One problem with the internet is that anyone can set
themselves up as an expert. There's money to be made from convenient messages.
Examples abound in nutrition and health, as well as many other areas.
Despite widespread public ridicule,
such sites thrive and make their owners rich because they play into what people
already believe. The tendency being exploited is called confirmation bias,
and it can even exert enough power over us to compromise the online safety of
entire nations.
Take this post from the Above
Top Secret forum from 2008. The author began with the hunch that the biggest
beneficiaries of malware are the anti-virus (AV) companies themselves. However,
Google only returned stories explaining why this view was incorrect. This
raised the author's suspicions. Did anyone else have any information?
The ensuing nine pages of comments were a tour de force of ideas,
theories and claims, but a recurring theme was distrust. Many commenters simply
don't trust what they don't understand, and they don't understand computers or
AV.
It took a few seconds to find similar examples from other
forums, some dating
back to 2005 and even
2002. There are many more and they usually cover the same ideas, but a
common theme is still distrust. Compounding this, some commenters vaguely remember
something about John McAfee once claiming to have written viruses to create
demand for his first AV product, which of course proves everything.
That was a decade or more ago, but with phishing and
ransomware now firmly in the public eye, the benefit of online protection will
be obvious, right? Not necessarily.
In August 2016, the Daily
Mail reported that some AV products can fail to adequately secure your
computer. The
research being reported actually identified the potential for man-in-the-middle
certificate attacks. It's something our own Simon Edwards wrote about in a more
general context in his own blog over
18 months earlier.
As usual, the comment section of the Daily Mail's report was
far more revealing than the article:
And so on. Perhaps what's most disturbing is that despite
living in a world now publicly trying to cope with a grand cybercrime epidemic,
such uninformed views are so mainstream. There's even a certain pride to some
of them.
The McAfee virus-writing story is also still doing the
rounds. Mr McAfee hasn't helped matters by claiming to have planted
keyloggers in laptops he then gave away to government officials in Belize.
But did he really write malware to create demand for his own AV software?
In March 2014, McAfee went on the Alex Jones show to talk
conspiracies (what else?). A caller asked if he was indeed responsible for writing early
malware. Despite Jones talking over portions of his answer, this was the
nub of his reply:
"There were at the time thousands
of computer viruses," he said. "We could barely keep up with the viruses that
were out there, so we certainly had no time to build new ones. It would just be
a senseless thing to do. So I can categorically say, and you can talk to any of
the McAfee employees that were there at the time, that thought never crossed
anyone's mind."
Indeed, in his book Computer Viruses and Malware, John Aycock of the University of
Calgary in Canada also points out that if AV companies really are writing
malware and yet simultaneously failing to detect some of it, then what's the
point in all that effort being expended for zero gain?
So, how do you protect the distrustful, the misinformed, and
even the downright cynical online? One solution is to do it automatically, but
this demands that governments, their intelligence agencies, and the ISPs become
involved in actively blocking malicious content. Public reaction to any such
suggestion is predictably very bad.
So, we're at an impasse. Despite their poor reputations, governments
and the intelligence agencies they run are the only entities with the authority
and capabilities to attempt to protect entire nations online. However, the tools
they use are by their very nature shadowy, double-edged and closed to scrutiny.
The public at large worries that policing cyberspace means the erosion of freedom
and privacy. Nothing will convince us that this isn't the start of a dictatorship
or a new world order. Too much evidence of past lies and misdeeds confirms this
deep-seated bias.
If the public won't listen to the government, who will it
listen to? Who is it listening to?
Something about the caller who asked John McAfee if he wrote
early viruses keeps coming back to me. He seemed to remember being told
something by "some old OSS
guy". This idea of an unnamed source vaguely remembered is a common feature of
discussions where facts are scarce and conjecture runs free. It's a feature of
the threads I referenced above.
That being the case, maybe it's down to us, as infosec
professionals, to be those sources in future. Maybe it's down to us to engage friends
and family, to explain how cybercrime works, how it relies on them not
protecting themselves, and what to do about it.
But then again, I would say that, wouldn't I? ;)