30 votes

Jumpshot, a subsidiary of antivirus company Avast, is selling users' web browsing data to many of the world's biggest companies

19 comments

  1. [6]
    patience_limited
    I really don't have enough expletives for this.

    I have used paid Avast products on personal devices for a very, very long time, as they've been consistently effective in AV testing. Admittedly, that use came with a high enough index of suspicion that I never installed the browser "safety" plugin, and carefully combed through any permissions for "diagnostic" information.

    Edit: Spending a bit of time now uninstalling Avast and installing Bitdefender.

    Per the article, free Avast users are having their personal data harvested by the antivirus engine even if they don't opt-in to the browser plugin. This is so invasive that, to my mind, it justifies a perma-ban on all Avast products. Modern anti-virus/anti-malware products require permission to circumvent system component trust so that they can intercept and scan calls at the driver level, potentially including encryption module drivers. There's little or nothing the kernel does that AV software can't intercept.

    It's infuriating that Kaspersky AV could be banned in the U.S. as a national security threat, but Avast has been doing this under the radar.

    Before the usual tangent erupts, let me state that Linux users do have virus and malware problems. It's just that there isn't enough Linux desktop market penetration to justify as many consumer AV products for them.

    21 votes
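An added illustration, not part of the thread or of any product named in it: patience_limited's point that AV sits at the driver level can be checked on a Windows host with built-in tooling. The script lists the products registered with Windows Security Center, the file-system minifilters currently loaded (where on-access scanners hook file I/O), and the running kernel drivers whose Authenticode signer is not Microsoft. The productState bit decoding is a commonly used heuristic, not a documented contract, and fltmc needs an elevated prompt.

```powershell
# Added example: what is sitting between user space and the kernel on this box?
# Assumes Windows 10/11 with an elevated PowerShell session.

# 1. Products registered with Windows Security Center.
#    productState is a bitfield; bit 0x1000 set is commonly read as "real-time protection on" (heuristic).
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
    ForEach-Object {
        [pscustomobject]@{
            Name       = $_.displayName
            Exe        = $_.pathToSignedProductExe
            RealTimeOn = (($_.productState -band 0x1000) -ne 0)
            StateHex   = ('0x{0:X6}' -f $_.productState)
        }
    } | Format-Table -AutoSize

# 2. File-system minifilter drivers currently loaded. On-access scanners register here,
#    which is why they see every file open/write the kernel services.
fltmc filters

# 3. Running kernel drivers not signed by Microsoft. Anything here has kernel-level
#    visibility; decide for yourself whether you trust its vendor with that.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', ''          # strip the NT "\??\" prefix if present
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name      = $_.Name
            Path      = $path
            Publisher = $sig.SignerCertificate.Subject
            SigStatus = $sig.Status
        }
    } |
    Where-Object { $_.Publisher -notlike '*Microsoft*' } |
    Sort-Object Publisher, Name | Format-Table -AutoSize
```

Run the three parts separately if you want to compare before and after uninstalling a product; a clean uninstall should remove both the Security Center registration and the vendor's minifilter, and leftover drivers in part 3 are worth a second look.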
    1. [2]
      blitz
      The in-the-know security crowd recommends people stay away from antivirus products these days and instead focus more on keeping their devices up to date. Antivirus software seems to cause more problems than it solves.

      Techsolidarity's advice for congressional campaigns specifically recommends uninstalling antivirus products, because it "is like putting a hole in your stomach to monitor for food poisoning".

      There have also been reports of exploits using the hooks that AV systems put into the OS to achieve privilege escalation or sandbox escape.

      27 votes
      1. patience_limited
        Thanks for pointing this out. I've been aware of the issues for a while, but appropriately managing my own computers on a regular basis just slipped down the priority list. I updated regularly, but it seemed like there was always another 0-day and AV had to be better than nothing. :-/

        It was also a situation where corporate rules required AV on all computers on the network, including personal ones connecting via VPN or Citrix (which has its own issues these days).

        7 votes
    2. [2]
      babypuncher
      Honestly, as long as you're not an idiot, Microsoft's built in antimalware protection is probably more than enough. Windows isn't nearly the security disaster it was back in the days of XP.

      6 votes
      1. ali
I’d say you should always have an adblocker as well. Something to block JavaScript is good, but you just have to always keep it in mind because it will break a lot of pages, so I wouldn’t recommend it to everyone.

        3 votes
    3. knocklessmonster
I jumped when they kept advertising services after paying for premium. Did some research, and I consistently found the only issue with Defender was that it throws up false positives too often. Having dealt with that in Avast, it was a trade I was willing to make.

      2 votes
  2. Deimos
    Wladimir Palant has done a lot of security research related to Avast, and posted a related article today as well: Avast's broken data anonymization approach

    10 votes
  3. ubergeek
    No way. A company you pay to rootkit your machine does that, and then siphons information off to be sold.

    Kinda like the scorpion and fox, crossing the river.

    8 votes
  4. [10]
    cwagner
    IMO AV has one use only: For technically illiterate people who are prone to click random links, download and execute them.

    Common sense and having updated software is a better protection while not slowing your system down and not introducing new security problems (just look at the horrible bugs Project Zero found in AV software over the years).

For example my mother: I (a self-professed Apple-hater) had to help her update her new iPhone and restore her backup even though Apple is supposedly super easy to use (I hadn’t seen iTunes in years. Holy fuck, what a clusterfuck of a software. I thought Apple products had good UX?). I would not want her to surf the web without AV.

    8 votes
    1. [9]
      patience_limited
      "Technically illiterate" is a very unhelpful epithet in this context, and I wish people who have technical skills of some sort wouldn't engage in this kind of victim-blaming.

      If you went to a doctor, they probably wouldn't sneer at you for lack of epidemiology and infection control knowledge if you came down with 'flu; they might advise you to get vaccinated in future. They wouldn't expect you to become a doctor yourself to keep from getting sick; it's part of the basic exchange of specialized knowledge that keeps a complex society operating.

      Over the years, I've had to reverse-engineer malware, administer corporate patch management, mail systems, and firewalls, and try to train people in "secure" habits. There are so many ways vulnerabilities arise, not all of which are attributable to user behavior and knowledge.

      There's always going to be a valued application which still depends on an outdated Java or browser or even OS version that isn't being patched. (The FSF Windows 7 discussion is appropriate in this context.)

      In larger environments, there's always an open network share somewhere where permissions have been opened for a badly written package that can't handle cross-platform authentication. There's always an e-mail filter misconfiguration that lets some malicious attachments through. There's always a user who was so focused on doing their job that they didn't spend half an hour contacting support to verify the validity of that very authentic-seeming malicious message.

      There's always a user who installed an innocuous-seeming browser coupon plugin that suddenly starts downloading malware after years of harmless use. There's always the 0-day attack spread by an XSS implant on a legitimate website.

      The point of AV software isn't just to protect people from their own ignorant clicking and surfing behavior. It's to minimize damage as one layer of defense-in-depth (regardless of how competent users think they are) in an environment where everything, down to the hardware and networking protocol levels, has potential compromises. There are very skilled, motivated malicious actors probing for weaknesses; this is a classic evolutionary arms race.

      For Windows users, I've seen current advice that Windows Defender is adequate for signature and behavior-based detection/blocking. My experience has been, and some AV testers confirm, that other products are a little more effective, especially against mail attachment threats. There's also advice that Defender plus a dedicated anti-malware product (e.g. Malwarebytes) is effective.

      As to other environments, I've mainly been a casual user for the last few years and can't comment on state-of-the-art recommendations.

      9 votes
      1. [8]
        cwagner
        "Technically illiterate" is a very unhelpful epithet in this context, and I wish people who have technical skills of some sort wouldn't engage in this kind of victim-blaming.

        If you went to a doctor, they probably wouldn't sneer at you for lack of epidemiology and infection control knowledge if you came down with 'flu; they might advise you to get vaccinated in future.

        I’m not blaming anyone (but maybe the education system and even that doesn’t apply to my mom), I’m not sneering and I would certainly call myself medically illiterate and my mom has called herself technically illiterate.

Though now that I think of it, I should have used "computer illiterate".

        There's always the 0-day attack spread by an XSS implant on a legitimate website.

        Isn’t a 0-day still nothing that an AV actually catches?

        7 votes
        1. [6]
          ReapersGale
          Isn’t a 0-day still nothing that an AV actually catches?

          I would say for most consumer grade AV it wouldn't - maybe something like Cylance home would if it's using the same behaviour/execution chain analysis that the enterprise focused offering does. I'm not aware of any of the other NGAV offerings filtering down to consumer grade products yet which is a shame as the sensors tend to be really resource light.

          2 votes
          1. [5]
            ubergeek
You do understand that "Next Gen AV" is really a rootkit that ships your RAM contents off to the cloud, right?

            I'm not really sure how that is better?

            1. [4]
              ReapersGale
You do understand that "Next Gen AV" is really a rootkit that ships your RAM contents off to the cloud, right?

              1. I manage a deployment of Crowdstrike and know others that run Cylance (which I also tested whilst deciding on a solution) so I'm well aware of what data it gets, where it goes and how long it is retained for - I also know that the products as a whole are accredited for PCI, HIPAA, GDPR, etc.
2. I wouldn't call all antivirus solutions rootkits. The free tier of Avast in this case maybe, though their reason for doing so is likely due to not having enough paying customers to remain viable, and seems more within 'if you're not paying for it, you are the product' and less 'what do you expect, it's a rootkit'.

              I'm not really sure how that is better?

1. The sensor uses significantly fewer resources; the Crowdstrike sensor, for example, uses <10% of the resources of the previous solution we had deployed.
2. Better coverage than the 'old guard' solutions via exploit prevention, behavior/execution chain analysis, etc. I've watched it prevent Emotet getting a hold on a device whilst the remote Victorian hospitals' entire networks were getting hosed by it (they have now rolled out Cylance to help prevent a repeat of this).

I trust NGAV more than I trust the average user avoiding banking trojans and ransomware, and I trust those users more than the groups spreading the aforementioned.

              2 votes
              1. [3]
                ubergeek
                Antivirus software rootkits your machine, to intercept system calls.

                They are rootkits.

So, you know all of your data is being shipped to the cloud? SSH keys in memory, private keys for certs, password databases, etc. etc.

                That makes it better?

                Oh, and Experian is PCI compliant, SOC2, GDPR compliant too. They leaked.

I don't trust any rootkit on my machine. Even if the next-gen rootkit uses less local processing than prev-gen rootkits.

                1. [2]
                  ReapersGale
                  Antivirus software rootkits your machine, to intercept system calls.

                  They are rootkits.

                  I think you define the scope of a rootkit much broader than most would - but I'll leave that as it is.

So, you know all of your data is being shipped to the cloud? SSH keys in memory, private keys for certs, password databases, etc. etc.

You know they don't actually ship everything off to the cloud, right? The data passed to the cloud is what it requires to work (binaries written, binaries run, registry changes, DNS requests, IP addresses, etc.); it amounts to a few MB per day at most.

                  Oh, and Experian is PCI compliant, SOC2, GDPR compliant too. They leaked.

Experian's bread and butter isn't threat hunting, incident response, etc., though, is it? Though the reason I brought up accreditation was to contrast with Avast, which as far as I can see makes no such claim.

I don't trust any rootkit on my machine. Even if the next-gen rootkit uses less local processing than prev-gen rootkits.

                  Then don't - my initial comment clearly wasn't aimed at your use case.

                  1. ubergeek
                    I think you define the scope of a rootkit much broader than most would - but I'll leave that as it is.

                    Eh, I define it as any software that circumvents standard security controls built into your OS, and installs itself in between user space and the kernel, in order to inspect what the user is doing.

I think that's a bog-standard definition.

You know they don't actually ship everything off to the cloud, right? The data passed to the cloud is what it requires to work (binaries written, binaries run, registry changes, DNS requests, IP addresses, etc.); it amounts to a few MB per day at most.

That you know of. You cannot actually see what they are shipping off. Like with Avast: we now learn they were shipping off your data, and you never knew prior.

Experian's bread and butter isn't threat hunting, incident response, etc., though, is it? Though the reason I brought up accreditation was to contrast with Avast, which as far as I can see makes no such claim.

                    You brought up certain standards that such and such NGAV vendor complies with. Experian complies with those same standards.

                    Then don't - my initial comment clearly wasn't aimed at your use case.

                    That's fine it's not aimed at my use case. The problem is: It shouldn't be anyone's "use case" to ship your data off to the cloud, where you have control over it.

        2. patience_limited
The point is, end users are still expected to be far more knowledgeable about defense than they should have to be for the most basic uses of computing tools. Malicious e-mail attachments, mail sender spoofing, software signing certificate forgery, and a number of other evil tactics should be much harder to accomplish and less common than they are. Part of it is complacency; for instance, Intel knew about disturbance errors in the 1970s, and was warned about the possibility of Rowhammer-type exploits in 2012, but they're still being mitigated now.

          There's plenty of discussion lately about poor software craftsmanship, let alone engineering, and the factors which encourage this to continue.

There are multiple mechanisms of zero-day exploit blocking in current antivirus products, usually based on malware behavior detection and hardening the most commonly attacked system operations. The Enterprise version of Windows Defender, Advanced Threat Protection, has some of these features (it basically incorporates the older EMET hardening toolkit), but other products incorporate this in consumer versions, such as Bitdefender, Kaspersky, and Malwarebytes.

          Having worked in an organization that used a couple of different versions of enterprise endpoint security and whitelist-only tools (e.g. CarbonBlack), I can say that they're definitely better than Defender alone on an organization-wide scale, and probably required if you have to carry breach insurance. They will be a PITA to manage, and probably ding productivity a bit on false positives and support overhead when legitimate software installations take place.

          1 vote
  5. dblohm7
    Most AV is crap. If you’re on Windows, stick with Defender. The rest does more harm than good.

    I spent two years just working on undoing the crap they do to Firefox processes. Chrome devs have similar problems.

    4 votes