McAfee.com sleeps through its nightmare scenario

About ten years ago, I met with the then CIO of McAfee.com, Doug Cavit (who later joined Microsoft as chief security strategist). The thing that most kept him awake at night, he told me then, was the risk of a third party piggy-backing onto McAfee's own trusted access into its customers' PCs.

As a long-term customer of the McAfee.com service and a big fan of automated updates delivered over the Web, I've often thought about that conversation. The quid-pro-quo for the convenience of having McAfee, Microsoft, Adobe and others automatically keeping our PC software up-to-date while we sleep is that we tacitly give them absolute power to mess with our machines. It's a heavy responsibility — we expect them to act swiftly to keep our devices protected against new threats as they arise, but always to do so without introducing surreptitious trojans or inadvertent bugs. Few of us realize just how complex and onerous a burden that is, and while Cavit clearly took it seriously, his successors let their guard slip badly yesterday.

When I first encountered the problem for myself yesterday, I thought it was down to a hard disk fault on my ageing laptop — or perhaps something my young son had unwittingly triggered in his eagerness to drive up his score at a newly discovered online math site. For whatever reason, the machine had rebooted without the use of any of its network capabilities. None of the network device drivers seemed to be accessible anymore.

Fortunately I have access to a second, newer laptop (my wife's) that runs Windows 7 and thus was still functioning. I quickly found Ed Bott's story about McAfee's huge mishap and recognised the symptoms I had experienced — except that my account is a consumer account, not a corporate one, so the problem seems more widespread than some of the coverage has been suggesting (here's another UK consumer who was similarly affected yesterday).

The nightmare for McAfee.com is that disabling network connectivity is the worst possible thing for a remote automated update system to do, as it renders itself instantly useless. Whatever the fix turns out to be, it can't be remotely implemented because the network access is down. This is an especially big problem for McAfee if it is affecting large numbers of consumers (the company says less than half of one percent of corporate customers and an even smaller proportion of its consumer customer base, but that's still a lot of individuals). The only way to resolve the problem is to download a fix, manually transfer it using a USB stick or similar, then run it on the affected machine and hope that it works. That's a hassle for the sysadmins at affected corporate customers — including hospitals, police authorities and others — but at least they're qualified computer technicians. For the average joe public punter, there's a good chance of making the problem worse when trying to fix it.

I haven't tried it yet, but from what I've read, the fix is rather daunting if you don't know what you're doing. Nor is McAfee pulling out all the stops to help afflicted customers, to judge by its website, which as at the time of writing has no special alerts or links on the home page that explain how to deal with the problem. In fact, the only way I know there's a fix is from reading the third-party coverage. After long hunting on the company's website, I found this blog entry with a link to an advice page for affected consumers that, believe it or not, tells me to have my computer update itself automatically. How that's supposed to work without any network access is beyond my comprehension.

One thing I'm picking up from that coverage is that McAfee is pretty much a spent force, especially in the consumer PC protection market, and I shouldn't be relying on the company to keep my PC safe anyway. What astonishes me is that it's still doing absolutely nothing to regain my trust. What I need right now is a nice, reassuring panic button on the company's home page that I can press and find out exactly what I need to do next to get my computer back up and running. But 24 hours after the problem occurred, there's still nothing there at all. First the company trashes my PC, and now it's happy to sit there and let its reputation get trashed without even lifting a finger to save itself.

UPDATE [added 9:05am PT]: I've now got my PC back in operation after following the straightforward instructions on this McAfee.com page. The company should put a clear link to these instructions on its home page to help other home users who are similarly affected before its reputation goes completely down the pan — and to push the scareware hackers out of the Google results pages that come up when searching for solutions to this problem.