
Archive for the ‘Marketing’ Category

Adobe Reader Malware and Scareware Headlines

December 8th, 2011 2 comments

[NOTE: See Peter from Intego’s comments below. I am electing only to respond to his correct observation that I’d conflated two security issues in this post and amend the post accordingly to address the valid elements of his critique. See prior comment thread here: http://blog.jonalper.com/2011/intego-untrustworthy/ for why I feel it both important to make the corrections Peter’s comment demands and that I not engage in discussion with him about the remaining content of this piece. Note that the updates below continue to reveal my original error alongside the corrections marked between [UPDATED] and [/UPDATED].]

When you sell ‘security products’ you have a responsibility to exercise an over-abundance of caution in how you communicate with your customers and potential customers. Failing to do this makes you part of the problem and, again, I think Intego is falling far short of that standard.

The issue, as I see it, this time starts with the headline “New Version of DevilRobber Trojan Found In Three Mac Apps” of yesterday’s Mac Security Blog.

The headline implies you might find this nasty malware and be in jeopardy in software you’re likely to be using today. The headline implies typical Mac users are at present risk without an anti-virus application.

Au contraire mon frère, you’re not. As of now, you’ll only find yourself infected with DevilRobber.D if you use BitTorrent to try and pirate software.

Deeper still, the unwritten message, “you need our product to protect yourself”, is just not true in this case. To be fair to Intego, this implication is a ‘sin of omission’ rather than an overt misdirection but, as I keep trying to say, I think the core problem is Intego falling short of a very high standard of communication and behavior that I believe comes with selling ‘security’ products.

Why do I pick on Intego? Aren’t all of these antivirus companies basically a protection racket? Well, it’s pretty simple. Intego is a Mac shop and, having met and chatted with several Intego team members, I think they’re basically good people and they ought to do better. I expect this silliness from the “My super zippy PC TV ad” companies. I don’t expect this from a “Mac Company”.

Here are four simple truths Intego’s article either only indirectly addresses or completely ignores.

1) They found an ‘in the wild’ exploit on a BitTorrent tracker of pirate copies of three Mac titles.
2) Mac users who don’t use BitTorrent to pirate their software are, so far, immune as far as we know.
[UPDATED Points three and four below are not relevant due to my error pointed out by Peter in the comments]
3) Mac users who use Preview to read PDFs rather than Adobe Reader are immune.
4) Mac users who use Adobe Reader can configure Adobe Reader to block the attack with a preferences setting now.
[/UPDATED]

Worst of all, from a marketing perspective, (the likely motivation for the misleading headline and, indeed, the whole point of their blog) Intego don’t even seem to give themselves full credit for the fact that they already blocked it with existing virus definitions.

Here’s the same post re-written by me as if I worked for Intego:

New Variant of DevilRobber Trojan found in altered MacOS apps distributed via BitTorrent

Intego’s malware researchers have found a new variant of the DevilRobber Trojan horse, which they first discovered in October. The latest variant – DevilRobber.D (there have been two others in between) – has been spotted in three deliberately altered Mac applications (Writer’s Café, EvoCam and Twitterrific) distributed via BitTorrent trackers.

The original developers’ distributions are not infected. (The files you can download directly from the developers’ sites are clean.) The malware has only been found in altered files distributed via BitTorrent trackers. If you use these applications, and have purchased them from the developers, you do not have infected copies of these applications.

[UPDATED *** As Peter from Intego correctly pointed out in the comments, I foolishly conflated the DevilRobber Trojan with another security issue with trojans distributed via PDF and exploits of the Adobe security flaw in Reader. The links below relate to the PDF issue and *NOT* to DevilRobber]
For more information about this exploit please see:
Adobe’s Security Bulletin: http://www.adobe.com/support/security/advisories/apsa11-04.html
Topher Kessler’s article for C|Net’s MacFixit: http://reviews.cnet.com/8301-13727_7-57338524-263/security-threat-in-reader-and-acrobat-poses-threat-to-macs/
[/UPDATED]

For more information about this exploit please see:
http://www.thesecurityblog.com/2011/12/devilrobber-gets-an-updated-version/

http://nakedsecurity.sophos.com/2011/10/29/devilrobber-mac-os-x-trojan-horse-spies-on-you-uses-gpu-for-bitcoin-mining/

VirusBarrier X6 definitions addressing the previous versions of the DevilRobber Trojan successfully blocked this new variant (and two others) but we have updated our definitions to specifically block this new version as well.
-30-

If the headline is too long or insufficiently sensational for your marketing guys to sign off on, split it up: New Variant of Mac DevilRobber Trojan Found and then lead the article with “Three Mac Apps altered to payload the Trojan have been found on a BitTorrent Tracker”.

My prior rant re: Intego’s behavior is here: http://blog.jonalper.com/2011/intego-untrustworthy/

[UPDATED Due to my conflation of DevilRobber with the Adobe Reader vulnerability and this story: http://www.thesecurityblog.com/2011/10/mac-trojan-posing-as-a-pdf-file/ the irony is far less thick in this post but PLENTY thick if you look at that link.] (The irony that that last rant addressed a behavior that socialized users to trust a file described and badged as a PDF that was really an application and that now we’re seeing an actual PDF Trojan is not lost on this writer.) [/UPDATED]

Here’s the deal. If you sell security products, I think you have to:

– Tell the truth about the level of risk.
– Tell the truth about what your product can do to protect from specific attacks.
– Tell the truth about what alternative measures users can take to mitigate risk.
– Fall all over yourself to protect the reputations of legitimate developers unless and until they distribute infected files or ship software that creates an attack vector.
– Be ‘low key’ about how you characterize risks so users can be confident in the maturity of your products and your business practices so they either buy your products (good for you and your customers) or follow good practices to reduce their risks even without your products (good for everybody).

[UPDATED Again, due to Peter from Intego pointing out my conflation of two issues, this is not relevant to the post though still true.] As a final note, yeah, it sure seems like Flash and Acrobat are getting exploited pretty regularly lately. Maybe not leaving these plug-ins enabled in our browsers would be a good idea. [/UPDATED]

– Jon


Why YouTube’s ‘adoption’ of CC licensing is self serving Bull$#!^

June 3rd, 2011 No comments

YouTube, for those who haven’t noticed, is a Google owned and operated service wherein users can upload and share video and Google can sell advertising against it.

Now, beyond the obvious problems wherein Google can’t (and shouldn’t actually be forced to) police the uploaded content to ensure the rights exist for the user to upload it, the core issue is Google makes money off the ads and the content creators don’t.

(Yes there are limited ways a content creator can make some ad revenue by embedding the YouTube hosted video in their own page and other methods but YouTube’s purpose is to get ad impressions for Google, not the content creator. Arguing about the option to embed etc. is arguing a distinction without a difference. People who want their video to be seen as a YouTube Phenom will give up all or most of the financial benefit of ad impressions. Period.)

For essentially all cases Google is the collector and reporter of the usage data. Google chooses the ‘relevant’ advertisers. Google makes the money.

So, now, in an act of empty magnanimity, Google is enabling users to flag the content users upload as licensed under ‘Creative Commons’ but only under this specific license: Attribution 3.0 Unported (CC BY 3.0), which I’ll summarize as: Share it, change it, adapt it, remix it, do as you please commercial or not as long as you give the source(s) credit.

If you’re a creator and you see content an uploader has flagged CC on YouTube, don’t be silly and assume you’re indemnified from liability if you intercut that content with other things and try to sell it. I’m not a lawyer and I don’t play one on TV (though I have been a technical consultant to a few on these kinds of issues) but indemnified means you can’t be sued because the other guy, the uploader, will take the heat. They won’t.

If you mash up Happy Birthday and Steamboat Willie with some Casey Kasem Dialog intercut with U2 concert footage and a dollop of George Harrison’s My Sweet Lord I think you should expect to be in some deep yogurt lawsuit-wise.

Beyond that, though, is the simple fact that not only is Google going to sell ads against your original or remixed work but the second you click that button you are giving Google and anyone else the right to sell it, rent it, bend, fold, spindle or mutilate your work for money and money you’ll never get any of.

Now, I am a huge fan of freely sharing my creative work but I think any reasonable person would say I have the right to set conditions for how what I choose to share is used. Conditions like “use this however you like except to resell it (or usage of it) to make money if I don’t get a piece of the action”.

Several Creative Commons licenses actually help ensure this (and other things) but Google chose the one that requires the creator/remixer to give up the most rights.

There’s a reason most creators choose other more restrictive CC licenses. They either want to get paid if anyone else does or they want to insist that their contributions to the world are matched and equally shared by others. And you can even expect this mutual sharing and still let everyone be free to make money: http://www.gnu.org/copyleft/copyleft.html There’s a company listed on the NASDAQ doing a VERY nice job of just that: and even cooler is the NYSE actually runs the exchange on this ‘free’ product.

So, as I have said countless times before….

Want to watch great cat videos? Enjoy YouTube!

Want to watch pirated content with a thin veneer of protection because it’s not Limewire? Look for it on YouTube before it’s taken down. Enjoy YouTube!

If you make actual content. Material with intrinsic value? Put up a trailer on YouTube if you must but host the actual content yourself and sell your own ads against it.

Needless to say, I disagree with Janko Roettgers’ impressions of Google’s CC support as written in GigaOM.

Google’s implementation of Creative Commons licensing is entirely self serving. You decide if that’s OK with you. Meanwhile, remember, if you do have the rights to what you upload, you can still put a title card in the video and a copyright notice with any license terms you like. Heck, you could even have a license that says “Use of this video is conditional on your agreement to switch to Bing as your default search engine.” It’d probably be legal if unenforceable and it sure would be funny. The CC feature Google’s implemented is only meaningful to users if they use the YouTube Video Editor and that, well let’s say iMovie’s better and leave it at that for now…

 


Offsetting Trackback spam

April 8th, 2011 No comments

One of the most common forms of comment spam I get is robot generated trackbacks. The two most common, and we’re talking hundreds of them, are trackbacks intended to benefit SEO ‘consultants’ and sell Yankee Candle Company candles.

I’d like to suggest that when your product is tackily packaged, comprised of more air than substance, and exudes a potent odor that befouls the atmosphere even for adjacent businesses, no amount of fleetingly improved Google rank can help.

Oh, and I don’t much like being in the malodorous wing of a Mall near a Yankee Candle Company shop either.

 
