divestos.org website classified "dangerous / scam" by trend micro + lost security cert from macafee (edit: sites secure but the owner seemingly isnt)

[applyscience]

Edit:
The site owner has request a reclassification from trend micro and as of November 30th 2022, it is now classified as safe via https://global.sitesafety.trendmicro.com and the lost certification is related to being poor and too proud to just admit so. (ok, thats a low blow. 1k a month (per owner) on a cert that use to be free is BS on McAfees part but the road to get to this conclusion was just stupid)


I noticed this when accessing aurora store with that repo enabled (offered by default) they offer privacy focused alternative apps and as well as a android ROM. I am a tech privacy /android / ROM whore and never seen something in this realm of content genuinely concern me.


via https://global.sitesafety.trendmicro.com/result.php

Dangerous: The latest tests indicate that this URL contains malicious software or phishing.

and their detailed classification is...

Scam: Sites that attempt to defraud a person or group after first gaining their confidence, used in the classical sense of trust. They often play confidence tricks to exploit typical human characteristics such as greed, dishonesty, vanity, opportunism, lust, compassion, credulity, irresponsibility, desperation, and naivety.

I wanted to initially assume false-positive or even more tin-hat, like a security company abusing their trust to assist google sustain analytics but this is too unique / unpopular and yet a specific.block

Doesnt help that it also lost (not never had) its Trusted rating with McAfee Secure with requests the owrner contact them.

there is not too much chatter about it on reddit or here beyond old(ish) roms and current updates (nothing reassuring, sadly)

looked into the websites github and code but ithere is so little discussion/feedback about the consistent changes and im not specialized in web cert/security classification guru. All I do know is i go to a lot of privacy focused apps, install all the privacy/ foss f-droid repos and never seen this before.

 

[SkewedZeppelin]

This is my project and dates back to 2014:

History - DivestOS Mobile

divestos.org

News - DivestOS Mobile

divestos.org

I've numerous contributions in many other open source projects you are likely to already be using. See:

About - DivestOS Mobile

divestos.org

Build software better, together

GitHub is where people build software. More than 83 million people use GitHub to discover, fork, and contribute to over 200 million projects.

github.com

You can also see all of my many FOSS projects available at https://divested.dev

These two forum threads have over 1000+ comments combined:

DivestOS: long term device support with enhanced privacy and security

I am releasing DivestOS. It is an aftermarket system for many devices. Based on LineageOS with many security and privacy features. Unmodified F-Droid is included. Site: https://divestos.org Source: https://github.com/divested-mobile (also mirrored on GitLab) Credits...

forum.f-droid.org

Divested-WRT: No-nonsense hardened builds for Linksys WRT series

Hello! Here are my simple, no-nonsense, UNOFFICIAL builds of OpenWrt for the Marvell-based Linksys WRT devices. I've maintained these between 2015-2016 and again since mid-2020. Configs and patches are obviously included. Builds are here and via onion service here Changelog is here Git...

forum.openwrt.org

There also used to be a list of sites where people talked about it:

DivestOS-Website/wild-3p.txt at ac002b46e05fb255ed96adc787efe216085b9f24 · Divested-Mobile/DivestOS-Website

The DivestOS website. Contribute to Divested-Mobile/DivestOS-Website development by creating an account on GitHub.

github.com

DivestOS is also listed on PrivacyGuides (previously PrivacyTools) here https://privacyguides.org/operating-systems/#mobile_os

You are welcome to verify what you see, but please kindly don't spread FUD about a project I've spent many thousands of hours on these past years.

 

[applyscience]

You are welcome to verify what you see, but please kindly don't spread FUD

Poor choice to use FUD ("Fear, uncertainty, and doubt (often shortened to FUD) is a propaganda tactic used in sales, marketing, public relations, politics, polling and cults. FUD is generally a strategy to influence perception by disseminating negative and dubious or false information and a manifestation of the appeal to fear." - the wikipedia definition to defend your project, especially on things that bring up serious concern about it. That, paired with the info dump you gave that addressed none of the issues I brought up.

I am not qualified to "validate" anything you show me, which is why I brought it up here in hope professionals would be able to weigh in. I saw your name but didn't tag you because I was certain you would just get defensive and take it as an attack, which it is not. it is a concern. I also didnt do it because You really dont ask the one being labeled a scammer if they are one..

The fact you still took it as one and did nothing to address the the 2 major security companies showing valid concern over the website.

I've numerous contributions in many other open source projects you are likely to already be using

weird way to humble brag and again, nothing about them relate to the post I made. you not addressing anything i put forward just makes me even more concerned. Again, there are many similar projects (some much more popular in use) and none of them have the issue your website seems to have.

Why not address the claim by Trend Micro?
How could they confuse your link as a scam when that is not a false positive they do much, if ever?

Are you planing on contacting McAfee to get your sites cert back?
Why did you lose it in the first place?
They definitely seem interested in you contacting them, why not do so?

If you reply again, please address anything about the specific and valid issues brought up in the post and not just try to defend yourself by listing off your work history.

 

[SkewedZeppelin]

I honestly do not care at all what Trend Micro or McAfee's automated blackbox systems have classified my websites as.
Nor am I going to install Windows and install their anti-virus programs just to refute their claims.

McAfee literally charges minimum $1000 a month for that nonsensical "certification" https://www.trustedsite.com/certification/start if your site has "more than 500 visits a month". divestos.org is averaging between 20k and 35k page hits a month.

which is why I brought it up here in hope professionals would be able to weigh in

I'd gladly welcome a free audit of my work.

 

[applyscience]

"I don't care" isn't an answer to any of the questions. listen, I don't care. I don't use your stuff nor like or dislike anything related to you, your project. The only reason I even posted it is the fact this is the only website I've come across in my 25+ years of FOSS obsession to have 2 major security companies suggesting something is wrong.

the fact you still didn't answer the questions nor care doesn't bode well. you really should care

I'd gladly welcome a free audit of my work.

2 major security companies did and that's why this post was made. Hellloooo???!

 

[SkewedZeppelin]

"I don't care" isn't an answer to any of the questions. listen, I don't care. I don't use your stuff nor like or dislike anything related to you, your project. The only reason I even posted it is the fact this is the only website I've come across in my 25+ years of FOSS obsession to have 2 major security companies suggesting something is wrong.

the fact you still didn't answer the questions nor care doesn't bode well. you really should care


2 major security companies did and that's why this post was made. Hellloooo???!

No, they did not audit what I offer.
That is not at all what an audit is.

The Trend Micro is a false positive, and I've already asked them to reclassify it.

The McAfee certification is a *PAID* service, that costs over $1,000 a month and is for websites to have a silly badge on their website. Never have I paid for it or asked for it or can even afford it. Why would I in my right mind burn $1,000 a month for a badge.

Please stop wasting my time.

 

[GOOGLE_USER]

No, they did not audit what I offer.
That is not at all what an audit is.

The Trend Micro is a false positive, and I've already asked them to reclassify it.

The McAfee certification is a *PAID* service, that costs over $1,000 a month and is for websites to have a silly badge on their website. Never have I paid for it or asked for it or can even afford it. Why would I in my right mind burn $1,000 a month for a badge.

Please stop wasting my time.

Is it not you who is wasting your time?
Your input was neither requested nor required for the OP's stated purpose.
OP sought input from respondents -if any- and it would seem that it is your intent to waste his/her time.
Perhaps let this play out as it will. If you are confident in your truths then fear not the illuminations.

 

[SkewedZeppelin]

Trend Micro has since reclassified divestos.org as:
"Safe / Computers / Internet;Noteworthy"

 

[GOOGLE_USER]

Trend Micro has since reclassified divestos.org as:
"Safe / Computers / Internet;Noteworthy"

I see that.
A step in a positive direction for your endeavors, no?

Something you've changed or explained via a convincing communication with them?
Or do they just whimsically impose/rescind such judgments sans explanation to those affected?

 

[applyscience]

The McAfee certification is a *PAID* service, that costs over $1,000 a month

that makes sense to stop using it, especially when it use to be free, but why did it take your 3rd response to the topic to get to there?

Trend Micro has since reclassified divestos.org as:

"Safe / Computers / Internet;Noteworthy"

1. thats great.


2. so you DO care and requested a reclassify request. Why was that so hard to just admit to? Why did everything you reply with say one thing yet your actions do another? you could have just said "thats not good but i assure you its wrong and will request them to change it" hell, i even said mcafee was

Please stop wasting my time.

************, YOU came to ME. I brought up a concern and specifically didn't tag you because I was looking for input form others as you dont ask people labeled scammers if they are one.

You're whole reply could have been
"**** Mcafee, they want money now but ill put a request into TM. Not a concern for myself but it only takes 10 seconds and dont want any potential users to be concerned"

jesus christ