Schneier On Scareware Vendor Lawsuits

Bruce Schneier's blog says "This is good: Microsoft Corp. and the state of Washington this week filed lawsuits against a slew of 'scareware' purveyors, scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software. "

You are trying to file a lawsuit. Cancel or Allow?

[Hatta]

Microsoft is as big a culprit of this as anyone.

Microsoft is sueing themselves?

[El_Muerte_TDS]

scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software

Sounds a lot like an average Windows advertisement.

Re:Microsoft is sueing themselves?

[mrfriendly]

They're suing for patent infringement - not because they have a problem with scareware.

Re:Microsoft is sueing themselves?

[Jesus_666]

Not like the ones they show in my country. If the scareware authros operated like those ads they'd tell people that their software enables them to fly through the air with Madonna playing in the background. Or that some random people are personal computers. Or that some woman called Serena uses the internet. Or that Jerry Seinfeld is actually a shoe salesman.

The key difference is that the scareware authors actually give you a(n invalid) reason to use their software while Microsoft's ads are just random nonsense.

Re:Microsoft is sueing themselves?

[zonker]

Yep. Microsoft OneScare to the rescue.

Unnecessary blog reference

[g051051]

Why does this even reference Bruce Schneier's blog? There's no added value from there. Why not just reference the original article?

Re:Unnecessary blog reference

[QuantumG]

Look at the name of the submitter.. this is blatant self promotion.

And, as is often the case, Schneier's blog doesn't add anything to the article either.

Re:Unnecessary blog reference

[nschubach]

Repeat after me: Ad revenue from hits/views.

Re:Unnecessary blog reference

[mcgrew]

Bruce Schneier has a lot more credibility in the security field than the Washington Post, the State of Washington, and Microsoft all put together.

Re:Unnecessary blog reference

[jimicus]

Bruce Schneier has a lot more credibility in the security field than the Washington Post, the State of Washington, and Microsoft all put together.

That doesn't mean much. My left arse cheek has a lot more credibility in the security field than the Washington Post, the State of Washington, and Microsoft all put together.

Re:Unnecessary blog reference

[LMacG]

Actually, Brian Krebs at the WaPo has a lot of credibility, and has been writing very good well-researched columns on computer security for as long as I've been reading that paper. What's your left arse cheek done lately?

Re:Unnecessary blog reference

[MadMidnightBomber]

Mod parent up. Brian Krebs is about the only journo that I trust to report security stuff accurately.

Re:Unnecessary blog reference

[DerekLyons]

Mostly from pandering to other peoples political beliefs and indulging in scaremongering himself.

Re:Unnecessary blog reference

because Bruce Schneier makes everything awesome

Re:Unnecessary blog reference

Schneier's blog is automatically fed directly into the Firehose, along with several other sources. Usually, they ignore it (or wait for someone to write an actual submission), but I guess they accepted this one.

I'm not really sure whether he or Slashdot set things up to feed all the stories in there, frankly, but it's certainly automatic. You can't miss the piles of, say, Computerworld stories in there if you lower your threshold.

Re:Unnecessary blog reference

Are there web pages with Brian Krebs facts?

I didn't think so.

Bruce Schneier is reading all of your encrypted data even as we speak.

Re:Unnecessary blog reference

Hi Brian!

What an awesome quote on his book cover

[DimmO]

http://www.schneier.com/images/book-sos-175w.jpg "The closest the security industry has to a rock star" Well, if that's the case, I'll believe anything he says then. I love rock and roll.

Re:What an awesome quote on his book cover

[Notquitecajun]

So put another dime in the jukebox, baby.

Re:What an awesome quote on his book cover

[vadim_t]

Why?

I heard this claim several times already, but never seen an explanation. As far as I can tell, he's a pretty smart guy and what he says seems to make sense.

So what's the problem with him?

Re:What an awesome quote on his book cover

[I'm+not+really+here]

They need to update that song, though "Put another $1.25 in the jukebox, baby" just doesn't have quite the ring to it.

Re:What an awesome quote on his book cover

[Lobster+Quadrille]

It's like people who say "I love reggae. Bob Marley is awesome".

It is usually just them name-dropping, because he is the only security guy they know of. Not sure I'd call him the rock star of the industry though- Dan Kaminsky and Johnny Long have that covered.

That said, having read a lot of security literature, and all of Bruce's books, he is the best mind I can think of on high-level security theory- what works, what doesn't, and how to evaluate a solution.

Re:What an awesome quote on his book cover

[Miseph]

Yeah, not to mention that the advent of mp3 players and decent portable speakers means anyone who drops $1.25 into a jukebox to listen to whatever shitty music it has in rotation is a tool.

Hmm... do I want to pay through my nose to listen to Journey, or should I just whip out my cell phone and crank some Black Flag? Gee, this is a toughie...

Re:What an awesome quote on his book cover

[Hyppy]

So what's the problem with him?

There is none. "QuantumG" (I assume he thinks he is the indivisible entity of a gangster) is just angry that people don't shun the "obvious" names.

Re:What an awesome quote on his book cover

[I'm+not+really+here]

Um... some jukeboxes are now connected to itunes, so that $1.25 just bought that song for that jukebox. You can listen to practically anything, and it goes over the entire PA system, not just out of a crappy speaker on a phone. It's not worth $1.25, but it's a pretty cool idea.

Come on, slashdot! I'm not spamming. Why did I have to leave for lunch and come back before being able to submit this post? 30+ minutes is getting a bit offensive.

Scareware

[InspectorxGadget]

If Schneier wants to stop scaring people he should consider trimming his beard. That face-fro looks like it runs Crysis.

Re:Scareware

[mcgrew]

If Schneier wants to stop scaring people he should consider trimming his beard.

Halloween's coming up.

A state government and Microsoft both doing something I approve of? What's this world coming to?

Re:Scareware

[Fred_A]

I don't know, add glasses and a crowbar and he could star in a videogame. Seems to me like the kind of guy you want talking about computing.

Re:Scareware

[Lobster+Quadrille]

Never!

I wouldn't trust a cryptographer without a beard.

Re:Scareware

[KGIII]

Hell. Now serving ice cubes.

Wasn't their a TV advert about this?

[MosesJones]

scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software

It was an Apple thing I think warning about some company who was pushing some "extra secure" version of its operating system which in fact gave you less performance and kept nagging at you the whole time. Yup I thought so.

Oh wait this is some OTHER companies who use security as a scare threat via nagging messages to get you to buy software.

Re:Wasn't their a TV advert about this?

[ThePhilips]

Oh wait this is some OTHER companies who use security as a scare threat via nagging messages to get you to buy software.

You mean M$ "scares" users with UAC to buy Vista? You got some problem with your logic.

Last time I was checking that trick didn't fly.

If this are lawsuits we're talking, somebody should charge M$ with false advertisement: many end-users were made to think that thanks to UAC Vista is more secure than XP.

Re:Wasn't their a TV advert about this?

[bemo56]

Actually, that ad is pretty truthful and accurate. These other companies are making claims about something that doesn't exists. UAC can drive a sane man crazy.

FAKE security warnings, for Windows?

[wvmarle]

I'm truly impressed that people can come up with security warnings about Windows that are not true... after all, is there anything as insecure as Windows?

The only thing I think they may have a case with is of course the fake software, as in software that does not do what is advertised. And I'm not even thinking of Windows itself this time.

Re:FAKE security warnings, for Windows?

[sjwest]

If you run a linux os with a modern web browser, and you visit a site with the scareware it is mildly amusing to see that your registry is screwed up and the site looks like internet explorer in colour scheme but you can download an exe to fix.

Its happened twice to me, and i find them amusing.

Im quite sure this is how windows zombies get signed up, but my penguin knows better.

Re:FAKE security warnings, for Windows?

[Swizec]

There is a monster out there less secure than windows and it is called Internet Explorer.

Re:FAKE security warnings, for Windows?

last time i checked metasploit had at least double the attack vectors for linux than it did windows.

so, i would say linux is less secure than windows.

Re:FAKE security warnings, for Windows?

Yes, that would be Linux, MacOS and all the major OS designed for ease of use instead of security.

If you want security you have to switch to an OS designed for it. Good luck finding one. OpenBSD is the closest thing you will find on the open market.

Re:FAKE security warnings, for Windows?

[MadJo]

Were those attack vectors directed at Linux or at packages running on Linux?
Apache != Linux
MySQL != Linux
etc

Re:FAKE security warnings, for Windows?

[gaderael]

...after all, is there anything as insecure as Windows?

Emo kids?

Re:FAKE security warnings, for Windows?

[plague3106]

1998 called, they want their insecure windows jokes back.

Re:FAKE security warnings, for Windows?

[CSMatt]

WARNING! Your computer may have spyware. Click here for our FREE REGISTRY SCAN!

Re:FAKE security warnings, for Windows?

Both of those run on Windows, so if they are contributing to the (claimed) double vulnerability count (which is known vulns, not how many are present...), then they would contribute equally to both OSes.

Unless they only are vulnerable on Linux.

Re:FAKE security warnings, for Windows?

[wvmarle]

Yes I know, big strides have been made by Microsoft to improve it. The whole design of Windows unfortunately has never been with security in mind, this in contrast to Unix and it's clones and derivatives which is designed to be part of a network and multi-user.

Microsoft has a lot to do to really make it secure, and when seven years of development for a minor upgrade (XP to Vista) can't fix it, nothing short of starting from scratch can.

Win XP/Vista is a huge improvement over 98 and ME, however the number and sophistication of attacks against it have increased probably even more so, resulting in an ever increasing mess of zombies, connected to an ever increasing amount of bandwidth to dispatch their rubbish.

Re:FAKE security warnings, for Windows?

[wvmarle]

In that case you should say the same about Windows. Most of the attacks (particularly drive-by attacks related to surfing) are targeted at IE, an application. Oh bad example, according to MS it's an integral part of the OS. Never mind.

Then there are attacks directed at Outlook, ISS, and so on. Very few are directed at the Windows core. Same will account for Linux: unless the attack is done locally (most are over a network), it is always an application that is the first line of defense.

Re:FAKE security warnings, for Windows?

[fyoder]

I'm truly impressed that people can come up with security warnings about Windows that are not true... after all, is there anything as insecure as Windows?

Question of probablity. They might have had a chance if their warning had said "Your computer is probably infected", but it is conceivable that there exist Windows boxes recently installed from behind a firewall which are not infected at all, so they can't say "Your computer is infected".

Re:FAKE security warnings, for Windows?

[KGIII]

To be fair we'd call a vulnerability in Internet Explorer or Windows Media Player a "Windows" vulnerability even though those aren't actually Windows. Hell, the N version doesn't even ship with WMP and, I forget, may not eve ship with IE.

Re:FAKE security warnings, for Windows?

But Apache and MySQL don't come installed and running by default on Windows systems. Sun Solaris 10 is far more secure either of these, especially if you install it with its "network services restricted" mode (can't remember the proper name off hand). It only opens sshd by default. I think it does start sendmail, apache and some others, but they only listen locally.

The point is people are childish, who continue this Windows/Linux security/usability/reliability debates. Each product has its strengths and weaknesses. I have a co-worker that touts the reliability of Linux. My response was to tell about how I purchased a RocketRAID card. And guess what? Windows booted fine, though it didn't recognize the card (and attached disks). Even Solaris x86 booted fine. Boot to Linux, "Oops".

Re:FAKE security warnings, for Windows?

[sglewis100]

I had mod points yesterday, but alas not today... somebody throw this guy a +1, come on, that's pretty funny!

Re:FAKE security warnings, for Windows?

[marcosdumay]

That is because those come with Windows, and you can't uninstall them (Oh, yes, the EU justice can uninstall WMP. Nut most users are not as powerfull as the EU.) while most Linux distros don't come with MySQL and Apache running by default.

Re:FAKE security warnings, for Windows?

[savanik]

last time i checked metasploit had at least double the attack vectors for linux than it did windows. so, i would say linux is less secure than windows.

That would be because you need more attack vectors to gain access to a Linux box. In Linux, there's a dozen different ways to do any one thing, so any one attack vector won't neccessarily work. There's also different distributions, etc.

In Windows, everything configured exactly the same way, so a security hole in a service patch is always the same hole, and always will be punctured with the same attack. Therefore, you need fewer types of attacks in total.

Re:FAKE security warnings, for Windows?

[KGIII]

Then again Firefox ships with most versions of Linux that I have downloaded. There aren't a whole lot of exploits at the kernel level for most modern OSes. Those that do exist are often patched fairly quickly. The flaws that I typically see are at the application level regardless of the operating system. Which was mostly what I was saying in the first post but I wasn't very clear, my bad.

Re:FAKE security warnings, for Windows?

[marcosdumay]

Yes, I'd agree that a flaw of Firefox shlod be counted as a flaw of Linux, as should a flaw of Openoffice.

Re:FAKE security warnings, for Windows?

[Xtifr]

Then again Firefox ships with most versions of Linux that I have downloaded.

Really? I don't think a single one of the Linux servers in our farm has Firefox installed. On the other hand, I think all of our few remaining Windows servers have Firefox installed. :)

Re:FAKE security warnings, for Windows?

[plague3106]

Sorry, I really think you don't know what you're talking about. NT was designed as a multi-user OS with security in mind. It was originally built by the same engineers that built VMS.

As far as "sophistication" of attacks goes.. it's mainly users choosing to install viruses that cause problems. I fail to see any real sophistication in that. As for the numbers part... yes, there are more computers running Windows now than there were 10 years ago. Amazing.

Re:FAKE security warnings, for Windows?

[gparent]

That doesn't mean you're forced to use it.

Re:FAKE security warnings, for Windows?

[jonbryce]

They have warnings like

"Warning, your computer is broadcasting its IP address over the internet. With this information, any website you visit knows where you are".

Well of course it does. With out that information, how is it going to send the web page you asked for.

Re:FAKE security warnings, for Windows?

[jonbryce]

Does it list exploits for each distro separately? Does it list exploits for all the different mail servers etc you might choose to run on it?

Re:FAKE security warnings, for Windows?

[jonbryce]

Would you count a flaw in MS Word as a flaw of Windows? It doesn't ship with Windows, but most people buy it separately and install it.

Re:FAKE security warnings, for Windows?

[jonbryce]

Windows 2003 server has a pretty good track record. It is also pretty much unusable as a desktop operating system in its default setup.

It is the desktop offerings that have a problem, and that is because they have to run programs written in the Windows 9x days when there was no separation between program and data files.

Re:FAKE security warnings, for Windows?

[mvdwege]

NT was designed as a multi-user OS with security in mind.

And yet, for all the features Microsoft wasted years of developer time on, services still run as LOCALSYSTEM. One bug, and you're owned.

As I pointed out before, Unix has a more primitive security infrastructure, and was not really designed to be secure from the ground up, yet by the time Dave Cutler started on NT, years of hacks and exploits had taught the *nix community how to work around that. Microsoft, in all their NIH wisdom, decided that none of that experience really mattered, but ACLs on every system object could substitute for bad system design. And here we are in 2008, and finally they start to realise that implicitly trusting outside input might be a bad idea, and that running with more than necessary privileges might just be plain stupid.

Microsoft deserves every bit of scorn heaped upon them for ignoring what the rest of the computer industry had known for decades

Mart

Re:FAKE security warnings, for Windows?

[Alpha830RulZ]

Hm-m-m. So if Firefox on my windows box is exploited, Linux should be blamed? Maybe this should be attributed to the actual problem, firefox...

Re:FAKE security warnings, for Windows?

[Alpha830RulZ]

Microsoft deserves every bit of scorn heaped upon them for ignoring what the rest of the computer industry had known and ignored for decades.

Fixed that for you. You yourself note that *nix community has been designing hacks and exploits, which demonstrates that *nix has it's own issues.

Jeepers, folks. It's about the freaking user. My windows servers are as safe as my Linux servers, for the same reason - I keep peoples' privileges low, and don't run unnecessary services. 15 years, NO problems. It's not that hard.

Re:FAKE security warnings, for Windows?

[Mistshadow2k4]

it's mainly users choosing to install viruses that cause problems.

Oh, goodie, more "it's all the users fault!" crap. Suuuuuure, Windows itself isn't insecure. It wouldn't, say, have a service running in the background be default that lets remote computers alter the registry. It doesn't let viruses and trojans just install themselves when your computer connects to the internet without a firewall or antivirus, does it? Oh, wait, yes it does both of those things and more.

Of course, those who are so intent on shifting the blame from Microsoft will say that not having an AV, anti-spyware and firewall installed makes it the users fault. I use Windows and I use Linux and I will say this: It is fucking ridiculous to have to devote so much of your computer's resources to 3rd-party (or extraneous, in the case of MS's own security software) programs to protect the system because they designed it so shoddily to begin with. With any other operating system in the history of computing you just need a firewall and something to check for rootkits occasionally. Plus, you don't need to worry about what sites you visit. (Yes, that's another thing that bothers me: "don't do this or go to these sites and you'll be fine". Hey, pro-MS idiot, have you noticed that people using other OSes and go there and do this without their systems getting pwned?)

I've seen these statements here and at other sites and I'm sick unto death of this crap. I mean seriously, since you're peddling the only OS in computing history that has these vulnerabilities to begin with, or at least so many them, how dare you say it's the user's fault?

Re:FAKE security warnings, for Windows?

[KGIII]

Why yes. "That I have downloaded." I haven't tried them all though and the only servers that I use with Linux on them run CentOS and, to be honest, those don't even need a browser. Instead I have to keep Apache, PHP, WHM, cPanel, etc updated. OSes become insecure when we start piling applications on them.

Re:FAKE security warnings, for Windows?

[mvdwege]

First off, people who use 'fixed that for you' are complete and utter lusers.

Second, you cannot read. I specifically mentioned that the *nix community has worked on their security issues.

If you can't bother to read, don't bother to answer. I have better things to do than waste my time with idiots, thank you very much.

Mart

Re:FAKE security warnings, for Windows?

[KGIII]

Actually? Side note... I'd say no to your question but if there's a flaw in Firefox that allows the underlying OS to be rendered vulnerable the flaw resides with both for having allowed the application to perform functions not authorized by the user. The question then is how to fix it... I don't know the answer to the question unfortunately.

I have a bad analogy if you want/need it.

If I let a stranger into my home and he then murders my child then the fault is his. At some point, though, I made a choice to let him in knowing that I knew little to nothing about him.

It is kind of sort of like that but not quite.

Most OSes, in and of themselves, are really quite capable of being secure these days. It is when we stack applications on them that they start to fail.

Re:FAKE security warnings, for Windows?

[Alpha830RulZ]

Pot, meet kettle. Ad hominum doesn't advance your cause. Your own point was that unix has design flaws, which knowledgable users have worked on. Windows has design flaws, which knowledgable users have worked on.

Re:FAKE security warnings, for Windows?

[mvdwege]

An insult is not the same thing as an ad hominem. And I gave an example, which you didn't address

You're a moron.

Re:FAKE security warnings, for Windows?

[Alpha830RulZ]

Hm-m-m. It's a fine distinction. I'm pretty sure that the definition of ad hominum is attacking the speaker, rather than the idea, and an insult certainly seems contributory to that cause.

You've got a lot of hostility, I'm sorry to have offended you. Sounds like you've got a lot to carry.

Why did it take so long?

[uberlinuxguy]

I'm actually kind of surprised Microsoft has taken this long to take action against those "scareware" guys. It sort of makes one wonder how much of a legal leg they have to stand on. Any lawyers/other legal minds care to weigh in on that?

Microsoft bashing. Bored now.

Microsoft is as big a culprit of this as anyone.

We're all aware of MS' past and current business practices. Although, MS seams to have been cleaning up their act lately.

I bored a bit with the "MS has done worse." or the "M$ is evil." and etc. It's been done to death here on /. and it really doesn't add anything to the threads - it never did, actually. It was a cheap way to karma whore. And looking at your UID, I would think you're beyond the karma whore stage.

colors

[apodyopsis]

I'm confused, I don't use windows, but surely somebody could just change the desktop colors and then when a warning alert turned up in the old colors they would know it was a scam?

Is that too obvious?

Re:colors

[MBGMorden]

Too obvious for your normal user, yes. Your average geek isn't going to get fooled by these things anyways (heck with the way NoScript and my popup blockers are set I don't see them at all anyways). But to the guy who fumbles with the power button and whose eyes glaze over when you speak of "cut and paste", changing the window colors and then having the foresight to pickup on a different color showing up being bad, is way beyond their capabilities.

Re:colors

Intelligent users probably don't even need to do that to spot a fake alert.

Unfortunately, the majority of users are not intelligent, and will just click OK to get the annoying message to go away.

Re:colors

[reallyjoel]

Sad thing is, that's actually true. There are such people.

Re:colors

[Seakip18]

True Story:

After reformatting, one of the first things I do is go to AVG's website and download some virus protection. I google, and, thanks to a shitty mouse or my stupidity, accidentally click on another legitimate website. Adware, crapware, and more all taint the once pure machine via IE. All because AVG returned a couple of sites that are no where near legitimate.

No warning would have helped in that case.

Re:colors

[Tikkun]

True Story:

After reformatting, one of the first things I do is go to AVG's website and download some virus protection. I google, and, thanks to a shitty mouse or my stupidity, accidentally another legitimate website. Adware, crapware, and more all taint the once pure machine via IE. All because AVG returned a couple of sites that are no where near legitimate.

No warning would have helped in that case.

Fixed.

Re:colors

First thing you should have done was hit the Windows Update. It at least takes care of protecting you from the low hanging fruit.

Could be much worse. You could have done all that *after* spending an entire day installing all your other software.

Re:colors

I had something similar happen to me when looking for DaemonTools - except it was the legit site itself that was riddled with adware and spyware! I was even using Firefox with Avast! installed. I believe it had used that PDF vulnerability that was discussed on here a bit ago.

Re:colors

[oakgrove]

Something that may help you in the future is if you can't remember the exact site of a software vendor and have to search for it, instead of using google, try wikipedia. It's a lot harder to get thrown off there than it is in a google search page with something like 36 different variations of avgsoftware.com or whatever with only one of those being the actual one you are looking for. With Wikipedia, in just about every article for a piece of software, there is a little box on the right hand side telling the current version, the vendor and a link to the vendor's site. Obviously not fool proof but it hasn't let me down yet and it at least increases your chances of going to the right place the first time.

Of course, I'm not completely up on my Windows fresh install software hunt lore as I happen to use a little program called synaptic to do my post install goody searching but to each his own.

Re:colors

[CSMatt]

I've occasionally seen actual dialog boxes pop up with these warnings back when I used Windows and IE, so it isn't just graphics that look like boxes.

Re:colors

[Gothmolly]

Most Windows users never change the default colors, or even that stupid grassy knoll background image.

Re:colors

[_Sprocket_]

One of my insights doing a stint behind a helldesk was that some otherwise competent, intelligent people will disengage their thought process when sitting behind a keyboard. Sometimes I felt like psychiatrist - or at least what I suspect many of them do:

1. Listen to problem.
2. Restate problem as a question.
3. Confirm answer given by customer is correct.
4. Assure customer that while correct answer WAS somewhat obvious, we get it all the time and a lot of folks don't figure it out on their own. Add reassuring comment about their savvy in this situation.

Re:colors

[techno-vampire]

Most Windows users don't know that the default colors can be changed. As far as the background goes, I worked for four months in a small tech shop and was the only person there not using the default wallpaper. Not because everybody else was too busy to do it, just too lazy.

Re:colors

[thePowerOfGrayskull]

Sad thing is, that's actually true. There are such people.

That's the majority of people. At least some of them are quite intelligent - they just don't seem to want to use that intelligence on learning computers.

Re:colors

[Feanturi]

What I find effective when using Google to find a vendor, is to entirely ignore the sponsored links at the top of the result list. These will tend to have been bought by competitors of the vendor you are looking for. The next result down after the sponsored links is most likely to be the place you are looking for. They need to stick with pagerank and get rid of the "sponsored" crap, it can't be trusted.

Re:colors

[supernova_hq]

Actually, I do just this to people who's computer I fix on a regular basis. I then tell them "If the bar is blue, it's fake."

It works quite well.

Re:colors

[jonaskoelker]

I felt like psychiatrist

What you describe sounds more like what a psychologist/counselor; my understanding is that the job of a psychatrist is similar to that of your general care physician except applied to mental health: diagnose badness and suggest/prescribe interventions, and if the intervention is psychotherapy also carry it out.

In some cases, cognitive therapy may be as simple as you make it out to be, but there's more to psychiatry than meets the eye (I would think). OTOH, there may be not much more to psychquackery than that.

Re:colors

[_Sprocket_]

What you describe sounds more like what a psychologist/counselor; my understanding is that the job of a psychatrist is similar to that of your general care physician except applied to mental health: diagnose badness and suggest/prescribe interventions, and if the intervention is psychotherapy also carry it out.

Actually - you're quite correct. You caught me being lazy. I actually have had some exposure to those aspects of health care and have learned some of the differences. I suppose a real general way of contrasting the two is that psychiatrists use drugs while psychologists talk. Someone in the field could probably go in to considerable detail and outline how accurate but wrong that statement is. :)

It's all rather complex stuff. At the least, it appears to be sufficiently complex as to appear simple to the layman. I've gained more appreciation than I probably let on after having watched both psychiatrists and psychologists in action.

Courts determining what's required for security?

[compumike]

The law referenced "makes it illegal to misrepresent the extent to which software is required for computer security or privacy." This is such a fishy thing that I'm not really sure if I want courts to determine what exactly is required and therefore whether it is being misrepresented.

Now, maybe there's a case for fraud if the program doesn't do what it purports to do in its advertising, but that doesn't seem to be what's at stake here.

There also might be a case for fraud if, perhaps, the advertising pop-ups are being confused for actual Windows messages. But I suppose in the "real world" advertisements mimic other things to be creative, but are still fairly obviously ads.

Just not sure I like the sound of a law that requires a judge or jury to determine what's required for computer security.

--
Hey code monkey... learn electronics! Powerful microcontroller kits for the digital generation.

Re:Courts determining what's required for security

[db32]

Sounds like it could be used for Microsoft to take a swing at all of the legitimate anti-virus/scumware/etc apps for advertising how critical their software is because Windows has so many problems.

Bad Design cannot be hidden by lawsuits.

The issue here isn't so much the users getting taken by scam artists. It's bad bloody design. Windows alerting mechanism is so confusing and broken that users can't tell the real Windows alerts from the fake ones. This is MICROSOFT'S fault. Not the scam artists.

Suing the people who exploit Windows design flaws is not the solution. If you leave a door open, suing people for walking through it is not the right fix. The fix is to close the door.

So, yay for Microsoft recognizing the problem and at least doing SOMETHING. But this is simply not the right response.

Mismatch

[senor+mouse]

The legal 'teeth' for these actions is the RCW. Scumware purveyors are exactly that - scum. It will be fun to see a weasel in the ring with a tag team of 800 lb gorillas.

Re:Courts determining what's required for security

The law referenced "makes it illegal to misrepresent the extent to which software is required for computer security or privacy." This is such a fishy thing that I'm not really sure if I want courts to determine what exactly is required and therefore whether it is being misrepresented.

What, like WGA (windows genuine advantage) claiming to be a security update that is needed for the safe & secure operation of windows XP?

I smell a big lawsuit coming...

Re:Courts determining what's required for security

your nerdkits spam is getting really old...

all anti-virus companies

[Jessta]

"the law makes it illegal to misrepresent the extent to which software is required for computer security or privacy,and it provides actual damages or statutory damages of $100,000 per violation, whichever is greater."

lol, so all the anti-virus software companies(Norton, NOD32,VET etc) and anyone selling 'personal firewall software' is pretty much screwed.

Re:all anti-virus companies

[Coopjust]

Maybe not a geek. The average user, in my experience, can't keep viruses at bay without them.

While a lot of AV makers will try to convince you that you'll be screwed without the $100 security suite, they tend to sell what they say they are selling and don't have fake positives in the product in an effort to try to convince you to buy them.

And anyone that ran Windows XP RTM/SP1 knows that a firewall of some sort was required (hardware or non-Microsoft software) due to all the exploits. You could be owned while running the XP built-in Firewall.

Nowadays (SP2 and beyond, Vista, etc.) are built strongly enough where the included firewall is fine, unless you're looking for fine tuned outbound control. I like running a software firewall just so I can monitor new outbound programs.

I'm moving to Washington....

So, the State's Attorney actually understands and wants to do something about scareware. A judge recently ruled that under Washington law Cingular's forced arbitration concept was unconsionable.

A state with a clue!

Scareware?

[LiteralKa]

[...]scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software.[...]

Isn't most computer security software useless anyway? I GOT NORTON YOU CAN'T TOUCH ME!

what gives them the right?

Obviously something needs to be done, but of all people to file a lawsuit, what gives Microsoft the right to do this? Either way i hope something gets done, such software is not only pointlessly malicious, but it also turns people away from computers and the internet. Maybe it is a good thing, if anyone has the resources to tackle this Microsoft does.

Garrett

Re:what gives them the right?

[Coopjust]

Microsoft may have a case in that it makes the OS seem bad. If fake programs lie and say you have 50 viruses, 120 pieces of spyware and 60 registry errors, it makes the OS look like a pile of junk.

Re:what gives them the right?

[matazar]

Combine that with the fact that some of them claim to be the OS telling you that you are infected and to buy some fake program. I can see Microsoft's point. They really can't prevent this kind of thing because you can't fix stupid.
A lot of user's trust the pop-ups from ads and end up installing a lot of this crapware.

good point

[QuantumG]

It kinda looks like this law is written almost exactly with WGA and other nasties in mind.

Re:Courts determining what's required for security

Or, you know, it could be used to take down the people behind malware software such as XP Antivirus.

This is bad

Understandable, exusable but bad nonetheless.

More Government Regulation

[Jawn98685]

When will these ultra-liberal, extremist zealots realize that more regulation just doesn't work? It is no suprise to see that the term "worthless security software" should be bandied about by such out-of-touch elitist snobs. We all know that the free market should determine what is "worthless" and what is not. Why do socialist thugs like Microsoft and the Washington State Attorney General's Office get off, trying to bully patriotic, tax-paying, small computer security businesses this way?

Re:More Government Regulation

And I'll tell you WHY I modded you TROLL...

You described Microsoft as "socialist".

Re:More Government Regulation

[nhtshot]

You're right!

But, I can tell from your message that you have a high level of contamination in your home drinking water. It's already affecting your speech. I'm from the Federated Department of Drinking Water Security. (Flashes badge that is a perfect knock-off) You have nothing to fear though, for a nominal fee, I can provide you with a water security solution that will keep your faucet from broadcasting it's location to the evil germs and heavy metals that are lurking just outside.

Re:More Government Regulation

[ExploHD]

This is to protect the consumer from fraudulent AV companies. Take a look at: http://en.wikipedia.org/wiki/Antivirus_2009
That one pops up with a fake "Security Center" screen that opens your browser to their site where you can buy their program for $49(US) or $72(US) depending on which version you'll think you need.

Re:More Government Regulation

I agree. I mean, look how better off we are without regulating the banking industry

Re:More Government Regulation

[Jawn98685]

The ability to grasp sarcasm is a remarkably effective gauge of intellectual capacity, it seems. Have a very nice day.

Oh, it gets worse.

[RulerOf]

but surely somebody could just change the desktop colors...

It's worse than that, because it's even more obvious.

This is where the end-user epic fail really is:

Security Alert - Windows Internet Explorer

Or

Security Alert - Mozilla Firefox

End users have so trained themselves to not actually read dialogs that they simply can't tell something they've seen before from something they have not.

It doesn't take a genius to sit at a computer for hours, and hours, and hours on end, every day, at work and at home, to recognize that your "Security Alert - Windows Internet Explorer" causes the cursor to turn into a pointing finger, just like a hyperlinked picture does on the web.

It's the inability of people to grasp these kinds of subtleties, despite years upon years of on-hands experience, that makes security a nightmare and things like UAC such a necessity.... Of course, then we get back to the whole not reading dialogs bit.

Also, predatory software programmers really have culpability. [badanalogy] But to similarly say that it's not your fault you got mugged because you flashed $2000 in cash at 1:00 AM in a biker bar that you've been going to every night for drinks for the last 6 years makes you similarly sound like an idiot.[/badanalogy] Common sense has not much prevalence in the average end-user. Or mugging victim.

Re:Oh, it gets worse.

[plague3106]

So... you're saying that the mugger should be penalized less, because the victim asked for it? Please, stop with this blame the victim nonsense.

Re:Oh, it gets worse.

[RulerOf]

No.

I'm saying that if you're too ignorant to understand that you're asking for it because you feel it's not worth your time to learn anything from your hands-on experience, then it's your own damn fault that you put yourself in that situation. I never said there was anything right or just about crime.

Re:Oh, it gets worse.

[KGIII]

I'm a fairly small guy and, well, to help pay my way through college I actually worked as a BOUNCER in a biker bar for a while. Media puts out the idea that bikers are tough and mean but, really, they're quite tame for the most part. I'm maybe 175 pounds and 5' 11" (I was a bit heavier back then) and I never had a problem. Most of the time it was just a matter of asking someone to leave. Yip... No muggings, not much fighting, no broken cue sticks, no broken bottles, no stabbings, no rapes, no murders, etc...

Those types of crimes seemed to take place at the nearby bar that catered to the college crowd.

Re:Oh, it gets worse.

[plague3106]

Well if you put yourself into a situtation that you are mugged, and you're saying "it's your own damn fault," you clearly are saying that the victim was at fault. If the victim really is at least partially at fault, then surely that relieves some of the guilt from the attacker. Maybe the mugee should spend say 90 days in jail as well? After all, his actions did help get him mugged..

In other words, you can't have your statement both ways.

Re:Oh, it gets worse.

[RulerOf]

Maybe the mugee should spend say 90 days in jail as well?

Getting mugged isn't against the law. Assault and theft are.

I don't understand why you think I'm insinuating that there's any degree of equality between doing something you know is stupid, and doing something you know is illegal.

There's something you should read about called assumption of risk. If you knowingly put yourself in a situation where you are injured--even if it is in no way your fault--the fact that you knew such injury was a probable outcome of the situation you explicitly agreed to be or put yourself in can be used to nullify your right to collect damages from the person or entity responsible for your injuries.

I know it doesn't apply directly to our mugging situation, as we're discussing something criminal and not civil, but the logic behind it is not flawed. The perpetrators of the mugging incident would and definitely should be jailed to whatever terms are considered standard. But if the victim found a culpable party to file a civil suit against (e.g. the biker bar owner) for the incident, his assumption of risk would likely cause his claim to fail at trial.

Nothing is or really should ever be considered as the fault of a victim, else I'd think one would lose claim to that title. But if you run in front of a moving bus because you can't wait for the pedestrian signal and you happen to get hit because the bus can't stop in time, you're still the victim of a tragic accident, but you're also an idiot.

Re:Omigosh enough

I wouldn't anger him... Bruce Schneier can get identity information from an unpowered, unconnected remote machine, just by glaring in its general direction. If he's feeling particularly good, he doesn't need the direction.

It's about time

[jassa]

I'm glad someone is finally taking action against these malware scammers. I do tech support part time and 95% of my recent virus removal jobs have involved these nasty little programs.

Re:It's about time

[Paco103]

You're so lucky. I hate having steady predictable work and income. It's just so monotonous.

Re:It's about time

[jassa]

Fair point, but I like to do the right thing by my clients and it's not right for them to have to spend $60-80 AUD to remove a program that's holding their computer hostage. Besides, there are plenty of other things that can go wrong with computers. I have no shortage of work at the moment.

Re:Courts determining what's required for security

[DarkHorseman]

What actually happens is a lot of these people will go to visit porn sites (or sometimes this is not even necessary). They'll get a pop up from the site saying that they're infected, and that they should download the program. That infection can then lead to more serious malware coming on to the computer, and in some cases, will load that fake BSOD with crap BSOD messages while the infection is doing it's bidding in the background. I think the main reason microsoft is part of this is because alot of what I see in the field is stuff like XP Antivirus 200x or Vista Antivirus 200x. Of course, simply uninstalling these programs does nothing. One would really need to get a program like ReVo Uninstaller to remove it, or remove the program manually. Then what happens when people, like some of my client's have done, call Microsoft complaining that microsofts program is not removing the viruses it found after they paid their money...

Re:Courts determining what's required for security

"makes it illegal to misrepresent the extent to which software is required for computer security or privacy."

Why stop with software?

A majority of the work of doctors and lawyers is just misrepresenting the extent to which their services are required. Why not make a law to stop them. Seriously, most business is just tricking someone ignorant of your expertise that your services are necessary.

Re:You are trying to file a lawsuit. Cancel or All

[tzhuge]

I'm actually not sure what you're trying to say... Your comment vaguely appeals to \. sentiment, but what exactly are you getting at? MS spreads FUD is somewhat off-topic...

Are you suggesting that MS scares users with security alerts into purchasing their software, which is legendary for being secure?

Re:You are trying to file a lawsuit. Cancel or All

[Hyppy]

An important update to your software is available! Please download and install "Windows Genuine Advantage" now!

Re:Omigosh enough

He's well known for his symmetric cipher work, but this is generally considered a hard subject by CS types and considered easy by mathematicians. AES is good, but there were lots of good runner ups, including Schneier's. But it's not that hard. It's basically the newspaper jumble. I agree he is a bit of an over rated blowhard, who's reputation rests largely on a terrible book that is popular with computer scientists who mostly don't know cryptography, only network security.

Re:You are trying to file a lawsuit. Cancel or All

[ameyer17]

You know, every new version of Windows gets advertised as "OMG SAFEST WINDOWS EVAR" and every new version of Windows seems to have more security holes than the previous version.
While not on the same level as the scareware vendors, it's certainly similar.

Re:You are trying to file a lawsuit. Cancel or All

Oh, did you pay for Windows Genuine Advantage? If so, please go buy a Mac ASAP.

I think the point is...

[mitchplanck]

That these programs claim to fix something for you but actually don't or even worse are Trojan Horses themselves. And yes, I know that some people think that Windows is a Trojan Horse, phlyambaeit away.

Re:Omigosh enough

[Dan+Ost]

Hmm...I've never heard anyone criticize Schneier's book before.

Please give us your recommendation for a book on cryptography that is highly regarded by people who know cryptography (perhaps in addition to knowing network security).

Re:Omigosh enough

[2.7182]

Stinson

Re:Courts determining what's required for security

[Akardam]

Sounds like it could be used for Microsoft to take a swing at all of the legitimate anti-virus/scumware/etc apps for advertising how critical their software is because Windows has so many problems.

In that case, can we use the bit that says "illegal to misrepresent the extent to which software is required for computer security or privacy" to sue Microsoft for advertizing "the most secure version of Windows yet" and claiming that the likes of XP and Vista are designed in a security concious way (implicit in the above) as opposed to implementing the likes of UAC?

Sort of like ...

[PPH]

... the one you got while trying to run Windows on DRDOS?

Re:Courts determining what's required for security

[Forbman]

Somewhere, Microsoft's explicit statements of non-warranty of fitness and non-warranty of merchantability for its products has got to come into play here (http://en.wikipedia.org/wiki/Implied_warranty).

In some ways, Microsoft uses its own lack of built-in security features in its products to sell its own other products that provide said security functionality...

This lawsuit seems to be bound a bit in circular logic, and I don't think really benefits the consumer in the end at all.

Microsoft making their products (i.e., Internet Explorer) resistant to the paths some of these popups, on-line ads, etc. use^h^hexploit to install their stuff "on behalf of" the user, well...would that benefit the customer? Yeah...

Re:You are trying to file a lawsuit. Cancel or All

[not+already+in+use]

every new version of Windows seems to have more security holes than the previous version.

Really? XP had more holes than ME? Vista had more holes than XP? You're clearly letting your opinion dictate the facts, and not the other way around.

Re:Omigosh enough

[lumenistan]

Actually, you're thinking of Chuck Norris, not Bruce Schneier. Don't feel bad though, people make that mistake ALL the time...

Finally

[pgn674]

I work at an IT Help Center at a university, and I see this as a method of infection and scam sales all the time. A whole ton of people install the trial ware that these advertisements push, and I've seen a few even buy the fake antivirus software. We offer virus cleanings, and one quick way to see if a machine is infected during an initial assessment is to see if there is fake antivirus trialware installed.

Scaring consumers = basis of modern advertising

[kaltkalt]

Modern commercials rely on one of two things to sell a product or service. One, you will improve your chances of having sexual intercourse with a desireable mate if you purchase our product/service. Two, you are in danger and you need to purchase our product/service to be safe. Over the past couple of years the "scare" meme has turned into more of a direct threat. The best example is those horrible, evil free credit report dot com commercials, where they come out and say if you don't buy our product you'll lose all your money and have to work at a crappy seafood restaurant and drive a shit car (the fact that they're selling something is only to be discerned in the fine print at the bottom of the commercial and the last few words, quickly rattled off, at the end of the commercial). "Buy our product or be poor" is a threat. Auto insurance companies do this a lot too... I just saw an Allstate ad that showed a family losing all their money due to a car accident because they didn't have Allstate insurance. None of these threats is a legitimate concern for consumers. There's nothing different about saying consumers have a security problem on their computers and need to buy software to fix it. "Buy our product or hackers will destroy your computer and steal your private data." It should be illegal to threaten consumers. Such commercial speech should not be protected by the First Amendment.

Re:You are trying to file a lawsuit. Cancel or All

[ameyer17]

Except the numbers seem to mostly back me up here.
Windows 2000 Professional: 182 Secunia advisories, 165 vulnerabilities. http://secunia.com/advisories/product/1/
Windows XP Professional: 219 Secunia advisories, 202 vulnerabilities. http://secunia.com/advisories/product/22/
Windows ME: 35 Secunia advisories, 21 vulnerabilities. http://secunia.com/advisories/product/14/
Windows XP Home: 199 Secunia advisories, 184 vulnerabilities. http://secunia.com/advisories/product/16/
I'd say it's too early to tell whether Vista has more holes than XP, but it certainly could. Currently, there are 40 Secunia advisories and 63 vulnerabilities.

Re:You are trying to file a lawsuit. Cancel or All

[Alpha830RulZ]

Except that you'd have to evaluate whether these are cumulative. Not saying they are, but does ME also have the holes that are shown for XP Home, but is simply not evaluated anymore? Does XP pro cure the ills of 2000 pro, and just have new, different holes?

I'm not any of this gets us anywhere, but I'm always suspicious of simple counts.

Re:You are trying to file a lawsuit. Cancel or All

"Your comment vaguely appeals to \. sentiment,"

There's a Slashdot equivalent for Windows fans?

Wrong party

being sued. Someone should sue M$ for selling such a shit OS that can't prevent this sort of stuff from happening in the first place. M$ should do the world a favor and get out of the software business. They clearly suck at it.