Feb 16 2009

BitDefender (mis)handles PR over their hacked website

BitDefender sells an Internet security suite that offers “proactive protection from viruses, spyware, hackers, and other e-Threats.” Well, their website got hacked. Now in all fairness, their product lines might not protect web servers … but you still gotta love irony.

Normally we’d just shrug at this irony and go about our day. This one, though, deserves attention over the company’s (mis)handling of the affair. Quoting from an updated story in The Register:

“It was only after this article first appeared that the anti-virus company even owned up to the breach, and yes, it potentially exposed Portuguese customers’ names, email addresses and possibly their physical addresses as well… Amazingly, BitDefender offered customers no details about the extent of the damage for more than a day and went so far as to suggest the breach at a site bearing its corporate name isn’t its fault.”

Reporter Dan Goodin goes on to say “we saw a similar reluctance from Kaspersky to share what it knew during the first 36 hours after its security lapse was exposed.” Situations like this constitute a lie by omission. I quote myself from an ancient column when I say “the very experts we pay to protect our PCs will all too often lie, even if they know it will harm their clients’ best interests.”

Goodin then mutters “this is unacceptable for companies entrusted to keep their customers safe.” {sigh} Only here do I differ with him — because after watching this industry for twenty years, I’ve come to realize the court of public opinion never prosecutes virus experts for their lies. Society gets some sort of taboo satisfaction from lying virus experts. These people get rewarded, not punished.

I insist virus experts ultimately lie to us because society wants them to do it. Why? Four words: “addicts need their pushers.” A double standard exists because people can’t give up their addiction to antivirus updates. Society lets its pushers get away with things they’d never let Microsoft get away with…

Jan 24 2009

What’s missing in this virus survey?

I enjoy reading the opinions of Sophos technovangelist Graham Cluley. I can always count on him to offer a level-headed view of the virus scene from his British perch.

Yet Cluley is all too human. In this case he overlooked the obvious in his latest unscientific survey on the Downadup worm that now hogs the media spotlight. When he asked “who is most to blame” for the spread of the worm, his readers responded as follows:

  • 53% blamed “the hackers, who wrote the worm in the first place”;
  • 30% blamed “system administrators, for not rolling out the Microsoft security patch quickly enough”; and
  • 17% blamed “Microsoft, it was their security vulnerability that allowed the worm to spread.”

My longtime readers already know what’s missing in this survey: “Antivirus software, for not detecting it in the first place.” I mean, come on — would Cluley forget “airport security guards” when asking “who is most to blame” for aircraft hijackings?

Cluley certainly knows my opinions on this topic, so I asked him by email why he didn’t include “antivirus software” as a survey choice. He slapped his forehead. “That would have been fun,” he admitted in his reply.

Cluley went on to answer my next question before I asked it. “Our proactive behavioural stuff detected [the Downadup worm] before we saw it in our labs.” Of course, my longtime readers know he made an obvious statement — Sophos has a very long history with heuristic virus detection techniques. Cluley said much the same in a column I wrote waaaaay back in the previous millennium:

“The fact is that Sophos started with this [heuristic] approach years ago before we had a virus-specific product. We had (and indeed still have) a utility called Vaccine. What we found was that customers don’t like generic anti-viruses. It’s actually the customers who have insisted on virus specific protection rather than the [antivirus] companies.”

“It’s actually the customers” who insist on using inferior antivirus software, Cluley said in the 1990s. Computer users to this day — especially the U.S. government — cling to an addictive update model that ironically helps rather than hinders the spread of Downadup and its ilk.
Society has never demanded better antivirus technology up to this point. Right now, though, I don’t think the Downadup worm will convince society to give up the addictive update model. It’ll take a global network catastrophe of some sort, and Downadup just doesn’t look like one in the making.

Yet I do believe that day will come, and my longtime readers will recall what I’ve said for years:

When society finally demands better antivirus technology, I predict the global antivirus cartel will stand up as one and shout “eureka, the state of the art has advanced, and just in the nick of time!” I’ll back the industry 110% when their marketers lie to [society] about the “sudden” technological advancement in antivirus software…