free good or bad

Free – good or bad?

It’s always nice to get something for free. Or is it? There are really some free lunches on the net. But what appears to be free can have a hidden price, which often is paid by other means than money.

Internet did for a long time lack payment models and everything on the net was truly free. This was fine on a net that was an academic tool and playground for enthusiasts. Our Internet of today is totally different, and to a large extent business driven. But the culture of getting stuff for free on the net is deeply rooted. People are used to free stuff, or are hesitant to use payment on the net in fear of fraud. This has created a lot of new business models based on free products and services. Either genuinely free or with a hidden compensation. One of the important skills for today’s cybercitizens is to recognize these business models and understand the hidden risks and compensations. Read on to learn how.

Before you take the bait you should always ask yourself: Why is this thing offered for free? That’s the key questions as the vendor’s motives dictate if the product or service is safe to use. First look for info about who made the product and why. Then try to place it in one of the categories below. Now it will be a lot easier to make an educated guess about how safe it is.


A very common way to provide free products or services. Ads are showed to you and the vendor gets money from the advertisers. Be careful with ad-ware your children are using. You have no control over the ads and some content may be unsuitable. Otherwise these are mostly legit if you don’t find the ads too annoying.

User profiling

“If you don’t pay for the product, then you ARE the product.” This is taking ad-ware to the next level. Big data companies like Facebook and Google offer their services for free, but create extensive profiles over their users and utilize them for marketing purposes. This is a privacy problem as you have no control over what data they collect and how it is (mis)used. Intelligence agencies are on top of that also eager to tap into your data. If Facebook knows something about you, then NSA knows too. The problem here is that it is very hard to know what price you really pay for the “free” service. You should consider if the privacy risk is worth taking for the value you get in return.

Hobby and ideological

Many create programs and web services for fun. Giving it away and seeing that people really use it is part of the joy. Some may also have ideological motives, like fighting corporate dominance, guarding peoples’ privacy or defeating net espionage. Products in this category are genuinely free and there’s no hidden compensation. The Firefox browser is an excellent example. The Linux operating system is another.

This “business model” is safe for the customer, but the products and services may not always be the safest choice technically. Providing safe software is a tough task and requires constant maintenance. Hobbyists are not always professional enough for this. In this category you will find a wide range of products with technical security ranging from excellent to very poor. It’s also futile to expect good support services in this category, unless the product has a well-working user forum that provides peer-support.

Donation financed, “begware”

This is a variant of the previous class. Some providers of free software ask for donations openly. This is like a product with a voluntary payment. A lot of people will use the product for free, but some will contribute a couple of bucks to cover the vendor’s expenses. Wikipedia is a good example. BTW, have you ever donated to them? I have and I think it’s very well spent money. The value I get in return is far greater.

Taxpayers’ money

Some free services are provided with tax-payers’ money. These are typically OK to use. Quality might vary tough, as the public sector often lacks the culture of customer service and competitiveness.

Upselling or service fees

Many vendors provide a basic product or service for free, and more functionality or capacity for a price. This is a nice way to let customers try it out and decide later if they need the paid version. Sometimes the product is entirely free and the business model is based on selling support services for it. There’s nothing wrong with this business model and the products are usually OK if the vendor is trustworthy.


Getting something for “free” when buying something else is a common marketing trick. It’s not really a free product, the pricing scheme is just set up to hide its true cost. A common example is receiving a “free” mobile phone or 4G-dongle when signing up for a 2-year subscription. Hardware prices are declining and many people have a misconception that these bundled items are worth more than they really are.

Pirated content

Some content is offered to you free of charge and with no strings attached, but the distributor lacks the right to distribute it. Distributing stuff without permission is illegal practically everywhere, but your status as receiver is not as clear. Whether it is a crime to download the stuff depends on your country’s legislation. Also remember that the common peer-to-peer sharing networks, like BitTorrent, both download and share at once. It’s also common to distribute malware masqueraded as pirated software. The safest way is to look for the content’s original vendor or distribution point, and download it from there. Then you will learn if it really is free, and lose the malware as an extra bonus.

Scams and malware

Malware and scams are often masqueraded as free offerings. Be extremely careful if you are tempted to sign up for anything that sends you “free” information as text messages. Your mobile phone number is a payment method and scammers can charge you for bogus messages sent to your mobile. It can be next to impossible to get them cleaned off the bill. What you think is a handy utility program may also turn out to be malicious software. If you can’t figure out why the tool is free, the real reason may be to plant malware in your computer or mobile device.

Let’s finish with a checklist for people considering using a free service or product:

  1. Find out who made it. Check if the vendor declares openly why the product is free.
  2. Check if the vendor offers paid alternatives to the free version and how they differ.
  3. Try to figure out what category the free offering belongs to.
  4. Is the vendor trustworthy? You shouldn’t use software from untrusted sources even if it’s free.
  5. Finally consider if the free offering really is what you want. Sometimes it’s a great alternative to expensive products, sometimes you pay a high hidden price just to save a couple of bucks. And sometimes the free alternatives just aren’t up to the task and you would be better off with a professionally made product. Consider if it really is smart to save a couple of dollars and insert potentially unreliable code in the system with all your irreplaceable content?
  6. If you still are uncertain, search for user opinions on the net. The true free gems, like Firefox and Linux, have huge user bases and you can find a lot of info about them. Be careful if you have problems finding independent opinions about a free product you consider.

Safe surfing,

More posts from this topic


Tricks Not Treats: The 5 Scariest Online Threats

The first known use of the term "trick or treat" was found in a November 1927 edition of Blackie, Alberta's Canada Herald: Hallowe’en provided an opportunity for real strenuous fun. No real damage was done except to the temper of some who had to hunt for wagon wheels, gates, wagons, barrels, etc., much of which decorated the front street. The youthful tormentors were at back door and front demanding edible plunder by the word “trick or treat” to which the inmates gladly responded and sent the robbers away rejoicing. "No real damage" from "youthful tormentors?" Sounds a lot like the early days of hacking. Unfortunately those days are long over. “It’s a business,” F-Secure's Chief Research Officer Mikko Hyppönen told Wired UK. “There’s a whole structure there that’s needed,” F-Secure's "Cyber Gandalf" Andy Patel told ITPRO. “An individual can’t just go in and do this now; it’s not a one man job… these are companies.” The cyber crime "industry" has raked in hundreds of millions and possibly even billions of dollars. And it does it, in general, by counting on people to make mistakes. “People do stupid stuff,” Mikko explained. “You cannot patch people.” The first step to avoiding a threat is knowing it exists. So this Halloween as you search for treats online, look out for these tricks. Ransomware F-Secure Labs has warned about malware that holds your digital files hostage to demand a ransom for most of the last decade. But it's in the last year that the threat has burst into the mainstream and become something you can't go a few weeks without hearing about it on the news. How do you avoid this trick? Keep your system software updated and run security software at all times. Make regular backups of every file that matters on your computer and never click on attachments and links in emails that you weren't expecting. Find My iPhone Scam This scam answers the question, "How can losing your iPhone get any worse?" People who use the "Find My iPhone" app have been targeted by criminals who've gotten ahold of their phones with a scam that allows the crooks to gain access to the device and -- possibly -- the owner's most intimate financial details. How do you avoid this? Check the URL before entering any confidential data. Or as Apple says, "You should never enter your Apple account information on any non-Apple website." Phishing Scams As cyber criminals have gone pro, they've gotten better at using old tactics that we thought had faded away -- like email attachments and phishing scams. Like the trick that gives crooks access to stolen iPhones, a phishing scam just tricks you into entering your private credentials into the wrong site. And it then uses those credentials to hack your email, financial accounts, etc. Checking URLs before entering data is crucial because with the explosion of photo editing software and skills, it's now easier than ever to make a fake site look real. Experts believe that one wrong click to a fake site led the chair of a major presidential campaign to expose his entire inbox to the world. Having someone else leak your password Millions and millions of passwords have been leaked in 2016, some from breaches of data that took place years ago. It might not sound scary that your Yahoo! password from 2005 is now public, except if you are still using that password today on a critical account. This is why you need to use strong, unique password for each important account. Yes, remembering all that is almost impossible. So consider using a tool like F-Secure's KEY to manage your passwords. KEY is free to use on one device. Haunted IoT devices As our homes are getting smarter by connecting almost everything to the internet, they're also getting haunted -- by cyber criminals. A botnet is a network of computers that have been hacked and "enslaved." Security expert Brian Krebs was recently hit by a monster attack on his site that he believes was powered by a botnet powered by "'Internet of Things,” (IoT) devices — routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords." What can you do? So much of this problem requires manufacturers to improve their security. But you can help by keeping every device updated with the latest software from the manufacturer and always changing your default passwords.  [Image by Daniel Lewis | Flickr]

October 21, 2016
dead end

Should We Stop Thinking of Email As Private?

When he was still working in cyber security for the Finnish government, Erka Koivunen met a NATO diplomat that there was "nothing new" about the era we now live in. Foreign envoys have always lived with the constant awareness that their private communications could be "leaked" for their enemies to exploit. "Anything that was written down could eventually be discovered," Erka, who is now an F-Secure Cyber Security Advisor, told me. "So the most sensitive conversations never took place in writing." Given the massive email leaks that have now hit the worlds of business, with the Sony hacks, and politics, with the leaks of U.S. political figures, is this how we should all start thinking? Does everyone alive in the twenty-first century have to operate like a NATO diplomat? Or a C-level executive who knows any word she types could be subpoenaed? Or the campaign chair of a presidential campaign? The answer, unfortunately, seems to be increasingly clear. "Whatever you write, you may need to defend your position in public," Erka said. Relying on an insecure medium The problems with email begin with the general insecurity of it as a means of communication. It's more like sending a postcard than sending a sealed letter, Erka explains. "As soon as the message goes out of your or your company’s systems, you lose control of it," Erka explained. "This is by far the biggest problem of the good-ole-email. Messages can be eavesdropped, altered, delayed, replayed or dropped altogether without you ever knowing." To actually spy on email as it's being transmitted generally requires legal access to telecommunications infrastructure or extraordinary technical knowhow and resources. Think law enforcement or intelligence agencies. Since these groups have a vested interest in cloaking their activities, they had little incentive to engage in the massive sort of leaking of gigabytes of private data we've seen from Wikileaks. However, we appear to be at the end of the era of "the gentleman's agreement" between countries, as cyber policy expert Mara Tam explained on a recent episode of the Risky.Biz podcast. This agreement went something like: "Gentlemen read each other's email, but they don't leak it to the public." The leaks from former CIA contractor Edward Snowden helped make the public aware of how much information the government potentially could access. But the exposure of a private individual's digital communication to the world presents a stark new reality for anyone who conducts business online. "Personal mailboxes store gigabytes’ worth of conversation history that will be a treasure trove for attackers for multiple reasons," Erka said. "There are sensitive discussions about business strategy, customers, competitors, products. There is also internal gossip, badmouthing and other damaging stuff." Activist Naomi Klein told The Intercept that "this sort of indiscriminate dump is precisely what Snowden was trying to protect us from." And we don't yet have a full sense of the potential ways this mass of data can be used against us. A competitor could use private information to tarnish someone’s reputation and hackers can mine the data to prepare for future cyber intrusions or to gain access to your other accounts through password resets. Letting the public decide what's private Leaks have already cost some executives their jobs and could swing the U.S. presidential election. But in a sense, we're all victims of this new risk to all of our privacy. "Whatever you write in an email you have to consider, are you ready for your boss, your spouse, your business partners to read it?" Erka asked. This new reality leads inevitably to the tragedy of self-censorship. Zeynep Tufekci -- a "techno-sociologist" -- ‏has been doing a running commentary on the Wikileaks revelations and is very disturbed by what she's seeing. "People gossiping in internal conversation is not a scandal—but destroying public/private boundaries will paralyze dissent, not the powerful," she tweeted. Wikileaks is releasing more documents than it could ever sift through in the hopes that the newsworthy information will be discerned by interested researchers around the world. But along with potentially relevant items, intensely private information has been revealed. "For example, a suicide attempt was publicized through Podesta indiscriminate dump (Wikileaks tweeted it out)," she noted. "Who will want to be political?" This makes the loss of email seem dire, but perhaps it speaks to a not just a flaw in the medium's security but the medium itself. "The deeper problem with email is that it has never quite settled on a social mode," The New York Times Farhad Manjoo wrote. "An email can be as formal as a legal letter or as tossed off as drive-by insult. This invites confusion." What can you do? So, should you be like that NATO diplomat content to keep all of your deepest secrets out of writing? Can you expect yourself to remove all snark and potentially offensive thoughts from your emails? Should you assume that your email box is like a box of letters in your attic, vulnerable to anyone who can get access to it? These answers are ultimately up to you and how you use -- or don't use -- email. F-Secure security advisor Sean Sullivan has found that young people he's interviewed are increasingly abandoning email as communication tool. "They only have an account -- typically Gmail -- in order to sign up for stuff," he said. If this continues, email is on its way out, whether it's private or not. For now, lawyers, doctors and other professionals with explicit legal responsibilities, email has a much more defined role that cannot be easily abandoned or circumvented. As far as your work email goes, consult your IT staff for guidance as you may be under legal obligation to preserve your data. But for your personal email, Erka suggests you have to at least be aware of how likely you are to be a target and what you can do to contain any potential damage -- besides using a strong unique password for every email account you have and only entering your account information on the secure webpage of your email provider. If you are involved in international politics, for instance, there's no question. You are a target. Hackers are either after your emails or are trying to get access to powerful people in your contacts. If you're someone with no power, no tumultuous relationships and no interest in politics, you're likely not to be on anyone's radar... yet. The problem is no one knows where you'll be in a few years and our inboxes are big enough to last a lifetime. "When everyone is using cloud-based emails like Gmail, there's no need to save space," Erka said. "That's the whole selling point of those services: Never delete anything." If you see the potential for enough damage, you many want these recent leaks as an inspiration to launch a serious spring cleaning of your personal online inboxes, including email and social media. "You may want to delete the messages you don't need and sort the stuff you do want into folders that you take off the web and can store on a secure backup," Erka suggested. Yes, you will lose the convenience of being able to search your Gmail box through a simple interface, but so will potential hackers. He also recommends sharing documents through sharing platforms and cloud services such as Sharepoint, Salesforce or Dropbox. "These links can require separate authentication upon opening and the sender can control how long it will be valid," Erka said. "If the email gets stolen and leaked years later the chances are the link will be invalid by that time." For quick conversations, Sean suggests Wickr, which offers self-destructing messages through a mobile app or a desktop client with easy encryption, something that just doesn't exist for most email. "For professionals, Wickr has a paid service which will retain messages for a legal requirement, and will then securely delete them post-requirement," he said. Regardless of policy, employers have a vested interest in moving their staff away from an over-reliance on email for more than privacy reasons. "Actual phone calls and face-to-face discussions that get out of your chair are probably more useful than email or chat threats," Sean said. "So rather than swap from one to the other – just learn to better utilize what you work with best." These leaks offer a sobering reminder that email is not secure. But, perhaps, the more important message is that it as a means of communication, it was never very smart. [Image by Alan Levine |Flickr]

October 20, 2016