Thursday, June 17, 2004

"Certified virus free" = snake oil

have you seen that message appended to emails or newsgroup postings that says it's "certified virus free"? did you believe it?

well, it's snake oil... just as sure as claims of 100% protection from all past, present, and future viruses would also be snake oil...

think about what it means - it's basically guaranteeing that there are no viruses present... ignoring the fact that you can't prove a negative, in order to say with certainty that there are no viruses present the scanner would have to be able to find all viruses in the first place and that's just impossible... detecting all viruses is reducible to the halting problem, an intractable problem in computer science, and this has been known for nearly 20 years...
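the self-reference argument behind that result, as an added example (not part of the original post): a toy model in which a "program" is a callable that returns True if it would replicate, and a "detector" is any function that returns True for programs it judges viral. all names here are hypothetical and the detectors are constructed for illustration.

```python
# Toy model (constructed): a program is a zero-argument callable that returns
# True if it would replicate when run; a detector maps a program to
# True (viral) or False (clean). Nothing here replicates anything.

def make_contrarian(detector):
    """Build a program that consults the detector about itself and does the opposite."""
    def contrarian():
        # Replicates only if the detector has declared this very program clean.
        return not detector(contrarian)
    return contrarian

def audit(detector):
    """Compare a detector's verdict on its own contrarian with the real behaviour."""
    program = make_contrarian(detector)
    try:
        verdict = detector(program)
    except RecursionError:
        # The detector tried to decide by running the program, which asks the
        # detector again, and so on: it never reaches a verdict.
        return "no verdict"
    actual = program()
    # For any deterministic detector, actual == (not verdict), so this is "wrong".
    return "correct" if verdict == actual else "wrong"

# Four constructed detectors, each a different strategy.
def flag_everything(program):
    return True                       # maximal paranoia: false positive here

def flag_nothing(program):
    return False                      # "certified virus free": misses it

def flag_by_signature(program):
    return "contrarian" in program.__name__   # pattern match on a known name

def flag_by_emulation(program):
    return program()                  # decide by observing behaviour

if __name__ == "__main__":
    for d in (flag_everything, flag_nothing, flag_by_signature, flag_by_emulation):
        print(f"{d.__name__:20s} -> {audit(d)}")
```

every detector that returns an answer is wrong about at least one program, and the one that tries to be right by watching the program run never answers at all.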

so that message you see getting attached to emails and newsgroup postings (whether your own or someone else's) is false advertising... the company behind it is lying to you... however good the product may be, it is not capable of making the determination that message implies and the company behind it should know better...

now you might be thinking "but kurt, it's just a little white lie to help boost sales. it's harmless."... but it is not harmless, it creates a false sense of security... infected emails can and have been sent out with such messages on them - in fact a virus or worm can easily put that message at the end of emails it sends out and there would be no way to tell it from an authentic 'certification'...

i'm tempted to be moderate; to suggest, as others have, simply turning that feature off... but i'm not really known for giving in to temptation - the feature is dangerous, it promotes falsehoods that contribute to over-reliance on anti-virus technology instead of practicing broader secure computing habits (safe-hex)... the only thing i can suggest is dumping such a product in favour of one that is more intellectually honest - at least until the company changes its ways (market pressure, after all, is what really promotes change in the industry)...
