So, clearly Google has too much power over the internet, it's arbitrary and opaque, etc. I agree. However, I think it is worth pointing out that:
1) malware is often very aggressive and fast-spreading, and once it's on a user's computer it's hard to get off, therefore...
2) the system to detect it and stop access to the site has to be automated, not a human-in-the-loop system that might take hours or days to shut off access to a site which is infecting many users per minute, and...
3) the more clarity there is on how exactly that automated system works, the more certain we can be that malware will be able to evade it; it's much like how spam detection or search page rankings are opaque, because the incentives to game the system are very great
I'm not saying Google's system is perfect, but I am saying it's a very hard problem to solve in a way that doesn't give us an even worse time stopping malware spread than we already have. So while it is hard to feel sorry for a company as wealthy and powerful as Google, I think the issue is not as clear-cut as some comments on this thread seem to suggest.
I absolutely agree, and the same applies to things like moderating YouTube and such. The scale is mind-boggling, and people will do anything to get past any measures you put in place. It's a hard problem to solve, and I feel people are too quick to jump to the "Google bad" bandwagon.
But that being said, by far the biggest problem is the lack of recourse and communication. Compare this to email spam prevention, which solves a very similar problem, but if you accidentally get blacklisted you can just talk to the Spamhaus people or whoever and get the problem sorted.
It's not hard to imagine how Google could improve here: send better notifications when something is blacklisted, provide a reason why, and offer a better procedure to get your problem fixed.
Yes, this will cost time and money due to the large scale of things. But if you have the ability to block parts of the internet for much of the population, then you also have some responsibility here; you can quite literally kill companies with this. Email spam prevention services usually step up to this responsibility. Google ... not so much.
Mistakes will still happen, and that's okay. I appreciate the hard job they're doing, which does provide a lot of value. It's how you deal with those mistakes that matters, and Google deals with them terribly across all of their products.
I think if Google is going to decide to police the web like this, they need to alert people more proactively. The first the OP heard of this should have been Google emailing them through uploader.win's Contact Us address. It's easy and obvious to find on the site; it seems like that should be part of the automated process.
Locating contact info for websites is not something that can be automated. Some sites provide an email address, some a form, some point people at twitter or facebook and some don't provide any contact information at all. None of this is arranged in any sort of standard way. Contact info may be under a link marked "contact" or "about" or "bio" or appear at the bottom of every page.
Legally, every web domain must have a contact point when you register. They shouldn't have to webcrawl for the contact info. Then again, they are already the kings of webcrawling....
Yeah; that was my original thought, but not sure how readily available that is without reaching out to the registrar. Certainly, the registrar could be reached out to.
Of course it can. There have always been well-known contact addresses: hostmaster, postmaster, webmaster, security, abuse, etc. (standardized in RFC 2142). In addition, there is now the .well-known URI path, which has an RFC of its own.
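A sketch of what that looks like in practice (purely illustrative; this only builds the list of conventional contact points, it doesn't probe or email anything):

```python
# Build the conventional contact points for a domain: the RFC 2142 role
# mailboxes plus the RFC 9116 security.txt file, which lives under the
# RFC 8615 ".well-known" path. An automated notifier could try these
# before giving up on reaching a site's operators.

def contact_candidates(domain: str) -> dict:
    roles = ["hostmaster", "postmaster", "webmaster", "security", "abuse"]
    return {
        "emails": [f"{role}@{domain}" for role in roles],
        "urls": [f"https://{domain}/.well-known/security.txt"],
    }
```

None of this guarantees a human reads the mailbox, of course, but it's a mechanical starting point that doesn't require crawling for a "Contact" page.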
Surely there is a better way to address malicious content than blocking the entire domain.
It also doesn't seem like sites like Facebook, Reddit, YouTube, Google Photos, etc. run into this problem, even though they allow user-uploaded content, so there is some kind of bias against smaller companies.
You won't get away with uploading malware to your Google Drive without Google noticing. The no-no here is that this guy is operating a demo site that allows anonymous file uploads without policing the content that goes there. That's just mind-blowingly dumb and ripe for abuse.
> So you need a google quality malware detection filter to allow user content upload on your site? That's a pretty big barrier to entry.
No, but IF you allow people to anonymously upload malware to your site, Google-quality malware detection filters will absolutely do what they were designed to do and detect the malware on your site.
I just don't understand the people insisting on arguing that somehow this was a false positive. Google was right! This site was hosting malware! It's true it wasn't "intentionally" hosting malware, and that it was designed for benign purposes.
Which is to say, you are demanding that Google forgive this site automatically based on intent and not evidence. And sadly, while Google may have Google-quality malware detection filters, they haven't yet cracked the nut of thought crime detection.
My problem isn't that it flagged some user-uploaded malware; my problem is that the entire site is blocked without warning.
I am genuinely curious how you would prevent your site from being blocked like this. Sure, in this case it was a demo, but what if it was an actual image hosting service that required login? What's to stop a bad actor from creating an account and uploading malicious content? Maybe you even have some filter that does image recognition and tries to detect phishing. But unless your filter catches the exact same content that Google's malware detector does, there's still a chance you'll miss something that Google finds, and it starts blocking your site.
Strictly that's not correct. The whole experience here was a "warning", though it was given to users of the site and not the owners directly. Chrome will allow access through that warning page via an override, and of course they have the option of using other browsers.
But even interpreting you narrowly: How much warning do you think Google should be expected to give before flagging sites with known malicious content? Would you apply that same logic to the sites you visit as a user?
I just don't see how the principle you want is going to work in a world with rampant malware. Most of us very much want the trigger-happy filters, because they keep the problem manageable at the cost of some inconvenience and increased vigilance on the part of the content providers, which is IMHO exactly where it should be.
It would be individual users' job to police which sites they go to, and hosting providers' job to police the content of their customers.
The people who make the search engine, the browser, and the blacklist should not be one and the same.
Do you know how many sites would be absolute minefields without Google? They incentivise websites to commit to some clean standard so that the 'individual user' doesn't have to run a script every time they visit a website to make sure it's clean. And guess what: whatever script they run would just end up becoming a different Google anyway.
We have enough history to know users can't self-police. This doesn't scale. Most users don't understand the internet nearly well enough to shoulder that burden.
At least in the Bay the police can't even stay in the confines of the laws they're sworn to uphold (stop signs, speed limits, not drunkenly swerving into the bike lane I'm inhabiting, ...). What reason do we have to believe they'd handle an unfamiliar problem domain with any better proficiency?
Police take reports from victims, and then what? How do police protect you from a site hosted outside their jurisdiction?
I think tech companies deciding what people can access is the most likely endgame no matter what. People will demand protection. Whether it's a great firewall, a whitelist-only internet, ...or just automated filtering like this, which may be the most liberal option we can realistically expect.
The police go and arrest them. This is true even for other jurisdictions. It's not as if there are no police in France or Australia.
What you're left with is things hosted out of uncooperative countries like Russia or China. But then shouldn't the block list consist entirely of things hosted out of uncooperative countries like Russia or China? How did this US-hosted business fall victim?
It's not just Google; Microsoft, Twitter, and Facebook do this too. Our website was recently flagged by Facebook's ML [1], and the only way to "unban" it was to find ways to contact a human being inside.
PS. Twitter still does not allow me to share links to OP's website.
What the situation in the article illuminates is that proper government oversight and a distribution of concerns are a necessary part of balancing power. The tensions designed into a system help it address its edge cases to varying degrees. The article also points out how to manage one of these situations in general; its Lessons Learned is an excellent list of insights. Automation should be balanced with humans in the loop: automated systems are imperfect, and humans are too. Balanced systems with separation of concerns yield good results. Discretion can be exercised and applied appropriately, and the parties responsible for each concern can sort out these edge cases and share that info when and where it furthers the common interest.
>Now we run automated tests to monitor server uptime and check server for problems every 30 seconds. Unfortunately automated test scripts were happily getting HTTP/200 replies while people using the Chrome browser were being told this is a scam business trying to steal their bank account information.
I was surprised this wasn't part of the lessons learned. The monitoring basically failed, but that wasn't listed as a lesson.
I feel like the majority of uptime monitors fall into this same trap. That's one of the reasons why, for my monitoring service, I chose to do full page load monitoring via Chrome instead of just an HTTP request via curl or whatever. The main reason: people care whether the webpage loads, and how long it takes to load. Having a website respond in 200ms is great, but if it takes 8000ms for all the JS to load and execute, your website is still slow. I get why sites just do curl requests, since it's way cheaper, but then you're monitoring one part of the stack while caring about all of it. If your website starts producing JavaScript errors, you want to know, etc.
[1] https://www.ootliers.com (The landing page and everything are terrible and I'm working on improving that)
When talking about checks on the order of twice a minute, curl is probably the right approach. You can/should still do a full check, but that can be done at a lower frequency.
Not sure why you're getting downvoted, personally I agree.
For example:
- a frequent/simple check dealing directly (on the internal network) with the webserver ("does it work well yes/no, what's the raw response time, etc..."). Here is where I would definitely use "curl".
- another less frequent test involving as well the DNS and the external network.
- another end-to-end test (e.g. once every 10 minutes?) involving as well one or more real browsers (this would test as well for example revoked SSL certs).
=> all these infos/metrics should be quite helpful to identify problems, or at least to shrink the potential area that is causing it.
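The scheduling logic for that tiering is trivial; as a rough illustration (the tier names and intervals here are made up, not anyone's real config):

```python
# Tiered checks: cheap ones fire often, the expensive browser-based
# end-to-end check fires rarely. Intervals are illustrative assumptions.
TIERS = [
    ("internal-curl", 30),   # raw webserver response, internal network
    ("external-dns", 120),   # DNS + external network path
    ("browser-e2e", 600),    # real browser: JS, SSL certs, interstitials
]

def checks_due(elapsed_s: int) -> list:
    """Names of the tiers that should fire at second `elapsed_s`."""
    return [name for name, interval in TIERS if elapsed_s % interval == 0]
```

At second 600 all three tiers coincide and you get the full picture; most of the time you're only paying for the cheap check.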
Yep, for sure. Fastmail still uses a once-every-10-minutes frequency for the full end-to-end "can log into the website, compose an email, receive the email, trigger an automated background fetch, receive that email too" tests, though the "can connect to service" tests run much more often.
To be fair, my page load checks aren't just "is the site up and responding 200"; they also do page performance anomaly detection and such. So I want/need to see the performance minutely, to detect fairly quickly whether performance has degraded for the entire page load. One slow minute can be OK, but if you have 5 minutes of it being slower than normal, one after another, then you have an issue. I feel that if you're doing checks every few minutes, your data won't be as good as checking every 30 seconds. It takes way more resources, but honestly I think it's the future of monitoring. Also, having multiple ways of calling a site via HTTP to monitor it is way more complex.
The main offering is order monitoring, but I am in the middle of creating a standalone page load monitoring offering for others, since I think that service by itself is super useful.
I wonder if there are page monitoring utilities that can download the full html payload, render the page via a headless chrome browser, and then perform a diff against the content? Most landing pages are quite static, and like you said, it's about full page load, so measuring how long the entire page took to load, along with each asset's network request and subsequent content paints, you could get a pretty good idea of your holistic page load health.
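A minimal sketch of the diff step (assuming the rendered HTML has already been captured; the fetch/render via headless Chrome is left out, and the 0.5 threshold is an arbitrary assumption):

```python
import difflib

def page_drift(baseline_html: str, current_html: str) -> float:
    """0.0 = identical render, 1.0 = nothing in common."""
    ratio = difflib.SequenceMatcher(
        None, baseline_html.splitlines(), current_html.splitlines()
    ).ratio()
    return 1.0 - ratio

ALERT_THRESHOLD = 0.5  # assumed cutoff; a real service would tune per page

def should_alert(baseline_html: str, current_html: str) -> bool:
    return page_drift(baseline_html, current_html) > ALERT_THRESHOLD
```

A real implementation would also want to ignore expected churn (timestamps, CSRF tokens, rotating banners) before diffing, otherwise the threshold becomes useless.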
I've seen automated testing tools for that. I was thinking about it for the future, once I have the other monitoring I want; I'm literally building this to be the monitoring tool I want to use. But you would have to make the monitoring system aware of deployments and design changes, and those are the things that generally break stuff.
But the key thing for me is "goal" monitoring. For e-commerce it's orders; for other systems it's different. That's the thing I really want to monitor: if other things break, they'll affect those goals, so you can detect lots of failures. The only issue is finding out what the cause is, but first I'll improve the anomaly detection a bunch before looking into root cause detection.
It's certainly OK for things to break if it is a deliberate design change. Visual regression testing in your build/deployment pipeline can already flag a change to you as part of a GitHub merge; I don't see why we can't have similar tooling in that pipeline that focuses on efficiency.
Why not run a fully functional monitoring job, i.e. upload a file with a monitoring account and check the results, to validate that the service works end to end? Doing this even once a minute shouldn't add any load, and it's a much more reliable test.
It would have needed to be done through Chromium in non-headless (likely full Xvfb) mode, with step screenshots, and screenshot comparison (always flaky!), for the Safe Browsing interstitial to have generated an alert.
How about headless mode with validating response by parsing expected output? I don't have a lot of experience so not sure if what I'm saying is feasible.
FWIW, the Safe Browsing interstitials are managed by a slightly disorientating bunch of browser/renderer interactions mostly initiated by C++ that basically delivers chrome://interstitials/safebrowsing?type=malware instead of the page in question, IIRC with the renderer setup so you can't right-click and view source etc.
From a pure perspective, yes, you should be able to use headless mode and run some sort of validation on the HTML. That would make things really straightforward.
In practice... the easiest explanation is that I just spent about 35 minutes trying to find a live test/example safe-browsing trigger so I could check whether right-click is disabled, and I couldn't find one. Even after firing up a separate Chrome profile and verifying Safe Browsing was enabled at chrome://safe-browsing/, modifying /etc/hosts to point http://malware.testing.google.test/testing/malware/* anywhere did not work, none of the links https://testsafebrowsing.appspot.com/ generate any scary red warnings (and now my Downloads folder is full of EXEs), and I'm kinda sitting dazedly scratching my head a bit. Maybe all this requires some magic sauce I'm not aware of, or maybe it's just quietly bitrotted (doesn't seem to be the case?)... but the overwhelming lack of determinism is what makes trying to automate this next to impossible.
You just have to shove the website into a browser and screenshot the output. Because the chain between "load URL" and "user sees red" is that rickety, that there's no clean way to test it. D:
It's funny you read it that way; you may understand it correctly, but I came away with a different interpretation: that they allow-listed the developer's IP and returned good, non-phishing-warning responses to the monitoring check, but not to end users.
They said their test scripts worked but people using Chrome got an error, so I take that to mean their scripts weren't using Chrome at all.
To be fair, I've not had this happen yet, so I am going to try to find a site that Chrome won't let me visit and see what happens when I visit it programmatically.
When that warning page is thrown, is a 200 returned?
The page could “load” OK but be blocked by a Chrome-side flag that isn't part of the HTTP response.
Total guess.
Anyone have any insight into how that page gets shown?
After a bunch of searching I found a test URL: https://testsafebrowsing.appspot.com/s/malware.html. Via my Chrome script I get a 500, and when bypassing the warning in Chrome manually it returns a 200, so the web URL itself works.
This is totally an edge case I didn't even think of until I read that blog. Super happy that my monitoring approach picks up on it.
For others wanting to do the same, I'm using chromedp. It does take up way more resources, though. I worked out I can do 90 checks per minute per 8-core/16GB server.
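For anyone budgeting this approach, the capacity math is simple (the 90/min figure is just my own measurement above; yours will differ):

```python
import math

CHECKS_PER_MIN_PER_SERVER = 90  # measured on one 8-core/16GB box

def servers_needed(num_sites: int, interval_s: int = 30) -> int:
    """Servers required to check every site once per `interval_s` seconds."""
    checks_per_min = num_sites * (60 / interval_s)
    return math.ceil(checks_per_min / CHECKS_PER_MIN_PER_SERVER)
```

So 30-second full-browser checks for 450 sites would need around ten such servers, which is exactly why most monitors stick to curl.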
How would Google know that a site is curling another site?
Why would they flag that as a phishing site?
I’m just having a difficult time determining how this situation is not the fault of the site/app; we don’t even know that any of this is true and it looks more scripted than an offended rant.
The curl'ing is not necessarily bad (and can continue just fine); rather, it's blind to these types of problems. A false positive in your testing framework (especially something like this) is the worst-case scenario.
Google wouldn't know that someone is curling the site; the point is that the script said everything was OK while the website was effectively down, because Chrome and Firefox will both block a site based on Google's Safe Browsing list.
They could use Google's Safe Browsing API to check whether they're on that list, in addition to the curl check.
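For reference, a sketch of what that v4 Lookup API request looks like. The endpoint and body shape follow Google's public Safe Browsing docs; the clientId/clientVersion values here are made up, and actually sending the request requires an API key, which is omitted:

```python
import json

LOOKUP_URL = "https://safebrowsing.googleapis.com/v4/threatMatches:find"

def lookup_payload(site_url: str) -> str:
    """JSON body asking whether `site_url` is on the Safe Browsing lists."""
    return json.dumps({
        "client": {"clientId": "uptime-monitor", "clientVersion": "1.0"},
        "threatInfo": {
            "threatTypes": ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE"],
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": site_url}],
        },
    })

# An empty JSON object in the response means "not listed"; a "matches"
# array means browsers are about to show your users the red interstitial.
```

Polling this alongside the curl check would have caught exactly the failure mode in the article: HTTP 200 from the server, red screen in the browser.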
Frankly, Google's Safe Browsing list is one of those things which should be broken out of Google and run by an independent entity, much like the Let's Encrypt model.
1. Mozilla and the Chrome clones (Edge, Brave, etc.) partner to make an (open as possible) standard for blocking and reviewing, and start maintaining their own list upstream from Google.
2. When Google adds to their blocklist, independently check it according to the consortium's own standards.
3. Cut a deal with Bing or Yandex to scan for malware as part of their crawls, to get technology independence.
I still don’t understand what the problem is here with Google doing this.
We don’t know that this whole thing wasn't invented by the author, or that they weren't in fact doing something malicious.
All of this, as credible as it may seem, could just be invented bad PR against Google, which if true should make us take a hard look at whomever is behind this.
Seriously, read the Lessons Learned again and tell me for certain this really happened. How in the world does it look so staged, with the bold words and thought-out structure? I’m not going to jump on the bandwagon every time someone makes claims.
They can remove your YouTube account, app, entire Google account, or even your website at any time, and you can only guess why it happened, because they always make the rules really vague and it's never clear what is or is not allowed. And even when they do admit the mistake and get you back up, they still won't explain anything, and nothing is ever fixed. Thank you Google, very cool.
At this point they, and other giants, have successfully demonstrated that they cannot regulate themselves when it comes to these random terminations, and that the public needs to step in.
Rather than further secure their market positions by forcing them to treat their customers well, why not replace the entire company by competition from less insane providers?
In some countries (e.g. the UK), regulators recognized that you cannot operate in society without a bank account. So a rule was made that a bank cannot close down your bank account without a court order. They can block your access to nearly all other services, and block all of your cards, but at the end of the day you cannot lose access to your basic bank account and the money in that account unless a judge says otherwise. The solution to the problem of "every citizen needs a bank account to function" wasn't "let the free market sort it out". It was to force banks to maintain access to a basic checking account, no matter what, until a court order is given.
In my opinion, Google should be forced to do exactly the same: no matter what, you should never lose access to your Google account without a court order. It might be placed under severe restrictions (no new uploads, restricted storage, etc.) pending review, but until a lawful court agrees that you broke the rules and that Google is free to kill your account, they should be forced by law to keep providing their service.
> you cannot lose access to your basic bank account and money in that account unless a judge says otherwise.
"Losing access to the money in that account" is blatantly stealing from you. It should be obvious that no company should be able to do this under any circumstances, but that is a separate issue from the question of adequate competition.
You still need competition because a monopoly can find an unlimited number of ways to abuse their customers and regulators can only address the ones they foresee ahead of time.
> The solution to the problem of "every citizen needs a bank account to function" wasn't "let the free market sort it out".
Which allows banks to remain an uncompetitive yet inherently necessary market. But how is that better than having enough competition between banks that anyone can find one willing to provide service?
> Which allows banks to remain an uncompetitive yet inherently necessary market. But how is that better than having enough competition between banks that anyone can find one willing to provide service?
Just because the market is regulated doesn't mean there is no competition.
It's better because the banks can't gang up on you like tech companies do. At least in the EU.
But regulation is being proposed as an alternative to competition. It can't do that. You need competition whether or not you have regulation.
Look at what a dumpster fire every regulated private monopoly is. "Success" is a stagnant inefficient bureaucracy that ossifies everything it touches. Failure is the F-35 wasting a number of public dollars with twelve zeroes after it.
As a solution to this particular problem, not banking overall. And we're not talking about central banks, but normal banks. The competition is still there.
Tell me, why are shops not allowed to discriminate on the basis of race? Why not just have competition deal with that?
> As a solution to this particular problem, not banking overall.
Competition would work as a solution to this particular problem and overall.
> And we're not talking about central banks, but normal banks. The competition is still there.
Banks have notoriously high switching costs and barriers to entry. What competition would look like is a regulatory environment that enabled switching banks to be as easy as switching wireless providers after number portability.
> Tell me, why shops are not allowed to discriminate on the basis of race? Why not just have competition deal with that?
Originally, because white customers would refuse to patronize shops that served black customers, effectively acting as a monopsony (lack of competition) and the law was needed to restore competition.
Today, mostly for historical reasons. Do you honestly think that a black person right now would have trouble finding a restaurant to eat in even if there was no law forcing all restaurants to serve them?
> Do you honestly think that a black person right now would have trouble finding a restaurant to eat in even if there was no law forcing all restaurants to serve them?
No. My point is that it's not as big of a deal as you make it out to be. Competition didn't suddenly disappear because of that.
In the EU we already have the laws we're talking about, requiring banks to provide you a basic bank account. The competition between banks didn't disappear here either.
Also banking is not exactly a free market one way or another.
>>Which allows banks to remain an uncompetitive yet inherently necessary market.
I'm really curious what you mean here. Banks (here in the UK) are stupidly competitive; there are constant offers and incentives to switch. I cannot imagine anyone in this country thinking "oh, I would switch, but they can't close my account, so I won't".
>>It should be obvious that no company should be able to do this under any circumstances
Are you familiar with a small company known as PayPal? Where they can lock your account for 6 months without providing any reason whatsoever and you don't have access to your funds? You can't dismiss a real issue by just saying "it should be obvious". Sure, it's obvious but the only way we stop this from happening is through regulation.
> I'm really curious what you mean here. Banks (here in the UK) are stupidly competitive; there are constant offers and incentives to switch. I cannot imagine anyone in this country thinking "oh, I would switch, but they can't close my account, so I won't".
How competitive a market is, is fundamentally a question of how hard it is to switch. So probably the most uncompetitive market in the world is iOS app distribution: if you don't want to use Apple to distribute your iOS app, you not only have to create your own app store, you have to create your own OS and hardware competitive with Apple's, convince enough other developers to use your store that it can attract users, and then attract all of the users.
A great metric for how uncompetitive a market is would be how much profit the incumbent makes, and you'll notice that Apple is at the top of the market cap list. Otherwise price competition would drive down margins. But you'll notice that banks are not exactly scraping by either.
Because switching costs are high there too. You want to switch banks? Go fill out HR paperwork at work to change your direct deposit to the new bank, otherwise the new bank charges a monthly fee. But wait, now the old bank charges a monthly fee without it, so you need to get everything else switched right away.
Everything else is quite a list. Every separate business you have recurring payments set up with. Mortgage lender, student loans, power company, water company, cable company, wireless company, car insurance, homeowners insurance etc. etc. You're going to be screwing with this for hours, might as well stick with the existing bank unless they're actively in the process of murdering your dog.
And then they don't have to compete with each other on the metrics that really matter. Notice that it's all up-front switching gimmicks and introductory rates, because once they've got you, you're stuck.
> Are you familiar with a small company known as PayPal? Where they can lock your account for 6 months without providing any reason whatsoever and you don't have access to your funds? You can't dismiss a real issue by just saying "it should be obvious". Sure, it's obvious but the only way we stop this from happening is through regulation.
And this is a failure of both regulation and competition. It's just another example of regulation without competition being insufficient.
Notice that competition could solve this, if it was present. But the switching cost for a merchant is even higher than it is for a buyer. You have to get all of your own customers to switch to a different payment provider, of which there are many more than your typical individual has utility bills, and with no guarantee that they would all even be willing to switch.
The primary goal of regulation should be to create a higher level of competition than this, because once you have that, the competition itself solves >99% of other problems.
How long do you think Paypal would be arbitrarily freezing accounts if it was trivially easy to move all of a merchant's own customers to a different payment processor, so that the first time Paypal froze a customer's money they lost two thirds of their merchants to a competitor?
Example of a regulation that would actually help in banking, because it would increase competition: Bank account routing number portability, so that if you move to another bank, you can keep your routing number and all of your recurring payments still work against the new account.
Or for Paypal, a standardized public vendor-agnostic money transfer API, so that vendors and buyers don't have to use the same payment processor and vendors can switch from one to another without their customers having to do anything.
>>And then they don't have to compete with each other on the metrics that really matter. Notice that it's all up-front switching gimmicks and introductory rates, because once they've got you, you're stuck.
Well, again, in the UK switching couldn't be easier. You basically tell your new bank who your old bank was, and they handle the transfer entirely without any bother for yourself. They move over all direct debits, regular payments, and for at least 6 months after the switch any money going into your old account is automatically routed to your new account. The only possible bother is yes, telling your employer that you changed accounts, but that's the only thing I can possibly think of. The cost of switching banks in UK is practically zero, or very close to it.
>>Or for Paypal, a standardized public vendor-agnostic money transfer API, so that vendors and buyers don't have to use the same payment processor and vendors can switch from one to another without their customers having to do anything.
It isn't this regulation that makes banks uncompetitive; it's all the other regulations that make banks uncompetitive, i.e. hard to switch between and protected by high barriers to entry. Without those, this regulation would be unnecessary, because you would find a dozen other banks willing to take your business, and switching to them would be no more than a minor inconvenience.
> if push comes to shove, go to a branch and withdraw your money in person.
When I was starting out in my IT career, the nearest branch of my credit union was more than an hour away by car, and for much of that time I didn't even have a car. If my credit union had restricted my account to "thou must visiteth a branch and speaketh with a representative", I would've been screwed - on a level of "freezing and starving".
> transfer your money out through the mobile app or website;
Assuming this wouldn't be one of the first things shut off alongside the card.
When I first signed up for that credit union (right after I graduated high school) it was a 5 minute walk from where I lived. Then I moved, because I couldn't find work in my hometown.
I could've switched banks, but the only option in my new town was Bank of America, and after they screwed my folks over I'd sooner store my money in a mattress like my great grandma did in the Depression than trust my money with them.
On the one hand, I understand that any site can be hacked at any time and that this can have huge repercussions, so I'm happy if Google reacts quickly when it detects something like that (if I were the owner of such a site, I would even be thankful to Google for limiting the damage).
On the other hand, it seems, based on this and many other posts, that there isn't much communication from Google to its "clients" to 1) explain what's wrong and 2) quickly/directly ask for a reevaluation (e.g. after the problem has been fixed, to question the validity of the problem, etc.).
I understand that there might be bad actors around doing everything on purpose on their website/app, and that therefore #1 (basically telling the bad people why they got detected) would be a bit of a gray zone, but at least #2 should be a no-brainer (e.g. in the case of the previous ".ass"-files case, anybody at any support desk could have immediately whitelisted that "problem")?
Google doesn't need to explain anything to him because he is not their client. That's the problem we have now: Google has become judge and executioner. They also decide what gets distributed, because they own the browser used by most users. The solution is to stick to the basics: let the browser be a browser and the search engine just a search engine.
The reason it is made vague is because there are people who will set their site up so it technically passes the rules but it certainly does not pass the spirit of what was trying to be done by the rules. By making it opaque they do get to cast a wider net and keep those a$$hats from harming others but they certainly catch other fish with that net.
> there are people who will set their site up so it technically passes the rules but it certainly does not pass the spirit of what was trying to be done by the rules.
Then that's a problem with the rules, which need to be clarified to better encode the "spirit" thereof. Hiding the rules entirely is a poor substitute for that.
Anyone who thinks this is the functioning of a "normal" internet is mistaken. This is a symptom of a decades-in-the-making problem. It strongly appears those in charge of legislation are not technically minded and have no idea "how" the internet works. Or they do, and they have data-sharing agreements with all the 'big tech' software and are okay to "appear" to legislate but cannot actually change anything substantial for fear of retaliation (losing access to all that juicy data they collect). Imagine the power Google wields in this scenario; to me they are scarier than any drug cartel boss. I genuinely can't see how this isn't akin to a coup d'état of the internet as a means of transmitting information. We cannot shut down these tentacles because of how deeply ingrained they are (remember when FB's SDK was having issues? Hundreds of third-party apps just broke).
Google should have been regulated years ago, instead, they have been allowed to snap up every smaller company to solidify their position in the market and ensure they and only they are allowed positions of power, control and authority.
If Google dislikes you (or rather, if its baseless algorithms, detached from reality, dislike you) then you are toast. How long before Google's algorithm results in an actual human death? It doesn't seem far-fetched at all; in fact it seems entirely plausible.
Yet, you let this happen, or rather, it seems this isn't concerning enough for it to warrant a massive protest, after all, Big Tech controls protest online and can just shut it down. Amazon seems to have been mightily effective at stopping any "union" movement, so we know the censor machines are fine tuned and ready to fire at any moment.
We need to be talking about this daily; it needs to be front and center for weeks and weeks, and we need to demand accountability. We are ruled and governed not by elected officials but by faceless, nameless, non-human machines. They do not Think. They do not Talk. They do not care.
Yet this thread will disappear in a few short hours, and this will be just another episode of the weekly "Google's systems are out of control and one developer got caught out, too bad I hope they are okay".
This is undoubtedly happening to thousands of others who don't make Hacker News or have the resources/energy to fix it.
> It strongly appears those in charge of legislation are not technically minded and have no idea "how" the internet works.
Of course they know. Everybody knows, it's just a series of tubes.
But that's not the point. The people in charge also know:
> If Google dislikes you (or their baseless algorithms that are detached from reality) then you are toast.
Replace Google here with FAANG, and see how whole countries are completely dependent on those companies. At this point those companies can blackmail any government on earth into almost anything they want. FAANG companies are actually even richer than most countries on this planet.
You’d think there would be a business opportunity for advocacy consulting, but I think the total lack of regulatory consequences for ruining people’s livelihoods renders that moot. FAANG can just ignore advocacy that isn’t backed by regulatory teeth.
I think if FAANG didn’t already control so much of our communications you might see such advocacy groups, but as it is...
Do you want to be the face of a campaign that will piss off FAANG?
Can someone explain to me why Google isn't being drowned in a torrent of lawsuits?
We are getting stories like this on a weekly basis now.
Google is clearly causing measurable harm to your company and you. And apparently to thousands before you.
Considering how much money patent trolls manage to extract from Big Tech with considerably weaker cases, how is it that everybody is treating Google like a fragile grandmother with dementia, going out of their way not to hold them responsible in court?
This is not a rhetorical question. I really don't get it.
America is the land of getting millions in settlement when McDonald's gives you coffee that is hotter than you anticipated. How the hell is Google getting away with their behavior?
The coffee was not merely "hotter than you anticipated" (although that's at least sort of right), it was near boiling: McDonald's required franchisees to hold coffee at 180–190 °F, much closer to actual boiling than what other establishments hold coffee at, which is typically about twenty degrees lower. She had third-degree burns on six percent of her body, six rather sensitive percent. She needed an eight-day hospital stay just for skin grafts. I once dug up the photos, by the way; they're rather unpleasant, and I say that as someone who has attended autopsies.
Of course, the temperature differences may not seem like much, but a ten-degree drop at that point changes the time to "skin graft city" from three seconds to perhaps four or five times that.
Final verdict, before settlement, was $640,000, not "millions." The parties settled out of court for an undisclosed final amount less than $600,000.
Thank you! The whole "hurr durr McDonalds Coffee" thing is one of those stories that simply won't seem to die, no matter how often heroes like you show up and do the work of correcting it.
1. publishers want to be able to put content on the Web without undergoing background checks
2. everyone wants to be able to discover content with as little friction as possible
3. consumers don’t want to drown in unwanted crap
The incomprehensible Algorithm is the result of trying to square that circle. Give up any of those requirements, and the arms race would end:
Give up #1, and it’ll be possible to do all of the rules enforcement reactively, with no algorithms and no inhumane call centers, because when someone is banned, they’ll stay banned. The ban will be tied to a legal name and anyone caught ban-dodging can be sued.
Give up #2, and it won’t matter how much spam you make available on the web because nobody will fall victim to it. The web becomes less like a publishing platform and more P2P, because you basically only find content on there through your in-person social contacts.
Give up #3, and you don’t need Safe Browsing any more. Good luck selling that to everyone, though.
In order to sue them, you need to come up with something that they should’ve done but didn’t. Having a human review every web page that’s ever published is obviously dumb, so they’re going to have to go with the algorithmic approach.
> Give up #1, and it’ll be possible to do all of the rules enforcement reactively, with no algorithms and no inhumane call centers, because when someone is banned, they’ll stay banned.
This doesn't actually work because the people doing bad stuff are criminals with no qualms about committing crimes, like identity theft. Some large fraction of spam is sent from compromised but otherwise legitimate mail servers.
> Give up #2, and it won’t matter how much spam you make available on the web because nobody will fall victim to it. The web becomes less like a publishing platform and more P2P, because you basically only find content on there through your in-person social contacts.
This is the one you can actually fix because it's a spectrum rather than binary. It's also something that doesn't need to be a monopoly, and not being a monopoly would significantly reduce the consequences of mistakes.
Discovery is also fundamentally a search issue. Not putting something you suspect of being spam in the first page of your search results is a world away from shutting down some guilty until proven innocent third party's DNS or hosting.
> In order to sue them, you need to come up with something that they should’ve done but didn’t.
How so? If you sue for damages, you only have to prove you were harmed by Google's actions, no? And actively misrepresenting your website as dangerous and deceptive to your customers is sort of libelous and clearly damaging.
You’ll at least have to prove negligence if you want to sue for libel (assuming you count as a private figure).
Now, I’m not going to actually say that you’re wrong to claim that Google runs Safe Browsing in a negligent manner. But I will say that, if you’re going to go with that, then you’re going to have to say what they neglected to do. Have a human review all their entries? Apple does that, and they get just as many complaints. Get rid of Safe Browsing entirely? It was created to solve real problems, and those problems aren’t just going to go away.
Google has no obligation to list you on their search results or allow access to your site through their browser.
> actively misrepresenting your website as dangerous and deceptive to your customers is sort of libelous and clearly damaging.
Except the OP even said someone uploaded a malicious file that was put in a place publicly accessible. Google was not being libelous. There was a malicious file.
Because Google has set things up so that they have no legal responsibility, and even if they do, it's an enormous legal mountain to climb to a) prove it and b) get any kind of reasonable recompense out of them.
Currently they have all the benefits of their monopoly with none of the responsibility which is exactly the way they like it.
They're a frequent target of rhetoric and legislation by the republicans. Granted, nothing comes of it because the fundamental issue they have is that reality has a liberal bias.
In the UK at least, these consequences (website going offline / certificate warning / unsearchable in the search engine) would likely be deemed "pure economic loss" following Spartan Steel & Alloys Ltd v Martin & Co (Contractors) Ltd [1973] QB 27 and Murphy v Brentwood District Council [1991] 1 AC 398 where the Court of Appeal and House of Lords respectively held that unless some sort of physical harm was suffered to you or your property, the losses were held to be "purely economic" and so not recoverable in tort.
It's unlikely that any claimant would be able to show a contractual provision that enables them to claim for damages against Google (thus allowing them to sue in contract), so a cause of action for tort would be the usual way to sue Google - except unless Google makes you suffer some form of physical harm or damages your property, you're unlikely to be able to recover any damages for your website suffering these consequences, in the UK at least. I understand US law may be quite different.
There's a testable argument to be made about the requirement for "damage" to your property (the website) being inflicted by the certificate warning, but policy arguments on the matter of "ripple effect" liability make it seem likely the courts would hold that Google isn't liable.
Also Google is probably far better placed to weather lawsuits than most ordinary people; they can probably afford to induce the other party to settle out of court, and presumably the relevant monopoly and abuse of market position laws only allow a regulator to take legal action (the ordinary consumer being restricted to contract and tort lawsuits).
I'm guessing the web site has telemetry and analytics and can show the conversion rate going down. If the web site sells something, you could even put a dollar amount on the damage.
I'm probably misunderstanding your argument here, but if, say, Google steals your bike that would be purely economic damage. Surely the UK legal system would still punish that...!?
Stealing your bike is an inherently illegal action, so the culprit is also liable for losses caused by that.
Having a browser you develop show "we don't like this site" is not illegal per se; and by default if something you have the right to do causes a loss to someone else, that's their problem - for example, if I put out a new excellent product for sale at a great price, that causes clear, measurable and provable economic damage to my competitors, possibly even bankrupting them, but that's their problem, not mine, because I did nothing wrong and did not owe them any duty to preserve their profits.
There is the concept of "tort" which may apply for such losses, but that generally requires specific intent (which is absent here), negligence (which requires the existence of some obligation or duty of care, which IMHO is absent here, Google has no obligation to show your site correctly in Chrome) or the narrow cases where strict liability applies, which also is absent here - the parent post goes into detail of why in this particular case a tort claim is likely to not succeed.
> if, say, Google steals your bike that would be purely economic damage. Surely the UK legal system would still punish that...!?
Yes, they would. This is because there is a specific Act of Parliament known as the Torts (Interference with Goods) Act 1977 which specifically addresses the tort of "trespass to goods" also known as "wrongful interference with goods".
You would need to prove that Google "deliberately" interfered with your bike, on the balance of probabilities. However, Google would have two defences:
- Consent (e.g. you trespass on to their land, and they clamp or detain your bike - you are seen as consenting to the consequences of your trespass, namely the clamping, so cannot argue wrongful interference with goods)
- Distress damage feasant (e.g. you trespass on to their land, Google is entitled to seize and detain any property you brought with you until you leave, or (if damage has been caused) until you pay for any damages).
There are no other specific defences to this tort, only general defences to a tort (such as limitation, illegality, etc.)
In your stated case, assuming you proved the tort on the balance of probabilities, you'd be entitled to damages per Section 3 of the Act.
> how is it that everybody is treating Google like a fragile grandmother with dementia, going out of their way not to hold them responsible in court?
Yeah, it's a really good question. We got all these fully staffed insanely rich companies causing measurable harm to people. They just insist there's nothing they can do to stop it. Why does everyone believe them?
Google provides the safe browsing API to the browsers. So if anything, websites will have to sue the browser makers. However, browsers don't have any contractual obligation to the websites. Seriously. It's a user agent. So if anyone is going to sue browsers, users have to sue or some government.
Users won't sue as long as there's no meaningful harm to the users. And there's essentially no meaningful harm to the users by dropping a single site. As a user, I don't care if any particular site hosts a malware and gets blocked - that's what I want. If that site gets back slowly, I don't care either. That's the website owner's loss.
Government doesn't have standing to sue as long as there's no discriminatory effect, and as long as the selection criteria are fair (malware/phishing) and they are not negligent in fixing false positives, government will have a hard time finding a leg to stand on.
It comes down to this: as a society, safe browsing APIs are critically important, and they have been working reasonably well. You'd have to show they are mismanaged, or malicious, or doing damage to users. There's no evidence for any of those.
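For context on how mechanical this is on the browser side: a client queries the Safe Browsing v4 Lookup API by POSTing a JSON body to `threatMatches:find`. A minimal sketch of building that body (field names per Google's published v4 docs; the `clientId` value and the URL are placeholders, and sending the request would additionally require an API key):

```python
import json

def build_lookup_request(urls):
    """Build a Safe Browsing v4 threatMatches:find request body.

    The finished dict is POSTed to
    https://safebrowsing.googleapis.com/v4/threatMatches:find?key=API_KEY
    and the response lists any matching threat entries.
    """
    return {
        "client": {"clientId": "example-client", "clientVersion": "1.0"},
        "threatInfo": {
            "threatTypes": ["MALWARE", "SOCIAL_ENGINEERING"],
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            # one entry per URL to be checked
            "threatEntries": [{"url": u} for u in urls],
        },
    }

body = build_lookup_request(["https://example.com/download.exe"])
print(json.dumps(body, indent=2))
```

An empty response means "no match"; a non-empty one is what ultimately produces the red interstitial, which is why a single list entry propagates to every browser using the API.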
Sure, but this is not a Google issue per se, this is a browser issue. If they f** up and put you on a phishing list and your business just evaporates because people's browsers literally stop working with your site, that goes far beyond what google does as a private company on its private platform. I think this is totally worth suing for and probably winning.
how are they not "being drowned in a torrent of lawsuits?"
because nearly all would-be litigants believe they can't persevere against google's depth of resources. so they don't try.
McDonald's burned off a woman's labia, after burning the flesh of several other people with coffee tens of degrees hotter than is safe, and then refused to simply pay her medical bills, prompting a lawsuit.
Nah, Google offered a free browser and the author's customers' and their customers chose to use it.
Remember all the "best viewed in ie6" or "only works on netscape 3 or above" banners? There has never been universal accessibility on the web. The dominant browser changes over the decades and it causes problems for everyone when one becomes too popular.
This incident happened, however the initial post is highly misleading. "McDonald's" (a corporation) did not burn anything. An elderly woman was served a cup of coffee -- the same coffee their restaurants serve to millions of people every day, without incident -- and in this woman's case, she spilled it on herself which caused severe burns. Not claiming McDonald's is faultless, probably the coffee was in fact dangerously hot, however the OP makes it sound like the woman was assaulted with a blowtorch or something where an employee intended to harm the victim.
I'm wondering if this could actually be spun into being a good thing.
I just looked over the site a little more. The business idea seems to be to have a widget to add to your site that can be used to upload arbitrary files to it. The real advantage looks to be that they have a bunch of integrations set up with Facebook, GDrive, Dropbox, Instagram, etc so that all just works without you having to set up and manage developer accounts with 10 different services. Plus built-in image resizing and such things that all just works. Pretty cool, and I might use it if I built a site that needed to do that.
One way you can frame the point of this business is that they worry about the details of integrating with these other services so that you don't have to. As they found out, hosting external content is inherently dangerous, and it pays to have someone responsible for that who knows the risks and has experience in mitigating them. If a site owner wasn't using this service, they would have to take that responsibility on for themselves and re-learn these same lessons. So that's just another advantage of using this service - "we have experience in mitigating the risk of hostile users abusing upload services to serve malware, so you don't have to worry about it".
The site owner has not confirmed they screened all uploaded content for malware. This is a major issue these days, and Google and others will flag you if you host viruses and pump out malware.
And no - you cannot sue google to force them to allow users to be infected.
It’s not clear that all customer content is hosted on a separate domain, with each customer on a separate subdomain. Your reputation will be trashed pretty quickly if you blindly host content on your main domain.
It’s not clear that all uploaded content is protected from being linked to or downloaded. Google admins and other antivirus vendors can set up screens on downloads.
Anyway, I see plenty of shady/scammy and incompetent website owners hosting malware, so not much sympathy in most cases.
Something tells me that Google doesn't ban G Drive, Dropbox, or MS's whatever-it-is-named when those host malware. I'd rather not have only the giants host user-generated content ...
First - most of these places are running pretty advanced virus / malware scanners. So when you go to download a file from drive etc, a scan is done (at least for files that are not enormous).
This is actually a big issue sometimes for folks who use google drive, because malware will infect their files, they will then be synced to google, then blocked from downloading them ever again!
Even if you pay the ransom, Google WILL NOT let you access your own files again. So years' worth of files, GONE.
They do use different origins for these services. Google DOES actively ban users (everything, youtube, drive and email) from their service even users using google services (vs a third party upload service). Ie, if you are going to run a phishing scam, host the image on this service, not google, or your drive account + a lot of other stuff is at risk. I've even seen google follow links to other accounts your google account is an admin on, so can have business impacts and more.
I don't know where the idea comes from that Google is very hands-off on this stuff; they run a major spam-fighting op that blocks lots of even potentially legit email, they do tons of scans through Chrome, and they do advanced stuff for opted-in domains on their paid platforms (even more intrusive, but it lets them pick stuff up behind password-locked pages, etc.).
This last one can really confuse site owners, when NON PUBLIC content results in site bans.
That's not what it's for. It's to prevent user content from being served from the same origin as Google services. If the content were to be served from the same origin, scripts loaded from that origin would be able to access your google cookies and therefore would be able to access your account data.
Google doesn't have a separate domain for Drive files, for example, nor do they have separate per-user domains under googleusercontent.com for photos etc
It's not just about viruses: a PDF that looks like phishing can be reported and get your website blocked. If anyone knows of a way to scan PDFs, please let me know. (I think it would involve finding the links in the PDF, trying to follow them, and detecting whether they are phishing, but maybe the link is fine at upload time and changes afterwards.)
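A very rough starting point for the link-extraction part: PDF link annotations store their targets as `/URI (...)` actions, so a naive byte scan can pull them out of uncompressed objects. This is only a sketch; real-world PDFs usually deflate their object streams, so a proper PDF library would need to decompress first, and each extracted link would still have to be checked (and rechecked later, for exactly the reason mentioned above):

```python
import re

# PDF link annotations carry their target as a "/URI (http://...)" action.
# This pattern only matches URIs in uncompressed objects.
URI_PATTERN = re.compile(rb"/URI\s*\(([^)]*)\)")

def extract_pdf_uris(pdf_bytes: bytes) -> list:
    """Return the URI strings found in raw (uncompressed) PDF bytes."""
    return [m.decode("latin-1", "replace") for m in URI_PATTERN.findall(pdf_bytes)]

# a fragment shaped like a PDF URI action dictionary, for illustration
sample = b"<< /Type /Action /S /URI /URI (https://example.com/login) >>"
print(extract_pdf_uris(sample))
```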
I haven’t read all comments so I don’t know if anyone made this suggestion already, but for a demo uploader, you could probably just have all the file contents replaced with zeros, or stand-in data of the same content type (eg all videos turn into a video saying thanks for trying it out, padded with zeros to the original upload size)
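That idea could look something like this (a sketch with hypothetical names; `stand_ins` would map each content type to a pre-made safe demo file, and anything unrecognized just becomes zeros of the original size):

```python
def neutralize_upload(data: bytes, content_type: str, stand_ins: dict) -> bytes:
    """Replace uploaded bytes with harmless stand-in content of the same size."""
    stand_in = stand_ins.get(content_type, b"")
    if len(stand_in) >= len(data):
        # truncate the stand-in to the original upload size
        return stand_in[: len(data)]
    # pad the stand-in with zeros up to the original upload size
    return stand_in + b"\x00" * (len(data) - len(stand_in))

print(neutralize_upload(b"\xde\xad\xbe\xef" * 4, "video/mp4", {"video/mp4": b"DEMO"}))
```

One caveat: truncating or zero-padding a container format like MP4 produces an unplayable file, which may be fine for a demo but is worth stating up front to the user trying it out.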
Ironically I had the opposite issue a couple of weeks ago: I've found a phishing website (for Facebook) that was hosted on a Google server and was actively used. I sent an email to Google's abuse email address - got an automated reply back saying basically "use this other form instead". Did that, never got a reply back. I have reported the website to their SecureSearch (or whatever the name is) product, entered the URL and all the related infos: nada. The site is still up and running, phishing users, and no alerts are triggered for Chrome users... Sad, really sad.
Well, enjoy:
https://nbbdfxhqcc[ remove me ]fll.agilecrm.com/landing/6754083888234496#0.593636668875394
You have been warned: the above link is a phishing website that, when used, will spam your whole Facebook friends list with the same link via message. Google Chrome, still today, shows it as a normal website:
https://imgur.com/a/1bsFutr
So this sucks for the developer, but I have another story to share.
I was trying to buy a school bus to make a skoolie out of. The Craigslist ad directed me to a seemingly innocuous eBay Motors link that looked pretty close to the real thing. I was busy and clicked, totally intending to drop $5k. I got distracted and had to come back to it later; when I did, credit card in hand, the page showed the red screen with a huge warning. A closer look revealed the bad URL.
Saved by google? Oh god, I think I need a shower now.
It kind of does though? Either people get scammed by broken URLs or google sometimes bans innocent sites. I would expect most chrome users prefer innocent sites occasionally banned.
Glad you got a resolution. Google recently banned my ad account for running ads to my landing page templates and I still don't know what was wrong with that. They just gave me a bs corporate answer and that was it.
I just ran ads with headlines like Nextjs + TailwindCSS Landing Pages
Apparently somehow I ran afoul of their Circumventing Systems policy. I don't know how this qualifies and when I appealed they came back saying the same thing.
I’ve been banned by the Circumventing Systems policy before (a few years ago), with no explanation of what system I circumvented or how the ban was triggered. Two appeals via the Google system failed (with generic responses) so I reached out to an ex-colleague who now works there and she escalated it internally, and I was magically unblocked, but still have no idea why it happened.
Recently launched a new startup and decided to look at Facebook ads, set up a brand new business account and page and the ad account was instantly banned. An appeal resulted in the message “your account has been consistently promoting ads that do not comply with our policies” but I’ve never run a single ad since they banned the account before I could even create one. The whole ecosystem feels like a bad joke at this point!
I think it's just coincidental, especially since the companies for which I was trying to run ads have no connection to each other (apart from me working there). It made me realise just how common these arbitrary automated bans are though.
I hope this attracts attention from someone who knows more than I do, but I can’t see anything wrong with that. The arbitrary and immense power FAANG wields is fucking terrifying.
FYI you’re also blocked by some lists on NextDNS, consequently I couldn’t view your site. I bet that’s a consequence of the google issue, best of luck solving this.
Check the webmaster tools on Google, Bing, and any other relevant search engine. If they've detected malware on your site, the webmaster tooling will highlight it.
Virustotal.com also supports URL scanning, of you're concerned about a specific payload.
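If you want to script that check, VirusTotal's v3 API looks up a URL report by an identifier derived from the URL itself: the unpadded base64url encoding of the URL, per their docs. A minimal sketch (actually fetching the report would additionally require an API key in an `x-apikey` header):

```python
import base64

def vt_url_id(url: str) -> str:
    """VirusTotal v3 URL identifier: base64url of the URL, padding stripped.

    Used as GET https://www.virustotal.com/api/v3/urls/{id}
    """
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")

print(vt_url_id("http://example.com/payload"))
```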
Let’s not forget that the site probably was actually hosting malicious content. The problem is not Google blocking the site, that was the right decision. The problem is that Google is hard to reach in cases like this.
I believe it’s deliberate. A human-staffed support desk will be vulnerable to social engineering by fraudsters looking to get their site reactivated. A public list of very specific policies and disclosure of which one was violated will be vulnerable to engineering too, by making sites that are fraudulent/deceptive/harmful yet somehow fall between those specific policies.
Google is a monopoly, and they destroy the lives of anyone who even dares to challenge them or their owners. It's time to break up these big tech monopolies. Obviously, by making something better ... This is more of an inevitability than a question.
> But there are plenty of Google engineers and good helpful people on Hacker news.
> (from a screenshot) I work at Google [...] so I escalated your issue [...]
> I believe the HN thread getting on the homepage tremendously helped me and somebody from Google saw it and expedited the review after all
So, once more an issue with FAANG could only be fixed because somebody knew somebody else and went out of his way to get this to the right eyes.
This could easily have gone another way and OP would have received no help whatsoever and would have waited for days or weeks to get this issue cleared and lost his business.
Maybe it's only me but I find it unbearable that you'll usually not be able to reach any real person at all for issues like these and it's pure luck what happens to you.
I can't access my 13+ year old gmail account because Google now requires I verify I have access to a phone number I've never owned. There is no 2FA on this account, I know my password, and have access to the "Recovery Email" (which gets emailed a "Somebody knows your password" warning whenever I attempt to sign in to the account with my password).
I reached a real person at Google Domains and managed to get things escalated to "Specialist". Their response: "we can't help you, post about it on the community forums" (which I had already done 20 days prior).
This account "owns" digital goods, thousands of songs, and many domain names. Google is actively stealing these things, but they don't care and, "can't help".
I'm in a similar situation with Apple. I can't access my 10-year-old account, even though I know the password and control the email attached to it, because I don't remember my security questions and I don't have my recovery email anymore.
I probably put rubbish data in the security questions as they weaken the security of the account.
Funnily enough that password leaked and someone managed to take over my account (I wonder how they manage to bypass the security questions, sounds like a security vulnerability on Apple) and they're using it to register (I assume) stolen devices and install software.
I get email notifications every time these people do something.
I reached Apple support but they're unwilling to help, they even refuse to nuke the account as a last resort.
> I'm in a similar situation with Apple. I can't access my 10-year-old account, even though I know the password and control the email attached to it, because I don't remember my security questions and I don't have my recovery email anymore
I have an iPad that I let sit on a shelf for a while. During that time, Apple deleted the Apple account it was signed into. As a result, I cannot unlock the iPad or use it at all. I even made a new Apple account using the same username and password in an attempt to unlock it. No dice. Apple support won't help.
These sorts of problems are so aggravating, and they seem to take an amount of mental and emotional energy disproportionate to the problem itself. I'm not exactly sure why, either. Perhaps it's because trying to explain the issue to anyone else (support, spouse, etc.) and catch them up on where you are, what the issue is, and what's been tried already takes so long, and then in the end that person is powerless to help. And to make any progress you have to be relentlessly tenacious, and still the problem will fall on deaf ears.
It's like the system is built against you to just force people to ultimately run out of steam trying to get it resolved and give up.
>I probably put rubbish data in the security questions as they weaken the security of the account.
I had a similar problem: I had created an account so long ago that there were no security questions. They later added the security question requirement, but since I had never filled them out and they refused to accept a blank answer, I was forever locked out.
Not useful for your current case, but I recommend using a password manager to fill random phrases for security questions. That way they’re easy to read out over the phone to CS reps, but are more secure than literal answers, which can often be derived from publicly available info.
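Something like this generates those phone-friendly answers; a sketch using Python's `secrets` module, with a tiny illustrative wordlist (a real one, e.g. a diceware list, would have thousands of words for adequate entropy):

```python
import secrets

# illustrative only; use a large published wordlist in practice
WORDS = ["copper", "lantern", "orbit", "maple", "quartz", "velvet", "piston", "harbor"]

def security_answer(n_words: int = 4) -> str:
    """A random phrase that's unguessable but easy to read out loud."""
    return " ".join(secrets.choice(WORDS) for _ in range(n_words))

# store the generated answer in the password manager next to the login
print(security_answer())
```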
I was in a similar situation 3-4 years ago. The app store kept asking for answers to my security questions which I did not remember to have set up, ever. I went various rounds with their phone support trying answers on the phone (there are only so many reasonable answers for "Who was your first manager?") to no avail. Then I just enabled 2FA and the security questions requirement went away immediately. Back then, the whole thing smelled like a bug on their side to be honest.
I had one recently where I was locked out of my medidata/Rave account for not knowing the answer for "Who was your best friend in 4th grade?" I seem to recall that I had a lot of different friends in 4th grade, and it was also blurring with crossover to 3rd and 5th grade etc.
After spending hours on hold and escalating through support, they finally decrypted my answer and told me what it was: I had put our cat! I totally did not remember that. Since then I've started paying attention to the questions I select when I set up passwords, trying to idiot-proof myself with something I will actually remember in 7 years rather than trying to be clever in the response.
As a bonus stick-in-the-ribs "revenge," when I finally was able to get it set back up and log in, I was gobsmacked to see that the customer support reps had assigned me mandatory extra remedial Rave training to be completed before I could access the functional areas of the software! Lol. Touché.
I actually have the same issue with an Apple account I used back in the iPod days; they now require that I answer my security question during login. But I don't remember the answer, as I used to always put gibberish instead of a real answer. Back in those days, the questions were only used to reset your password, and I was confident I wouldn't forget the password. I've given up on getting that account sorted.
Furthermore, the answers to security questions aren't always stable. "What was your first pet?" Well, I know how I answer this question because one dog in particular I sort of consider my first pet. But I can remember dogs we had before that one so my answer is a somewhat arbitrary one.
By answering honestly, you also run the risk that anyone who knows basic facts about your life can really make your life difficult.
It isn't just people you cross paths with who could get into those accounts; it's scammers who want to social engineer you, or who have access to the numerous database leaks accessible to anyone with the Tor Browser installed.
The answers to security questions are essentially passwords themselves, and they should be treated as such.
It's none of anyone's business! I generate one password for the password field and a second one, broken into random 4-character chunks, for the security questions, which I record in the "notes" field of the password manager.
Meanwhile, in practice, when I had to do a brokerage transfer remotely a couple months back, the brokerage had a long list of security questions, apparently assembled from various credit-reporting and other sources, that I had to answer to make the transfer. The identity of my first pet or my city of birth is simply not a big concern of mine compared to the information widely available about me from all sorts of sources I have no control over.
Same thing with my Skype account. I had it logged in on both my phone and my laptop. One day it decided to automatically log me out on both, and when I tried to log in it insisted on sending a code to a phone number I no longer have access to. So just like that I lost access to my longtime Skype account, even though I know the password, even though there's no 2FA set up, even though I was trying to log in on two devices I had logged in on previously, from the same IP address. All support requests went nowhere.
I wonder how many people lost their account like me because of these overzealous security measures.
> This account "owns" digital goods, thousands of songs, and many domain names. Google is actively stealing these things, but they don't care and, "can't help".
I long for the day that they cross the wrong person with means to take them to court over their negligence.
My very-much-not-a-lawyer understanding is that their legal obligations and liabilities are minimal on account of Gmail being offered free of charge. Anyone know if that's true?
Say I offer my front yard for anyone to use for free.
You come and set up a bbq stand to have a picnic with your friends. You walk across the street to a lemonade stand, and when you return, you're confronted with a security guard who won't let you back into my yard.
You demand entry, saying your property is in my yard. You want to speak with me, but the security guard says you can't do that. What you can do is head over to the town square and ask if anyone there knows how you can regain access to your property.
Google incentivizes and encourages users to entrust and entangle important, and often financial, aspects of their lives with Google's services, and in exchange, Google gets to profit greatly by mining their data. They also charge users money for many of their services.
That doesn't sound right. If you charge money, you have to deliver a product that's fit for service. You can't take people's money then refuse to deliver.
At least here in the UK, EULAs that say "you have no recourse if we completely fail to deliver" are generally disregarded in court, as they should be.
Same thing happened to a Bitbucket account of mine. I know the email and password, but the primary email is under a domain I lost access to. At some point, Bitbucket decided I needed to verify my email in order to sign in. Support was utterly unhelpful.
I can't access my Flickr account because it's tied to a Yahoo account, which won't let me in unless I complete 2FA via a second Yahoo email address that's blurred out; and Yahoo won't let me access that account because it's been locked, even though I know all the info.
Flickr is no longer associated with Yahoo. It's owned by Smugmug. Even if you can log into Yahoo that probably won't give you access to Flickr any longer. (Smugmug also cut back significantly on what Yahoo provided for free accounts.)
Plus it is always a bad idea to give someone a code sent to your number. 99% of the time someone is trying to hack you and a necessary step is obtaining that code.
For me that actually ended up the only way to gain access back to an old account of mine. Luckily I was able to cooperate with the new owner of the number, and he was helpful enough to give me the code that was sent, otherwise I'd have lost a Google account with several hundred euros of purchases on it, despite having the password, control of the backup email, knowing all security questions, and knowing the exact date the account was registered (the only issue was that mobile carriers here re-issue phone numbers after 6 months without any calls, and I had put the SIM into a tablet).
The obvious issue with this is that the new owner of the number doesn't actually know whether it's the owner of the old account trying to sign into it; it could be anyone trying to take over an account whose owner forgot to change the number. And how do they know you're not trying to sign into their account? The text messages don't specify which account is being attempted or anything.
The worst part is that we are just conditioning people to accept this as normal. Just like EULA and cookie banners.
It's always the same story. Some guy gets on Twitter or HN who happens to get noticed, then FAANG releases a statement saying they made a "mistake". Mistakes in the aggregate that affect millions of people aren't "mistakes." That's deliberate malfeasance at scale.
Funny they never ask you that design question in interviews. "Design a system which will harm at most 5% of your users while scaling up to billions of people." Maybe if more people understood the sobering dark side of scale, they would stop gleefully promoting runaway scale-at-any-cost engineering.
Just kidding. Profit is God.
I'm also reminded of the dystopian movie Brazil. You're always in danger of getting eaten by the bureaucratic machine today, with only the most absurd recourse available. Just read the passive indifference of the email that Google sent this guy: "Google has received and processed...", "Google systems indicate...". This is one shit dystopia we are living in.
A secret set of rules; a single party that is judge, jury, and executioner; an opaque resolution process that runs on backchannels rather than merit; and no oversight? Is that really something to accept as inevitable?
Yes, networking is inevitable. Transparency and accountability are hedges against this, but incentives aren't there short of some sort of massive public pressure.
At least I would consider losing an important asset based on a whim of an algorithm without a possibility of appeal to humans quite a gross injustice, though within the limits of the law as it stands today.
This gentleman had a similar issue, where his account was taken down by YouTube without explanation. I intervened, certain that we just needed to light some fires and get a human to look at it. He never got back into his account and, to my knowledge, never got a reply that was not a canned response. https://www.linkedin.com/posts/mohammedadam24_cybersecurity-...
This is the norm with FAANG and it really annoys me. How many of these cases never saw the light of day because of that?
Even on HN it's a complete lottery what content reaches the front page, so getting issues like these resolved is a matter of extreme luck for a common person.
Probably naive idea: Would it be possible to set up an insurance fund for this? As in, the money would be used to sue FAANG for damages in cases when businesses are lost due to them being flagged/blacklisted by FAANG incorrectly.
If enough companies contribute to this, it might put some pressure on FAANG to take things seriously.
You're not the only one who finds it unbearable. Google acts like they own the internet. They cause massive damage to people and businesses when they unilaterally block them. They compound that damage by refusing to resolve the issue unless people somehow manage to reach some insider.
> So after a lot of brainstorming and ideas from HNers I finally figured out the culprit(s).
> We have a live demo on our home where people can upload a test file. [...]
> We also give all users a 20MB test storage. [...]
> I believe that somebody signed up for our service (it’s free to sign up) and then uploaded a malicious file on our test storage and abused this feature.
If that is correct, Google was completely in the right to flag the domain as malicious and warn visitors.
If you create a folder in GDrive, share it with "anyone with a link" and then publish that link on Twitter, you will instantly collect porn, piracy & generally malicious files from all over the world. And your account will promptly get blocked, as it should.
Thank you for the write up, I really appreciate how there were actionable suggestions within.
NodeBB does host a demo instance to allow people to kick the tires. I don't believe we allow people to upload images, but it is worth double checking just in case.
How do CDN providers (Cloudflare, CloudFront, etc.) avoid the subdomain blacklisting problem? Do they just have some agreement with browser vendors to whitelist all of their subdomains because they're big enough?
The issue with these blacklists is that all the antivirus/security tools will immediately put you on their lists, but it can take days or weeks to get them to remove you, and you can still have some customer who uses a weird security program and still sees the warning. One antivirus company has a form for submitting a dispute, but their form was broken for weeks.
Thanks for the writeup; I've learned some things. I have a site that allows user image uploads as well. I take each "image" and resize and compress it. If it's not an image after that, it gets rejected. Hopefully this rejects any malware.
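That resize-and-recompress approach can be sketched roughly as follows (this assumes the Pillow library; the function name, size limit, and quality setting are my own illustrative choices, not the commenter's actual code):

```python
from io import BytesIO
from typing import Optional

from PIL import Image  # assumption: Pillow is installed

def sanitize_image(raw: bytes, max_side: int = 2048) -> Optional[bytes]:
    """Re-encode an upload as JPEG; return None if it doesn't decode as an image."""
    try:
        img = Image.open(BytesIO(raw))
        img = img.convert("RGB")             # forces a full decode, drops alpha/EXIF
        img.thumbnail((max_side, max_side))  # resize in place, preserving aspect ratio
        out = BytesIO()
        img.save(out, format="JPEG", quality=85)
        return out.getvalue()
    except Exception:
        return None  # anything that isn't a decodable image gets rejected
```

Because the output is freshly encoded pixel data, any executable payload smuggled inside the original file is discarded rather than served back to visitors.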
I have gotten warnings from Google multiple times about hosting NSFW images (that is not the purpose of the site) on pages that have ads. This isn't Google disliking NSFW content; it's Google not liking NSFW content and ads together. Due to the multiple warnings, and worried about bans, I now actually manually review each image. This is easier than it sounds: I wrote myself a batch script and review in chunks before I allow Google to view any images.
Website blacklists exist because of malware and phishing. Malware exists because our browsers and OS's are insecure. Phishing exists because our auth systems are insecure. Solving software security and auth will have wide positive effects on society.
Clicking the OP link I get a warning page from my ESET AV:
"Potential phishing attempt. This web page tries to trick visitors to submit sensitive personal information such as login data or credit card numbers."
I made a WordPress site last year to start blogging, and this happened to it. The only reason I found out in this case was from visiting it in Edge, which showed a warning pop-up, so maybe it was a Microsoft flag instead of Google in this case. I never figured out the cause or a way to remedy it, and just took the site offline because it was invisible to all search engines. Pretty disappointing.
So... The proposed mitigation is to use multiple top-level domains. At the same time, third party cookies probably won't be around much longer and already don't work for some browsers, so if you want to share state between pages, you need them to be on the same domain (but can be subdomains). There is no winning scenario here.
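To be concrete about the subdomain case: a cookie set with a parent `Domain` attribute is sent to every subdomain of that domain, and remains first-party, so it is unaffected by third-party cookie deprecation. A minimal illustration with Python's stdlib `http.cookies` (domain and values are placeholders):

```python
from http.cookies import SimpleCookie

cookie = SimpleCookie()
cookie["session"] = "abc123"
cookie["session"]["domain"] = "example.com"  # also sent to *.example.com
cookie["session"]["path"] = "/"
cookie["session"]["secure"] = True
cookie["session"]["httponly"] = True

print(cookie.output())  # emits the Set-Cookie header line
```

This is exactly the sharing you give up by moving user uploads onto an entirely separate top-level domain, which is the tension the comment describes.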
If you want to avoid this issue with a Drupal site, the file_public_base_url settings is helpful and you might -- or might not, given the latest comment there -- need the patch from this issue: https://www.drupal.org/node/2754273
Everyone in this thread is clearly stating how this is not a properly functioning system, and there is story after story of kafkaesque disasters for which Google takes no responsibility at all.
The question I have is: what can anyone do to really change things? If we all agree this is a major issue, why can't we find a reasonable solution to it?
Another idea could be to have a separate dedicated companion domain (not a subdomain) for communication, which can be mentioned on the main domain. At least if the main domain is affected, you still have a working channel that is a single source of truth for updates/communications.
To be quite honest, this seems like a case of libel, and possibly tortious interference, on the part of Google/Alphabet.
Especially if you can show damages/customers cancelling service, I think this would be a hill to die on. Google et al. have too much power, even over people and orgs that aren't even customers. It's high time we rein in their powers, find them strongly culpable for what they do (and what they change and then refuse to do), and consider breaking these monster companies up when they show they are against the public interest.
Were you, uploaderwin, given notice (say, to abuse@uploader.win, admin@uploader.win, or other appropriate addresses) prior to being effectively banned WRT Google? I'd go out on a limb and say you didn't. No, you have to be aware of the right page at Google, register yourself as an admin of the site, and hope they share what they consider abuse.
And frankly, you were lucky you got the social media escalation. You should have never had this happen... But here we are.
Based on what the article says, it sounds like the Google auto-blocking was correct.
The website owner's theory is that someone used their demo to upload a genuinely malicious file, and presumably then shared it to others. Adding the site to their blocklist immediately is a reasonable action taken in defense of Google's users. It's certainly not libel for them to truthfully say the website is hosting malicious content. Well, not in the US; other jurisdictions don't necessarily have truth as a defense. (Tortious interference is complicated, but typically requires that the person interfering knows about the business relationship they're obstructing, and is taking the action for the purpose of obstructing it. It seems like a stretch here.)
As always with Google, the real issue here is their awful communication and slow responses to people who can't find a way to go outside the normal channels.
EDIT: and the article has some useful suggestions for practices to follow if you need to let people upload files as a demo. I hadn't really considered the purpose of a separate domain for such things from this angle before.
> Based on what the article says, it sounds like the Google auto-blocking was correct.
Even if it is correct, we can't assume it will always be correct.
> As always with Google, the real issue here is their awful communication and slow responses to people who can't find a way to go outside the normal channels.
The real problem is that their slow response can kill businesses (or maybe even people). If they wield this much power, there must at least be some paid support service. I guess it is time all governments looked into this and regulated FAANG.
I think it's fairly easy to acknowledge that the following are all true:
1. The poster was hosting malicious content from their domain (user uploaded no doubt, but still on the domain they control).
2. On one hand, it is desirable that people who are not malicious be given enough information as fast as possible to rectify their sites.
3. On the other hand, this same sort of information can make it easier for malicious users to evade detection.
That is, it seems to me like there is an inherent tension between #2 and #3 that make a simple solution difficult.
Seems to me that:
1. As the poster discovered, user content should always be hosted on a separate domain. Google should recommend this as a standard good practice.
2. Perhaps I'm missing something, but when Google blocks an entire domain, I don't see the harm in telling the site owner which subdomain is causing the flag, which could let good users identify the problem faster.
If you're hosting lots of malware on different subdomains, there is harm in Google telling you which ones it detected. You could use that information to keep hosting the undetected malware, perhaps out of laziness.
Perhaps just telling the site owner a max of 1 compromised subdomain, e.g. "We detected malware on sub.yourdomain.com" or "We detected malware on sub.yourdomain.com and potentially other subdomains." Seems like that would provide a huge benefit to people trying to be compliant without much benefit to bad guys hosting lots of malware on different subdomains.
> On the other hand, this same sort of information can make it easier for malicious users to evade detection
I never bought that excuse. That sounds like saying we should be secretive about legal charges brought against a person, lest that information help criminals evade detection.
Although I didn't elaborate about the libel, I do believe there is a strong separation between a "malicious site" and a "site that has malicious content".
If someone embedded a malicious image encoded as base64 in an HN post, that could definitely be malicious content. But it would not make HN a malicious site. No reasonable person would argue that. I would argue that claiming this was a malicious site is the heart of the libel.
Now, as a converse, we've seen sites that are just textspam with links that are all .exe or .com or likewise. They have no legitimate purpose other than getting higher scores in search engines. And their content is full of malware of all sorts. This would be an example of a malicious site.
On top of that, nobody has addressed my call to email the webmaster/abuse/admin contacts at a domain. Even an email followed by the block an hour later would provide some sort of "whoops, we didn't catch that" buffer. A legitimate site will respond quickly to warnings of malware or a hacked site.
Of course, we all on HN know about the ills of contacting Google for issues like this. Unless you have a social media escalation (aka this type of post), you are pretty much guaranteed to have no recourse. That is a whole other level of problem, especially when they control (and they do!) the browsers of millions of people. Where are the checks and balances? There are none.
And we also come to the issue of secret charges, secret evidence, secret judges, secret punishments, and no appeals. The common saw here is "We dont want to tell bad people what they're doing bad". This doesn't fly with our government, and shouldn't fly with mega companies (read: monopolies or oligopolies). If I'm doing something wrong, I should be shown what I'm doing wrong, and a window of time to remediate. (And I'd argue that once something's detected, then enhanced scanning could be done.)
> If someone encoded an image in an HN post encoded as base64, that could be definitely malicious content. But that would not make HN a malicious site. No reasonable person would argue that.
I don't consider myself particularly unreasonable, but I would argue that.
I see what you're getting at in that you seem to be focusing on the intent of the site owner, but I don't think that's a hair worth splitting. If you have poor security on your site such that you allow upload, and more importantly hosting and distribution of malware, you are now the owner of a malicious site.
So it's OK to ban someone's account (which can be tied to any number of different services thanks to OAuth) but not tell them specifically why? Sorry, but I reject the idea that this is necessary, given that we hear about things like this on a quite regular basis.
Sounds to me like Google protected the Internet from your site after you got hacked, which alerted you to a severe security hole in your system, so what are you complaining about?
Keeping user content on a separate domain is something I'll remember from this. Suddenly it makes sense why social media sites have so many different domain names.
This is another argument for why we shouldn't be using Google Safe Browsing. It's frankly unacceptable that for every 5 (or fewer!) bad sites it blocks, we get something like this.
From what I see Google should now be considered an active threat. You have to design your system knowing they will eventually act against you, either your domains or your accounts. And your chances to get it fixed are slim, unless you’re able to get some public outrage.
That's quite a strong word. For the average Joe, Google has immeasurably improved their internet experience. The vast majority of people are perfectly happy with Google and love it for Gmail, YouTube, etc. Even though Google sometimes destroys people's lives, most users don't really care at all. You might find it hard to recruit supporters just because Google is horrible sometimes.
Other people may have a different opinion. I personally find the company disgusting. A horrible company can bring value to a lot of people. I would still find the company horrible.
What an uncharitable and strawman-y way of summarizing the events. The fact that you felt the need to make a new account for posting this should've been a sign that the way you phrased it is uncool.
The discussion about the power Google, Apple, etc. wield is still worth having.