Schneier On Scareware Vendor Lawsuits

Bruce Schneier's blog says "This is good: Microsoft Corp. and the state of Washington this week filed lawsuits against a slew of 'scareware' purveyors, scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software. "

You are trying to file a lawsuit. Cancel or Allow?

[Hatta]

Microsoft is as big a culprit of this as anyone.

Microsoft is sueing themselves?

[El_Muerte_TDS]

scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software

Sounds a lot like an average Windows advertisement.

Unnecessary blog reference

[g051051]

Why does this even reference Bruce Schneier's blog? There's no added value from there. Why not just reference the original article?

Re:Unnecessary blog reference

[QuantumG]

Look at the name of the submitter.. this is blatant self promotion.

And, as is often the case, Schneier's blog doesn't add anything to the article either.

Re:Unnecessary blog reference

[nschubach]

Repeat after me: Ad revenue from hits/views.

Re:Unnecessary blog reference

[mcgrew]

Bruce Schneier has a lot more credibility in the security field than the Washington Post, the State of Washington, and Microsoft all put together.

Re:Unnecessary blog reference

[jimicus]

Bruce Schneier has a lot more credibility in the security field than the Washington Post, the State of Washington, and Microsoft all put together.

That doesn't mean much. My left arse cheek has a lot more credibility in the security field than the Washington Post, the State of Washington, and Microsoft all put together.

Re:Unnecessary blog reference

[LMacG]

Actually, Brian Krebs at the WaPo has a lot of credibility, and has been writing very good well-researched columns on computer security for as long as I've been reading that paper. What's your left arse cheek done lately?

What an awesome quote on his book cover

[DimmO]

http://www.schneier.com/images/book-sos-175w.jpg "The closest the security industry has to a rock star" Well, if that's the case, I'll believe anything he says then. I love rock and roll.

Re:What an awesome quote on his book cover

[Notquitecajun]

So put another dime in the jukebox, baby.

Scareware

[InspectorxGadget]

If Schneier wants to stop scaring people he should consider trimming his beard. That face-fro looks like it runs Crysis.

Re:Scareware

[Fred_A]

I don't know, add glasses and a crowbar and he could star in a videogame. Seems to me like the kind of guy you want talking about computing.

Re:Scareware

[Lobster+Quadrille]

Never!

I wouldn't trust a cryptographer without a beard.

Re:Scareware

[KGIII]

Hell. Now serving ice cubes.

Wasn't their a TV advert about this?

[MosesJones]

scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software

It was an Apple thing I think warning about some company who was pushing some "extra secure" version of its operating system which in fact gave you less performance and kept nagging at you the whole time. Yup I thought so.

Oh wait this is some OTHER companies who use security as a scare threat via nagging messages to get you to buy software.

FAKE security warnings, for Windows?

[wvmarle]

I'm truly impressed that people can come up with security warnings about Windows that are not true... after all, is there anything as insecure as Windows?

The only thing I think they may have a case with is of course the fake software, as in software that does not do what is advertised. And I'm not even thinking of Windows itself this time.

Re:FAKE security warnings, for Windows?

[sjwest]

If you run a linux os with a modern web browser, and you visit a site with the scareware it is mildly amusing to see that your registry is screwed up and the site looks like internet explorer in colour scheme but you can download an exe to fix.

Its happened twice to me, and i find them amusing.

Im quite sure this is how windows zombies get signed up, but my penguin knows better.

Re:FAKE security warnings, for Windows?

[MadJo]

Were those attack vectors directed at Linux or at packages running on Linux?
Apache != Linux
MySQL != Linux
etc

Re:FAKE security warnings, for Windows?

[gaderael]

...after all, is there anything as insecure as Windows?

Emo kids?

colors

[apodyopsis]

I'm confused, I don't use windows, but surely somebody could just change the desktop colors and then when a warning alert turned up in the old colors they would know it was a scam?

Is that too obvious?

Re:colors

[MBGMorden]

Too obvious for your normal user, yes. Your average geek isn't going to get fooled by these things anyways (heck with the way NoScript and my popup blockers are set I don't see them at all anyways). But to the guy who fumbles with the power button and whose eyes glaze over when you speak of "cut and paste", changing the window colors and then having the foresight to pickup on a different color showing up being bad, is way beyond their capabilities.

Re:colors

[_Sprocket_]

One of my insights doing a stint behind a helldesk was that some otherwise competent, intelligent people will disengage their thought process when sitting behind a keyboard. Sometimes I felt like psychiatrist - or at least what I suspect many of them do:

1. Listen to problem.
2. Restate problem as a question.
3. Confirm answer given by customer is correct.
4. Assure customer that while correct answer WAS somewhat obvious, we get it all the time and a lot of folks don't figure it out on their own. Add reassuring comment about their savvy in this situation.

Courts determining what's required for security?

[compumike]

The law referenced "makes it illegal to misrepresent the extent to which software is required for computer security or privacy." This is such a fishy thing that I'm not really sure if I want courts to determine what exactly is required and therefore whether it is being misrepresented.

Now, maybe there's a case for fraud if the program doesn't do what it purports to do in its advertising, but that doesn't seem to be what's at stake here.

There also might be a case for fraud if, perhaps, the advertising pop-ups are being confused for actual Windows messages. But I suppose in the "real world" advertisements mimic other things to be creative, but are still fairly obviously ads.

Just not sure I like the sound of a law that requires a judge or jury to determine what's required for computer security.

--
Hey code monkey... learn electronics! Powerful microcontroller kits for the digital generation.

Re:Courts determining what's required for security

[db32]

Sounds like it could be used for Microsoft to take a swing at all of the legitimate anti-virus/scumware/etc apps for advertising how critical their software is because Windows has so many problems.

all anti-virus companies

[Jessta]

"the law makes it illegal to misrepresent the extent to which software is required for computer security or privacy,and it provides actual damages or statutory damages of $100,000 per violation, whichever is greater."

lol, so all the anti-virus software companies(Norton, NOD32,VET etc) and anyone selling 'personal firewall software' is pretty much screwed.

More Government Regulation

[Jawn98685]

When will these ultra-liberal, extremist zealots realize that more regulation just doesn't work? It is no suprise to see that the term "worthless security software" should be bandied about by such out-of-touch elitist snobs. We all know that the free market should determine what is "worthless" and what is not. Why do socialist thugs like Microsoft and the Washington State Attorney General's Office get off, trying to bully patriotic, tax-paying, small computer security businesses this way?

Oh, it gets worse.

[RulerOf]

but surely somebody could just change the desktop colors...

It's worse than that, because it's even more obvious.

This is where the end-user epic fail really is:

Security Alert - Windows Internet Explorer

Or

Security Alert - Mozilla Firefox

End users have so trained themselves to not actually read dialogs that they simply can't tell something they've seen before from something they have not.

It doesn't take a genius to sit at a computer for hours, and hours, and hours on end, every day, at work and at home, to recognize that your "Security Alert - Windows Internet Explorer" causes the cursor to turn into a pointing finger, just like a hyperlinked picture does on the web.

It's the inability of people to grasp these kinds of subtleties, despite years upon years of on-hands experience, that makes security a nightmare and things like UAC such a necessity.... Of course, then we get back to the whole not reading dialogs bit.

Also, predatory software programmers really have culpability. [badanalogy] But to similarly say that it's not your fault you got mugged because you flashed $2000 in cash at 1:00 AM in a biker bar that you've been going to every night for drinks for the last 6 years makes you similarly sound like an idiot.[/badanalogy] Common sense has not much prevalence in the average end-user. Or mugging victim.

Re:Oh, it gets worse.

[RulerOf]

No.

I'm saying that if you're too ignorant to understand that you're asking for it because you feel it's not worth your time to learn anything from your hands-on experience, then it's your own damn fault that you put yourself in that situation. I never said there was anything right or just about crime.

It's about time

[jassa]

I'm glad someone is finally taking action against these malware scammers. I do tech support part time and 95% of my recent virus removal jobs have involved these nasty little programs.

Re:You are trying to file a lawsuit. Cancel or All

[tzhuge]

I'm actually not sure what you're trying to say... Your comment vaguely appeals to \. sentiment, but what exactly are you getting at? MS spreads FUD is somewhat off-topic...

Are you suggesting that MS scares users with security alerts into purchasing their software, which is legendary for being secure?

Re:You are trying to file a lawsuit. Cancel or All

[Hyppy]

An important update to your software is available! Please download and install "Windows Genuine Advantage" now!

Scaring consumers = basis of modern advertising

[kaltkalt]

Modern commercials rely on one of two things to sell a product or service. One, you will improve your chances of having sexual intercourse with a desireable mate if you purchase our product/service. Two, you are in danger and you need to purchase our product/service to be safe. Over the past couple of years the "scare" meme has turned into more of a direct threat. The best example is those horrible, evil free credit report dot com commercials, where they come out and say if you don't buy our product you'll lose all your money and have to work at a crappy seafood restaurant and drive a shit car (the fact that they're selling something is only to be discerned in the fine print at the bottom of the commercial and the last few words, quickly rattled off, at the end of the commercial). "Buy our product or be poor" is a threat. Auto insurance companies do this a lot too... I just saw an Allstate ad that showed a family losing all their money due to a car accident because they didn't have Allstate insurance. None of these threats is a legitimate concern for consumers. There's nothing different about saying consumers have a security problem on their computers and need to buy software to fix it. "Buy our product or hackers will destroy your computer and steal your private data." It should be illegal to threaten consumers. Such commercial speech should not be protected by the First Amendment.