I think the target market is rubes who are 36-48 months or more late to crypto mining, think they can get rich quick, and desire to hop on board the bandwagon.
I took a double take at this because it seemed like a headline from The Onion. But then I realized this might actually be a real thing? Overall it left me with a very gross and icky feeling.
If I were to make a ranking of businesses that I consider highly ethical and reputable, the lifelock company would be somewhere towards the bottom.
This is actually hilarious if you read the article.
They created a problem of their antivirus software flagging crypto miners, and instead of fixing that, they made their own crypto miner that is exempt from their flagging and said "see look, now its simpler and you don't have to disable your antivirus!"
And then they said its more secure and even simpler because all your crypto and keys get stored in the cloud, so you keep your crypto even if your harddrive/storage crashes.
Server side crypto hack incoming in..... three... two....
My bet is in the long term a distributed crypto mining scheme where it uses the powers of everyone's grandmother's computer that still has norton installed.
Yeah, presumably computers will come with a "free trial" of a Norton Suite, which, after the trial period expires:
1. will not even pretend to improve your security,
2. will nag you for credit card information to extend the service, and
3. will continue to mine cryptocurrency in the background, to be "safely" stored in Norton's cloud wallet, which Norton will periodically reap "expired" coins from.
LifeLock only advertises in media channels popular with the ignorant, vulnerable, and/or paranoid. People who don't know that story and definitely don't know better.
Except with that one, a lot of otherwise tech savvy people just refuse to acknowledge the limitations and inability to verify privacy claims at any given point in time
People believe it is private and uncompromisable because of their use of client side encryption and claims of server side encryption and that their Switzerland location means they exist in a land where intelligence agencies won't coerce them or find a way to leak data.
The reality is that they are forcing users to use client side javascript which can have anything in it. And Swiss privacy laws do not do what users claim. There is no way to verify the claims of privacy.
Not contradicting you in any way, but you can check out the javascript. Javascript deobfuscation is pretty sophisticated nowadays (maybe not) from my naive perception.
I think the complaint is that it takes a lot of work to check, each time you visit the site, that the JavaScript your browser downloads is really the same as the published (and assumed secure) source code (plus obfuscation, as you mention).
Ideally there would be a mechanism in browsers to pin a specific version of a web app, and only let that app update (to a version with a specific hash) if the user explicitly gives it permission to.
EteSync (an open source, end-to-end encrypted contact and calendar syncing service) developed a browser extension called Signed Pages to validate the integrity of its web app. This mechanism also works for any other website that implements it.
HTML pages are PGP-signed by the website developer, and all of the resources embedded in the pages are validated by the browser using the Subresource Integrity feature:
Oh I see. Yeah the "Swiss" thing is probably more folklore than anything, but admittedly for the client-side encryption you can use their IMAP bridge that's open source and therefore technically auditable and not quite as easy to modify on-the-fly.
But any claim of security for emails will be contingent to a huge number of factors anyway lest you use end-to-end encryption so I see where you're coming from. Less technical people would probably have a hard time understanding the true security and privacy implications of protonmail.
anecdotal, of a number of people I know who run the SMTP (and IMAP, etc) infrastructure for some mid to large sized ISPs, none of them are protonmail customers. email was never meant to be secure in the way that they market it as.
the worst offenders by far are VPNs. Their advertising is usually shady and litters youtube, and there is simply no way of verifying their privacy claims. They don't log or monitor traffic? Okay fine I'll just take your word for it I guess.
exactly, they are all just internet resellers, and every single review site is affiliate marketing.
"oh wow the blogger disclosed that they're paid to advertise them, that makes me trust the service even more!"
people just need to understand there are just limitations with that concept. don't rely on them for doing anything criminal anonymously. but its fine to hide activity from the people in your house and ISP and circumvent geofenced streaming services.
It can be very informative (and slightly scary, if you know how some of this stuff really works) to look at print magazines targeted at the age 65+ crowd to see how certain categories of technology products are marketed and sold to a certain demographic.
I use it and was notified of a new mobile phone subscription that was opened in my name out of state without my knowledge. The next month it happened to my wife. They were the only ones to notify us.
It's only a matter of time before bloatware shipped on OEM devices and "free subscriptions" for antivirus, warranties, etc. pay for themselves by doing a little mining in the background.
And then, of course, it's only a matter of time before they're doing a lot of mining, and they're subsidizing the cost of the device, and a contract will require you to run the miner until it's been paid off.
I’m curious if it even makes sense to manufacture a computer and sell it, as opposed to renting it for whatever the highest value compute happens to be at the moment.
Apologies for whatever, but thanks for this post; one more thing to look for to uninstall on relatives/acquaintances computers.
Reason: products having "Crypto" or "Secure" in the name are usually a bag of bugs, doing much more damage than anything else. Why this is so is kind of a riddle to me; I don't know any product promising to secure a PC that isn't buggy and insecure, with the only exceptions being the inherent security of operating systems (windows, MacOS, Linux in ascending order).
Isn't Ethereum going to migrate to PoS in the near future anyway? Not that it's the only red flag here, but it seems like this product is going to have a short shelf life lest they migrate to other coins.
1. Having their CEO be the target of multiple effective identity thefts, despite claiming to be protected by their signature product[1].
2. Their previous CEO being an identity thief himself[2].
3. Being fined by the FTC for outright lying about the efficacy of their product, and then being fined again for operating in contempt of the original FTC agreement[3].
Given their shady history, this foray into cryptocurrency is no particular surprise.
Aside from the branding and history problems here, actually kind of surprising its been this long before a mainstream brand came up with a "vetted" crypto miner. Interesting.
Press release is extremely vague, but I read this to be they have implemented their own eth mining client to set up their own pool? Normally miners and pools take a small cut, there is no mention of that here. Surely they are going to do the same? Are they going to cover their own payout transactions, or charge end users?
Its possible this could actually be a bit compelling if they're not taking a cut, although way too late to the party, and ironically their reputation is starting out far worse than anonymously developed miners on popular pools.
Seriously, why do CEOs talk like the following in press releases:
As the crypto economy continues to become a more important part of our customers’ lives, we want to empower them to mine cryptocurrency with Norton, a brand they trust,” said Vincent Pilette, CEO of NortonLifeLock. “Norton Crypto is yet another innovative example of how we are expanding our Cyber Safety platform to protect our customers’ ever-evolving digital lives.”
Every time I hear words like "empower" and "innovative" I turn off.
Perhaps that's the goal though? Because I read further and it says one of their risks are:
matters arising out of our completed Audit Committee investigation and the ongoing U.S. Securities and Exchange Commission investigation)
Shortly after Greg Clark took the reins in November 2016, Symantec acquired consumer credit protection company LifeLock for $2.3 billion. Combined with the Norton consumer AV business this represented $2.2 billion in annual revenue for the consumer division. [1]
So basically, this has gone from consumer credit protection to... Ethereum mining?!?
48 comments
[ 2.9 ms ] story [ 93.3 ms ] threadIf I were to make a ranking of businesses that I consider highly ethical and reputable, the lifelock company would be somewhere towards the bottom.
https://www.google.com/search?channel=fs&client=ubuntu&q=lif...
They created a problem of their antivirus software flagging crypto miners, and instead of fixing that, they made their own crypto miner that is exempt from their flagging and said "see look, now its simpler and you don't have to disable your antivirus!"
And then they said its more secure and even simpler because all your crypto and keys get stored in the cloud, so you keep your crypto even if your harddrive/storage crashes.
Server side crypto hack incoming in..... three... two....
(double facepalm)
Wait, what? I thought this was going to be a ransomware product. What in the world is going on here?
1. will not even pretend to improve your security,
2. will nag you for credit card information to extend the service, and
3. will continue to mine cryptocurrency in the background, to be "safely" stored in Norton's cloud wallet, which Norton will periodically reap "expired" coins from.
Wow, can't imagine any sane person who would use this. Galaxy brain move to release it though.
Except with that one, a lot of otherwise tech savvy people just refuse to acknowledge the limitations and inability to verify privacy claims at any given point in time
The reality is that they are forcing users to use client side javascript which can have anything in it. And Swiss privacy laws do not do what users claim. There is no way to verify the claims of privacy.
Ideally there would be a mechanism in browsers to pin a specific version of a web app, and only let that app update (to a version with a specific hash) if the user explicitly gives it permission to.
The nearest thing we have to that right now is the SRI-bookmarklet trick: https://news.ycombinator.com/item?id=17776456
https://github.com/tasn/webext-signed-pages
HTML pages are PGP-signed by the website developer, and all of the resources embedded in the pages are validated by the browser using the Subresource Integrity feature:
https://developer.mozilla.org/en-US/docs/Web/Security/Subres...
But any claim of security for emails will be contingent to a huge number of factors anyway lest you use end-to-end encryption so I see where you're coming from. Less technical people would probably have a hard time understanding the true security and privacy implications of protonmail.
People equate it with Swiss bank accounts, based on what they learned from James Bond movies.
"oh wow the blogger disclosed that they're paid to advertise them, that makes me trust the service even more!"
people just need to understand there are just limitations with that concept. don't rely on them for doing anything criminal anonymously. but its fine to hide activity from the people in your house and ISP and circumvent geofenced streaming services.
And then, of course, it's only a matter of time before they're doing a lot of mining, and they're subsidizing the cost of the device, and a contract will require you to run the miner until it's been paid off.
Reason: products having "Crypto" or "Secure" in the name are usually a bag of bugs, doing much more damage than anything else. Why this is so is kind of a riddle to me; I don't know any product promising to secure a PC that isn't buggy and insecure, with the only exceptions being the inherent security of operating systems (windows, MacOS, Linux in ascending order).
1. Having their CEO be the target of multiple effective identity thefts, despite claiming to be protected by their signature product[1].
2. Their previous CEO being an identity thief himself[2].
3. Being fined by the FTC for outright lying about the efficacy of their product, and then being fined again for operating in contempt of the original FTC agreement[3].
Given their shady history, this foray into cryptocurrency is no particular surprise.
[1]: https://www.wired.com/2010/05/lifelock-identity-theft/
[2]: https://www.wired.com/2007/06/lifelock-founde/
[3]: https://www.ftc.gov/news-events/press-releases/2015/12/lifel...
The Norton division was spun off as NortonLifeLock when Symantec sold the enterprise part of the business to Broadcom.
NortonLifeLock is a completely different company now.
Press release is extremely vague, but I read this to be they have implemented their own eth mining client to set up their own pool? Normally miners and pools take a small cut, there is no mention of that here. Surely they are going to do the same? Are they going to cover their own payout transactions, or charge end users?
Its possible this could actually be a bit compelling if they're not taking a cut, although way too late to the party, and ironically their reputation is starting out far worse than anonymously developed miners on popular pools.
As the crypto economy continues to become a more important part of our customers’ lives, we want to empower them to mine cryptocurrency with Norton, a brand they trust,” said Vincent Pilette, CEO of NortonLifeLock. “Norton Crypto is yet another innovative example of how we are expanding our Cyber Safety platform to protect our customers’ ever-evolving digital lives.”
Every time I hear words like "empower" and "innovative" I turn off.
Perhaps that's the goal though? Because I read further and it says one of their risks are:
matters arising out of our completed Audit Committee investigation and the ongoing U.S. Securities and Exchange Commission investigation)
Shortly after Greg Clark took the reins in November 2016, Symantec acquired consumer credit protection company LifeLock for $2.3 billion. Combined with the Norton consumer AV business this represented $2.2 billion in annual revenue for the consumer division. [1]
So basically, this has gone from consumer credit protection to... Ethereum mining?!?
1. https://www.forbes.com/sites/richardstiennon/2020/03/16/the-...