[HN Gopher] Leaked documents expose Avast antivirus subsidiary s...
___________________________________________________________________
Leaked documents expose Avast antivirus subsidiary selling web
browsing data
Author : jeremiahlee
Score : 556 points
Date : 2020-01-27 14:17 UTC (8 hours ago)
(HTM) web link (www.vice.com)
(TXT) w3m dump (www.vice.com)
| smrtinsert wrote:
| This just feeds my conspiracy that all antivirus companies are
| worse than the viruses themselves.
| [deleted]
| [deleted]
| tomc1985 wrote:
| I wish there was a way to punish all the people participating in
| these data sharing things. Because it is endemic, a gold rush
| even, with every single individual involved lacking scruples as
| they sell their fellow man out
| 1000units wrote:
| Many people who post here are involved.
| ryuukk_ wrote:
| that's what every VPNs are doing
|
| that's what every firefox/chrome extentions are doing
|
| that's what every mobile apps are doing
|
| Time to wake up slaves of the modern world
| detcader wrote:
| I just tried to uninstall the Avast desktop software, but
| "avast.hub" and avast "worker" processes remained running even
| after the "Uninstall Avast" process quit.
|
| Probably just incompetence... Probably!
| js8 wrote:
| I work in Prague and I know some people who work for Avast. It's
| an open secret that the company got pretty rich on selling
| customer data from their antivirus (that was before GDPR,
| though). I am glad that somebody confirmed the rumor.
| Joeri wrote:
| I'm not surprised. The antivirus sector seems to prey on people
| as much as the virus makers. I had my PC infected accidentally by
| norton antivirus a few years ago. They snuck it onto my system by
| hiding themselves in an oracle java update. They didn't install
| right away, waited a bit so I couldn't immediately link it back
| to what caused it. The uninstall function in programs and
| settings was a misdirection and threw an obscure error. The
| uninstaller downloadable from their website would pretend to
| uninstall, require a reboot, and after the reboot the malware
| would reseat itself on my system. Eventually I had to start up in
| safe mode and painstakingly go through my system file by file,
| and registry key by registry key, to root it out. They know all
| the techniques the viruses use, and they use most of them.
|
| That was when I decided to stop using Oracle Java on all my
| personal systems and minimize my use of Oracle products on a
| professional basis. Learning they were a malware distributor was
| the drop that tipped the bucket.
| mschuetz wrote:
| Glad I'm not the only one. I was a Java dev for many years and
| also used it for private projects. When they started shipping
| unwanted malware together with Java was when I decided to
| remove Java from my toolset.
| lousken wrote:
| Eset and Windows Defender is pretty much the only two antiviruses
| left that I still kinda trust. The rest has become either
| bloatware or straight up spyware.
| tomaskafka wrote:
| Why would you trust Eset? Once they can monetize the user data
| (and every AV/browser company can), their shareholders will
| compel them to do it.
| alibert wrote:
| They do only paid AV and, for what it's worth, Google has
| included the Eset AV engine in Chrome (Win only).
| inkeddeveloper wrote:
| Is it bad that my first reaction is, "Of course."
| zentiggr wrote:
| Nope, just confirms you're seeing reality.
| nif2ee wrote:
| Most B2C privacy/security based companies are either snake oil or
| outright scams.
| sagunsh wrote:
| I don't use any antivirus software now a days. They basically
| seems to slow down the computer (I am not quite sure about this)
| but here I got one more reason not to use one. I guess qindows
| defender is okay and sufficient for most of the cases and you can
| always switch to Linux.
| rafaelvasco wrote:
| Yeah, I stopped using AV in Win7. Never looked back;
| beart wrote:
| I've often felt that antivirus software is like the rock that
| keeps the tigers away. I haven't used it since the AOL days, and
| that's also the last time I was actually hit with Malware
| (something from Kazaa I would guess.)
|
| It's also worth noting that every corporate IT department I've
| ever seen installs antivirus software on employee machines, so it
| must be good for something? I'm curious what the actual
| statistics are for caught viruses.
| johngalt wrote:
| Sysadmin here. We install AV to tick the box. It doesn't add
| much to the security equation, and hasn't for years.
|
| For prevention, limited roles/access and patching does all the
| heavy lifting.
|
| Detection happens on the server and network side. Otherwise we
| are expecting a compromised device to know/report itself.
|
| Remediation is a wipe and reload from known sources. When
| properly automated it is faster than running a full AV scan,
| and much more reliable.
| notyourday wrote:
| > Sysadmin here. We install AV to tick the box.
|
| Ding! Ding! Ding!
|
| Does your company need to accept credit cards? Guess what?
| You must have AV as there are only two choices in a self
| assessment form:
|
| [ ] Anti-virus and anti-malware software is deployed on all
| systems used by the company staff.
|
| [ ] Anti-virus and anti-malware software is not deployed on
| all systems used by the company staff.
|
| Selecting the 2nd makes one fail self-assessment which in
| turn denies company's ability to accept credit cards.
|
| Security is a charade.
| donmcronald wrote:
| That industry seems like a dumpster fire. I once saw an
| assessment that includes a regular firewall scan.
| Apparently everyone locks down their firewall, triggers the
| scan, re-opens their firewall.
|
| I guess as long as everyone's getting paid...
| gruez wrote:
| would windows defender count as antivirus software?
| notyourday wrote:
| We were provided with a very large list of AV software
| (~2 printed pages long). Windows Defender was not on it.
|
| It was decided the risk of using software not on the list
| was not worth it.[0]
|
| [0] It was the 2nd annual assessment/audit I was involved
| in -- during the first one the sticking point was that
| our user-facing website was exposed to users via a CDN
| that was detected by the vulnerability scanner as some
| PHP application, which caused us to fail that test.
| Needless to say we did not want to deal with such mess
| again.
| Spooky23 wrote:
| For corporate IT, it's a compliance requirement. It is the
| equivalent of putting a sign in the bathroom that says to wash
| your hands, only less effective. AV does almost nothing and
| costs almost nothing.
|
| The newer products are different and more effective, and come
| with an appropriate price tag. (The Microsoft solution costs as
| much as O365!)
| guelo wrote:
| Comply with what?
| Spooky23 wrote:
| If you do any business with the US federal/state/local
| government, healthcare, criminal justice, Tax collections,
| most financial institutions, you've signed a contract where
| you agreed to do a bunch of stuff, including this.
|
| AV minimally checks a box.
| freehunter wrote:
| For those that might not understand the compliance
| requirement, PCI compliance is a good example. If you process
| credit card payments, you need to be PCI (Payment Card
| Industry) compliant. And PCI DSS Requirement 5.1 [1] states
|
| > _Deploy anti-virus software on all systems commonly
| affected by malicious software (particularly personal
| computers and servers)._
|
| So most enterprise companies have to have AV on their
| workstation and servers (yes Mac and Linux too) in order to
| keep processing credit card payments.
|
| [1] https://www.pcisecuritystandards.org/documents/PCIDSS_QRG
| v3_...
| mywittyname wrote:
| Sounds like there's an opportunity for micro AV: the
| smallest possible compliant antivirus software.
| Spooky23 wrote:
| That's called Windows Defender.
|
| Before that, you could drive down the big vendors, alot.
| I think I paid like $2/pc/year for McAfee back in the
| day.
| LMYahooTFY wrote:
| Does this apply to things like Square card readers plugged
| into an iPhone?
| freehunter wrote:
| In that case Square is the payment processor. The vendor
| using the Square reader is not required to be PCI DSS
| compliant, only Square is. Same for accepting Paypal,
| Stripe, etc.
| notyourday wrote:
| > Same for accepting Paypal,
|
| Definitely not the case for Paypal.
|
| As soon as the charges cross certain rolling dollar
| amount, one needs to complete a security assessment that
| requires AV in addition to a pile of other idiotic things
| - such as a specific set of signatures returned by the
| web servers in a scan by TrustWave. Unrecognized
| signature? Failed!
|
| Source: first hand experience.
| freehunter wrote:
| Is that Paypal's requirement, or a PCI DSS requirement?
| notyourday wrote:
| PCI DSS.
|
| Paypal told us it applied to us and we either had to do
| it or they would block our seven digit monthly charges.
| bradknowles wrote:
| I've done PCI/DSS consulting. For the biggest provider of
| online loan servicing, in fact. Over 80% of all online
| loans are processed through their system, mostly done as
| a white-label service for virtually every big bank,
| credit union, or other financial services provider in
| existence.
|
| The reality of PCI/DSS is a bit more ... complex.
|
| What it really comes down to is whatever your auditor
| says you have to do in order to meet the requirements.
| And history has already taught us that if your auditor is
| one of the Big Accounting firms, then they can be ...
| flexible ... if you're a big enough customer.
|
| So, there's the letter of the law, and then there's what
| you actually have to implement in your code. And the two
| may have relatively little to do with each other.
|
| Just make sure that you document everything you do within
| an inch of your life and the life of the code in
| question, so that when there is a breach (and there WILL
| be a breach), you're not the one that is being left out
| in the cold.
| 52-6F-62 wrote:
| > _For corporate IT, it's a compliance requirement. It is the
| equivalent of putting a sign in the bathroom that says to
| wash your hands, only less effective. AV does almost nothing
| and costs almost nothing._
|
| Corporate IT at my previous employer even allowed and aided
| us in _uninstalling_ the resource-hogging McAfee installation
| that comes default with a company machine. That stuff was
| _crippling_ our machines.
| magduf wrote:
| >It's also worth noting that every corporate IT department I've
| ever seen installs antivirus software on employee machines, so
| it must be good for something?
|
| Yes, it absolutely is good for something. Antivirus software is
| excellent for making companies like McAfee highly profitable,
| and it's also really good for slowing down your computer.
| lotsofpulp wrote:
| It's to let the higher ups cover their ass by being able to
| say they tried to do prevent malware.
| saiya-jin wrote:
| Owners of the Avast, 2 Czech guys, are ranked among the
| wealthiest Czechs ever. I mean one has net worth over 1
| billion USD, the other at least the same.
|
| I had some respect for them some time ago, but these days
| their product is shit and worse than having nothing. Plus
| with Windows defender, who still actually pays for it?
| finnh wrote:
| It's good for meeting compliance requirements.
| jcranmer wrote:
| Antivirus was more necessary back in the days when firewalls
| and security elevation privileges were rarely enabled on
| consumer machines. But more modern security software has rather
| weakened the value proposition for AV, and they've started
| branching into areas that aren't really helpful at all and
| sometimes counterproductive (e.g., web browsing protection--
| your AV does a much, much worse job of validating TLS than
| browser vendors do).
|
| Given the dirty things that AV does to "work" correctly, you
| can characterize modern AV as malware that tries to keep other
| malware out.
| avh02 wrote:
| probably for checking various compliance tickboxes
| flir wrote:
| Well... do you want to stand up in court some day and explain
| why you _didn 't_ install A/V software? It reduces risk, just
| maybe not the risk we expect it to.
| coldcode wrote:
| The power of customer data making money is hard to resist.
| asasidh wrote:
| If you are using a product that dials home, paid or otherwise,
| you have to assume it is collecting and selling your data.
| d-c wrote:
| They entice us with free products, meanwhile they're biting...
| jammygit wrote:
| Anything named an antivirus should be possibly to sue for this
| sort of thing, right? It could not possibly be more misleading
|
| It's like a locksmith company monetizing by sneaking people into
| your home when you're asleep
| rkagerer wrote:
| The article seems a little sensationalized, but even viewed in a
| generous light it's still downright creepy.
|
| _...clients include Google, Yelp, Microsoft, McKinsey, Pepsi,
| Sephora, Home Depot, Conde Nast, Intuit, and many others._
|
| _It is possible to determine from the collected data what date
| and time the anonymized user visited YouPorn and PornHub, and in
| some cases what search term they entered into the porn site and
| which specific video they watched._
|
| _Although the data does not include personal information such as
| users ' names, it still contains a wealth of specific browsing
| data, and experts say it could be possible to deanonymize certain
| users._
| vatueil wrote:
| For context, the sentence starts with:
|
| > _Some past, present, and potential clients include..._
|
| Keyword "potential".
| nabakin wrote:
| Exactly. That word makes me discredit the entire list.
|
| Although, the subtitle does say
|
| > Its clients have included Home Depot, Google, Microsoft,
| Pepsi, and McKinsey.
| adossi wrote:
| Yeah it's creepy, but I wonder how that data is used? Like,
| what ads will Google show me depending on the type of porn I
| watch?
| mikejb wrote:
| IIUC, porn is used as an example to highlight that these are
| very personal details that are being sold, and porn
| preferences are things people often fear more of leaking than
| - for example - their financial data.
|
| John Oliver, in his work on the NSA scandal had Snowden
| explain individual NSA programs based on "dick picks", to
| help people visualize and clarify the consequences of what
| otherwise is just generically described as "selling/stealing
| your data".
| freehunter wrote:
| Yeah people always assume the buyers of the data are
| companies like Google, and not some group who wants to
| blackmail you if you don't give them five Bitcoins.
| nonbirithm wrote:
| > porn preferences are things people often fear more of
| leaking than - for example - their financial data
|
| I remember this being the opposite - for nude pictures
| instead of porn preferences at least.
|
| Avast did a study where 77% of US respondents said that
| between nude pictures and financial data they would rather
| have nude pictures of them leaked[0].
|
| Maybe it's because financial data is directly tied to one's
| well-being but except for certain professions nude photos
| aren't.
|
| Then again nude photos aren't necessarily the same as porn.
|
| [0] https://thenextweb.com/insider/2015/11/17/study-
| smartphone-u...
| _jal wrote:
| Why concentrate on intended use? More interesting is what,
| er, unanticipated value-add might be there.
|
| Could a malicious actor create a blackmail-bot? It wouldn't
| even need to be that great - just something a little more
| believable than the "I took over your computer and videoed
| you masturbating" spam.
|
| Could more subtle, targeted blackmail operation involve this
| data? There is a _lot_ of this sort of thing in politics.
|
| We know PIs, bail-bonders and other folks on the fuzzy
| LE/commercial coercion industry line were heavy users of
| realtime cellphone tracking. I imagine the more creative ones
| have considered the value of these data pits, too.
| nexuist wrote:
| Dating sites, for one.
| inkeddeveloper wrote:
| Hard to find a dating site that specializes in ... _looks
| up his profile_ ... oh boy, that 's some weird stuff.
| _jal wrote:
| Kind of amusing that this is currently the #2 story, while #1 is
| "Trust Is at the Core of Software Marketing".
|
| If you had told me five years ago that I would stand up exfil
| monitors on my home network because commercial and criminal
| surveillance was so pervasive, I would have said that would be
| crazy talk. And yet here we are.
| dredmorbius wrote:
| What are you using for this, what is blocked / how do you
| construct blocklists?
| ropiwqefjnpoa wrote:
| Does this include AVG for Business? I dropped them just over a
| year ago.
| tomaskafka wrote:
| It's amusing to watch how slowly is this becoming a common
| knowledge - company I worked for at the time has been buying
| complete Jumpshot url logs 4 years ago, and everyone knew where
| the data is coming from.
| dessant wrote:
| Here's the rejected Firefox blocklist request for Avast
| extensions: https://bugzilla.mozilla.org/show_bug.cgi?id=1600600
|
| Blocklisting the extensions would disable existing installations
| and stop ancillary data collection, which is prohibited by
| Firefox Add-on Policies.
|
| https://extensionworkshop.com/documentation/publish/add-on-p...
|
| > Mozilla expects that the add-on limits data collection whenever
| possible, in keeping with Mozilla's Lean Data Practices and
| Mozilla's Data Privacy Principles, and uses the data only for the
| purpose for which it was originally collected.
|
| There are a number of browser extensions maintained by antivirus
| companies that use security as a disguise to collect and monetize
| user data. It is time for Google and Mozilla to act on this issue
| and protect users from these predatory practices.
|
| Benign extensions that are genuinely useful and don't have a
| company behind them do not get this treatment [1], they are
| blocked whitout preliminary contact with developers [2].
|
| [1] https://www.jeremiahlee.com/posts/page-translator-is-dead/
|
| [2] https://www.ghacks.net/2019/11/05/mozilla-bans-all-
| extension...
| bagacrap wrote:
| isn't this generally true of every extension/app/smart
| appliance? Everything wants to collect and sling your data on
| the side. Browser and phone vendors do try to protect users
| with permissions controls in addition to the store curation
| that you point out is imperfectly executed. How do you propose
| they enact a perfect system of vetting for the long tail of
| benign extensions?
| monadic2 wrote:
| Well they could start by banning extensions that make the
| news for sending all of their visited urls to a third party.
|
| Ultimately we need to give the user more control over what
| software on their system is doing. None of these entities
| (mozilla, google, apple, microsoft, amazon, facebook) can be
| trusted to act in our best interest
| dessant wrote:
| Equally enforcing policies regardless of who's the publisher
| of an extension would be a good start.
|
| This is how the Avast blocklisting request should have been
| handled:
|
| - Immediately blocklist [1] the extension because it harvests
| personal data without user consent, notify Avast
|
| - Offer to reenable the extension for the existing user base
| when Avast reaches out and stops data collection in an
| extension update
|
| Because the extension was not blocklisted, but temporarily
| removed from the store, personal data was siphoned off
| without the consent of existing users for weeks, with the
| knowledge and implicit approval of Mozilla, until Avast has
| released an update.
|
| Users that have configured Firefox to update extensions
| manually may continue to use an extension version which
| steals personal data, despite Mozilla being capable of
| disabling those extension instances, and despite their recent
| commitment [2] to use blocklisting more proactively when an
| extension is circumventing user consent or control.
|
| Mozilla did not respect its own policies and has put the
| interests of Avast before the privacy and safety of its
| users.
|
| [1] https://blocked.cdn.mozilla.net
|
| [2] https://blog.mozilla.org/addons/2019/05/02/add-on-policy-
| and...
| horsawlarway wrote:
| I want to second this sentiment and EXPLICITLY call out
| Mozilla.
|
| I am the lead dev for a relatively small Firefox extension. We
| do not do ANY tracking.
|
| We were rejected and removed for simply including the sdk for
| Microsoft outlook addins as a script in one of our html pages
| (we share the codebase for an outlook addon as well). This
| script is well documented and published by Microsoft.
|
| I find the hypocrisy here staggering.
|
| I know that Firefox gets a lot of love, particularly on HN
| because it _feels_ like Mozilla is still a trustworthy company.
| I want to clearly express that I no longer believe this. They
| want addons in the store that they can use for marketing and
| sales. Period.
| gnicholas wrote:
| Thanks for posting this. I have had similarly odd experiences
| recently with the Firefox addon store, which my startup has
| been in since 2013. All of a sudden we got yanked, among
| other things because we modify third party libraries.
| Apparently we would have been fine if we did exactly the same
| thing but wrote the code ourselves, but since we used a
| library, and then modified it, we were in violation. To be
| clear, we provide all our source code in the review process,
| so it is 100% clear what we are doing. And we don't do
| anything that is remotely privacy- or security-compromising,
| which is very clear from the code.
|
| We tried to understand this bizarre no-modifying-third-party-
| libraries policy and see how we could fix it, but they
| stopped responding and eventually even deleted our extension
| from the browsers where our users had previously installed
| it. (Even Apple doesn't do this when it yanks apps -- only
| rarely if there is proven bad behavior will the pull an
| already-installed/paid-for app from a device.)
|
| I happen to know a couple very high-up people at Mozilla, and
| one of them was able to flag our mistreatment, and the
| reviewers now seem to be walking back the previously-
| described global ban on modifying third-party libraries, but
| we're still not back in the addon store (it's been months).
|
| The (alleged?) policy makes no sense to me, and I also don't
| understand why Mozilla is now blocking users from installing
| any addon that hasn't been blessed by Mozilla. I understand
| that they want to vet addons that are listed in their store,
| but they've assured me that users can't even install off our
| website unless Mozilla signs off. That seems very un-Mozilla-
| ish to me. What happened to the open web?
|
| For the record, I used to love Mozilla/Firefox, and have used
| their browsers for decades. I now use Brave, both because of
| experiences like this one, and because it's much faster on my
| Mac.
| minewastaken wrote:
| https://digdeeper.neocities.org/ghost/mozilla.html
|
| This article, along with some other sites and my own digging
| made me leave Firefox for good. It's a good read if you value
| privacy and think Mozilla is the good guy in a field
| dominated by evil corporations. At first it might seem
| biased, but the author makes very good points and backs them
| up with tons of sources that can't be really argued - most of
| the article is reviewing privacy policies and terms of
| service agreements that are available publicly to check.
|
| For now I stuck with Pale Moon, but I'm considering some
| other browsers like Ungoogled Chromium for my daily private
| and work use. Pale Moon feels kinda janky and old-school in a
| not good way. But it's fast and (with some minor tweaking:
| https://spyware.neocities.org/guides/palemoon.html) respects
| your privacy 100%.
| vkou wrote:
| I've read through the first bit of it, and the author comes
| off as a huge pedant.
|
| They spend most of the introduction ranting about browser
| features being removed in updates - because their
| expectation seems to be that once Mozilla ships a feature,
| it must forevermore be a part of the latest version of the
| browser, from now, until the heat death of the universe...
|
| Disclaimer: I don't actually use Firefox, I don't have a
| hobby horse in this race.
| aasasd wrote:
| Funny how the design of that article borders on typical
| insane unreadable looks of conspiracy theory sites.
| rmist wrote:
| > Avast was collecting the browsing data of its customers who had
| installed the company's browser plugin, which is designed to warn
| users of suspicious websites.
|
| I have never really felt the need of antivirus plugins. Firefox's
| built in features (https://support.mozilla.org/en-US/kb/how-does-
| phishing-and-m...) has always been good enough in my experience.
| m-p-3 wrote:
| And you can also help flagging those pages or malicious files
| by either submitting a phishing report[1] or uploading a
| potentially malicious file[2]
|
| [1]:
| https://safebrowsing.google.com/safebrowsing/report_phish/?t...
|
| [2]: https://www.virustotal.com/
| jacquesm wrote:
| AV software acts like and treats your computer pretty much the
| same way that malware does, it should not be surprising the
| companies do the same.
|
| They're in Prague, would be nice to see the teeth of the GDPR
| used to put the fear of god into parties in this space. Maximum
| penalty times the number of clients they had should do the job
| nicely.
| catalogia wrote:
| Is there any chance what they're doing might fall under some
| sort of 'unauthorized access' computer hacking criminal law?
| Something that could get individuals sent to prison rather than
| just getting the company fined? There is no way they had
| meaningful informed consent for any of this.
|
| I don't think shit like this will stop unless executives and
| the engineers who humor them start getting their lives
| justifiably destroyed.
| acvny wrote:
| Haha, you wanted free antivirus?
| s_dev wrote:
| Can we discuss how ridiculous PCI compliance is to require anti-
| virus softare? Particularly in mac OS where anti-virus software
| is the primary surface area for introducing viruses.
|
| Why hasn't this requirement been updated to somthing more
| sensible?
| reaperducer wrote:
| From your mouth to God's ear.
|
| IT installed freaking Norton on all of my new Macs. Now I feel
| less safe, _and_ I get the software nagging me all the time.
| GordonS wrote:
| Keep in mind that PCI requirements only apply to machines
| _within the cardholder environment_ - everything else is out of
| scope.
|
| What this means is that as long as you isolate your cardholder
| environment, you don't need to deploy AV across your whole
| company - only on those in scope.
|
| I'm not a huge fan of AV, but I do advocate for a layered
| approach to security, and have to concede that AV may have some
| value as a "last chance" layer if malware somehow manages to
| get past your other defences.
| klohto wrote:
| The data is heavily anonymized and aggregated before selling.
| Avast is a Czech company under GDPR with regulators breathing on
| it's neck. "Selling data to Google" is true as much as when my
| github project is cloned by Google guy and I claim it's used by
| Google :)
|
| It's a free product and it's written in T&S, why is Vice so
| sensational?
|
| EDIT: Calm it, I was proven wrong about the EULA
| tastroder wrote:
| We regularly call out random browser extensions doing the same
| thing, it's not sensationalized to call out a top 10
| manufacturer in the "security" space on this behaviour.
| Anonymization of search histories has, time and time again,
| been shown to be largely ineffective.
|
| https://www.avast.com/eula does not mention Jumpshot and
| grepping around does not indicate any sensible anonymization
| and aggregation efforts, just the default legalese whereas the
| demo video on
| https://www.jumpshot.com/solutions/industry/retail leads me to
| believe that while they might not tie histories to a single
| user, they show statistics like "XX% of users shopping at A,
| went on to buy at B" which indicates at least some level of
| unaggregated data / tracking.
|
| If the Vice article is to be believed, that's certainly enough
| to at least raise an eyebrow. The opt-in the article talks
| about is likely to be an underspecified mess that's intended to
| decieve the user, this functionality has simply no place in an
| AV package. Let's not act like it's hard to get users to press
| a shiny green button these days. That might be found GDPR
| compliant in court, it's still not morally right.
| speedgoose wrote:
| No way this is GDPR compliant.
| klohto wrote:
| You're correct about the EULA, any idea when it was last
| changed? I'll look into this and correct myself but since I
| know few people working there, I heard stories about the
| process and how regulated it is.
| tastroder wrote:
| The top of that page says "Version 1.11 (Revised April 1,
| 2019)", the history seems to be this (linked at the
| bottom): https://www.avast.com/eula-legacy
|
| I'll give them the benefit of the doubt but if the Vice
| report is accurate, the business practice needs changing,
| not their terms of service.
| stordoff wrote:
| > The data obtained by Motherboard and PCMag includes Google
| searches, lookups of locations and GPS coordinates on Google
| Maps, people visiting companies' LinkedIn pages, particular
| YouTube videos, and people visiting porn websites.
|
| > "It's very granular, and it's great data for these companies,
| because it's down to the device level with a timestamp," the
| source said, referring to the specificity and sensitivity of
| the data being sold
|
| > Jumpshot gave Omnicom access to all click feeds[...] The
| product includes [...] "the entire URL string"
|
| > A set of Jumpshot data obtained by Motherboard and PCMag
| shows how each visited URL comes with a precise timestamp down
| to the millisecond, which could allow a company with its own
| bank of customer data to see one user visiting their own site,
| and then follow them across other sites in the Jumpshot data.
|
| How can you _possibly_ anonymise that at scale? Maybe someone
| searches an email address, or searches a unique phrase, such as
| a nickname, that identifies them. If someone makes multiple
| searches for directions from/to a particular place, it's
| probably their home or work. If you are logged in to a
| company's site, they likely know exactly who you are, and can
| correlate their logs with the Jumpshot logs (URL+millisecond
| timestamp could very well be unique) to follow you across other
| sites. The article notes that some products include "inferred
| gender" and "inferred age" - what _else_ can you infer from the
| provided data that may be enough to ID you?
|
| Even if they _aren't_ directly selling it, it's a uncomfortable
| amount of information for a company to have (at best).
| pbhjpbhj wrote:
| I can see how the data could be anonymised but when Google get
| it the access time, coupled with the referer (sic.) info could
| completely de-anonymise some data for Google, eg you arrived
| there from a Google search.
| dgaudet wrote:
| > Some past, present, and potential clients include ...
|
| i'm having a hard time reading past the word "potential". that
| suggests exaggeration to me.
| Mtinie wrote:
| It could be exaggeration, or "potential" in this case could
| include data from people and companies who expressed interest
| in the product captured during lead generation.
| partiallypro wrote:
| Until Windows 10 (which just has a great built in virus detection
| system,) I would always push people to Avast. I am shamefully
| disappointed that they've fallen this far.
| chinathrow wrote:
| Avira Free just installed Avira VPN while updating a client to
| Win 10 recently, I assume that they're after data collection too.
|
| That was the last straw - Windows Defender only at this point of
| time.
| skocznymroczny wrote:
| Most antivirus software feels sketchy in general (snake oil).
|
| The only antivirus I run at the moment is Windows Defender. For
| me the main reason is that Microsoft actually benefits from a
| virus free system because it improves Windows as a platform.
| Antivirus software vendors benefit from viruses spreading around
| because it improves sales of their products.
|
| Also Windows Defender is fairly non-intrusive, it doesn't
| advertise a sketchy VPN, a sketchy adblock, a sketchy torrent or
| any other tool that usually anti-virus vendors try to bundle
| together.
| KumarAseem wrote:
| What is there to prevent Microsoft from not having Defender
| monitor and report the traffic back to MS once it has gained a
| big foothold? MS with Win10 forcefully collects a lot of data
| and adding a little bit of data through Defender will give them
| a really huge(complete) picture.
| duxup wrote:
| The non-intrusive factor was huge for me.
|
| I remember when it came out and it would scan away and do it's
| thing and it was pretty much noticeable. I was "yeah this is
| it" uninstalled whatever I was using at the time and never
| looked back.
|
| That was a big plus in a market where as you say everything
| feels sketchy.
| Ansil849 wrote:
| > For me the main reason is that Microsoft actually benefits
| from a virus free system because it improves Windows as a
| platform.
|
| From the article:
|
| > Some past, present, and potential clients include Google,
| Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Conde
| Nast, Intuit, and many others.
|
| Microsoft doesn't need its AV products to do shady data
| collection because it outsources this to third-party shady AV
| products, therefore keeping its own reputation clean as your
| post demonstrates.
| chapium wrote:
| Microsoft can collect information through their OS, why
| bother with doing it in AV.
| Ansil849 wrote:
| Well, for that matter why bother purchasing it from this
| third party? Ostensibly for the same reason as not doing it
| in AV.
| CPLX wrote:
| The word potential is doing a ton of work in that sentence.
| Ansil849 wrote:
| From further in the article:
|
| > Microsoft declined to comment on the specifics of why it
| purchased products from Jumpshot, but said that it doesn't
| have a current relationship with the company.
|
| Which seems to indicate that Microsoft is in the list of
| past, not potential clients.
| bsharitt wrote:
| > Also Windows Defender is fairly non-intrusive
|
| Microsoft and antivirus vendors have very different goals.
| Microsoft wants to quietly protect your computer without making
| a big deal out of viruses, while antivirus vendors always want
| to let you know that they're hard at work protecting you and
| that the world is a dangerous place so keep giving them
| money(or in the case of free versions, keep it installed so
| they can keep vacuuming that data).
| blablabla123 wrote:
| > the world is a dangerous place
|
| True, as long as keeping outdated software/practices is
| facilitated. The attack surface is relatively small if
| someone installs only apps from an App Store - no matter
| which one that is - and from well-known vendors.
|
| That said, Microsoft has created a nice breeding ground for
| viruses by keeping all the software backwards compatible but
| accepting that users might need to get new hardware for every
| major update. At least the major updates have become quite
| cheap...
| Brave-Steak wrote:
| I think one of the worst parts of this kind of stuff is that
| paying for the product doesn't mean they stop selling all
| your data. It just means they make even more money off of
| you.
| simias wrote:
| That's the standard these days unfortunately. Why turn
| these options off when most users won't even notice and you
| get more money in the end?
|
| I wish that my various "premium" subscriptions to services
| like Spotify or various other apps meant that my privacy
| will be respected but I have absolutely no illusions about
| it. That's why I'll never ever consent to turning off
| u-block, I want the freemium/ad-driven model to die, it's
| the original evil that makes all these practices
| worthwhile.
| reaperducer wrote:
| _Why turn these options off when most users won 't even
| notice and you get more money in the end?_
|
| Because it's the right thing to do? Why is it so hard for
| people in technology to simply do what's right?
|
| I don't buy the hackneyed HN arguments about "A company
| is required to maximize profits for the shareholder!" or
| high school thought exercises like, "Who gets to decide
| what is right?" It's simply not that hard.
|
| I wonder if software engineers had to pass ethics classes
| like other types of engineers if the world would be a
| different place today.
| mywittyname wrote:
| > I wonder if software engineers had to pass ethics
| classes like other types of engineers if the world would
| be a different place today.
|
| I had to take one as part of my ABET program. I highly
| doubt it made a difference. If anything, it demonstrated
| how much ethical behavior varies between people. I
| distinctly remember conversations about how awesome
| computer-aided sniper rifles would be (before these
| became a literal thing). That seems completely unethical
| to me, but I went to a college full of people getting
| back from tours in Afghanistan, so they had a very
| different perspective on the topic.
| salawat wrote:
| They do in some universities. Even when I was going. Most
| just treat it as a "Yup, okay fine" course, and many
| instructors are really bad about making it clear just the
| kind of heinous things to watch out for.
|
| Example:
|
| What is an acceptable use case:
|
| A) Utilizing photo manipulation to place an individual
| somewhere they haven't been before.
|
| B) The same except for them to enter in a contest.
|
| C) The same, for some one who just wants the picture to
| flesh out a personal scrapbook with a picture of them and
| their SO having done something they wanted to do, but the
| SOwasno longer alive for somehow.
|
| They don't do a great job at preparing you to understand
| how industry gets you to actually do unethical things, or
| how to react when they do.
|
| I.e. It's rarely, in my experience, "Hey, do blatantly
| unethical thing." Though that happens. I've had some
| snuck by my filters in the form of
|
| >Hey welcome aboard! <Several months of innocuous work
| later>. Okay guys, time for <skeevy thing>. Business
| really needs this, so it's pretty high visibility.
|
| Generally it escapes your notice because for once you're
| just happy to have clear requirements, and to not be
| getting jerked around, so you do it. Minimal complaint is
| encouraged, or will at least be pretended to be
| entertained, relying on the cushy salary and in-house
| benefits to carry you through to job completion.
|
| But the ball keeps rolling regardless. You can decide to
| not work on certain stuff, but that generally gets
| shluffed off to another team that doesn't share your
| ethical proclivities.
|
| The sad thing is, you almost need a labor or professional
| organization like structure to be capable of keeping
| major divergence from the ethical straight and narrow in
| check, because otherwise you can pay lip service to
| higher ethical and moral standards, but when it comes
| paycheck time, most are going to go with that phat
| paycheck.
|
| I'm working on considering my next link in the career
| chain, and ethical implications are strongly influencing
| my choice. I'm sick and tired of being someone else's
| money vacuum mechanic. I'd like to work on software that
| actually helps people.
|
| And I'll stop anyone who suggests "but those systems are
| capital pumps, and help people because the free market."
| No they don't not in any but the most indirect of ways.
| If people overall weren't having all their siphoned off
| them, I'dwager there would be a much higher degree of
| actualization or entrepreneurial development in the hands
| of less capital starved people.
|
| I know a positive feedback loop when I see one, and you
| can damn well bet that's why every tech company is
| scrambling to become a fintech in one way or another.
| simias wrote:
| To be clear I wasn't condoning this behavior at all, it
| was just a statement of fact. I also wish people valued
| ethics over short term profits but here we are. Like my
| grandmother used to say, there is no such thing as
| ethical consumption under capitalism.
| acdha wrote:
| There's an argument that growing awareness will lead to
| backlash, some of which will carry legal weight. I'm not
| sure how compelling long-term brand reputation is to most
| CEOs, however -- Apple has been doing well but that's a
| single data point with lots of confounds.
| JohnTHaller wrote:
| In the case of free versions, keep updating it so they can
| sneak Google Chrome onto your system using dark patterns
| (which Google pays them to do).
| zojirushibottle wrote:
| funny, i said the same thing before but it came off wrong and
| people didn't get it or something. i only run windows defender
| too, not because it's efficient -- i don't know, i have never
| seen it catch anything -- but because it's the less sketchy of
| the bunch!
| the8472 wrote:
| One issue with all antivirus on windows, including defender, is
| the performance impact. It seems to be dreadfully single-
| threaded, or at least make single-threaded workloads even
| worse. Monitoring CPU use during updates easily shows this,
| there are periods where a single core is busy with the defender
| service and nothing else is happening.
|
| Another issue that while microsoft's incentives may be better
| aligned it still fundamentally is an antivirus and thus an
| increase in attacksurface. There have been exploits against
| it[0] and it turned out that it did things with SYSTEM
| privileges and no sandboxing.
|
| [0] https://bugs.chromium.org/p/project-
| zero/issues/list?can=1&q...
| safog wrote:
| I think there's several different underlying causes to Windows
| feeling more secure (not needing antivirus) these days:
|
| 1. Security on desktops has been improved quite a bit. You can
| no longer simply email someone a .exe file that's the
| equivalent of `sudo rm -rf /` and have it work, multiple levels
| of safeguards (from the browser, to the email virus scan to
| windows defender catch it). OS's also simply won't run unsigned
| binaries anymore unless you force them to which is (maybe?) a
| good thing.
|
| 2. Piracy has been on a downtick, and people seem to be more
| open to paying for software since App stores made it somewhat
| more acceptable. Less likelihood that people download sketchy
| binaries off the internet and run them on their PCs.
|
| 3. More hours spent on mobile OSes which are inherently more
| secure. casual PC usage at home is declining.
| silicon2401 wrote:
| speaking of this, is there a recommended way to run a windows
| binary within Ubuntu 18.04? I don't want to dual-boot windows
| because I read that installing windows after ubuntu isn't
| recommended, but I don't have experience running a windows
| environment within Ubuntu either.
| cyberbanjo wrote:
| Wine is an emulation layer for Win32 on Linux. You can
| install Windows in a virtual machine if you have enough
| resources.
| silicon2401 wrote:
| Thank you.
| abtinf wrote:
| > Wine is an emulation layer
|
| Wine literally stands for "Wine is Not an Emulator".
| dredmorbius wrote:
| Other than Wine, you can run any virtualisation system
| (qemu, VirtualBox, VMWare, Xen, ...) which will effectively
| give you a Windows (or other) OS running within your Linux
| system.
|
| It won't have direct local OS access, but files and
| networking can be shared through most emulation systems,
| generally as SMB/CFS shares.
| ticmasta wrote:
| This is the same logic motivating me to (infrequently) buy
| Windows computers from the Microsoft store. They don't benefit
| from a brand-new Windows PC that runs like molasses so they
| don't have any bloatware* or other performance slowing software
| like a Dell PC or worse, your typical Best buy computer. The
| prices are on-par despite not getting the kickbacks where most
| manufacturers generate the majority of their profit.
|
| * except for that which is or comes with Windows. Unfortunately
| this has grown substantially - Windows 7 seems like something
| of a high-water mark for performance/polish/lean...
| rapind wrote:
| Except that M$ was bundling ads and apps in Windows 10 (a
| paid OS) themselves. It's a sad state where other actors are
| so terrible that MS starts to look like a savior.
| cypressious wrote:
| Agree with the non-intrusive part. However Defender does slow
| down programs that do a lot of filesystem IO. I tend to disable
| it when I update bigger programs or run other IO heavy tasks.
| tiernano wrote:
| As a dev house, I agree on the io, but our solution is to add
| our dev folders to the exclusion list. One of our build times
| went from 10min to start a debug to less than 1min...
| nesky wrote:
| Doubling down on this, I do the same and have had maybe 1
| instance where Defender didn't catch something in what seems
| like the last 10 years I've used it almost exclusively for
| 'virus' protection.
| lawnchair_larry wrote:
| How would you know if it didn't catch something?
| penagwin wrote:
| More often then not you'll find some "helpful" changes to
| your browsing experience, and/or "team.bitcoinz" running at
| 100% cpu, or your files are encrypted.
|
| Most viruses aren't stealthy, although a few are, and
| you're right, those you'll have a hard time with if they're
| well hidden and undetected.
|
| IMO - Something like Glasswire + Windows Defender is pretty
| robust. Nearly any virus will need network connectivity
| after all.
| clarry wrote:
| > Most viruses aren't stealthy
|
| Do you have data?
| penagwin wrote:
| Yes? But most viruses don't lay dormant waiting for you
| to type in a bank account password and quietly send it
| off (some do for sure).
|
| A lot of viruses sell "installs" - where other less moral
| software devs will pay per installation of their
| software. Or they spam ads across your entire computer
| etc. Or they encrypt your files and demand a ransom. None
| of these things are quiet or stealthy - anybody with
| decent IT experience will notice them pretty fast.
|
| It's kinda like regular crime. Sure every once in a while
| there's a thief that quietly lockpicks his way into
| somebodies home after spying on them and knowing they've
| left on vacation, leaving little evidence they took
| anything at all. Most of the time somebody just does a
| smash-and-grab, quick and dirty.
| clarry wrote:
| You don't want to share that data?
|
| I keep running into the same phenomenon everywhere;
| everyone thinks they know whether they've been infected
| or not. I suppose everyone is a malware expert, so
| there's no need to share the data with anyone. I'm quite
| out of the loop here.
| penagwin wrote:
| > I keep running into the same phenomenon everywhere;
| everyone thinks they know whether they've been infected
| or not.
|
| I mean I get what you're saying. My point is that most
| viruses aren't trying to be hidden, so they're rather
| obvious. Of course there's a chance they try to be
| sneaky, and you're right you have no way of knowing if
| those are present and well hidden.
|
| But anti-virus only does so much, if you're past Windows
| Defender you're past a bunch of other tools too. A lot of
| anti-malware software is very generic, and relies on some
| rather dumb techniques.
| nesky wrote:
| Don't recall what specifically I was doing at the time but
| was maybe 7 or 8 years ago my computer got a virus and took
| me close to a week to fully gain control of my machine
| again. Only time I got actual warnings from Defender about
| something it couldn't erase.
| scott_s wrote:
| I think that has been the conclusion for a while. I went poking
| around for old stories, and the best I could find was a thread
| from 2016: "AV is my single biggest impediment to shipping a
| secure browser," https://news.ycombinator.com/item?id=13079569
|
| And a follow-up, "Avoid Non-Microsoft Antivirus Software",
| https://news.ycombinator.com/item?id=13489100
|
| I believe there have been academic studies on the non-
| effectiveness of antivirus software, but I can't find them. (If
| others can, I'd like to read them.) I find the argument that
| antivirus software _increases_ attack surface compelling
| because it 's third-party software that tries to get into
| everything. This is not the '90s anymore; all of the big
| players care about security. I think that the engineers at
| Microsoft, Google, Apple and Firefox are more qualified to
| secure their own software than outside vendors are.
| sct202 wrote:
| My dad had me remove Avast (that he paid for) from his laptop
| over Christmas because he started to get mailers based on his
| browsing activity. It literally locked up his computer for an
| hour uninstalling and giving prompts that would try to get you to
| accidentally cancel the uninstall.
| AJ007 wrote:
| You should send this to the Vice authors.
|
| I emailed some journalists about Jumpshot a few years back.
| It's good that everyone now understands what is going on.
| ThePhysicist wrote:
| Funny, just today I looked at their analyst presentation, which
| mentions that 17 % of their revenue comes from user data
| monetization: https://investors.avast.com/Document-
| Download/Analyst%20Teac...
| ggregoire wrote:
| How are the AV companies still alive with Windows Defender
| installed on every Windows since like Windows 7 or 8?
| reaperducer wrote:
| _How are the AV companies still alive with Windows Defender
| installed on every Windows since like Windows 7 or 8?_
|
| Apparently by selling your information.
| kijin wrote:
| Windows Defender is a little too understated IMO. Most people
| don't even know that it's a decent antivirus.
|
| I wouldn't mind if better marketing for Windows Defender made a
| bunch of shady antivirus companies go bankrupt, but Microsoft
| probably doesn't want to get into another round of antitrust
| lawsuits.
| mywittyname wrote:
| Computer salesman have talking points about how WD doesn't
| catch 95% of virus out there. Of course, they leave out the
| part about how WD focuses on the 5% of viruses actually found
| in the wild, as continuously surveyed by Microsoft, not the 30k
| variants of known viruses that are not relevant to a Windows 10
| machine.
|
| My go to is to say, the security lead for Google Chrome once
| tweeted, "the biggest impediment to implementing a secure
| browser is AV software."
| alibert wrote:
| I saw that quote being posted quite often in HN. I always
| smile at this because Google Chrome (on Windows only)
| includes a cleanup tool based on an popular AV engine.
|
| https://www.blog.google/products/chrome/cleaner-safer-web-
| ch...
|
| https://www.eset.com/int/google-chrome-cleanup/
| mywittyname wrote:
| I think his original criticism was that the OS hooks that
| typical AV install are a source of vulnerabilities and
| bugs.
|
| I don't think he took issue with the idea of a well-
| maintained database of signatures used to identify
| malicious code, just most vendors implementations that
| check against such.
| markosaric wrote:
| Avast/Jumpshot data is bought by many marketing companies too and
| packaged as SEO tools, market research/analysis. They've been
| really proud to talk about their ability to collect all this data
| in the past [1]. But recently it became clear that all the data
| is stolen without user permission.
|
| [1] "Jumpshot Knows What You're Buying, Browsing, Searching"
| https://www.cmswire.com/digital-marketing/jumpshot-knows-wha...
| jannes wrote:
| I don't use Avast myself (for obvious reasons), but how do they
| get around HTTPS encryption? Do they install a self-signed root
| certificate into the OS/browser? Wouldn't that be easily
| detectable?
| RL_Quine wrote:
| If you're injecting into the browser you don't need to worry
| about SSL- that's handled for you.
| stordoff wrote:
| They can instruct the browser to log/leak HTTPS keys:
| https://textslashplain.com/2019/08/11/spying-on-https/
|
| NB this article also notes the selling of data - from the
| article it cites:
|
| > Jumpshot is the data arm of Avast[...] This suite of
| products, in order to function, must collect and analyze every
| URL visited by every browser of every machine on which its
| installed. [...] Because Avast has to see and process all these
| URLs anyway (in order to serve their function of providing web
| security), they anonymize, aggregate, and remove any
| personally-identifiable information from the browser URL visits
| and then provide them to Jumpshot, who then makes estimates
| about broad web usage behavior. In my opinion, this is both an
| ethical way to gather crucial data about what's happening on
| the web[...]
| tomaskafka wrote:
| They aren't "making estimates about broad usage behavior",
| they just sell the raw clickstream. Amd lie.
| [deleted]
| whatsmyusername wrote:
| Avast also portscans your local network. I kept getting alarms on
| my Symantec laptop and couldn't figure out why. Took running
| TCPNetView on the two avast machines full time and waiting for
| the alarm to fire to figure it out.
| drewrem11 wrote:
| PCMag article talks about how Avast's 'de-identification' of the
| collected browser histories can fail and be used to by third-
| party companies to link your web clicks to your real identity
| https://www.pcmag.com/news/the-cost-of-avasts-free-antivirus...
| [deleted]
| annoyingnoob wrote:
| I thought this was well known. I wrote code to ingest Jumpshot
| data years ago. You have to wonder about the quality of the data
| though - maybe those using Avast aren't the best measure of all
| things web related.
___________________________________________________________________
(page generated 2020-01-27 23:00 UTC)