Maybe I’m getting too wary, but when I received a press release from something called the Internet Security Foundation, I wasn’t convinced. And I’m still not.
The email was provocative enough: The headline ran “Microsoft’s Policy Leaves Millions Open to Identity Theft; Internet Security Foundation Releases Free Protection Tool”. An explanation followed that users were vulnerable because they erroneously believed that their stored passwords in Windows were safe because they appeared in asterisks. “The truth is,” the release said, “that such passwords are not normally protected in Microsoft Windows and can be easily reviewed by using software like SeePassword (www.SeePassword.com).”
This is true. And a good point. But who is the Internet Security Foundation? The email suggested that I visit their website for more information about the foundation. I did, and all I found was one page, which was a virtual re-run of the press release. No ‘About’ page or anything, at least when I visited it. The only couple of links led to a download file, and to SeePassword, the software mentioned in the release and an external webpage which didn’t load at the time of visiting. So who are these guys, and is this for real?
I checked their whois data, which will at least tell me who registered the site. It was KMGI Corp., a New York-based advertising agency whose website design bears uses distinctive fonts — indeed the same fonts as the Internet Security Foundation. KMGI, I read elsewhere, is also a software company (although no mention is made on their website) and are the guys behind SeePassword, the software the ISF website suggests I use — “If you first need to look up any forgotten passwords, you can use SeePassword software available at www.SeePassword.com“. SeePassword, according to the PCMag article, costs $20.
Now I’m suspicious. Has KMGI set up a spurious foundation to try to sell a product? The only online references to the Internet Security Foundation I can find are in the NYT. But if you look closely at the story, there’s a correction at the bottom which corrects the reference to the organisation. “The group is the Information Security Foundation, not the Internet Security Foundation.” (If you do a Google search, such references are all to the NYT article.) So now I’m getting very suspicious. What is going on?
I tried calling the public relations number on the press release and left a message. If I get any clarification I’ll post it. But my feeling is: If this ISF is kosher, it should make clear who it is and its interest, if any, in a company that sells a product it recommends. And while pointing out the asterisk security issue is a good one, it’s not exactly a new problem. To me the whole thing smacks of promotional gimmick, rather than a clean and well-intentioned issue-raiser. But maybe I’m getting too wary.
After seeking comment from KMGI, I received this from their CEO, Alex Konanykhin. I will write in more detail about this response in a separate post:
Hi Jeremy,
After reading your reaction to our news release in your blog posting, I realized that it was a mistake to limit our Internet Security Foundation site to the discussion of the password vulnerability and not include a page on what compelled me to establish the Foundation.
I am CEO of KMGI – the detailed information and past media coverage of our company is attached. We also publish consumer software – and some of our software titles are actually discussed on our main web site http://www.kmgi.com. However, kmgi.com site concentrates on our primary business – B2B service to major corporations and ad agencies, so we also have separate B2C sites related to each software
title: http://www.eliminatespam.com,
http://www.popupbuster.net,
http://www.kmgi.com/attach/, etc.
A couple months ago, our company released a SeePassword software, which got nice reviews in a number of publications. Despite my satisfaction from brisk sales of that program, the understanding that nothing precludes criminals from harvesting people’s passwords by breaking into their computers via Internet made me very concerned. (SeePassword does not include this online harvesting functionality so that it could not be used as a hacker’s tool. SeePassword’s only purpose is to help people who forgot passwords their used on their own computers).
We researched this issue further and found that 86% of Internet users believed that the passwords hidden behind the asterisks are securely protected. As we opined in our press release, this false perception may result in criminals and terrorists unlawfully obtaining passwords of unsuspecting Internet users, gaining access to bank records, and other private information such as bank accounts. So, I urged Microsoft to fix this security hole (even thought it would kill our revenues from sales of SeePassword), but Microsoft refused to do it.
I was surprised by Microsoft’s position which leaves hundreds of millions of Windows users at risk of identity theft. So, I felt compelled to fight on – and founded the Internet Security Foundation. I allocated a significant portion of our proceeds from sales of SeePassword to informing computer users about the grave but largely unknown risk they are facing. The press release you received was the first step of this campaign which, I hope, will minimize the risks to the Internet users.
Another initiative the Foundation has financed (using the KMGI endowment) was release of a free AsteRisksT program which is available for free download for all Internet users. Distributing even free
software cannot be done without incurring cost. It costs us about 8
cents/download, so distributing 10 million copies would require $800,000
budget, which exceed the amount KMGI could donate to ISF. SeePassword is mentioned on the site of Internet Security Foundation and I do hope that the resulting sales may at least partially offset our Foundation-related expenses and allow us to donate more funds to the Foundation.
I hope you will agree that the Foundation provides free benefit to the public: not only it informs the public about the risk of identity theft, but it also provides a free software solution to eliminate that risk.
Sincerely, Alex Konanykhin
I shared Jeremy Wagstaff’s suspicions after reading the same online warning & following the links on the page. But, after reading Alex Konanykhin’s reply I’m convinced that although his motives are likely personal profit, he is also providing a public service. So, if he can benefit whilst users also benefit; no harm, no foul.
Bill Blackburn, Ukiah, California