Slashdot Mirror
Unsticking Yourself From Your Security Application
Ant writes "In Scott Dunn's Windows Secrets, he describes his informal tests of well-known computer security vendors when it comes to subscriptions and renewals. These days, most antivirus and other security products come with a subscription to update your virus definitions. He also explains ways to opt-out, users' comments, etc.
Seen in EGeezer's Broadband/DSL Reports security forum thread. Always read those end user license agreements (EULAs)."
Maybe I'm an old stick in the mud. But I've had far, far more trouble CAUSED by most of these applications than I've seen prevented.
When I get a new computer, the first thing I do is Nuke ALL of these things from the hard drive. I also tell Windows not to auto update. Never had a virus or infection.
I do keep my machines behind a double firewall, and I do use the default Windows firewall in XP, or the free ZoneAlarm on my older machines.. And I do frequently scan using one of the many free adware and virus checkers just to be safe. But perhaps most importantly, I'm really, really careful about opening email attachments and what web sites I go to. As for the updates, occasionally I go to Windows update and review the "fixes" and install those that look interesting or benign.
But Symantec, Norton, McAfee and the like I do not allow anywhere near any machine of mine, and I heavily discourage friends and family from using them.
Safe computing is NOT blindly installing some "security package" and going to sleep.
Stony
Yes, better read them EULAs - you never know when you'll end up getting a $1000 reward!
He also explains ways to opt-out
This is quite sad if he has to explain it. And those are the same companies that wine that Vista may make their products unnecessary, so how about leaving a hole here and there.
to opt out, call and ask to be transferred to billing. tell them you revoke authorization for recurring charges. if they continue billing you call Visa and they will take care of it.
Snowden and Manning are heroes.
* Can you feel free to download and run any EXE file from the net just because you have antivirus software?
* Without antivirus software, you can still get a very very high security level by running those suspicious EXEs in a virtual machine.
Therefore, antivirus software is one of the biggest lies in computer history, and it's sole purpose is to slow down your computer and charge you subscription fees...
I have a trick I use every time I buy a limited-term subscription, or a service, if I suspect the company will try to stick me with an unwanted renewal. I just pay with whichever card I have that expires before the subscription term. I find that to be the path of least resistance. Usually I have one or two cards whose expiration dates are coming up.
Many US credit card companies also offer a service where they give you a separate credit card number that goes to your account, but that automatically deactivates as you as you put one charge through, after which it is no longer valid. That's also one way to beat this racket.
Then there are always a small number of obnoxious companies that supposedly renew you, bill you, and then go after you with dunning letters. I suspect that once a lot of people are on to the trick of giving them single-use charge numbers, that'll be the next popular tactic. Still, it's easier to handle that, then once your card is already dinged.
A way to stay relatively safe is to use a dedicated card. Here in Poland banks with online presence will supply you with what some call an "e-card". It looks like a Visa and is recognized as a Visa when you buy stuff online, but:
a) it can ONLY be used for online transactions (it does not double as an ATM card)
b) the card has its own virtual account with the issuing bank. You need to transfer money from your main account to the card before you make a purchase. Doing go takes authentication and a couple of clicks.
Yes, it takes a minute or two more, but no-one will be able to charge you repeatedly, and any loss due to fraud is limited to the amount you charged the card with. If you suspect anything untowards, you can clear the card with a single click. As a side effect, it helps prevent impulse buying, since it adds that additional step.
You could, of course, charge the card with a hefty sum and keep it over a long period, which would cancel much of the protection, but that's like installing a virus scanner and then running it disabled. In addition, if you charge the card in excess of about $1000 (depending on the bank), the transaction must occur within three days, otherwise the amount automatically reverts to your main account and the e-card is cleared.
There is a chance that a seller will coincidentally attempt a repeat charge just when you have charged the card for an unrelated purpose, but the likelihood of that is small, reduced further by the fact that an e-card is valid only for a year. It is re-issued annually (at no cost or at a minimal charge) with the same number but different expiration date. So a vendor from whom I am buying today will not be able to charge the same card next year. (If I do want to give them that option, I can always use my regular Visa - but I've never had to in six years.)
I don't know if US banks provide this kind of service as a rule; if they don't, you guys should raise bloody hell. It goes a long, long way to keep you safe, and will prevent any underhanded attempts like these.
"Only the small secrets need to be protected. The big ones are kept secret by public incredulity." - Marshall McLuhan
I have found that Zone Alarm would sometimes block ALL traffic on a whim.
No explanation from the software, no warning, and damned difficult to figure out what to to correct it.
There were other odd issues that resolved themselves after uninstalling.
I tried Kerio because they took over an awesome product (TinyPF 4) .
I was pleasantly surprised to find that Kerio is the nicest firewall software I have ever used.
Includes pop-up blocking, application level permissions with MD5, and is very configurable. Nice looking (very important to style conscious surfers;). Columbia alum Jack Shephard (CC'89) tries to call Kate in flash-forwards off the island. Low resource usage.
ZoneAlarm is gonna have to knock my socks off to get me to switch.
p.s. Has anyone tried TinyPF 5 ?? Im wondering how it compares.
I normally cancel my sub as soon as I've gone through all the bother of signing up for it. But it's still extremely annoying and insulting that any company does this. Codemasters are not alone here. All it does is make me less inclined to renew than if they just let me choose myself.
I actually tried to read one of those endless scrolling EULAs.
After about 30 minutes reading through the excessive EULA, and clicking Accept, the application timed me out and wouldn't let me "Accept", so I gave up.
That way, you may not sign up on so many things after trying to ready the EULAs.
That's how I handle subscription services when I want to try them out. I just generate a temporary credit card number for x months, good for the amount I need to cover that timeframe, and use that. Once the time is up, no more autorenewals, no cancellation hassles, no fuss, no muss. They can't bill me anymore, so they ax the subscription. If I find something I want to stick with, I change my billing to a permanent card before the temporary card dies.
I imagine you could also do the opposite if you become dissatsified with a subscription service, and easily cancel by changing your billing method from a permanent credit card number to a temporary one, though I've never had to use that tactic.
~Philly
I wouldn't consider myself mis-led by any of these products, and actually would have assumed that when I purchase a "subscription" it will be renewed annually using my credit card information.
Most absurd though was the author's complaint that he wasn't immediately offered an option to suspend the use of his credit card info for renewals, but still have the service remain live.
Lord folks, do we really need to go this far to find something to complain about?
Three Squirrels
"Problem is there isn't enough backlash from consumers to change this rotten practice."
Darn tootin'!! Subject closed.
What?
I mostly use software licensed under the GNU General Public License, so I don't have to read EULA's and stuff.
Most absurd though was the author's complaint that he wasn't immediately offered an option to suspend the use of his credit card info for renewals, but still have the service remain live.
I've run into this multiple times, and it pisses me off every time.
If I buy six months worth of a service, I've already paid for ALL SIX MONTHS. If I decide that I don't want MORE THAN six months, that doesn't mean I want you to rip me off for the remaining three months I've paid for.
This is not just annoying, it's a scam. I mean, legally, this should be treated just as seriously as any other scam.
It should be flat out illegal to terminate service like that. As in, not only should that option have been on the front page, but cancelling the service immediately should require an explicit extra step so you can't do it accientally.
I use Avast for my anti-virus/spyware needs and, for home use, it is absolutely free. Not only is Avast free, but it has a lower memory footprint than McAfee, Symantec, Panda, and others. Unlike the aforementioned, I do not notice any appreciable performance changes. I remember trying McAfee and my system became less responsive. Thus far, Avast has stopped everything thrown at it.
It is 2007.
Virtually every company out there has a website, some means of emailing its staff, and where they provide a service to the general public, a published telephone number to contact them. These "automatic subscription" security services are a prime example.
Why, then, is it quicker and easier to write a letter to the head office to get something done?
I can dash out a letter saying "thanks for the service, now please cancel it" in 10 minutes. I can get it stamped and posted in another 10-15 minutes. That's 25 minutes, after which I don't have to worry any more. If I really think the company I'm sending the letter to is going to try and screw me, I send it recorded delivery and I then have proof of receipt once they get it.
Compare this with spending 20 minutes on hold being told that "my call is important", 10 minutes explaining that I want to cancel to some call centre drone who's not allowed to deviate from their script (and whose script doesn't include a "Customer wishes to cancel" section), another 10 minutes on hold after my call is transferred to the "right department", the line being cut off as soon as it's answered, then calling up again to spend another 20 minutes on hold before finally giving up.
Alternatively, email them (or use the form on the website). Of course, the form offers a drop-down to select which department to send the message to, but it's not clear which department you need to cancel so you send it and hope for the best - much the same as you did when you pressed 3 for customer services with the call centre. Only instead of waiting on hold for 20 minutes you wait for 3 days only to get a reply saying "you've emailed the wrong department". If you're lucky, they have the good grace to forward your email to the right department, which then completely ignores your email. You're pretty certain the right person's got it, but you've got no hard receipt and blaming the technology is so easy these days that nobody will bat an eyelid if someone claims "not to have received" your email. Certainly pointing out that emails seldom just disappear into computer land never to be seen again won't help you.
...or you could just upgrade to Linux.
From my perspective, the biggest problem with security applications is the licensing... The contracts are rigid, inflexible things. You buy in increments the vendor dictates--no more, no less. You are steered to the suites as a way to "maximize the value of your investment"... true, the software is sold a la carte, but the prices... They're so high you could buy the whole suite for "not that much more."
And the "premium support" that we've gotten hasn't really been great... Yet it is usually touted as the chief reason to buy a suite by anybody touting the monolith of security applications from Vendor X.
I had a specific incident with a security vendor's SMTP Gateway/AV/Antispam software earlier this year where we tried to get the "new and improved upgrade" version up and running and after troubleshooting our test server for about 2-hours with their support staff we told them in-passing that the 2nd NIC hadn't been installed when we setup the server, we had added it and then installed drivers after the fact to support the funky way it handles send/receive and reconfigured thinking it would be no big deal. The manual does not specify that its a problem, so we just installed it and moved forward. When it still couldn't send mail with the new NIC in place, we took extensive troubleshooting steps, then uninstalled/reinstalled the software to try and get it to recognize it. This didn't work either, and led to the support call after a few more things were tried...
"Oh," says the support guy. "Then you'll have to reinstall the whole OS and start over with both NICs already in place."
Not just the software... the whole OS--he says that "our uninstall sometimes fails... It is just safer to redo the OS." SO I ask him--what happens if a NIC fails in a server? If the vendor sends the same hardware to me and installs it, will the software function? "Probably not"--I'm told. Effectively, they've released a bunch of OSS tools but they've failed to do anything besides kludge them together in one web-interface. "Any" change to the hardware will require you to reinstall the software... possibly the OS if it doesn't work after re-install.
This is a part of the solution that we've paid about $30k for... It's the worst value I've ever seen... Other parts of this "enterprise suite" are just as wonderful, if not more so. So I've finally gotten support to go a la carte for better spam control... I'm buying a Barracuda ASAP to replace this clunker...everybody I know who uses one says after it learns your white-list it just sits there and sifts mail quietly with very-few false-positives and no problems. We finally got this anonymous security vendors "product" into a state I would call "operational," but the spam protection is not as good as the "older" version that it replaced. We now hear complaints every day about how much more spam is getting through...
Who did what now?
Why not just install the OS from scratch instead of using Dell's OEM and go from there? This is assuming you have the OS CD/DVD. I know it takes longer to find drivers, etc. I know Dell provides CDs with XP and 2K drivers a few years ago when I got a Dimension 8250 machine. I have friends who do this too.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
What's wrong with adding a note in your calendar to log back in at 5 months and 29 days to cancel?
What's wrong with NOT STEALING?
If I've paid for six months of service, I've paid for six months of service. The fact that I can come up with a workaround that should keep from getting ripped off for the remaining three months, albeit with a risk of getting charged for another six months, doesn't justify ripping me off.
You might as well say it's OK to steal my car if you can get away with it.
(and before you get on your high horse about copyright violation, in case you were going to try and bring up that hoary old "slashdotters can't make up their mind" schtick, I bought my music collection instead of collecting it over file sharing networks, and I've consistently argued against the bogus "Robin Hood would have ripped off Microsoft" meme)