When Can You Trust a Known Bad Actor Again?

scottalanmiller

This discussion came up elsewhere and I think that it is a really important one for IT people to have. Companies make mistakes all of the time, this happens. Vendors like Microsoft or Red Hat will have bugs, and sometimes those bugs cause security exposures. That's not what we are asking about. We are talking about companies that have intentionally done unethical or outright illegal things and been an active enemy of their own customers: such as Barracuda or Lenovo. Companies that use their own power and influence to breach their customers' security either for personal corporate gain, or to make them accessible to others for whatever nefarious purposes.

Unlike companies that make mistakes, how do vendors like Barracuda or Lenovo, or in fact how to people who continue to convince their businesses to deploy them, ever regain trust? Since the failings are not technical, but ethical, there is no technical action that could ever be even relevant to a trust discussion. Sure, you can force them to remove backdoors or root kits or shims or malware, but you had to force them to do it, and you only know that they removed what you caught them with, which is unlikely to be everything.

It's like catching a thief who broke into your store and you find them taking money from the till. You force them, with the help of the police, to put the money back in. Then you hire them, right on the spot, to be your security guard. You know that seconds ago they were trying to steal from you, they were happy to be a thief, they didn't even apologize, they just got caught and forced to put the money back. In the real world, you'd never allow them in your store again, you'd press charges, you'd have their picture behind the counter for actual security guards to watch out for... you'd never, ever hire them to work for you, let alone hire them to guard against themselves!

In a case like Barracuda or Lenovo, what could ever make it excusable to put their equipment or products in a business? As they are known malicious actors, the very actors that IT is supposed to be protecting against, it is as if we the paid security guards would be inviting the known thieves in to look around, handing them keys, whistling and looking the other way and just "trusting that they won't steal anything even though we know they are remorseful thieves and we just invited them into a situation where they are free to rob us without likely getting caught."

scottalanmiller

Of course, if the shareholders or the board of a company like this truly didn't know that such malicious actions against customers was happening and they immediately fired and took legal action against the people who did it, then we could consider that a bit of remorse and maybe they could be considered again. But as no company having done something like this has ever done that, it's a theoretical situation at best.

scottalanmiller

The question came up offline of "but doesn't the government hire known bad actors all of the time?" And yes, of course they do. However this is wildly different for two key reasons.

First, the government itself is famously incompetent and insecure and has no idea how to do things in a logical or secure way. That the government's known bad practices result in bad things doesn't make things okay.

Second, this isn't what the government does. We were discussing hiring a thief as a guard. The government hires thieves to discuss being thieves. Very different things. Even the government doesn't use someone being a thief as a reason to then give the thieves access to the very things that they were trying to steal. "A" job, maybe, in some extreme cases, but the very job of protecting the things that they tried to steal, definitely not.

bbigford

Not everything is excusable; even with time and potentially gutting the beast. There's certain things that are just a death sentence in my book. I'm fully aware of what Lenovo has done, and I'm all done recommending them. Others may not feel the same about severity.

I'm not totally aware about Barracuda with intentional malicious action, there is some stuff with their VPN side of things that I've been iffy about regarding security (thinking of Java and their weird method for authentication to a browser redirect from the local client). All I've really heard is about negligence. Care to share?

popester

For absolute bald face intentional nefarious acts, the answer is never.

Obsolesce

Yup, never. Another example of "never": Yahoo.

CCWTech

Didn't Dell do a 'superfish' as well?

scottalanmiller

@ccwtech said in When Can You Trust a Known Bad Actor Again?:

Didn't Dell do a 'superfish' as well?

Dell did a Superfish as well. Dell did NOT pull a Lenovo and put it into the irreplaceable drivers. Looking at Lenovo's attack as being an issue of "deploying Superfish" hides the real issue of having put malware into drivers that came back even in a clean install. Dell had standard bloatware that no one following even a modicum of good practices would never have even seen. So totally different. Bad, but bad in a trivial only hurts people who hurt themselves, way. Whereas Lenovo had no means of working without you being compromised and was the first vendor to ever put malware into clean drivers.

https://arstechnica.com/information-technology/2015/11/dell-does-superfish-ships-pcs-with-self-signed-root-certificates/

So if you see Dell's as bad in any way, Lenovo's is literally a thousand times worse. People affected by Bell's Superfish would be similar to people getting ransomware because they didn't match. Could the vendor have done something better, sure. Was there any reason for Dell to worry about having bad bloatware that everyone is supposed to remove upon receipt of the box anyway? Not really.

So was it bad, yes. But it wasn't anything like Lenovo in reality, that was click bait headlines.

What Dell did was this: "Dell is shipping computers that come preinstalled with a digital certificate that makes it easy for attackers to cryptographically impersonate Google, Bank of America, and any other HTTPS-protected website." Which is very bad, but not even slightly on par with Superfish itself, which was nothing compared to Lenovo building Superfish into the network drivers and getting those drivers to be the only ones out there. So yes, Dell did something bad, but it didn't do a Superfish.

CCWTech

@scottalanmiller said in When Can You Trust a Known Bad Actor Again?:

@ccwtech said in When Can You Trust a Known Bad Actor Again?:

Didn't Dell do a 'superfish' as well?

Dell did a Superfish as well. Dell did NOT pull a Lenovo and put it into the irreplaceable drivers. Looking at Lenovo's attack as being an issue of "deploying Superfish" hides the real issue of having put malware into drivers that came back even in a clean install. Dell had standard bloatware that no one following even a modicum of good practices would never have even seen. So totally different. Bad, but bad in a trivial only hurts people who hurt themselves, way. Whereas Lenovo had no means of working without you being compromised and was the first vendor to ever put malware into clean drivers.

https://arstechnica.com/information-technology/2015/11/dell-does-superfish-ships-pcs-with-self-signed-root-certificates/

So if you see Dell's as bad in any way, Lenovo's is literally a thousand times worse. People affected by Bell's Superfish would be similar to people getting ransomware because they didn't match. Could the vendor have done something better, sure. Was there any reason for Dell to worry about having bad bloatware that everyone is supposed to remove upon receipt of the box anyway? Not really.

So was it bad, yes. But it wasn't anything like Lenovo in reality, that was click bait headlines.

What Dell did was this: "Dell is shipping computers that come preinstalled with a digital certificate that makes it easy for attackers to cryptographically impersonate Google, Bank of America, and any other HTTPS-protected website." Which is very bad, but not even slightly on par with Superfish itself, which was nothing compared to Lenovo building Superfish into the network drivers and getting those drivers to be the only ones out there. So yes, Dell did something bad, but it didn't do a Superfish.

But bad is still bad. So don't buy Dell either.

In other words, one person only beats women but one murders, both are still bad right?

scottalanmiller

@ccwtech said in When Can You Trust a Known Bad Actor Again?:

@scottalanmiller said in When Can You Trust a Known Bad Actor Again?:

@ccwtech said in When Can You Trust a Known Bad Actor Again?:

Didn't Dell do a 'superfish' as well?

Dell did a Superfish as well. Dell did NOT pull a Lenovo and put it into the irreplaceable drivers. Looking at Lenovo's attack as being an issue of "deploying Superfish" hides the real issue of having put malware into drivers that came back even in a clean install. Dell had standard bloatware that no one following even a modicum of good practices would never have even seen. So totally different. Bad, but bad in a trivial only hurts people who hurt themselves, way. Whereas Lenovo had no means of working without you being compromised and was the first vendor to ever put malware into clean drivers.

https://arstechnica.com/information-technology/2015/11/dell-does-superfish-ships-pcs-with-self-signed-root-certificates/

So if you see Dell's as bad in any way, Lenovo's is literally a thousand times worse. People affected by Bell's Superfish would be similar to people getting ransomware because they didn't match. Could the vendor have done something better, sure. Was there any reason for Dell to worry about having bad bloatware that everyone is supposed to remove upon receipt of the box anyway? Not really.

So was it bad, yes. But it wasn't anything like Lenovo in reality, that was click bait headlines.

What Dell did was this: "Dell is shipping computers that come preinstalled with a digital certificate that makes it easy for attackers to cryptographically impersonate Google, Bank of America, and any other HTTPS-protected website." Which is very bad, but not even slightly on par with Superfish itself, which was nothing compared to Lenovo building Superfish into the network drivers and getting those drivers to be the only ones out there. So yes, Dell did something bad, but it didn't do a Superfish.

But bad is still bad. So don't buy Dell either.

No, bad is not just bad. These aren't comparable, at all. One is actively malicious malware against all customers. One is passively poor security against only customers that actively choose to be insecure already.

Unrelated, incomparable. One is bad, pure and simple. The other is not bad to anyone who didn't choose for it to be bad, making it not actually bad.

You are using a broad brush to paint unrelated things. Being actively evil isn't the same as not be perfect.

scottalanmiller

@ccwtech said in When Can You Trust a Known Bad Actor Again?:

In other words, one person only beats women but one murders, both are still bad right?

If this was comparable, yes. But we are talking about a VOLUNTARY bad thing in one case, the victim was a participant. We are talking about INVOLUNTARY in the other.

In your example, it is both involuntary, so not related to the Lenovo vs. Dell comparison.

CCWTech

@scottalanmiller said in When Can You Trust a Known Bad Actor Again?:

@ccwtech said in When Can You Trust a Known Bad Actor Again?:

@scottalanmiller said in When Can You Trust a Known Bad Actor Again?:

@ccwtech said in When Can You Trust a Known Bad Actor Again?:

Didn't Dell do a 'superfish' as well?

Dell did a Superfish as well. Dell did NOT pull a Lenovo and put it into the irreplaceable drivers. Looking at Lenovo's attack as being an issue of "deploying Superfish" hides the real issue of having put malware into drivers that came back even in a clean install. Dell had standard bloatware that no one following even a modicum of good practices would never have even seen. So totally different. Bad, but bad in a trivial only hurts people who hurt themselves, way. Whereas Lenovo had no means of working without you being compromised and was the first vendor to ever put malware into clean drivers.

https://arstechnica.com/information-technology/2015/11/dell-does-superfish-ships-pcs-with-self-signed-root-certificates/

So if you see Dell's as bad in any way, Lenovo's is literally a thousand times worse. People affected by Bell's Superfish would be similar to people getting ransomware because they didn't match. Could the vendor have done something better, sure. Was there any reason for Dell to worry about having bad bloatware that everyone is supposed to remove upon receipt of the box anyway? Not really.

So was it bad, yes. But it wasn't anything like Lenovo in reality, that was click bait headlines.

What Dell did was this: "Dell is shipping computers that come preinstalled with a digital certificate that makes it easy for attackers to cryptographically impersonate Google, Bank of America, and any other HTTPS-protected website." Which is very bad, but not even slightly on par with Superfish itself, which was nothing compared to Lenovo building Superfish into the network drivers and getting those drivers to be the only ones out there. So yes, Dell did something bad, but it didn't do a Superfish.

But bad is still bad. So don't buy Dell either.

No, bad is not just bad. These aren't comparable, at all. One is actively malicious malware against all customers. One is passively poor security against only customers that actively choose to be insecure already.

Unrelated, incomparable. One is bad, pure and simple. The other is not bad to anyone who didn't choose for it to be bad, making it not actually bad.

You are using a broad brush to paint unrelated things. Being actively evil isn't the same as not be perfect.

I like my broad brush.

scottalanmiller

Should you avoid Dell because of it? That's a grey area. But you can't not use Dell based on the same logic that you can't use Lenovo. If you feel Dell can't ever be trusted because they did something that should not affect anyone, then you need (and potentially can) make a decent logical case for that. But you can't make that case based around the logic from the Lenovo case.

I have no concern with the Dell case and see it as "not bad", that's not the same as "good". It hurt no one that didn't actively do something I would consider wrong. Dell didn't install malware, they installed a certificate. It's not good, but a proper clean install makes it not exist. So is a bad action against no one still a bad action? The multiplier is zero. So a bad action that doesn't happen is still bad, in a zero degree manner.

Vendors do dumb things, vendors make mistakes. Making a mistake, that wasn't hidden, does not make someone a bad actor. Being actively, unremorsefully, and actively malicious does make a bad actor.

scottalanmiller

Also, Dell apologized and immediately fixed the issue, and didn't do it again. Lenovo never admitted it was a mistake, and did it again immediately afterward but in a more insidious way showing that they were sad they got caught, not that they did it. Dell's action was pretty obviously a mistake - it was sloppy, no effort was made to hide it, they fixed it as soon as they found out. Lenovo's was not a mistake - it was elegant, loads of effort was made to hide it (and to force it back on machines after it was removed), and instead of fixing it when found they worked to make it even harder to remove.