so now the bad guys
can easily find out if they are on the bad guys list...
Software export controls are being applied to blacklisted people as well as countries: and these controls apply to routine security packages such as freebie antivirus scanning software, as well as more sensitive technologies, El Reg has concluded. We've come to this way of thinking after investigating why Reg reader Hasan Ali …
What gets me is that providers are continually allowing themselves off the hook with the excuse 'not our fault guv' (much as ISPs do with the internet filtering whenever anything goes tits up there too).
Enough of that bullshit. The service providers *chose* to use these lists, and they should be made to answer for any mistakes that result from that choice.
Perhaps if that happened they would be putting more awkward questions to the list providers before using their products and these frequent 'false positives' - which in turn suggest sloppiness on the part of those providing the lists - might happen less frequently.
Service providers don't "choose" to use these lists. The denied persons and denied entities lists are published by the US Government and are mandatory if you are a US company or use/sell US technology. Quite why Sophos believe they have an obligation for a basic AV program, only Sophos can say. These denied parties lists are notoriously poor quality with little to distinguish between names. So I can understand what Sophos are doing because it fulfills compliance rules issued by the US Government (similar rules apply to UK as well). But why? Anybody's guess..
Agree: technically anyone dealing with "foreigners" has to check that their customer is not on any government-published sanctions lists. The lists, however, mainly consist of names and addresses, so that's all you have to go on. The potential for false positives is huge.
@Fonant - Interesting lists.
At least the UK version has some activity details, so they could use a follow-up question that doesn't require sensitive personal information... like,
"In approximately 2005, did you run a 'basic training' camp for Al-Qaida in Pakistan?"
"We're all good, carry on with your download"
> Quite why Sophos believe they have an obligation for a basic AV program, only Sophos can say
Because they maintain an encrypted communication channel between the AV client and the Sophos update server.
There is (now) a generic exemption for medical data and for entertainment: The generic exemption doesn't cover the software I write, and it doesn't cover Sophos.
The evil-doers need to start using aliases such as Smith, MacDonald, Jones, Cameron, etc.
I've read that these sorts of screening systems also use the prehistoric 'Soundex' algorithm, which was designed for English pronunciation rules, applying it gleefully even on foreign names.
This "problem" exists because Sophos wants Mr. Ali's personal info like his name & email address. They could be in full compliance with export controls by not asking for any personal info and simply filtering by IP address of the downloader. That is what most companies do, which is why Mr. Ali never has this problem downloading from other places.
Well it's all pretty stupid. Names are hardly unique. There are multiple Charles Mannings in the small city I live in and that's hardly a common name.
The name pool for Muslim names is far smaller than for English names.
If you found John Smith on the list, which John Smith would it be? Now take that problem and multiply by a factor of 100 or so and you get the idea how hopeless a Muslim naughty-name list is.
Because of Whattaboutery?
Not only are they hating muslims, men, people with hands & internet connections, but they also apparently look like they are trying to commit identity theft..
or at the very least how dare they try to comply with legislation relating to embargoed countries and persons.. don't they realise that they should let everyone get their products and take the massive fines from not having a suitable framework in place / breaking embargoes as a good-will gesture?
I am shocked, shocked I tell you at this blatant disrespect of all that we rich running dogs in the glorious west hold holy.
One of my relatives with a WASP name was taken into a small room on the way into the U.S. because someone with the same name was on the FBI wanted list. Never mind that criminals on the FBI wanted list are local criminals: it took them an hour to decide that my relative is "not black".
Kaspersky would be an absurd AV choice though, you might as well just go with Clam AV and have done with it. My experience with V8 was that it had a much lower detection rate of threats than any other system I have used. It was also rather crap in other ways: especially in continually blocking connections to/from the print server and random devices for no reason, regardless of whitelists or even having the firewall/everything other than AV disabled.
Unsurprisingly, we are now using another product.
I'm a sophos reseller. I needed a copy of their software for a standalone machine. UK company, UK client, UK reseller, UK broadband connection.
I had to go though the page dealing with US export regs to download it.
Makes you realise it's very much back covering.
What matters (from Sophos's point of view) is not whether or not it's legal to give antivirus software to someone called Hasan Ali. What matters is whether their lawyer says it's legal. Which is subtly different - the lawyer could get into a lot of trouble if they say something is legal when it isn't, but they're unlikely to get into any trouble for claiming something 'might be problematic' when it isn't. Hence everyone 'errs on the side of caution'. And everything gets made more general and vague a few times in the interests of 'simplicity', making the eventual rules even less connected to the original law.
The same principle causes health and safety to go mad, and it needs to be better appreciated. A law should be considered faulty if it has consequences like this even if anyone reading the actual law can clearly see that, in this situation, it shouldn't apply.
I don't know if the following is the case at Sophos, but in a previous job I worked with setting up new customer relationships.. all new customers were run through checks to see if they were in massive debt / weren't paying their bills / had court injunctions against them, and yes, if they were based in a generally embargoed country (which we couldn't trade in/with without getting fined) or if they were an embargoed person (known terrorist / wanted by the ICC for war crimes, etc).
It is more likely that he shares his name with an identified miscreant, rather than that Sophos now has a filter to catch brown people.
"I strongly suspect that filtering out Muslim names is against the law, especially if the company is based in the UK."
I would be really curious what percentage of British muslims have a name that is on the list. In this case, Mr. Hasan Ali's name wasn't just on the list, it was on the list several times, so most of those (and hopefully all of them) were false positives. If there are several people with that name on the "bad guys" list, then there are probably hundreds of perfectly nice and innocent people with that name in the UK.
Especially when it seems to be very easy to get on the list and impossible to get off it (like if you know someone who has the same name as someone who knows someone who has the same name as a completely unrelated person who has been suspected of having done something wrong). And also considering that apparently there is less variation with muslim sounding names, so there are more people with same names.
"The only reason to make free AV unavailable to certain people is if the software is able to detect the government's own spywa"
No, there are many reasons, the most obvious being Sophos's lawyer being lazy and simply advising them to blanket check the lists for every product, rather than investigating whether or not the law even requires it for the free AV.
And the laws are not so much intended to keep terrorists from acquiring free AV software, but rather as a legal basis for busting companies that they catch selling high tech goodies like centrifuges (or real security software) to sanctioned entities.
Up next - terrorists changing their names to avoid blacklists.
Next week - terrorists changing their names to those of minor celebrities, journalists, aid workers, etc. to cause as much damn nuisance as possible.
Until some idiot realises that a list of names is basically USELESS for this purpose.
And, as several prominent American politicians have pointed out - an export ban on software is basically pointless as they can easily download in other ways (false names, etc.), get it from torrent sites, and there's literally NOTHING that you can do to ensure they don't get hold of it. And, pretty much, if they want to hide data they aren't going to be using off-the-shelf US software in order to do so (well, some might, but let's put those in the "Too stupid to be classed a real threat" box).
Security theatre, all over again.
The sanctions lists already try to keep up with terrorists using pseudonyms. The problem is that this merely makes false positives more likely.
But, yes, it's simply security theatre so the politicians can be seen to be doing something, when in practice there is almost nothing they can do.
We can send man to the moon.
We can have instant video conversations with people over 5,000 miles away.
But when a man with a foreign sounding name wants to download some anti-virus, people get all bitchy and say "You can't be having that"?
No wonder alien life hasn't contacted us. How will we treat ET if we can't treat our neighbours with respect?
No wonder alien life hasn't contacted us.
Maybe it has tried but the communication was blocked because the name sounded odd and 'Alpha Centauri' is clearly not a valid nationality. And imagine if they tried to visit in person. They'd do okay at an airport right up until they were asked for their passport..
"Maybe it has tried but the communication was blocked because the name sounded odd and 'Alpha Centauri' is clearly not a valid nationality. And imagine if they tried to visit in person. They'd do okay at an airport right up until they were asked for their passport.."
I just hope they didn't try to download any anti-virus software.
What would happen here in the Netherlands. Requesting someone's ID is forbidden by law, unless the requestor has a legal right to do so (I can guarantee you that software vendors do not have that right).
Their comments seem to be ambiguous at best and it feels like simple racism to me.
I assume the reason AV software is sensitive is because it can potentially detect malware planted by law enforcement. So obviously you wouldn't want any old crim getting his hands on it (rolls eyes), especially not one with a foreign-sounding name (smacks head).
Although this does pre-suppose that Sophos' AV software detects government-produced malware in the first place. Given that US and UK AV vendors don't seem to be targets for NSA/GCHQ hacking or reverse engineering, that's not so certain, of course.
Or it could just be that if the powers that be don't like you they don't want you to have any software at all. But surely even they can see the futility of that?
I wonder how it would go over if Sophos cited some obscure research that said that (insert your favorite minority here) is more likely to commit a crime and banned everyone of that ethnicity from downloading. In the USA at least, there would be people lined up with pitchforks and torches. As soon as the sensationalist media got involved, you wouldn't be able to even mention the company's name in public without getting a dirty look.
What makes this even more absurd is that in the IT community, there is a large proportion of Muslim developers and general IT workers compared to other general professions, probably second only to the medical sphere.
> "I wonder how it would go over if Sophos cited some obscure research that said that (insert your favorite minority here) is more likely to commit a crime and banned everyone of that ethnicity from downloading. In the USA at least, there would be people lined up with pitchforks and torches."
Unless the person who said it was (oh, I dunno, someone like Donald Trump, for example, just to pick a celeb/politician at random and not a company like Sophos).
Then the pitchforks might get pointed the other way, and there'd be quite a few flags being waved too...
The "Specially Designated Nationals" sanction lists are quite public, and are an interesting read. Download as a big PDF of names, or as a CSV file (warning: much duplicated data!).
Download a list of names, and pseudonyms, of people the USA don't like. If you are in the USA, you are not allowed to do business with any of these "people" or "organisations".
Filtering on just the person's name is clearly a ludicrous idea, and yet that is what is done very often.
In this particular case, "HASAN ALI" is not in the sanction list, but "ALI HASAN" is in the list as a pseudonym for a few entries.
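An added illustration, not part of any comment in this thread and not Sophos's or any vendor's screening logic: a short Python sketch of how a name-only check gets steadily looser as it moves from exact matching to word-order-insensitive matching to the Soundex coding mentioned earlier in the thread. The three rules and their ordering are assumptions; the only list entry is the "ALI HASAN" alias quoted above, and the applicant names other than "Hasan Ali" and "Charles Manning" are constructed.

```python
# Added illustration; the matching rules are assumptions, not a vendor's logic.
CODES = {ch: d for grp, d in (("BFPV", "1"), ("CGJKQSXZ", "2"), ("DT", "3"),
                              ("L", "4"), ("MN", "5"), ("R", "6")) for ch in grp}

def soundex(word):
    """American Soundex: first letter followed by three digits."""
    letters = [c for c in word.upper() if "A" <= c <= "Z"]
    if not letters:
        return ""
    out, prev = letters[0], CODES.get(letters[0], "")
    for c in letters[1:]:
        if c in "HW":              # H and W do not separate equal codes
            continue
        code = CODES.get(c, "")
        if code and code != prev:
            out += code
        prev = code                # a vowel resets prev to ""
    return (out + "000")[:4]

def tokens(name):
    return name.upper().split()

# Rules ordered from strictest to loosest.
RULES = [
    ("exact", lambda a, e: tokens(a) == tokens(e)),
    ("token-order", lambda a, e: sorted(tokens(a)) == sorted(tokens(e))),
    ("soundex", lambda a, e: sorted(map(soundex, tokens(a)))
                             == sorted(map(soundex, tokens(e)))),
]

def strictest_hit(applicant, watchlist):
    """Name of the strictest rule that flags the applicant, or None."""
    for rule_name, matches in RULES:
        if any(matches(applicant, entry) for entry in watchlist):
            return rule_name
    return None

WATCHLIST = ["ALI HASAN"]          # the alias quoted in the comment above
APPLICANTS = ["Ali Hasan", "Hasan Ali", "Hassan Aly",   # constructed inputs
              "Hogan Alloway", "Charles Manning"]

if __name__ == "__main__":
    for name in APPLICANTS:
        print(f"{name:16} -> {strictest_hit(name, WATCHLIST)}")
```

Under Soundex, "Hogan" and "Hasan" both reduce to H250 and "Alloway" and "Ali" both reduce to A400, so an unrelated English-looking name is flagged against the same entry.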
Similar but fictitious
There was an episode of Boston Legal where Denny Crane found out he was on the US no-fly list and was blocked from, well, getting on a plane. He then took the government to court because the only detail on the no-fly list was the name, not the sex age or any other identifying figures - so he took thirty other Denny Cranes with him so when the judge said "Would Denny Crane please stand" the whole room got up.
Just look at this register article to see what happens if you don't comply:
Intel fined $750,000 for software downloads
It doesn't leave a company any choice in the matter - do it or get fined.
This is what happens when your society becomes more and more litigious. Concepts of law and national borders have absolutely no impact on connected bits and bytes. And yet it is the legislators & lawyers that hold sway. They legislate and litigate away and then wash their hands of the consequences. Everyone has to comply, but in an internet-connected world, the gaping holes are so obvious as to make the whole charade ridiculous.
Sophos only care that they comply with some regulation (see comments about CNET and download.com). So long as they avoid litigation, all is well.
Step 4 is when you have to prove that you are who you say you are by showing ID such as a passport, or some other method of authenticating that you are who you say you are.
As an example, make up a name that isn't on those lists, buy a plane ticket with that name (+ a false passport number if necessary), then try to board the flight you booked without any valid ID. Bonus points if you act aggressively and try to force your way through security while shouting that your name isn't on any no-fly lists.
Some things are more secure than others.. Signing up for a GMAIL account I can give pretty much any name I want. However, if I for instance wanted to import firearms I would need a fair bit more documentation and authorisations.. (and papers that said I wouldn't sell them on to nations hostile to the country I was buying them from etc)... telling them my name is James Earnest and that I am not on the embargoed persons list wouldn't cut it.
In this case, someone has signed up for a product (antivirus, which may or may not be on the list of embargoed products, can't be bothered to check - I know encryption software used to be) using a name that he shares with an embargoed person, and as a result has been asked to prove that he is not the embargoed person before the product is released to him.
No, the Koran does not.
It does suggest killing the idolators, if they do not repent and pay the Zaggat, which when taken in context of the rest of the chapter still does not mean infidels, no matter how much US right wing Christian crazies wish it did.
If you're going to argue against anything, it helps if you make some effort to understand it first.
And James Holmes was convicted today... how many gun nuts have attacked unarmed innocents? Perhaps no free AV software is the price one pays for being an NRA member?
Personally, I prefer controls that i) are easy to apply, ii) address the actual problem iii) are effective and avoid unintended consequences.
(Anon coward because…)
I recently manually downloaded an update for our Sophos installation, and was presented with a form asking for lots of details (name, address, business type, etc). I completed it not just with false information, but with information that couldn't possibly have passed even the most cursory validation. It let me through to download it just fine.
Useless waste of time for everyone.
So Apple sold this bloke a Mac, with an operating system and access to iTunes along with other software including Virtualisation Technology so that he could run a copy of Windows 10 on it... And Microsoft let him download a 'free' version of Windows 10 so he could run it under the Virtualisation Technology provided by Oracle[?] having previously bought a copy of Windows 7 or similar from Microsoft which he was running under the Virtualisation Technology given to him by Oracle so he could upgrade it.
Then it takes Sophos to flag him as being 'suspect'. FFS.. Are Apple, Microsoft and Oracle asleep at the wheel?
Camilla Farquhar Farthington Smythe
1. My brother in law has a 'Muslim' last name. Yes, totally arabic sounding.
2. He travels through airports a lot on his business as tv editor, but a bit scruffy, sporty casual.
3. One-day beard.
He gets all kinds of look-once-over in customs. Takes 2 hours.
1. He still has a Muslim last name.
2. He is now dressed in a suit.
3. Beard neatly shaved.
He gets in right away. Barely bat an eye on him.
My sister's suggestions paid off. PREJUDICE MUCH? This is not hearsay, she actually timed 2 different travels returning home. Same flight, same day of week, through Heathrow.
Presentation is everything!
Sophos are not *trying* to do anything. No, they're almost going out of their way to *not* do it. They clearly don't give a damn about this check. It is so trivially sidestepped that even a mollusc could do it. It doesn't even represent a token attempt to comply with anything. It feels a lot more like they're sticking two fingers up at whoever is making them do this.
I tried a series of names, like Saddam Hussein, Nonny Mouse, and Sleeping Beauty, all using fake e-mail addresses from non-existent, unregistered domains. A whole batch even used the same address multiple times with different names. Every one of them let me successfully download the package (except Hasan Ali, obviously).
So who is making them do it?
Besides, who, in possession of more than two brain cells, ever puts their real name or address on a web form anyway?
Just give us your date of birth, and ID number, and your passport number, and your drivers licence number, and while you're at it, your bank details would be nice too.
Don't worry, this is not a scam, we are Sophos, just trust us, we know what we're doing.
After reading this article, I went to the Sophos website and signed up for a trial under the name "Osama Hussein" from Egypt who works for the Muslim Brotherhood. I got the download in spite of the fact that it's not just names, but apparently organisations and countries that can be denied Sophos software.
I wonder whether the whole of Iceland (country not shop) was banned from downloading their products after Iceland was declared a terrorist organisation?
To be fair to Sophos I have seen these lists passed around by email at a previous place of work (hence knowing about Iceland) and the warnings accompanying them suggest that dealing with anybody on the list without proving they are not a terrorist can end up with jail time for the employee and the CEO (or equivalent) so I tend to blame the morons in government for thinking that a name used on the internet is any kind of a way of identifying anyone.
Anyhow, back to writing articles and shagging Yvonne... ;)
I feel for the guy. I'm US (Army) vet with the first name of Tcat. (T CAT).
Every couple years Quora bounces me for not using my Real Name.
However I will say the double edge has helped me nip in the bud, trouble.
Anytime I hear "What's your real name?" I walk. Really borks a class when you're the instructor.
And yes, the outcome is not pretty. Worse is trying to run a class with an openly hostile student.