
Is McAfee's siteadvisor.com a scam? - naner
http://www.reddit.com/r/AskReddit/comments/ghal9/mcafee_is_running_a_scam_siteadvisorcom_is_just_a/
======
cdixon
I was the cofounder and CEO of SiteAdvisor before it was acquired by McAfee in
2006. I haven't had control over it since then and left McAfee 4 years ago but
my sense is that they are trying to rate sites correctly but just
understaffed/underfunded. I read the reddit article but couldn't find the URL
in question. When I was running SiteAdvisor we made mistakes but were also
accused of being a scam by the biggest spyware distributors etc who hated the
fact that we were calling them out. So I think it's important to take it case
by case.

~~~
naner
At the very least it appears improper to apply an unsolicited security rating
to sites while simultaneously selling a "hacker safe" badge.

Also (sorry, I know nothing about law) doesn't this put McAfee/SiteAdvisor at
risk for defamation suits?

~~~
trotsky
It's solicited. By McAfee customers. They're paying for various AV services
and this is one of them. The site will only be blocked for McAfee customers
that (I'm assuming) have this feature turned on. Clearly they couldn't run a
site operator opt-in only list of malware hosting sites... right?

~~~
naner
_Clearly they couldn't run a site operator opt-in only list of malware hosting
sites... right?_

Yes. :(

I'm just having a hard time coming to terms with the possibility that your
site can be improperly flagged for all McAfee users and you have virtually no
recourse because they happen to be understaffed.

------
d2
McAfee screwed our site over the same way with siteadvisor. It took 2 months
and us harassing their support team almost daily to get it resolved. Also hurt
revenue. I'd love to participate in a class action lawsuit.

------
trotsky
_Then one day it suddenly hit me.. You see the thing is McAfee siteadvisor.com
also sells these hacker-safe certificates to websites for $360 / year. With
that in picture, this whole fucking thing just makes sense. This is just a
ploy to sell those certificates._

That is some serious ass jumping to conclusions. I feel for the guy, his
situation sucks. BUT:

He just up and one day decided that they're doing it to sell him some snake
oil.

  - Nobody from McAfee suggested he buy the snake oil.
  - Nobody else told him, "oh that is a scam to get you to buy snake oil".
  - He didn't ask around to see if it's happening to a lot of other people.
  - He didn't try to buy said snake oil to confirm it would make a difference

Clearly McAfee siteadvisor sounds broken/underfunded/lazy/all of the above. It
sucks he can't get them to deal with it. But if it was some kind of cyber
protection racket it'd be happening to a lot of people with similar results.
And they'd have to give you some hints as to how to "get protected". I've
hosted a number of websites with executables throughout the years including
one that has a bunch and is active right now. I've never been on a McAfee
blacklist. I've never even heard of anyone I know being on a McAfee blacklist.
If it was some kind of protection racket wouldn't they just be mass flagging
things?

_Never attribute to malice that which is adequately explained by stupidity_
- Hanlon's razor

~~~
agj
It doesn't sound like the OP tried very hard to resolve this before deducing
this was all a scam that had to come to light. McAfee isn't going to resolve
this out of goodwill after several email complaints -- I wouldn't trust them
to. The OP needs to try harder to light a fire under someone's ass. McAfee has
little to nothing to gain from bending to the whim of flagged sites.

To say that the OP's experience would be different as a paying customer,
either as a mere AV subscriber or as a subscriber to their hacker-safe
service, is an unfounded assumption -- to say the next step is forking over
_protection_ money and that this is all a scam is pure sensationalist FUD.

I'm firmly in the skeptic camp. Without any evidence, the OP's site could be
legitimately flagged. Also, I sure as hell wouldn't let this linger for _2
years_. Maybe I missed something though, I gave up on the comments after a
minute, my tolerance to the reddit front page hivemind is very low.

Also - thanks for introducing me to Hanlon's razor, it's now posted in my
office.

------
acangiano
It sounds like the digital version of a protection racket:
<http://en.wikipedia.org/wiki/Protection_racket>

~~~
exDM69
Yep, it seems like a racket to me too.

Not only do these "security" companies have their 30 day trial versions
pre-installed in just about every PC computer that is sold today, but seems that
they have started harassing website admins too.

$360 is just low enough for someone doing business in the web to pay in order
to not lose more money to lost customers. But I can't help it, this sounds
like very dishonest extortion to me.

I used to think that these "security" companies were paying Microsoft in order
to keep their software buggy so virus scanners and firewalls would sell more.
Either Microsoft started fixing their software or stopped adding bugs on
purpose so the security industry has had to find new sources of revenue.

Btw, I've never had a virus scanner or a firewall software installed. Not even
on Windows, and not even on the worst Windows XP times around 5 years ago. A
simple NAT has kept all the hacking attempts at bay. At least I've never
experienced suspicious network traffic or computers slowing down or other
telltale signs of viruses/worms/hacking.

I feel sorry for anyone who pays protection money to the IT security racket
and I wish that everyone would just stop paying to this counterproductive
industry.

~~~
jarin
> I used to think that these "security" companies were paying Microsoft in
> order to keep their software buggy so virus scanners and firewalls would
> sell more. Either Microsoft started fixing their software or stopped adding
> bugs on purpose so the security industry has had to find new sources of
> revenue.

You honestly think software bugs are some kind of AV industry conspiracy?

------
bdclimber14
This parallels GetSatisfaction and how they display support pages for
companies that don't pay for their service as "uncommitted to customer
support" or something to that extent. I don't think there are malicious
intentions, but they do collect positive and negative feedback, and display it
on a public webpage stating that the company isn't responding to it.

Sorry for the slight change of topic.

~~~
jarin
Or Yelp and mysteriously removing 5 star reviews for companies who don't buy
their premium listings.

------
tzs
There are two problems I have seen with them. First, they are not good at
handling false positives. As the poster on Reddit found out, they are slow to
respond. Also, they don't seem to have a mechanism to recognize that their
scan does a poor job at certain sites. They should have some kind of internal
white list of sites that their scan can't handle well, and only let those
sites make it to the block list after human review whenever the scan purports
to find something.

The second problem is that there are many obvious people gaming the community
review system. I saw one reviewer, with a 9/9 reputation rating, that was
reviewing thousands of sites a day. I suspect that there were many more shill
accounts participating in this.

~~~
microarchitect
> The second problem is that there are many obvious people gaming the
> community review system. I saw one reviewer, with a 9/9 reputation rating,
> that was reviewing thousands of sites a day. I suspect that there were many
> more shill accounts participating in this.

Yup. Here are their top 3 reviewers:

  * pharmalert: http://user.siteadvisor.com/forums/member.php?u=19138 with 1400 posts per day.
  * Nodes: http://user.siteadvisor.com/forums/member.php?u=107161 with 750 posts per day.
  * DougW: http://user.siteadvisor.com/forums/member.php?u=1699 with 451 posts per day.

For me this is a pretty solid indicator that their review system is, at best,
useless.

~~~
tzs
Thanks. Pharmalert was the reviewer I was thinking of. "He" has posted 2359030
reviews since 2006-08-24.

------
nethsix
SiteAdvisor is a browser plug-in so it's user opt-in. I can empathize with you
but unfortunately the Internet is full of users that are not security-savvy
and thus they have to rely on a trusted entity, e.g., McAfee to make security
decisions for them. Unfortunately, perverse incentives can creep in like what
you experience; McAfee slow to aid your cause. I'm developing 'visible
security', a 'product' that provides information to a user for her to judge
the risks of visiting a site, e.g., number of 3rd party components/APIs a site
relies on, etc. and selectively control what she wishes to retrieve from a
site. For your particular case, 'visible security' can help in 2 ways: (1) a
user has control to not download that particular component but yet view your
site as per normal, and (2) even if McAfee flags your site as bad, with
'visible security' being vendor-neutral, other more responsive vendors or a
ton of registered Internet users may flag your site as good thus sending a
strong signal that McAfee may just be over-cautious, etc., thus liberating
sites from the mercy of a single security vendor that has a large user base.

------
seancron
It's siteadvisor.com not siteadviser.com

~~~
naner
Thanks. Hopefully someone can change the title.

------
lawnchair_larry
Never attribute to malice that which is adequately explained by stupidity.

------
teyc
I wonder if the ubiquity of SiteAdvisor (due to various freebie installation
offers) results in McAfee being perceived as an unwanted service rather than
as a necessary service.

------
iuguy
Having some experience of dealing with all sides of this type of situation, I
feel as though I should comment.

Is SiteAdvisor a scam? No. In a nutshell, it's something that's used by McAfee
customers - they paid for the service and no they don't have the ability to
make the decision for themselves as to whether or not a site is safe.

Is SiteAdvisor any good? No. As Cdixon pointed out, they're heavily
understaffed. It's full of false positives, it's a fairly crappy service.

Is McAfee AV any good? No. It's one of the easiest AVs to bypass. McAfee is
the most commonly found AV in the enterprise we come up against on penetration
tests and unless we're using something like Metasploit we get past it
undetected _every time_ and have done for years.

------
byrneseyeview
It could be a scam, in theory. But this is also roughly how you'd expect a
legitimate company to behave. They have a system that uses some cheap
heuristics to guess whether or not you're a scam--and they do that for free.
To actually investigate gray areas, they need human intervention, and that
comes at a cost.

This is how, e.g., the legal system works. If you're accused of a crime, you
can cheaply plead out or expensively defend yourself. It's also how customer
service works: they can deal with ~95% of the problems people encounter by
reading off a script, and they have to escalate the last 5%, sometimes at a
cost.

