Thursday, 13 March 2008

It's a kind of magic.

HackerSafe is an external vulnerability scanning service. If it were marketed as exactly that, with its limitations acknowledged, my issues with the service would be moot. The reality is different.

The issue is twofold:

  1. “HackerSafe” implies to the average user that the site is safe from hackers.
  2. It implies that no other service is required or needed. The service states that you will be compliant with PCI-DSS if you have no vulnerabilities. This is false and misleading.

The Australian Trade Practices Act 1974 (section 75AZC) mirrors legislation in many other jurisdictions and is similar to provisions in the UK, EU and US.

It states:

False or misleading representations
(1) A corporation must not, in trade or commerce, in connection with the supply or possible supply of goods or services, or in connection with the promotion by any means of the supply or use of goods or services, do any of the following:

  1. falsely represent that goods are of a particular standard, quality, value, grade, composition, style or model, or have had a particular history or particular previous use;
  2. falsely represent that services are of a particular standard, quality, value or grade;
  3. falsely represent that goods are new;
  4. falsely represent that a particular person has agreed to acquire goods or services;
  5. represent that goods or services have sponsorship, approval, performance characteristics, accessories, uses or benefits they do not have;
  6. represent that the corporation has a sponsorship, approval or affiliation it does not have;
  7. make a false or misleading representation about the price of goods or services;
  8. make a false or misleading representation about the availability of facilities for the repair of goods or of spare parts for goods;
  9. make a false or misleading representation about the place of origin of goods;
  10. make a false or misleading representation about the need for any goods or services;
  11. make a false or misleading representation about the existence, exclusion or effect of any condition, warranty, guarantee, right or remedy.

So let's look at the issues.

  1. "HackerSafe" constitutes a service under the provisions of the Act.
  2. "HackerSafe" represents that it is a service that offers 99.9% effective protection. The exact quote is "HACKER SAFE - HACKER SAFE certified sites prevent over 99.9% of hacker crime." This is a representation that the "service is of a particular standard, quality, value or grade" (see 2 above). It is false. It is a breach of the Act, and an illegal claim.
  3. "HackerSafe" represents that its service has certain performance characteristics and benefits (see 5 above). The claim is "HACKER SAFE sites are tested and certified daily to pass the Payment Card Industry (PCI) Data Security Standard requirements". This is a claim to benefits the service does not have. It is a false claim, and illegal.
  4. I could go on, but this is enough for this post.

Claim - HACKER SAFE - HACKER SAFE certified sites prevent over 99.9% of hacker crime.

False
This is a blatantly false claim. ScanAlert came into existence at a time when computer crime already existed. The claim asserts that they have single-handedly stopped 999 in every 1000 computer crimes. For that to be true, all of the following would have to hold:

  • the external scan is stopping internal attacks,
  • computer-assisted fraud has been curbed, and significantly so,
  • computer crime is on the decrease.

The US DOJ publishes statistics on crime.

The statistics do not match the claim. There is no correlation between the claim and the facts, and the claim has to be rejected at any level of statistical confidence. This is puffery at best and an outright misrepresentation at worst, and it is illegal under the Australian Trade Practices Act.

Claim - HACKER SAFE sites are tested and certified daily to pass the Payment Card Industry (PCI) Data Security Standard requirements

False

As I stated in my last post, PCI-DSS requires that a number of internal controls be in place; an external vulnerability scan is only one of its requirements. "HackerSafe" does not test internal controls, so there is a logical gap in their statement: passing the external scan cannot show that the standard's requirements are met. This is a misrepresentation at best, and a lie.

So, at the end of this, they are spreading a false belief in a secure system. They create an illusion of security. They are doing the industry a disservice. Marketing lies are still lies; there is no distinction. We may be used to puffery, but that does not excuse it.
