• United States



Lightning-Rod Men

Nov 21, 20069 mins
CSO and CISOData and Information Security

What happens when vendors fight over your desktop security

I cant say for sure, but heres what I think happened to my home PC. One day, Windows updated itself, and the update seems to have automatically turned on Windows Security Center

the program that controls Windows Firewall and other security settings. I had long ago turned off this feature, because I use other security products and, frankly, I got tired of a pop-up bubble telling me my computer might be at risk when I knew it was notat least not more than any other machine connected to the Internet.

When I logged in after this update, the red shield with an X in itthe icon used when Windows has decided your PC security needs attentionwas back in my task bar, and a balloon popped up informing me that my computer might be at risk. Click this balloon to fix the problem, it said, but it also included an X in the corner to close the window. I Xed out.

But at the same time, a dialog box from Norton popped up. The Symantec alert read: Your computer is at risk in the following areas: Firewall protection is turned off. This was not true. I had a firewall running, just not Nortons or Microsofts. The note instructed me: Open your Norton product to resolve this issue. I opened my Norton product, which showed me in bright green which Norton products were turned on, and, in bright red, which ones were disabled. It urged me to buy an update to its antivirus service and turn on features I had chosen to turn off. I closed my Norton product without making any changes.

But I couldnt X out of the warning message, which was still on my screen. At the bottom of the warning, there was an unchecked box next to another message: To prevent duplicate status alerts, use my existing Norton product alerts and turn off redundant Windows Security Center alerts (recommended). The vendors, it seemed, were fighting over who got to tell me my PC was insecure, even though it wasnt!

I checked the box to prevent duplicate alerts and clicked the OK button at the bottom, the only way to remove the box from my screen.

But the same message popped up again. I hit OK. It popped up again. I hit OK. It popped up again. Every five seconds the box popped up. So I left it there, and disabled Norton Auto-Protect (antivirus) in my task bar, hoping it would stop the message from popping up. Five seconds later, the warning popped up again. I huffed, and the Windows balloon popped up again. I Xed out again and tried to right click on the red shield icon in the task bar to disable it, but no such option was available. The Windows balloon popped up again. I grunted. Your computer might be at risk, Anti-Virus Software may not be installedbecause I had just disabled it. Click this balloon to fix this problem. Peeved, I clicked the balloon, hoping I could find a way to disable something, anything long enough to check my freakin e-mail.

In retrospect, its funny. Programs ostensibly trying to protect me were driving me to dispense with security so I could get something done!

Anyway, it went on. I ended up on in a box that said, in an alarming amber color, Check Status [Name of firewall I use] Status Unknown, even though my firewall was sitting there in my task bar, running fine. Still, I played along and clicked Check Status, which didn’t actually check its status but rather brought me to a box for Windows Firewall that said, Your PC is not protected: Turn on Windows Firewall. Underneath that I had two options; one had a bright green shield with a check mark inside it: ON (Recommended). This option was preselected for me. The other option had the red shield with the X in it. OFF (Not recommended) Avoid using this setting. Turning off Windows Firewall may make this computer more vulnerable to viruses.

I growled and went back to the previous screen with the amber Check Status alert, where I could also Click recommendations to learn how to fix this problem.

The recommendation was to Make sure your firewall is turned on. IT WAS!

But Im a reasonably savvy user. Those not in the know got no other information on ways to pursue that course of action. The second option said, Turn on Windows Firewall for all network connections with a button next to it, ready to be clicked, which read Enable Now. Under that, an unchecked box sat next to the message, I have a firewall solution that I’ll monitor myself… That was the box I had checked months ago to stop those pop-up balloons from appearing. Why was it unchecked? And the Norton message was still popping up. I slammed my mouse hard!

In 2003, in Lafayette, Colo., a man named George Doughty reportedly walked into the bar he owned, put his laptop computer on the floor, announced to patrons that he was going to shoot it and suggested that they cover their ears. Doughty then unloaded four rounds from his Smith & Wesson on the hapless Dell and hung its carcass on the wall like a prize buck. Later he apologized (to his patrons, not his PC), but he never said what had provoked him, only that shooting his computer seemed appropriate at the time. A half-hour into my battle with security products, I understood Doughty’s impulse. I actually fantasized about hurting my computer. Hey, it seemed appropriate at the time.

But unlike Doughty, I will say what provoked me: competitive forces in security. Many, many companies large and small can offer you similar commodity desktop security services: firewall, antivirus, antiphishing and so forth. But their success relies on your choosing to use their products, or more precisely, on their ability to get you to choose their products whether you know you are or not. In the fight for your allegiance they will employ ever more Machiavellian tactics. The idea is to use whatever means necessary to make you uncertain enough that you’ll click on the button that will automatically switch you over to a single vendor’s firewall, or antivirus or whatever.

To nab you, the vendors will use the tricks of the marketing and advertising trades: visual cues, fuzzy language, product placement and outright lies, all of which could be found in my 30-minute battle with my PC. Start with the lies: I was told by a product that Firewall protection is turned off when it was not, and Your PC is not protected when it was.

But they also tried to instill doubt in me by stretching the truth. Configuration settings were consistently labeled a problem, and my computer was said to be at risk when in reality neither was true. The problem was that I was using someone elses software, which was Not Recommended. Inevitably, the recommended product or configuration was the one that involved products from the vendor whose dialog box had popped up. At any rate, recommended configurations were made easy to execute, with an Enable Now button or a check box that turns off the competitors product, while alternative configurations were made difficult.

Whats more, the security configuration I had chosen for my computer (not recommended) was represented by a dangerous and negative-looking red shield with an X in it, versus a recommended configuration represented by the safe and positive-looking green shield with a check in it. Despite the fact that my configuration was valid and not provably less secure, it was being made to look less secure, indeed insecure.

Such tactics certainly are not new; companies with warring multimedia formats battled for years this way, trying to coax, lure or flat-out dupe users into making one media player and its format default on a PC, thus blocking out competitors audio and video software and formats. For an even earlier version of such tactics, one that fits the security market well, see Herman Melvilles parable The Lightning-Rod Man. In that story, a gravely hysterical salesman arrives at a mans door during a thunderstorm selling lightning rods.

Only one rod, sir; cost, only twenty dollars. Hark! There go all the granite Taconics and Hoosics dashed together like pebbles. By the sound, that must have struck something. An elevation of five feet above the house, will protect twenty feet radius all about the rod. Only twenty dollars, sira dollar a foot. Hark!Dreadful!Will you order? Will you buy? Shall I put down your name? Think of being a heap of charred offal, like a haltered horse burnt in his stall; and all in one flash!

The narratorthe prospective customeris having none of it, though, and sends the man off into the dreary storm without being scared into buying a lightning rod. If only it were so easy on your computer. What the software vendors have in addition to the lightning-rod mans fear play is automation and technical arcana that make it hard for the customer to control the sales process. Imagine if there were three or four lightning-rod men, and they carried out a battle in the narrators house, and even used his house to demonstrate their products, and planted their rods in his roof without permission or by coaxing his permission without his realizing it. And then one said that the way his competitors rod was affixed was not recommended and said you were thus not protected even if you were.

The security vendors, one suspects, will be more successful co-opting PC users allegiance than Melvilles antagonist was co-opting the sale of a lightning rod. It will get worse as the competition over desktop security gets more intense with the release of Windows Vista next year. Already other vendors are carping about antitrust implications of more security features being rolled into the OS. So have no illusions. As Melvilles narrator says, But spite of my treatment and spite of my dissuasive talk of him to my neighbors, the Lightning-rod man still dwells in the land; still travels in storm-time, and drives a brave trade with the fears of man.

Let me know what you think about this topic at