48 comments

[ 2.9 ms ] story [ 93.3 ms ] thread
The intersection between people that buy their product and the people that has powerful machines that can mine crypto seems small
I think the target market is rubes who are 36-48 months or more late to crypto mining, think they can get rich quick, and desire to hop on board the bandwagon.
I simply cannot get over the haphazard rebranding effort. They literally took their logo into mspaint and appended "LifeLock" to the right side of it.
I took a double take at this because it seemed like a headline from The Onion. But then I realized this might actually be a real thing? Overall it left me with a very gross and icky feeling.

If I were to make a ranking of businesses that I consider highly ethical and reputable, the lifelock company would be somewhere towards the bottom.

https://www.google.com/search?channel=fs&client=ubuntu&q=lif...

This is actually hilarious if you read the article.

They created a problem of their antivirus software flagging crypto miners, and instead of fixing that, they made their own crypto miner that is exempt from their flagging and said "see look, now its simpler and you don't have to disable your antivirus!"

And then they said its more secure and even simpler because all your crypto and keys get stored in the cloud, so you keep your crypto even if your harddrive/storage crashes.

Server side crypto hack incoming in..... three... two....

(double facepalm)

Now that’s a name I haven’t heard in a decade.
Apologies for a crass and unsophisticated reaction comment here but....this is the dumbest shit ever.
If ever there was a technology press release that was deserving of a response consisting simply of a facepalm emoji, this is it.
That's more polite than my immediate reaction.
I hope Peter Norton got paid enough to be worth enduring this running of his once good name into the ground.
I remember both him and McAfee staring at me from software boxes back in the day, and both products being considered scammy even back then.
I assumed this would be an append-only/timelock backup solution for ransomware.
> select Norton 360 customers in Norton’s early adopter program will be invited to mine for Ethereum.

Wait, what? I thought this was going to be a ransomware product. What in the world is going on here?

Snake-oil company realises there is a new and poorly tapped market they can go for.
My bet is in the long term a distributed crypto mining scheme where it uses the powers of everyone's grandmother's computer that still has norton installed.
Yeah, presumably computers will come with a "free trial" of a Norton Suite, which, after the trial period expires:

1. will not even pretend to improve your security,

2. will nag you for credit card information to extend the service, and

3. will continue to mine cryptocurrency in the background, to be "safely" stored in Norton's cloud wallet, which Norton will periodically reap "expired" coins from.

Ethereum is moving from PoW to PoS, will this even be usable after the transition?
Isn't lifelock the thing where the CEO bro said "here is my social, try to hack me" and then he was immediately hacked?

Wow, can't imagine any sane person who would use this. Galaxy brain move to release it though.

LifeLock only advertises in media channels popular with the ignorant, vulnerable, and/or paranoid. People who don't know that story and definitely don't know better.
Just like Protonmail if we're being fair

Except with that one, a lot of otherwise tech savvy people just refuse to acknowledge the limitations and inability to verify privacy claims at any given point in time

Has protonmail's advertising been misleading? I'm a happy user myself, but I don't think I've ever looked into their marketing.
People believe it is private and uncompromisable because of their use of client side encryption and claims of server side encryption and that their Switzerland location means they exist in a land where intelligence agencies won't coerce them or find a way to leak data.

The reality is that they are forcing users to use client side javascript which can have anything in it. And Swiss privacy laws do not do what users claim. There is no way to verify the claims of privacy.

Not contradicting you in any way, but you can check out the javascript. Javascript deobfuscation is pretty sophisticated nowadays (maybe not) from my naive perception.
I think the complaint is that it takes a lot of work to check, each time you visit the site, that the JavaScript your browser downloads is really the same as the published (and assumed secure) source code (plus obfuscation, as you mention).

Ideally there would be a mechanism in browsers to pin a specific version of a web app, and only let that app update (to a version with a specific hash) if the user explicitly gives it permission to.

The nearest thing we have to that right now is the SRI-bookmarklet trick: https://news.ycombinator.com/item?id=17776456

EteSync (an open source, end-to-end encrypted contact and calendar syncing service) developed a browser extension called Signed Pages to validate the integrity of its web app. This mechanism also works for any other website that implements it.

https://github.com/tasn/webext-signed-pages

HTML pages are PGP-signed by the website developer, and all of the resources embedded in the pages are validated by the browser using the Subresource Integrity feature:

https://developer.mozilla.org/en-US/docs/Web/Security/Subres...

Oh I see. Yeah the "Swiss" thing is probably more folklore than anything, but admittedly for the client-side encryption you can use their IMAP bridge that's open source and therefore technically auditable and not quite as easy to modify on-the-fly.

But any claim of security for emails will be contingent to a huge number of factors anyway lest you use end-to-end encryption so I see where you're coming from. Less technical people would probably have a hard time understanding the true security and privacy implications of protonmail.

A lot of the implied security benefits are like the “100% fat free” labels on Swedish Fish. True, but of dubious value.

People equate it with Swiss bank accounts, based on what they learned from James Bond movies.

anecdotal, of a number of people I know who run the SMTP (and IMAP, etc) infrastructure for some mid to large sized ISPs, none of them are protonmail customers. email was never meant to be secure in the way that they market it as.
the worst offenders by far are VPNs. Their advertising is usually shady and litters youtube, and there is simply no way of verifying their privacy claims. They don't log or monitor traffic? Okay fine I'll just take your word for it I guess.
exactly, they are all just internet resellers, and every single review site is affiliate marketing.

"oh wow the blogger disclosed that they're paid to advertise them, that makes me trust the service even more!"

people just need to understand there are just limitations with that concept. don't rely on them for doing anything criminal anonymously. but its fine to hide activity from the people in your house and ISP and circumvent geofenced streaming services.

If I see one more freakin' nordvpn sponsored youtube video... grrrrrrr
the one started by the guy who is now the crowm prince of the defunct Joseon dynasty?
It can be very informative (and slightly scary, if you know how some of this stuff really works) to look at print magazines targeted at the age 65+ crowd to see how certain categories of technology products are marketed and sold to a certain demographic.
I use it and was notified of a new mobile phone subscription that was opened in my name out of state without my knowledge. The next month it happened to my wife. They were the only ones to notify us.
It's only a matter of time before bloatware shipped on OEM devices and "free subscriptions" for antivirus, warranties, etc. pay for themselves by doing a little mining in the background.

And then, of course, it's only a matter of time before they're doing a lot of mining, and they're subsidizing the cost of the device, and a contract will require you to run the miner until it's been paid off.

I’m curious if it even makes sense to manufacture a computer and sell it, as opposed to renting it for whatever the highest value compute happens to be at the moment.
Apologies for whatever, but thanks for this post; one more thing to look for to uninstall on relatives/acquaintances computers.

Reason: products having "Crypto" or "Secure" in the name are usually a bag of bugs, doing much more damage than anything else. Why this is so is kind of a riddle to me; I don't know any product promising to secure a PC that isn't buggy and insecure, with the only exceptions being the inherent security of operating systems (windows, MacOS, Linux in ascending order).

Odd they still using the Norton branding - it has been a while.
What is the sound of one bubble popping? :)
LifeLock is, of course, known best for:

1. Having their CEO be the target of multiple effective identity thefts, despite claiming to be protected by their signature product[1].

2. Their previous CEO being an identity thief himself[2].

3. Being fined by the FTC for outright lying about the efficacy of their product, and then being fined again for operating in contempt of the original FTC agreement[3].

Given their shady history, this foray into cryptocurrency is no particular surprise.

[1]: https://www.wired.com/2010/05/lifelock-identity-theft/

[2]: https://www.wired.com/2007/06/lifelock-founde/

[3]: https://www.ftc.gov/news-events/press-releases/2015/12/lifel...

Yes, those were some antics there... LifeLock was acquired by Symantec back in 2016 and integrated into their Norton 360 product.

The Norton division was spun off as NortonLifeLock when Symantec sold the enterprise part of the business to Broadcom.

NortonLifeLock is a completely different company now.

Aside from the branding and history problems here, actually kind of surprising its been this long before a mainstream brand came up with a "vetted" crypto miner. Interesting.

Press release is extremely vague, but I read this to be they have implemented their own eth mining client to set up their own pool? Normally miners and pools take a small cut, there is no mention of that here. Surely they are going to do the same? Are they going to cover their own payout transactions, or charge end users?

Its possible this could actually be a bit compelling if they're not taking a cut, although way too late to the party, and ironically their reputation is starting out far worse than anonymously developed miners on popular pools.

Seriously, why do CEOs talk like the following in press releases:

As the crypto economy continues to become a more important part of our customers’ lives, we want to empower them to mine cryptocurrency with Norton, a brand they trust,” said Vincent Pilette, CEO of NortonLifeLock. “Norton Crypto is yet another innovative example of how we are expanding our Cyber Safety platform to protect our customers’ ever-evolving digital lives.”

Every time I hear words like "empower" and "innovative" I turn off.

Perhaps that's the goal though? Because I read further and it says one of their risks are:

matters arising out of our completed Audit Committee investigation and the ongoing U.S. Securities and Exchange Commission investigation)

Holy crap, it's worse than I thought...

Shortly after Greg Clark took the reins in November 2016, Symantec acquired consumer credit protection company LifeLock for $2.3 billion. Combined with the Norton consumer AV business this represented $2.2 billion in annual revenue for the consumer division. [1]

So basically, this has gone from consumer credit protection to... Ethereum mining?!?

1. https://www.forbes.com/sites/richardstiennon/2020/03/16/the-...

Antivirus and stupid power-hungry Proof-of-Work in a single product. Geeez....