Sophos: If You'd Like A Copy Of Our Free AV Software, You'll Need To Prove You're Not A Terrorist
from the the-trickledown-effect-of-post-9/11-paranoia dept
The US hasn't officially adopted its proposed rewrite of the Wassenaar Arrangement, but it looks as though its plan to regulate certain software like guns and bombs is already pushing some businesses to start treating potential users like enemies of national security.
John Leyden at The Register is reporting that one of the site's readers has been denied permission to download Sophos' free antivirus software, apparently because the name "Hasan Ali" is setting off "terrorist" alarms at the software maker's headquarters.
Ali brought the issue to our attention, complaining that Sophos had applied an "anti-Muslim name filter" that places hurdles in the way of his attempts to download the security software firm’s freebie Mac malware detection tool.
A screenshot of the attempted download shows Sophos asking Ali to jump through a bunch of additional hoops to gain access to the free AV software. According to the text displayed, Sophos "must" conduct further "compliance checks" (which include asking Ali for additional personal information) before allowing him to download the software.
Sophos has confirmed that it does, indeed, block certain users from downloading its software.
We are sorry Mr Ali has had difficulty downloading our free Mac Antivirus software. Like many companies operating on a global scale, Sophos is required to adhere to the export laws and regulations of the United States, European Union, and every country in which it conducts business.
As such, we screen all requests for software downloads in accordance with a number of export lists, such as the US Export Administration Regulations, which affects all companies trading in the US and includes the requirement to ensure that the requester is not included on any US government denied persons list.
Like many companies, we used a third party to check all requests. Because this particular request only included the requester’s name, which matched with a number of names and aliases on the denied persons list, it was flagged as something we needed to check.
Our policy, in accordance with the US Export Regulations and other similar EU and UK regulations, is to ask for additional information to check if it is a true match or if it is, as in almost all cases, a ‘false positive’ match.
At that point we can clear the requester to be able to access the software.
Sophos claims that less than 0.05% of potential users are subjected to these compliance checks, so it's really kind of a non-issue. Not so, claims Ali, who points out his name is extremely common, as would be any number of other "foreign-sounding" names. Running a verification process that starts with only a name is a terribly inefficient way to run a verification process. For that matter, consumer-grade antivirus software really isn't subject to the majority of export restrictions.
On top of that, Ali and The Register point out that downloading this software directly from Sophos isn't the only way to acquire it. Other services provide copies of the AV software, but without all the "compliance" chicanery.
"Sophos also makes its software available on CNET (here), and possibly other download sites without mandating this process," he said.
Sophos responded to this seeming disparity with an answer that only raises further questions… mostly about Sophos' strict adherence to regulations that seems more arbitrary than mandatory.
In response, the company said: "All our download products go through the same screening process as highlighted in our previous statement. We can’t really comment on why Mr Ali doesn’t experience the same situation with other vendors, or when he downloads our software from third party sites such as CNET. Sophos adheres strictly to US, EU and other jurisdictions' export regulations, and complies with all requirements. Companies can be heavily fined for non-compliance."
Ali points out that this verification process -- which asks for information like date of birth and passport numbers -- could be used by third parties as phishing scams. All someone would have to do is host the free software and start asking personal questions via email of the potential downloader. Goodbye, AV protection. Hello, identity theft.
If Sophos is being extra-cautious because of the impending Wassenaar Arrangement adoption, it's somewhat understandable. The proposal by the US government looks to outlaw the export of plenty of security-related software and will turn security researchers' work into regulated "weaponry." But clamping down on downloads of consumer-grade AV software isn't going to do much more than push potential customers away. If the entities targeted by these regulations want security-related software, they'll find a way to get it, and they'll find much more potent stuff. Flagging names from a database that likely sees only occasional vetting (like any "terrorist/criminal" database the US maintains) does nothing more than irritate legitimate users.
Filed Under: anti-virus software, filter, fud, questions, terrorism
Companies: sophos
Reader Comments
Stupid or worrisome, take your pick
Either they're trusting that people will provide their real name, which is a laughable 'obstacle' if the aim is to prevent 'dangerous' people from using their software, or they're requiring verification of personal information for a simple download, which is more than a little absurd and intrusive.
[ link to this | view in chronology ]
Re: Stupid or worrisome, take your pick
No. They SAY it's a name check. Sophos deals with some very tight encryption and other software.
They're using a "third party" (which could very well be NSA, CIA, or DHS) to check who is accessing their systems.
I suspect it's NOT a simple name check. Something about either the information the guy entered, or his IP/MAC, route to server, etc. threw up flags.
[ link to this | view in chronology ]
Re: Re: Stupid or worrisome, take your pick
Even so the result seems to be no less stupid!
[ link to this | view in chronology ]
Re: Stupid or worrisome, take your pick
...
- The Individual's Name has been highlighted as a potential 'denied person'
[ link to this | view in chronology ]
Re: Stupid or worrisome, take your pick
If my name and personal information happens to have landed in a terrorist's database, I, for one, would like my personal information protected from criminals and government agencies that attempt to hack into that database.
There could be information about children in there - come on man, think of the children!!
[ link to this | view in chronology ]
Re: Stupid or worrisome, take your pick
So obviously there is another component to the filter. For the record I created accounts each for an ordinary person with a New Zealand address.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
I believe the point is that "Ali" and "Hasan" are names mainly associated with Middle-Eastern descent.
So basically the "terrorist list" Sophos is using stems from a list of common Arabic names.
My question is, given that shining example of blacklisting, how their actual software operates...
[ link to this | view in chronology ]
Excuses
The law does not require the use of a "third party" scapegoat, so that excuse just doesn't fly. At all.
"...the denied persons list."
What "denied persons list"? A list of persons you have denied?
[ link to this | view in chronology ]
Re: Excuses
You might recall an earlier discussion regarding the Right To Be Forgotten? Well, those people have been forgotten...
[ link to this | view in chronology ]
LL
[ link to this | view in chronology ]
Re: LL
[ link to this | view in chronology ]
Re: LL
[ link to this | view in chronology ]
Uriel238 IS my real name.
I identify with it as much as I do my social security number.
[ link to this | view in chronology ]
Actually complicates terrorism search
I'm already doing that to complicate identity theft....with Apple and Facebook. I wasn't actually born on 1/1/00, you know!
[ link to this | view in chronology ]
registration forms,
People have been hacked from putting their birth date on Facebook.
Why make it easy for ID theft, hackers?
Do Sophos sell your data, email, birthdate, to other companies and advertisers?
There's American companies and UK websites hacked every week,
why give them your real birth date just to get one product?
There's some names which are very common, e.g. Ali Hussain,
1000s of people might have that name.
[ link to this | view in chronology ]
Age gates
That way any human being that sees it pretty much gets the secret message intended for them.
[ link to this | view in chronology ]
I don't think Sophos is to blame on this.
Whether (currently industry standard) encryption should be considered as a type of sensitive technology or not should be the story, not Sophos having to follow stupid rules it didn't create.
[ link to this | view in chronology ]
Re: I don't think Sophos is to blame on this.
[ link to this | view in chronology ]
Re: Re: I don't think Sophos is to blame on this.
[ link to this | view in chronology ]
Re: Re: Re: I don't think Sophos is to blame on this.
[ link to this | view in chronology ]
Re: Re: Re: Re: I don't think Sophos is to blame on this.
For anyone who would actually like to read up on exporting encryption hardware or software, read the following from the Dept. of Commerce:
https://www.bis.doc.gov/index.php/forms-documents/doc_download/951-ccl5-pt2
I'm fairly sure one of the exceptions is not met by their software, or Sophos needs to fire their Regulatory Compliance head.
Realistically, and back to my original point: the rules are stupid and need to be changed. Sophos has business reasons for doing what it does or it wouldn't do it. My company (not Sophos, a subsidiary, or anything of the sort) has to jump through similar hoops with our products. I sincerely doubt Sophos is going through all the trouble to hire a third party and do any type of verification for shits and giggles, that would be too much work and too much money for no good reason.
[ link to this | view in chronology ]
Maybe Sophos and your company should use ones that cannot be plausibly regulated by the Department of Commerce.
Or move your distro offshore.
Cooperation with United States agencies is not necessarily a good thing, since they have made public their fondness for backdoors, kill switches and control over other people's software.
I now have cause not to trust Sophos.
[ link to this | view in chronology ]
Re:
You have cause not to trust anyone, so why bother singling anyone out?
[ link to this | view in chronology ]
Encryption restrictions on US exports in the post Snowden era sounds fishy.
It would give offshore software a considerable edge that they were allowed to use larger keys where US-developed applications could not. Even then, US-developed applications that could plug in external encryption mods would provide an awkward workaround.
Maybe this is a mechanism in order to keep small businesses out of the software market, since larger houses could create offshore sites by which to develop their international versions.
[ link to this | view in chronology ]
Re: Encryption restrictions on US exports in the post Snowden era sounds fishy.
They are valid. The export restrictions were eased, but not eliminated.
"It would give offshore software a considerable edge that they were allowed to use larger keys where US-developed applications could not."
US-developed apps can use very strong encryption. They just can't export it. And yes, it does give offshore software a considerable advantage, which is how it came to be that the really cutting-edge crypto development is not done in the US.
[ link to this | view in chronology ]
Re: Re: Encryption restrictions on US exports in the post Snowden era sounds fishy.
That sounds like another economic Whoops, kinda like when ICE shut down Megaupload without any consideration for its clients.
Sucks to be Sophos then.
[ link to this | view in chronology ]
Re: Re: Re: Re: I don't think Sophos is to blame on this.
The encryption export restrictions apply to all use of encryption, no matter how it is used by the software and no matter how its use is restricted. If the software contains encryption code, it's subject to the restrictions.
[ link to this | view in chronology ]
Re: I don't think Sophos is to blame on this.
AES-256 begs to differ.
"Sophos, as a company that deals with strong encryption is subject to stringent controls on what they, as a company, directly distribute, where they distribute it, and to whom they distribute to."
And so their use of what appears to be a wiki entry on common Arab names as a blacklist should mean they should be forbidden to handle encrypted software at all on basis of extreme incompetence in security matters coupled with stupidity?
Let me wager a guess that had Ali actually been a bad man and stated his name to be John Doe his download would have proceeded without a hitch.
[ link to this | view in chronology ]
Re: Re: I don't think Sophos is to blame on this.
[ link to this | view in chronology ]
Re: Re: I don't think Sophos is to blame on this.
[ link to this | view in chronology ]
Re: Re: Re: I don't think Sophos is to blame on this.
John Hunter
Betty Smith
Amber Clinton
Roger Bach
Christine Lee
Joseph Spalding
Mary Wilson
Peter West
James McCoy
Leonard Nelson
Anne Miller
Francis Costner
I could go on and on and on.
[ link to this | view in chronology ]
Re: I don't think Sophos is to blame on this.
The 1990's ended 15 years ago you know....
[ link to this | view in chronology ]
Re: Re: I don't think Sophos is to blame on this.
[ link to this | view in chronology ]
Re: Re: I don't think Sophos is to blame on this.
Also, you need to register (but not get a license) with BIS if you are exporting mass market commodities or crypto exceeding 64 bits.
[ link to this | view in chronology ]
Re: Re: Re: I don't think Sophos is to blame on this.
[ link to this | view in chronology ]
Re: Re: Re: Re: I don't think Sophos is to blame on this.
I don't think that's clear at all.
However, if they are tripping a restriction, then the next obvious question is "what the hell are they doing?"
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: I don't think Sophos is to blame on this.
several products, like their Cloud Security and FDE software. That might be where the hang up is, if they have to do something for a substantial part of the product line they may simplify the business processes by doing the same validation described in the article.
Kaspersky has similar restrictions on their 'strong encryption' versions. I'm not terribly familiar with many others, but I'd be surprised if the U.S. based commercial vendors behaved in a different fashion (strong/weak encryption versions, etc, etc.) Also, Sophos is a British company, so there may be rules/regs we just aren't aware of.
But again we're getting well off the discussion point I tried to raise and running around in the weeds of the issue; why are these rules still in place for software, specifically basic security software?
[ link to this | view in chronology ]
Re: I don't think Sophos is to blame on this.
[ link to this | view in chronology ]
Unlimited possibilities!
Oooooh. Instead of an anti-Muslim name filter, how about a Gamer Gate refusing to provide game downloads to persons with a male name?
Maybe the necessity to identify as female for game access will make certain gamers more compassionate?
Just like the necessity to identify as Christian in order to get virus protection will make certain Muslims swear off terrorism?
This sounds like a foolproof plan.
[ link to this | view in chronology ]
Me: If you want me to use your Free AV Software...
[ link to this | view in chronology ]
Re: Me: If you want me to use your Free AV Software...
[ link to this | view in chronology ]
Making the world less secure
Of course, that is assuming that AV products really work.
[ link to this | view in chronology ]
Part of some botnet...
[ link to this | view in chronology ]
That leaves out all US citizens
[ link to this | view in chronology ]
Antivirus for Mac? Why?
[ link to this | view in chronology ]
Re: Antivirus for Mac? Why?
[ link to this | view in chronology ]
Get what you deserve.
[ link to this | view in chronology ]
Spread your legs and place your hands in the yellow circles, please.
Citizen, you have been selected for Compliance testing.
Would you like to exercise your Constitutional rights?
[ ]no [✓]yes
COMPLIANCE CHECK FAILED
A SWAT team has been dispatched to your location for "enhanced" Compliance testing.
[ link to this | view in chronology ]
Stallman was right
[ link to this | view in chronology ]
This is another fine example of security gone crazy. A sort of "We'd rather have you unprotected because you live in the wrong country or have the wrong name." One of those, "We can't do things that would prevent our third party from checking you".
If you ever needed an example of why weakening security for all computer users is such a bad idea, you're looking at it right here. The idea that no one should be protected because the state should have the right to infect your computer to see what's in it. The same mentality that leaves the door open for any hacker to just waltz right into your computer. The same reason and mentality of why magic golden keys don't work, are an extremely bad idea, and are useless in practice to the general public.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Ah, yes, and "Muslim" is synonymous with "terrorist".
[ link to this | view in chronology ]
Re: Re:
How horrible that politically incorrect label Muslims as terrorists when it's not all of them. Just a lot of them.
[ link to this | view in chronology ]
There's a cure for islamic hatred of the US.
[ link to this | view in chronology ]
Re: There's a cure for islamic hatred of the US.
Innocent people died on both sides in WWII but who was more to blame, the allies or the Nazis? I served in the army stationed in Germany in the 70's and many older Germans told me that the majority of the people hated Hitler and even when our bombs fell on their cities they blamed him for the destruction and death.
[ link to this | view in chronology ]
Re: Re: There's a cure for islamic hatred of the US.
Fifty civilian casualties for every person of interest is the average for our drone strike program. I call bullshit.
And incidentally, pinpoint bombing in WWII still only dropped less than 30% of the bombs into designated target zones, to speak nothing of massacres like Dresden.
Why is it that we armchair historians have to remind hawks of the timeless truth that War. Is. Hell.? Why is it that our leaders resort to military action like it's this week's beer-bong party and everyone is going to get laid?
War and killing should always be a last resort, and since WWII we've pretty much jumped over thwarting enemy plans or preventing them from unifying straight to sieging their cities.
No, we pretend that Islam peoples hate us for our freedoms or our perversity or our affluent, when we'd never be able to tell if those are issues because they have plenty of cause to hate us for attacking them relentlessly.
And the answer to your question is no. We don't do anything to defuse their radical elements. Rather we help the moderate elements modernize and industrialize and westernize. And watch the recruits into their radical groups dwindle. We haven't tried that, and I bet you it'd be cheaper than our protracted military campaign in the Middle East.
[ link to this | view in chronology ]
GNU/Linux users are terrorists
We might as well be in a War on Zombies*.
* Philosophical zombies at that.
[ link to this | view in chronology ]
Denied persons list? That sounds an awful lot like a black list of persons being compiled by the US government.
[ link to this | view in chronology ]
It's a conspiracy
[ link to this | view in chronology ]