Sophos: If You'd Like A Copy Of Our Free AV Software, You'll Need To Prove You're Not A Terrorist

from the the-trickledown-effect-of-post-9/11-paranoia dept

The US hasn’t officially adopted its proposed rewrite of the Wassenaar Arrangement, but it looks as though its plan to regulate certain software like guns and bombs is already pushing some businesses to start treating potential users like enemies of national security.

John Leyden at The Register is reporting that one of the site’s readers has been denied permission to download Sophos’ free antivirus software, apparently because the name “Hasan Ali” is setting off “terrorist” alarms at the software maker’s headquarters.

Ali brought the issue to our attention, complaining that Sophos had applied an “anti-Muslim name filter” that places hurdles in the way of his attempts to download the security software firm’s freebie Mac malware detection tool.

A screenshot of the attempted download shows Sophos asking Ali to jump through a bunch of additional hoops to gain access to the free AV software. According to the text displayed, Sophos “must” conduct further “compliance checks” (which include asking Ali for additional personal information) before allowing him to download the software.

Sophos has confirmed that it does, indeed, block certain users from downloading its software.

We are sorry Mr Ali has had difficulty downloading our free Mac Antivirus software. Like many companies operating on a global scale, Sophos is required to adhere to the export laws and regulations of the United States, European Union, and every country in which it conducts business.

As such, we screen all requests for software downloads in accordance with a number of export lists, such as the US Export Administration Regulations, which affects all companies trading in the US and includes the requirement to ensure that the requester is not included on any US government denied persons list.

Like many companies, we used a third party to check all requests. Because this particular request only included the requester’s name, which matched with a number of names and aliases on the denied persons list, it was flagged as something we needed to check.

Our policy, in accordance with the US Export Regulations and other similar EU and UK regulations, is to ask for additional information to check if it is a true match or if it is, as in almost all cases, a ‘false positive’ match.

At that point we can clear the requester to be able to access the software.

Sophos claims that less than 0.05% of potential users are subjected to these compliance checks, so it’s really kind of a non-issue. Not so, claims Ali, who points out his name is extremely common, as would be any number of other “foreign-sounding” names. A verification process that starts with nothing but a name is a terribly inefficient way to run a verification process, since a common name alone will match many entries on any denied-persons list. For that matter, consumer-grade antivirus software really isn’t subject to the majority of export restrictions.

On top of that, Ali and The Register point out that downloading this software directly from Sophos isn’t the only way to acquire it. Other services provide copies of the AV software, but without all the “compliance” chicanery.

“Sophos also makes its software available on CNET (here), and possibly other download sites without mandating this process,” he said.

Sophos responded to this seeming disparity with an answer that only raises further questions… mostly about Sophos’ strict adherence to regulations that seems more arbitrary than mandatory.

In response, the company said: “All our download products go through the same screening process as highlighted in our previous statement. We can’t really comment on why Mr Ali doesn’t experience the same situation with other vendors, or when he downloads our software from third party sites such as CNET. Sophos adheres strictly to US, EU and other jurisdictions’ export regulations, and complies with all requirements. Companies can be heavily fined for non-compliance.”

Ali points out that this verification process — which asks for information like date of birth and passport numbers — could be used by third parties as phishing scams. All someone would have to do is host the free software and start asking personal questions via email of the potential downloader. Goodbye, AV protection. Hello, identity theft.

If Sophos is being extra-cautious because of the impending Wassenaar Arrangement adoption, it’s somewhat understandable. The proposal by the US government looks to outlaw the export of plenty of security-related software and will turn security researchers’ work into regulated “weaponry.” But clamping down on downloads of consumer-grade AV software isn’t going to do much more than push potential customers away. If the entities targeted by these regulations want security-related software, they’ll find a way to get it, and they’ll find much more potent stuff. Flagging names from a database that likely sees only occasional vetting (like any “terrorist/criminal” database the US maintains) does nothing more than irritate legitimate users.



Comments on “Sophos: If You'd Like A Copy Of Our Free AV Software, You'll Need To Prove You're Not A Terrorist”

73 Comments
That One Guy (profile) says:

Stupid or worrisome, take your pick

If they’re blocking people from downloading their software based upon names, there are two possibilities I can see.

Either they’re trusting that people will provide their real name, which is a laughable ‘obstacle’ if the aim is to prevent ‘dangerous’ people from using their software, or they’re requiring verification of personal information for a simple download, which is more than a little absurd and intrusive.

Bamboo Harvester (profile) says:

Re: Stupid or worrisome, take your pick

“If they’re blocking people from downloading their software based upon names”

No. They SAY it’s a name check. Sophos deals with some very tight encryption and other software.

They’re using a “third party” (which could very well be NSA, CIA, or DHS) to check who is accessing their systems.

I suspect it’s NOT a simple name check. Something about either the information the guy entered, or his IP/MAC, route to server, etc. threw up flags.

Anonymous Coward says:

Re: Stupid or worrisome, take your pick

Either they’re trusting that people will provide their real name, which is a laughable ‘obstacle’

This must be what they’re doing. Look at the screenshot again: they even suggest the workaround. “If you think you may have entered incorrect information, please re-submit your request with the correct details:

– The Individual’s Name has been highlighted as a potential ‘denied person’

Michael (profile) says:

Re: Stupid or worrisome, take your pick

I’m even more concerned that they are stopping the download of anti-virus software to terrorists.

If my name and personal information happens to have landed in a terrorist’s database, I, for one, would like my personal information protected from criminals and government agencies that attempt to hack into that database.

There could be information about children in there – come on man, think of the children!!

Anonymous Coward says:

Re: Re:

“Why does Sophos (or its third party screener) get access to a list of terrorist names?”

I believe the point is that “Ali” and “Hasan” are names mainly associated with middle-eastern descent.

So basically the “terrorist list” Sophos is using stems from a list of common Arabic names.

My question is, given that shining example of blacklisting, how their actual software operates…

christenson says:

Actually complicates terrorism search

Why does Sophos think, after they set off my personal, gray-matter-based phishing scam filter that any answers I provide them aren’t one-time throwaway random answers?

I’m already doing that to complicate identity theft….with Apple and Facebook. I wasn’t actually born on 1/1/00, you know!

Anonymous Coward says:

I never put my real date of birth on websites or registration forms. People have been hacked from putting their birth date on Facebook. Why make it easy for ID theft and hackers? Do Sophos sell your data, email, birthdate, to other companies and advertisers? There are American companies and UK websites hacked every week, so why give them your real birth date just to get one product? There are some names which are very common, e.g. Ali Hussain; 1000s of people might have that name.

Anonymous Coward says:

I don't think Sophos is to blame on this.

Sophos, as a company that deals with strong encryption is subject to stringent controls on what they, as a company, directly distribute, where they distribute it, and to whom they distribute to. Forms of encryption with keys larger than 56 bits are restricted. Sophos wouldn’t want to put itself out of the running for government contracts or on the ‘bad side of the law’ by breaking any rules concerning the export of encryption software.

Whether (currently industry standard) encryption should be considered as a type of sensitive technology or not should be the story, not Sophos having to follow stupid rules it didn’t create.

Anonymous Coward says:

Re: Re: I don't think Sophos is to blame on this.

Parts of the software are encrypted and decrypted, naturally. Almost all AV has this built in in some fashion or another, otherwise it would be trivial to defeat (not saying it isn’t by other means, but this would be a base-level protection.)

Anonymous Coward says:

Re: Re: Re: I don't think Sophos is to blame on this.

Other than public key signing of definitions, the encryption they use is useless for any other purposes. Whether the NSA have the signing key or an agreement with Sophos to allow them to misuse the protection is a separate question, as is that of whether they are the third party doing the checking of people.

Anonymous Coward says:

Re: Re: Re:2 I don't think Sophos is to blame on this.

You’re arguing against the wrong person here; I’m simply stating that the software doesn’t meet export restrictions for one reason or another. What it does internally isn’t visible to me and frankly I don’t care. Whether or not what it does with encryption is useful to any third party could be debated, but that’s not what I’m trying to get at.

For anyone who would actually like to read up on exporting encryption hardware or software, read the following from the Dept. of Commerce:
https://www.bis.doc.gov/index.php/forms-documents/doc_download/951-ccl5-pt2
I’m fairly sure one of the exceptions is not met by their software, or Sophos needs to fire their Regulatory Compliance head.

Realistically, and back to my original point: the rules are stupid and need to be changed. Sophos has business reasons for doing what it does or it wouldn’t do it. My company (not Sophos, a subsidiary, or anything of the sort) has to jump through similar hoops with our products. I sincerely doubt Sophos is going through all the trouble to hire a third party and do any type of verification for shits and giggles, that would be too much work and too much money for no good reason.

Uriel-238 (profile) says:

Re: Re: Re:3

There are plenty of effective, open source, internationally available encryption schemes.

Maybe Sophos and your company should use ones that cannot be plausibly regulated by the Department of Commerce.

Or move your distro offshore.

Cooperation with United States agencies is not necessarily a good thing, since they have made public their fondness for backdoors, kill switches and control over other people’s software.

I now have cause not to trust Sophos.

Uriel-238 (profile) says:

Re: Re: Re:5 Encryption restrictions on US exports in the post Snowden era sounds fishy.

I’m pretty sure these export restrictions are not valid anymore, or couldn’t possibly be enforced.

It would give offshore software a considerable edge that they were allowed to use larger keys where US-developed applications could not. Even then, US-developed applications that could plug in external encryption mods would provide an awkward workaround.

Maybe this is a mechanism in order to keep small businesses out of the software market, since larger houses could create offshore sites by which to develop their international versions.

John Fenderson (profile) says:

Re: Re: Re:6 Encryption restrictions on US exports in the post Snowden era sounds fishy.

“I’m pretty sure these export restrictions are not valid anymore, or couldn’t possibly be enforced.”

They are valid. The export restrictions were eased, but not eliminated.

“It would give offshore software a considerable edge that they were allowed to use larger keys where US-developed applications could not.”

US-developed apps can use very strong encryption. They just can’t export it. And yes, it does give offshore software a considerable advantage, which is how it came to be that the really cutting-edge crypto development is not done in the US.

Anonymous Coward says:

Re: I don't think Sophos is to blame on this.

“Forms of encryption with keys larger than 56 bits are restricted.”

AES-256 begs to differ.

“Sophos, as a company that deals with strong encryption is subject to stringent controls on what they, as a company, directly distribute, where they distribute it, and to whom they distribute to.”

And so their use of what appears to be a wiki entry on common Arab names as a blacklist should mean they should be forbidden to handle encrypted software at all on the basis of extreme incompetence in security matters coupled with stupidity?

Let me wager a guess that had Ali actually been a bad man and stated his name to be John Doe his download would have proceeded without a hitch.

Richard (profile) says:

Re: I don't think Sophos is to blame on this.

Sophos, as a company that deals with strong encryption is subject to stringent controls on what they, as a company, directly distribute, where they distribute it, and to whom they distribute to. Forms of encryption with keys larger than 56 bits are restricted. Sophos wouldn’t want to put itself out of the running for government contracts or on the ‘bad side of the law’ by breaking any rules concerning the export of encryption software.

The 1990s ended 15 years ago, you know….

John Fenderson (profile) says:

Re: Re: I don't think Sophos is to blame on this.

Crypto export controls were eased after that, but not eliminated. You still need an export license for “military grade equipment”, tempest-approved electronics, custom crypto, and crypto consulting services.

Also, you need to register (but not get a license) with BIS if you are exporting mass market commodities or crypto exceeding 64 bits.

Anonymous Coward says:

Re: Re: Re: I don't think Sophos is to blame on this.

See my reply to another person above, linking to the 5d002 exceptions; there isn’t an across the board lifting of restrictions, that’s an oversimplification. There are still restrictions. I think it is clear the software in question trips one of those or we get back to ‘why would they bother if they don’t need to?’

John Fenderson (profile) says:

Re: Re: Re:2 I don't think Sophos is to blame on this.

“I think it is clear the software in question trips one of those or we get back to ‘why would they bother if they don’t need to?’”

I don’t think that’s clear at all.

However, if they are tripping a restriction, then the next obvious question is “what the hell are they doing?”

Anonymous Coward says:

Re: Re: Re:3 I don't think Sophos is to blame on this.

Whatever they’re doing, it seems like a lot of AV companies do the same. Also, Sophos has a history of integrating several products, like their Cloud Security and FDE software. That might be where the hang up is, if they have to do something for a substantial part of the product line they may simplify the business processes by doing the same validation described in the article.

Kaspersky has similar restrictions on their ‘strong encryption’ versions. I’m not terribly familiar with many others, but I’d be surprised if the U.S. based commercial vendors behaved in a different fashion (strong/weak encryption versions, etc, etc.) Also, Sophos is a British company, so there may be rules/regs we just aren’t aware of.

But again we’re getting well off the discussion point I tried to raise and running around in the weeds of the issue; why are these rules still in place for software, specifically basic security software?

David says:

Unlimited possibilities!

Ali brought the issue to our attention, complaining that Sophos had applied an “anti-Muslim name filter” that places hurdles in the way of his attempts to download the security software firm’s freebie Mac malware detection tool.

Oooooh. Instead of an anti-Muslim name filter, how about a Gamer Gate refusing to provide game downloads to persons with a male name?

Maybe the necessity to identify as female for game access will make certain gamers more compassionate?

Just like the necessity to identify as Christian in order to get virus protection will make certain Muslims swear off terrorism?

This sounds like a foolproof plan.

Anonymous Coward says:

How nice, the start of a no-fly list for A/V downloading. So I gotta wonder, what are they trying to sneak into the anti-virus? Some sort of zeroday for those on the list? You know, just to check the contents of your computer to make sure you’re not a terrorist.

This is another fine example of security gone crazy. A sort of “We’d rather have you unprotected because you live in the wrong country or have the wrong name.” One of those, “We can’t do things that would prevent our third party from checking you.”

If you ever needed an example of why weakening security for all computer users is such a bad idea, you’re looking at it right here. The idea that no one should be protected because the state should have the right to infect your computer to see what’s in it. The same mentality that leaves the door open for any hacker to just waltz right into your computer. The same reason and mentality of why magic golden keys don’t work, are an extremely bad idea, and are useless in practice to the general public.

Anonymous Coward says:

Re: Re:

what are they trying to sneak into the anti-virus?

Yeah, I was wondering why they’re blocking downloads for ‘terroristy’ names. It’d be a lot more productive for the TLAs (I guess GCHQ is a FLA) if Sophos let the download proceed, but with a ‘special version’ of the AV software that’s chock full of backdoors.

OldGeezer (profile) says:

Re: Re: Re:

Only about 15 to 20% of them. Of course it is the largest religion in the world so that’s still millions that want to kill us and don’t care if our women and children die. I still remember the massive celebrations of hundreds of thousands of Muslims in the streets all over the middle east on 9/11. There have been cases of pregnant Muslim women strapping on bomb vests. The families of “martyrs” who die in suicide attacks receive permanent financial support from the Muslim leadership. Kindergarten age children are taught songs about the honor of dying for Allah.
How horrible that the politically incorrect label Muslims as terrorists when it’s not all of them. Just a lot of them.

OldGeezer (profile) says:

Re: Re: Re:2 There's a cure for islamic hatred of the US.

Yes, many mistakes and collateral damage have been caused by drones and other anti-terrorist actions. At least an attempt is made on our part to go after guilty individuals and not just indiscriminate murder of bombing crowded market places and transportation like the terrorists. Are we to take no action to take out the leadership of these organizations?

Innocent people died on both sides in WWII but who was more to blame, the allies or the Nazis? I served in the army stationed in Germany in the 70’s and many older Germans told me that the majority of the people hated Hitler and even when our bombs fell on their cities they blamed him for the destruction and death.

Uriel-238 (profile) says:

Re: Re: Re:3 There's a cure for islamic hatred of the US.

An attempt is made on our part to go after guilty individuals and not just indiscriminate murder of bombing crowded market places and transportation like the terrorists.

Fifty civilian casualties for every person of interest is the average for our drone strike program. I call bullshit.

And incidentally, pinpoint bombing in WWII still only dropped less than 30% of the bombs into designated target zones, to speak nothing of massacres like Dresden.

Why is it that we armchair historians have to remind hawks of the timeless truth that War. Is. Hell.? Why is it that our leaders resort to military action like it’s this week’s beer-bong party and everyone is going to get laid?

War and killing should always be a last resort, and since WWII we’ve pretty much jumped over thwarting enemy plans or preventing them from unifying straight to besieging their cities.

No, we pretend that Islamic peoples hate us for our freedoms or our perversity or our affluence, when we’d never be able to tell if those are issues because they have plenty of cause to hate us for attacking them relentlessly.

And the answer to your question is no. We don’t do anything to defuse their radical elements. Rather we help the moderate elements modernize and industrialize and westernize. And watch the recruits into their radical groups dwindle. We haven’t tried that, and I bet you it’d be cheaper than our protracted military campaign in the middle east.

Anonymous Coward says:

I wonder if the name Sophos is on the no fly list. I hope Mr. Hasan Ali knows better than to trust an outfit that conducts business in such a manner. “Free” my proverbial ass, about as free as Windows X. Try Avast or Avira, personally I don’t use an Anti-virus, flash, Java, and at times java script on any but one machine, and yes Windows is the OS on that lone wolf.
