Competing and Cooperating (Don’t Attack the Customer)

In the security industry there is fierce competition. At least in the anti-malware segment there is also tremendous cooperation. I am writing from the 3rd annual CARO workshop where researchers from several anti-malware companies are sharing important information with their competitors.

Quite a while back, both PCTools and ESET had false positives on each other’s products. Some users thought that there was a fight going on between the two companies. Behind the scenes, ESET and PCTools employees engaged in friendly conversations to get the problems fixed. We don’t like false positives, and we certainly don’t want to harm our users. Disabling a competitor’s product is a really stupid and probably illegal activity. When a security company triggers on a competitor’s product, the only people who know about it are the company’s own customers. You don’t attack your customers; it should be obvious.

Well, to most people it is obvious, but two developers of Firefox extensions missed the obvious and took their battle to their users. The two Firefox extensions are NoScript and Adblock Plus, with Easylist taking sides with Adblock Plus. For a summary I recommend reading Dan Goodin’s article at http://www.theregister.co.uk/2009/05/04/firefox_extension_wars/

In a nutshell, Giorgio Maone, the developer of NoScript, modified Wladimir Palant’s Adblock Plus (ABP) add-on so that ABP would not block the ads on the NoScript website. This was a really bad thing to do, as it was done on users’ computers without their knowledge or consent. Effectively, NoScript behaved as malware. In retaliation, ABP enlisted the aid of Easylist to block access to the NoScript web site, ensuring that users of both ABP and NoScript could not update their version of NoScript. Where NoScript’s “damage” was causing users to see advertisements, ABP actually prevented users from getting security updates. Palant has his explanation of the events at http://adblockplus.org/blog/attention-noscript-users. Maone has his explanation and profuse apologies at http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/

Both authors really messed up big time, and only one has admitted wrongdoing. In reading the comments in response to Maone’s apology I found something truly unexpected. Several comments were made about making donations to one or both of the authors. These two guys take their personal differences out on their mutual users, and the victims reward them with PayPal donations!!! I think I’ll put a link to donate to my PayPal account up on the blog and pick a fight with a competitor :)

I really appreciate working in an industry where competitors are friends and help each other, rather than taking squabbles out on their customers.

Randy Abrams
Director of Technical Education

UPDATE: I was notified by Giorgio Maone that my timeline is a little off. The sequence of events, according to Giorgio, is as follows…

1. AdBlock Plus had a publicly known bug, which allowed any web site to work around its blocking and which I often indicated as the main reason why Adblock Plus could not be considered a security tool, opposite to what Wladimir Palant advertised (spreading on his part the notion that NoScript was not a security tool).
2. At a certain point my web sites (not my program) started to exploit this bug to work around Easylist’s filters, while still allowing end-users to block my ads using their own custom filters.
3. This pissed off Palant, who retaliated as soon as the new Easylist maintainer proved to be more malleable to adopt extreme techniques against relatively small sites than the previous one (who passed away some weeks ago).
4. When Easylist’s retaliation came to disable essential functionality such as installing NoScript builds from my sites, I retaliated in the mindless way I did, and the rest is known.

Author , ESET

  • Jeff Broido

    Congratulations to ESET for the highest ranking in the June 2009 “Consumer Reports” for commercial anti-malware products and the only AV solution to get the highest grade for malware detection which, to me, makes it the only product worth considering in this highly-competitive field.

    • Randy Abrams

      Update… I’ll explain a bit more about my harsh reaction below.

      Two years ago, Consumer Reports decided to test the effectiveness of an antivirus product’s heuristics by creating variants of viruses. This may seem logical, but only if you know little or nothing about testing heuristics. At the time ESET was not tested by Consumer Reports and I lambasted them for their unprofessional testing methods. The entire industry told them why the test was not ethical, or even useful as a measurement, but they wouldn’t listen and would not disclose their methodology.

      Last year Consumer Reports did the same test, again ESET was not tested, and again I lambasted them for incompetent and shoddy testing.

      This year ESET was tested, and they repeated their meritless test and ranked us number 1. ESET had provided Consumer Reports with some of the AMTSO best practices and encouraged Consumer Reports to participate in AMTSO. Consumer Reports refused to participate and obviously doesn’t care about the quality of their testing.

      In a nutshell, here is the problem with them creating new variants. I won’t go into the ethics. They are not creating what the bad guys are creating. They are not testing the real world effectiveness of heuristics against real world threats. Consumer Reports does not disclose how the samples to be replicated were chosen, why they were chosen, or what the samples are. It is a far stretch to think that they actually have a representative sample set.

      Sorry, but determining what bazooka blows up the most tricycles is a useless metric for determining the effectiveness of bazookas against tanks. In the near future, I will write a very detailed blog about the errors of their testing and how they could do it right and have deliberately chosen not to. The fact that ESET came in first does not alter my view that they performed incompetent testing.

      —–

      Thanks for the congratulations. It is a pity the award comes from one of the least competent tests imaginable. Consumer Reports has demonstrated a total aversion to learning how to do effective software testing and there isn’t a single software expert in the world that places any trust in their ability to test software. Your average cadaver is far more educable than the software testers at Consumer Reports.

      Don’t get me wrong, I’m not arguing with their conclusions, but based on their testing standards, the results cannot be attributed to anything more than an incredibly lucky guess. Out of sheer ignorance, gross incompetence and a blatant aversion to intellect, Consumer Reports remains one of the least competent software test organizations conceivable. It is really sad. It is far more rewarding to get third place by a great test than first place by an imbecile, regardless of how well they guessed instead of tested.

  • Jeff Broido

    Randy,

    Oh, I know all about CU’s testing methods. I’ve been reading “Consumer Reports” since I was a child in the fifties; absorbing is more like it, and the quality of their test most definitely isn’t nearly as high as it was in those days. I believe their decline began in the late 1960s. Around that time, they started to formalize their testing procedures. They became more methodical and consistent whilst abandoning eccentricity, insight and originality. The end result is that their ratings are more defensible and a great deal less useful. A few years ago, my wife and I bought a Bosch dishwasher that CU liked. Apparently, they liked the feature set, measurably quiet (oh, they love those metrics!) operation and good results.

    But the thing had a fatal flaw, one they would surely have uncovered with their old-style, thoughtful testing. We fought for nine months to get the retailer to take it back, receiving much abuse and bad advice from the Bosch service manager for the entire USA.

    Still, still… The magazine is accessible, and despite the objections that both of us have raised, there is still value in their ratings. To test anti-malware solutions, they fed a standard stream of infected content to systems via e-mail, http and by attempted hacking. So, when they claim that ESET’s products were the only ones to excel at malware detection, they were probably simply counting positives, false positives and false negatives. As you say, at least they came to the right conclusion!

    Regards,
    Jeff

Copyright © 2016 ESET, All Rights Reserved.