An under-appreciated threat to your privacy: Security software

The very software that is supposed to protect your security is an under-appreciated threat to privacy because of the massive amount of data many products secretly gather on customers, according to F-Secure's Jarno Niemelä. Niemelä also told The Register that despite the dismissive claim in the recent WikiLeaks' release of …

  1. Paul Crawford

    Pays your money, places your trust...

    Same for many aspects of security & privacy, a lot comes down to who you can place some trust in to help keep your own stuff safe.

    When using a VPN then do you trust the provider more than your ISP? Maybe, depends on your ISP and gov of course. More than "free wi-fi"? Almost certainly if it's a half-decent paid provider. But in every case you would still use an encrypted link like https or SSH, wouldn't you?

    When using any AV or end-point service capable of seeing inside your network and gathering data with admin privileges? It's a much higher bar to meet, you really have to trust them to:

    1) Not screw up and bork the OS

    2) Actually stop malicious actors with a high probability

    3) Not to leak your secrets deliberately or through incompetence

    1. NonSSL-Login

      Re: Pays your money, places your trust...

      4) Not introduce exploitable flaws to your network (Nearly all have had RCE problems before even getting on to the issues with parsing certain file types)

      5) Not let items through when they reach a timeout scanning them (so the product doesn't look bad when hanging or taking too long on scanning, but malware is sometimes designed to induce this situation which is not much different from the recycle bin trick of knowing which products have which issues)

      So many more but through all the waffle, the situation is exactly the same as before. Security products catch the background noise bulk nasties but will only be an annoyance or extra step for someone talented targeting you specifically. Doesn't matter if they have the APT label or no, it's still same shit, different day.

      It's all stating the obvious but security vendors gotta vend...

  2. Anonymous Coward

    "why are you collecting it in the first place?"

    "Because we may find a way monetize it in the future / Sell it to Spammers"

    * It's why AVG / Avast got in on the FB / Google Ad-Slinging / Slurping game.

    * It's the standard playbook. It's so wrong and yet so right in a corporation's mind. So it's never going to stop! You can't assume it will, especially for corporations that sell consumer products. Look at Samsung / LG / Vizio etc. They all got caught stepping over the creepy line and just hired PR firms and armies of bots to spin it away.

    * Time to unplug! No one has your back anymore. Certainly not AV firms, regulators, consumer agencies, politicians, corporations, start-ups etc... Every net user is a mark to them! But there's no way to totally unplug, right? Sure but you can definitely limit what services you sign up to, and certainly limit how much info you put out there, including switching to FOSS.

  3. patrickstar

    Standard AV company claiming they can protect you against a well-funded spy agency? Very funny.

    1. Crazy Operations Guy

      Half the time, I wonder if these AV companies aren't just working for the spy agencies..

    2. Anonymous Coward

      Get updated once in a while

      Companies grow and evolve over time, what was a standard AV company 5 years back can be a lot more nowadays.

      Of course if the only thing you ever pay for, or get for free, is the entry level package, that is the only thing that can still be called "AV". Well, you get what you pay for, protection against common criminals.

      1. patrickstar

        Re: Get updated once in a while

        So, what actually are these mystical features of say F-Prot that would save you from a well-funded and/or sufficiently stubborn adversary, who has access to exactly the same software you run?

        There actually is some value in doing (some of) the things AV/security suites do, as long as your attacker can't predict exactly what you're doing. Otherwise he'll just set up the exact same thing in his evil attacker lair and fiddle with his toys until they pass whatever checks are being done.

        I have never, ever heard someone say "Wow, we would've gotten hacked to pieces if it wasn't for *brand name AV/security suite*", or conversely "Damn, if it wasn't for *brand name AV/security suite* we would have hacked them so bad!"

        Hell, they don't even really protect you much against common criminals nowadays either, for exactly the same reason. Not anything geared towards consumers at least, for the reason that said common criminals are expecting it.

        1. Anonymous Coward

          Re: Get updated once in a while

          >So, what actually are these mystical features of say F-Prot that would save you from a well-funded and/or sufficiently stubborn adversary, who has access to exactly the same software you run?

          Didn't you read the article?

          BTW: F-Secure has not made a product named F-Prot for almost 20 years.

          ---

          While products can theoretically be bypassed “because when an attacker has theoretically infinite time and infinite budget sooner or later they'll find a mistake, when we're talking about premium services then they're much more difficult to bypass because the attacker doesn't know when he was caught — and he doesn't know why he was caught,” said Niemelä.

          ---

          1. patrickstar

            Re: Get updated once in a while

            I see lots of pretty words but no substance.

            What prevents the CIA from signing up to the same service themselves? Once that's done they are just a binary search away from bypassing it. That's all the information you need for that purpose - one bit, caught or not caught.

            In reality any competent attacker will have ready-made toolkits with varying degrees of stealthiness and under-the-radar-flyability so it's likely to just be a matter of picking the right one. If they simply don't compromise F-Whatevertheirnameistoday and use that to get into your network in the first place.

            Even without any access to the service you are at most forcing the attacker to be more conservative, which of course is good but not life-saving unless you have a properly layered setup and lots of in-house clue. Which isn't the type of organization that would sign up for F-Word to begin with.

            I repeat my question - when was the last time you ever heard of someone's bacon being saved by any of these companies?

            1. Anonymous Coward

              Re: Get updated once in a while

              >Even without any access to the service you are at most forcing the attacker to be more conservative, which of course is good but not life-saving unless you have a properly layered setup and lots of in-house clue. Which isn't the type of organization that would sign up for F-Word to begin with.

              If that's the level of your clue, I don't think there is much point continuing this discussion.

              Of course organizations that do proper layered security include security products and services as part of their layered protection. And more importantly use security consulting and auditing services and incident response services when needed.

              But whatever.

              1. patrickstar

                Re: Get updated once in a while

                So, care to cite a single case where someone was saved against a reasonably advanced attacker by any of these products?

                The idea that plucking something off-the-shelf (literally or metaphorically) is going to save you from a Three-Letter Agency out to get you is just... madness. WHY would someone think that?

                Mr. F-Something spokesperson isn't even claiming that their products could perhaps help a little bit. He's claiming that in a real-world slow-motion equivalent of the TV station battle in the movie Hackers, F-Something would win against a nation-state-level adversary. This is utterly ridiculous.

                (The outcome would be closer to the battle between The Plague and the hackers of the world, just without The Plague even knowing just how badly he was being hacked in the first place.)

  4. Anonymous Coward

    The entire internet seems to be predicated on

    - The Ponzi scheme assumption that there's always a supply of new gullible users and that everything can be scaled up indefinitely.

    - Will there always be dumb users for the slurpy Ad-tat that's sold, or will there be a revolution / rebellion against Facebook / Google / Uber / other slurpy services including AV etc...???

    - It'll be interesting to look back in the future and see if "There's a sucker born every minute" was true. Certainly the way AV and IoT is sold etc, is an easy bundle of lies many are swallowing...

    - Generally users don't seem to know, don't seem to be informed by sources they read, don't seem to care right now... They're either too busy or the false sense of security is sufficient to help them sleep at night.

  5. Anonymous Coward

    Security as a service

    Security needs to be baked into the OS not added on as an after thought. Ideally an OS that cannot be compromised by clicking on a URL or opening an email attachment.

    1. patrickstar

      Re: Security as a service

      Care to name such an OS that's actually useful? So I can toss out Windows, Linux, Solaris, et al.

    2. Charles 9

      Re: Security as a service

      Security CAN'T be totally baked into the OS because it'll get in the way of productivity. And if you can't be productive, what's the whole bloody point of this exercise?

      1. patrickstar

        Re: Security as a service

        Well, at least they could come with the feature of not exposing tens of millions of lines of fundamentally unsafe code to the attacker just by opening a web page or other document?

        1. Charles 9

          Re: Security as a service

          And how would they do that and be sure they got it right? Not even formal proofs are universal.

        2. Tom Paine

          Re: Security as a service

          >Well, at least they could come with the feature of not exposing tens of millions of lines of fundamentally unsafe code to the attacker just by opening a web page or other document?

          If you've a reference implementation of a DOM-based, UP-TO-DATE HTML rendering engine with Javascript engine, CSS, yadda yadda, in 5000 lines of Perl, I'm sure we'd all love to see the source.

          1. patrickstar

            Re: Security as a service

            I suppose the closest you realistically could get would be something that automatically opens awfully complicated formats from untrusted sources over a remote desktop connection or something...

    3. Tom Paine

      Re: Security as a service

      >Ideally an OS that cannot be compromised by clicking on a URL or opening an email attachment.

      Yeah? And I want an Aston Martin. The chances are about the same -- five percent of fuckall.

  6. GrapeBunch

    When mankind conceptualized wood as a spear, a club, a spar, a stud, a post, a joist, a lintel, a fan, a stylus, a pencil, a shield, fuel, charcoal, spring, foundation, fertilizer, paper, a fork, a toothbrush, a toothpick, a wing strut ..., all sorts of miracles and mischief followed, over tens of thousands of years. I wonder if the concept of Internet-as-boon will survive its rapid weaponization.

    We wildebeests may defeat a lion or a crocodile in individual combat, but in the end we can't eat or otherwise profit from the defeated opponent (e.g., a criminal or a government). In the end, we are all prey. So what's the point in engaging in the Internet-battle-of-survival? To use a completely different analogy.

    1. Roj Blake

      Re: Wildebeest v Lion

      The obvious survival strategy would be to herd together and let the lions take down the weakest.

      1. Alistair

        Re: Wildebeest v Lion

        @Roj:

        I'll go for that so long as we put the trolls on the outside.

        .... and then my mind wandered off and tried to mash that phrase into "pass the dutchie....."

        'tis nigh on 1am here -- I think I should go get some sleep but this DRP plan won't write itself.
