Computer Associates slapped F-Secure the other day for hyping up phone-borne malware when no real threat exists. Check it out; CA's Simon Perry had this to say:
"While F-Secure's bankers and owners may be pleased with the cash flowing into their coffers from the deal, every security professional should be appalled by the perception this creates of our market. Industry and vendors are now more consultative and honest about risks, not just beating something up to sell it. F-Secure has done the industry a disservice."
And he's right. Despite what McAfee told us about 2006 being the "year of mobile malware", we still have yet to see any significant traction from phone-borne malware. F-Secure's retort acknowledged this:
It's not a global epidemic, but there are real people who have got it. There have been several tens of different viruses — this is early days for mobile virus writers
Several tens? You mean about the same number of people as contract bubonic plague in the US per year? Against the backdrop of PC-borne malware, saying this is "not a global epidemic" is one whopper of an understatement. And I'm all for CA calling them on it - especially since they have skin in the game (they have an AV line for mobile platforms like PDAs.)
I'm not sure I'd go so far as CA as to say that F-Secure's actions are irresponsible. After all, consumers heed the advice of vendors at their own peril; for example, Subway claims that their subs are 1) fresh and 2) will cause me to lose weight if eaten exclusively. While I don't claim to have knowledge that either statement is explicitly false, I do tend to take them with a grain of salt. Needless to say, I won't be eating nothing but Subway in the near future (nor will many others I don't guess) but is it irresponsible for Subway to make their claims? I don't know many who would say that it is. I think the same is true of F-Secure; consumers can decide for themselves (there's data out there for consumers to read on mobile virus prevalence) but they need to take vendors with a grain of salt. Once we stop expecting vendor research to be authoritative, this will become much easier for consumers to do. In the meantime, kudos to CA for calling this out and helping consumers know what's up.
Posted by Ed at July 25, 2006 12:11 PM
so here's what i don't get... how is it that CA can claim that f-secure is making it out as a huge threat when f-secure is quoted in the media as saying the opposite (from the same article "This is not a mass problem for all consumers,") and yet CA gets patted on the back and told essentially 'good call'...
mikko hypponen (of f-secure) gave a talk about mobile malware in september 2005 available on the f-secure weblog (http://www.f-secure.com/weblog/archives/archive-042006.html#00000850) where he clearly represents mobile malware as NOT being a huge threat (the vast majority of cell phones [96% i think?] are immune, most of the viruses can only spread to other phones in close physical proximity, etc)...
f-secure are not making it out as a huge threat, they actually agree that it isn't a huge threat (so far)... CA seem to be actually smearing f-secure here, not acting as a watchdog on our behalf...
Posted by: kurt wismer at July 26, 2006 10:23 AM
Kurt,
You make a good point. Honestly, my contention has less to do with F-Secure and more to do with general phone-malware hype (read: McAfee.) CA, although they probably have reasons of their own for doing it, is right to say that phone-malware is overhyped; although I agree with your assertion that F-Secure isn't as big an offender as someone like McAfee (maybe not an offender at all depending on who at F-Secure you pick.)
What irritates me are statements like "2006 is the year of phone malware" (McAfee) or "when the phone is the universal method for payment, phone-borne malware will be a huge issue" (paraphrase, McAfee).
From a rhetorical perspective in terms of defusing this whole thing, I think F-Secure should emphasize the point that you made (their message that it's not a huge catastrophe) rather than adhering to the reaction that they have had so far (for example, today's entry in their "news from the lab") where they keep hammering on how real the problem is...
Posted by: Ed at July 26, 2006 12:07 PM
today's entry includes the words "This means that the vast majority of phones are safe against current malware"...
there's a distinction to be made here - it's one thing to say that it's not a huge threat, it's quite another to say that there's no threat at all... f-secure are not going to say that there's no threat at all because the data they (and their customers) have says otherwise... also downplaying the threat too much could be an even bigger problem than hyping it up would be...
they're being moderate... they talk about the threat and acknowledge it's real without saying everyone is in danger - even in today's rant by mikko hypponen...
as for mcafee, i haven't looked closely at their claims - they may only be referring to the number of malware samples rather than the number of incidents... or not - they've been fairly controversial lately...
Posted by: kurt wismer at July 26, 2006 01:28 PM