The other day Steven brought to my attention a new supposed security tool along the lines of SiteAdvisor andSiteHound.

It's called Web Of Trust or WOT as they like to be refered to.

They provide ratings to all sorts of sites based on community 'reviews' from Joe Internet users who install their software and rate sites on certain criteria.

What intrigued Steven and I and also disturbed both of us to some degree was a couple of isolated comments by a 'reviewer' and a suggestion to get around red ratings:
I would hope this 'reviewer' gets his account terminated or at the very least his 'credibility' rating is severely downgraded based on that comment alone. Imagine a security site who has some of their 'reviewers' using site design as a form of criteria to determine if the site was good or not.

What exactly does design have to do with security? Beats me.

And the red rating work around: Ok, this is something which is also done on the SiteAdvisor security community. But here is the big difference. You'll notice I have been using 'reviewer' in quotes. The reason I've been doing this is because there is no rating of trust or reference to whether or not these 'reviewers' have any credence to what they are rating. So you see, you're trusting a group (which appears very small, more later on that one tho) which has no way of showing if you can be trusted in what you comment on.

Another thing I found which I didn't like in how a 'reviewers' rating\activity score was based on: Emphisis mine. So if you send 'invitations' to people you can raise your leel of trust? Don't like that at all.

SiteAdvisor has a rating for each reviewer to determine how useful the info provided by reviewer is good or not.

Ok so there is one huge flaw IMHO.

I mentioned before about the amount of actual reviewers. I mention this because while perusing random sites I noticed a curious thing. Most of the review sources were things like 'Trusted blog', 'spam list' and 'malware listing'. Ok, now one would expect that perhaps there may be links to verify these sources. Nope. Not a one. So how can you tell what this link is? No idea.

Another set of sources were popular social networking sites such as Digg, reddit, Facebook and others. So what exactly do these sites have to do with any other sites particular reference as to where or not it is safe? Good question. I'd like to know. Because as far as I can tell, all that does is show how popular that particular site maybe be, which has no real bearing on site security.

If you remove all the social networking link to comments, which btw, don't even include the link specifics for the mention, only to that sites homepage, thereby not being able to verify if it was a good mention or not, then remove all the 'trusted blog' references, which, once again, provide zero details about claimed reference, you will have most of your sites with no actual ratings at all. Even some sites that have 3,4, 5 pages of 'reviews, contain very few actual 'human' comments\reviews.

With the lack of effort put into source verification, it looks like all that was done was a quick scanning of some security site somewhere and then added with the social networking links being the easiest to collect and the most in number to give each site some 'ratings\reviews'.

So while they claim to use the 'wisdom of the crowd' to protect users, I, for one, would prefer to know that the wisdom of said crowd has some sort of specific guidelines to become a member of said crowd and thereby perhaps lend some credibility to that crowd.

With the complete lack of 'source' information to verify reviews and comments, I cannot for the life of me see how anyone can recommend this software as a trustful way to avoid bad sites.

So what's your opinion? Would you trust a security review site that had no references for said ratings they applied to sites? Just having unrated reviewers drop comments and rate sites?

With SiteAdvisor and SiteHound, we know they have huge resources to pull from. I see no such database for WOT.

There is an ongoing thread over at COU as well.

I posted here so my users would get the info.

I found WOT, shortly after it went beta. I tried it and reviewed it for my newsletter.
http://freewarewiki.com/WotPlugin

I was impressed with what they were trying to achieve. I like the theory behind it. I envisioned it as a kind of wikipedia of surfing protection.

I can't speak for how accurate it is, but as I stated in my review, I've gotten comfortable with it.

I talked with Tom about it earlier and I said:
I don't know if the WOT service is better or worse (than SA or any other) ... it's an alternative. I did try it, and it did keep me out of bad sites.
It also works in email.

I see no reason to stop recommending it. The worst it could do is recommend that you don't visit a site that is not bad.

I saw the thread at COU and the people at WOT appear to be participating in the conversation. That's usually a good sign.

The WOT service is in it's infancy, I expect it to improve. Any criticism will surely help. I'm sure the COU thread has given them some things to think about.

Well I'm kind of surprised that you would recommend this to your readers Clif.

It's kind of like telling them install some no name anti-virus that you can't tell if they're accurate or not or if they'll get infected.

Would you just use any other app you could not verify what it was doing or how well it was doing it? Or at least get some reference point of how they come about the info they post in regards to rating sites. I'm not sure you would.

Lets hope these guys are listening to someone to implement changes which would give the tool some sort of references to where they cull their info from, because for all we know, they're just guessing.

And I'll certainly continue to recommend users stay away from the app until they do.

Lets see how they reply to that thread.

I'll be hitting their 50 worst sites later on tonite. See the list here.

Ok, well after looking at that list linked to above I decided not to waste time on them, most are relatively well known malware sites, some so old I can't really fathom why they're even on the list.

How dangerous is the coolwebsearch site? It's not. Granted, maybe all their affiliates are low life scumbags, but that actual site is not dangerous by any stretch.

But that's just another point in my ramblings about how they rate sites and what info the ratings are based on.

I found something else tonite which I need to get more info on as it relates to the latest blog entry by WOT, about a bunch of web stats about adult sites.

I hope to be able to get another party to review the info and confirm what I am thinking.

Hi TeMerc,
I'm not surprised that the list of "50 Most Dangerous Sites" has some sites that have disappeared, etc. That study was done in January, so on Internet time it's ancient! The "Internet's Red Light District" study is more current having been done this past March to May. I was on vacation 2 weeks ago and the guys here were still going through porn sites manually verifying the accuracy. (eew! I'm glad I wasn't around for that.) You might feel the same if you go trolling the web for those sites.

I wanted to address the trusted sources concern. One reason we don't put links to sources is that they may die quickly. Not all blog links necessarily die soon, but links on some of the other sources definitely might. Most of our sources just aren't really significant enough to deserve a mention. After much thought in the past, the conclusion was made that revealing the sources wouldn't help our credibility, because people who see the references have no idea how much they actually affect the ratings. A link on "a trusted blog" might not have any effect on the rating if we have enough user ratings. Like individual users, we assign a reputation for each source, so some are more reliable than others.

We are always on the lookout for new trusted sources, and on occasion a WOT member has made a good recommendation. Would you be willing to share which sources you'd like to see us use? We can add data from any number of sources combined with information from users and other sources to end up with a rating and a confidence value that tell you the reputation.

Best regards,
Deborah
http://www.mywot.com

Well to be honest sites will come and go, so that's why I decided it wasn't much of any use to run thru the list.

I actually do just that, searching for new bits of malware and bad sites dispensing said malware and cultivating them to a central forum where all of the major security teams have access to. I just have my browser set to not display images and animations.
Any half decent security resource is going to maintain their information in some fashion because this information is very well needed to keep a history of sites which switch themselves on or off via fast flux operation or just to throw researchers off the scent.

Without keeping at the very least a cached version of this info I wonder how you can maintain any level of trust of any site over time, beyond what your users rate.

I'd like to see what sites you reference for all you list. I've only seen one reference to any security site at all, and that's Phishtank. What other security sites or lists do you use?

This would go a long way in determining validity on why a site is rated.

Ok, well the other nite while I was researching your report I came upon some stats which eerily mirror yours.

From here:
Internet Pornography Statistics

• Pornographic websites 4.2 million (12% of total websites)
• Average age of first Internet exposure to pornography 11 years old
• Pornographic pages 420 million
• Received unwanted exposure to sexual material 34%

With exception of the phishing and malware one, which can partially be attributed to a recent Gartner report:
http://www.gartner.com/it/page.jsp?id=565125

Btw I sent an email to them asking when that page was posted.

They also make note of where they got some of their stats and mention the accuracy of them and I don't see WOT or their 'backers' listed.: Sources:

Can you comment on how stats which appear to be from 2006 on their site and your report which as you stated above are from 2008 are nearly identical to yours? Or perhaps they snagged them from you? If so, they neglected to list you as a source along with the other 30 odd references.

I'm sure this is something you'll want to clear up promptly.

Good morning TeMerc,
I got the stats from
http://www.familysafemedia.com/pornogra ... stics.html (which got them from the Internet Filter Review) and http://www.netnanny.com/learn_center/article/102. In our press release we called them Supporting Statistics. It's expected that any journalist who would choose to write a story would double check these facts, and perhaps even dig up more current ones. The actual study was done on websites from our reputation database and additional ones that our crawler, specifically made to ferret out new ones with adult content, had been working on for months.

Our database contains tens of gigabytes of data and it's updated constantly as more data comes in from users and other sources. Remember, we don't just have ratings for bad sites, we have ratings for good sites too.

I have enjoyed talking with you TeMerc. You are a sharp critic, but alas, my attention needs to go somewhere else. I am glad we are on the same side of the Internet Security battle, even if we are not exactly fighting on the same team.

Best regards,
Deborah
http://www.mywot.com/

So after months of your crawler doing all this research the best it could do was find 2 year old stats? Are there no fresher studies which have been done?

Well, at least you provided some links for references, which is good. But on the other hand, you say your crawler was

If this was my study I'd certainly have been looking for something that was recently found. After all, like you said in your other post: So two years is like 50 light years then.
While that sounds impressive, presenting two year old results does not make it a very relative study, as we both know how ancient that data is(by your own admission of time online) and the likelihood of it still being correct is low.

I'd love to find out if any newer studies have been done and will search on my own to find out if there are. Except I won't be using a crawler with complex algorithms.

I wish I could say I've enjoyed my time, but it has not been all that joyous. Imagine my dismay at a new security group joining to keep the Net safe but missing the point entirely by first saying they did research in one year, yet presenting info that is actually two years old, that they didn't even do themselves after bragging about their vast amount of data.

It's been sometime since I was so disappointed with a security vendors efforts.

Good luck with your venture.

Look to this thread over the coming days or perhaps weeks, with any new stats I find.

I voted but forgot to post a reply.
Since they are using good database - Phistank, and so far I'm seeing bad site and rogue sites that need to be blocked or marked as red is being done great and fast by WOT, my vote went to "Yes".

Other tool like that do not have many sources when they started so I see no problem if WOT have few sources for now. If they will add more sources or database then that's great.

Others have automated scanners and it's been years but until now the search result and rating is 'green'.

This products have their own bugs, failure, issues and flaws. If the vendors are willing to fix and improve, that's great.

Thanks for the poll Tom!

Thanks for dropping in Donna, appreciate it.

I have to say I find it odd that everyone more or less agrees with me about WOT needing to add source links with data to back up they're ratings but still recommend the product.

I'm not getting that. It all goes back to the analogy I gave. Why trust something that can't be verified?

If they get that part figured out it'd be great. I wouldn't have nearly as much of a problem with the tool at all.

Altho that research paper they did is still a little shaky. I found those stats and they may very well be the latest available(I'm still looking), but why didn't they list the sources originally like the other sites I found, and not later after I pointed it out? Too odd for me.

Should be interesting to see what pans out.

I think if you like to verify their sources, you need to request to WOT team but as far as I can see, they were "open" already on how where their database or sources came and coming from:
1. Phishtank: http://www.phishtank.com/blog/2006/11/1 ... tank-data/
http://www.phishtank.com/friends.php
2. WOT user ratings
3. Other sources: They mention on the site's scoreboard the sources e.g. malware listing, digg, wikipedia, blog etc.
I think though that it's not needed for WOT to include those 'other sources' because it's going to be hard for WOT users to scroll on many pages for 1 scoreboad to view the 'human' comment. And like I said in CoU discussion, this is an issue that I hope WOT team will consider removing. Adding the "other sources" in scoreboard is not necessary because raters or reviewers prefer to see 'raters' not other sources.
I find also though that even though they have these other sources in a scoreboard, the rating is correct.



hhmm I re-read the said press release http://www.mywot.com/en/press/wot-study ... t-district
It says:


The above, if I understand correctly is their own stat report which derived from their own database which is called "reputation database" using their WOT add-on for FF and IE.
I think if you are questioning that 'study' by them... you need to request to WOT some documents or database report whether there's really 19 millions sites that WOT users have been rated.

But then I see you mentioned in your earlier post that Deborah of mywot.com addressed the following:

If you are questioning the above, I think they did not claim in their press release that the above stats is theirs but "supporting" which means to me, not their study but will support their own findings, where they said 19 million sites were covered from their reputation database.

If they missed the part in adding where they got that supporting stats, I think that's normal Tom. I mean, there are some company who releases information but some information is not published unless requested to them via email or any type of communication that they gave.
It's good though that they now have it in the press release but again, I don't find it necessary unless they don't have permission from the said sources (familysafemedia, netnanny). If they have permission to share the info and they have agreement to show or not.. that's their 'deal'.
If they missed it only... then you've helped them because you pointed something out but again, for some... such info is not necessary or required because we don't know what is their 'permission' (whether they were given the permission to mention it or not without mentioning the sources of the supporting stats).

I prefer to use TrendProtect from Trend Micro, Mindblower!

I have been using WOT for a short while.
As with all things, it has both positive and negative aspects.

The 'wisdom of crowds' aspect is useful, but it would be folly to
use it as a dominant algorithm.

http://blog.brandingfire.com/2008/02/05 ... roupthink/
http://www.gutenberg.org/etext/24518

At the other end of the spectrum the 'fuehrerprinzip' has its own problems
- 'follow my leader' can be a defective algorithm - just ask the lemmings.

I thought I'd add this, re webs of trust:

Quoted from:
http://blog.washingtonpost.com/security ... mer_s.html

Wow, thanks for dropping those links. They bring some new angles to the conversation which are very interesting and spot on.

Yeah, I fully expect WOT to improve on it's mission and threads like these are always helpful in directing the developers to fine tune their applications.

They're already made one improvement by beginning to use hpHosts as a source of verification for rating sites as different categories of mischievous activities.

Seeing as the team over at WOT have not bothered to make any sort of 'official' announcement, here is a thread over at hpHosts forum about it.

hpHosts is also listed on their friends page

One would think this would be worthy of some mention, especially since it goes towards a much needed goal of resource verification beyond the wonderful algorithm. but hey, maybe it's just me...and Steven.

Even tho WOT now uses hpHosts as a 'source', they only use the RSS feed, which means:
As often as Steven validates the db I'm left to wonder how much value the feed offers to users.

I don't see much point in offering info which isn't properly updated. It's like creating an anti-spyware tool and only making additions, but never adjusting\removing threats if they no longer are as such.

And come on, what sort of company is worried about bandwidth? Are they on some shoe string budget or does the infamous algorithm suck it all up?

So there you are, a security vendor who uses some third party sources to supply security advice\ratings to be included in your product. Now, one would think that you would want said third party vendors to have something to offer which would aid in your product to be the best it can be.

Cost effectiveness can be one item, tho this is not always the case nor need it be.

Dependability comes to mind. What good is something if you can't rely on it? Not much.

Then there is always a matter of trust, which when it comes right down to it, trumps the other two. If you can't trust them or the service\product they offer, what's the point? In the end the one that suffers most is the end user.

Imagine now if you read the following, about a third party vendor, or rather all third party vendors who supply services to another product: WOT Forums
If you don't think they're reliable, why the hell are you using them? What sort of business uses resources\products\services it does not trust as reliable?

Can you imagine if McAfee, Symantec or any other security vendor said that about someone who provided them such service?

Symantec just bought PCTools, do you think they trust them enough to improve the reliability of their product line? Ya, you betcha.

Did AVG trust Exploit Labs when they bought them out, with their LinkScanner tech? I'm sure they did.

Oh sure, maybe in this case there is no money exchanging hands, but to me at least, the trust has a price on it that can't be calculated.

So, someone tell me how any security minded person can recommend a security tool from a company who gets something that is aided by third party vendors, when said security vendor does not trust the service it is geting from that third party?

Beats me.

On a side note, WOT was recently granted admission to ASAP organization. I don't have to tell you how I voted, do I?

.

I'm sorry, but if you use a third party source for a product\service you supply to people, a), you're an idiot if you use them and don't think they are fully reliable and b), you're a bigger idiot to admit such in an open forum.

Greetings Tom,

So, the folks running WOT are idiots? I'd expect to see threads like that in alt.comp, I didn't expect it here.

I think I said some of this earlier. I've used the WOT service and I have no beefs with how they collect or use their data. Maybe I don't care as much about methods as I do results. How can it hurt if I temporarily get blocked from a site that isn't bad? If they happen to miss a site that is bad and I get through, how is that any worse than any other app? No single app or service is perfect at blocking everything and I'd argue that WOT would be better than not using anything. I feel that it would be a decent recommendation for those who have no search filtering and are more or less net newbies. I also recommend SiteAdvisor and TrendProtect. Maybe WOT isn't as good as those two? I'd say running any one of those three is a step to safer surfing.

You have argued well and detailed all the reasons why you don't care for this service. What would you have people use instead?

Currently I'm only using OpenDNS and Scandoo search for a minimal hit to my system resources. Neither of those required an installation or a browser plugin. I've never spent much time keeping my hosts files updated with a service like hpHosts. I like stuff that is "set it and forget it". Sorry Mystery ;-)

This is good thread with lots of meat in it. Keep up the great work, I appreciate it and I wish more people knew about the stuff you do to help.

Answer me this Clif, can you tell me that you would ask me for advice on security if you thought I wasn't reliable? I would hope not. I would hope that anyone who does not think I'm reliable would have the common sense to find a source they would feel was reliable.

I get about 120 different feeds in my reader to supply me with info about any number of different topics related to security. If I didn't think every one of those were reliable, I'd drop them as a source in a second.

All the websites I frequent for malware help, sources of infections and tools made by people to help...every single one of them I consider totally reliable. How can I have any credibility if I can't trust my sources, regardless of what that source it? I can't. I expect the same from my software. Regardless of what type of software it is. but especially security software. It's at the heart of what I do and who I am as a person who puts himself out to the Joe Net users.

There are several threads in this forum where I've dropped recommending vendors for a whole lot less than reliability, but other issues I thought were just as important. Dropped them as affiliates too. And I'd have done that regardless of how many sales I'd gotten. Which, btw, is zero on all vendors you find on my recommended software pages.

If I didn't think an application was reliable, or a source I get my info on malware sites, infections and the like I'd move on to another source. Sometimes sites just can't keep up for whatever reasons. I stop visiting those sites or curtail my visits.

But you'd never hear me say 'xyz site or software is unreliable' or any such thing while I'm recommending it. I think the common term for that is 'talking out both sides of your '.

Open DNS is a good thing, as long as you don't want anything to censor your surfing, which I think they do by default, not 100% sure tho. I'm also unfamiliar with how quickly their lists are updated as it pertains to malware sorts of sites.

I recommend it for parents who have kids and who worry about them getting to the 'adult' type sites.

As for what you should use, this really depends more on how smart you surf than anything else. Surf with your head and you don't need much, just basics.

I stopped using any sort anti-spyware scanner a long time ago. I've got hpHosts, SpywareBlaster, Scotty on patrol, SA, which I use more for search site reliability than malware and firewall and av.

Hope that helps to explain what I've been ranting about.

This is fast becoming a way to get yourself infected.

These days almost every layer of security, save the firewall, needs constant updating to try to stay abreast of the latest threats.

But you likely surf smart and this saves you. Everyone else out there, get into your security tools to see how they work, don't set it and forget it.

Hi Tom,

I never questioned your reasons or your expertise. You have your reasons for not liking WOT. My biggest concern is how you protect people who have no interest in digging into security tools to find out how they work? By "set it and forget it", I simply mean that these applications should always work, always be up to date with no intervention. You mentioned SiteAdvisor, is that what you'd like to see people use for search filtering?

You and most contributors here can spot a scam coming. The vast majority of surfers can't. Recently you helped me clean up after my friend's teen-aged boy. He got fooled by the fake warnings at a website and installed Antispyware 2008 (nasty!). How can I keep him from doing that again?

All the big AV vendors have entire Suites that they advertise will give you "easy" protection. What do you feel are good free alternatives to having to lay out good money for a suite? I'd like to see stuff any newb can use without having to run weekly scans or manual updates. You and I both know that often people simply won't take time to run those scans or updates. Many don't even want to learn about why they get infected. I've seen this happen way too often to family and friends.

FYI: OpenDNS offers a few settings on what to block and lots of opportunity to fine tune it.
Here's a shot of my settings page there.
http://img295.imageshack.us/img295/1868 ... 029af0.png

You missed my point Clif. I wasn't implying you don't trust me or think I'm unreliable. I was getting to that if you did think I was, I'm quite sure you'd not be coming back here.

'Set it & forget it' is a thing of the past and users need to begin to understand that. In order for security tools to try and keep up, they need to be updated regularly, best case scenario being more than one time a day. Threats evolve too fast for a security tool to keep up.

Most avs will update at least once per day, some several times. If you check COU you can tell when there are more than one update as it will have a (2) or (3) next to it. Alot of the free stuff may not update as frequently tho and this could leave users exposed to threats that change regularly, sometimes several times per day. And I won't even get into Storm and FastFlux because that's like playing whack a mole with a putty knife on a football field.

I think that is it's strongest point. For malware they need to step up their reaction time to adjusting ratings for sites, there is no doubt they have much to go in that dept. Don't forget, it's one part of a layered security set up and can't be relied on to catch everything.

Couple of things here; firstly you almost can't keep up with the new sites\rogues that get spewn out every day. Check this forum and you'll see that many sites are added every day to the Zlob\Smitfraud\Rogues thread. And that's excluding the separate threads I post such as when DDanchev posts a 20 or 30 sites he's just found.

Secondly, you can't 'unteach' social engineering. People are not disciplined for the most part and that's where they get burned.

You've mentioned that you don't like to mess with HOSTs file, well that's one way to avoid those. But even then, they're only as good as they get updated. Steven is constantly, every single day adding sites and validating sites so that when he puts an update out, everything is as current as that very day. His validation process is listed here

They call it easy because most of them will update many times and quietly too. They usually have everything wrapped into one big package but very few of these will perform outstandingly, but I'm sure they are improving. I've not seen anything recently to suggest this tho.

You see, based on that, you're not nearly secure as you can be. And partially because they make the assumption that all adult content is harmful and it isn't. They lump it into 3 categories and yet I don't see anything there for malware\spyware.

Phishing sites go up and down in the blink of an eye or worse still, fast flux, so from one hour to the next, each site may be off or on or not delivering payload.

This is why I don't have any phishing filters employed by either IE7 or anything else I use. Wanna be sure you don't ever get phished? Don't ever click on any link from any institution no matter what. Same goes for social networking sites. You have a bookmark for the one(s) you're using, why would you assume one would pop up out of thin air or via an email?

Social engineering is a phishers dream. People are generally stupid and you can't protect against that.

It seems that no matter how often people are told, they always let their curiosity get the better of them.

If users made the 'Delete' button the most frequently used key on the keyboard, there'd be alot less infections floating around.

It's no wonder it's an uphill battle and the scammers are making so much money.