Transitioning from Malware Fighter to Director of Compliance and Security

Ken Betchel
Director of Compliance & Security
October 5, 2023

Introduction:

In this blog post, I want to share my journey from a 35-year career spent fighting malware to becoming the Director of Compliance and Security for a software startup called Massive. I'll delve into why I made this transition and how Massive is pioneering a new approach to monetization that prioritizes user privacy, security, and integrity. Along the way, I hope to offer insights and ideas that may inspire you as well.

The Transition:

Around two years ago, a colleague approached me with an intriguing opportunity. A startup was searching for someone with a strong background in combating malware, but the catch was that the role was Director of Compliance. At first, I was puzzled. What did compliance have to do with anti-malware? As I delved further into the company's operations, it became evident that Massive was dedicated to developing a monetization model that prioritized the security and privacy interests of its users.

Their idea was simple yet groundbreaking – much like the SETI at Home model – they aimed to enable software vendors to subsidize their products by allowing users to opt-in to use the Massive Software Engine. The "product" would be the idle resources of users, not the users themselves.

Navigating the Security Landscape:

The landscape of malware had evolved into a profit-driven industry, and Massive's engine incorporated some similar features. Massive's approach of recruiting computers and harnessing their idle resources isn't new in itself: botnets do exactly the same thing, and therein lies a significant challenge. How do we differentiate ourselves from the bad guys, particularly in the eyes of the anti-virus industry? My role was to ensure that we operated in an open, ethical, and secure manner. This involved rigorously vetting business partners and software features. Unlike the stereotypical corporate "Mr. NO" compliance officer, I saw my role as safeguarding our reputation.

Working with the Anti-Malware Industry:

One of our initial challenges was to collaborate with the anti-malware industry. Many host security products were inherently skeptical about monetization, considering it insecure and abusive. So, our first task was to engage with the industry, seek their input, and collaborate with both sales and engineering to set new standards. This included implementing built-in throttles and eliminating user-adjustable limits (the only user control over resource use being enabled or disabled) to ensure minimal impact on the end-user experience.

Enhancing Product Security:

We also paid close attention to how and when we displayed notifications and sought user consent. We improved our product security by adding protections against unauthorized copying of registry entries and file directories, to prevent silent installations without consent. We even had to take action against an unauthorized distributor who bundled our legitimate app with questionable software. Throughout this process, we collaborated with AppEsteem to ensure compliance with their certification standards and to have our apps certified.

The Role of Director:

During my interviews, I learned that my role as Director would have a dotted line to the CEO, independent of Sales, Marketing, and Engineering, with veto authority. This demonstrated the company's strong commitment to ethical practices, which was a significant selling point for me.

The Pitfalls of Traditional Monetization:

Reflecting on traditional monetization methods like adware, I saw their inherent insecurities. These models exposed users to potential malvertising and drive-by infections, compromising user privacy and security. Massive aimed to do things differently.

The Massive Approach to Monetization:

For Massive, monetization was ever-evolving. Partner services were rigorously vetted to ensure legitimacy and ethics. We started by offering cryptocurrency mining and management services but, because profitability was limited, shifted to a distributed proxy service. To enhance security, we implemented strict limitations and filtered access to specific website categories.

Diverse Applications:

Our model had diverse applications, from cybersecurity intelligence to monitoring network health. We partnered with organizations like the Anti-Malware Testing Standards Organization (AMTSO) to enable website scraping for testing purposes. This allowed us to identify malware and phishing websites, measure time to detection by Host Security products, and more.

The Power of a Supercomputer:

The question that intrigued me the most was, "What would you do with the power of a supercomputer and a global network at your command?" This concept underscored the enormous potential of Massive's approach.

Conclusion:

Transitioning to Director of Compliance and Security at Massive was an easy decision for me. It combined my developer's desire for monetization, the end user's aversion to intrusive ads, and a security researcher's need for ethical reconnaissance. The potential for this groundbreaking monetization method was clear, and I wanted to be part of the team that brought it to fruition.

In upcoming blog posts, I'll delve deeper into specific aspects of Massive's journey and explore the broader implications of ethical monetization in the software industry. Stay tuned for more insights and updates!