Part of staying secure involves recognizing and rejecting bad advice

A couple of days ago, I came across a blog post by former Mozilla developer Robert O’Callahan that harshly criticized makers of antivirus software. “[I]t’s safe for me to say: antivirus software vendors are terrible; don’t buy antivirus software, and uininstall [sic] it if you already have it (except, on Windows, for Microsoft’s),” O’Callahan declared in his opening paragraph, going on to contend that many Internet security and antivirus suites don’t add value, are not themselves kept updated, and prevent the browsers and operating systems they’re supposed to protect from running smoothly.

By the time I got to the end of O’Callahan’s first paragraph, I was appalled. Urging people to avoid using or installing Internet security and antivirus solutions is terrible advice. Left undefended, a typical Windows or Mac installation is susceptible to all kinds of threats, including viruses and ransomware. I make a point of telling my clients that having a best-in-class Internet security suite installed is one of the most important ways they can mitigate their risk.

Notice I said “best-in-class”. Contrary to what O’Callahan says in his post, not all antivirus and security products are created equal. Much of what’s available for sale or download would not earn my recommendation.

I advise clients that it’s not enough to just have any old Internet security product installed; it should be an application that independent testing has shown can actually offer a user valuable protection.

The two firms whose software has generally performed best in the independent tests I’ve seen are Kaspersky and Bitdefender. I prefer Kaspersky’s Internet Security suite, and am a paying subscriber.

Kaspersky nowadays sells multi-computer subscriptions as part of a package deal for a reasonable price, which means you can get all your family’s computers protected by buying just one plan. Their suite includes a robust firewall and antivirus engine, plus some other extremely useful tools, including Safe Money, which can stop you from falling victim to phishing attacks.

The latest version of Kaspersky Internet Security for Windows has a killer feature that I absolutely love: it scans my Windows operating systems for outdated plugins and third-party applications and offers to update any it finds without my having to do anything.

I keep a lot of what I have installed updated with Ninite, but Ninite won’t update *all* the non-Microsoft software on my computer. Kaspersky is now flagging updates I can’t install through Ninite and allowing me to install them with a couple of mouse clicks. I love that.

Kaspersky Internet Security is well-behaved and generally does not get in the way of my other applications. I do not use the Kaspersky add-on for Firefox because I already have NoScript, CookieSafe, RequestPolicy, Privacy Badger, uBlock Origin, and HTTPS Everywhere installed. These add-ons collectively serve as my browser armor and help protect me as I surf on a daily basis. But I consider Kaspersky Internet Security essential, too.

In my own testing, the scanner and antivirus engine have done very well. If I mount a volume with malware specimens on a virtual machine Kaspersky is installed on, it will quickly notice the specimens and warn me that it’s found malicious objects that should be quarantined or deleted.

Kaspersky’s Alexey Malanov saw O’Callahan’s post too, and took issue with it here. His criticisms of O’Callahan’s criticisms are spot on, and worth reading.

“In 2016, Kaspersky Lab solutions repelled 758,044,650 attacks launched from online resources located all over the world,” Malanov notes. “Web antivirus components recognized 261,774,932 unique URLs as malicious and detected 69,277,289 unique malicious objects (scripts, exploits, executables, etc.). Encryptors targeted 1,445,434 computers of unique users. Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 2,871,965 devices.”

O’Callahan’s post includes a number of sweeping generalizations that are not backed up with any evidence, like this one:

AV products poison the software ecosystem because their invasive and poorly-implemented code makes it difficult for browser vendors and other developers to improve their own security.

Towards the end of his rant, O’Callahan does link to a 2012 post by Nicholas Nethercote criticizing McAfee (now owned by Intel) for getting in the way of Firefox. But he never calls out McAfee specifically in his own post.

I am not a McAfee fan either, and would not suggest anyone use their products. Fortunately, there are superior offerings available from firms like Kaspersky and Bitdefender that have earned “Outstanding” ratings in independent tests due to their effectiveness in thwarting threats.

If you’re not happy with your current Internet security suite, you should look into getting a better one as opposed to going unprotected, as O’Callahan unwisely recommends. Merely installing updates from Microsoft and Apple as soon as they’re available won’t protect you from ransomware, viruses, or phishing attacks. But a best-in-class Internet security suite can. Be sure that you have one installed on your computers and those of your loved ones.

How *not* to patch a security vulnerability

If you’re a vendor… don’t do what Fiat Chrysler did:

Fiat Chrysler has started distributing a software patch for millions of vehicles, via a USB stick sent in the post.

In July, two hackers revealed they had been able to take control of a Jeep Cherokee via its internet-connected entertainment system.

The car firm has been criticised by security experts who say posting a USB stick is “not a good idea”.

It’s hard to believe a company like Fiat Chrysler could be this boneheaded about security. But somehow, this ridiculous plan to send USB sticks out to Jeep Cherokee owners got greenlit. Some 1.4 million Jeeps are said to be affected by the aforementioned vulnerability, which is a lot of vehicles.

Fiat is making a bad problem much worse, as Pete Bassill explains:

“This is not a good idea. Now they’re out there, letters like this will be easy to imitate,” said Pete Bassill, chief executive of UK firm Hedgehog Security.

“Attackers could send out fake USB sticks and go fishing for victims. It’s the equivalent of email users clicking a malicious link or opening a bad attachment.

“There should be a method for validating the authenticity of the USB stick to verify it has really come from Fiat Chrysler before it is plugged in.”

He said that using a device like this had wider implications.

“Hackers will be able to pull the data off the USB stick and reverse-engineer it. They’ll get an insight into how these cars receive their software updates and may even find new vulnerabilities they can exploit,” he told the BBC.

Fiat did issue a voluntary recall, allowing owners to bring affected vehicles into dealerships to get their firmware upgraded. They should have left it at that — if pushing out updates over the air wasn’t possible. Perhaps Fiat went with USB sticks thinking it would be an inexpensive way to help their customers update their vehicles’ firmware. But in the long term, I imagine it’s going to be more expensive, because of the can of worms they’ve opened for themselves.