Microsoft gives adware pusher an MVP award

Microsoft gives adware pusher an MVP award

Summary: Since when did the criteria for being named a Microsoft MVP include pushing adware, spyware, and malware? That's what a couple of longtime MVPs want to know after seeing a controversial software developer receive official recognition from Microsoft despite longstanding complaints about his product.

SHARE:
TOPICS: Security
34

Update 7-Oct 2:30 PDT: In the Talkback section below, Microsoft MVP Carey Frisch reports:

Mr. Paciullo's MVP Award has been revoked. Once the MVP program learned and investigated the extent of the connection, they took action today (Oct 7th) to revoke the MVP Award from Mr. Cyril Paciullo. The vital importance of maintaining the integrity and confidence of the MVP Award was paramount in making the decision.

Around this time every year, Microsoft publishes its new list of Most Valuable Professionals (MVPs). MVPs are unpaid volunteers, not Microsoft employees, and the official criteria for being named an MVP are based on their willingness to participate in technical and product communities.

So how did a guy whose primary business involves installing adware become an MVP? That's what Christopher Boyd, a Microsoft Security MVP better known as Paperghost wants to know:

Well, step right up Patchou AKA Cyril Paciullo, creator of Messenger Plus! I first heard about this while stopping over at his website, and was surprised to find him lurking in the Windows Live Developer section on the MVP site. That's him, down at the bottom of the page.

For anyone who doesn't know about the controversy surrounding this program, its an add-on for Windows Messenger / Live / whatever they're calling it this week. Problem is, it comes bundled with LOP, a major source of annoyance and anger for web-users since, oh, ages ago. Yeah, it now gives you an option as to whether you want to install it or not - but that's hardly the point, is it?

Boyd isn't the only MVP who has a history with Patchou. Sandi Hardmeier, a current MVP in the Internet Explorer category who specializes in the fight against malware, has written three long, angry pages about the messy adware that "sponsors" Patchou's product. In an April 2006 post, she went through Patchou's Messenger Plus in excruciating detail, concluding:

Patchou has a new "distributor" for his sponsor, called "Circle Development Ltd", but don't be fooled into thinking that Patchou's turned into one of the good guys... NO HOW, NO WAY!!!  It's still malware, and even worse, it pushing betrayware/rogueware... fake or disreputable antispyware applications, and advertisements that are entirely unsuitable for an underage audience ...

NOTE: I RECOMMEND THAT YOU **NOT** INSTALL THE SPONSOR PROGRAM.  THE POP UP WINDOWS GENERATED BY THE SPONSOR PROGRAM WILL, IN MY AND OTHER'S EXPERIENCE, TRY TO DOWNLOAD AND INSTALL MALWARE ONTO YOUR SYSTEM.

Microsoft has made extraordinary strides in security over the past couple of years. The Microsoft Security Response Center has been widely praised for its work, and the teams working on consumer security products like Windows Defender and Windows Live OneCare have gotten generally positive reviews.

But dumb decisions like this one are enough to undo years' worth of work.

Last year, when Microsoft was on the verge of buying Claria, the company wised up and scotched the deal.

Whoever made that decision should step in here and click the Undo button. Pronto.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

34 comments
Log in or register to join the discussion
  • There are two issues involved here

    One is the reality of Patchou's software, which is questionable at best.

    Even more important is the perception. This is a PR disaster for Microsoft and it's also a breakdown in its vetting process for MVPs. It took me less than five minutes with Windows Live Search to find the nexus between unhappy MVPs and Patchou's product. Whoever is in charge of the MVP program didn't do their homework.
    Ed Bott
    • Makes you wonder....

      If this episode is indicative of the vetting procedure in place for new MVPs it isn't going to inspire people with confidence in the suitability of existing MVPs.
      nmh
    • Mr. Paciullo's MVP Award has been revoked.

      Once the MVP program learned and investigated the extent of the connection, they took action today (Oct 7th) to revoke the MVP Award from Mr. Cyril Paciullo. The vital importance of maintaining the integrity and confidence of the MVP Award was paramount in making the decision.
      cnfrisch
      • Thanks, Carey

        I appreciate the update.
        Ed Bott
      • So A Mistake Was Made, Caught, And Fixed

        Yes, clearly someone did not adequately investigate Mr. Paciullo's qualifications.

        But the mistaken award of MVP to Mr. Paciullo was caught, investigated, and appropriately revoked.
        Cardhu
  • When bad guys do good.

    If nothing else, good deeds assuage consciences and look good on pre-sentence investigations.

    Suppose you were running a non-profit organization and selected one of your most dependable and effective volunteers for an award in gratitude for his service.

    And suppose that after the designation but before the ceremony, this person pleaded guilty to providing liquor to 18 year-old-minors and was sentenced to accelerated rehabilitation.

    Would you withdraw the award?

    (I set up the example to help raise the issue of how serious an offense has to be. Is there anything which could help make the offense better or worse?)

    This is not an easy issue, and it happens more often than one would prefer.
    Anton Philidor
    • Aaah but

      The point here is that this behaviour occured and was documented long before the award was made. Plus the behaviour is directly related to the context of the award.

      In your example what if the the NPO dealt with assisting people with alcohol dependancies. Would it still be suitable for that individual to receive that award?
      nmh
      • Making repairs.

        Many casinos provide money for the study and treatment of gambling problems. Many liquor companies are advocates of responsible drinking, and are members of organizations intended to improve behavior.

        Staff of these companies frequently contribute, either separately or as part of a company-sponsored program.

        Sometimes the good deeds do have a connection to the "bad" deeds. (Leaving aside whether providing an opportunity for access to something which can be abused should be considered a bad deed.)

        That's not the case we're considering, but I wanted to show that gray encroaches on black and white conclusions in similar situations.
        Anton Philidor
    • Don't see the relevance of this example

      In this case, the bad deeds go back for years. Lots of people participate in Microsoft technical and product forums (good deeds) without being recognized as MVPs.

      If this were a longtime MVP who made one mistake, I could understand. Or if this person had abandoned his old business and had spent the last two years living a squeaky clean life, fine.

      But when members of the MVP community are writing detailed analyses of your company's behavior and documenting its status as spyware. In fact, when Microsoft's own security products flag it as a suspicious product, why offer any award?

      This isn't an ethical quandary. Yes, there are gray zones, but sometimes the issues really are black and white.
      Ed Bott
      • Tunnel vision.

        Not everyone who participates in or contributes to Microsoft's technical or product forums is made an MVP, as you say. The ones who are selected have been providing benefits to users reliably and over a period of time.

        Let's assume that those who selected this recipient of the honor have a good case. Sufficient that you would say, knowing only that information, he deserves the reward.

        The situation could be resolved more happily if there were mitigation of the offense such as you describe, but as it is, a (presumably) expected, well earned reward is being denied because of other factors.


        In this case, I agree with you, the reward should be denied. Microsoft would be saying that malware making is not a disqualification for the company's approval, and that's absurd.


        But if this information had been discovered after the award had been given, what do you think should happen?
        Anton Philidor
        • Can't answer that hypothetical

          If this information - that the individual in question had been actively promoting malware for years, publicly and to apparently great profit - had not been discovered until after the award was made? Inconceivable.

          The hypothetical doesn't work. Now, let me try to reconstruct the hypothetical. Let's say someone is added to the MVP roles, and afterwards it is discovered that he has surreptitiously been running botnets and installing spyware and Trojan horses on the computers of innocent people. If I ran the MVP program, that person would be off the list within 30 seconds after I confirmed the facts.

          In this case, it's the brazen nature of the activity that is mind-boggling. It's not like Patchou has gone to any lengths to hide his activities. And they're probably legal. But that doesn't make them right, nor does it make it proper for MS to have fallen down on basic due diligence.
          Ed Bott
          • Keeping up.

            Just trying to follow your argument.

            Your first paragraph says it's inconceiveable for anyone (presumably) to receive an MVP award without having a past as a spreader of malware known prior:

            "If this information - that the individual in question had been actively promoting malware for years, publicly and to apparently great profit - had not been discovered until after the award was made? Inconceivable."

            Or perhaps you're discussing only this particular individual, who used the same alias, apparently, for both malware and MVP-winning activities.

            Why would it be inconceivable that such a person might use different aliases, or that his connection to malware might not appear until after the MVP award had been won?


            Then in the second paragraph, you recast the hypothesis as the after-award discovery that someone has committed acts which were very obviously illegal.
            You said you'd remove that person's award would disappear in 30 seconds after confirmation.

            That reminds me, has the Pulitzer been taken from that (late) New York Times reporter who knowingly lied on Stalin's behalf?

            Justice sometimes takes awhile.


            Then in the third paragraph you confirm that the individual in question has been open about his activities and that they are probably not illegal.

            Yes, they were wrong, and it is surprising Microsoft did not know about them when considering the award. Definitely tunnel vision, looking only at award qualifications.

            But isn't this the case - subsequently withdrawing the award for less than illegal offenses - that you said you couldn't answer in the second paragraph?

            Does that mean that you're saying here that you're not certain whether he should keep the award?


            I know saying one is not following can be a rhetorical device. This isn't.
            And gray does encroach quickly on decisions about awards. I've seen how difficult such decisions can be.
            Anton Philidor
          • Read the last paragraph

            Yes, I am discussing this particular individual.

            There is nothing about this guy's "alias" that was anonymous. He is well known and he uses his real name in both venues. Sandi Hardemeier's articles about him used his real name. If you google his full name in Windows Live Search, which a Microsoft employee presumably would use, Sandi's article is #1 on the list. That's the reasons the hypothetical is invalid, IMO.

            In the last paragraph, I think I made my feelings clear. He should never have received this award in the first place, and it should be revoked now. When one arm of the company is busy trying to protect customers from his activities, it's absurd and colossally stupid for another arm of the company to be praising him.
            Ed Bott
          • don't bother

            Ed, there is no way you will ever persuade Anton you are right. He is impervious to logic, and no matter what you say, he will reply to it with further illogic.

            You don't need to reply to him because everyone here knows he is nuts. The best thing to do when he posts something crazy is to just ignore him, and go spend you time on something more rewarding. By responding you just reinforce his behavior.
            Eduardo_z
          • Read the thread.

            I was clarifying.
            Also, I know situations in which bad guys have done good things, and the recipients of those services have a real problem when they discover who has been providing essential help.

            This case isn't that ambiguous, and the reward can be rescinded fairly easily. But I did take the chance to make a useful general point, though admittedly it'll be more useful another time.
            Anton Philidor
  • Years of Effect

    I can think of another company that has been found to be
    involved in consumer harm. So the maker of adware is not to be
    celebrated but what about the convicted monopolist? You know,
    the one that provides the vehicle for these artificial economies?
    these security rackets, and yes these "watchdog" forums? Let's
    write them a cheque?

    Moral outrage from the Windows proponent is hypocracy.
    Double standards allow the adware maker to be put in the
    stocks. Double standards allow the self righteous indightment of
    the "sponsor and carrier" of the adware. Double standards
    percieve the criticism as white knight duty and street cred.
    Double standards write Microsoft the cheque at the end of the
    day.

    Please spare us the noise. All these arguments sound like a
    massive affront until the logic loops back and bites your rear.
    Then "it's not so bad after all". Certainly not worth ditching
    Windows and that $1500 pad of paper.

    Microsoft gives awards to adware makers because they are cut
    from the same cloth. If this is the moral outrage you would have
    us believe it is. Put up, or ----up and switch. See how much
    adware crops up on your new Mac.
    Harry Bardal
    • Once again, you distort

      "Microsoft gives awards to adware makers..."

      Clever how you turn that into a plural. And not an accident either. It's your whole MO, Harry.

      What makes this a news story is that it is a singular example. I can not think of a single other adware pusher ever who has been honored by Microsoft.

      Part of your point is valid, but then again, you can, and with monotonous regularity do, make the same argument for every post on this site. Microsoft is evil. Microsoft is a convicted monopolist. All hail Apple.

      Your distortions make it impossible to have an honest debate or discussion.
      Ed Bott
      • Awards

        Ed

        Microsoft doesn't have to give awards to Adware makers.
        Through the sloppy architecture of their platform, they created
        the industry. The tribute is implicite, both from adware makers
        to Microsoft and from Microsoft back to the adware makers.

        If your asking why your argument somehow starts holding water
        by vitue of the fact that Microsoft doesn't support the Annual
        Adware Awards Dinner? I would have hoped you'd know why.
        Harry Bardal
        • I rest my case

          Instead of actually correcting your distortion and engaging in a legitmate debate, you pile on more distortions.

          Bye.
          Ed Bott
    • Doesn't make things right

      You see through rose colored glasses, Microsoft did not create the adware/malware/virus community. Hackers have been around since the first main frames. MS doesn't have a particularly secure OS unless you make it secure yourself, but they did not tell anyone to try to exploit the holes.

      That was done by the low life scum black hats, and people with nothing better to do than cause regular folks a lot of problems. You don't have to do anything you don't want to in regards to exploiting security holes. It's the criminals that take that path.

      Your arguments make no sense, especially when you consider this example:

      I leave the door unlocked to my car, the keys are under the seat. Bad security, but in all realism, no one should be going into my car but myself. If they do they have done so without my consent, and it's against the law.

      Ask any criminal, or even a hacker; they feel the same way when/if someone invades their house, computer, car or any other personal possesion.

      So, in summing up, I didn't create the criminal by leaving my car open, they made the choice to become one. No matter what I do, they made the choice.
      k12IT