Norton 360 Now Comes with a Cryptominer (krebsonsecurity.com)
271 points by todsacerdoti on Jan 6, 2022 | 88 comments



See this discussion from 2 days ago (500+ comments)

https://news.ycombinator.com/item?id=29795910


I wonder if anybody has estimations of the contribution of anti-virus software to global warming. They run on almost all desktop computers, are generally large and bloated applications that consume tons of CPU for their continuous scans, I would not be too surprised if it was far from negligible.


To be fair, they also are responsible for some reduction in carbon output. I have seen people just get a new machine if their computer gets too compromised with viruses so any level of virus protection will end up keeping computers out of landfills.


I think this is an example of the 3rd party crapware that is more frequent a reason for a user to needlessly replace hardware that would have functioned correctly, quickly and more securely with a vanilla install, but a vendor accepted payment to market some security theatre or other feature that is hard to remove. Of course the vendor is all too happy if you think you need a new computer.


A computer that is compromised with viruses is easily remedied. Anyone can just reinstall the operating system from the OEMs supplied OS installation media or the user can provide their own operating system. I don’t buy this argument that anti-virus leads to fewer people throwing their assets out. Furthermore, viruses do not affect the underlying hardware, which is what people would be throwing away. The economics don’t make sense, why would an individual dispose of an asset they bought with their personal money when there’s nothing fundamentally wrong with the part of the asset that was purchased?


"Anyone can just reinstall the operating system from the OEMs supplied OS installation media or the user can provide their own operating system."

A careful examination of who that "anyone" is will reveal that as "anyone"s go, it's not very "anyone". It's certainly less than 50% comfortable doing that, and even less willing (e.g., I know how but that doesn't mean I want to).


Our society is so disenfranchised from tech that we can't type "reinstall" or "reset" into the search + follow prompts anymore.


Because they don't understand any of what you just said, and they think that malware can harm their computer.


> … and they think that malware can harm their computer.

To be fair, it actually can — there’s plenty of writable flash on motherboards and in peripherals where malware could persist across OS reinstallation.


To add to this, isn’t a computer in this context some combination of hardware and software?

And malware is a contraction of malicious-software.

And then is it not true that malware does, by definition, harm the user’s experience in some way, whether that’s detectable by the user or not?

Splitting technical hairs is entertaining though.


I think that in the days before good windows security, it's true that more people threw out their assets due to malware. I've seen plenty of family members do it, reinstalling an operating system is sadly not something "anyone" can do. It doesn't make sense to throw hardware out because of some software, but most don't have such a distinction.


> I think that in the days before good windows security,

"Before"‽ Windows still sets every file as executable by default (just an example). If it had good security you wouldn't need anti-malware tools always running in the background looking for stuff that has already broken through (to some extent). Basically, Windows security has been and probably always will be absolute garbage.

A big reason why Microsoft won't (and can't, really) fix the security of Windows is backwards compatibility... If they fixed the "everything is executable by default" problem it would 100% for sure break a ton of stuff.

The code base for Windows is both old and enormous. They don't employ enough developers to constantly review and re-write all that code all of the time. Most of it--even today's Windows 10 core code--was written at a time when Microsoft didn't really give a rat's ass about security.

Just look at the past few years of Windows 10 vulnerabilities:

https://www.cvedetails.com/product/32238/Microsoft-Windows-1...

...and compare that to say, Canonical/Ubuntu's list:

https://www.cvedetails.com/vendor/4781/Canonical.html

Looking at last year, in 2021 Ubuntu had 29 CVE-listed vulnerabilities, four of which were "code execution" (the worst).

In that same period Windows 10 had 485 CVE-listed vulnerabilities, 112 of which were "code execution"!

Now consider for a moment that the scope of Canonical/Ubuntu CVE list includes vastly more software than what comes with Windows. I just looked (Ubuntu 21.04) and there's 6,080 packages in Ubuntu's "main" software repository which is what's in scope for those CVEs (I'm pretty sure anyway).

Whereas the scope of Windows 10 is just what comes with the OS which isn't much! If you drill down into the Windows 10 code execution vulnerabilities you'll see that it's all in the core stuff that comes with Windows like the print spooler, media services libraries, remote desktop, file system, etc. It's not obscure extras like bundled games or the snip tool or whatever.


> OEMs supplied OS installation media or the user can provide their own operating system

I haven't received install media of any kind from an OEM in over a decade. Commonly they're using a hidden disk partition to reinstall the OS. This can just as easily be compromised as the boot partition. So "just reinstall" skips a number of laborious or impractical steps.


> I don’t buy this argument that anti-virus leads to fewer people throwing their assets out

Just because you think people shouldn't behave a certain way doesn't necessarily mean they don't behave that way, though. There are definitely people out there who toss their laptops when they get cluttered with malware.


> Anyone can just

An extended family member of mine had been planning on replacing their computer because they were having problems logging in to Office 365.


Quibble, A/Vs can hook file accesses and executions so most of the time it is not continuously scanning.


My CPU fan is screaming next to me right now because of my employer's overly paranoid, inefficient scanning shitware (yep I checked the list of processes). Not only is it warming the globe, it's warming this room. If I put my hands near the exhaust ports it'll warm those as well.


Since it is winter it probably doesn't matter but if it were summer you'd probably then spend even more energy attempting to move that heat from inside to outside. (Unless you're in the Southern Hemisphere, but statistically you're probably not :) )


So, we’re doing whataboutism for this now? You don’t have some answer like “using as much electricity as Argentina to mine bitcoins is the price of freedom”?


Ugh.. do you think AVs are useless or something? Why do people think this? Shit AVs are shit, end of story. Reading memory and is not CPU intensive; the disk I/O intensity of Windows vs Linux alone is very drastic if you want to evaluate that as a baseline instead.

It's like asking the carbon footprint of freeway guardrails. I mean, Norton sucks, sure, but at least turn on Defender (which is really good btw). The amount of lives not ruined and money not lost due to cybercrime thanks to AVs alone is staggering imo.


Freeway guardrails have never deleted my car's engine while I was minding my own business staying on the road.


They would be shitty guardrails if they did, just like shit AV is shit. I am not asking you to buy Norton but to at least leave Defender turned on on Windows. It stops very real and serious threats. Like I have seen attackers move laterally and they only succeed on hosts where people turned off Defender or it isn't updated.

I have a challenge for any of you who disagree: write basic malware that you can use to monitor keystrokes and browser creds/traffic. Easy right? Ok, now use it in windows with defender turned on for a day and keep defender from stopping it for a week! Even better if you turn on all defender features.

I mean come on! I heard this misinformation many times before. Not once from a person whose day job is incident response. Not even once!


No, what's staggering is the number of my family members that simply cannot use their computer because it's bogged down by an AV. Also, your analogy is completely wack.


Your av sucks then...


Even a protection racket reduces crime. The trick is that it is someone else's crime.


For it to be a racket the AV vendors need to collaborate with malware authors.


Actually, I meant a "honest" protection racket that protects against actual rival gangs. The point is that replacing something bad (malware) with something bad (AV software) isn't always a gain.


Yes, I think AVs are useless now, although that didn't use to be the case.


This is one of those silly things I see only among those with just enough knowledge to shoot their own feet.

The amount of malware I see stopped by Defender alone is very significant. Just write mediocre malware and send email, 10-15% infection rate. Check out the loot the Emotet gang had accumulated when they got raided or any of the ransomware gangs.

A little learning does much harm!

Most people don't run Linux (and most Linux desktop users don't harden). I mean, I could be very lazy and make bank without AVs on Windows or Mac.

Speaking to you as someone who only discovered several serious intrusions after every layer of security was defeated except defender complained!


My 2 year old blog post has the answer to that.

http://h4labs.org/ive-got-another-stupid-idea-to-deal-with-c...

People come up with all sorts of silly ideas rather than actually addressing the real issue.

Addressing virus software will save the world exactly 0 days.

UPDATE

Coal usage is at record usage for power generation. It emits over twice as much CO2 as natural gas.

While these silly little ideas about optimizing your website to use less electricity or using a different computer language are a fun way to waste the day, all the coal we keep burning is costing us significant time.

Anything else is better. Waiting for the windmills isn't working.

Anyway, just the occasional reminder that we keep squandering valuable time and now we need a bigger miracle.

Good luck with the shaming to address the problem.

UPDATE 2

"Stop all economic growth"

No one said that. That is a right wing sound bite simply meant to add noise to the discussion.


The blog post only states that we should use gas instead of coal, so if anyone hopes for an answer to the original question you don't need to click.


"Stop all economic growth"

I disagree with doing that even in the most developed countries, I've no idea how you imagine selling that to the least developed countries. Or by force?

However, I agree we aren't really able to do enough - that there's a lot of virtue signalling so we feel a little better about ourselves - and a technological solution is what's required.


I’m sorry but this is the funniest thing ever. Wasn’t it just a few years ago we were joking that AV software is the virus? How far have we come.


In the .com era, everything was about the sale and pitch of the new .com that would storm the world with its new economy features. It was everywhere and you had to be “in”.

Not much has changed with crypto. Everyone and everything has to go “in” on crypto. Next up! Texas Calculator adds Crypto Miner “Calc-a-Coin”. Buy now or miss out!

It's just waiting for the next crash when people decide they want “out”.


When I say that I am not joking. AV software is worse than useless at its best.


Perhaps for their next trick they can improve the customer experience in a related niche with bundled ransomware.


It looks like your Norton 360 subscription has not been renewed. The contents of your disk are therefore encrypted. In order to obtain the decryption key, please submit your subscription payment within the next seven days. For your convenience, we accept Visa and Mastercard -- unlike some of our competitors that require payments only in BTC!


I could see an "encryption as a service" being added, where you can use it fine after you stop subscribing, but if you forget your info and want to recover/reset your password you need to pay ...


They'll harvest AV computer resources for DDOS attacks and give a portion of the proceeds from selling that service on the dark web to customers. It's clearly a win/win!


And to help even more customers the antivirus could spread between computers using the local network, or by emailing installers to all your contacts.


Or maybe they can automatically pay your ransom using the derpcoin wallet that you've been paying for via your power bill.


It's optimization. This malware installs more malware and lets the provider profit while the victim pays the electricity bills.


An interesting aspect that I've seen missing from discussions on this is the dark growth pattern at play here.

All across the world, there are millions of languishing enterprise/educational fleets (generally Windows) administered by a single or a few "IT folks". In my experience, these people are often the only technologically aware people in the organization. This is Norton cutting them in on the grift. Install acclaimed "Norton Antivirus", which is likely already a line item on procurements, mine crypto on the sly for yourself on idle fleets at night, and give Norton a slice of the pie while you're at it.

Nobody's likely going to look twice at Norton running on a machine, we've already collectively conditioned ourselves to think of antivirus software as "slowing the machine down", and as a bonus: unless the next person in is as up to speed as you are, your grift can keep running long after you've moved on.


It wasn’t a big thing when it was disabled by default and now it is because the default flipped?! I think this is a big issue regardless - it’s like selling a bike rack with every new car. It doesn’t seem right and enforces the wrong behavior.


More precisely, it's like selling a crypto miner with every new car. The use case overlap with a piece of security software is close to zero.


Don't give them any ideas, I can see this actually happening.


How long before one has to worry about electric car mechanics surreptitiously installing crypto mining hardware on cars?


Maybe I’m missing something, but what’s so wrong with selling a bike rack with every new car? Seems a bit silly, but I’d expect it would encourage cycling while slightly raising the price of cars which are already under priced relative to the externalities they cause.


It's more like selling a bike rack with a new car, that you have to pay $15 to the car company every time you use. The biggest issue I see is that Norton is charging their users a fee to use their own hardware to mine crypto.


The Ethereum crypto miner for many would be a reoccurring net loss (or a negative externality on the person paying for electricity).

> “Norton is pretty much amplifying energy consumption worldwide, costing their customers more in electricity use than the customer makes on the mining, yet allowing Norton to make a ton of profit,” tweeted security researcher Chris Vickery.

Which is unlike a bike rack which if enabled/purchased but never used would be a one time loss. And for someone likely to transport bikes the bike rack would probably be beneficial.

Edit: After doing some calculations for profitability with say the RTX 3070 with a hash rate of 60.5 MH/s and a power consumption of 160 W [0] at both the min and max average US state electricity prices of .1038 $/KWh and .3428 $/KWh respectively [1] is currently profitable with a return of $2.86/day and $1.94/day respectively [2] (ignoring all other costs).

So for some this would be profitable for them with a potential reduction in the lifetime of their hardware.

0: https://www.nicehash.com/blog/post/nvidia-geforce-rtx-3070-m...!

1: https://www.eia.gov/electricity/monthly/epm_table_grapher.ph...

2: https://minerstat.com/coin/ETH


It is disabled by default

> Norton Crypto is an opt-in feature only and is not enabled without user permission


Why is AV software still a thing? I’ve run my systems for 10 years without AV and never had any issue.


Because there are a lot of users who do naïve things with their computers. People visit sketchy sites, fall behind on updates and download sketchy files.

Not everyone has 1) configured their system properly and 2) has the knowledge to avoid dangerous cyber situations.


Modern operating systems (Windows has done this particularly dramatically) have made a lot of efforts to incorporate most of the obvious wins of AV software directly into the OS. I think the only real thing of value is occasionally running system-wide scans - but serious infections are getting better at hiding themselves so you'll probably only find the cheaply written ad-spyware that way.


The huge disregard for environmental issues, I suspect that Norton customers who allow this feature will see an increase in energy costs that eat into any profit they might receive from the work the mining activity


This will probably be rolled out by DevOps who enable it by default for entire companies and then collect the profits for themselves.


Also discussed a couple days ago: https://news.ycombinator.com/item?id=29795910


Holy crap. I'm assuming this company is utterly filled with sleazebags to allow something like this to actually get past the joke-at-a-brainstorming-meeting phase.


People willingly use Norton? I remember it being big years ago but haven't heard about it in years. Is it still prevalent? It sounds desperate...


Well, it's not like they have a good reputation to maintain.


I use gminer to mine ETH and the mining fee is 0.65%.

The 15% mining fee that Norton 360 is charging is a little higher than that.


God, Peter Norton must fucking HATE what his name has come to imply in software.


I can't wait until Microsoft bundle one with Windows


I think the bigger question is: do we still need AV software on Windows machines? Isn't Windows Defender good enough?


Honestly, I think more companies will do this as long as the law allows them and as long as they incentivize their customers by sharing the profits. It's sad that the massive computing power of billions of idle PCs/Macs will be used to mine something (e.g., Bitcoin) with no intrinsic value.


> Are there charges or fee associated with coin mining?

> Norton Crypto is included as part of Norton 360 subscriptions. However, there are coin mining fees as well as transaction costs to transfer Ethereum.

> The coin mining fee is currently 15% of the crypto allocated to the miner.


What I would be curious about, is how the wallets are bound to the users, are they connected to the license/subscription or when you format, if you are unaware of the AV mining, you just donate it all to Norton?


Publicly traded company with a $15b market cap folks, the mind boggles.


At this point you’re paying for malware. Do we really need antivirus software, or is there something you can set up yourself that’s just as good? (i.e. a firewall and some open-source option)


Interested in the specifics, Norton must be running their own Ethereum mining pool? Might provide a way to estimate the amount of running Norton miners out there.


Norton IS malware.


This was already discussed on HN 7 months ago [0]. I'll repeat what I said about it last time:

It's a mistake to focus on Norton in this context. The "correct" way of reading of this headline should be something like "reputable company puts an Ethereum wallet and mining software in the hands of millions of users".

Now imagine if tomorrow Microsoft decided to add a crypto wallet and mining tools to Windows, or Google to Chrome.

[0]: https://news.ycombinator.com/item?id=27379147


But for a fee. You paid for software that is letting you mine to benefit Norton, because most people's computers are not going to break even on electric cost.

If it were all that altruistic then they shouldn't need to collect 15%, give them the miner they could download for free.


> Now imagine if tomorrow Microsoft decided to add a crypto wallet and mining tools to Windows, or Google to Chrome.

People keep saying this as if crypto isn't already mainstream. Exchanges have hundreds of millions of customers. A significant portion of the world has traded crypto. And 99.99% aren't doing anything else with it but speculate.

It's not as if magically bundling a wallet on millions of machines will suddenly cause a bunch of use cases to materialize.


What exchange has 100 million users? Coinbase has 6 million users. Even the largest banks barely crack that count. For example, Bank of America only has 46 million customers.


What are you talking about? Coinbase’s about page lists “73+ million verified users”.

I never said that any single exchange has over hundred million, but rather exchanges combined have hundreds of millions.


Last stats I just saw pegged the worldwide number around 100 million. Let's be generous and say 500 million, versus 7.9 billion world pop puts you at a generous 6%, not exactly mainstream.

(pdf) https://assets.ctfassets.net/hfgyig42jimx/5u8QqK4lqjEgL506mO...

https://markets.businessinsider.com/news/currencies/crypto-u...


This is based on on-chain data. A huge number of people never actually interact with the underlying chains of the tokens they trade (which is my entire point). The article you link to notes this.

But 100m people isn’t mainstream? Coinbase has 73m (mostly American) customers itself, and undoubtedly there are many many more who know of Coinbase but aren’t customers. The Super Bowl commands fewer than 100m viewers. Crypto companies are sponsoring sports teams and stadiums. Matt Damon is doing commercials for them.

You don’t think that’s mainstream?


So there is no data for off-chain, so nobody knows?

In the world, no, 100m is not mainstream, particularly by its definition, "the ideas, attitudes, or activities that are regarded as normal or conventional; the dominant trend in opinion, fashion, or the arts." Crypto is not normal or conventional yet, traditional money is still dominant; it's more a curiosity.

You make a good argument about the Super Bowl, but parallel your first sentence - viewership was only at the time of, and doesn't account for people present or who watched at a later date (i.e., many). It's also been around for decades as part of American culture, maybe crypto will do this eventually. I don't see statistics for Coinbase by country, but 73m is their total userbase.


Brave is already doing the wallet part, analogous to "Google to Chrome". I wonder what proportion of users are actually using the wallet.


Well, formerly reputable company.


To some generous definition of reputable.


It's bold to say that this is the "correct" way of interpreting this information. I for one, think it's infuriating. Part of being the best at anything, means doing one thing, and doing it really well. With respect to cybersecurity software, to compromise this ideal at all is highly questionable. To do it to mine cryptocurrency is just ludicrous.


I'd be "No thank you Microsoft/Google/etc. Also, what do I need to do to make sure it never switches on next time there's an update?"


The next update removes your ability to turn it off.

The only correct response is "Fuck you Microsoft/Google/etc. You're expunged and I'll never trust you again."


The next PC/device you buy contains a security chip that prevents you from expunging Microsoft/Google.

After that it's, your bank doesn't allow you to log on except with an approved device with the security chip.

Then it's, your government imposes misdemeanor charges for not checking in on your COVID quarantine app (which runs only on security-chipped phones). Due to COVID restrictions, your arraignment hearing will be held on Zoom, which in its latest update, only runs on security-chipped hardware.

None of this will seem especially draconian in today's "green bubbles = breakup" society.


Honestly, I feel like the reaction would be similar.


Effectively they already have, except it's data mining that accrues only to them and continues to grow.



