25 posts categorized "anti-virus"

April 02, 2009

Just what the security industry needs

So we all woke up today and the world was still here. In fact the market is even up as I write this. So was all of this Conficker stuff much ado about nothing? Maybe, maybe not, but it has certainly captured the imagination of the mainstream media and the public. More importantly it has given the security industry a much needed shot in the arm. I have not seen such buzz and working together in a long time. Kudos to Dan Kaminsky and my friend Rich Mogull for facilitating a lot of that.

A good old-fashioned worm is just what NAC was designed to stop. This could turn out to be a really big boost for NAC vendors. Alas it may come too late for some. I heard yesterday about yet another round of RIFs at a NAC vendor based up in the Northeast.

Here is a roundup of some other security industry – Conficker news:

1. eEye back to their old ways – Remember when eEye would always release a free scan for whatever the fear du jour was? I haven’t seen them do that in years. But they released a free test for Conficker yesterday. I wonder how many people will download it. Ross Brown used to tell us, not sure if we will find out now, but it was nostalgic to see.

2. McAfee fails the Conficker test. Good blog on ZDNet by Ed Bott on what McAfee did wrong with Conficker. I don’t see where their NAC can do anything about it.

3. Bill Brenner applauds the industry. Bill has a good article up on CIO Online commending the whole industry for not overreacting to Conficker and acting reasonably for a change.

In other news:

4. Symantec dealing with its own security incident. Oh the irony! What does it say when your security company loses the credit card numbers? Tsk, tsk.

5. Please tell me you're just stupid. This article in the SDTimes by David N. Kleidermacher asks whether the lack of more securely coded apps and OSes, and of better security practices, is the result of apathy or ignorance. Probably a little of both. But I think most of it comes down to coin operation. Put the incentives in place and people will do things more securely.

That's it for now, have a great day!

December 03, 2008

Apple puts ego ahead of security

I read all of the blogs a-twitter the other day about Apple finally advising Mac users that they should use some anti-virus/malware product.  I thought it was a long time coming, but was glad Apple finally put the security of their users ahead of their marketing spin.  With the Mac gaining market share it is only reasonable that the threat of malware designed to exploit Macs would be greater.  In much the same way that Windows is a victim of its own success, the more people that use Macs, the bigger the prize for malware authors.  It has nothing to do with which is more secure or not.  Every OS is going to have holes that smart hackers can exploit.  Not having any anti-malware defenses in place is just arrogant.

So I was chagrined to read Preston Gralla's story in ComputerWorld today that Apple had pulled the knowledge base article that recommended Mac users install AV.  Though the Apple marketing guy seems to have given some sort of tacit recognition to using AV software, it is clear that Apple is still not comfortable and up front about the potential of Mac targeted attacks. 

I really think it is a case of their marketing ego being placed ahead of the security of their users. If their market share is going to continue to grow, the likelihood  of a Mac attack grows as well. I guess we will have to wait until the first bad one before Apple comes clean with their customers.

 

Note: Adam O'Donnell has a good article on this today at ZDNet here


October 15, 2008

So what exactly does this mean?

". . . and Cisco NAC support is extended to cover all NAC versions, protecting the network from infected guest hosts." Beats the heck out of me.  It is in the last line of F-Secure's press release about their new endpoint agent/suite (when did we get to the point that an agent and a suite are interchangeable anyhow?).  It comes right before the "about F-Secure" paragraph. Is it the proverbial catch all? Do they really support all NAC versions? All versions of Cisco NAC? How? Did they just want to hit all of the buzzwords?  They were sure to mention my boy Hoff's new buzzword, "the cloud". But show me an AV vendor who isn't checking the cloud these days.  The cloud is the new black.

Guys, if you are going to mention something you do in your press release, at least explain it so people know what you are talking about. Also, why be the 15th AV vendor to announce what you do in the cloud and make it like you're unique? Why not just say, "we are doing what everyone else is doing"? Of course you could say you did it first, you do it better, yours is bigger or faster, etc. Hey, I guess size does matter. But talk about me-too releases, come on.

October 04, 2008

Do we need AV solutions in 2008? It's like the Measles

One of the European members of the Security Bloggers Network is Kai Roer. Kai asks in his blog "Do we really need Anti-virus in 2008". Kai says that it has been some time since we have had a good old fashioned virus outbreak like a Blaster. He also says,

Have the virus authors started to write smaller virus that stays below the radar - and thus are not detected by the AV-products? Are they now only targeting special targets - like particular banks, SCADA or singled out corporations? Or countries and causes? Or are they too busy writing malware to care about virus?

My answer is a resounding yes! Of course we still need AV. But we don't need the AV of 2001, we need the AV of 2008 and beyond. To me this argument of whether or not we need AV is like the recent controversy we had about whether we should continue to vaccinate children against many childhood diseases. As soon as the vaccinations stopped, the diseases came back. The same is true with AV. There are still plenty of older virus attacks out there that would infect our machines and networks pretty quickly without AV. Also, without AV how long would it be until malware writers found that it was easy again to get a Blaster type of virus or worm going? It would be just a matter of time.

Finally, let's not forget that today's AV products are combined with anti-spyware and anti-malware products to form harder lines of defense than we have had in the past. Abandoning them now would be like spinning down the armed forces after the war is over. It just makes you unprepared for the next one. When it comes to viruses, ever vigilant has to be a way of life!

July 15, 2008

Symantec poisons the channel

For a long time Symantec has enjoyed a great reputation as the VAR's best friend. They were the ultimate channel-friendly company with a large and deep channel. As a result there is always a Symantec channel partner near almost every customer. In a case of biting the hand that feeds it, this may be changing. According to this article in Channel Web, Symantec is taking its largest 900 customers direct and moving all SMB renewals direct as well.

The renewal business is viewed as a built-in annuity by many VARs and losing these follow-on deals is not going to sit well. Also by taking the largest 900 customers direct they are taking the top end or largest deals out of the channel. The channel market is way too sensitive for this type of thing to happen without repercussions taking place. It just remains to be seen what they will be, but they will come.

June 21, 2008

Everybody wants to jump on the Green bandwagon

These days everyone wants to be seen as green. Larry Seltzer over on PC Mag has an interesting story from McAfee Avert Labs that using anti-virus on your computer is green. The reasoning goes that by keeping your computer free of malware, your CPU usage stays lower, thereby using less energy and lowering your carbon footprint. OK, I get it. My question is what about all of the extra CPU cycles that some of the bloated endpoint security suites use on all of these machines they are installed on. I would bet that they far outweigh any energy savings from clean machines.

I guess in place of wrapping yourself in the flag, the thing to do now is wrap yourself in the green thing. How long will it be until some company hires Al Gore to hawk their technology? In the meantime I would beware of Jolly Green Giants.

January 31, 2008

Further reflections on Trend, Barracuda and open source

Over the last day I have had more of a chance to think on the Trend Micro-Barracuda patent war.  I have also done some more research and reading on this one.  In my earlier article I said that this is not about open source so much as it is about gateway anti-virus.  Upon further reflection though I am not as sure.  Here are some other facts to consider:

1. ClamAV may have as many as 1 million users downloading updates daily. This makes them at least a potentially formidable competitor to Trend. One that I am sure Trend would like to see go away because they can't compete with them on price.
2. Going after individual users of Clam would be like herding cats.  There is no way you can hit them all.  At best you may get a few high profile cases.
3. Barracuda has deep pockets. Instead of herding cats go after one fat cat who has deep pockets to pay you the kind of money you want and send a message to the rest of the cats that they could be next, so either use another AV (like Trend for instance) or pony up some fee for patent use. 

In fact the above scenario is not terribly different than the recording industry going after Napster. It was easy to go after one relatively fat cat, rather than herding and chasing a bunch of smaller cats. In fact the recording industry has given themselves something of a black eye by going after poor grandmothers and children for illegal downloads. I think Trend tries to avoid the same type of black eye by saying this is not about open source but just AV. It is about open source. They just don't want to be perceived as going after open source and don't want to chase the small fry. But do they want ClamAV as a competitor? Probably not.

4. Trend's decision to pursue this in the ITC seems abusive.  Barracuda does not import the ClamAV software. It is downloaded from servers here in the US. The servers are assembled here in the US as well.  This case does not belong in the ITC and should be thrown out of there. It may have served Trend well with Fortinet who was importing their products into the US, but it is the wrong venue for this suit.

All that being said, I think that this more than ever still demands that Sourcefire as the owners of ClamAV step up to the plate here. If I was a paying customer of Sourcefire for Clam and was subject to a patent infringement case, I would expect them to defend.  I think the fact that Barracuda does not pay them today evidently for the use of Clam is not reason enough to let Barracuda take the brunt of this battle on.

Also looking at the proof gathered, I think there is a better than even chance that this patent will be thrown out. If so Barracuda will have done the open source community and the gateway AV industry a huge service.

January 29, 2008

It seems the cavalry was held up at the Little Bighorn, oh well

Just a little while ago I wrote about the Trend Micro - Barracuda Networks legal tussle where Barracuda is accusing Trend of patent trolling with its controversial patent '600. I asked why Trend didn't go after the big boys. I wanted to know where the cavalry was, coming to the rescue here and not leaving Barracuda to fight this fight alone. Well, it takes a big man to admit he did not know all there was to know on the subject. As several folks pointed out to me, Trend has in fact sued both McAfee and Symantec over this very same patent. Though I have not been able to find anything that points to the outcome of this suit, it makes the most sense that probably there was a quiet cross-licensing deal worked out with some cash changing hands. Symantec and McAfee were not the only ones to be sued either. According to this article, Fortinet actually had a disruption in its distribution as a result of an ITC investigation instigated by Trend (the same tactic they are using here), and then totally redid their AV module to avoid any technology that could be deemed to violate the patent in question. This article claims that several companies have been sued in the past and have settled out of court, despite never admitting to the validity of the patent.

I guess that means that Trend must be working out reasonable terms with these companies and begs the question, why didn't Barracuda take a deal?  Dean Drako claims he was never able to speak to someone to work out a deal, but who knows at this point. What does seem clear is that Barracuda has done some real research in trying to have this patent overturned.  If Dean and Barracuda are successful in doing so, more power to them and another blow struck against silly patents. 

Now what about the rest of the cavalry? It still seems to me that this is too important an issue for Sourcefire, who owns Clam, to be sitting on the sidelines. I am still waiting for them to join the fray, or has Trend already scalped them too?

Barracuda defends open source AV from Trend, where is the cavalry?

For those who don't know, Barracuda is involved in a wicked patent fight with Trend Micro over the use of Clam AV gateway anti-virus. It seems that, under a 1995 patent issued to Trend Micro, they claim that virtually all gateway AV that removes viruses as they move through SMTP or FTP proxy servers is covered under this patent. Barracuda uses the popular, open source Clam AV product in their appliances and Trend says their use violates the patent. Evidently this little tiff has been going on for some time, with Trend filing a complaint with the US International Trade Commission in addition to the conventional lawsuits. Trend also claims that their position here is well established and several previous suits and claims have been upheld, including a settlement with Fortinet (does Fortinet use Clam AV too?).

My position is that this is a perfect case of why so much of this patent stuff is just full of beans. How can Trend have a patent on gateway AV? If they do, why are they wasting time piddling around with the likes of Barracuda? Why don't they go after the big boys like Symantec or McAfee? Something tells me there is a reason why Trend does not. Either they are not as confident in their claim as they make out to be or Symantec and McAfee know something that the rest of us don't. Maybe they have proof of prior use before the patent was filed.

Many in the open source community including Richard Stallman (no surprise there) and Eben Moglen of the Software Freedom Law Center have joined in to support Barracuda in this legal battle. Barracuda is in fact very much painting this as an attack on open source and looking to the community for support. Trend for their part says that this is not about open source or even Clam AV, it is about filtering viruses pursuant to the techniques they patented. Again, my view is I don't think Barracuda is doing anything different than other ClamAV users. Though Trend's claims may go to all gateway AVs, clearly this is about Barracuda using Clam and about Clam.

So here is my question: Why haven't we heard from the owners of ClamAV? Sourcefire bought them in August I thought. This could affect them as much as anyone. They are big supporters of open source and as a public company can bring resources to bear on this. Why have Marty, Wayne and gang been silent on this? I would think they should be leading the charge here and standing up for their product. Leaving Dean Drako and Barracuda to fight this fight on behalf of the Clam community is not fair and also could have repercussions down the road to Sourcefire without them being involved. Is it that Barracuda is not paying for their use of Clam? I don't know what the answer is but it will be interesting how this plays out.

November 19, 2007

Microsoft is going to have to do better than this if they want my security dollars - wait they did!

Blogging this while waiting on the phone for a Microsoft Live One Care technical support person. I have been on the phone for about 25 minutes, oops someone just picked up, hold on. OK I am back. The friendly Microsoft technical person, David, has me on hold while he researches my problem. He doesn't sound like a Dave though. I know that outsourced call centers like to have their people use Western sounding names to make us more comfortable, but frankly I always feel like I am talking to some dancer at a strip club who tells me her name is Kitty or something. I would prefer they use their real name. I am a big boy and can deal with it.

Anyway, back to the story. I had installed (and paid for) OneCare on Bonnie's computer a while back. For the most part it has been fine, but frankly Bonnie doesn't get into many high risk activities online. I knew I was in trouble though a while back when I asked my youngest son Bradley (5 at the time) what he was doing on the computer and he told me he was "Googling". Then just a few weeks ago, my oldest son Landon told me about this cool 3-D screen saver of fishes he can get for free. I knew we were headed for trouble.

Anyway tonight I noticed the little green OneCare icon was no longer in the tray. My security center was in the red with firewall and AV off. When I manually tried to start OneCare I got an error message that said to restart the machine. I did that, same problem. Then I uninstalled OneCare (another reboot) and installed it again. Same problem. When I tried to start the service I get another error message. So I log onto the OneCare help site and follow the automated FAQ, useless. I then try to do a live chat with support after figuring out how to log in to my account (they don't make it obvious). The chat asks to run a diagnostic to help which takes another 10 minutes. Then the chat client loads only half way and freezes. Back to go, don't collect the 200 bucks!

Now I log back into help and pick 24 hour phone support. Same diagnostic gathering takes another 10 to 15 minutes and they give me a phone number and case number. For 25 minutes I am on the phone on hold and finally Kitty, I mean Dave, gets on to help. Dave tells me he is going to log into my computer (BTW I find out Dave's name is Jesus, I would have been fine with that). He logs in with my permission and after 3 or 4 or 5 reboots and checking he confirms it was a corrupted file that he had to reinstall, which he did. Bada bing, bada boom, we are all fixed and good to go. We then rechecked everything and it's all good. While we are on the phone I talk him into downloading Cobia and playing with it, hey ABC (always be closing).

So while the whole thing took over an hour and a half, Dave from Manila did a heck of a job. What started out as bitch rant about Microsoft's OneCare support doesn't end that way and as they say in Manila we have a "happy ending". Now let's hope it keeps the computer protected from the next thing my kids play with!


disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.
