'We don't think of antivirus as a money maker in any way'

Quotw This was the week when Symantec declared that its whole reason for being was dead, kaput, totally and utterly over.

Senior veep for information security Brian Dye declared that antivirus software, the same stuff that his firm has been a leading purveyor of for the last quarter of a century – and made oodles of money from – is dead and buried. He said:

We don't think of antivirus as a moneymaker in any way.

Dye claimed that modern antivirus software is only stopping around 45 per cent of attacks on computer systems. Yet even though it was still worth it for individual devices, Symantec was going to start focusing on security as a service instead. The firm will stop trying to stop attacks and instead track them, try to protect data and find out who’s behind the hack. He said:

It's one thing to sit there and get frustrated. It's another thing to act on it, go get your act together and go play the game you should have been playing in the first place.

If customers are shifting from protect to detect and respond, the growth is going to come from detect and respond.

Speaking of hacks, dark corner of the interwebs 4chan now has a bug bounty - worth a paltry $20 in “self-serve ad spend” or a free 4chan membership. Wow. Tempting stuff.

The site no doubt reckoned it was a good idea to have some sort of incentive after it, and another website created by founder Chris Poole (aka moot), were compromised. Poole blogged that he woke last week to a load of missed calls…

Waking up to a string of missed calls is rarely a harbinger of good, and this time would prove no different. Upon returning the calls I was greeted with a simple “You’ve been hacked.” Great.

No fewer than six security slip-ups granted the miscreant access, allowing him to log onto the site as moot and use Poole’s DrawQuest Amazon cloud account to spin up 100 heavyweight virtual machines, possibly to mine Bitcoin. Poole said:

On one hand I’m frustrated we made such simple mistakes that resulted in very real consequences, but also grateful that it provided us an opportunity to learn from those mistakes, and share them with the world.

There’s no silver bullet when it comes to security, and the only way to stay ahead of it is constant vigilance. Don’t rely on any one method to protect your service, assume the methods you already have in place don’t work, adhere to best practices, and make it a point to revisit security on a regular basis—not just when something goes terribly wrong.

To that end and in keeping with our ongoing commitment to security, I’m pleased to announce the launch of 4chan’s Vulnerability Disclosure Program.

In security news of the national variety, Brit spook service MI5 has warned that foreign spy agencies are targeting IT workers in big companies to gain access to sensitive data.

Grooming high-placed sources to get them to spill to state secrets used to take a lot of martinis and a fair few call girls (or boys). Now, all the spies need is a low-level IT grunt with the right kind of privileged access to company info. Paul Stockton, a former US assistant secretary of defence, told the Daily Mail:

Insider threats are a growing challenge... the highest risk employees, they're not necessarily those at the highest levels of an organisation. Rather it is the systems administrators and others who hold the keys to the IT kingdom that pose such significant potential threats.

Paul Ayers, VP EMEA at enterprise data security firm Vormetric, said:

This warning confirms something that we’ve been saying for a while now – that the abuse of privileged credentials is the next frontier for cyber crime against enterprises.

Part of the complexity stems from the changing nature and definition of a ‘privileged user’. What was once a traditional insider with legitimate access rights has now become almost anybody with appropriate credentials to view and modify data across corporate networks – from contractors to system engineers to network maintenance workers.

In addition, as cyber criminals become more sophisticated and determined, a further threat comes from privileged user accounts being compromised as these users become increasingly lucrative targets.

As the MI5 warning reminds us, once hijacked, these credentials can be used as a way for outside hackers to infiltrate corporate networks.

Meanwhile, Apple is probably doomed, according to venture capitalist Fred Wilson. Speaking at a tech conference, Wilson said he didn't expect the iPhone-maker to be the super-coolest tech firm in the world anymore in 2020:

[Apple is] just too rooted in the hardware, they don't have anything in the cloud. They don't think about data.

Twitter is also ripe for a stumble, according to Wilson, although it won't fall too far:

Twitter maybe will be maybe four, five, six, seven -- but I'm not sure they'll be one or two.

Google and Facebook would be the firms in the top three, along with some company that no-one has heard of yet, he added.

Speaking of Google, the firm's own devs seem unsure what to think about a new feature of web browser Chrome that is aimed at helping to stop phishing. The "origin chip" cleans up Chrome's omnibox – or address bar – by removing lengthy URLs and replacing them with just the domain name, without the "http://" and "www". There's also an origin chip that produces the full URL.

The Choc Factory tested the feature in beta versions of Chrome, but users weren't too keen. That feeling seems to be backed up by Google Chrome's own front-end developer Paul Irish, who said in a forum post:

We're looking at a few key metrics to see if this change is a net positive for Chrome users. I imagine it may help defend against phishing.

My personal opinion is that it's a very bad change and runs antithetical to Chrome's goals. I hope the data backs that up as well.

But fellow Chrome dev Jake Archibald is a fan:

Find someone who doesn't work in tech, show them their bank's website, and ask them what about the URL tells them they're on their bank's site. In my experience, most users don't understand which parts of the URL are the security signals.

Browsers stopped showing the username / password part of URLs because it made phishing too easy. This is a natural progression.

Are you worried about the advent of Artificial Intelligence? Well, physicist and damn smart guy Stephen Hawking says that the creation of a machine or software program that can think for itself could well be the “greatest event in human history”. On the other hand, it could destroy the entire world, so swings and roundabouts, we guess.

In an op-ed for The Independent, Hawking said:

With the Hollywood blockbuster Transcendence playing in cinemas, with Johnny Depp and Morgan Freeman showcasing clashing visions for the future of humanity, it's tempting to dismiss the notion of highly intelligent machines as mere science fiction. But this would be a mistake, and potentially our worst mistake in history.

Artificial-intelligence (AI) research is now progressing rapidly. Recent landmarks such as self-driving cars, a computer winning at Jeopardy! and the digital personal assistants Siri, Google Now and Cortana are merely symptoms of an IT arms race fuelled by unprecedented investments and building on an increasingly mature theoretical foundation. Such achievements will probably pale against what the coming decades will bring.

Things to look forward to include the potential eradication of war, poverty and disease using the tools that AI could provide. In the less sunny column, the military is already playing around with autonomous weapon systems and technology is being used right now to make a small number of people exceedingly rich:

One can imagine such technology outsmarting financial markets, out-inventing human researchers, out-manipulating human leaders, and developing weapons we cannot even understand. Whereas the short-term impact of AI depends on who controls it, the long-term impact depends on whether it can be controlled at all.

The answer, according to Hawking, is to do more research on the implications of artificial intelligence and to do it now.

And finally, readers were moved to various states of annoyance by the news this week that the Star Wars Episode VII movie could be subtitled “The Ancient Fear” and former Disney brat Zac Efron was still being linked with the project. Nick Ryan said succinctly (all comments verbatim!):

Please no, not Zac Efron or any other largely talentless Disney "child star or teen-idol". And no ****ing time travel either - although I'll accept that there's a chance that an actor like Zac Efron might not ruin the film totally, adding time travel to it will.

Though Efron is not without his defenders among the Reg commentards, as Tom 11 proved:

Obviously you've not seen him in recent titles where his character has actually got a proper brief rather than make the girlies squeal. Most stuff he's done in past 2 or 3 years where he is clearly trying to move away from this type-casting have been great. Watch 'The Paperboy' he's pretty damn good in that, and I for one am looking forward to seeing what he can do in Starwars!

And readers also had their own suggestions for a subtitle for the new instalment. Geoff Campbell put forward this proposal:

"Episode VII: Ja Ja Binks, The Musical."

It would fit the Disney ethos perfectly, and open up a whole new audience. Perfect!

While TitterYeNot said:

Am I the only one thinking the film title should be 'Star Wars Episode 6 1/2: The Smell of Fear'...

Ryan chimed in with:

It should be "Spaceballs 2: The Search for More Money"

...perhaps followed by "Spaceballs 3: The Search for Spaceballs 2"

And theblackhand prayed that the film could at least live up to the title it was given:

The Ancient Fear isn’t that bad… Particularly if the final release becomes known as “The Disney Disaster”. ®