My tell-all about my encounter with “Computer Maintenance Department” was a little heavy on the jargon yesterday. It occurs to me that explaining what some of the terminology means, and the problem with their reasoning, may be helpful. I’ve also heard a few questions through various channels, and I think those are worth answering.
Why didn’t I attack them/infect them with a virus? Ethics. I discussed this with another, more experienced security professional the day before the call occurred. I really wanted to see if they would steal some data from me, so I wanted to plant an infected document on my machine–something that looked like a tax return, perhaps–that would “phone home” if they stole it and opened it. I started to run the idea by him, and he interrupted me with a three-word answer: “Never go offensive.”
Since planting something that would let me know if they stole it crossed the line, infecting them with viruses or hacking back would cross the line even further.
As good as it might make people feel to infect them with something, I think by soiling their reputation by calling attention to their practices and pointing out how poor they are, I stand to do more damage to them than I could ever do with an offensive attack anyway–without crossing any legal or ethical lines.
Why weren’t you meaner? I think I can safely call them incompetent, and scammers, because I can back up that opinion–it’s a professional opinion, but still an opinion–with my own training and experience.
Want my honest opinion? These are salespeople following a script. They have procedures that tell them just enough to pull up something that will scare people. They’re very comfortable delivering a sales pitch and very comfortable arguing with you. They are what they are–salespeople with a little bit of training but not a deep knowledge of computers. It’s possible that they believe their scripts and procedures make them good, but I don’t think they realize how incompetent they are, honestly. I’m also not convinced they realize they’re scammers. When I try to engage them in a technical argument, they very clearly give off an air that they think they know something that I don’t know.
I worked in sales briefly, myself. I was exceptionally good at selling extended warranties, but only because I believed they were better than they really were. My manager told me one thing about the warranties, and the customer service manager told her reps something different. Whether this was intentional or unintentional, I don’t know, but the end result is that I was lying, and I was a really good liar because I didn’t know I was lying.
I tell you this story because I suspect these callers are salespeople, probably paid on commission, trained to work from scripts, and may very well not even realize they’re scamming. I think their managers have managed to convince them that they are providing a good service.
Now, the one thing I won’t cut these people any slack on is their deception. If they’re providing such a great service, why do they have to be so misleading at first about who they are and where they’re calling from? “Roy” was 30 minutes into his script when I finally learned the name of the company he was working for and a working phone number. The previous night, when I had an issue that prevented the caller from connecting to my computer, I explicitly asked for a phone number and he evasively said, “I’ll call you back.”
So, here’s my question: If your service is so great, why can’t you just tell me right up front, “Hi, my name is Roy. I’m calling from techsupportangel.com. Is your computer running slow? I can help you if it is.”
Of course, the answer is because the service is, to put it way too politely, rubbish. That’s why it’s a scam. It’s a bunch of superficial work with a true value of somewhere between $25-$40, cloaked in deception and doubt.
What should a consumer expect for $175? Here’s what I would be comfortable delivering for that amount of money: I would check out the antivirus, install a competent antivirus program if needed, run a good virus scan, run a secondary virus scan (ideally with a live CD, which can’t be done remotely), run a spyware scan, install a good defragmenter such as MyDefrag and perform a thorough defragmentation, and install all of the relevant updates for the operating system and all major applications. And, depending on what I found while all of that was going on, I’d probably do one or two more things.
Or, better yet, I could do a rebuild of the system, including installing security software. That would take more time, and it’s not something you can do remotely either, but I think I probably could do that for $175 and do fine for myself. I could do two builds in a day, easily, and if you do the math, $350 a day makes for a nice yearly income. You can live on that almost anywhere.
Jargon. OK, with that out of the way, let me define some of the jargon I used yesterday.
Safe Mode. This is a special mode, intended for troubleshooting, that provides reduced functionality. The upside to it is that it almost always boots up successfully. Think of loading up just enough Windows to fix a problem. Theoretically, this reduced-functionality mode could make a virus’ life more difficult, and theoretically an infected system running in safe mode would be running fewer infected files than one in normal mode, but contrary to these callers’ claims, it does not disable all viruses.
I sometimes perform virus scans in safe mode because there will be fewer things running to interfere with the scan. But describing safe mode as something that disables all viruses just illustrates the limits of these callers’ knowledge.
Remote access. This is special software that allows someone to use your computer from afar. Years ago, I used this feature to control and maintain computer systems in Kansas, Hawaii, England, Germany, and Japan from my desk in St. Louis. There are certainly valid uses for this capability, but these callers seem to be abusing them.
Event viewer. This is a system log, where Windows records information that a technician or developer may need to analyze the system’s behavior. In my desktop support days, I spent a lot of time looking at these logs, in search of clues to figure out what was going wrong. Contrary to what these people say, some events are perfectly normal. And viruses do not write to the log, because that makes them easier to detect.
Let me repeat: A good virus does not record system events, because that would make them easier to detect. A good virus will do anything it can to escape detection, because that’s one of the things that makes it successful.
This is just a case of using something that most people have never seen, and therefore don’t understand, and using the unknown to scare people.
Like I said yesterday, most of my system events were related to me re-enabling a network card. The reason they were there was so that if the network card didn’t work, I could examine it and see what worked and what failed.
Antivirus software. This is software designed to keep undesirable software off your computer. That’s all. Now, experts disagree on just how effective antivirus software is, but the most optimistic estimate I’ve seen is that the very best antivirus software blocks about 95% of undesirable software at any given moment in time. These callers will talk trash about whatever you happen to have loaded–it’s part of their sales pitch–but realistically, the difference between the best and worst is likely to be around 10%.
Any credible security expert wants you to be running antivirus software. Any credible security expert won’t care all that much which one you’re running, because even the very worst one–and nobody agrees which one is the worst–is much better than running nothing.
Security+. A certification that requires passing a 100-question multiple-choice test in (I think) two hours. It’s a fairly low-level certification, although I know a good number of moderately experienced IT professionals who couldn’t pass it. These callers give a fair bit of misinformation that anyone with a Security+ certification would quickly jump on.
CISSP. A certification that requires passing a 250-question multiple-choice test in six hours. This is the standard by which all other security certifications are judged. The CISSP is a generalist exam, designed to prove that a practitioner knows good security practices when he or she sees them. A good practitioner can create and execute practices in at least one of the 10 areas of specialty but, as I learned in my last job search, that’s not what every employer is necessarily looking for.
It’s not a stretch at all to say that any of my employers or clients would expect me to be capable of conducting a job interview for someone who would clean viruses off remote systems. And I would not hire any of these people I’ve spoken to over the phone. And yes, you may quote me on that all you like.
Five-nines. This means that over the course of a year, a computer system was available 99.999% of the time. That means the system was unavailable no more than 5.26 minutes over the course of 365 days. In 2005 when I started running that computer system it was extremely difficult to do, and requires excellent system design and planning to achieve. It’s easier today, but when someone tells me he or she achieved it, I still extend my hand. It’s still an achievement.
CompTIA A+. This is a general computer exam, administered by the same company that administers Security+, that certifies the competency of a computer technician. Someone with this certification can do work like cleaning off a virus, putting a computer on a network, or installing Windows with minimal thought or effort.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.