Saturday, January 24, 2009

Moving From Gray To Green

Cool! McAfee SiteAdvisor finally got around to checking this blog and I got a clean bill of health!

Which, if you're reading this and have no idea what I'm talking about, you probably could not be more bored to learn.

But, if you're still awake, here's the short version. McAfee SiteAdvisor is a service that checks websites for malware, spamming, and other bad behavior and maintains a database of the findings. You can visit the SiteAdvisor home page and check what they think of a site by typing a URL into the box labeled "Look up a site report."

Much more conveniently, they offer a free browser add-on for Firefox and Internet Explorer (and maybe some others). The add-on does two main things. First, it displays a little button in the lower right corner of your browser's status bar:

[Image: McAfee SiteAdvisor button in browser status bar]


This button turns green when you surf to a site that SiteAdvisor deems safe, yellow for risky, red for dangerous, and gray for no-frickin'-clue -- i.e., McAfee's robots haven't scanned the site yet.

Second, the SiteAdvisor add-on adds icons to search engine results, using the same color coding scheme. Here's a shot of my sexy new green check mark on a Google results page:

[Image: McAfee SiteAdvisor icon on Google results page]


No more drab gray circle with a question mark!

It's hard to say, from the user point of view, whether the SiteAdvisor add-on is much more than a security blanket, at least with my surfing habits. It does tend to err on the side of caution, meaning a few "Danger Will Robinson!" false positives, but it seems lightweight enough to feel like it's worth having. I've occasionally link-hopped to a new site, seen the status bar button turn red, and been happy to leave right away. I've also been happy to avoid clicking on certain results returned by Google -- depending on what you search for, it's possible to get a red site on the first page (e.g.), or in the ads that get displayed on the search results page.

It's not a guarantee of safety, of course. A site could turn bad in between visits from McAfee's robot crawlers, for example, or existing bad behavior could go undetected. But, it seems better than nothing to me -- galoshes to go with the umbrella of antivirus software, perhaps, and also, a little more info about which sites I can feel comfortable giving my email address to.

If you're interested in the browser add-on, visit the SiteAdvisor home page, their Download page, and/or their Learn More page.

Finally, for bloggers and other site owners: If you're interested in making sure your site is okay in SiteAdvisor's eyes, visit their resources page. If they haven't already scanned your site, you can register for an account (free) and go through a fairly painless site ownership verification process. Let me know if you want details that you can't figure out from them.

5 comments:

Alastair said...

So they're collecting a complete browser history from each user who has the plugin installed? How do we know they aren't going to do anything nefarious with it like onsell it, mine it for marketing opportunities, or anything else like that?

I'm looking for them to go out of their way to say "trust us, really!" but a few moments clicking around the website does not make me especially reassured. I guess some people will look at the McAfee name and be reassured anyway...

I'm not a fan of AV products in general. The "better than nothing" argument doesn't take into account the pain of false positives (or the privacy invasion, as above). I haven't run AV software on my machines for years now, and not regretted it once.

As a webmaster I understand the need to be a good web citizen and reassure visitors to your site, but this just feels wrong to me.

I guess I just don't want an internet where we need to adopt the insanity of AV products. This may be a completely naive ideal, but either way I'd like to see more evidence of the value of these kinds of measures before adopting them myself.

Brendan said...

If I'm reading their privacy policy correctly, I think your concern is misplaced. They say, in part:

"We never store information about where specific users go online or about what specific users do online. We do keep master anonymous logs of which sites our users visit so we can prioritize those sites for retesting. But these logs contain no information about which users visited which sites -- no personally identifying information, and not even users' IP addresses."

Now, maybe they're lying about that. We are, admittedly, taking them at their word. But we have to acknowledge the same thing about virtually every site on the Web -- that they could collect and use information that they say they don't. I'd add that you grant your ISP this trust regarding your complete surfing history, and that you grant Google (and other engines) an equivalent amount of trust concerning every one of your search queries.

One can even view this cynically. While the McAfee name does nothing to boost my estimation of SiteAdvisor (I started using it before McAfee acquired it), one thing I do think about them is that, as with any large company worried about its brand identity, I believe they consider the risk of being exposed for violating user privacy too high to make it worth the gains they might accrue from using personalized surfing information.

As to your view of A/V products, well, I just don't agree. Stipulating that one is using a Windows machine (i.e., without arguing for the moment about how irresponsible this may be in and of itself), there are just too many ways something can creep onto your machine even with safe surfing and email-reading habits. There's the human factor, for one -- none of us is 100% vigilant about which links we click. Indeed, even a miss with the mouse on a page full of links could happen. There's also the reality that even "good" sites can serve up malware. Seems like not a week goes by when I don't read of thousands of sites being hit by a MySQL injection, for example. There's also the route whereby malware can be served through ads, especially those that are displayed within an IFRAME.

To my mind, using A/V software is just common sense when one is running Windows, in the spirit of "it may not be perfect, but it's better than nothing," even if it's mostly a security blanket, given my online habits. There are times when I'd like to click a link where I have no a priori way to know about the site, whether it's a result from a search on a topic I'm just learning about, or a link provided by someone I don't know in a comment thread where the discussion is of interest to me.

Over the past few years, my A/V software has blocked something coming from an apparently benign site maybe five times. The way I look at it, any one of those could have been a real headache. Or worse, I could have gotten infected with a nasty whose actions from then on would be invisible to me, and I'd be yet another one of those Typhoid Mary machines that contribute to the redistribution of spam and more malware. In this light, then, I view using A/V software as part of being a good Netizen.

Ultimately, I should not be using Windows, I grant. I plead both inertia and the fact that a lot of the software that I use is developed either exclusively for Windows or at least first and foremost for the Windows platform. When this old machine (or its HDD) finally gives up the ghost, I'll move to Linux full time. Until then, using A/V software seems like the right choice.

And yes, I do think you're being naive when you say "I guess I just don't want an internet where we need to adopt the insanity of AV products." For better or for worse, most people use an operating system that is inherently insecure. For better or for worse, almost all software, independent of platform, is made available to the public before undergoing exhaustive security analysis. And finally, for better or worse, the very architecture of the Web prefers openness, accessibility, and convenience to safety and security.

By analogy, we like to be able to drive our cars the way we do. We know some accidents are going to happen and some people are going to get hurt or killed. We know that we could put an end to this, say, by restricting the number of cars allowed on the road at one time and by limiting the maximum speed to 20 mph (30 kph). Most of us don't want to put up with that, so we accept the risks and try to alleviate them by putting some restrictions on user operation, using seat belts, and preferring cars with airbags, crumple zones, and other crash-mitigating design features.

Finally, the number of false positives generated by my A/V software is not at all intolerable. I grant that some A/V software is far worse in this regard, especially the ones that cost money, ironically enough. To people who have such a complaint, I say, "avast!"

Alastair said...

Thanks for the pointer to the privacy policy - it was just surprising to me that it wasn't a more prominent part of the pitch for the SiteAdvisor software. So yes I believe they'll do (or at least they intend to do) what they say, it's just more surprise that they didn't see the need to reassure people as part of the sales pitch. I guess we're all so attuned to having our surfing habits monitored and dissected, what's one more third party?

As for AV software, I'm still unconvinced.

Sure, there's plenty of malware out there and it's nice to know where it is before you start downloading it. But even if you do download it, the damage won't be done until you actually run the malware locally. And after that local countermeasures should be used.

(BTW SQL injection is something that happens TO websites, not an attack vector that a browser user would worry about, and definitely not something that would be prevented by AV products).

So it's absolutely crucial that you keep your OS and browser up-to-date and all your data backed up. That comprises 90% of the protective measures you need right there. The remainder is a modicum of understanding about what you're doing (eg not clicking on the punch the monkey banner ads, etc) and avoiding the seedier parts of the internet.

For novice or more (shall we say) adventurous users, plugging that 10% gap with AV software *might* be worthwhile. But it's not a total solution, and you have to understand what you're doing/downloading in any event because there are so many other threats out there which AV software doesn't (and can't) catch.

Like most people I have had AV products installed on my work Windows PCs. In fact, I've had them for the last 15 years at least (not always using Windows as a primary PC, but mostly). In that time there have been a handful of cases where it has detected an infection. Some of these were false positives, and of the remainder, *none* were significant threats because I wasn't about to launch the app in the first place. It's not hard to spot dodgy websites and bad-smelling email attachments that you should stay away from.

[Incidentally, there are (vaguely) legitimate software vendors out there who act like wankers when they distribute software in a similar manner to the bad stuff. This is an area that the Linux distros have a huge advantage - everything comes in through a big software repository that is signed and hence has no possibility of being tampered with.]

When I have had to deal with virus infections from less technically inclined friends, they have more often been either spyware, which most AV software doesn't protect against, or not detected by the AV software. On the last occasion that the AV software failed, it was your recommendation Avast, and it also had a noteworthy UI metaphor failure...

At least that one got a laugh.

Brendan said...

"Sure, there's plenty of malware out there and it's nice to know where it is before you start downloading it. But even if you do download it, the damage won't be done until you actually run the malware locally. And after that local countermeasures should be used."

I don't agree. I think it's better to keep it off your system to begin with. Some malware is quite difficult to scrub once it's on the local disk. Secondly, not all malware needs to be run by the user doing something explicit on the local machine. Some variants are ready to go as soon as they get on your system, particularly the kinds that make the machine into part of a botnet.

"(BTW SQL injection is something that happens TO websites, not an attack vector that a browser user would worry about, and definitely not something that would be prevented by AV products)."

Understood. But often, the injection approach is used to get malware onto a site for the purpose of infecting machines owned by users who then visit that site. Granted, there are other reasons for attacking websites with this method, and also granted, a/v software won't help when it comes to defeating the intent of the installed malware.

"So it's absolutely crucial that you keep your OS and browser up-to-date and all your data backed up. That comprises 90% of the protective measures you need right there. The remainder is a modicum of understanding about what you're doing (eg not clicking on the punch the monkey banner ads, etc) and avoiding the seedier parts of the internet."

Almost completely agreed. Where we differ is in how we look at that last 10%. I think that a/v software can buy some of those remaining percents; e.g., it may take me from being 90% safe to 93% safe, and buy me a little bit of a cushion if I do stray down a dark alley on the Web.

Also agree with you that:

-- No a/v package is 100% successful, and eliminating PEBKAC is required for satisfying that last 10%

-- The way that most major Linux distros handle software maintenance is a good thing

-- The skin on avast! is hideous and worse, counterproductive. When I began using avast, figuring out how to de-skin it was the first thing that I did.

Brendan said...

I meant to add that since no a/v software is anywhere near 100% successful, my criteria for picking a particular package is influenced by not only its rep for detection and prevention, but also its price and how many resources it consumes. As far as I can tell, avast's free version does about as well as anything I could buy, and it's also far less of a hog than many of the paid variants.

Also, agreed that spyware is a separate issue. I use a couple of different antispyware programs and do scans every so often; i.e., here, I don't see the need for a real-time program -- this is an area better handled by smart surfing. Using SiteAdvisor, in my view, is a little bit of an assist in this sense.
