17 comments

[ 5.2 ms ] story [ 61.2 ms ] thread
This is great but I think we’re heading towards a world where we just have to assume our devices are compromised. Maybe I’m alone in that, but I feel like it’s only a matter of time before we all get there.
if your security people are not doing this already, they are decades behind the curve.
While this is very cool and I hope it succeeds, I find myself worried that Malloc's dependence on ML makes it extremely vulnerable to adversarial attacks.

Though at the same time, it's probably much harder to change software behavior than it is to modify a bunch of pixels on a photo, so it might be hard to do adversarial attacks with spyware. I wonder if there's research on stuff like this.

Cat and mouse in an asymmetrical playing field. The problem is that the bad guys can use this app to fine-tune their malware.
> The rising threat of spyware has prompted both Apple and Google to introduce indicators when a device’s microphone or camera are used. But some of the more elusive and more capable spyware — the spyware typically used by governments and nation states — can slip past the hardened defenses built into iOS and Android.

> That’s where Malloc says Antistalker comes in. Malloc’s co-founders Maria Terzi, Artemis Kontou and Liza Charalambous built the app around a machine learning (ML) model, which allows the app to detect and block device activity that could be construed as spyware recording or sending data.

That's a bit of a non sequitur, right?

If sophisticated malware is bypassing the OS-level "open mic" warning, that's presumably because it's bypassed the OS security model. As such, it should just as easily be able to avoid detection or simply disable any other detection mechanism, ML-driven or otherwise.

(If the issue is sophisticated malware that does not involve privilege escalation, e.g. by executing code inside the sandbox of a trusted app, I could see how an improved detection approach would help, but e.g. NSO and similar tend to use sandbox escapes + privesc, AFAIK.)

Threat model is the business model on this. Notable that the founders are women, and though it shouldn't be remarkable at all, and perhaps it's sexist to speculate they're going to leverage that, but it's a useful indicator because antistalker tech by/for women is an influencer channel for other products. They're a consumer app company and gender doesn't matter to the tech itself, except from a product perspective, it's really a potential advantage in this case.

The generic threat model for most security tools (which, suck) has been the individual vs. the state or various generic criminals, whereas the threat actor in a mostly feminine threat model would be the much higher likelihood/impact scenario of stalkers, who are as likely to be co-workers and IT admins as they are classmates, neighbours, or internet followers. Few want to even say this out loud because just verbalizing it is off-brand and comes with an ick factor. Hence no good products for it, yet. Stalkers get away with it because acknowledging them as part of your story at all elevates them to the level of peer or factor, and so the product discussion itself is often too gross to want to get into.

Solving for that is technically much more focused and useful from a secuirty perspective than say, taking on the universe of bad cops and spies. Plus, women are more likely to leverage recourse to law enforcement (instead of physically beating a stalker), and so security tech that has to be designed to keep out a nation state to get security influencer adoption isn't helping most of them.

Nobody in the security companies I worked for wanted to talk about these issues seriously because of the ick factor and a bunch of nerdy white knights diverting all uncomfortable discussions to blockchains, but it's also what creates the opportunity. This seems like a really smart play.

Hey, I am new to this site. I want to talk to you. How can I send you a message?
As you have recognized:

> Plus, women are more likely to leverage recourse to law enforcement (instead of physically beating a stalker)

Isn't the issue then that your business model is competing with law enforcement, which has far greater resources and the ability to levy criminal penalties against stalkers and hackers? I'm struggling to see why a woman would want to pay for some random app versus preserving the evidence intact and presenting it to law enforcement for use in civil or criminal proceedings.

The other issue is that if they do manage to come up with a successful approach, there's nothing stopping Google and Apple from integrating a similar solution into the OS, with more engineers and privileged access to the underlying system.

It's an interesting idea, but I can understand the lack of VC enthusiasm.

Interestingly, (imo) Apple wouldn't do it themselves because it's off brand for them. They need a 3rd party provider for anything that doesn't reinforce the brand.

Similarly, MSFT could have rolled over and put every antivirus company out of business, but they don't because they can't. It's not economical for them to do it.

I'd be enthusiastic about this company, and as soon as they get conversions via social channels from influencers, I'd bet on it taking off.

The business model comment seems like a misunderstanding, as you absolutely want to know if there is spyware on your device, the IT guy is rifling your files, if your partner is going through your phone, or if someone picked up your device and plugged in a cable to it when you left it on your desk, or your weird tinder date sideloaded malware on your phone when you left the table. My point about law enforcement is that you don't have to build an FBI-proof product to meet the antistalker market need, and I think that's what other security companies have tried and failed.

It took Microsoft a little while, I suspect due to lingering antitrust fears, but they have cannibalized the consumer AV market with Windows Defender. Hardly anyone I know uses, let alone pays for, a third-party AV product at home. Also, mainstream sources like the NYT's tech blog are recommending against third-party AVs. https://www.nytimes.com/wirecutter/blog/best-antivirus/

And the best defense against most of those attack vectors you mentioned is simply a decent passcode, fingerprint scanner, etc. The vast majority of modern phones don't allow apps to be installed or debugging activated while the phone is locked.

Just to expand on why I think the business model isn't there, on the one side you have giants like Google and Apple that can crib your best features, and on the other snake oil apps that offer a shiny UI and very little security. To make a quality product profitable, you're stuck trying to keep ahead of the behemoths in terms of engineering, while simultaneously being undercut by competitors with near-zero R&D costs throwing money into ads and paid endorsements. The fact that AV companies with strong existing brands have had so little success in this space makes me skeptical of whether a viable market exists.

I'm bullish on cybersecurity when it comes to enterprise offerings, but the consumer market largely seems like a dead end.

I think this is the category of comment that I've seen downvoted in the past, but it needs to be said:

I wouldn't name a company "malloc".

The meaning is very specific, its usage well established and old, and it would seem to me this company has nothing to do with it and shouldn't claim the name.

I feel the same. I don't like when companies use a word that already exists.
I think a word that already exists is probably fine a lot of the time. But an unrelated technical term with a 50+ year history...
You're right, that's a better way to put it.
yup, especially with so many warnings against using the original malloc, its an interesting choice
It seems like a super bad choice, and people will have a hard time googling for the company, because there's no way the company is going to surpass the decades of results for "malloc" the syscall name.

I feel that you did a good service in warning them about this. But then again, this is what venture capital is all about. Try every permutation of things and eventually you'll hit on a unicorn idea. Maybe naming a company after the most common syscall on the most common OS on the planet is a winning strategy after all?