Grandpa’s Guide to IT (offense two)

What Antivirus Should I Buy?

(Please bear in mind that the opinions expressed here do not reflect the opinions of Xiitec or its partners. They are solely the opinions of the author.)

Another question I dread is “What kind of antivirus should I buy?” I hate the question for a number of reasons. The first is that if you are asking me this question it’s because you have my home phone number and have probably interrupted me while I am eating, playing video games, sleeping, or plotting how to make my users lives a living hell. (During office hours, users know better than to call me, or disturb me, or even think about me, lest they incur the wrath of the IT department. There is even a legend that if you say my name three times, a spirit of wrath wearing a disgusting old hoodie and unwashed jeans will appear and reformat your hard drive while calling you horrible names and disparaging your ancestry and sexual preferences. Then murder you, which I am assured is rather horrifying. Most would prefer that I did the actual murdering first.)

The second reason is that in order to answer this question properly, I have to explain a lot of things to you and eventually give you an answer that you will not like. And, to be fair, no one in the IT industry likes to admit this either. Antivirus is a necessary evil, but not for the reasons you may think.

An antivirus as a preventative tool is about as useful as holding a twenty foot piece of copper pipe in your hand while debating your atheism with a Jesuit in the middle of a field, just as a torrential rain starts. You think you are fine, and that your position is unassailable and then suddenly, you are not fine anymore. You are, quite frankly – shocked.

There, I have said it. Antivirus programs are not capable of protecting you from getting infected by viruses. They can only protect you from older threats (threats that are mostly nullified by diligent software updates anyway) and remove a virus once you have caught one. In many cases, even if it can remove the virus it detects, it will not fix the damage that the virus has caused.

I have often said that an antivirus program is an excellent preventative tool for actually getting any work done.

However, I need to qualify that statement. There are good reasons for buying an antivirus, but again, not for the reasons that the security marketing machine has been telling us.

I will start with a truism that is becoming increasingly relevant as we realize that the sheer scope of technological advancements we make are merely refinements of old ideas. Technology does not matter; people do.

Take for example, graphene. It is an utterly amazing development that was discovered by accident and it has the potential to be an extremely disruptive game changer. A transparent material, one atom thick, with two hundred times the tensile strength of steel, and is possibly the best conductor of electricity that exists before you start cooling materials down to zero degrees Kelvin. And what do we suggest we do with it? We think about using it to make our phone batteries last a few hours longer. We could finally get started on the research to build a space elevator and instead we decide to get excited about playing Candy Crush a little longer on long, boring flights.

Our imaginations are limited and new technologies tend only to be used to reinforce current ideas and processes. Our culture is so full of protections for the financial status quo that new ideas could actually be disastrous to our way of life. This has been true for all of our history. As a result, our greatest advancements have only been achieved in wartime (When the instinct for self preservation overrides all other concerns) or completely by accident.

If you were to go back in time to give your caveman ancestor a bit of a break by handing him an AK-47 and telling him that it is the miracle weapon that will make hunting easier and safer for him, he will thank you very much, and likely make fun of your clothing and awful accent. He will then listen carefully to your explanation of how to use the weapon, decide he has no idea what you are talking about, and make up his own mind to throw this wonderful thing at the first mammoth his tribe sees. Later, he will review in his mind how badly this went and wonder if he has a hard enough rock to smash the round, hollow bit on the end into something pointy enough that would actually work when he threw it. He may even begin to conceptualize about the existence of aerodynamics and may one day have descendents that will be responsible for inventing the TSA. (Speaking as someone who hates airports in general, perhaps you should have shot your ancestor with that AK-47. Speaking as a bitter, cynical, people-hating IT guy, most of you should go back in time and shoot your ancestors. My network would run so smoothly with all of those empty seats.)

This is true for software as well. We want the new version of ‘Pornography Parser’ to do the same things the old ‘Pornography Parser’ did. We are ok if the developers slap a new coat of paint on it, but customers will lose their minds if the ‘with mustache’ filter is moved under the deviant toolbar. “I don’t want to have to go and look for nude photos of women with mustaches, that’s why I bought your software-to do it for me. Why do I have to click on all these extra buttons for my Sasquatch fantasies? Might as well just do a google image search and not worry that the nice lady from the NSA will judge me too harshly.” Our usage patterns do not change and we tend to be easy to predict. (Why do password cracking programs use a sweep of every birthdate since the ‘30s? Because it works a disappointingly large number of times. We warned you about using your birthday as a password and we know you don’t listen. IT people understand that we as a species are united only by the fact that once we shuffle ourselves into a nice, comfy rut, we will fight to stay there.)

Another issue is that developers and programmers are often pressed for time. Many programmers see themselves as artists and many people who pay programmers do not. A programmer who loses himself in creation will often see the bright light of his masterpiece overshadowed by the dark specter of Accounting. “You know, all that time between keystrokes is actually non productive time. Time we are not making the money necessary to pay your exorbitant salary. If those keys aren’t clicking, we have several immigrants with no understanding of our labor laws waiting at the airport who will click them for you.”

This is partly why many programmers have a copy/paste library. They do not develop new code for old functions. Why reinvent the wheel every time you need a piece of software to do what the previous dozen versions did? It also helps with production meetings that start with the pathetically self justifying statement, “Why yes sir, I did write five thousand lines of code this week, as you can see here.” The most modern, overhyped piece of brand new software will contain a lot of what is called ‘legacy code’- which is industry shortspeak for, “That was in the first version. It works, we don’t know how. The guy who wrote it years ago had no idea why it worked either, and he never wrote anything down anyway. Not even his phone number, so we couldn’t call him to ask him about it. And our patent lawyers say we have to have it in there in case someone claims the rest was clearly stolen from Sourceforge.”

This is how you end up with development shops whose star programmers’ best claim to fame is their ability with Ctrl-C and Ctrl-V. As well as their ability to nervously hit the space bar and backspace keys repeatedly whenever a member of the management team ambles past their workstations. Hollywood’s portrayal of programmers whose hands fly all over the keyboard is laughably inaccurate for this very reason.

The point is that nothing ever truly changes. The same old mistakes get made over and over again for perfectly understandable reasons. The same fundamental way of organizing and laying out these complicated tools is done in a repetitive and predictable fashion. The same people who tore apart version one years ago are perfectly capable of tearing apart this latest version with only a little screwing around. The more familiar you become with both sides of this coin, the more you may find yourself losing your certainty that the security measures you have put in place are sufficient.

General George Patton shared my opinion of internet security in his own way. He said, ‘Fixed fortifications are monuments to human stupidity.” (And no, I didn’t read Bill O’Reilly’s book on the man. If I get my facts wrong, I want to get them wrong by using Wikepedia, not by giving money to a racist, ignorant misanthrope.) I am given to understand that he was referring to France’s Maginot Line and there are certainly parallels between France’s choice of defense and your computer’s choice of defense.

The Maginot Line does not deserve the contempt heaped upon it by armchair generals today because its role and the thinking behind it was poorly explained. The Maginot Line was an engineering solution to a number of military problems. One was the necessity of having a military deterrent scary enough to give an increasingly belligerent neighbor pause. Second was to maintain that deterrent with a much smaller trained pool of soldiers than France was able to field twenty-odd years before. (The horrific loss of two million young men in just a few years tends to take a few generations to recover from.) It was well designed as a defense in depth and Germany paid it the highest compliment it has ever received. Rather than actually deal with the damned thing, they decided to plow through a thick forest in another country as fast as they could and attack France without having to deal with it at all.

From an engineering and cost perspective, this was a very effective defense. It was the best security solution possible without committing considerable time and resources to a constant, active defense. (Or compromising on the amount of money France stole from Germany on an annual basis.)The Maginot Line was such an impressive obstacle that the bad guys devoted ingenuity and incurred considerable risk to go around it. Is it not reasonable to assume that your antivirus shares many of the same philosophical drawbacks no matter how technically sound it is or brilliantly written? It’s not like you can easily run an active defense by going to the nearest cyber café, picking a likely lad (pale, sickly, probably smelly, and with obvious social difficulties) and beating him until he agrees that even if he stopped playing World of Warcraft long enough to learn code, he would never dream of hacking you.

The software industry itself has inadvertently created the economic conditions that encourage the subversion of security. Microsoft, very famously and for example, refused to pay bounties or even acknowledge the decency of people who spend their free time discovering security vulnerabilities in their software. This was a long standing attitude of the company that was only changed in 2013. As a result of this misguided policy (companies do not become as wealthy as Microsoft has by giving money away.) amateur security researchers or skilled hobbyists with an accidental discovery found that actually being a decent internet citizen simply wasn’t worth their time. This gave rise to the Black Hat Auction.

It turns out that a vulnerability in software with a customer base in the millions is a very valuable commodity to some people. It is most valuable to governments, criminal organizations, or criminal government organizations (You may assume I am hinting at the NSA if you wish, but that horror has already reached the status of a tired old gag. I am actually referring to a government agency that refuses to allow my friends to sell the pot brownies they bake in their home kitchens.). Surprisingly, they are willing to sit together and bid competitively on newly discovered vulnerabilities. The best way to make quick cash for a struggling programmer in an economically depressed part of the world is to forget decency and see what these guys will pay for that gaping hole in a popular firewall product he found while trying to get his favorite game working.

So how do you feel about your security software now that you know that the holes in it are hot commodities on the black market? If you are not sure about the implications of that fact, imagine how you would feel to know that someone took a wax impression of your front door key and auctioned if off at a meeting of your local chapter of “The Pawnshop Procurers League”? Rather than take the risk of robbing you himself, a clever thief decided to make quick cash by selling the means to rob you. This is what the software vulnerability culture has become.

The problem is not technology; the problem is people and the choices they have made in using that technology. An antivirus is not a preventative tool. Nothing online is inherently safe. The only ways to make yourself safer are to keep up with software patches and updates, browse the web with a little cynical caution, understand the etiquette of online transactions , and best of all, strive not to become wealthy or successful so no one feels the need to bother with you. (This last part is so surprisingly easy it looks like almost everyone is doing it.)

This is not to say an antivirus is completely useless. I have described how and why you should adjust your expectations and realize that having an antivirus is about the same as taking antibiotics every day, hoping you won’t catch a cold. (For you non doctors out there, this is a pointless activity and actually damaging in the long term) It cannot prevent infections. It can try, and sometimes it succeeds, but it is a Maginot Line, the bad people are just going to go around it. It is not that hard, as I said before, all of the patterns that are useful to a hacker are well known and haven’t changed since since first reared its ugly head.

The real benefit of an antivirus is its signature database. This is a collection of mug shots that tell the program where the virus hides, what it looks like and how to kill it. A good antivirus is the best tool to kill an infection once you have caught it. The best reason to buy an antivirus is to have access to this research. For the same reason you will buy an album from an artist you like, even though you can download it for free, you should buy an antivirus to help support the good work the security researchers do. Those guys are rock stars.

When you ask me “What kind of antivirus should I buy” I hear that as “Help me figure out the best and cheapest way to do what everyone is telling me to do.” and with my typical non answer, I interpret that in my mind as “Is there a technological solution to what is basically a people problem.” So of course I say no and I just spent at least twenty minutes of your time telling you why I said no. So I go back to my old standby of “Buy whatever you like” with the unspoken caveat, “It doesn’t matter anyway, but rest assured I can help you deal with the consequences of any choice you make.”

We are IT, we are most helpful when it sounds most like we are doing our best to avoid being helpful.