Thursday, March 30, 2006

flexispy vs. the anti-malware industry

if you haven't heard about flexispy (the first spyware trojan for symbian cell phones) then i'd suggest reading about it here and here...

i don't really think it's all that interesting that someone has finally made spyware for cellphones - what i think is amazing, however, is that a member of the commercial spyware industry (vervata) seems not to understand why their product (flexispy) is being called a spyware trojan by f-secure...

imagine, you make software that you yourself call a "spy application" and then don't understand why people call it spyware... hello!?!? it's software that spies on you, what do you think people are going to call it?... are these guys for real? well, either they really don't get it, or they think that there are enough other people who don't get it that it's worth it to bother making such a ridiculous argument...

but why is that? well, i think it serves as a strong indication that the anti-malware industry/community in general, and the anti-spyware industry/community in particular, have failed the public in an important way... they've failed to make the threats understandable to ordinary people... look at the anti-spyware coalition's glossary, is their definition of spyware as straightforward as 'software that spies on you'? no, in fact they have 2 separate and contradictory definitions, one of which makes spyware an umbrella term... i've already blogged about stopbadware.org's use of a colloquialism from wikipedia as their definition for spyware, and then there's sunbelt's listing criteria that i was recently made aware of and which is about as easy to read as an end user license agreement unless you already have some familiarity with the malware field...

how are people supposed to get this stuff with literature like that? if it were common knowledge that spyware is software that spies on you then vervata would have no reasonable way to claim ignorance, much less argue the point... and if it were common knowledge that trojans are programs that do bad things you thought they didn't do, then vervata also should have known that their product (which fails to disclose its true nature) can be made into a trojan simply by saying it's something good, or by installing it on someone's phone and leading (or leaving) them to believe that everything on the phone is normal...

of course, i'm not all about pointing the finger at other people here... while writing this i've realized that even my own definitions could stand some improvement in this area... as much as i try to make the definitions themselves short and sweet (with explanations afterwards for those interested in more detail) they could still be simpler and retain their correctness at the same time... i think we need to compose our definitions as if we were talking to 4 year olds, not because people are stupid but because most simply don't have enough of a foundation here to grasp our meaning when we write for other people in the anti-malware field... i think if we really understand what we're talking about then that shouldn't be too difficult a task... so i guess i'll be tweaking some existing blog entries in the not too distant future...
