Initial thoughts on Malwarebytes versus IObit


Malwarebytes accusation that IObit has infringed on their intellectual property has received a bit of attention in news and and blogs, and a good deal more discussion about what happened—or did not happen, or may have happened—is occurring in various web forums and mailing lists. 

Having worked in the anti-malware industry for a number of years (even so far back as *gasp* when it was called the anti-virus industry) I had some small interest in the matter, however, I have more interest, frankly, in clearing up what I see as a lot of confusion.  So, just to be clear, the opinions expressed are my own, and not those of my current or any past employer.  If I got something right, or there’s a part you agree with, that’s probably because of something I learned from one of my smart co-workers.  If, on the other hand, I got something wrong, or you disagree with it, violently or otherwise, well, that’s probably my fault.

As I understand it, there seem to be several related issues:

  • Malwarebytes has accused IObit of copying a percentage (up to 100%, it appears) of MBAM’s threat signature database and including it in IObit Security 360.
  • Malwarebytes has accused IObit of identifying threats using the exact same names that Malwarebytes uses to detect those threats.
  • Malwarebytes has salted their threat signature database with signatures for nonexistent threats, and claims that IOBit Security 360 detects files containing those signatures, identifying them with identical (or nearly identical) names used by MBAM.
  • IObit has stated that the detection of one of the salted false positives occurred because it was sent to them anonymously and that they used the name of the file as it was uploaded to them to identify it in IObit Security 360.

The anti-malware industry shares samples, meta-data about samples and for high-profile threats may share information such as reverse-engineering and detection techniques.  Anti-malware companies even swap product licenses with each other:  It can be helpful to prioritize the incoming firehose of samples not just with your own internally-developed tools, but with a competitor’s products as well.  These relationships often extend back for years and decades, and they continue to go on, unabated.

There is, however, a difference between copying a competitor’s naming conventions in toto, which indicates many things about the copier, such as laziness and not having enough resources to properly conduct threat identification, and reverse-engineering a competitor’s product to decrypt their signature database and import it into yours, which may be a civil law or a criminal law (or both) matter.

There’s nothing particular novel or new about what Malwarebytes has done with salting their threat signature database.  When I was at my previous employer in the anti-virus field, we regularly added fake entries to our virus signatures, and when those signatures appeared in competitor’s products, we had discussions with them.  Generally, all it took was a phone call (or a fax) to stop that behavior.  Those were done privately, though, and never reached a point where lawyers (or the public) had to get involved.

One thing I hope everyone keeps in mind is that this is a very complex issue, not just from a technical and legal perspectives, but from cultural and perhaps even geopolitical ones as well.  I believe Malwarebytes is an American company and IObit is a Chinese one.  As such, it very possible that IObit’s employees do not communicate as effectively as people who are native English speakers. If you are a native English speaker and reading this, think about how difficult it might be for you to respond to message in Cantonese or Mandarin.

I suspect this is ultimately going to be settled in a court of law, or at least by lawyers, rather than in the court of public opinion, and would caution people to try and take a cautious and balanced view of the issue until then.


Aryeh Goretsky

Horowitz, Michael. ComputerWorld Blogs – IObit accused of stealing from Malwarebytes.
Kleczynski , Marcin. Malwarebytes blog – IOBit’s Denial of Theft Unconvincing.
Landesman, Mary. About.Com – IOBit Steals Malwarebytes’ Intellectual Property.
Mills, Elinor. CNet News – Malwarebytes accuses rival of software theft.
unknown. IObit blog – Declaration from IObit
unknown. Malwarebytes blog – IOBit Steals Malwarebytes’ Intellectual Property.

REV. 2009105.2312

Leave a comment

Filed under Computers and Internet

Back from Gnomedex 2008; or, there’s no place like gnome

Oddly enough, I shall start my report of Gnomedex 2008 not with how it began, not with how it ended but with what happened after I returned home to California.
I missed my flight back at 7:00AM, but was able to get on a later one at 9:30AM without a problem.
My baggage did not arrive on the flight.
Nor did it arrive on the 2PM flight.
Or on the 4PM one.
A little after 4PM I received a call on my business cellular phone from a number with a 512 area code. 
For those unfamiliar with that area code, it is for Austin, Texas.  Presumably, it is for the surrounding metro area as well, but in this case, the caller was from Austin.
It turns out, though, that she was in California, too.  Except 120 miles away from me.
She had mistakenly grabbed my bag and driven away without checking the luggage tag.  Or the claim ticket put on my bag by Alaska Airlines.  She flew Southwest, by the way.  The claim ticket is the thing which airports tell you to check with signs that say "bags look alike, check the tag before leaving" on signs above the baggage claim carousels.
Anyways, she asked me if I would drive back to the airport, pick up her bag and drive out to meet her boyfriend half-wayish.  I had gone back to the office to await calls from and to place calls to the baggage claim office at the airport, which is near the office.
Wanting my luggage as quickly as possible, I went to the airport, collect her luggage and began the drive east.
A funny thing now:  The luggage I had purchased was a Tumi Ducati Expandable Wheeled Packing Case Suiter.  It was actually not my first choice for a bag, because it is black (which I like) with red panels and silver trims (which I didn’t particular care for) but after a while, I had grown fond of it precisely because it did not look like other people’s luggage; I could rest assured that when my bag came off the conveyer belt to the carousel that the one that looked like that was mine, all mine.  I still always look at my luggage tag, though.  It’s a reassurance thing.  If I turn it over and can see my business card, I know it is mine.
It turns out the woman who took my luggage probably felt the same way.  Her bag was smaller than mine, though.  A lot smaller.  And it didn’t have a luggage tag on it; or at least it did not have a luggage tag on it like mine where I had placed mine (they anchor to a grommet on the side, not on the top).
I met her boyfriend about 30 miles out of town—he said he was enjoying driving their rented car—and performed the exchange of prisoners on the side of a highway on the border of the Sonoran Desert.  He was very apologetic and even gave me some gas money, which was very kind.
On the way home, and through today (this happened yesterday) I reflected on the maxim of the "many backs look alike" signs one sees at airport carousels.  Many bags do look alike, but perhaps the most deceptive ones are those that appear not to at all.  Luggage is a commodity item, and unless you’ve handcrafted or customized your own luggage, it is likely there is another piece out there that the looks the same somewhere.
Yesterday, I learned that appearances are pretty superficial, especially for luggage. 
The larger lesson in life is to not be too trusting of the familiar; that was a lesson I observed was again, this time today at work but in a much different context.  But that’s another story for another day.

Leave a comment

Filed under Uncategorized

Before you install Vista SP1…

An acquaintance of mine who is a prolific vlogger collects user-submitted tips and records them. 
Normally, I do not do those kinds of things—I am more of a web-based forum-kind-of-guy—but I thought it might be fun to share (and perhaps expand a little) on the email I sent him.

A quick run down on things one might want to do before installing Microsoft Windows Vista Service Pack 1 on your computer:

  1. Before making any major changes to your system, it is always a good idea to back up your valuable data files.  Vista includes a backup utility you can access by clicking on the Start Orb and typing "backup" into the Search field, or by using a Vista-compatible backup program such as Acronis True Image, NovaStor Novaback or Symantec Ghost.
  2. Download and install the latest device drivers for your computer’s hardware. Device drivers are small programs that allows your computer’s hardware to talk with the operating system.  When a service pack is released Microsoft sometimes makes small changes to the operating systems that can cause some device drivers to perform slowly or not work very well.  Check with your computer manufacturer or hardware vendor to see if any of the following have updated device drivers:
    • hard disk drive controller (especially if you use an add-on SATA or SCSI expansion card)
    • fingerprint reader (very important if you use one to login to your computer or protect the information on it)
    • network interface card
    • motherboard chipse
    • sound card
    • video card

    and so forth. Also, if you have an OEM-branded computer from a company like Dell, Hewlett-Packard, Lenovo, Toshiba and so forth, check with them to see if they have any prerequisites for installing the service pack.

  3. Any software which interacts with Vista at low level may need an update as well.  Examples of software that might need to be updated include backup, CD and DVD creation software, disk defragmentation and security software such as antimalware and firewall.  Be sure to check with the authors of these to verify compatibility with Service Pack 1.
  4. Check your hard disk drive for errors before installing the Service Pack.   To do so, double-click on the Computer icon on your Desktop to view the hard disk drive, right-click on it to make the context menu pop up, and select Properties to open the properties window for the hard disk drive.  The command to check the hard disk drive for errors is located on the Tools tab.
  5. Defragment your hard disk drive before installing Service Pack 1 for Windows Vista.  Installing a service pack can be a lengthy and disk-intensive process as the service pack updates the all of the files which make up the operating system.  Defragmenting the hard disk drive reorders the files on the hard disk drive which can speed up access to them.  Vista includes a disk defragmentation utility you can access by clicking on the Start Orb and typing "defragment" into the Search field, or by using a Vista-compatible defragmentation program such Diskeeper’s Diskeeper, Golden Bow VOpt or Raxco PerfectDisk.
  6. If you do need to disable your security software before installing Service Pack 1, remember to re-enable after the service pack is finished.  Normally, this is not an issue since modern security software tends to co-exist with installing a service pack and the Windows Security Center should notify if your security software is disabled, but it is a good idea to keep track of such things, just in case.

Remember, it may take some time for the service pack to finish installing, especially if you have an older computer or many files on yours.  Be patient as it may take several hours to complete.

This list is just something I put together and is far from complete.  What tips do you have for preparing a system for service pack installation?

Leave a comment

Filed under Computers and Internet

It is not every day that you have an epiphany…

It is not every day that you have an epiphany… even if it is kind of just a small one, the type you can have every day and carry around in your pocket.
There was a phone book sitting on my doorstep this morning as I left my apartment.
At least, I assume it was a phone book.  It was a plastic bag with the familiar AT&T logo on it, and it was definitely filled with something about the size of a phone book.  When I moved it little bit more out of the way with my toe as I exited my dwelling, it felt like a phone book, weighed as much as one.  It even moved like one—slowly, they way you would expect a dense, weighty book crammed into a plastic bag.  When it settled after I had moved it out of the way so I could leave, it even sounded like what I thought one would sound like:  A thump of a noise, felt as much as heard as it shifted off my doorstep and onto my doormat.
It wasn’t that I was so much late for work—it was only 10:45AM or so (I do odd things, so must work odder hours in order to Get Things Done)—but it was in the way, and I needed to get to work then (or now, as I thought it was when this occurred). 
Anyhow, I got home around 11:00PM or so after an interesting and exciting but yet otherwise unremarkable day, and on my way into the apartment, lifted the phone book off the doormat and placed it down as quickly as I could inside, which, in this case, meant next to a floor lamp next to the door. 
Almost on top of another bag:  One of the same size, with the same (or at least, very similar) AT&T phone company logo on it.  The colors were right on, but I didn’t check to see if the typfaces or messages on either bags were different from each other.  And didn’t really stare at the logo at all.
I ended up angling the bags so the first one lay half-atop the other, like big, phone book-in-a-bag-shaped dominoes.  That was because that suited my particular need for symmetry.  I wanted them to look like that, otherwise it would just look like a stack of probably-phone books (in bags).
It wasn’t until I walked into my kitchen area (it is only a few steps away) that I realized what I had done—not just what I had done, but, how, at the moment, everything had changed, and it just kind of clicked at that moment.
Growing up, through my life, the Phone Book was a wonderful thing.  Not just a wonderful thing, but a marvelous thing.  Through the Phone Book, you could access any sort of information at all.  You could call Toys"Я"Us and find out what time they were open ’til.  Or a hobby shop.  That is a very important thing to know when you have a birthday.  Or it is the holiday season (which some people vulgarly refer to by holiday name).  Not only could you call any store and find out their hours, you could get driving directions, too.  It was not just limited to calling stores:  Through the Phone Book, you could call libraries and find out what hours they are open if they had certain books in stock, even ask the Librarian a Reference Question.  Or Reference Questions.  There were also state and national maps, information on what to do in case of an emergency (earthquake, fire, invasion) and the phone numbers for all of the important government agencies, like City Hall, the Fire Department and the Secret Service, plus all the unimporant ones, as well.
As I grew up, the Phone Book remained a valuable tool:  Through it, I could obtain everything I needed, be it hardware, software or office supplies.  Even though I got business cards from the companies I dealt with (which I kept in little boxes like little miniature filing cabinet drawers, organized by people’s names, companies and phone numbers), there was always the Phone Book to fall back upon.  Oh, the business cards were useful, too, since we didn’t have every phone book, especially out-of-state ones.
The Phone Book was just a way to get access to any sort of information, anytime, and then get more information if it was during business hours.
At some point, this must have changed.  I don’t remember when.  The mid-to-late 1990s, perhaps?
I remember, back at home—my home, not the place I happen to live right now—I have my telephone with integral answering machine sitting on top of a phone book to make it easier to reach.  That particular phone book is probably approaching ten years old, now.
But, flash back to my apartment, the current place that I live, with its floor lamp by the door and its Phone Books sitting like knocked-over dominoes.  At least I assume they are Phone Books.  I didn’t really look inside the bag at this new one, and if I did for the last year’s, than I have long forgotten what was inside of it. 
I guess that kind of makes them Schrödinger’s Phone Books, doesn’t it?  I won’t really know whether or not they are phone books (let alone Phone Books) unless I look inside, but, frankly, I can’t see any reason to.
With the Internet, with search engines like Google and Yahoo! and even Microsoft Live, not to mention things like the Verizon Super Pages and AT&T AnyWho, which really are Internet-enabled Phone Books (or Phone Book-enabled inter-networks, I forget which), there does not seem to be that same pressing need to have a Phone Book, anymore.  To see what’s new and what’s gone, who’s moved and who has new hours and new phone numbers.  Or to pore over this year’s (or next year’s) new area code charts.
I mean, I supopse they are useful if the power is out or you need to look up some emergency information in case of an earthquake, fire or an invasion, but, well, you don’t necessarily do those things that often.  And in the case of a power outage, well, these days I have VoIP service from my cable provider as part of their "triple play" package, and I’m not sure how long their CO (or its equivalent) will stay up.  My cable modem has its ATA built-in, and both it and my residential gateway are on their own, dedicated UPS (~600W/1000VA) so I’m not too worried about them, but cable is a good eight or nine decades younger than telco, so I don’t have high hopes for its reliability.  Then again, you never know.  Anyways, I digress…  the point of this is not to talk about my phone sevice.
So, now I have two Schrödinger’s Phone Books, not just one, and the point of that is that what once had a great deal of relevancy and importancy in my life no longer does, and that has so many applications on so many different levels it is just frightening:  I can’t imagine I’m the only person who felt that way about the Phone Book, although I don’t know if there others who saw it the way I did.  What happens to the phone book industry and the people in it, and does anyone care?  On a more macro scale, this is just one of a nearly infinite numbers of skirmishes between the old new-old Bell System and the new Internet companies, as exemplified by Google.  Fundamentally, circuit-switched network economies don’t scale to packet-switched ones [network economies], and while, right now, it seems the telcos have the upper hand, I do not expect it to stay that way forever.

1 Comment

Filed under Uncategorized

One of the Randy’s has a blog.

I know several people named Randy.  One of them is my friend and co-worker Randy Abrams. 
I just found out today that he has his own personal blog called In The Unlikely Event… .  Unsurprisingly, much of the recent content is devoted to travelling.  Randy spends far too much time on planes.  He also puns too much (yes, pun can be a verb, and the verb can be abused), but that is a separate issue.  Randy has had—and continues to have—a very interesting experiences, and I am sure some of that will come through as he writes more entries. Recommended reading, especially since he’s been keeping the puns at a minimum, so far. *grin*
Now I guess it is up to some of the other Randy’s to start blogging.

Leave a comment

Filed under Uncategorized

Back from Virus Bulletin 2006

I spent last week in Montreal, Quebec Canada at Virus Bulletin 2006, which, as the name implies, is run by Virus Bulletin magazine, the anti-virus industry’s trade journal.  Despite having worked in the anti-virus industry from 1989-1995 and now from 2005 onwards, this is the first time I had ever attended this event, which made it, well, special, to me. Interestingly enough, what we define as a "classical" computer virus, a parasitic, replicating computer program, account for well under 10% of the threats we see and protect against these days, but there is little agreement within the industry about the definitions for Trojan horses, spyware, adware, dual-use tools which can be used for criminal purposes and so forth, that it is easier to say "virus." Besides, malicious software just doesn’t sound as sexy.
This was also the first time I had travelled outside the United States since 9-11, and while I had visions of things like endless lines, overzealous customs officials going through my luggage and ripping it to pieces and being interrogated by border guards under bright lights, I have to say it was totally uneventful and didn’t take long at all to go through customs in either direction.  All the agents were nice and professional and I think the most I waited in a line was about five or ten minutes.
While I had been to British Columbia and the Yukon when growing up and have fond memories of Vancouver and Victoria, this was the first time I had visited a province that wasn’t on the west coast and I wasn’t sure what to expect.  I have heard many horror stories about tourists and non-French speakers getting ignored by locals in Quebec and especially in Montreal, and was expecting I might even have some trouble getting around town, but everyone I spoke to was fluent in English and very helpful to boot.  Also, while I had most of my meals in the hotel, the food we had about town was excellent.  One night we went for dinner at Cafe Alexandre, and while I am not very familiar with French cuisine, it was excellent.  There was also a restaurant we went to that served Czechoslovakian (or perhaps it was Czech and Slovak) food one night that was wonderful as well.
But, if you are reading this, it is not because you are interested in my travelogue of Montreal (which, alas, I did not see much of anyway), but because you are interested in the happenings at . As much as I do not want to keep you in suspense, though,  that will need to wait until a future blog entry.

1 Comment

Filed under Computers and Internet

What we learn from our customers; what we learn from our coworkers

In the past two days I have had a pair of reminders that the way I think about and use computers may be different than the way others think about and use them.
In the first case, I had replied to a message left by a member of an online forum where I volunteer some of my time.  Around the end of April/beginning of May, the old forum software finally crashed after a long series of unresolvable problems.  It was several weeks before the forum was once again operational and running smoothly, this time using different software which meant changes not just to how the forum looked to members, but in the functionality they had with the previous forum software.  Now (at the beginning of June) the member had inquired about were the changes caused as a result in the switch and if there would be some sort of official announcement from the staff telling former members how to re-join the system.
I had explained what happened in the simplest way I could, explaining what had happened and closing with a sentence explaining that I did not think a notification was necessary, since the majority of forum members had continued to access the site.
Big mistake.
The forum member was very upset because with he felt I had implied he was not a participant in the forum.
Which, of course, is where things get interesting.
While I have never tried to measure it, I have noted over the past couple of decades that online communities  (BBSes, CompuServe, mailing lists, web-based forums, et cetera) follow an "80/20" rule:  Around four-fifths of the messages are created by one-fifth of the user base.   It may actually even be higher; as I said, I haven’t tried to measure it.
In the case of the web-connected world, and by "web" I mean visible from search engines and other aggregation technologies, the number of people who consider themselves participants in an online community is probably much, much higher.  I envision a series of matryoshka dolls:  People who visit a community to read a single message or message thread and never join it, people who join to write one message and never return once it is answered, people who join and read all the messages but never write one and so forth.
The folks who are readers probably consider themselves part of the community; they read the messages, learn whatever community-specific jargon exists (which is a subject for another post, er, blog entry, in and of itself) and even find humor in the in-jokes and banter in the messages which make up this virtual community.  Let’s call these folks participants, but classify them as passive ones.  By making a decision not to participate in the community, though, they become a sort of ghost or spectre or haunt—present yet unable to interact with the community they observe.  I’m not going to say they are "breaking the implied social contract" or that what they are doing is even wrong in any sort of way.  After all, there are a lot of very good reasons not participate in online communities.  For one thing, after a community reaches a certain size, it’s bound to attract a nitwit or two.  People who are argumentative, are blow-hards or are otherwise so utterly convinced of the rightness of their beliefs that it is incapable to have any sort of meaningful dialogue on those subjects.  You know, nitwits.
But to the rest of the community, particularly those who live inside it, those people simply don’t exist.  They literally are not not there.  For that matter, someone who is an active participant in a community may not think of the people who chose to passively participate in the community as being a major part of it.  But they are.
And now you see the error of my ways.

Flash forward a day and now I’m in a meeting with my staff.  The VP of marketing pops in to ask us about what are pain points are with the marketing department. which, when you think about it, is incredibly cool since most VPs of marketing aren’t exactly known for their consideration and concern for what’s going on in technical support, and we take him up on his request.

One of the things which annoys the heck out of me is long, unspeakable URLs.  You know, the ones you can’t tell someone over the phone and expect to type them in to the Address: field of their web browser because they are all filled with "slashes" and "dot pea aitch peas" and "slash question mark eye dee equals doubleyou ee bees."  It might be easy to type those things, but over the phone, especially with someone who is non-technical, a slow typist or both, it can be pretty painful to get those URLs typed in.

So, the VP gives me a thoughtful look and asks my staff how big of an issue this is with them.

Not very much, it turns out.  They just have the customers go to the home page and then tell them what to click on from there.


My whole concept of technical support revolves around giving people the information and tools they need to solve a problem and a little education about the underlying technology, why something happened, what they can do to avoid it in the future and so forth.  All pretty good, and all pretty basic.  But I’m also used to working with people who are, well, they may not be PC-savvy, but can be given a set of instructions and will be able to follow them successfully.  I guess what I’m thinking of is that they are more confident in how to use a computer.  They may not understand how it works, but they feel comfortable using a computer and following a technical support engineer’s instructions.

Part of that is me, I suppose:  I first entered the anti-virus industry in 1989 and stayed in it for five-and-a-half years until early 1995, when I left just before Microsoft Windows 95 and NT 4.0 would appear and make their mark on the world.  During this DOS and Windows 3.1 era, computers were a lot simpler to operate and it was relatively easy to remove viruses from them, uninstall and re-install anti-virus software and troubleshoot various issues.  I was used to working in a higher call volume environment in which I currently find myself, but with much shorter calls on average.  Most just lasted a few minutes, long enough to tell the person what they needed to type in to solve the problem, an alternate step or two if they came across a common stopping point, and how to get back in touch with me if what I told them didn’t work.

Things are a lot different now.  There are a lot fewer calls, for one thing—which, for one thing means that anti-virus software has gotten a lot better in the intervening decade—but the calls you get can be a lot longer.  And the people whom you speak to know a lot less about computers—which, by the way, has nothing to do with them and is through no fault of their own:  computers are just so much more complex these days—and they have to go through many more steps.  And the steps they have to go through aren’t simple "type in" ones.  They are complex ones involving navigating a GUI and finding programs and shortcuts and clicking on them with this and that mouse button followed by selecting this or that to accomplish whatever goal it is they are trying to reach.

Computers have gotten so much more complex and complicated these days (and powerful, inexpensive and easy to use when it comes to day-to-day tasks) that most people know less about how their computers operate then they did when they were simpler, more expensive and had less functionality a decade ago.

There are times when I feel old. 


Tags: technical support, anti-virus, computer literacy

1 Comment

Filed under Uncategorized