Late nights at VB2023 featured intriguing interactions between security experts and the somewhat enigmatic world of grayware purveyors
10 Oct 2023
3 min. read
Late night at VB2023 is when the goblins come out – the carefully crafted, friendly faces that serve as lures for the industry of potentially unwanted application (PUA) vendors, sponsored- and pay-per-click application installers, and other download monetizers that together form a multibillion-dollar ecosystem. And in case you are wondering what they want, it is to persuade reputable security software vendors to ignore, and stop blocking, borderline – really borderline – creepy software. We know, because they frequently ask us to do exactly that.
But back to the late-night Novotel lobby – eventually the love turns into hate in a swing from one extreme to the other; apparently, we sometimes put dents in their business plans.
Surrounding the VB2023 conference are a smattering of ad hoc (or more organized) get-togethers aimed at legitimizing the clutch of pseudo-shady (but always allegedly reforming) software purveyors. They are desperate to soft-sell the security software vendors here on the idea that they really have reformed, and are therefore somehow worthy of being unblocked.
To sell it, they employ “compliance” staff, typically lovely, chatty folks happy to spend time under the pulsing lights in the bar until way too late, when we really should be sleeping. Drenching vendors in booze may hold some allure for the more fermentation-motivated amongst us, but not so much as to remove our brains. We’ve been at this awhile, and warning new hires about these attempts at social engineering is a time-honored tradition.
ESET is not alone in this respect; plenty of other security software vendors get the same special treatment. No one’s arguing that flattery (and fermentation, for some) isn’t a nice touch, but in the end we work for our customers, not for these PUA vendors or their shareholders. It’s our customers who pay us, and they do so in order to receive less white noise on their computing devices, not more.
More recently, the purveyors of PUAs and their friends who make money throughout this ecosystem have swarmed to form certification bodies aimed at determining more precisely just how far is too far to still be classified as clean. They believe that by creating certifications they can build goodwill and that their mark of trust will (hopefully) signal their trustworthiness to third parties. But those organizations don’t tend to agree with each other for long, let alone with outsiders, and the glue binding them tends to dissolve, forcing them to splinter. Herding cats can be as difficult as it is unrewarding.
Trust in the security industry is a long game, and one that very few PUA-aligned vendors have lived long enough to play well. It takes time and gobs of money to do security properly, and no small amount of tech talent willing to lean into the daily grind of the thankless, unsung work of keeping software working, let alone secure.
As the stakes in protecting people’s data become higher – in light of the growing volume of health records, financial transactions and basically most of what makes our daily digital and physical lives work – so too does the importance of getting security software right, erring on the side of caution. PUAs and caution aren’t often found in the same sentence.
It’s very late at night now (I wrote this on Thursday night) and the bar has finally turned down the ambient pulsing of muted techno tunes (or is that my head?) as people start to fade out into the hotel hallways to rest briefly in preparation for another (lovely) conference day. Here at London’s VB2023 it was lovely to see the people who are doing the hard work of protecting what everyone values, including ourselves. I get one final wave from the compliance staff as they fade away down the hallways. I’ll probably see them again at the next conference.
We will always have good and bad tech, and many shades of grey. The grey is the hard part.