Saturday, April 26, 2008

Symantec Horror Story : "The Symantec Experience"

After a 6-month hiatus in the antivirus subscription of one of the laptops at the house, I finally decided to bite the bullet and either get the upgrade or subscribe to the antivirus updates. I was quite reluctant to do it for quite a bit (I just absolutely hate being blackmailed into buying a product), but after listening to Security Now, I finally decided that it's not worth risking a security breach of the Windows machine (btw, I'm entirely embarrassed to admit that I do own a Windows machine). My Better Half is too attached to her ICQ client (despite the million better alternatives) and a few other pieces of software that she never uses, and so far I haven't been able to convince her to switch to Linux. On the positive side, my son has been a Linux user since he was 3 years old and he's happily playing a whole bunch of nice games like SuperTux, PPRacer, and many others.

Anyway, I digress. So, I finally decided to bite the bullet and part with 50 of my hard earned dollars. So, I go to the Symantec website (I did have a trial version that came with my access point), and here my woes really started.

First, while I'm ordering the software, they try to sell me "A Service" where they'd keep my download for a year. I figured, hey, I could download it and burn it to a CD, and I don't need to shell out $10. So, I happily click on the link and download an executable, I get a setup.exe and I start it up. Lo and behold, it's not the software, it's a "Download Manager" !!! In a later part of the saga, I asked their tech support what the service is all about and whether I can store the little download manager and reinstall the software 6 months from now, and they gladly told me that I could just download the trial version and use my registration code and I'd be good. So, WHY did they recommend the "Download Service" for 10 bucks ??? Hm, first signs of fishiness start showing...

Alright, so I downloaded the software, and started it up. As I mentioned before, the download manager started doing its job and in about half an hour the whole deal was downloaded. Now, while I was waiting for half an hour for the download to finish, why not make myself useful and see if I can clean up some of the old software from the machine. At one time the Norton Internet antivirus decided that it was done downloading and it has to start installing now! Well, as bad luck would have it, at the same time I was uninstalling an older JRE version. So, Norton decides to die and tell me that it can't install while something else is installing. I said fine, continued w/ my JRE uninstall, thinking that, stupid me, I'll just restart the Download Manager and it will resume the install.

Not that easy !!! I start the setup.exe again and it just tells me that the download is finished and just closes. WHAT?!!??? Did I just pay fifty bucks for this?? I didn't exactly order a download manager, I just wanted the damn software, but hey, they're smart and decided to give me a download manager instead. Alright, that works too, but at least make sure that the download manager knows how to start the installer, puh-puh-please !

So, next action. What can I do ? Phone, internet support forum, online chat ? I decide to go with the online chat. However, Symantec decides to be fresh again ! Instead of just firing up some AJAX little gizmo to just exchange a couple of words with their technician, what do I have to do ? Of course, I have to download and install an application, that would install and register an ActiveX in my system, so that when I go into their "live chat" feature, it can look as if it is running in the web browser. Not only that, but the little piece of crappy software only happens to work in Internet Explorer !!! Is this coming from a company that is claiming that it will protect my security ? "Oh, just install this little piece of software, we're just going to chat, disregard all the security warnings about ActiveX and such". What a bunch of losers !!

So, I once again stoop to their level and download the ActiveX and install the thing. By now, I'm quite pissed, I'm running IE, allowing ActiveX garbage on my machine. I finally get to the chat page, and you'd think with the ActiveX it would be something really fancy and slick. Nope. Just a text field for me to enter my comments, and a text area for the current conversation. The crown jewel of this work of art is three radio buttons to select what the technician can do: "Nothing", "View Only" and "Full Control". You might think that a security company would be concerned and would give the users some choice to protect themselves. No such luck. The default is on "Full Control". And I thought that best practice in security would have been to give the user a choice and let them choose if someone else would poke around their machine, and worse off, I thought Symantec would have thought of that. Another level of disappointment reached !

So, I start talking to the dude (Krishnan) who takes his sweet time to answer my questions. I type in 5 things, wait for 10 minutes and only then he decides that I'm worth his attention. First, I ask him a couple of things about how disappointing the experience is so far, and then I get to the meat of things : I ask him why I can't install the product. The solution turns out to be "easy" : I just go to the Symantec site and download and run a tool (yup, an .exe), and what do you think it does ?? Ta-da !! It cleans up whatever the Download Manager downloaded so that I can start the Download Manager again and let it download for another half hour. Isn't this brilliant ?? Anybody with a brain stem would have figured this out : hey, why not include the "Download Cleanup" functionality into the Download Manager ? I mean, it's not like they shipped the product to me 6 months ago and don't have a chance to patch in this functionality : I downloaded the Download Manager 10 minutes ago !

Alright, next phase in the saga. I clean up my download, start the download again (yep, another 30 minutes down the drain) and I'm chatting w/ Krishnan about how I can leave some feedback to Symantec to help them improve their product. I could certainly just bitch about it (like I'm doing now) and let them continue having a crappy product, but hey, I decided I'll give them a shout. So, while I'm still chatting w/ the dude, I went to their feedback page (of course still in IE7) and then... IE CRASHES and BURNS !!! Now, I'd guess it wasn't just a fault of IE, for some reason it's the ActiveX that I was using (of course, this is just speculation, I was so mad I didn't go digging through logs and such). Now I'm just flipping out : I'm using IE, ActiveX running, with a product that just goes out of its way trying to prevent me from using it, after being blackmailed for fifty bucks to run a shitty OS on my sweetheart's laptop, and it just died !!!

At this point, I'm lost for words. On one side, I could go and talk to tech support again, and possibly lose another hour dealing with them, or I could just try doing it on my own. But I'm sufficiently disappointed and I really want to try and ask them if I can cancel my order. Note, I said "ask them if I can", not "tell them to cancel". So, I go back into their online chat support center (ActiveX and all), and I start talking to a new dude (hm, was it Prasad??). I explained the problem that I had and I ask him to tell me what the options are to cancel my order. I specifically told him "Don't cancel the order yet, just tell me what the options are". I give him address and order number to look up the info. Once again, Dude takes his time, no hurry for him, he's getting paid for his time. Just as I'm about to ask him what's going on, he cheerfully informs me that... I'm all set, my order is cancelled and that it might take a few days for the refund to process. WHAT ???!!?? I specifically told the dude, DON'T cancel the order. Just as I'm explaining to the dude that I didn't want to cancel the order, he disconnects and reconnects from the chat session a couple of times, not mentioning a thing about it (no sorry, I got disconnected, nothing).

So, let me recap here. I'm working in Windows, that sucks. I part with my money to fix the crummy OS and prevent it from being 0wn3d every other day, and the antivirus company tries to take my dough for a useless download service (by default), so I'm even more bummed out. Then, I try to install something that should be a total no brainer, it doesn't care about installing the software, it cares about downloading it only. Hm... I'm fuming ! Then, the security company makes me jump through 100 insecure hoops including installing ActiveX-s who want full control by default of my desktop, running executables just downloaded from the web (albeit from their site, supposedly secure), and giving full remote control to a dude I don't know sitting somewhere in India. I'm starting to flip out now !!! How many times did I give somebody a chance to r00t my machine, I wonder ? Somewhere along the way, the antivirus company's software crashes my browser, and to top it off, the customer support people just blow me off, take their sweet time in addressing my issues, and in the end just cancel the order despite the fact that I told them not to !!!!

So, I ask, WHY ? I can see that my fifty bucks are not going to break a billion dollar company (or however big it is, it is big). But is that a reason to totally dis me and let it be known that they don't care ? Is that a reason to introduce glaring security issues along the way (ActiveX, executables, giving full control to my box by default) just based on the fact that they are "the security experts" - e.g. what if someone compromised THEIR site, how many of their customers would be compromised along the way ? Is that a reason for the customer support to not pay attention to what I'm saying and disrespect me by just answering once every 5 minutes ?

Anyway, that's my story. It just blows me away that such a large industry is built on the side of a bug-ridden OS, and to make it all more perverse, the culprit of the whole situation is also in the same industry (e.g. Microsoft OneCare product charges for services that prevent attackers from exploiting bugs in the OS that Microsoft itself built). Now, wouldn't it make sense that if one bought a Microsoft product, such protection would come as a part of the OS, instead of selling you a faulty OS, and then selling you a service to fix it? It's an interesting conflict of interest : would Microsoft make more money if they fix the OS and make it less exploitable (thus losing money on Antivirus support), or would they make more money selling a crummy defect-ridden OS and then selling Antivirus products for it ?

This is the end of my story. My conclusion : I'm so glad I use Linux !! Rock on Fedora, I'm looking forward to Fedora 9 !!