Software Security Suffers as Startups Lose Access To Google's Virus Data
Iain Thomson, writing for The Register: Security firms that use the Google-owned VirusTotal malware database but don't contribute to the silo are going to find themselves out on a limb. For the past 12 years, researchers have been feeding samples of software nasties into VirusTotal, allowing antivirus engines to check they can detect malicious code. But an increasing number of security startups have been using the VirusTotal data without giving back. Now Google and other contributors have had enough and have changed the terms and conditions of the website. Put simply, if you don't share samples, you can find your own malware elsewhere.
From a Reuters report: The policy change at the information-sharing pioneer VirusTotal takes aim mainly at a new generation of security companies, some with valuations of $1 billion or more, that haven't been contributing their analysis. Older companies, some with market valuations much smaller than the upstart rivals, had pressed for the shift. "If they no longer have access to VirusTotal, their detection scores will drop," said Andreas Marx, chief executive of security software evaluation firm AV-TEST. With detection rates down, hackers will find easier entry.
You cannot just consume and hope nobody cares that you don't give back.
Don't build your "startup" on other people's data/API/etc. unless you have a contract. They could change the terms tomorrow and then you're screwed.
... "If they no longer have access to VirusTotal, their detection scores will drop," said Andreas Marx, chief executive of security software evaluation firm AV-TEST. With detection rates down, hackers will find easier entry....
The people who use the products with the poorer detection rates should just switch to products that continue to provide good detection rates, and the hackers will then find entry to be more difficult.
If those a/v companies built a ~$1B business based upon the acquisition of free data for which they have no long-term contract to obtain, then those companies do not deserve to continue to be in business.
To put that much money at risk because the supply chain has not been properly vetted is not a good business practice.
Signature-based AV is already ineffective to the point of being useless. Trivial obfuscation techniques can and do fool every solution out there.
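The mechanics behind the claim above, as an added example that is not part of the comment or of any product mentioned on the page: a toy static scanner with two detection methods a feed like VirusTotal's would support, an exact-hash lookup and a byte-pattern signature match, run against a constructed sample and against two trivially obfuscated copies of it. The sample bytes, the signature names and the "decoder stub" layout are all invented for this example.

```python
import hashlib

# Constructed stand-in for a malware sample: a fake executable header followed
# by two distinctive byte patterns. Not a real file and not a real signature.
ORIGINAL_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12            # 16-byte fake header
    + b"DROPPER_MARKER_v1:"                 # string a signature would key on
    + b"\xde\xad\xbe\xef" * 4               # binary pattern a signature would key on
    + b"\x00" * 8
)

# Hypothetical static signatures, as a classic AV engine would carry them.
SIGNATURES = {
    "Hypothetical.Dropper.A": b"DROPPER_MARKER_v1:",
    "Hypothetical.Beef.Pattern": b"\xde\xad\xbe\xef" * 4,
}

HEADER_LEN = 16


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Exact-hash lookup: the kind of "have we seen this file before" check a
# shared sample database answers. Seeded with the original sample only.
KNOWN_BAD_HASHES = {sha256_hex(ORIGINAL_SAMPLE)}


def hash_lookup(data: bytes) -> bool:
    """True if the file's SHA-256 is already in the shared bad-hash set."""
    return sha256_hex(data) in KNOWN_BAD_HASHES


def scan_signatures(data: bytes) -> list:
    """Return the names of every byte-pattern signature present in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def obfuscate_append(sample: bytes) -> bytes:
    """Trivial change 1: append one byte. Content is untouched, hash changes."""
    return sample + b"\x00"


def obfuscate_xor(sample: bytes, key: int = 0x5A) -> bytes:
    """Trivial change 2: keep the header, store the key byte as a one-byte
    'decoder stub', and XOR-encode the body so no byte pattern survives."""
    header, body = sample[:HEADER_LEN], sample[HEADER_LEN:]
    return header + bytes([key]) + xor_bytes(body, key)


def deobfuscate_xor(blob: bytes) -> bytes:
    """What the runtime stub would do: read the key byte and decode the body."""
    header, key, body = blob[:HEADER_LEN], blob[HEADER_LEN], blob[HEADER_LEN + 1:]
    return header + xor_bytes(body, key)


def evaluate(sample: bytes) -> dict:
    """Run both detection methods over a file and report what each finds."""
    return {
        "hash_hit": hash_lookup(sample),
        "signatures": scan_signatures(sample),
    }


if __name__ == "__main__":
    for label, variant in [
        ("original", ORIGINAL_SAMPLE),
        ("append one byte", obfuscate_append(ORIGINAL_SAMPLE)),
        ("xor-encoded body", obfuscate_xor(ORIGINAL_SAMPLE)),
    ]:
        print(f"{label:18} -> {evaluate(variant)}")
```

Appending a single byte is enough to defeat the hash lookup while every pattern signature still fires; XOR-encoding the body with a one-byte key defeats both, and the sample decodes back to the original at runtime. A real scanner would also have to match the decoder stub or emulate it, which is exactly where signature maintenance cost comes from.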
Why should these new companies be allowed to continue to use VirusTotal without giving back anything? The companies that do contribute have a cost associated with doing so, but they ALL benefit by contributing in good faith to the same pool. No one is saying these new companies have to lose access, they just won't be allowed to continue leeching the work of others for their own profit. Sounds like the greedy ones are not the contributors...
I'd love to hear an "explain it to me like I was 5" accounting-focused explanation of how a business like Twitter manages to lose money and still pay the bills.
Conceptually it makes sense when a business has been around for some time and had profitable years and then has a year where they lose money -- they might have cash reserves or access to credit to make up the shortfall.
But a shorter-lived business like Twatter that's maybe never made a profit -- they don't have a savings account with reserves built up from previous years' profit because they've never had it.
How does that work? People are willing to loan them the money because of their high valuation? The corporation holds some of its own stock and sells it to provide cash? It's all funny accounting math, and their "losses" aren't actually negative cash balances but a bunch of accounting gobbledygook that "add up" to a loss, but they're actually slightly better than break even in cash flow?
One wonders though. Why was VT set up? Was it made open to make it possible for more and more security vendors to get good data in order to increase global security? If so, then the failure to give back is a problem, but as long as that data is used, the goal of the project is satisfied. More security.
What is happening is that there appears to be some who are able to leech. Well... to some degree, that is merely an extreme use case of what VT was intended for. Even if they don't give back, they are improving global detection of malware to the collective benefit of everyone.
As for the competition... here is my question. Why is it that these "old school" contributors don't have the billion dollar valuations? Clearly, they've been doing this longer and they have experience. I can understand why they wouldn't want to feed their competitors who aren't sharing with them, but if this had been meant to be a security cartel to begin with, the rules would have started that way. To me, it is clear that these leechers are better at something than the sharers, either technically, or in marketing, or whatever. Admittedly, they're hitching a free ride, but couldn't it be argued that VT was basically set up to encourage the growth of good detection and these companies are pushing that forward?
I'm not totally defending these leechers. Without contributions, the database isn't going to go anywhere, and if the leechers put the contributors out of business, then not only is there no reason to contribute, but the leeches will end up killing themselves by out-competing those who actually make it possible for them to detect viruses and malware.
So for all the reasons above, I agree that a common sense contribution policy or at least a subscription rate for the data should be implemented which could be used to compensate contributors and Google for their efforts.
However, rather than slam the leeches for leeching, I think leeches should be *encouraged* until it gets to the point where they no longer need the help to get off the ground, and then they should either contribute, or alternately, pay for their data. We want to get new companies off the ground to add global security capacity and expertise. We just don't want the leeches to be parasites who kill the host in the process.
Except that's a horrible comparison since, as I recall, Red Hat is actually one of the single largest contributors to the Linux kernel, etc.. They do give back, and dramatically so, they just *also* include a lot of "value added" software and support to make their distro more attractive than the competition. If you don't want to pay for the value added stuff, then I believe CentOS is still offering the core Red Hat distro sans "secret sauce".
--- Most topics have many sides worth arguing, allow me to take one opposite you.