
Webroot - bastion for former spooks?


Rumor has it awhile back WR was working with the US Govt on systems security.
 
Now with the latest hiring of a former NSA official, and rumors of other intelligence officer hirings, where does that put Webroot? What's the privacy policy? I know F-Secure has said they will never, ever, even under court order, betray their customers - a very strong statement. But what about Webroot?
 
I have read the Prism reports that state US-based AV companies have been working WITH the NSA to help put in place backdoors, to avoid detection of US-sponsored malware, and in some cases to provide backdoors. Norton and McAfee are included on that list. But WR? I've read that most overseas firms and companies avoid using US-based security products due to the potential for compromise.
 
http://www.reuters.com/article/2013/02/21/co-webroot-cmo-idUSnPnLA63927+160+PRN20130221

Duncan began his career with the U.S. Air Force, spending 10 years assigned to the U.S. National Security Agency as an airborne cryptologic linguist performing intelligence collection operations and cryptographic analysis. Duncan also designed and implemented highly secure and classified government information systems for FEMA, the U.S. Army and the U.S. Air Force.

Best answer by MikeM 17 January 2014, 20:49


15 replies

Userlevel 7
Badge +6
Yes, I'm sure Webroot is hiring ex-NSA people and sending out press releases about it so they can build in backdoors for the US government. "Let's pay this guy 160 grand a year to help us compromise our product."
 
If you're going up against the highest levels of the US government what the heck are you doing using Windows anyway?
This is a ridiculous reply, and I am unsure why you even bothered to type it.
 
It's not about 'going against' anyone; it's about the core fundamentals of privacy. Most of us are concerned with absolute privacy as a basic right of life, and fight for that right, including the right to do, say, and be who we want without worry of the NSA Gestapo listening in or cracking down. Many people simply want to assert their basic rights, and do no harm.
 
The key thing here is we need to be a bit cautious when a company begins hiring former spooks. We need to question why, and to what level this relationship goes. Prism taught us that many companies will willfully compromise their customers in the face of NSA pressure (Google, Norton, McAfee, Microsoft, and what not). We also know some companies will refuse under immense pressure (F-Secure, Lavabit, etc). I think it is crucial to know where a company stands. Prior to the Prism revelations, many noted Google was 'quietly' hiring ex-spooks. Now we know why: those were insiders working to help 'orchestrate' a close relationship.
 
Given the corruption and downright evil nature of our govt, I think these are relevant questions. As of now I have begun migrating my systems and client systems away from Webroot until we get some answers on these things and I can be assured my clients won't be compromised (and yes, many of them are Arabic businessmen).
Userlevel 7
Kindle2013, Dunk hasn't worked for the NSA in 22 years.
 
Here is a statement from Dunk on the subject:
"I appreciate your concern.  I left government work in 1991 and have not had affiliation with the NSA since then.  Like many folks in the security industry, I started in government/military service.  Webroot is a great company with great products and my hiring by Webroot as Chief Marketing Officer was based on my marketing experience with security products and nothing else."
 
Here is some additional information on Dunk.
And this topic contains a similar discussion, though let's not derail it again please.  🙂
Thanks for the reply.
 
Does WR have an official stance on privacy in regards to govt/le gaining access to their data? Also regarding backdoors, or 'ignoring' state sponsored threats specifically?
Userlevel 7
Badge +4
We take pride in keeping our customers and their data protected. While I don't have a statement to share outlining details (and we tend to stay out of politically-fueled conversations on the Webroot Community), know that we do take the privacy of customer data very seriously. Other than that, we don't have any additional specifics.
Can we get an official response stating that Webroot will not cooperate with the NSA, or whitelist any state sponsored malware threats?

Seems that most AV companies are either ignoring requests for this data, or answering with no. Ignoring it is largely a statement that they would in fact whitelist state sponsored malware, while strong statements that they would not are self-explanatory.
 
As per this thread;
http://www.wilderssecurity.com/showthread.php?t=358503
 
and this article about letters sent to all AV vendors, and a few vendors went 'silent' on the response;
 
http://www.informationweek.com/security/vulnerabilities-and-threats/do-antivirus-companies-whitelist-nsa-malware/d/d-id/1112911
More recently, meanwhile, Avira CEO Travis Witteveen reported, in a letter to Trail of Bits, that his company likewise had no time for state-sponsored malware, and said the company would change its headquarters to a foreign country if the German government ever ordered it to ignore any type of malware. Likewise, the CEO of BitDefender, speaking by phone, said that his company had never received a copy of the letter from Bits of Freedom, but that his company would never -- and had never -- whitelisted any form of malware. The company plans to soon publish a more detailed statement on its website. 
 
So really, this is a serious question. Would Webroot whitelist state sponsored threats, and if not, then can we get a firm declaration from a Webroot official that they would do no such thing? Any silence or pandering about this is really an indicator of guilt, to be honest. This is a crucial question, as deployment of many dozens, perhaps hundreds, of systems is largely based on whether or not we can secure the systems from NSA intrusion/whitelisting.
 
Thank you.
Userlevel 7
I find it odd that just because a person worked for the US government nearly 2 decades ago he is automatically assumed to be up to no good? I also find it odd that people just automatically assume companies are guilty without any evidence?? To quote: "Any silence, or pandering about this is really an indicator of guilt to be honest." I doubt anybody would be happy if they were arrested and were assumed guilty before they even had a chance to defend themselves (innocent until proven guilty and all that).
 
Due to the wide range of skills that people in the military acquire (esp. with the growth of military cyber warfare divisions), I would expect many to go into the IT industry after they finish their career.
 
Putting my tinfoil hat on for a moment: if Webroot used a piece of government sponsored malware they wouldn't tell me about it (above my paygrade), and thus if I ran into it I would mark it bad, kinda negating the entire idea. Plus marking malware good is a terrible idea in any case; it would increase ticket and call volume, not to mention we have many very technical customers that would eventually find the malware themselves manually.
 
As I have said before on many occasions, all the data that is collected from a customer's PC regarding malware is all encrypted, and I wouldn't be able to identify a person based on such data. In fact I have imported my own logs from my home PC and I wouldn't be able to identify it.
 
It is also worth noting that Webroot has offices all around the world and not just the US.
 
Please note the above is just my opinion and isn't to be taken as a formal statement!
Nobody is saying anyone is guilty at this point.
 
What we are saying is quite simple: a lack of response from any company can, and generally does, indicate there may be some level of cooperation with the entities in question.
 
Why? Because frankly, any cooperating company is likely legally prevented from revealing that it is. National Security Letters sent out by our government contain a notice that any admission, or denial (yes, even a denial), is illegal. Which is why Lavabit was prevented from saying anything, and simply shut down the company rather than comply.
 
The Snowden files (of which only 1% are released) show us we are in a dangerous situation in this country. Privacy is being breached on a massive scale, and the US Govt is involved in crimes against its people. So finding out the 'status' of all companies we do business with is crucial right now, Webroot included. If we cannot get at least a cursory statement from Webroot stating at some level that they will not, and do not, whitelist state sponsored/used malware, then what else are we to assume?
 
http://www.cnsnews.com/mrctv-blog/matt-vespa/nsa-official-we-are-now-police-state
“These slides give the policy of the DOJ/FBI/DEA etc. on how to use the NSA data. In fact, they instruct that none of the NSA data is referred to in courts – cause it has been acquired without a warrant.” “So, they have to do a ‘Parallel Construction’ and not tell the courts or prosecution or defense the original data used to arrest people. This I call: a ‘planned programed perjury policy’ directed by US law enforcement.”
Userlevel 7
Hi sadachara
 
Appreciate your points, but how far do we go with this? Do we get to the point that your past completely governs your future and present? Do we start checking that our doctors have not smoked pot in their youth...lest they give us bad advice, etc.?
 
Appreciate that people are possibly running scared, but let's remember that this did not start with Snowden but most probably has been going on since time immemorial...we just did not know about that aspect. There is no proof that the individual concerned is anything other than a legitimate businessman with a public past...after all, it is not as if he worked for the government undercover and tried to hide the fact from anyone (at least not to my knowledge).
 
IMHO, and it is MINE, I think that we should all just get some perspective and stop looking for trouble...as there is enough out there already.
 
Just my two cents' worth...for what it is worth.
 
And before anybody asks...I am not a Webroot employee...or in any way affiliated with Webroot. I am just a volunteer.
 
Regards
 
 
Baldrick
Userlevel 5
Hi,
Webroot does not participate in any data sharing program with any security agency. We do not "spy" on our customers nor do we enable any third party to do so. We do not steal files or personal information from customer machines. Webroot's mission as a company is to create products that help consumers and businesses protect themselves from cyber crimes such as data theft, identity theft, and data loss. That is our only mission. The people we hire are dedicated to that mission. We hire them because they're smart and share our passion for stopping cyber crime.
Mike Malloy
Webroot EVP of Products
THANKS for the official reply.

I was getting a bit annoyed with these unofficial ones from community advocates, which I believe do more harm than good on these forums. I'm all for promoting products, but this pied piper mentality with them is nauseating.
 
Nevertheless, appreciate the reply, and will forward it to relevant security researchers, and media outlets.
Userlevel 7
Thank you Mike. Bookmarked 😉
Userlevel 7
Thank you, Mike 😃 Bookmarked and kudo'd!
Userlevel 7
Thanks!
 
That's reassuring to hear.
I wish I could remain silent on this topic but it seems it is impossible.

I started in the malware game back in the early 2000s, way before it became a true menace to society, so this lands in a place to make a pretty full and fair opinion on this subject.
 
I'll start with this: I do wish this was the first time this topic has landed on my desktop, but it is far from that. I can recall at least 4 different and totally unrelated instances where this very thing happened, and that was before 2004, when the landscape of malware began to change in a way that I think we all knew was going to be a very bumpy and interesting road to modern computing. As time went on, companies that were already established, and some well known already, stopped all the public announcements that they had hired an individual, either from the government or even from the opposite side of the fence, what I would call greyhats, as they would be known to jump back and forth as it best suited themselves.

It definitely went quiet for a long time; it would be 2009-2010 before the actual topic would make highlights again. I recall one instance where an AV company hired an individual with some seriously questionable morals and ethics. The individual I'm referring to had put on some shows that ended up following him until they themselves eventually ran him out of the entire industry.

I actually don't recall the guy's name, but somehow he managed to convince another upcoming AV company that all that was in the past and he was ready to do the good guy role. That should have been the first clue; something didn't smell quite right.

Eventually, he showed his real colors and pulled several of his stunts. With no fair warning to his employer, they were greeted by law enforcement and were almost forced to close shop.

Of course this is an isolated incident, and this thread does not warrant any further details; I simply use it as an example of a worst case scenario. Understand, some of these individuals are quite clever and incredibly intelligent, usually their most relevant vice as well; they are far from dummies.

2011 brought the exact opposite of the previous scenario, at least for me it did. I met several individuals at a security gathering in the city I live in, soon to discover that there were as many people there that got their start in this industry while in high school, definitely not doing the right thing, often caught in the act and labeled a cyber threat to the nation; in short, a genius without direction.

As well, there were many who were college grads and did it all the right way, found their place in the industry and continue to work in it today, still doing the next right thing.

I think it's safe to say that it takes all types of people to make any security solution work, even more to make it work efficiently. It is also safe to say that judgement without undeniable proof is not exactly judgement at all but more like name calling; judgement doesn't belong to us as people, not something we can handle properly.

I can assure everyone without any doubt: if you look hard enough, you can find paranoia-driven fuel in almost every industry, and not just the AV industry. Do not misunderstand, paranoia is actually a very useful tool when used in moderation to the situation at hand; call it healthy paranoia. Questioning a company's practices simply to clarify their position should not be a problem for any respectable company. Transparency to the public as a whole, not just a company's user base, benefits the company in more ways than one. Worthy trust is earned through actions, not words; not an individual's but the company's actions. Actions are hard to fake and never lie or try to mislead.

Lastly, I have seen the absolute worst this industry has to offer and seldom seen many actually do it right. Webroot has accomplished such a feat, without a doubt. Any doubters need only look at the industry today and remember: the Cloud AV was essentially a hoax, non-existent until around 2006-2007. In 2008 the industry got to see what all said could not be done.

I don't think it could have been done if the creators of the original program that became WSA were strapped by some hideous, invisible rule of the industry that made hiring real talent some sorta demented psychological event. They would have never hired anyone; who would be able to survive under such scruples?

So, in all seriousness, how many cloud based antivirus or security solutions are out there now? I really don't know.

Your faith in Webroot is well-founded. It works because the teams constructed to develop, manage and support it are as solid as it gets in the entire Computer Security Industry; this part I'm 100% sure of, never doubted it for a moment.

Save your worries for something more deserving. I assure you all, you're in the right place.

Thanks
