is me inserting a sentence into an existing blog post that links to their client. These guys are not interested in a new post. That would take time to rise up through the ranks of Google; they want to tap into my micro-Google fame. And remember this is not an ad. It’s a plug. It’s product placement. In a piece that is supposed to otherwise be straight, authentic and, well, me. I like to think that’s why it has Google juice.

By the time I got back to Alicia the offer was off the table as all the spots had been picked up. Clearly this is a well-oiled business. But then I got another, from a different company. Mayra Alessi was contacting me on behalf of a U.S. company selling identity theft protection, which she wanted me to link to in a piece I wrote two years ago about a privacy problem with Facebook. For $30 a month.

Mayra, if it was she, proposed I add a sentence at the end of a paragraph on how Facebook needs to fix the way they handle friendship requests, as follows:

Mistakes like these from Facebook, make us more and more vulnerable to identity theft, that is why it is important to understanding identity theft in the USA.

Clearly Mayra hasn’t made her way in the world on her copyediting, grammar or punctuation skills. And the irony hasn’t escaped me that a company peddling identity theft protection is at best unaware that companies operating in its name are paying websites to mislead their readers, and Google.

What’s wrong with all this? Well, I guess the first thing is the seediness. A company is basically hiring another company to fiddle its rankings on Google–instead of just producing the kind of kick-ass content that it should be building it leeches off my kick-ass content.

And it’s not just seedy, it’s illegal. Well, as far as Google is concerned. Only the other day someone complained on a Google forum after getting his sites bumped off Google’s index. The reason, he suspects, is that he took $75 from one of the companies that contacted me for linking to a site about bikes. And these companies must know that. I guess that’s why the fees seem quite high for the chicken feed that niche blogs like ours are used to earning.

The point is that the companies apparently funding this kind of activity–those whose websites benefit from the link love–are not necessarily sleazy gambling sites. One I was invited to link to was an Internet security company. Among the companies willing to pay me $150 for a link are, according to one of these link building outfits trying to get me aboard, those selling mobile phones, health and fitness, travel, hotels, fashion, Internet services, insurance, online education and, somewhat incongruously, recycling companies.

To me this is all the more sleazy because these are real companies with offices in the UK and US and they’re clearly proud of what they do. We’re not talking Ukrainian spammers here. But their impact, in a way, is worse, because with every mercenary link sold they devalue the web. I’ve been doing a blog for nearly 10 years now, and the only thing that might make my content valuable is that it’s authentic. It’s me. If I say I like something, I’m answerable for that. Not that people drop by to berate me much, but the principle is exactly the same as a journalistic one: Your byline is your bond.

All in all, a tawdry example of where the blogosphere has gone wrong, I reckon. Keep your money. I’d rather keep the high ground.

A Patch in Time?

Further to my earlier post about what I felt was Symantec’s somewhat tardy and insubstantial public response to the discovery of a serious vulnerability in its own Antivirus software, I don’t feel much more at ease after an email exchange with their PR folk. First off, Symantec has, by midday in the Asian day, come up with a fix which can be downloaded here.  “Symantec product and security teams,” the media statement says, “have worked around the clock since being notified of this issue to ensure its customers have the best protection available.”

That’s good. And quick. But not, I fear, good enough in PR terms. Why has Symantec worked around the clock to find a solution but not made the same effort to let interested people know of the problem in the first place? There’s been no press release on the web site, for example, only a media statement emailed to those journalists who enquire. When I asked Symantec’s PR about this, and requested a comment on my original post, all I got was a copy of the media statement and a link to the original security advisory. So I asked where I could find the “media statement” online, where customers, readers, users and the media could find it. Their response: “Symantec posts security advisories [here]. Please contact Symantec Public Relations for any information you need.”

Sorry, but I don’t think this is sufficient. Security advisories are for specialists. This is not a specialist problem. It’s a vulnerability that affects everyone who uses the software, and people need to know about it. (A Google search throws up more than 130 stories on the topic.) Symantec, I feel, needs to be upfront about the problem and blanket everyone with information, not bury it. Symantec occupies a hallowed position in the Internet world, since journalists, users and others turn to it for supposedly objective views on the state of Internet security. Symantec makes the most of this position, straddling telling us about the problem and selling us the solution for it.

Perhaps I’m overstating things here, but I feel Symantec has let us down. I need to know that if I’m entrusting Symantec with defending my valuable data and office network, it’s going to tell me if there’s a problem with that defence. It’s no good hiding, as Symantec PR does in its response to my email, behind the line that “There are no exploits of this vulnerability. Symantec strongly recommends customers to follow best practices and apply the patches as soon as they become available from Symantec.” First off, there are no known exploits. I don’t see how Symantec can be 100% sure of this. One has to assume that if there’s a hole in your defensive wall, someone is going to see it. Especially if it’s been publicised. Now the world has known there is a problem with Symantec’s software since Thursday. It’s now Monday. I’m assuming the bad guys too read these websites and news agencies.

So while the argument that you should throw all your effort into plugging the hole and then telling your customers you’ve built a plug might work if the vulnerability wasn’t publicised, this wasn’t the case. It was splashed all over the shop. Symantec’s position on this process is “that we are responsible for disclosing product vulnerabilities to our customers, but in general, no vulnerability should be announced until we have developed and thoroughly tested a patch and made it available to licensed customers.” (For a list of all Symantec product vulnerabilities, look here.) This clearly wasn’t going to happen here, because the vulnerability was already made public, for better or worse. And the process of “disclosing product vulnerabilities to our customers” seems to be somewhat weak here; if the vulnerability is an obscure one, perhaps an advisory might work. But more people than just a sysadmin needed to know what was happening and yet no one, unless they really looked on Symantec’s site, was any the wiser. Still aren’t, actually, since no press release is available.

Some lessons in here. Sometimes just keeping readers, journalists, bloggers, customers in the loop helps, even when it’s bad news.

ZoneAlarm’s Sneaky Spyware Scare?

(See a more recent post on this for an update. ZoneAlarm no longer has this ‘feature’.)

I’m a big fan, and user, of ZoneAlarm firewalls. Their interface is clean, clear and I like the system tray icon which doubles as a traffic monitor. But sometimes they do things that don’t, in my view, help educate and simplify things for the ordinary user. After all, Internet security is already baffling enough.

I use the free version of ZoneAlarm firewall and usually it works fine and unobtrusively. But just now I got a popup window like this:

[screenshot: the ZoneAlarm popup]

At first glance it looks like an ordinary update reminder, which would be fine. But it’s not. It seems to suggest, to the casual user, that something bad is happening to your computer. To the more experienced user it looks like one of those naff anti-spyware ads that appear on websites with a faux Windows-dialog suggesting you’re infected with spyware. (Notice there’s no option along the lines of ‘Never remind or show me this popup again. I have enough on my plate, thanks.’)

Click on ‘update now’ and you’re taken, surprise surprise, to a ZoneAlarm promotions page. To be fair to ZoneAlarm, if you’re running IE a scan will kick in (it won’t if you’re using Opera, Netscape or Mozilla, as it’s an ActiveX application). Once spyware is detected, it’s not quite clear what you’re supposed to do next. Click on a ‘Remove Spyware Now’ link and you’re faced with a pop-up pitching a ‘featured bundle’ of ZoneAlarm Internet Security Suite and TurboBackup for $50. Click on a red button marked ‘REMOVE SPYWARE with ZoneAlarm’ and you’re taken to the same pop-up (Yes, they seem to somehow get around the built-in IE popup blocker.) As far as I can see there is no other way to remove the alleged spyware.

This is all, I believe, part of ZoneAlarm’s new product, ZoneAlarm Anti-Spyware, which it launched recently. I just wish that ZoneAlarm, which I’ve had quarrels with before, didn’t stoop to such befuddling scare tactics to tout a new product.

The Future: Software on a Stick

Why isn’t more software sold on sticks these days?

F-Secure sent me their latest offering, F-Secure Internet Security 2006, on a USB dongle. I don’t know if this is how you buy it in stores but it makes a lot of sense. Why isn’t all software delivered like this, instead of on CD-ROMs? Or is it and I’ve just missed it?

Advantages:

  • Coolness: It would be much more fun to have a drawer full of colorful dongles than a boring sleeve-book of CDs. Handing freebies out at expos would be easier too.
  • Piracy. I’m sure it would be crackable, but how about if the key were stored on the USB drive? You wouldn’t want to get into having to have the USB drive inserted in the computer for the program to run every time, but if it was possible for the key drive to leave its fingerprint on the computer this could perhaps be used as a way of making software harder to crack. I have no idea how this might be done.
  • Portability. With the rise of USB drive-based applications via the likes of U3, wouldn’t it be great if you could take your Adobe Photoshop or whatever with you? Say you have to work on another computer, you just insert your USB drive and run all your favourites from there. No installation, no more serial numbers, no infraction of EULAs. This is the U3 idea, but so far that idea doesn’t seem to encompass bigger programs, nor does it embrace the idea of using both USB drive and computer in tandem. Say I’m using Photoshop on my desktop, with all my settings and plugins there, why couldn’t I tell the software ‘OK, now I’m hitting the road with my USB drive. Load all my recent stuff onto the drive along with any relevant serial numbers until I tell you otherwise.’
  • Flexibility: You could run the software from the USB drive if you preferred, before actually installing it.

And just in case you haven’t seen it, check out this list of software that can be run off a stick.

Is Antivirus Software Still Up To The Job?

How often do antivirus manufacturers admit that their products are not really up to the challenge anymore?

The only folks I know who do this are those from Trend Micro. I interviewed Steve Chang, its founder, a couple of years back, and he made it clear that antivirus software can’t keep everything out. But it doesn’t always come across quite as frankly as it should. This BusinessWorld piece today, an interview with Ah Sin Ang, Trend Micro Incorporated’s regional marketing manager for South Asia, asks the important question: is there yet no antivirus software that can protect us from phishing?

Ang’s reply could be more thorough, but it’s probably more honest than some of Trend Micros’ competitors: If you are aware that banks don’t send you these types of emails, you’ll be protected. That’s why Trend Micro emphasizes public education.

He also makes the valid point that ‘antivirus’ is not a particularly useful term anymore: Although anti-virus is a general term for Internet security, we like an antivirus software to clarify what that software means – does it include protection against Trojans, spyware, adware and hackers? Does it block unhealthy sites? Once you get infected, there may be a lot of pop-ups featuring pornographic and gambling sites. A good integrated software must also allow filtering. When you filter, it must also be able to filter spam and phishing.

I think the bottom line is that antivirus software is not doing what its customers think it’s doing. Most of us can’t tell the difference between a worm and a Trojan, and tend to assume that antivirus software will also protect us if we click on something in an email that takes us to an infected site. This is no longer true, if it ever was. Instead, the software gives us a false sense of security. Would we be better off not having it, and instead educating ourselves about threats?

Spyware? Not My Problem, Says Business

Maybe the problem of Internet security isn’t educating users to be more vigilant, it’s about persuading companies that there is a problem.

A survey (PDF file) released today by California-based Secure Computing Corporation found that “only 25 percent of businesses recognized spyware as a major problem”. This despite studies that show spyware is a problem: A study by EarthLink, for example, showed that the average PC has 28 spyware programs, while a report by Dell found that spyware accounts for 12 percent of all PC desktop support calls. Today’s survey, meanwhile, reported that 70 percent of respondents saw spyware as either no problem or a minor problem.

The same with file-sharing: 90 percent of businesses saw file-sharing software as not a major problem, and a surprising 40 percent saw it as “no problem.” Same results with instant messaging and personal e-mail accounts: 90 percent saw IM as no problem or a minor problem, and 80 percent felt personal e-mail accounts were no problem or a minor problem.

(I tend to see IM and personal email as not so much a security problem as a productivity one, and even then it depends what they’re doing on it. IM can be an excellent way to share information that benefits the user professionally, as can email. But there do need to be security safeguards in place.)

Anyways, it does seem pretty shocking that companies still don’t understand the dangers of spyware. Maybe when more targeted spyware brings a rival company to its knees through massive corporate data loss, espionage or draining its accounts they’ll take more notice.

The Price of Worms

How damaging are worms?

Very, says Sandvine Inc, a Canada-based Internet security company. It says that the main damage is to ISPs, who lose bandwidth to them and face daily denial of service attacks. “In fact,” Sandvine says in one new report (PDF, registration required), “Internet worms and the malicious, malformed data traffic they generate are wreaking havoc on European service provider networks of all sizes, degrading the broadband experience for residential subscribers and imposing hundreds of millions in unplanned hard costs directly related to thwarting attacks.”

Worms, Sandvine says, consume “massive amounts of bandwidth as they replicate. And depending on the number of vulnerable hosts in a given network environment, a worm can create hundreds of thousands of copies of itself in a matter of hours.” The company’s research shows that between 2 and 12% of all Internet traffic is malicious. Even on a well-run ISP network, that figure is about 5%. And if that doesn’t sound very much, consider the warped effect worms have on processor power, when they propagate and probe for weak spots.

All this means that residential subscribers are going to feel the hurt, partly because it’s their Internet connections that are being targeted by worms, and partly because their connections are going to slow down with all this extra traffic, Sandvine warns. Then of course there are infections: The dirty secret of worm infections is that if you’ve got one, the only sure way to get rid of it is to reinstall everything.

For now, ISPs keep quiet about these things; they don’t want to scare off subscribers, and they don’t want the bad guys to get any fresh ideas about their vulnerabilities. But it seems to me that worms and bots are a topic that needs to be researched, reported and resolved more than it is.


More On URL-shortening Services And Security

It’s not necessarily a gloomy outlook for URL-shortening services like TinyURL and SnipURL.

In my previous post I explored the possibility that these services might be used, or might already have been used, by scammers to disguise a malicious link. The fear is that as they get more popular, and users unthinkingly click on them, they are used to conceal links to websites downloading malicious code, or containing dodgy material. But is there a possible happy ending to this?

Is there a way of turning the URL-clippers into services that help make the Internet more secure? Perhaps one way round this is for the services to offer ‘secure linkage’, where every link they process is vetted first for any or all of the above — fraud, malware, illegal or offensive material. Only then is the link passed on to the recipient.

Either the recipient or the sender could pay for this process: The recipient because they want to know that every email, or chat message, or even webpage they access has been thoroughly vetted, or sender because they want to reassure the recipient their content is safe and clean. The service itself runs every link through the same anti-virus, anti-fraud, anti-suspicious activity filters that Internet security companies use, and only then do they shorten it. That way the brand of the URL-clipper becomes a stamp of reliability.
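As an added example, not code from the original post or from any shortening service, here is a sketch in Python of the vetting step described above: every link is checked before it is shortened, so no short code is ever issued for a link that fails, and the resolver shows the destination rather than blindly redirecting. The blocklisted hosts, the risky file suffixes and all URLs below are constructed for the demonstration; a real service would substitute live phishing and malware feeds and a content scan of the destination.

```python
import hashlib
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed denylist of hosts (hypothetical names). A real "secure linkage"
# service would query live fraud/malware feeds here instead.
BLOCKED_HOSTS = {"evil.example", "malware-download.example"}

# Direct downloads of these types are refused unless scanned (constructed list).
RISKY_SUFFIXES = (".exe", ".pif", ".scr", ".bat", ".cmd", ".zip")

_SHORT_DB = {}  # short code -> canonical destination (in-memory for the demo)


def vet_url(raw):
    """Return (ok, reason). Runs BEFORE a short code exists, so a link that
    fails never gets a short form that could hide it."""
    try:
        parts = urlsplit(raw.strip())
    except ValueError:
        return False, "unparseable"
    if parts.scheme.lower() not in ("http", "https"):
        return False, "scheme"                 # javascript:, data:, file: ...
    host = (parts.hostname or "").lower()
    if not host:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"     # http://bank.example@evil.example/
    try:
        ipaddress.ip_address(host)
        return False, "raw IP host"            # no domain to hold accountable
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        return False, "punycode host"          # possible homograph look-alike
    if host in BLOCKED_HOSTS or any(host.endswith("." + b) for b in BLOCKED_HOSTS):
        return False, "blocklisted host"
    if parts.path.lower().endswith(RISKY_SUFFIXES):
        return False, "executable download"
    return True, "ok"


def canonicalize(raw):
    """Lower-case scheme and host, default the path, drop the fragment, so the
    same destination always maps to the same short code."""
    p = urlsplit(raw.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def shorten(raw):
    """Vet, then canonicalize, then issue a code derived from the destination."""
    ok, reason = vet_url(raw)
    if not ok:
        raise ValueError(f"refused: {reason}")
    canonical = canonicalize(raw)
    code = hashlib.sha256(canonical.encode()).hexdigest()[:8]
    _SHORT_DB[code] = canonical
    return code


def resolve(code):
    """Return the destination for a preview page; the recipient sees where the
    short link really goes before following it."""
    return _SHORT_DB.get(code)


if __name__ == "__main__":
    for u in ("https://www.example.com/page?id=1",
              "http://bank.example@evil.example/login",
              "http://files.example/setup.exe",
              "javascript:alert(1)"):
        print(u, "->", vet_url(u))
```

The order of the checks matters: scheme and credential tricks are rejected before the host is even looked up, because those are the forms a shortener would otherwise launder most effectively.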

Or is someone already doing this, and I just haven’t noticed?

MyDoom Is Nasty, So Beware

Further to my earlier posting, this MyDoom worm looks nasty.

I’ve received three already in the past hour, all with different subject lines (or no subject at all), different attachments, but usually with the same content (‘The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.’ This could be automatic, of course.)

Internet security provider MX Logic said it is propagating nearly as fast as the infamous SoBig.F worm, infecting 1,200 emails per second at its peak (I’m not quite clear what this means, and there’s no comparison, but it sounds a lot).

The worm arrives in an email inbox as a .zip file, is 22,538 bytes in length and has an “.exe,” “.pif,” “.command,” or “.scr” attachment. When the included attachment is executed, the worm propagates by harvesting victim email addresses from ten different file types.
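The arrival pattern above (an executable attachment, often wrapped in a .zip, plus a boilerplate lure line in the body) is exactly what a mail gateway can key on. The following Python is an added example, not part of the original post, that flags such messages; the three sample mails are constructed here for the demonstration, and the suffix list extends the post’s .exe/.pif/.command/.scr with a few hypothetical neighbours.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Payload suffixes used by MyDoom-era mass mailers; the post names .exe, .pif,
# .command and .scr, the rest are added here as plausible neighbours.
EXEC_SUFFIXES = (".exe", ".pif", ".scr", ".cmd", ".command", ".bat", ".com")
LURE_TEXT = "cannot be represented in 7-bit ascii"


def _suspicious_name(name):
    # Catches "document.exe" and double extensions like "readme.txt.pif".
    return (name or "").lower().strip().endswith(EXEC_SUFFIXES)


def classify_message(raw_bytes):
    """Return the list of reasons a message looks like a worm delivery
    (empty list means nothing was flagged)."""
    msg = email.message_from_bytes(raw_bytes)
    reasons = []
    body_text = ""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        if filename is None and part.get_content_type() == "text/plain":
            body_text += payload.decode("utf-8", "replace").lower()
            continue
        if _suspicious_name(filename):
            reasons.append(f"executable attachment: {filename}")
        # The worm also travels as a .zip wrapping the executable, so look
        # inside archives (by name or by the PK signature) as well.
        if (filename or "").lower().endswith(".zip") or payload[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if _suspicious_name(member):
                            reasons.append(
                                f"executable inside archive: {filename}:{member}")
            except zipfile.BadZipFile:
                reasons.append(f"corrupt archive: {filename}")
    if LURE_TEXT in body_text:
        reasons.append("known lure text in body")
    return reasons


# ---- constructed samples (not real captures) -------------------------------
def build_sample(body, attach_name=None, attach_bytes=b""):
    m = EmailMessage()
    m["From"] = "someone@example.net"
    m["To"] = "victim@example.org"
    m["Subject"] = "hello"
    m.set_content(body)
    if attach_name:
        m.add_attachment(attach_bytes, maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_bytes()


def _zip_bytes(member, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()


WORM_LURE = ("The message cannot be represented in 7-bit ASCII encoding "
             "and has been sent as a binary attachment.")

SAMPLES = {
    "zipped_exe": build_sample(WORM_LURE, "document.zip",
                               _zip_bytes("document.exe", b"MZ-fake-payload")),
    "bare_pif": build_sample("see attached", "readme.txt.pif", b"MZ-fake-payload"),
    "clean": build_sample("lunch tomorrow?", "notes.txt", b"plain text"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify_message(raw) or "clean")
```

Checking the archive contents rather than just the outer filename is the part that matters here: a gateway that only blocks .exe by name lets the zipped copy straight through.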

Usual rules apply: Don’t click on attachments, update your virus software daily, and brush your teeth at least twice a day.