
Free – good or bad?

It’s always nice to get something for free. Or is it? There really are some free lunches on the net, but what appears to be free can have a hidden price, one that is often paid by other means than money.

For a long time the Internet lacked payment models and everything on the net was truly free. This was fine on a net that was an academic tool and a playground for enthusiasts. Our Internet of today is totally different, and to a large extent business driven. But the culture of getting stuff for free on the net is deeply rooted. People are used to free stuff, or are hesitant to pay on the net for fear of fraud. This has created a lot of new business models based on free products and services, either genuinely free or with a hidden compensation. One of the important skills for today’s cybercitizens is to recognize these business models and understand the hidden risks and compensations. Read on to learn how.

Before you take the bait you should always ask yourself: Why is this thing offered for free? That’s the key question, as the vendor’s motives dictate whether the product or service is safe to use. First look for info about who made the product and why. Then try to place it in one of the categories below. Now it will be a lot easier to make an educated guess about how safe it is.


Ad-ware

A very common way to provide free products or services. Ads are shown to you and the vendor gets money from the advertisers. Be careful with ad-ware your children are using: you have no control over the ads and some content may be unsuitable. Otherwise these are mostly legit if you don’t find the ads too annoying.

User profiling

“If you don’t pay for the product, then you ARE the product.” This is taking ad-ware to the next level. Big data companies like Facebook and Google offer their services for free, but create extensive profiles of their users and utilize them for marketing purposes. This is a privacy problem as you have no control over what data they collect and how it is (mis)used. On top of that, intelligence agencies are also eager to tap into your data. If Facebook knows something about you, then NSA knows too. The problem here is that it is very hard to know what price you really pay for the “free” service. You should consider whether the privacy risk is worth taking for the value you get in return.

Hobby and ideological

Many create programs and web services for fun. Giving it away and seeing that people really use it is part of the joy. Some may also have ideological motives, like fighting corporate dominance, guarding people’s privacy or defeating net espionage. Products in this category are genuinely free and there’s no hidden compensation. The Firefox browser is an excellent example. The Linux operating system is another.

This “business model” is safe for the customer, but the products and services may not always be the safest choice technically. Providing safe software is a tough task and requires constant maintenance. Hobbyists are not always professional enough for this. In this category you will find a wide range of products with technical security ranging from excellent to very poor. It’s also futile to expect good support services in this category, unless the product has a well-working user forum that provides peer-support.

Donation financed, “begware”

This is a variant of the previous class. Some providers of free software ask for donations openly. This is like a product with a voluntary payment. A lot of people will use the product for free, but some will contribute a couple of bucks to cover the vendor’s expenses. Wikipedia is a good example. BTW, have you ever donated to them? I have and I think it’s very well spent money. The value I get in return is far greater.

Taxpayers’ money

Some free services are provided with taxpayers’ money. These are typically OK to use. Quality might vary though, as the public sector often lacks the culture of customer service and competitiveness.

Upselling or service fees

Many vendors provide a basic product or service for free, and more functionality or capacity for a price. This is a nice way to let customers try it out and decide later if they need the paid version. Sometimes the product is entirely free and the business model is based on selling support services for it. There’s nothing wrong with this business model and the products are usually OK if the vendor is trustworthy.


Bundling

Getting something for “free” when buying something else is a common marketing trick. It’s not really a free product; the pricing scheme is just set up to hide its true cost. A common example is receiving a “free” mobile phone or 4G dongle when signing up for a 2-year subscription. Hardware prices are declining and many people have a misconception that these bundled items are worth more than they really are.

Pirated content

Some content is offered to you free of charge and with no strings attached, but the distributor lacks the right to distribute it. Distributing stuff without permission is illegal practically everywhere, but your status as receiver is not as clear. Whether it is a crime to download the stuff depends on your country’s legislation. Also remember that the common peer-to-peer sharing networks, like BitTorrent, both download and share at once. It’s also common to distribute malware disguised as pirated software. The safest way is to look for the content’s original vendor or distribution point, and download it from there. Then you will learn if it really is free, and avoid the malware as an extra bonus.

Scams and malware

Malware and scams are often disguised as free offerings. Be extremely careful if you are tempted to sign up for anything that sends you “free” information as text messages. Your mobile phone number is a payment method and scammers can charge you for bogus messages sent to your mobile. It can be next to impossible to get them removed from the bill. What you think is a handy utility program may also turn out to be malicious software. If you can’t figure out why the tool is free, the real reason may be to plant malware on your computer or mobile device.

Let’s finish with a checklist for people considering using a free service or product:

  1. Find out who made it. Check if the vendor declares openly why the product is free.
  2. Check if the vendor offers paid alternatives to the free version and how they differ.
  3. Try to figure out what category the free offering belongs to.
  4. Is the vendor trustworthy? You shouldn’t use software from untrusted sources even if it’s free.
  5. Finally consider if the free offering really is what you want. Sometimes it’s a great alternative to expensive products, sometimes you pay a high hidden price just to save a couple of bucks. And sometimes the free alternatives just aren’t up to the task and you would be better off with a professionally made product. Is it really smart to save a couple of dollars and insert potentially unreliable code into the system holding all your irreplaceable content?
  6. If you still are uncertain, search for user opinions on the net. The true free gems, like Firefox and Linux, have huge user bases and you can find a lot of info about them. Be careful if you have problems finding independent opinions about a free product you consider.

Safe surfing,

More posts from this topic


This is why you need to protect your WordPress username and password

If you run a WordPress site, you know that criminals around the world would love to use it to spread malware. Last month, F-Secure Labs saw a spike in "Flash redirectors" that automatically redirect the visitor to a site with the goal of infecting them with malware, in this case the Angler exploit kit. The source was compromised websites, specifically WordPress sites.

This isn't a new find for the Labs, but what is unique is one of the tactics of the attack: seeking out WordPress usernames. Why? "After obtaining the username, the only thing that the attacker would need to figure out is the password," Patricia from The Labs explains. "The tool used by the attacker attempted around 1200 passwords before it was able to successfully login."

If you happen to have one of those passwords, bam. Your site is serving up malware, which is not only harmful to your visitors, it can cost you tons of traffic as Google delists you.

Keeping your server and plugins up to date is essential for avoiding most attacks. Beyond that, this attack points to the need to both protect your WordPress username AND always use a unique, strong password. "Furthermore, in order to defend against this kind of WordPress attack, you should not use a WordPress admin account for publishing anything," Patricia notes. You can also protect your server from enumeration attacks that discover the usernames of your bloggers. To see how to do that, visit our News from the Labs blog.

It's pretty amazing what people can figure out about you with just your login and password. But when you're running a website, which can be part or all of your livelihood, the only way to keep from handing criminals the key to your front door is to make sure your password can't be figured out by anyone but you. And turn on two-step authentication if you haven't already.

Cheers, Jason
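A defender-side illustration of the pattern Patricia describes (many failed logins followed by one success), written for this page rather than taken from the post or from F-Secure Labs: it parses a few constructed access-log lines and flags source addresses that hammered wp-login.php. It assumes the default WordPress behaviour of answering a failed login POST with a 200 (form re-rendered with an error) and a successful one with a 302 redirect; the threshold of three failures is an arbitrary value for the demo.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache/nginx common format); not real traffic.
# A failed wp-login.php POST returns 200, a successful one returns 302.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Nov/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2915
203.0.113.7 - - [26/Nov/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2915
203.0.113.7 - - [26/Nov/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2915
203.0.113.7 - - [26/Nov/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.4 - - [26/Nov/2015:10:05:00 +0000] "GET /2015/11/post-title/ HTTP/1.1" 200 8123
198.51.100.4 - - [26/Nov/2015:10:06:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Split one common-format log line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def login_stats(log_text):
    """Per source IP: counts of failed (200) and successful (302) wp-login.php POSTs."""
    stats = defaultdict(lambda: {"failed": 0, "success": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?")[0] != "/wp-login.php":
            continue
        key = "success" if rec["status"] == 302 else "failed"
        stats[rec["ip"]][key] += 1
    return dict(stats)


def find_suspects(log_text, threshold=3):
    """IPs with at least `threshold` failed logins; 'compromised' if one then succeeded."""
    suspects = {}
    for ip, s in login_stats(log_text).items():
        if s["failed"] >= threshold:
            suspects[ip] = "compromised" if s["success"] else "brute-force"
    return suspects


if __name__ == "__main__":
    for ip, verdict in find_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```

A "compromised" verdict is the case worth acting on first: a password reset and a review of what that account published since the 302.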

November 26, 2015

POLL – Is it OK for security products to collect data from your device?

We have a dilemma, and maybe you want to help us. I have written a lot about privacy and the trust relationship between users and software vendors. Users must trust the vendor to not misuse data that the software handles, but they have very poor abilities to base that trust on any facts. The vendor’s reputation is usually the most tangible thing available.

Vendors can be split into two camps based on their business model. The providers of “free” services, like Facebook and Google, must collect comprehensive data about the users to be able to run targeted marketing. The other camp, where we at F-Secure are, sells products that you pay money for. This camp does not have the need to profile users, so the privacy threats should be smaller.

But is that the whole picture? No, not really. Vendors of paid products do not have the need to profile users for marketing. But there is still a lot of data on customers’ devices that may be relevant. The devices’ technical configuration is of course relevant when prioritizing maintenance. And knowing what features actually are used helps plan future releases. And we in the security field have additional interests. The prevalence of both clean and malicious files is important, as well as patterns related to malicious attacks. Just to name a few things.

One of our primary goals is to guard your privacy. But we could on the other hand benefit from data on your device. Or to be precise, you could benefit from letting us use that data as it contributes to better protection overall. So that’s our dilemma. How to utilize this data in a way that won’t put your privacy in jeopardy? And how to maintain trust? How to convince you that data we collect really is used to improve your protection? Our policy for this is outlined here, and the anti-malware product’s data transfer is documented in detail in this document. In short, we only upload data necessary to produce the service, we focus on technical data and won’t take personal data, we use hashing of the data when feasible and we anonymize data so we can’t tell whom it came from.

The trend is clearly towards lighter devices that rely more on cloud services. Our answer to that is Security Cloud. It enables devices to off-load tasks to the cloud and benefit from data collected from the whole community. But to keep up with the threats we must develop Security Cloud constantly. And that also means that we will need more info about what happens on your device. That’s why I would like to check what your opinion about data upload is. How do you feel about Security Cloud using data from your device to improve the overall security for all users? Do you trust us when we say that we apply strict rules to the data upload to guard your privacy?

Safe surfing, Micke

November 24, 2015

One click too fast

This is the seventh in a series of posts about Cyber Defense that happened to real people in real life, costing very real money.

"If I weren’t a lawyer, I probably wouldn’t have survived today”, Kate thought, as she opened a bottle of whiskey. She had earned it. It was a hard day, a disaster. Well, not a total disaster. When she had closed down her law firm and joined Mordor, Inc., she thought she would finally get a little peace of mind… She could not have been more wrong.

* * *

[The same day, 12 hours earlier]

As every morning, she got into her white BMW slightly late and drove to work through the city streets. Caught in the traffic jam, she had time to do her makeup and swipe through some photos on Tinder. “I can't wait to add my skydiving picture and fill in my height,” she thought. “My profile is too polite and too boring. But that's going to change...”

A few days ago she had ordered a new parachute. A gift for herself for her 50th jump. It was red and went very well with her blonde hair. Unfortunately, the Tinder crowd would have to wait for the parachute picture. As usual, the Post Office was still holding up the package.

She spent the first few hours at work doing what she always did. She checked some outstanding contracts, adding comments. Her golden rule: at least one note per page to justify her existence. Then she moved on to writing proposals. This was her favorite task. She could do it quickly, using templates she had dating all the way back to law school. Copy-and-paste time. She was finishing adding a few words to the last sentence of the document when she heard that happy sound indicating that a new e-mail had arrived.

    FROM: Poczta Polska S.A.
    TO:
    SUBJECT: Order update

    Your package could not be delivered to the delivery address on October 27, 2015, because no one was at home. In order to obtain information regarding your shipment, click the link.
    You can pick up the shipment at the nearest Poczta Polska office by presenting the printed ADVICE NOTE: Your ADVICE NOTE
    WARNING! If the package is not picked up within 7 days, a storage fee will be charged. After another 7 days, the package will be sent to the warehouse in Koluszki and destroyed or auctioned under supervision of a committee.
    Kind regards, Poczta Polska.

"Damn. I should have picked the thing up," she thought. But then she remembered that a few days back the company had hired her an assistant. “Wonderful. Someone else will stand in line for me.” She forwarded the message to her assistant, adding one sentence to appropriately prioritize the matter: Yvonne, no one will hold it against you if you can’t pick it up today, but I hope you can go to the post office ASAP.

What was Yvonne to do? She set aside the invoices she'd been assigned to pay online when the accountant called in sick and clicked the link to download Kate's claim note. Because ASAP means ASAP. On the page that appeared, she immediately saw a large “View details” button. She clicked again to download the file named awizo.pdf. After saving the file on the disk, she opened it and printed the notice. She locked her computer screen just as IT had instructed her during her orientation.

What Yvonne didn't know is that she had downloaded an awizo.pdf.pif file. PIF is a very interesting extension. Even if Windows has been configured to display file extensions, the PIF extension does not show up. The icon does not look like a PDF file, but icons are constantly changing. So who knows? It was too late. Her computer was infected. The antivirus did not react because… there was no antivirus. To cut costs, Mordor Inc. had not renewed the license. The company calculated that it would be cheaper to train the employees about “bad file formats that cannot be opened under any circumstances.” Still, PDF files were allowed…

It was almost lunchtime. To get to the post office as soon as possible, Yvonne couldn't let the elevator open on each of the building's 20 floors. She pressed both the “ground floor” and “close the door” buttons and held them down for three seconds. This trick enabled “fast travel mode.” It was often used by security staff to get to the selected floor without stopping. It worked only on elevators made by OTIS, like this one.

Before the elevator got to the ground floor, malware known as VBKlip was installed on Yvonne’s computer. It worked in a very simple way. If a bank account number appeared in the infected computer's clipboard, e.g. copied from an invoice, VBKlip changed it into another one. This way the victims were oblivious to the fact that by using copy and paste they were helping online criminals rob them.

* * *

“Let me explain it again. We don’t have your package and we do not send emails to customers. This is Poczta Polska! Stamps and date-stamps are sacred! Any notice without a stamp is invalid. OK? Now, would you like to buy some Wite-Out or Exorcist Guide magazine? We also have candles”. Yvonne, who had waited in the line for 30 minutes, was not happy. But there was nothing she could do. She got back to the office and finished paying the invoices. An hour later the lights in her office suddenly turned off.

* * *

“You had a very simple task. Pay the invoices. How tough is that?” In the dark, the CEO looked more threatening than ever. “Rent. That's pretty important, in case you didn't notice. You see, Mrs. Yvonne, it's hard to work without power”. “But...” Yvonne stared, but the CEO would not let her talk. “You will now go down to the building manager’s office and convince the building manager that we didn't mean to deceive him. And promise him that this time we were willing to pay on time. And do it quickly." “But I paid all the invoices… I have confirmations here."

Yvonne logged into the bank's website. But after entering the login and password, she saw a message: her computer was likely infected. The bank had cut off access for security reasons. "Hmmm," she said. "One of the accounts I paid must have been marked as 'suspicious' by the bank."

IT came and quickly confirmed the infection. A quick phone call to the bank dispelled any doubts. The money had already gone and could not be recovered. To make matters worse, in addition to VBKlip, another Trojan had been discovered that targeted credit card numbers. Yvonne had written the company’s credit card data in a text file so she could easily paste it into other sites. The Trojan had located the file, and the credit card number had been immediately put up for sale on a carder forum. The credit limit (PLN 20,000) had been used up in just one hour to purchase electronics...

Yvonne was heartbroken. To cover all the losses, it would be PLN 75,000, out of her own pocket. With tears in her eyes, she began searching online for similar cases of theft. She wished she had found the article that warned against such attacks and explained how to safely perform money transfers earlier, before it was too late.

* * *

Kate felt partly responsible for Yvonne’s troubles. After all, she told Yvonne to print the fake mail claim. So she decided to do what lawyers do. After many phone calls to the bank, she obtained information about the accounts and banks the money went to. Another batch of calls ensured that the money was blocked on the dummy accounts. It was a matter of time before it would be returned to Mordor’s account.

She did not have much trouble recovering the funds from the credit card, either. Kate decided to use an effective, though little-known, chargeback procedure offered by banks in cooperation with payment organizations. She simply had to ask an agent to send the appropriate form, in which she would describe the circumstances of the event and indicate the fraudulent transactions on the bank statement. After several days, the money would be back in Mordor's account, but all the whiskey would be gone.

November 17, 2015