McAfee's Website Full of Security Holes

Julie188 writes "The McAfee.com website is full of security mistakes that could lead to cross-site scripting and other attacks, researchers said in a post on the Full Disclosure site on Monday. The holes with the site were found by the YGN Ethical Hacker Group, and reported to McAfee on Feb. 10, YGN says, before they were publicly disclosed to the security/hacking mailing list. Embarrassing? Yes, especially given that the company aggressively markets its own McAfee Secure service that is supposed to assure consumers that McAfee has scanned a website and found it to be safe."

Your own dog food...

[Locke2005]

Eat it!

Re:Your own dog food...

[WrongSizeGlass]

So McAfee's website is as secure as MySQL.com? This intertubes thing just keeps getting better and better.

Re:Your own dog food...

[Mr.FreakyBig]

Where I work, its called Flying Our Own Jets (FOOJ). No, we don't make airplanes.

Re:Your own dog food...

[0racle]

They might.

Re:Your own dog food...

[InsertCleverUsername]

But they make really awful dog food. I can see why they'd avoid it.

Re:Your own dog food...

Where i work its called sucking on our own cocks.

Re:Your own dog food...

[PsyciatricHelp]

Which would be as secure as RSA.

Re:Your own dog food...

[johnsnails]

I thought it was called... eating your own dog food?

Re:Your own dog food...

[Belial6]

Do they offer training on that? They just might get people to pay them for the opportunity. Of course, one the training is over, they will never leave their home, so the you'll need to train a whole new batch.

Re:Your own dog food...

[grcumb]

Eat it!

This is McAfee we're talking about. You're looking at the wrong end of the dog.

Re:Your own dog food...

[mwvdlee]

I wonder what they call it in the porn industry.

Re:Your own dog food...

Can't afford it... do you know how much that shit costs?!

Nice

[mrbcs]

Yup, there's some excellent credibility for you. Now can we get Norton to fall on their swords too?

McAfee and Norton. Are these not the two worst software companies?

Re:Nice

McAfee and Norton. Are these not the two worst software companies?

This being /. , someone's bound to mention Microsoft any minute now...

Re:Nice

[cobrausn]

Well, you just did. Does that count?

Re:Nice

Yup, there's some excellent credibility for you. Now can we get Norton to fall on their swords too?

McAfee and Norton. Are these not the two worst software companies?

Mcafee was just in here hocking their IPS as being superior to the competition in EVERY way, you barely have to touch it once installed!

Re:Nice

mcafee hawks mcafee.

smart users hock mcafee.

Re:Nice

[ArsenneLupin]

Does that mean that this thread is officially over now?

Re:Nice

[cobrausn]

... No?

Re:Nice

Yes it it, you Nazi.

Re:Nice

[Desler]

The only thing worse are the people who code Slashdot.

Re:Nice

[mrbcs]

Why would anyone steal that shit?

Re:Nice

Sorry, but Apple is the new Microsoft. They have become far more draconian than MS even.

minor

[Lord+Ender]

These are all minor security problems... some of which are so minor one could debate whether they should even be classified as security problems at all. Really, this is much ado about little. Any big website will have things like this. Even security experts make mistakes, and most of the staff at McAfee, as with all other big companies, aren't security experts.

Re:minor

[sconeu]

most of the staff at McAfee, as with all other big companies, aren't security experts

But the thing about McAfee is that they *do* market themselves as "security experts". Therefore they should be held to a higher standard.

Re:minor

[$RANDOMLUSER]

But the thing about McAfee is that they *do* market themselves as "security experts". Therefore they should be ridiculed as the useless twats they always have been.

Much as I hate "FTFY" posts, I had to Fix That For You.

Re:minor

[Lord+Ender]

Show me where the people who manage McAfee's marketing web site are referred to as "security experts." I'll wait.

Re:minor

[sqlrob]

Close enough?

Re:minor

[flosofl]

You seem to have a lack of understanding of how enterprise IT/IS actually works. You seem to think people in the marketing dept actually admin the web services for the company? In most modern medium to large (to ginormous) companies, there is a group in IT that is specifically tasked with managing the company's web presence including servers and software. A security group determines policies and practices that the Web group must follow. That same security group vets the services *before* going live and continually monitors and scans the web site for vulnerabilities. Other than content (and perhaps being the "owner"), the Marketing dept is probably not involved at *any* level of the web site.

I actually work in network security, and have for quite a while. It's been like this at every major company (Int'l bank and F500 companies) I've worked for since at least 1998. They most definitely *should* have been aware of these issues. The fact that they tout themselves as a "major security vendor" means these should have been remediated as soon as possible.

Re:minor

[donaggie03]

Why are you so adamant to absolve McAfee of their own stupidity? If a car is advertised as the fastest car ever, then that's ok because their marketing department isn't full of mechanical engineers?

Re:minor

[timeOday]

But the thing about McAfee is that they *do* market themselves as "security experts". Therefore they should be held to a higher standard.

Go ahead and hold them to whatever standard you like. The fact is, computer security in general is completely unmanageable. ALL solutions fix a certain set of problems while not fixing (or creating) others.

Everything I have seen points to an inescapable conclusion: you cannot protect any network of significant size from intrusions and leaks. Nobody has accomplished it for any significant amount of time. Even openbsd can't do it, and that's on a "default install" which is 0.0001% of the problem faced by any real enterprise.

My point isn't to destroy the important distinction between better and worse - there are important distinctions. But that distinction is lost with the simplistic assertion that "McAfee should know better."

Re:minor

[HungryHobo]

If they were just another big company that would be fine but when they can't even secure themselves while they're selling the service of securing others it deserves all the ridicule that the people here can dish out.

I can understand other companies not considering security to be a number 1 concern, they've got other things to worry about but a security company has no such excuse.

Re:minor

[zonky]

XSS is *not* a minor security problem.

http://en.wikipedia.org/wiki/BeEF_(Browser_Exploitation_Framework)

http://en.wikipedia.org/wiki/Cross-site_scripting#Exploit_scenarios

Re:minor

[tnk1]

McAfee shouldn't be absolved of their mistakes, but those mistakes should be put into perspective.

If McAfee did happen to make an awesome vulnerability checker (okay, I'll wait while you stop laughing....), then the fact that they simply did not use it on their own site doesn't mean that the product fails, it means that they don't understand how failures in their public presentation can be damaging.

Of course, I don't know if the site checker fails, because I won't go near a McAfee product unless my workplace rams it down my throat (my current one does not). Nevertheless, as embarrassing as having site issues are... and they ARE embarrassing... it only proves that their web team does not know how to plug its holes. Even then, a number of the holes are relatively minor.

I agree that this represents what the police would call "probable cause" to turn a critical eye towards their products, but if you have a good reason to believe their product is right for you, it should not replace a more scientific evaluation. They may well still suit your needs. Or they might be a bunch of corporate monkeys. The important thing is that you did the intelligent thing even if they did not.

Re:minor

[MobileTatsu-NJG]

Why are you so adamant to absolve McAfee of their own stupidity? If a car is advertised as the fastest car ever, then that's ok because their marketing department isn't full of mechanical engineers?

Welllll if you'll indulge me while I play Devil's Advocate for a moment...

It's more like Starbucks claiming that they make the best coffee ever, then having it scientifically proven that their tea is terrible.

It is humourous, but unless I'm really mistaken about the products they offer (and since their site is down I accept the risk that I may be corrected on this), you cannot install McAfee on a weberver and expect it to tell you that a cross-scripting vulnerability exists.

Again, this is just me being Devil's Advocate.

Re:minor

They have software that scans websites specifically for the crap that made it to their production webserver.

Re:minor

[MobileTatsu-NJG]

Do you mean like a cross-site scripting exploit?

Re:minor

[mysidia]

These are all minor security problems... some of which are so minor one could debate whether they should even be classified as security problems at all.

You think source code disclosure and XSS are MINOR security problems? Really?

Re:minor

[Lord+Ender]

You seem to have a lack of understanding of...

That is a lie.

You seem to think [some lie you made up]

Citation needed. Can't back up your lies?

I actually work in network security

So do I. And because I work in a place larger than a popsicle stand, I know that minor security issues like this are par for the course in marketing material. I also know that security analysis is expensive. And to top it off, I know that organizations, even security organizations, don't do well if they waste money on minor issues that could go to fixing more important ones.

But you go ahead and enjoy bankrupting your popsicle stand by applying inappropriate levels of security control to everything...

Re:minor

[Lord+Ender]

A scan? Are you kidding? Scanning can prove the existence of security problems; it can never prove that none exist. This is like IT 101, kid.

Re:minor

[Lord+Ender]

Yes. Slashdot's source code is "disclosed." Do you call that a threat?

Is XSS minor? Yes, this particular variety is the minor end of the spectrum. There are far more serious problems which are very common with web apps (injection, authentication, etc.).

Re:minor

[mysidia]

Yes. Slashdot's source code is "disclosed." Do you call that a threat?

First of all, no it's not. Slashcode's source code is disclosed, because it is an open source project. And Slashdot has code in common, but they aren't 100% equal.

Second, that's intentional disclosure, meaning the code has probably been reviewed to ensure it doesn't contain anything sensitive. There's a big difference between what goes in an intended disclosure and accidental leak.

Is XSS minor? Yes, this particular variety is the minor end of the spectrum. There are far more serious problems which are very common with web apps (injection, authentication, etc.).

No. At minimal the XSS issue is Severe, possibly Critical, given the abuse potential.

Just because more serious problems are known does not mean that what you see is minor. That's like arguing an intruder can install a keylogger, grab your bank account numbers, and format your hard drive, so if they only manage to break in and capture your SSN, address, and some photos, or hijack your machines a while to launch a DDoS and send a few hundred thousand spam messages, you have a minor intrusion, (whatever the hell that means).

Re:minor

[Lord+Ender]

So some of slashdot's code is available. The same is true of McAfee's marketing website. Minor.

You call XSS in a marketing site 'critical.' I would love to know what you don't think is critical. I would bet real money that such a problem is nowhere near the high end of the spectrum of most companies' security threat profiles.

what is the deal with intel

[jcombel]

it seems to me that intel has their stuff together on most things (market domination, monopolistic practices, aggressive vendor bullying, and making decent chips once in a while)
 
i never cared for mcafee's products, but i thought about giving them another shot: if intel thinks it's worth money, maybe it is, right?
 
yet every time i hear the name it's something bad. it was just last year that the false-positive on svchost.exe took down hospitals, schools, and even a few thousand of intel's own PCs that were still running WinXP.
 
what is intel thinking, putting so much money into mcafee? what do they know that we don't?

Re:what is the deal with intel

Chip level anti virus and I'm sure it was easier for them to just straight purchase Mcafee which has a "good" platform to work with already, than start from scratch.

Re:what is the deal with intel

svchost is a generic process name that a lot of background tasks, some of which are malicious, run under.

Re:what is the deal with intel

you don't understand: mcaffe had false-positived svchost -itself-. thousands went down. quality control heyoooooooooooooooooooooooooooooo

Those holes have purpose...

[bogaboga]

Those 'holes' are intentionally left there. They are for demo purposes as McAfee needs to constantly improve their product. Trust me.

They learn a lot from what users good intentioned and bad do via their site.

Mod parent up!

[khasim]

McAfee markets products to scan websites. At least use them on your own site!

If the scans didn't turn up the vulnerabilities ... well it looks like you have a problem with your products.

Re:Mod parent up!

[BagOBones]

I created a post on this already (probably while you were posting this) they DO scan the site, and it is McAfee SECURE CERTIFIED. Shows what it is worth.

Re:Mod parent up!

[jackdub]

Quis custodiet ipsos custodes?

Re:Mod parent up!

[aix+tom]

I guess they are kinda like consultants in that regard. They can find problems pretty quick, but they have no idea how to fix them. ;-P

Re:Mod parent up!

Posting AC for obvious reasons...

At my former employer, I was in charge of managing the McAfee Secure scans (but not remediation) for all of our external sites. The maddening thing for me was that we got a ridiculously large amount of time to remediate any vulnerabilities before the Certified logo would show any issues (30 days comes to mind). Additionally, the scans only took place once per month. You could have a vulnerability out there for up to 60 days without ever getting addressed and everything shows up as fine and dandy, McAfee Secure Certified (tm). IMHO this is unacceptable and gives a false sense of security to the end-user. It also makes it damn hard to motivate the people in charge of patching and shoring up their piss-poor system admin practices to actually get off their damn asses and do something about it. A typical conversation after discovering a vulnerability went something like this:

Me: McAfee Secure found these problems. *Sends scan report*
Joe Sixpack SysAdmin: Meh, I've got a whole month before I need to remediate these issues, so it's not really a vulnerability yet. I'll wait until day 29 and a half to look at it, then freak out and point the finger back at you when I can't get it fixed in under 10 minutes.
Me: *facepalm*

Needless to say, when I see a McAfee Secure Certified logo on any site, I basically ignore it at best or altogether avoid the site at worst. It's a joke. Only less funny.

On the positive side, the scan reports are very pretty. A hell of a lot better than McAfee Vulnerability Manager's sh*t reports.

Re:Mod parent up!

[kyuubiunl]

McAfee secures on the " si fecisti nega! " Principle.

Re:Mod parent up!

[Locke2005]

Apparently so does Bart Simson: “I didn't do it, nobody saw me do it, there's no way you can prove anything!”

Re:Mod parent up!

[Locke2005]

Can't you just say "Who watches the watchers?" like a normal person?

Re:Mod parent up!

[kyuubiunl]

Maybe it was an homage to Terry Pratchett? (Night Watch, Commander Vimes)

Re:Mod parent up!

What good is all those expensive classes learning a dead language when you can't use said language to look like an arrogant dick on the internet?

Re:Mod parent up!

[grcumb]

Can't you just say "Who watches the watchers?" like a normal person?

Quid?

Re:Mod parent up!

[Bacon+Bits]

No, this is SlashDot.

Re:Mod parent up!

[mwvdlee]

Latine scribere quivis Google translate...
http://translate.google.nl/#en|la|who%20watches%20the%20watchmen

Re:Mod parent up!

[geoffaus]

I wouldnt trust McAfee anyway - they havent made good software in a long long time At the IT services company I work for their software is banned

Re:Mod parent up!

I'm also a former employee and posting as AC for anonymous reasons. Note that all but two of the vulnerabilities are from the download site. That site is comprised of a number of servers that exclusively host the DAT files and updates. Not the website itself. The download servers are also supported by a development team that don't know anything about web security so it doesn't suprise me in the least that their site is the one with the vast majority of issues.

Thing is, McAfee new about the vulnerabilities of these set of servers when I worked there around 3-4 years ago. I know, because I was in the room with other managers reviewing the scans. I strongly avocated in favor of fixing the vulnerabilities but the senior exec told me to focus on the website ones only and not to poke my nose into another team's servers.. Now maybe they fixed the vulnerabilities in the last three years and those fixes got rolled back or something. I don't know as I can only speak to when I was there.

But there's no excuse for a security company to have security vulnerabilities on ony of their servers. Or for a group of developers to be utterly ignorant of the OWASP top ten, even if said team doesn't normally create & support websites.

Where's the $

If anyone has followed IT for these years they've learned how to sell protection. But where's the money in not?

McAfee SECURE CERTIFIED

[BagOBones]

Don't worry, I checked and the site is McAfee SECURE CERTIFIED
https://www.mcafeesecure.com/RatingVerify?ref=www.mcafee.com

Re: McAfee SECURE CERTIFIED

[navyjeff]

Does that make it a tautology? "It's secure; we even checked it ourselves."

Re: McAfee SECURE CERTIFIED

[machine321]

They tried to teach them, but they couldn't be taut.

Re: McAfee SECURE CERTIFIED

Does that make it a tautology? "It's secure; we even checked it ourselves."

nope, that it is not a tautology... keep trying and maybe someday you manage to use the word properly

Re: McAfee SECURE CERTIFIED

[Americium]

More like McAfee infected. One time I got McAfee on my computer, no idea how it happened, but it interfered terribly and was probably one of the hardest things to get rid of.

Safety

What this suggests is even supposedly safe pages/sites aren't always. if you have script blockers in your browser, for example NoScript in Mozilla firefox
then revoke permissions for this and other sites that are reported as dangerous.

@Nice: Norton frequently fell on their own swords at a local level when I had it installed on my laptop.... iy didn't even recognise not to block its own programs from working/connecting online for updates. #fail

Stay tuned...

...for the ritual shooting of the messenger.

Vulnerable != Unsafe

[nuckfuts]

the company aggressively markets its own McAfee Secure service that is supposed to assure consumers that McAfee has scanned a website and found it to be safe

There is a difference between whether a website is vulnerable to attacks and whether it's unsafe to view. If I'm going to open a page in my browser, I care whether or not the page is fact dangerous to view at that point in time, not whether it could potentially be made dangerous.

This is not to say I don't give a damn about XSS vulnerabilities and the like. It's simply a different (albeit related) topic.

Re:Vulnerable != Unsafe

[BagOBones]

Part of getting the McAfee SECURE Certification IS passing a vulnerability check, they pass there own check, so clearly their check isn't that good.

"With McAfee SECURE for Websites, your site is scanned daily for thousands of hacker vulnerabilities. McAfee, the largest dedicated security company in the world, does this remotely, without any need for expensive or complicated hardware or software. Once certified to this high standard of security, McAfee SECURE customers showcase their safety status by displaying the McAfee SECURE trustmark."

Re:Vulnerable != Unsafe

I'd say that something is unsafe to the degree to which it is vulnerable. Minor vulnerabilities probably don't make for a relatively unsafe site, sure... however, to try to push the separation between vulnerability and safety seems to be akin to saying, "But the unstable volcano isn't erupting /right now/."

Re:Vulnerable != Unsafe

[LodCrappo]

"There is a difference between whether a website is vulnerable to attacks and whether it's unsafe to view. If I'm going to open a page in my browser, I care whether or not the page is fact dangerous to view at that point in time, not whether it could potentially be made dangerous."

Sort of like saying you're perfectly happy to drive over bridges that have a decent chance of collapsing, so long as they haven't collapsed at that time? Isn't the issue that a site which is perfectly safe to browse but vulnerable to attack can become unsafe to browse in an instant, just as the unsafe bridge works fine.. until it doesn't?

Re:Vulnerable != Unsafe

[nuckfuts]

Sort of like saying you're perfectly happy to drive over bridges that have a decent chance of collapsing, so long as they haven't collapsed at that time?

No, it's not like that at all. A bridge that has "a decent chance of collapsing" is unsafe.

Isn't the issue that a site which is perfectly safe to browse but vulnerable to attack can become unsafe to browse in an instant,

In the case of web browsing, my main concern is whether a page is safe at the instant I view it, not whether it might become unsafe at a later time.

... just as the unsafe bridge works fine.. until it doesn't?

Again, I'm drawing a distinction between unsafe and vulnerable. The "unsafe bridge" is unsafe - period. I do not want to cross it, even if it's still "working fine".

If you want a bridge analogy, think of it like this: A bridge has a removable metal pin underneath. If someone removes the pin, the bridge will collapse when you cross it. Ideally, there should be a padlock on the pin that prevents removal. The question becomes, is the bridge "unsafe" if the pin is in place but not locked?

Getting back to McAfee, does their security scanner purport to tell you if the pin is in place, or if the pin cannot be removed? Another commenter has shown that McAfee was making both claims, and have therefore failed their own test.

Re:Vulnerable != Unsafe

[LodCrappo]

Maybe it's just semantics. I'd consider most website vulnerabilities to be "unlocked pins" in your example. The reality is that unlike a bridge that has just fallen over, a website which has just been compromised is not easy to spot. I don't trust any tool to detect a compromised website instantly, therefore the potential for compromise seems the most reliable indicator of danger. As for whether McAfee does an acceptable job of any of this, I doubt it.

The old days of McAfee's "secure" FTP site

[Nimey]

Back about ten years ago, you used to be able to log into McAfee's FTP server and download their latest for-pay products. IIRC the username was something like "mcafee" and the password was "321". My former boss was a warez puppy and I gather this was commonly known on the scene.

Re:The old days of McAfee's "secure" FTP site

The username was "licensed", and to my knowledge, still works (though they no longer have all of their products there, just things like virus definitions)

Re:The old days of McAfee's "secure" FTP site

FYI: That was not a mistake.

Re:The old days of McAfee's "secure" FTP site

[Nimey]

What leads you to believe that?

Misdirection

[SuperKendall]

How do you know the McAfee home page is not one giant honeypot? After all they know hackers will be going after them. That's what I'd do if I were them...

Re:Misdirection

[Bobfrankly1]

and virtualization being what it is, they could suffer an attack, log all the data, and swap in an HA clone in a matter of seconds. With appropriate monitoring it would be automated.

Re:Misdirection

[stumblingblock]

and virtualization being what it is, they could suffer an attack, log all the data, and swap in an HA clone in a matter of seconds. With appropriate monitoring it would be automated.

does ANYBODY believe that? do you suppose that they suggest this to corporate customers?

Re:Misdirection

[hercubus]

How do you know the McAfee home page is not one giant honeypot? After all they know hackers will be going after them. That's what I'd do if I were them...

Never attribute to competence that which can be adequately explained by stupidity. [ Krugman's Razor ]

Re:Misdirection

[virgnarus]

I'm pretty confident that the McAfee home page is a honeypot luring in the unwary...

Re:Misdirection

[TheRedDuke]

Pfft. Why would you ever use a virtual machine for security when you make the FINEST security products in the world?

Re:Misdirection

[islon]

How do you know the McAfee home page is not one giant honeypot?

Because it tastes like shit...

Re:Misdirection

[Just+Some+Guy]

That's what I'd do if I were them...

No you wouldn't. If you truly became McAfee, you'd run around screaming "LINUX IS DANGEROUS WITHOUT ANTIVIRUS! WE SLOW YOUR COMPUTER SO YOU DON'T HAVE TO! I EAT PAINT!"

Which is still an improvement over what you'd do if you were Norton.

Re:Misdirection

[Bobfrankly1]

How do you know the McAfee home page is not one giant honeypot? After all they know hackers will be going after them. That's what I'd do if I were them...

Never attribute to competence that which can be adequately explained by stupidity. [ Krugman's Razor ]

And we all know what happens when you use someone else's razor...

Re:Misdirection

[ReedYoung]

How do you know the McAfee home page is not one giant honeypot? After all they know hackers will be going after them. That's what I'd do if I were them...

Never attribute to competence that which can be adequately explained by stupidity. [ Krugman's Razor ]

And we all know what happens when you use someone else's razor...

Depends on whom you use it.

Re:Misdirection

[ReedYoung]

I'm pretty confident that the McAfee home page is a honeypot luring in the unwary...

I wonder why you're so confident of that, but that story seems like good marketing.

Curious

[Bobfrankly1]

In hockey, the goaltender will intentionally "show" a spot as open, usually the five hole (the space between the legs). The player with the puck, seeing this, will often shoot for the five hole, only to have the prepared goalie close the five hole and stop the puck.

McAfee being what it is, could it be that they are "showing" these security holes in an attempt to goad the black hats into trying their latest tricks and toys on McAfee, who could in turn use that data to reenforce their protection software?

Re:Curious

lol..google "honey pot" or read above posts

Re:Curious

[Bobfrankly1]

lol, check the time stamps on those comments and compare to mine. We all posted at approximately the same time. Shame on me for taking extra time to re-read my comment and make minor edits.

The XSS FAQ

http://www.cgisecurity.com/xss-faq.html

They've been sloppy and lazy for years

[Twon]

About 5 years ago, I contributed to a paper that brought up a particularly brain-dead thing they did with the auto-update mechanism for their then-current consumer version of VirusScan:

http://www.usenix.org/events/hotsec06/tech/full_papers/bellissimo/bellissimo.pdf

Long story short -- their ActiveX control exported a wrapper around the Win32 ShellExecute API. What could possibly go wrong? The XSS thing in their help here seems to be of the same "do the simplest thing, damn the consequences" variety; it looks like they've tried to patch the XSS issue but it's pretty weak sauce. Hint to McAfee: Did you know most browsers will load "HTTP://example.com" as readily as "http://example.com"?

Re:They've been sloppy and lazy for years

This is because the consumer team wears clown shoes.

Most of the core tech is pretty good but the consumer team never met a technology they couldn't completely screw up. I worked for McAfee (not consumer, thankyouverymuch) for quite a stint, the Enterprise and Core teams are decent, largely located in Oregon and the UK, with some in India. The consumer guys are not located in the same sites and their work seems to indicate they have the IQ of monkeys.

Hopefully Intel will split the wheat and chaff.

Re:They've been sloppy and lazy for years

[Twon]

That fits my limited observations pretty much exactly. We looked at their enterprise stuff during the same project and were completely confused why the straightforward, correct stuff over there didn't make it into the consumer version.

Rather unsurprising!

[pyrr]

McAfee's business model has been "security through rendering your computer nearly inoperative" for over a decade now, anyway. Just wait until the website gets pwned and stops working, and it will have been successfully "protected".

I don't know about you...

[CCarrot]

...but I love the smell of irony in the morning...afternoon...whatever.

It kinda reminds me of that NOMEX factory that burned down...well, isn't that odd. I remember hearing about that at a safety meeting a couple of years ago, but now I can't find any links to post, none at all...was it all a dream? A deliciously ironic dream?

(I could only wish my dreams were more exciting than creating my own safety meetings in my head...*sigh*)

Umm.. hello?

[NitroWolf]

This is news? McAfee hasn't been secure or even any good at anti-virus since... like... the DOS days. If they ever were. Wern't they the ones who put out a DOS anti-virus kit? Or am I thinking of someone else? If it's someone else, then McAfee has always sucked.

Re:Umm.. hello?

mcafee, norton, and symantec all had dos antivirus (symantec bought norton in 1990 iirc).

Re:Umm.. hello?

So you posted your opinion on a product, then you tell us your opinion is based on something you don't know about.

Why'd you post again? God I love the internet.

Re:Umm.. hello?

[NitroWolf]

Well, take your pick:

1) I was making the point that McAfee hasn't been worth a shit since before the turn of the millienium OR they haven't ever been worth a shit.
2) Aggravating douchebags like yourself who aren't smart enough to figure out number 1.

Complete lack of concern for security

This doesn't surprise me in the least. The latest McAfee virus scanners run with very high privileges, but don't turn on such basic protections as NXCOMPAT (the no execute bit) and ASLR (Address Space Layout Randomization). These protections are very cheap to enable, and make vulnerabilities much harder to exploit.

No kidding

Not surprising since McAfee software is a joke, and so is Norton.

hubris

[godel_56]

Embarrassing? Yes, especially given that the company aggressively markets its own McAfee Secure service that is supposed to assure consumers that McAfee has scanned a website and found it to be safe.

HBGary, is that you?

How I live with it...

[dbcad7]

I'm not sure how you people live with this crap.. I get customers all the time whose prophylactic safety net has malfunctioned on them, leaving them without access to the web, or their email.. Yes, I guess not being able to surf and check your email is possibly the safest route for them anyway.. So now you got these dudes looking for problems that will make the next version of funware better, and more complicated, and prone to creating people who can't figure out how come they can't get to Facebook.. The whole security industry is a self perpetuating nightmare... So how do I live with it ? .. I live with it, but taking a chance that someday these hackers will waste their time on trying to make my unpopular OS the same living hell that the users of the popular OS's enjoy.. Someday, they'll get around to us.. but till we become "worth their time", I guess I just have to live with it.

SERVER NOT FOUND

Ahahahah Server not Found
That only took a few Hours ^_^

Good...

[CaptainDefragged]

...rot in hell McAfee.. after putting up with your crapware TPS at work all day.. f*ck you and f*ck your TPS garbage!

Hope they go bankrupt

[hesaigo999ca]

Sorry, with this last one I hope they go bankrupt....you should be held accountable for your actions, and when you say you are about security, and you do not do the work on your own website...i think it should bring their end. MHO