malicious security suites?
October 27, 2007 11:22 AM

How do we know that highly regarded security suites are not surreptitiously malicious?

I've grown tired of running/maintaining multiple security products (free and paid) for anti-virus, anti-spyware, firewall, etc. So now I'm on a trial version of Kaspersky Internet Security suite with intent to install on three computers.

Kaspersky, and similar products, come from the former SU or Eastern Bloc countries. My concern is that that part of the world is rampant with mob-type crime, and the source of much computer crime (spam, botnets etc.).

What assurance is there that the security suites themselves are not criminally and cleverly corrupt?

Examples: (1) During security scan extract and phone home with identity and financial information; (2) plant botnet client for future use.
posted by Kevin S to computers & internet (14 comments total)
The market tells us. If they were such, competitors and purchasers would become aware, the news would spread like wildfire and the company would go out of business.

Some folks would get burned.
posted by Ironmouth at 11:40 AM on October 27, 2007


The short answer is that the security vendors are operating on their good name. If that name gets sullied by shenanigans, they're out a lot of business and money, given the competition in the space.

How is it possible to call shenanigans? Using other security tools like Wireshark, tcpdump et al., it's possible to snoop in on what your computer is sending to the outside world. While it's not necessarily simple, it's not that hard to tell what a program is sending to remote servers. If there's any substantial amount of encrypted information, or the information is obviously suspect, the blogosphere and computing media would be in an uproar about what's being sent from the package -- just as there have been uproars about things like carriers of the Storm worm, the Sony rootkit, Gator/Claria at the beginning of the spyware trend, or even what Windows activation/Windows Update sends. While shenanigans of this sort may have a short-term effect (they do take a little bit of time before being discovered), the chance of the botnet client and/or information extraction being discovered with other security tools in the near future would seem to be rather high. Once that happens, the name of the security vendor is toast, and other security tools will begin blocking the threat.

This is an issue, honestly, with any network-enabled software at all on any of the three platforms -- not just the security suites. However, as I'm sure you've heard before, the amount of time on security maintenance you need to spend on a Mac or a well-managed distribution like Ubuntu is ultimately less than on Windows in today's computing world. Security is always a concern and time is always necessary, but you may want to consider a switch.
posted by eschatfische at 11:43 AM on October 27, 2007
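An added example, not from any commenter in this thread, of the kind of check eschatfische describes: given constructed per-destination summaries of a program's outbound traffic (the sort of tally one would build from a Wireshark or tcpdump capture), flag destinations that are not the vendor's known update hosts and whose payloads look encrypted (high byte entropy), are unusually large, or carry obviously sensitive plaintext fields. The hostnames, thresholds and sample flows are assumptions for illustration.

```python
import math
from collections import Counter

# Hosts the vendor is expected to contact (constructed placeholder names).
EXPECTED_HOSTS = {"updates.example-av.test", "licensing.example-av.test"}
# Plaintext markers that have no business in a definitions update.
SUSPECT_MARKERS = (b"password=", b"card=", b"ssn=")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 means encrypted or compressed; text is usually under 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def flag_suspicious(flows, entropy_threshold=7.0, volume_threshold=1_000_000):
    """Return [(dst, [reasons])] for outbound flows that merit a closer look."""
    flagged = []
    for f in flows:
        reasons = []
        if f["dst"] not in EXPECTED_HOSTS:
            reasons.append("unexpected destination")
        if shannon_entropy(f["payload"]) >= entropy_threshold:
            reasons.append("high-entropy payload (encrypted or compressed)")
        if f["bytes_out"] >= volume_threshold:
            reasons.append("large upload volume")
        if any(m in f["payload"].lower() for m in SUSPECT_MARKERS):
            reasons.append("sensitive-looking plaintext fields")
        if reasons:  # a plain definitions fetch to a known host yields none
            flagged.append((f["dst"], reasons))
    return flagged

# Constructed sample: one security product, three outbound destinations.
SAMPLE_FLOWS = [
    {"dst": "updates.example-av.test", "bytes_out": 2048,
     "payload": b"GET /definitions/latest.xml HTTP/1.1\r\nHost: updates.example-av.test\r\n\r\n"},
    {"dst": "203.0.113.45", "bytes_out": 5_000_000,
     "payload": bytes(range(256)) * 4},          # uniform bytes: looks encrypted
    {"dst": "198.51.100.7", "bytes_out": 300,
     "payload": b"user=kevin&card=4111111111111111&exp=0909"},  # test card number
]

if __name__ == "__main__":
    for dst, why in flag_suspicious(SAMPLE_FLOWS):
        print(dst, "->", "; ".join(why))
```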


Security researchers are a pretty clever bunch. It would be the making of an incredible career if you could be the first to publish that a widely used security suite was not what it claimed to be. I am willing to assume there are smart people right now working on and they'll tell us if they find anything.

Also, computer security is a relatively small world. I imagine newcomers to the security suite game tend to already have contacts in that world who believe them plausible, else it would be hard to get your product reviewed anywhere.
posted by crinklebat at 11:44 AM on October 27, 2007


I would be more worried about American products.


That said, I think it's a question of trust. Trust in the product creators to tell us the truth, trust in the product competitors to detect lies from them and trust geeks to discover whatever they can in their free time.

Besides, one can always use other software to check what the security suite is doing at any moment. Are you worried about what the security suite is sending home or about being a botnet client? Use a sniffer and a hardware firewall (which, of course, has the same trust issues).
posted by Memo at 11:52 AM on October 27, 2007


Well, "malice" covers a lot of territory, so I doubt you'd get any assurance worded that way. If you have something specific in mind, then it gets slightly easier.

The short version is: You don't have any assurance. Most of the Cartesian evil-genius arguments apply to software also.

Even if you trust the author not to do anything evil, you can't be certain he isn't mistaken or incompetent in some tiny facet of his business or code that could be exploited. Or that the CD presser or FTP site isn't compromised. Additionally, there are hundreds or thousands of 0wnable defects in the stuff you already use that aren't normally a cause of ask-mefi concern.

Open source is one way to be a tiny bit more sure you're safe. But in general, it's nigh impossible.

Perhaps a better question to ask is: Would this particular author get much out of having only his downloaders hax0red? Where's his break-even point for investing that time and effort?
posted by cmiller at 11:58 AM on October 27, 2007


What if Kaspersky-like software deliberately ignores or delays cleaning Storm or a Storm-like equivalent? The infection could act as a cover for free utilities to scan your system for confidential/sensitive material and pass it on through the worm. Why risk it?
posted by Blazecock Pileon at 12:12 PM on October 27, 2007


Agreed that economic and cost/benefit issues would deter a major AV company from going bad. I was thinking more of renegade employee(s) taking advantage of an existing product & infrastructure. Don't know how hard it would be to secretly extract client data as part of ongoing product/definition updates, and virus reporting back to hq.

Memo, thanks for the thought that there are probably geek watchdogs out there.

Yes, I would switch to Linux, except that Windows is required for work compatibility.
posted by Kevin S at 12:24 PM on October 27, 2007


If you're really serious about security, you'll rip apart your security suite when each new version arrives until you're sure what every byte of the distribution does. That's what the intelligence agencies would do.

Not that serious? Then you're going to have to depend on the market. If there are two equivalent products with different prices, the market is telling you that it thinks there's more risk in the cheaper product. The market may not correctly price those risks, but, unless you take the serious route, you have no better way of judging the products.
posted by backupjesus at 12:30 PM on October 27, 2007


Backupjesus, agreed that ripping it apart would make sense, but of course it is not practicable (or possible) for most of us. If it were reasonably practicable, then it is surprising that an "independent testing agency" doesn't rip the product apart and provide a seal of approval for a fee (to be reflected in the product price).
posted by Kevin S at 12:47 PM on October 27, 2007


Uh, I put all of my faith in AVG and the firewall that comes with Windows XP (and the port-blocking functionality of my router). Seems much better than letting Symantec muck around with innards of my machine. I hate those guys.
posted by KokuRyu at 2:13 PM on October 27, 2007


I hate those guys. Was that from Indiana Jones?

Symantec fouled up my operating system. When I tried to upgrade Norton Antivirus, it never worked, and now XP prompts me at random intervals to insert a disk in my never-used Zip drive. I hate those guys too.

Sorry for the derail. Why do you hate them?
posted by JimN2TAW at 8:09 PM on October 27, 2007


I think it was because Symantec would not let me renew my license (it...just...wouldn't) and then I could not remove the stupid program. I ended up having to phone up India and work with the guy to manually remove Norton from my registry.
posted by KokuRyu at 2:58 PM on October 28, 2007


IANAcomputer-adept, but it sounds like our cases are similar. Good luck.
posted by JimN2TAW at 6:02 PM on October 28, 2007


If it makes you feel any better, the entire security industry was built on former (and occasionally not-so-former) black hat hackers. So you're screwed on that count no matter who you go with.
posted by scalefree at 7:22 PM on October 29, 2007

