Virus Bulletin PUA – a love letter


The evenings of VB2023 were marked by fascinating interactions between security experts and the somewhat enigmatic world of grayware vendors.


Late at night at VB2023 is when the goblins come out, with carefully played friendly faces and industry-imposed lures: potentially unwanted application (PUA) providers, sponsored and pay-per-click app installers and other download monetizers that together form a multi-billion dollar ecosystem. And in case you’re wondering what they want, it’s to incentivize the unblocking of borderline – really borderline – scary software, which they want reputable security software vendors to ignore and stop blocking. We know this because they frequently ask us.

But customers would rather have fewer PUAs than more of them. ESET products can block PUA software. Customers have a choice, and it’s up to them to decide.

But back to the nighttime lobby of the Novotel: love ends up turning into hate in a bipolar display; apparently, we sometimes put obstacles in the way of their business plans.

Around the VB2023 conference there are a handful of ad hoc (or more organized) meetings aimed at legitimizing this group of pseudo-shady (but still supposedly reform-minded) software vendors, who are desperate to quietly convince security software vendors that they really are reformed, and therefore deserve to be unblocked.

To sell it, they employ “compliance” staff, usually charming, chatty people happy to hang out under the pulsing lights of the bar until far too late, when we should really be sleeping. Vendors showering us with alcohol may have some appeal for the more fermentation-driven among us, but not so much that it clouds our judgement; we’ve been here for a while, and warning new recruits about these social engineering attempts is a time-honored tradition.

ESET is not alone in this regard; many other security software companies get the same special treatment. No one disputes that flattery (and fermentation, for some) is a good idea, but ultimately we work for our customers, not for these PUA sellers or their shareholders. Our customers pay us, and they do it to get less noise on their computing devices, not more.

More recently, PUA providers and their friends who make money in this ecosystem have come together to form certification bodies aimed at more precisely determining how far is too far to still be classified as clean. They believe that by creating certifications they can amplify reputation-building goodwill, and that their mark of trust will (hopefully) signal their trustworthiness to third parties, which will be helpful to them. But these organizations don’t tend to get along for long with each other, much less with outsiders, and the bond that binds them tends to dissolve, forcing them to break up. Herding cats can be both difficult and unrewarding.

Trust in the security industry is a long game, and very few PUA-aligned vendors have lived long enough to play it well. It takes considerable time and money to do security properly, and not many tech talents are willing to dedicate themselves every day to the thankless and little-known work of making software work, let alone keeping it secure.

As the issues around personal data protection become more important – in light of the growing number of health records, financial transactions and, fundamentally, much of what makes our daily digital and physical lives function – it is also important to have adequate security software that errs on the side of caution. PUAs and caution are not often found in the same sentence.

It’s very late at night now (I wrote this Thursday evening) and the bar has finally turned down the ambient beat of muffled techno tunes (or is that my head?) as people begin to disappear into the corridors of the hotel to rest briefly in anticipation of another (beautiful) conference day. Here at VB2023 London, it was nice to see people working hard to protect what everyone values, including ourselves. I get one last wave from the compliance staff as they disappear into the hallways. I will probably see them again at the next conference.

We will always have good and bad technologies, and many shades of gray. The gray is the hardest part.
