<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/">
<channel>
<title>Techdirt. Stories about &quot;symantec&quot;</title>
<description>Easily digestible tech news...</description>
<link>http://www.techdirt.com/</link>
<language>en-us</language>
<image><title>Techdirt. Stories about &quot;symantec&quot;</title><url>http://www.techdirt.com/images/td-88x31.gif</url><link>http://www.techdirt.com/</link></image>
<item>
<pubDate>Thu, 2 Aug 2012 12:53:25 PDT</pubDate>
<title>The Stats Used To Support Cybercrime 'Threats' Just As Bogus As Hollywood's 'Loss' Claims</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20120802/02474519915/stats-used-to-support-cybercrime-threats-just-as-bogus-as-hollywoods-loss-claims.shtml</link>
<guid>http://www.techdirt.com/articles/20120802/02474519915/stats-used-to-support-cybercrime-threats-just-as-bogus-as-hollywoods-loss-claims.shtml</guid>
<description><![CDATA[ While the latest attempt to pass a cybersecurity bill may be <a href="http://www.techdirt.com/articles/20120802/10251419917/cybersecurity-act-rejected-senate.shtml">on ice</a> for now, it'll be back... and with it there will be a lot more hyperbole about how urgent this is because of various massive "losses" already happening due to cybersecurity problems.  Of course, nearly all of the numbers and claims you hear will be 100% bogus.
<br /><br />
For years, we've highlighted stories about how the claims of "losses" from the entertainment industry due to infringement are <a href="http://www.techdirt.com/articles/20120104/04545217274/cato-institute-digs-into-mpaas-own-research-to-show-that-sopa-wouldnt-save-single-net-job.shtml">completely fictitious</a>.  In the past, we've seen Julian Sanchez <a href="http://www.techdirt.com/articles/20100801/17431810439.shtml">go on a hunt</a> to find the origin of some of the numbers being thrown around, and come up with evidence that they're based on nothing.  For example, claims of $200 billion in losses due to counterfeiting... came from a 1993 Forbes article that just makes that claim with no citation and no backing info.  But it became gospel among those arguing there was a problem.
<br /><br />
With Congress and the President continuing to insist that we need a cybersecurity bill, politicians have been tossing around all sorts of questionable numbers.  Just a few weeks ago, we noted that General Keith Alexander, the head of the NSA, had tossed out some numbers and claimed that cybersecurity was the <a href="http://www.techdirt.com/articles/20120711/01291419657/nsa-chief-says-nsa-doesnt-need-access-to-your-info-as-whistleblowers-say-theyre-already-getting-it.shtml">"greatest transfer of wealth in history."</a>  Considering that we're living through the aftermath of a financial meltdown that involved a <i>massive</i> transfer of wealth, I find the original claim difficult to believe.  Plus, as we noted, he seemed to only cite studies from McAfee and Symantec, two companies who have a massive vested interest in keeping the cybersecurity FUD going, because it helps them sell stuff.
<br /><br />
Thankfully, the folks over at Pro Publica decided to take a much closer look at the numbers politicians are relying on in support of the massive "harm" that is already being caused by online security issues... and discovered that <a href="http://www.wired.com/threatlevel/2012/08/cybercrime-trillion/all/" target="_blank">the numbers are completely and totally bogus</a>.  In fact, the full story (which is fascinating) parallels (very closely) the story with "piracy" stats from the industry.
<br /><br />
One popular number is "$1 trillion" in losses due to cybersecurity breaches.  That number gets thrown around <i>a lot</i> by politicians (and many in the press who merely parrot such numbers unquestioningly, even as that gives those politicians more cover to claim that there's a reputable source supporting the number).  Yet, the Pro Publica report highlights that, not only is this number bogus, but the (quite well respected) researchers who put together the original report for McAfee <b>did not use that number</b> and, more importantly, many of them spoke out publicly with surprise that McAfee put out a press release with such a number -- which they thought was questionable and not supported by their data.
<br /><br />
In fact, there were a number of methodological problems, including that the data was based on a self-reported "average" amount of the "worth of sensitive information stored in offshore computer systems."  Who knows if the respondents are being accurate, first of all, but even more to the point, the "worth" of such information is a highly subjective number.  People can find something "worthwhile" without paying for it, but by focusing on the "worth," they obscure the fact that the market price may be quite different than what people think something is worth.  And, what people think something is worth has <i>zero</i> impact on any actual losses.  But, from a very small number, McAfee just sprinkled some magic pixie dust on the already questionable number, and proceeded to extrapolate, massively:
<blockquote><i>
&#8220;The companies surveyed estimated they lost a combined $4.6 billion worth of intellectual property last year alone, and spent approximately $600 million repairing damage from data breaches,&#8221; the release said. &#8220;Based on these numbers, McAfee projects that companies worldwide lost more than $1 trillion last year.&#8221; The release contained a quote from McAfee&#8217;s then-president and chief executive David DeWalt, in which he repeated the $1 trillion estimate. The headline of the news release was &#8220;Businesses Lose More than $1 Trillion in Intellectual Property Due to Data Theft and Cybercrime.&#8221;
<br /><br />
The trillion-dollar estimate was picked up by the media, including Bloomberg and CNET, which expressed no skepticism.
</i></blockquote>
Now, remember, this $1 trillion number is just in the press release.  <b>It's not in the report at all</b>.  And the report's researchers were just as baffled (and even more concerned) about this:
<blockquote><i>
Among [the study's researchers] was Ross Anderson, a security engineering professor at University of Cambridge, who told ProPublica that he did not know about the $1 trillion estimate before it was announced. &#8220;I would have objected at the time had I known about it,&#8221; he said. <b>&#8220;The intellectual quality of this ($1 trillion number) is below abysmal.&#8221;</b>
<br /><br />
.... The company&#8217;s method did not meet the standards of the Purdue researchers whom it had engaged to analyze the survey responses and help write the report. In phone interviews and emails to ProPublica, associate professor Jackie Rees Ulmer said she was disconcerted when, a few days before the report&#8217;s unveiling, she received a draft of the news release that contained the $1 trillion figure. &#8220;I expressed my concern with the number as we did not generate it,&#8221; Rees Ulmer said in an email. She added that although she couldn&#8217;t recall the particulars of the phone conversation in which she made her concerns known, &#8220;It is almost certainly the case that I would have told them the number was unsupportable.&#8221;
<br /><br />
...The news stories got the worried attention of some of the report&#8217;s contributors because McAfee was connecting their names to an estimate they had no previous knowledge of and were skeptical about. One of the contributors, <a href="http://blog.securitybalance.com/2009/02/unsecured-economies-report">Augusto Paes de Barros</a>, a Brazilian security consultant, blogged a week after the news release that although he was glad to have been involved in the report, &#8220;I could not find any data in that report that could lead into that number.... I&#8217;d like to see how they found this number.&#8221;
</i></blockquote>
I don't know about you, but when a super well respected security researcher tells you that a particular claim is based on a number whose "intellectual quality ... is below abysmal," that's the point at which you should probably stop using the number.  But, instead, politicians and the press continue to parrot the line over and over again.
<br /><br />
The slightly smaller number, from Symantec, is still equally questionable.  They go with $250 billion... but the number has almost no support.  It does come from a real Symantec report, but not from Symantec employees.  Instead, they hired another firm to magically come up with the number, and it sounds like magic would have been equally as effective as what was eventually done.  It raised concerns from actual experts in the field:
<blockquote><i>
&#8220;Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population.&#8221;
</i></blockquote>
Furthermore, even if we take these numbers at face value, the original reports on both of them say these numbers represent the value of the attacks in question, and not what was actually "lost" or how much it cost to deal with.   However, when a politician quotes them, they almost always do so by at least suggesting that these made up "values" are very real "losses" to companies.  In other words, the numbers (shocker, shocker) are being twisted by cybersecurity law supporters.  For example, just recently, Senator Collins said that General Alexander "believes American companies have lost about $250 billion a year," but that's not true.  Already, we know the number is suspect -- but even if we accepted the number, it only represents the "value" that various companies have put on things harmed by security issues, not any sense of actual losses.  Claiming that these are losses isn't just misleading, it's wrong.
<br /><br />
We've argued for years that actual data should inform the debate on these things -- but that data needs to be accurate and supportable.  Unfortunately, with cybersecurity threats, the claims that are being thrown around have no basis in reality.  If politicians really want to discuss the "threat" of cybersecurity, the least they can do is get some accurate research on the scope of the problem.  Trusting a number from a McAfee press release is not credible and it's certainly no basis for passing a law that wipes out privacy rights of the public.
 ]]></description>
<slash:department>but-of-course...</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20120802/02474519915</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 11 Jul 2012 09:25:00 PDT</pubDate>
<title>NSA Chief Says NSA Doesn't Need Access To Your Info... As Whistleblowers Say They're Already Getting It</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20120711/01291419657/nsa-chief-says-nsa-doesnt-need-access-to-your-info-as-whistleblowers-say-theyre-already-getting-it.shtml</link>
<guid>http://www.techdirt.com/articles/20120711/01291419657/nsa-chief-says-nsa-doesnt-need-access-to-your-info-as-whistleblowers-say-theyre-already-getting-it.shtml</guid>
<description><![CDATA[ The American Enterprise Institute (AEI) recently held <a href="http://www.aei.org/events/2012/07/09/cybersecurity-and-american-power/" target="_blank">an event about cybersecurity and cybersecurity legislation</a>.  The keynote speech was from NSA boss General Keith Alexander.  He of course talked about why he supports cybersecurity legislation, such as CISPA and other proposals that will make it easier for the NSA to access private content from service providers -- much of which, reports claim, they're <a href="http://www.techdirt.com/articles/20120317/00381118147/terrifying-look-into-nsas-ability-to-capture-analyze-pretty-much-every-communication.shtml">already capturing</a> and storing.  Alexander has claimed that the NSA <a href="http://www.techdirt.com/articles/20120321/10182618184/nsa-insists-it-doesnt-have-ability-to-spy-american-emails-texts-etc.shtml">doesn't</a> have "the ability" to spy on American emails and such, and reiterates that claim during the Q&#038;A in this session, insisting that the Utah data center doesn't hold data on Americans' emails (and makes a joke about just how many emails that would be to read).  That's nice for him to say, but so many people with knowledge of the situation claim the opposite.
<br /><br />
In fact, in a story that has received almost no attention, the EFF was able to get <a href="https://www.eff.org/press/releases/three-nsa-whistleblowers-back-effs-lawsuit-over-governments-massive-spying-program" target="_blank">three whistleblowers to speak out on the NSA's massive spying infrastructure</a>:
<blockquote><i>
In a motion filed today, the three former intelligence analysts confirm that the NSA has, or is in the process of obtaining, the capability to seize and store most electronic communications passing through its U.S. intercept centers, such as the "secret room" at the AT&#038;T facility in San Francisco first disclosed by retired AT&#038;T technician Mark Klein in early 2006.
</i></blockquote>
So it's interesting to pay attention to what Alexander has to say in pushing for cybersecurity legislation.  You can watch the full video below, if you'd like:
<center>
<object id="flashObj" width="480" height="270" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,47,0"><param name="movie" value="http://c.brightcove.com/services/viewer/federated_f9?isVid=1&#038;isUI=1" /><param name="bgcolor" value="#FFFFFF" /><param name="flashVars" value="videoId=1727929528001&#038;playerID=684720698001&#038;playerKey=AQ~~,AAAAnrehDVE~,w91IT6IapG54cV-cir05eT1Zcztug5b0&#038;domain=embed&#038;dynamicStreaming=true" /><param name="base" value="http://admin.brightcove.com" /><param name="seamlesstabbing" value="false" /><param name="allowFullScreen" value="true" /><param name="swLiveConnect" value="true" /><param name="allowScriptAccess" value="always" /><embed src="http://c.brightcove.com/services/viewer/federated_f9?isVid=1&#038;isUI=1" bgcolor="#FFFFFF" flashVars="videoId=1727929528001&#038;playerID=684720698001&#038;playerKey=AQ~~,AAAAnrehDVE~,w91IT6IapG54cV-cir05eT1Zcztug5b0&#038;domain=embed&#038;dynamicStreaming=true" base="http://admin.brightcove.com" name="flashObj" width="480" height="270" seamlesstabbing="false" type="application/x-shockwave-flash" allowFullScreen="true" allowScriptAccess="always" swLiveConnect="true" pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash"></embed></object>
</center>
Much of what he talks about online involves basic malware and hack attacks.  These are definitely issues -- but are they issues that we need the military (which the NSA is a part of) to step in on?  His "quote" line is that these attacks represent the "greatest transfer of wealth in history."  That is a pretty broad statement, and there's almost no evidence to support it.  He points to studies from Symantec and McAfee on the "costs" of dealing with security issues -- but remember, those are two of the biggest sellers of security software, and have every incentive in the world to inflate the so-called "costs."   Also, seriously?  The "greatest transfer of wealth in history"?  Has he paid absolutely no attention to what's happened on Wall Street and the financial world over the past decade?  Does anyone honestly believe that the amount of money "transferred" due to hack attacks is greater than the amount of money transferred due to dodgy financial deals and the mortgage/CDO mess?  That doesn't pass the laugh test.
<br /><br />
He does insist that worse attacks are coming, but provides no basis for that (or, again, why the NSA needs your info).  In fact, according to a much more believable study, the real risks are <b>not</b> outside threats and hackers, but <a href="http://www.theatlantic.com/technology/archive/12/07/if-hackers-didnt-exist-governments-would-have-to-invent-them/259463/" target="_blank">internal security screwups</a> and disgruntled inside employees.  None of that requires NSA help.  At all.
<br /><br />
But it sure makes for a convenient bogeyman to get new laws that take away privacy rights.
<br /><br />
Alexander, recognizing the civil liberties audience he was talking to, admits that the NSA <b>neither needs nor wants</b> most personal info, such as emails, and repeatedly states that they need to protect civil liberties (though, in the section quoted below, you can also interpret his words to actually mean they don't care about civil liberties -- but that's almost certainly a misstatement on his part):
<blockquote><i>
One of the things that we have to have then [in cybersecurity legislation], is if the critical infrastructure community is being attacked by something, we need them to tell us... at network speed.  <b>It doesn't require the government to read their mail</b> -- or your mail -- to do that.  It requires them -- the internet service provider or that company -- to tell us that that type of event is going on at this time.  And it has to be at network speed if you're going to stop it. 
<br /><br />
 It's like a missile, coming in to the United States.... there are two things you can do.  We can take the "snail mail" approach and say "I saw a missile going overhead, looks like it's headed your way" and put a letter in the mail and say, "how'd that turn out?"  Now, cyber is at the speed of light.  I'm just saying that perhaps we ought to go a little faster.  We probably don't want to use snail mail.  Maybe we could do this in real time.  And come up with a construct that you and the American people know that <b>we're not looking at civil liberties and privacy</b>, but we're actually trying to figure out when the nation is under attack and what we need to do about it.
<br /><br />
Nice thing about cyber is that everything you do in cyber, you can audit.  With 100% reliability.  Seems to be there's a great approach there. 
</i></blockquote>
Now all that's interesting, because if that's true, then why is he supporting legislation that would <b>override any privacy rules</b> that protect such info?  If he really only needs limited information sharing, then why isn't he in favor of more limited legislation that includes specific privacy protections for that kind of information?  He goes back to insisting they don't care about this info later on in the talk, but never explains why he doesn't support legislation that continues to protect the privacy of such things:
<blockquote><i>
The key thing in information sharing that gets, I think, misunderstood, is that when we talk about information sharing, we're not talking about taking our personal emails and giving those to the government.
</i></blockquote>
So make that <i>explicit</i>.  Rather than supporting cybersecurity legislation that wipes out all privacy protections, why not highlight <i><b>what kind of information sharing is blocked right now</b></i> and why it's blocked?  Is it because of ECPA regulations?  Something else?  <i>What's the specific problem</i>?  Talking about bogeymen hackers and malicious actors makes for a good Hollywood script, but there's little evidence to support the idea that it's a real threat here -- and in response, Alexander is asking us all to basically wipe out all such privacy protections... because he insists that the NSA doesn't want that kind of info.  And, oh yeah, this comes at the same time that three separate whistleblowers -- former NSA employees -- claim that the NSA is getting exactly that info already.
<br /><br />
So, this speech is difficult to square up with that reality.  If he really believes what he's saying, then why not (1) clearly identify the current regulatory hurdles to information sharing, (2) support legislation that merely amends those regulations and is limited to just those regulations and (3) support much broader privacy protections for the personal info that he insists isn't needed?  It seems like a pretty straightforward question... though one I doubt we'll get an answer to.  Ever.  At least not before cybersecurity legislation gets passed.
 ]]></description>
<slash:department>cyber-security?</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20120711/01291419657</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 16 May 2012 14:58:00 PDT</pubDate>
<title>Bogus Stats Again: BSA Puts Out Its Yearly Propaganda About Software Piracy</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20120515/15081718930/bogus-stats-again-bsa-puts-out-its-yearly-propaganda-about-software-piracy.shtml</link>
<guid>http://www.techdirt.com/articles/20120515/15081718930/bogus-stats-again-bsa-puts-out-its-yearly-propaganda-about-software-piracy.shtml</guid>
<description><![CDATA[ For the 9th year in a row, the Business Software Alliance (BSA), an organization that mainly represents Microsoft's interest, has put out its <a href="http://www.prnewswire.com/news-releases/well-over-half-the-worlds-computer-users-admit-pirating-software-bsa-study-finds-151480345.html" target="_blank">ridiculous "Global Software Piracy Study"</a>, which argues that tons and tons of software is being pirated, and if only people paid for it, there would be $63.4 billion more going to software companies.  We've been criticizing the ridiculously laughable methodology of the report <a href="http://www.techdirt.com/articles/20040707/0146245_F.shtml">since</a> it began, and even have seen the company that does the research, IDC, <a href="http://www.techdirt.com/articles/20040719/034230_F.shtml">admit</a> that the BSA exaggerates what the report actually says.  We've done <a href="http://www.techdirt.com/articles/20080718/1226541724.shtml">multiple</a> detailed <a href="http://www.techdirt.com/articles/20110512/10183914249/bsa-2010-piracy-report-its-back-its-just-as-wrong-as-before.shtml">analyses</a> of how the BSA's stats are misleading (or just flat out bogus).  And yet, because there are magical numbers involved, the press just loves to <a href="http://www.techdirt.com/articles/20100511/1516059386.shtml">parrot</a> the claims without any skepticism.
<br /><br />
This year's report is no different.  It's more of the same ridiculousness, with a clueless press reporting (totally inaccurately) that the study says that software piracy <a href="http://www.google.com/hostednews/afp/article/ALeqM5gLZmDiCTgiUtua0Gdq0anTOt0Ndg?docId=CNG.37ab293d08346aa6f7c1d1bfbdd5758f.5f1" target="_blank">"costs" the economy $63.4 billion</a>.  That's simply not true.  What the report did find was not actually surprising or even very interesting.  It's that people in developing countries tend to <a href="http://news.techworld.com/applications/3357773/developing-world-fuels-rise-in-software-piracy-claims-bsa/" target="_blank">infringe</a> more often.  You probably knew that already, but if you wanted evidence for that, you shouldn't look to the BSA and its bogus stats, but a thorough, comprehensive and independent review of the market, such as the one done by Joe Karaganis and SSRC <a href="http://www.techdirt.com/articles/20110308/02354213395/massive-research-report-piracy-emerging-economies-released-debunks-entire-foundation-us-foreign-ip-policy.shtml">last year</a>.  That report found the reason that there was increased piracy in developing markets was because clueless companies don't realize that people aren't going to pay a month's salary for a single digital good.
<br /><br />
Of course, rather than recognize it's their own business model failings at issue, the BSA is once again using this report to <a href="http://www.itpro.co.uk/640636/bsa-demands-tougher-penalties-for-software-pirates" target="_blank">call for "tougher penalties" for infringement</a>.  This despite the fact that no study has ever shown that such penalties actually drive more people to buy.
<br /><br />
Thankfully, at least some people are calling the BSA out on its bogus report, such as by noting that it's <a href="http://joshmendelsohn.tumblr.com/post/23122331028/bsa-proves-they-are-out-of-touch" target="_blank">political propaganda</a> designed to get legislation like SOPA and PIPA passed.  The reality, of course, is that it shows how out of touch the BSA is with the innovation economy today, instead working to lock up and protect the interests of its major funders: Microsoft, Symantec and Intuit.  Those companies are threatened by upstarts with better business models, and the best they can do is to support legislation that will lock down the internet, causing more harm than good for true innovation.
<br /><br />
The "Bogus Stats Again" report from the BSA isn't about dealing with piracy.  It's a way of whitewashing an agenda of protectionism for some large software companies who don't want to compete or to adapt.
 ]]></description>
<slash:department>aren't-we-done-with-this-yet?</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20120515/15081718930</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 8 Dec 2010 16:35:00 PST</pubDate>
<title>Intellectual Ventures Files Its First Lawsuits; Giant Patent Troll Awakened</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20101208/11073712190/intellectual-ventures-files-its-first-lawsuits-giant-patent-troll-awakened.shtml</link>
<guid>http://www.techdirt.com/articles/20101208/11073712190/intellectual-ventures-files-its-first-lawsuits-giant-patent-troll-awakened.shtml</guid>
<description><![CDATA[ For years, Intellectual Ventures has avoided suing companies directly, while building up a portfolio of tens of thousands of patents (mostly bought -- though it likes to <a href="http://www.techdirt.com/articles/20100902/02402110874.shtml">get PR</a> from the wacky and usually useless patents it files directly).  Its business model, to date, has been about <a href="http://www.techdirt.com/articles/20090630/0333575413.shtml">shaking down</a> giant tech companies for hundreds of millions of dollars in exchange for letting those companies use IV's patent portfolio either defensively or offensively against others.  However, as part of an attempt to avoid the dreaded "troll" label, the company had avoided suing others directly for quite some time -- though, it's always hinted that it would eventually.  About a year ago, we started to see IV patents <a href="http://www.techdirt.com/articles/20090903/0333546094.shtml">showing up in lawsuits</a>, but they had been licensed to other companies first.  The notoriously secretive company would never comment on whether or not it had any stake in the results of such lawsuits.
<br /><br />
However, Intellectual Ventures has finally stepped up and <a href="http://bits.blogs.nytimes.com/2010/12/08/intellectual-ventures-goes-to-court/?src=twt&#038;twt=nytimesbits" target="_blank">filed three separate patent infringement cases against nine companies</a>, including Symantec, McAfee, Trend Micro and others.  Of course, some of these companies have a history of <a href="http://www.techdirt.com/articles/20080211/202027232.shtml">questionable patent activity</a> themselves... Still, this seems like IV and Nathan Myhrvold stepping things up a notch.  Consider it a warning to other tech companies: if you don't agree to pay hundreds of millions of dollars to Intellectual Ventures, the company might sue you too.
<br /><br />
That's not how innovation is supposed to work.
<br /><br />
Still, perhaps this will convince more people just how problematic our current patent system is today and how we need to move towards fixing it.
 ]]></description>
<slash:department>watch-out...</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20101208/11073712190</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 19 Nov 2008 07:11:00 PST</pubDate>
<title>Microsoft Realizes No One Wants To Pay Microsoft To Fix Its Own Security Flaws</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20081119/0056492875.shtml</link>
<guid>http://www.techdirt.com/articles/20081119/0056492875.shtml</guid>
<description><![CDATA[ Back in 2005, when Microsoft was first mulling the idea of <a href="http://techdirt.com/articles/20050515/2329252.shtml">offering security software</a>, we noted that the company was between something of a rock and a hard place.  If it decided to charge for the software, people would accuse the company of trying to get people to pay to protect themselves from the security vulnerabilities in Microsoft's own software.  Yet, if they went free, then they would face screams about antitrust violations for undercutting competitors in the security software market.  We also suggested a third option: design better software that doesn't need security software.  But, failing that, Microsoft chose what I think was the worst of the three options: selling security software.  Perhaps not too surprisingly, not too many people took Microsoft up on the offer.  It could be a combination of reasons why.  First, Microsoft just doesn't have a good reputation when it comes to security.  Second, that whole issue of paying the same company that created the security holes in the first place.  Finally, it might just be inertia.  People buy from McAfee or Symantec because they're two names that have been around forever and are recognized (and, most importantly, bundled on many brand-name computers).
<br /><br />
So, after a couple years of failing to make much of a dent in the market, Microsoft has abruptly shifted to option number two.  It will no longer be selling its OneCare security software and, instead, will be <a href="http://news.cnet.com/8301-1009_3-10101582-83.html" target="_new">offering a free security suite for users</a>, though with fewer features than the old OneCare offering.  The various security software companies put out statements saying, of course, that this is no big deal, but you have to believe they're now doing whatever possible to stir up some complaints out of the Justice Department that this is an antitrust violation.  Maybe a few years down the road Microsoft will simply move on to option three, and make software that doesn't require separate security software.
 ]]></description>
<slash:department>that's-how-it-works</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20081119/0056492875</wfw:commentRss>
</item>
<item>
<pubDate>Tue, 29 Apr 2008 20:16:35 PDT</pubDate>
<title>How Do You Enforce An EULA On Malware?</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20080429/101718978.shtml</link>
<guid>http://www.techdirt.com/articles/20080429/101718978.shtml</guid>
<description><![CDATA[ We've written about all sorts of crazy things that software companies do in their EULAs (End User License Agreement), but it really says something about how ingrained the concept of an EULA has become that <a href="http://www.symantec.com/enterprise/security_response/weblog/2008/04/copyright_violations_in_the_un.html" target="_new">malware companies are starting to offer such draconian EULAs on their products</a> (found via <a href="http://arstechnica.com/news.ars/post/20080428-malware-authors-turn-to-eulas-to-protect-their-work.html">Ars Technica</a>).  Among the more amusing features of the EULA is a guarantee to <i>buy</i> any future upgrades.  How's that for lock-in?  Of course, EULAs are barely enforceable as is, and when you're selling to scammers and crooks they become even less so.  Most EULAs are backed up via the power of copyright law, but that obviously doesn't work in this case.  So how are the malware authors enforcing it?  In typical organized crime fashion: with threats to destroy everything else you've got.  Specifically, if it catches anyone violating the terms, it promises to send their botnet code to various antispyware companies -- effectively handing over the location of their secret hideout to the malware police.  Who knew that honor among thieves now has taken on an EULA angle?  Of course, we already know that almost <a href="http://www.techdirt.com/articles/20050223/1745244_F.shtml">no one</a> reads normal software EULAs, so I somehow doubt that the online scammers using this software are bothering with the fine print either.
 ]]></description>
<slash:department>honor-among-thieves?</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20080429/101718978</wfw:commentRss>
</item>
<item>
<pubDate>Mon, 24 Sep 2007 15:34:00 PDT</pubDate>
<title>Symantec Cries Wolf About ThreatCon 4: Imminent Global Internet Failure</title>
<dc:creator>Dennis Yang</dc:creator>
<link>http://www.techdirt.com/articles/20070924/020947.shtml</link>
<guid>http://www.techdirt.com/articles/20070924/020947.shtml</guid>
<description><![CDATA[ Symantec's DeepSight threat warning system <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&#038;articleId=9038358">sent out an erroneous "ThreatCon 4" warning</a> on Friday caused by an errant product test.  ThreatCon 4 is the highest level of warning that can be issued by the DeepSight system, and is supposed to indicate times when "extreme global network incident activity is in progress."  The level 4 warning has never been issued; the last time level 3 was reached was back in 2004.  Symantec issued a retraction of the false alarm approximately an hour after it was issued, and so far, no reports of harm from the false alarm are apparent.  Actually, it doesn't even seem like anyone took this warning that seriously at all, considering the lack of any sort of response.  And without any sort of response, doesn't that make the early warning system, well, not that useful?  After an hour without much of a response, they should have just said: "This was a test of the DeepSight early warning system.  Had this been a real warning..."
 ]]></description>
<slash:department>aesop's-modern-fables</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20070924/020947</wfw:commentRss>
</item>
</channel>
</rss>