Ask Leo! #633 – What if My Security Software Vendor Gets Hacked? (and more)

New Year, New Look!

Happy New Year! and welcome to 2017.

You might notice this newsletter looks a little different.

As I mentioned last week, I've been working on streamlining a few things, and the newsletter itself is one of those things. My hope is that it will be more readable, and ultimately more valuable to you.

The big changes include:

  • Most weeks the first article will be a full article. No "read more", you can read the whole thing right here. There'll still be a link to the article's official home on askleo.com for your comments, of course.
  • I've dramatically simplified the formatting. The newsletter never specified a font size (that's always been up to you and your email program), but now I don't even specify a specific font. Again, that puts all of the control for how things look into the hands of your email program or service. (I'll admit that's a scary change for a control-freak such as myself.)
  • I've removed several sections that didn't appear to be generating much interest.
  • I've moved more of the boilerplate administrative text to the newsletter administration page.

There'll still be a single ad in the newsletter each week.

Speaking of ads, much of this change has been brought about by typical end-of-year reflection, and the growing acceptance that advertising is becoming less and less of a source of support. That's a serious problem. But you might as well benefit from it, hence my putting a full article in the weekly newsletter for the first time in 13 years. (It's been a fairly common request during that time.)

Naturally that means I continue to need your direct support, but aside from the ad I'll try not to nag you too much about it.

Like what you see? Think it's all a horrible, horrible mistake? (I sure hope not!) Hit reply and let me know.

Thanks, as always, for being here. Onward into the new year!

Leo

What if My Security Software Vendor Gets Hacked?


What do you think about the possibility of security/privacy compromise ensuing from the use of security software? What if my anti-virus, VPN, or security extension (e.g. HTTPS Everywhere) software or software vendor gets hacked?

This concern has me waffling over whether to use the HTTPS Everywhere extension (which, by the way, is also available for the Opera and Vivaldi browsers, which you didn't mention in your video on the subject).

Similar concern with password management software…

Those are good and important concerns.

In fact, we need to apply that thinking to every bit of software installed on your machine, as well as every online service you use.

Not limited to security software

While understanding the risks of your security software is important, it's equally important to realize that this concern applies to any and all software you might choose to install on your computer.

These days, almost all software has an online component, even if it's just to check for updates. Should that online component be hacked, it could be used to download malicious software onto your machine, which can then do anything. While it might be obvious that hacked security software would be a bad thing, in reality, any software vendor that gets hacked runs the risk of causing damage in the form of malware being installed on the machines of all current users.
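The paragraph above describes the update channel as the path a compromised vendor would use to reach every current user. The following added example (not code from Ask Leo! or any vendor) shows the minimum a client can do before running anything it downloads: check that the update manifest is authentic and that the downloaded file matches the hash the manifest names. It also shows the limit of that check. The vendor key, payload bytes and manifest format are constructed for the example, and an HMAC stands in for the public-key signature a real vendor would use, so that it runs with only the standard library.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed sample payload standing in for a downloaded update file.
GOOD_UPDATE = b"version=2.0\n# installer contents\n"
# Constructed "swapped" file, as if the download server had been compromised.
TAMPERED_UPDATE = GOOD_UPDATE + b"# unexpected extra content\n"


def make_manifest(payload: bytes, version: str, signing_key: bytes) -> Tuple[bytes, str]:
    """What the vendor publishes: a manifest naming the update's SHA-256,
    plus an authenticator over the manifest bytes. A real vendor would use a
    public-key signature (for example Ed25519); HMAC is a stand-in here."""
    manifest = json.dumps(
        {"version": version, "sha256": hashlib.sha256(payload).hexdigest()},
        sort_keys=True,
    ).encode()
    mac = hmac.new(signing_key, manifest, hashlib.sha256).hexdigest()
    return manifest, mac


def verify_update(manifest: bytes, mac: str, payload: bytes,
                  verify_key: bytes) -> Tuple[bool, str]:
    """Client-side check, run before anything downloaded is executed.
    Returns (ok, reason). Order matters: authenticate the manifest first,
    then trust the hash it carries."""
    expected_mac = hmac.new(verify_key, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, mac):
        return False, "manifest authenticator does not verify"
    try:
        fields = json.loads(manifest)
        expected_sha256 = fields["sha256"]
    except (ValueError, KeyError, TypeError):
        return False, "manifest is malformed"
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        return False, "payload hash does not match manifest"
    return True, "update {} verified".format(fields.get("version"))


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk through four situations and return the verifier's verdict on each."""
    vendor_key = b"constructed-vendor-signing-key"  # constructed; a private key in practice
    manifest, mac = make_manifest(GOOD_UPDATE, "2.0", vendor_key)
    results = {}

    # 1. Legitimate update: passes.
    results["good"] = verify_update(manifest, mac, GOOD_UPDATE, vendor_key)

    # 2. Download server compromised, file swapped, manifest untouched: caught.
    results["swapped_payload"] = verify_update(manifest, mac, TAMPERED_UPDATE, vendor_key)

    # 3. Attacker rewrites the manifest too, but does not hold the vendor key: caught.
    forged_manifest, forged_mac = make_manifest(TAMPERED_UPDATE, "2.0", b"attacker-guess")
    results["forged_manifest"] = verify_update(forged_manifest, forged_mac,
                                               TAMPERED_UPDATE, vendor_key)

    # 4. The vendor's own signing key is compromised: the malicious file is
    #    signed with the real key and the check passes. Verification protects
    #    the delivery channel; it cannot protect against the vendor itself.
    m4, mac4 = make_manifest(TAMPERED_UPDATE, "2.0", vendor_key)
    results["vendor_compromised"] = verify_update(m4, mac4, TAMPERED_UPDATE, vendor_key)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("{:18s} {:5s} {}".format(name, "PASS" if ok else "FAIL", reason))
```

Case 4 is the article's point in code: hash and signature checks stop a tampered download, but once the vendor's signing infrastructure is compromised, every client that trusts that key installs whatever it signs. That residual risk is what the trust decisions discussed later on this page are about.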

So, absolutely be aware of your "anti-virus, VPN, or security extension" vendor, but be just as concerned about the software not necessarily related to security as well.

Not limited to software

The same thinking is important to consider when selecting online services. You mention VPNs specifically – again, where security is an obvious part of the mix – but actually, the concerns are just as valid for any and all online services you might consider using, including your ISP.

Should an online service be compromised, anything you do with the service is at risk. Your private information, as well as any data you store there, could be made public. In an extreme case – say an ISP getting hacked – you could find yourself directed to malicious sites, or downloading malicious software, without realizing it.

Taken to the extreme

As I said, it's a concern for every single service you use, and every single bit of software you install on your machine, right down to the operating system.

Should Microsoft (or Apple, or your favorite Linux distribution) ever be hacked, absolute chaos could result.

It's all about trust

Life is not without risk, and one of the ways we manage risk is to make sure we do business only with entities we trust. That's not to say we necessarily agree with their actions, but that their actions are transparent in such a way that we can trust them to do what they say they will, and do it with an appropriate level of security in mind.

Intent

We begin by trusting that the services and software we use don't have malicious intent. We're assuming they're not out to "get" us; they're not explicitly out to exploit, harm, or otherwise take advantage of us.

To be clear, not everyone agrees on who does or does not have malicious intent. There are plenty of people who seriously distrust Microsoft, for example. As a result, they may seek out alternatives they find more trustworthy than Windows and other Microsoft software.

The bottom line is, we each need to believe the entity we're dealing with is at least trying to do the right thing.1

Protection

Protection from malicious software is one thing; what about protection from legal attempts to access our data?

For example, even without being hacked, how easily will your ISP expose your information to local authorities? The same holds true for VPN services; they are, in a sense, acting as a kind of proxy ISP, moving the point at which your traffic reaches the open internet from your ISP to one of their servers.

This kind of protection is exceptionally complex, as laws and legal realities vary from one place to another, and companies may not always be in a position to defend themselves, or you, in areas outside of your location.

Qualifications

We also trust the services and software we use to know what they're doing, particularly when it comes to security. We assume they understand the security ramifications of their tools, and have taken appropriate and sufficient measures to ensure our privacy, safety, and security.

This is difficult to judge objectively. For obvious reasons2 software vendors and online service providers don't specify their full range of security measures publicly. We need to decide how much we're willing to trust them with our information and activities based on reputation and track record.

Track record

One way to evaluate whether or not a vendor is worthy of our trust is to review their history. Specifically, we can research:

  • Have there been issues in the past?
  • How were those issues handled?

I might claim the second is more important than the first. There's no such thing as bug-free software, and there's no such thing as perfect security. In the face of security-related issues, how did the vendor respond? Was it with quick transparency, or ponderous obfuscation? Did it become apparent that their systems had been designed with security in mind, or was it clear they'd made some boneheaded decisions leading to eventual compromise?

Who do you trust?

It's unrealistic for every computer user to have a detailed understanding of the security issues and risks associated with all the different kinds of software and services, online or off. As a result, it all comes down to trusted referrals and reputation.

For example, I trust Microsoft's intent and qualifications. Admittedly, I have a small window others might not have3 into how Microsoft operates on which to base my opinions. But, I'm also in a position for others to choose to trust my thoughts on the matter. Or not, as the case may be.4

Perhaps more objectively, I trust the EFF – the suppliers of HTTPS Everywhere. My trust is based on my understanding of the organization's goals, their history, and their online reputation. Will they have perfect software developers? Of course not – there's no such thing. But I do trust them to understand the security ramifications of their efforts – perhaps better than most – and to take appropriate steps to ensure that what they provide is solid and secure. I also trust them to react appropriately should an issue ever become apparent.

Those are the same qualifications I apply to any software or service I use. It's one reason I haven't yet endorsed a specific VPN – I don't have enough of a track record with any of them to feel my opinion is worth anything. If pressed to make a decision, I'd defer to other resources I do trust – like the EFF, in this case – for their recommendations.

Sleeping well at night

As you can see, there are a lot of issues to be considered once we start down this path – so many we could lose all hope!

For most people, things aren't nearly as bleak as this picture might paint. Most major vendors are reputable and trustworthy, and will do what they can, within the limits of technology and the scope of the law, to keep their services safe and secure from hackers or other types of intrusions.

As long as you focus on getting reputable software from reputable sources, and maintaining your own security hygiene, it's not something the average computer user need lose sleep over.

Related Links & Comments: What if My Security Software Vendor Gets Hacked?
https://askleo.com/24223

To Video? Or Not to Video?

How much value do you receive from Ask Leo! video blogs? You can tell me.

Continue Reading: To Video? Or Not to Video?
https://askleo.com/25374


Is There a Way to List All Programs Installed on My Computer?

Can you recommend/suggest a software program that will show me exactly all programs (showing or hidden) installed on my laptop?

Surprisingly, the answer is no.

Even more surprisingly? There's really no single definition of what an "installed program" is.

Continue Reading: Is There a Way to List All Programs Installed on My Computer?
https://askleo.com/24290

From Ask Leo! On Business:

Add Google Search to Your Site

Make your site searchable with the Google search engine.

Read: Add Google Search to Your Site



Newsletter contents Copyright © 2017,
Leo A. Notenboom & Puget Sound Software, LLC.
Ask Leo! is a registered trademark ® of Puget Sound Software, LLC