I was the cofounder at CEO of SiteAdvisor before it was acquired by McAfee in 2006. I haven't had control over it since then and left McAfee 4 years ago but my sense is that they are trying to rate sites correctly but just understaffed/underfunded. I read the reddit article but couldn't find the URL in question. When I was running SiteAdvisor we made mistakes but were also accused of being a scam by the biggest spyware distributors etc who hated the fact that we were calling them out. So I think it's important to take it case by case.
Several years ago my site was red flagged by SiteAdvisor because I linked to Plimus, who I used as a payment processor at the time. According to my site's review on siteadvisor.com, other "bad sites" linked to Plimus, and therefore my site also must be bad. A lot of small software companies use and link to Plimus, and it turned out those bad sites were companies that sold PC monitoring software. I think it's unethical for companies to install monitoring software on employee computers, but that's a very tenuous relationship to flag my site as bad. I wrote to SiteAdvisor and finally got the status changed about 3 weeks later. I was left with a very bad opinion of SiteAdvisor because of its guilty until proven innocent nature. The legal saying "It is far better that 10 guilty men go free than one innocent man is wrongfully convicted" obviously didn't play into their business ethics.
I'm having flashbacks to the days when people sued the DNS blacklists, or threatened them, called them Nazis, etc.
I'm not commenting on whether these services (like SiteAdvisor and the DNSBLs) are good or bad, and in what contexts. I'm just saying these arguments have been made before. And, I believe the real good guys (as much as anybody is a good guy) are the ones who want people to have the right to design their own Internet experience and possibly have help from third parties in doing so. Companies have no right to make people browse their sites, even if they've made it to the top of the googleranks by hook or crook; those users are not theirs by rights. The user owns their own eyes and time. If there is something a user might find objectionable on the site, whether it be spyware or pictures of cats, the user has a right to turn around and go elsewhere when those things appear on your site. If they want to install a tool that warns them when they're about to see a lolcat or be exposed to spyware, they should have that right and the tool vendor is definitely not in the wrong for trying to provide that service (even if they make mistakes now and then).
The warnings have been worded by their legal department to avoid litigation.
A similar "blacklist" by Google (safe browsing) exists and they define what language you should use if you use their blacklist to warn users (see End-user visible warnings @ http://code.google.com/apis/safebrowsing/developers_guide.ht...).
An excerpt: These guidelines help protect both you and Google from misunderstandings by making clear that the page is not known with 100% certainty to be a phishing site or a distributor of malware, and that the warnings merely identify possible risk.
It's solicited. By McAfee customers. They're paying for various AV services and this is one of them. The site will only be blocked for McAfee customers that (I'm assuming) have this feature turned on. Clearly they couldn't run a site operator opt-in only list of malware hosting sites... right?
Clearly they couldn't run a site operator opt-in only list of malware hosting sites... right?
Yes. :(
I'm just having a hard time coming to terms with the possibility that your site can be improperly flagged for all McAfee users and you have virtually no recourse because they happen to be understaffed.
McAfee screwed our site over the same way with siteadvisor. It took 2 months and us harassing their support team almost daily to get it resolved. Also hurt revenue. I'd love to participate in a class action lawsuit.
Then one day it suddenly hit me.. You see the thing is McAfee siteadvisor.com also sells these hacker-safe certificates to websites for $360 / year. With that in picture, this whole fucking thing just makes sense. This is just a ploy to sell those certificates.
That is some serious ass jumping to conclusions. I feel for the guy, his situation sucks. BUT:
He just up and one day decided that they're doing it to sell him some snake oil.
- Nobody from McAfee suggested he buy the snake oil.
- Nobody else told him, "oh that is a scam to get you to buy snake oil".
- He didn't ask around to see if it's happening to a lot of other people.
- He didn't try to buy said snake oil to confirm it would make a difference
Clearly McAfee siteadvisor sounds broken/underfunded/lazy/all of the above. It sucks he can't get them to deal with it. But if it was some kind of cyber protection racket it'd be happening to a lot of people with similar results. And they'd have to give you some hints as to how to "get protected". I've hosted a number of websites with executables throughout the years including one that has a bunch and is active right now. I've never been on a McAfee blacklist. I've never even heard of anyone I know being on a McAfee blacklist. If it was some kind of protection racket wouldn't they just be mass flagging things?
Never attribute to malice that which is adequately explained by stupidity - Hanlon's razor
It doesn't sound like the OP tried very hard to resolve this before deducing this was all a scam that had to come to light. McAfee isn't going to resolve this out of goodwill after several email complaints -- I wouldn't trust them to. The OP needs to try harder to light a fire under someone's ass. McAfee has little to nothing to gain from bending to the whim of flagged sites.
To say that the OP's experience would be different as a paying customer, either as a mere AV subscriber or as a subscriber to their hacker-safe service, is an unfounded assumption -- to say the next step is forking over protection money and that this is all a scam is pure sensationalist FUD.
I'm firmly in the skeptic camp. Without any evidence, the OP's site could be legitimately flagged. Also, I sure as hell wouldn't let this linger for 2 years. Maybe I missed something though, I gave up on the comments after a minute, my tolerance to the reddit front page hivemind is very low.
Also - thanks for introducing me to Hanlon's razor, it's now posted in my office.
They don't have to tell him. He is watching his customers disappear and business is hurting. He is spending all this time trying to figure out a solution. He did come around to the realization that for money, they will probably fix his problem that they created in the first place.
Not only do these "security" companies have their 30 day trial versions pre-installed in just about every PC computer that is sold today, but seems that they have started harassing website admins too.
$360 is just low enough for someone doing business in the web to pay in order to not lose more money to lost customers. But I can't help it, this sounds like very dishonest extortion to me.
I used to think that these "security" companies were paying Microsoft in order to keep their software buggy so virus scanners and firewalls would sell more. Either Microsoft started fixing their software or stopped adding bugs on purpose so the security industry has had to find new sources of revenue.
Btw, I've never had a virus scanner or a firewall software installed. Not even on Windows, and not even on the worst Windows XP times around 5 years ago. A simple NAT has kept all the hacking attempts at bay. At least I've never experienced suspicious network traffic or computers slowing down or other telltale signs of viruses/worms/hacking.
I feel sorry for anyone who pays protection money to the IT security racket and I wish that everyone would just stop paying to this counterproductive industry.
> I used to think that these "security" companies were paying Microsoft in order to keep their software buggy so virus scanners and firewalls would sell more. Either Microsoft started fixing their software or stopped adding bugs on purpose so the security industry has had to find new sources of revenue.
You honestly think software bugs are some kind of AV industry conspiracy?
"Btw, I've never had a virus scanner or a firewall software installed. Not even on Windows, and not even on the worst Windows XP times around 5 years ago. A simple NAT has kept all the hacking attempts at bay."
How do you know that, if you never scanned for a virus or for spyware? How do you monitor network traffic?
Most Windows system I have examined (Behind NATs, behind corporate firewalls, both with and without A/V and spyware detectors) had spyware or a virus. If the user thought there was a problem, there was almost always some malware involved.
I have often suspected that virus scanner companies funded some secret offshore teams to write viruses. Until the recent spam zombie botnets, most viruses were surprising benign (but scary enough to garner media hype and virus scanner sales). If a virus writer was truly malicious, it would be trivial for their virus to delete the user's hard disk (after first propagating itself, of course).
This parallels GetSatisfaction and how they display support pages for companies that don't pay for their service as "uncommitted to customer support" or something to that extent. I don't think there are malicious intentions, but they do collect positive and negative feedback, and display it on a public webpage stating that the company isn't responding to it.
There are two problems I have seen with them. First, they are not good at handling false positives. As the poster on Reddit found out, they are slow to respond. Also, they don't seem to have a mechanism to recognize that their scan does a poor job at certain sites. They should have some kind of internal white list of sites that their scan can't handle well, and only let those sites make it to the block list after human review whenever the scan purports to find something.
The second problem is that there are many obvious people gaming the community review system. I saw one reviewer, with a 9/9 reputation rating, that was reviewing thousands of sites a day. I suspect that there were many more shill accounts participating in this.
The second problem is that there are many obvious people
gaming the community review system. I saw one reviewer,
with a 9/9 reputation rating, that was reviewing thousands
of sites a day. I suspect that there were many more shill
accounts participating in this.
Yup. Here are their top 3 reviewers:
* pharmalert: http://user.siteadvisor.com/forums/member.php?u=19138 with 1400 posts per day.
* Nodes: http://user.siteadvisor.com/forums/member.php?u=107161 with 750 posts per day.
* DougW: http://user.siteadvisor.com/forums/member.php?u=1699 with 451 posts per day.
For me this is a pretty solid indicator that their review system is, at best, useless.
SiteAdvisor is a browser plug-in so it's user opt-in. I can empathize with you but unfortunately the Internet is full of users that are not security-savvy and thus they have to rely on a trusted entity, e.g., McAfee to make security decisions for them.
Unfortunately, perverse incentives can creep in like what you experience; McAfee slow to aid your cause.
I'm developing 'visible security', a 'product' that provides information to a user for her to judge the risks of visiting a site, e.g., number of 3rd party components/APIs a site relies on, etc. and selectively control what she wishes to retrieve from a site.
For your particular case, 'visible security' can help in 2 ways: (1) a user has control to not download that particular component but yet view your site as per normal, and (2) even if McAfee flags your site as bad, with 'visible security' being vendor-neutral, other more responsive vendors or a ton of registered Internet user may flag your site as good thus sending a strong signal that McAfee may just be over-cautious, etc., thus liberating sites from the mercy of a single security vendor that has a large user base.
I wonder if the ubiquity of SiteAdvisor (due to various freebie installation offers) results in McAfee being perceived as an unwanted service rather than as a necessary service.
Having some experience of dealing with all sides of this type of situation, I feel as though I should comment.
Is SiteAdvisor a scam? No. In a nutshell, it's something that's used by McAfee customers - they paid for the service and no they don't have the ability to make the decision for themselves as to whether or not a site is safe.
Is SiteAdvisor any good? No. As Cdixon pointed out, they're heavily understaffed. It's full of false positives, it's a fairly crappy service.
Is McAfee AV any good? No. It's one of the easiest AV's to bypass. McAfee is the most commonly found AV in the enterprise we come up against on penetration tests and unless we're using something like metasploit we get past it undetected every time and have done for years.
It could be a scam, in theory. But this is also roughly how you'd expect a legitimate company to behave. They have a system that uses some cheap heuristics to guess whether or not you're a scam--and they do that for free. To actually investigate gray areas, they need human intervention, and that comes at a cost.
This is how, e.g., the legal system works. If you're accused of a crime, you can cheaply plead out or expensively defend yourself. It's also how customer service works: they can deal with ~95% of the problems people encounter by reading off a script, and they have to escalate the last 5%, sometimes at a cost.
