I was just about to give up my family, job, house and friends and become a Meth Amphetamine addict. Luckily I saw this and was pursuaded not to.
A few weeks ago Chris Dixon, CEO of Siteadvisor.com, wrote an email reply to my non-user review of SiteAdvisor. His reply and my subsequent replies are printed with his permission.
Thanks for taking time to write such a thoughtful review.
Let me try to address each of the main points you raise:
#1 - "low area web coverage". Note that (as of today) we have analyzed 1.5M _sites_, not _pages_. When sites like Google say they have crawled "5 billion pages," they are using a very different metric. A site like Wikipedia, for example, is (according to our nomenclature) 1 site but has about 144 MILLION pages (you can see this by typing "site:wikipedia.org" into Google). In fact, there are far fewer than 5 billion sites in the world. See http://www.whois.sc/internet
My Reply: I have been really trying to challenge you on this issue the last couple of days, and I cant:) Its very hard to find sites that are untested, especially in Google (Yahoo seems to have more). You claim of 97% seems to really match with the experience and testing I have been running through. It's fantastic:)
#2 - data freshness - actually, we have the capacity right now to analyze millions of sites quite frequently (multiple times per month). We have algorithms that adjust the frequency we analyze a site based on its popularity, threat level, frequency of updates, etc. We think this is quite sufficient to cover most cases when sites change their practices. Also, I should point out that in many cases we don't necessarily want to re-analyze sites TOO often. If a site had spyware yesterday and today didn't, would you trust that site today? We think that a web site's reputation should, in some sense, be "sticky."
My Reply: I'm not convinced on this, but who can know how much is sufficient; the task you are undertaking is so gargantuan. Also I imagine that aspects of SiteAdvisor will emerge (I allude to these below) that are not so specifically targeted at web based malware but more in terms of capturing the "ethos" of a website. And for these aspects (site birthdate, country etc) data freshness is not a priority.
#3 - "the flacidness of protection" I suppose if you think that the problems of spyware, viruses, spam etc have already been 100% solved by existing software, you won't find much use for SiteAdvisor. I've personally been infected by spyware that none of the popular spyware removers could remove. Most experts seem to think spyware removers are not nearly 100% effective today. We think the best way to avoid many of these problems is simply to prevent them. There is a long tradition in computer security of having multiple layers of defense. We definitely recommend that users have anti-virus, spyware removers etc, but think we can add an additional, valuable layer of security. Also note that we address issues like online scams (e.g. see our most recent blog entry on freedownloadhq.com at blog.siteadvisor.com) that no existing security products (that I know of) even attempt to protect against. We will also soon be rolling out exploit protection which will add an additional layer of protection against problems like the recent WMF exploit before patches are released.
My Reply: In essence my criticism is that the threat of web-based malware is significantly less significant than from P2P, Email or Network based threats. And I think going back 2 years the evidence really supports this. (Going back 7 years - happyhippo.com etc and yes, its different) The WMF exploit turned out to be a zero threat (Is there any conclusive evidence of a payload being delivered using it?) but I agree, if it could have been exploited then SiteAdvisor would have been the most effective layer of protection until patching.
#4 - "the problem of faith." Our goal is simply to build such a good database that users' faith in us will be justified. That said, as with any security product, there are all sorts of ways the bad guys might try to beat us. We have already addressed many of these ways and plan to address many more over time. Of course, whether we succeed or not remains to be seen, but we believe we've got a very good set of plans for this.
Thanks again for your comments. I wasn't sure from your review if you had tried the product yet. If not, I'd encourage you to, and, when you do, feel free to send/post additional comments. (If you don't like SiteAdvisor, I assure you it uninstalls quite easily).
My Reply: Agreed. As said, if SiteAdvisor is successful then there will/may be people who get scammed because of it. But the majority will gain a positively proportional amount of security and safety.
I have also been thinking about some things to do with SiteAdvisor that are loosely considered points and queries. I have put these at the bottom of the email if you are interested:)
Points and Queries: The SiteAdvisor Netmap
I think the real asset you have isn't the increased security layer you can offer but rather the fact you are mapping the web in a systematic, non-commercial way and the data is available for inspection and use under cc. That's the gem. The fact that you or others can use your netmap for all manner of useful, fun or funky reasons:) Nobody else is doing that.
- Imagine if stumbleupon.com augmented your plugin so that when you do a Google any highly "stumbledupon" sites can be flagged in the list so you can choose to visit them - without having to go through the actual activity of "stumbling".
- You do Yahoo, Msn, Google searches (maybe some others?), I would love a plugin that, in say a google search, showed the corresponding rankings for sites in Yahoo or MSN.
- Linking with Whois data. People in the web industry would love to know when sites expire. Actually I guess you must link with whois data already.
- Linking with contacts data. Imagine if you spideredout various email or phone number detail from sites and listed them as clickable in the popup. I want to contact Microsoft customer support, "onmouseover" I have the number there in my window. I don't need to navigate the site, its been done for me.
- The site advisor ratings are great, but you need to be enter them on site from the browser
- A plugin for email. If I could have the SiteAdvisor pop up its icon on my webmail messages or Outlook this could prove to be the best anti spam/phising solution possible.
Open Search Engine
I always think its good if you can imagine how an application can change the world – especially one of the scope of SiteAdvisor. SiteAdvisor's netmap could be used for something that until this week I thought was not possible.
This is an open source distributed search engine that can compete with Google, Yahoo et al. You have the web spidered, that's the really hard part, in many ways, of running a search engine. Google started in dark space, because of the SiteAdvisor data the web is illuminated for analysis. Isn't that fantastic? Is this something you have considered?
Google on censoring Chinese search results.
Was it good to do or bad? Are they evil or secret saints whose mission will emerge from the mire of post-communist decay? Can I really stop using Google when they have all my mails for the last few months on there evil servers?
I dunno, but here are the key points:
- If Google refused to do this it is assumed that the Chinese’s dictatorship would just block them from
. Which would mean less information to the Chinese population. China
- Is it the job of companies to pressure governments? Isn’t that what governments should do? We (The west) trade with
China, makes our stuff, it’s the biggest growing economy. Can you really criticise Google if you yourself are tacitly supporting the Chinese dictator ship with your MP3 player and T-Shirt. China
- The main thrust of the media against Google isn’t against Google per se but against their claim to be a righteous doer of negative evil (Or “good “, as its known in some of the more “fairy” circles).
- As Google say, to paraphrase, you cannot have perfect solutions in an imperfect world.
- This guy:
These are all fascinating avenues for discussion. However, what it seems people have been over looking is that Google is also censoring the search results it provides for us – about many things CHINESE.
That is correct, Google is censoring both ways.
There are many secrets to the Chinese world, cuisine, history, culture and geography that Google is not allowed to tell us about... but the Discovery channel can and does:
How do you make 1,000 year old eggs in just an hour? What really is Tofu and why doesn't it taste like it should? What is underneath that big hill with the terracotta army standing guard? (Discovery channel was only partially certain on this one (rivers of mecrucry, yada yada)). How can a guy who is older than my dad, and looks like my gran, lift me off the ground with his forearm? (ibid. on the Discovery). How do you make trainers that cost as much in my supermarket as a bag of apples? (Not on the Discovery channel in any sense)
Today I tried the brand new Messenger 8 beta
I expect things to get better as they evolve. Animals do it. Plants do it. Computers do it. We are all spending loads on this hardware to make things faster. Its easy to be flippant about the odd megahertz but, Time is the most valuable thing in existence. It is much more valuable than space and slightly more valuable than reason. It is significantly more valuable than money.
Software should always get better.
So you you are managing an evolving system say for example MSN Messenger 8 and you are thinking "how can we make this better?" one surefire way is to make it faster. Not slower. You might not make it faster, that's not essential, but it is essential you don't make it slower.
Messenger 8 is discernibly more sluggish.It just is. Blame it on the beta or whatever, it shouldn't be like this.
So, Messenger 8, it's better. Why then is it slower? It is discern ably slower. Sluggish.
Instead of fighting spam maybe we could reprogram people to be more interested in spam;)
I just responded to a post on the pretty cool www.threadwatch.org about spam. It gave me an idea for a way we could reduce spam:
Have a system that everyone agrees to that says in essence "If you want to send more than 1000 emails you have to sign up to a scheme that costs a few hundred a year, the profits of which go to charity"
You could be really strict on the extra measures or relaxed, I dunno, but it would reduce spam at no cost to users, little cost to legit companies and great benefit to charity. Its a lot less hassle than the standard pay-per-send anti spam measure.
I just wanted to get a job of thermometers on ebay. I did a search for "thermometer" and got 1336 hits. I thought that that was way too many to browse... my search must be refined.
Ebay has many advanced search commands that can be used to redefine your search:
- Adding a minus sign, eg. "-egg", means "dont show any items that contain "egg".
- Adding qutotaion "marks around a phrase" means find exactly that phrse.
- You want to find words that start with a certain sequence of letters use an asterix, eg chin* bud*
I did some reaseacrh and I found the answer. I am not going to say how but It involved no industrial espoinage or system hacking. This is a feature not documented or mentioned anywhere. Not on Ebay nor in the rest of the world wide web. A feature not mentioned on usenet, newgroups, the blogosphere, irc, msn, aol, compuserve, icq, icq, secondlife, cnn,bbc, msnbc, email or the radio.
This is its first documentation.
The ebay command to signify that you wish to search for more than one item of any given item is to append the term with the "s" character. For examples.
It is that simple.
Using the "s" command I reduced the "thermometer" search from 1336 to just 18. Awesome.
I just read this from Chris Pirillo, heavily recommending Siteadvisor.com.
Non-User Review; www.siteadvisor.com
A non-user review is not about using the thing but about the thing itself.
What is Siteadvisor?
In essence Siteadvisor is an addition to your web browser that puts either a green, a yellow or a red icon besides sites as they appear in search engine results (or grey if it knows nothing). It looks a bit like this in google:
The icons can then be used to link to more information about the site, either as an instant popup or by visiting the Siteadvisor website.
It works in Google and Yahoo searches and probably others as well.
What's the idea?
The idea is that Siteadvisor will make your use of the Internet much safer and hassle free because you get warned of sites that pose a perceived risk before you click on that site's link.
After quite a few goes, it does show potential and the actual "interface" to the Siteadvisor database is simple and good.
How does it do it?
The people who make it have spidered and analysed large chunks of the web (1 million plus sites so far). They also claim that they have "evaluated websites covering 90% of the world's web traffic" and "downloaded and tested more than 100,000 pieces of software" as well as other measures. These are all big claims and lead to some criticisms (below).
So they have a pretty huge database of sites, and the perceived threats associated with those sites. When you do a search, the results list is augmented by the relevant icons for each website in the list.
It's a great idea.
Does it work?
I'm not convinced it is offering any significant level of security right now...... Its all about the data. Read on...
Don't get me wrong, I think the system is great and shows some huge, netuse changing, potential. But there are drawbacks, there always are. Time will tell whether these drawbacks prevent the ultimate success of the system.
Drawback 1: Low web area of coverage.
They have 90% of the most common websites and that's great. But they have only a TINY fraction of the total number of websites that actually exists. There are many billions of websites (5, the last time I looked) and they have just 1 million of them. Assuming they want to gain a more significant area of coverage then they will need an exponential increase in their "web cartography".
Drawback 2 : Inherently low data freshness.
Data freshness is a measure of how up to date an entry in a database is. In the case of search engines, if you change a detail on your website it won't be reflected in Google et al until the engines have reanalysed your site. The longer the period between actual change and the database reflection of that change, the less fresh the data.
Siteadvisor has a necessarily low data freshness because:
Not only does it need to analyse websites, it needs to analyse many additional things: software and hashes and web scripts and test email adresses and so on. And what's more, every time it wants to make a site's data fresh, it has to do this all over again.. and that's a huge task.
It takes the might of Google's advanced distributed computing power to make it function reasonably, and Google doesn't have to download and analyse all the extra bits.
Drawback 3: The flacidness of its protection?
There are some big bad threats out there on the wild web internet. Actually, there probably aren't really that many big bad threats out there. But let's assume that there are. It's more exciting that way.
For these big bad threats we use virus checkers and anti-spyware and adware removers. That's what we do. At least that's what anyone who is worried enough to install Siteaider will do. So that takes care of the bad stuff. I'm guessing a virus company is going to be updating its virus database way quicker than Siteadvisor is going to updating its web database.
What exactly is left for Siteadvisor to warn me about? It seems phishing and fraud and identity theft is what they have left to warn me about. But all of these threats are threats overcome not by comparing checksums but by not being stupid. If you really do think your long lost uncle Borris wants your paypal details so he can pay for some "lovely vases, very pricey" then I am not sure you should be online.
I don't really worry about the websites I visit, I don't think. If I were to download pirate software I would be worried, so worried I would make absolutely sure I had my virus checker up to date.
Drawback 4 : The Problem Of Faith
One might argue that, if Siteadvisor took off in a big way, it would instil a misplaced faith in its results that would be more dangerous than the lack of the system. People will be much more susceptible to phishing and other "confidence tricks" if they are told by Siteadvisor that the site is good to go.
It would be easy to do as well. You set up a safe website a month and tell Siteadvisor about it: it then gets the green flag. Subsequently you turn it into a website of the utmost evil trickery to scam anyone who visits it (Rrrrrarrrrr). On the same day as switching sites you spam the 40 million mail addresses you bought on Ebay, even though they didn't take papal. In this scenario, the greater the success and ubiquity of Siteadvisor usage the greater the risk to the individual web user.
The more you think about it the correlation between success and risk becomes apparent and serious.
I think Siteadvisor has a number of issues that may hamper its success, perhaps critically. The first three drawbacks I list can be largely solved by technology, but I can't see a solution to the 4th Drawback, the Problem of Faith.
Even assuming all 4 drawbacks are not solved, the central question is, will people be safer if they use this system? Actually I think that the majority will be. I think that there will be cases where people are less secure (whatever that really means) if they use the system, but they will be rare.
The Business Model
The business model used is the now fairly standard "normal for nothing, premium for a premium" affair. I have totally no issue with that, but I am curious to see what the premium features would be.
Maybe they will sell us the ability to view when the domain expires, or who owns it or the support email etc. Maybe it will be linked in with geographical or web traffic data.
Whatever there premium features are, Siteadvisor will need to cut the right line between:
- Making it worthwhile for enough people to upgrade.
- Not allowing the premium version to be so far superior to the free version that it devalues it completely.
They are going to need money because this is really going to cost. They need an exponential upscaling of their system's processing, bandwidth and storage to tech it through the first three drawbacks I list.
Even given my criticisms (and I am sure there are others) what Siteadvisor is trying to do is great.
This is not a system that can survive in a backwater or with a low userbase. It needs people and it needs lots of computing power at a high cost.
It's never going to be infallible. At the start I imagine it will be pretty fallible. But as use and progress increase, if it can afford to pay for the increasing technology, it could become so useful as to be essentially a part of the web.
6 Years ago in a super market in Guatemala I brought a Gillette Mach 3 razor. And since then have been a convert. Converted in a way that is unusual - the adverts really do live up to he product.
Ask any man who has moved to the GM3 (As its called in high-tech barbershops the world over) and if they tell you:
"Using the Mach 3 was not a paradigm shifting experience that redefined my own understanding of the term "close shave" and I will never use one again"
Then, they are a liar.
It is that good. Men the world over know that. Its so good that the blade are the most stolen items in supermarkets and RFID tags are being used on these first. Sales pitch over, the GM3 is the big dogs kahunas.
In our Bigger Faster Better consumer culture it wasn't going to be long before the GM3 was usurped, either by Gillette or Wilkinson Sword or maybe Superdrug own brand (hmmmm..). And so... in a fanfare of TV ads, the Gillette Mach 3 Power Nitro was released. I waited over a year before I got one.
Notwithstanding my conviction in the GM3, the 'Nitro just seemed, a con.
"Just 'coz it vibrates, it don't make it better" Is an adage my old scoutmaster used to say. I thought he was right about 'Nitro.
Today I got one in the post. It looked like an alien sex machine. Even with my scepticism about its performance, looks-wise, this baby cruised in the outer lane of the facial hair highway. I had a shave. I wont go into to much detailed or prose, even with the gentle buzzing, it was after all, just a shave.
ANd you know, It was the closest shave I have had. It was so close that I look 3 weeks younger and feel more confident around women.
As I write this coda to a blog post somewhere in cyberspace, I should feel happy. Glad that I was not conned. Content that I have one of the smoothest faces in the room (for at least the next 2 hours until the hair grows or the Avon lady calls). Satisfied that product and placement can become well acquainted. But I don't really. I feel as if I am on a plateau.
That even when they bring out the "'Nitro Nano Mach 3 Plus" in 5 years all achievements made will be facile. Yes, its closer. "Whateva".
Now its closer than it was. And before was close enough. Stop telling me I need a smoother face. I don't need closer. I need cheaper. I want blades that don't have an 800% markup. I want blades that don't cost more than an MP3 player on Ebay.
Ohhh it is nice though.....
I have just pasted this into the blogger window to send.... and I think.... I need a picture of the Nitro. So I do an image search and **** me in the *** with a **** if there isnt now the Mach 3 Fusion Power with 5 Blades!! FIVE ******* Blades.
You utter *****.