Slashdot Mirror


Unsticking Yourself From Your Security Application

Ant writes "In Scott Dunn's Windows Secrets, he describes his informal tests of well-known computer security vendors when it comes to subscriptions and renewals. These days, most antivirus and other security products come with a subscription to update your virus definitions. He also explains ways to opt-out, users' comments, etc. Seen in EGeezer's Broadband/DSL Reports security forum thread. Always read those end user license agreements (EULAs)."

  1. But why do we need these in the first place? by StonyCreekBare · · Score: 5, Interesting

    Maybe I'm an old stick in the mud. But I've had far, far more trouble CAUSED by most of these applications than I've seen prevented.

    When I get a new computer, the first thing I do is Nuke ALL of these things from the hard drive. I also tell Windows not to auto update. Never had a virus or infection.

    I do keep my machines behind a double firewall, and I do use the default Windows firewall in XP, or the free ZoneAlarm on my older machines. And I do frequently scan using one of the many free adware and virus checkers just to be safe. But perhaps most importantly, I'm really, really careful about opening email attachments and what web sites I go to. As for the updates, occasionally I go to Windows update and review the "fixes" and install those that look interesting or benign.

    But Symantec, Norton, McAfee and the like I do not allow anywhere near any machine of mine, and I heavily discourage friends and family from using them.

    Safe computing is NOT blindly installing some "security package" and going to sleep.

    Stony

    1. Re:But why do we need these in the first place? by Aladrin · · Score: 2, Interesting

      Exactly. This software isn't for the tech-savvy. It's for all those people that don't even understand what a firewall does. Those people need an automated click-n-go solution for their security. Unless they've got tech-savvy family, and then it's handled for them anyhow.

      For the record, I use AVG and a properly configured firewall, and I haven't had a virus or spyware on my Windows system for years.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    2. Re:But why do we need these in the first place? by StonyCreekBare · · Score: 5, Interesting

      Well, I have agonized over this point.

      Last year I set up a system for a newbie, a retired history teacher who didn't know a browser from a word processor. He had used the web a little under the school IT umbrella, but was mostly clueless. Not exactly my parents, but close.

      After spending several hours explaining malware, adware and the like to him, and cautioning him about what to avoid, I nuked Symantec and its relatives.

      A year later, he is computing along nicely, no viruses, no problems.

      Shortly after, I set up a computer for my daughter, a 30-something who is fairly computer literate, but not exactly an engineer, if you get my drift. She insisted on installing the full suite of security protection. When I tried to give her some pointers about safe computing, I got that glazed look and a "yes dad I know how to use computers"

      Three times in the last year, I have had to "fix" her machine. Two other occasions I had to fiddle with her firewall as it was blocking something it shouldn't for no reason.

      Give me a clueless newbie who will listen and no Norton every time!!!

      Stony

    3. Re:But why do we need these in the first place? by doodleboy · · Score: 3, Interesting

      Maybe I'm an old stick in the mud. But I've had far, far more trouble CAUSED by most of these applications than I've seen prevented.

      Ain't that the truth.

      I bought a couple of Dulls last year, a desktop for me and a laptop for the wife. I turned mine on long enough to ensure that it worked, then wiped the drive and installed Ubuntu. The wife wanted XP, so the first thing I installed was the Dell De-crapifier, an earlier version of the PC De-crapifier. Off came gigabytes worth of crapware, including the McAfee internet security suite, as bloated a POS as you will ever find. (Except for maybe the Norton internet security suite.)

      Then I installed the free versions of AVG Antivirus, Ad-Aware and Spybot. AVG works well and is much less bloated than McAfee and Norton. Other than all the screwing around to make it stable and secure, we have never had a problem with the laptop.

      However it is annoying to have to delete tons of garbage no sane person would ever want. It is annoying that Windows is so insecure. It is annoying to have to depend on Windows Update when Microsoft uses it to frogmarch their users onto new software (e.g. IE 7, WGA) that has nothing to do with security. It is annoying having to go to so many different websites for software updates.

      I have three linux boxes, 2 Ubuntu and one Ipcop firewall. That one Windows laptop requires more babysitting than all the linux boxes put together.

      People complain about computer viruses, computer worms, computer trojans, computer instability, computer insecurity, computer crapware, computer bloatware. Et cetera.

      To that I say :%s/computer/Windows/g
    4. Re:But why do we need these in the first place? by StonyCreekBare · · Score: 2, Interesting

      And we're NOT already? And exactly how are these bloatware apps stopping it?

      Virtually every infected machine I've seen has Symantec or similar running. Improperly, true, but my point is that clueless people putting their trust in some "security suite" they don't understand and ignoring the issue is exactly the wrong prescription.

      I would be all for a "security suite" that actually worked. But in my experience, they work poorly or not at all, give a false sense of security to the uneducated, and drain your bank account and slow your machine, and often cause problems of their own.

      Far far better to nuke this trash from the machine and spend your efforts on things that actually work. i.e. A few good tools that are useful and educating users in how to use them.

      People who refuse to take the responsibility to learn a few basics about keeping their machines bot-free should not be allowed on the net. Just as you have to learn some basic rules of the road to drive a car, you should have some elementary security awareness to get on the net.

      Now enforcing that is a whole nother can of worms. But I for one do NOT encourage people (my mother, for one) who are not up to a minimal level of awareness to get on the net. And when I set up a new user, I insist they allow me to give them a bit of training. I have set up a number of clueless new users, and when I am through with them they know how to surf safely.

      The ones who "already know how to use computers" and won't take my class are the ones who install the bloatware security apps and then load their machines up on malware.

      Stony

  2. Yes! by nlitement · · Score: 2, Interesting

    Yes, better read them EULAs - you never know when you'll end up getting a $1000 reward!

  3. to opt out: by Lehk228 · · Score: 4, Interesting

    to opt out, call and ask to be transferred to billing. tell them you revoke authorization for recurring charges. if they continue billing you call Visa and they will take care of it.

    --
    Snowden and Manning are heroes.
  4. Antivirus software is simply a lie by Anonymous Coward · · Score: 2, Interesting

    * Can you feel free to download and run any EXE file from the net just because you have antivirus software?
    * Without antivirus software, you can still get a very very high security level by running those suspicious EXEs in a virtual machine.

    Therefore, antivirus software is one of the biggest lies in computer history, and its sole purpose is to slow down your computer and charge you subscription fees...

  5. Foolproof way not to get autorenewed by mrsam · · Score: 4, Interesting

    I have a trick I use every time I buy a limited-term subscription, or a service, if I suspect the company will try to stick me with an unwanted renewal. I just pay with whichever card I have that expires before the subscription term. I find that to be the path of least resistance. Usually I have one or two cards whose expiration dates are coming up.

    Many US credit card companies also offer a service where they give you a separate credit card number that goes to your account, but that automatically deactivates as soon as you put one charge through, after which it is no longer valid. That's also one way to beat this racket.

    Then there are always a small number of obnoxious companies that supposedly renew you, bill you, and then go after you with dunning letters. I suspect that once a lot of people are on to the trick of giving them single-use charge numbers, that'll be the next popular tactic. Still, it's easier to handle that, than once your card is already dinged.

    1. Re:Foolproof way not to get autorenewed by Ph33r+th3+g(O)at · · Score: 3, Interesting
      Actually, if the companies doing this are subscribers to credit reporting agencies (e.g. Equifax), they can cause you lots of grief in that situation. If you "agreed" to a EULA that allowed automatic rebilling and gave them a card number that wasn't good at renewal time, they have a nice hammer in the form of credit reporting: you'll need that $39.95 AV renewal collection trade line on your credit report cleared up before you buy your next car or refinance your home.


      I think the next line of defense in that sort of thing, provided it isn't shut down by TPTB as facilitating "terrorist money laundering" is to buy gift cards from credit card issuers that look just like regular debit cards to an online merchant but are actually pre-paid debit cards. These can be issued in any name (so far) and don't require identity verification for that name. So if they put a collection on the credit report of Mickey Mouse, so be it.

      --
      I too have felt the cold finger of injustice.
  6. Use a dedicated card for online shopping by cicho · · Score: 5, Interesting

    A way to stay relatively safe is to use a dedicated card. Here in Poland banks with online presence will supply you with what some call an "e-card". It looks like a Visa and is recognized as a Visa when you buy stuff online, but:
    a) it can ONLY be used for online transactions (it does not double as an ATM card)
    b) the card has its own virtual account with the issuing bank. You need to transfer money from your main account to the card before you make a purchase. Doing so takes authentication and a couple of clicks.

    Yes, it takes a minute or two more, but no-one will be able to charge you repeatedly, and any loss due to fraud is limited to the amount you charged the card with. If you suspect anything untoward, you can clear the card with a single click. As a side effect, it helps prevent impulse buying, since it adds that additional step.

    You could, of course, charge the card with a hefty sum and keep it over a long period, which would cancel much of the protection, but that's like installing a virus scanner and then running it disabled. In addition, if you charge the card in excess of about $1000 (depending on the bank), the transaction must occur within three days, otherwise the amount automatically reverts to your main account and the e-card is cleared.

    There is a chance that a seller will coincidentally attempt a repeat charge just when you have charged the card for an unrelated purpose, but the likelihood of that is small, reduced further by the fact that an e-card is valid only for a year. It is re-issued annually (at no cost or at a minimal charge) with the same number but different expiration date. So a vendor from whom I am buying today will not be able to charge the same card next year. (If I do want to give them that option, I can always use my regular Visa - but I've never had to in six years.)

    I don't know if US banks provide this kind of service as a rule; if they don't, you guys should raise bloody hell. It goes a long, long way to keep you safe, and will prevent any underhanded attempts like these.

    --
    "Only the small secrets need to be protected. The big ones are kept secret by public incredulity." - Marshall McLuhan
    1. Re:Use a dedicated card for online shopping by DrXym · · Score: 2, Interesting
      A way to stay relatively safe is to use a dedicated card. Here in Poland banks with online presence will supply you with what some call an "e-card". It looks like a Visa and is recognized as a Visa when you buy stuff online, but:

      Ireland has something similar called 3V which is supposed to be an online-only Visa card that you top up. So in theory you can use it without fear that someone will run up huge bills or cause you hassle trying to get a card reissued. The only problem (and this is a massive problem) is that it's ONLY online. I find the concept enormously handy but I want a physical card that I can use anywhere and hold onto for an emergency situation (e.g. my regular card is lost).

      I think the US has proper Visa Gift / Debit cards but they're very difficult to find and some charge "maintenance" or topup fees. I think the idea would be enormously popular, especially with teenagers if they do away with fees and just take their skim from the 1-2.5% they slap on all transactions anyway.

  7. MMORPGs do this too by DrXym · · Score: 2, Interesting
    I bought The Lord of the Rings Online. A good game, but has the same extremely irritating automatic subscription behaviour. The very first thing that happens after you activate your game is that it asks you for your credit card and what plan (monthly, three monthly etc.) you wish to subscribe to. At no point did I see an option such as "No thanks, I just want to use the 30 days I got with my purchase", at no point did I see a checkbox that says "I will manually renew each month". Once you activate you're set up with automatic renewals whether you like it or not.

    I normally cancel my sub as soon as I've gone through all the bother of signing up for it. But it's still extremely annoying and insulting that any company does this. Codemasters are not alone here. All it does is make me less inclined to renew than if they just let me choose myself.

  8. Tell me about it! by Karl+Cocknozzle · · Score: 2, Interesting

    From my perspective, the biggest problem with security applications is the licensing... The contracts are rigid, inflexible things. You buy in increments the vendor dictates--no more, no less. You are steered to the suites as a way to "maximize the value of your investment"... true, the software is sold a la carte, but the prices... They're so high you could buy the whole suite for "not that much more."

    And the "premium support" that we've gotten hasn't really been great... Yet it is usually touted as the chief reason to buy a suite by anybody touting the monolith of security applications from Vendor X.

    I had a specific incident with a security vendor's SMTP Gateway/AV/Antispam software earlier this year where we tried to get the "new and improved upgrade" version up and running and after troubleshooting our test server for about 2 hours with their support staff we told them in passing that the 2nd NIC hadn't been installed when we set up the server, we had added it and then installed drivers after the fact to support the funky way it handles send/receive and reconfigured thinking it would be no big deal. The manual does not specify that it's a problem, so we just installed it and moved forward. When it still couldn't send mail with the new NIC in place, we took extensive troubleshooting steps, then uninstalled/reinstalled the software to try and get it to recognize it. This didn't work either, and led to the support call after a few more things were tried...

    "Oh," says the support guy. "Then you'll have to reinstall the whole OS and start over with both NICs already in place."

    Not just the software... the whole OS--he says that "our uninstall sometimes fails... It is just safer to redo the OS." So I ask him--what happens if a NIC fails in a server? If the vendor sends the same hardware to me and installs it, will the software function? "Probably not"--I'm told. Effectively, they've released a bunch of OSS tools but they've failed to do anything besides kludge them together in one web-interface. "Any" change to the hardware will require you to reinstall the software... possibly the OS if it doesn't work after re-install.

    This is a part of the solution that we've paid about $30k for... It's the worst value I've ever seen... Other parts of this "enterprise suite" are just as wonderful, if not more so. So I've finally gotten support to go a la carte for better spam control... I'm buying a Barracuda ASAP to replace this clunker...everybody I know who uses one says after it learns your white-list it just sits there and sifts mail quietly with very few false-positives and no problems. We finally got this anonymous security vendor's "product" into a state I would call "operational," but the spam protection is not as good as the "older" version that it replaced. We now hear complaints every day about how much more spam is getting through...

    --
    Who did what now?