Comment by sethherr

5 years ago

I think another takeaway from this article is “don’t allow users to upload malicious files that you then host from your domain”

This seems easier to do than jumping domains.

> I think another takeaway from this article is “don’t allow users to upload malicious files to your domain”

I disagree. At which point did we all accept Google's role as de facto regulator and arbiter of the Internet? Why should we tacitly accept the constraints they deem as appropriate and modify the way we build the web?

In other words, those are our domains, our apps, our systems and we'll do as we please; that includes worrying about content moderation, or not.

When and why did we accept Google as the Internet's babysitter?

Apologies if this sounds aggressive, but your takeaway reflects an appalling and quite fatalistic mindset; one which I sadly believe is increasingly common: big corporations know best, big corporations say and we do, big corporations lead the way.

On the other hand, probably I'm just biased and tired considering how tiresome it's been to explain to my friends and family why Signal is the better alternative after the WhatsApp/Facebook fiasco.

/EndRant

  • Sorry, but you don't get to tell me I am obligated to browse your site without being notified if you have malware.

    • You are not obligated to browse anything. In fact, you as a human are obligated to very little. Perhaps keeping yourself alive (which somebody might even oppose as an obligation).

      If you enter a site that hosts articles on malware and it allows you to download the malware assets to play with for yourself, you should be a fool for not understanding that the site hosts malware and is not adversarial.

    • Assuming that this site "serving malware" isn't doing it purposely.

      What if someone made a site that inspected malware and went in depth on how it worked and allowed you to download the malware to inspect yourself should you so desire? Google would flag this site as bad and blacklist it, but in reality it's a research site.

Pretty sure the main point was a private company can effectively delist you from the internet without any rhyme or reason. Most of us have heard Google horror stories when you use their products; the fact you can be free of them and have any new customers bounce from your site in terror is, uh, terrifying.

I would like to emphasize of course they have good stated reasons for warning users before accessing websites. The issue is that they are a private company whose behavior affects all major browsers and (for kicks) they have an extremely opaque review process.

If you ran a "divest from Big Tech" website which started gaining steam they could delist like this and the only real force stopping them is public backlash. If you think you can effectively sue Google to stop them I have a bridge to sell you.

Author here.

That is definitely a good idea, and I recommend it. But that should not be the main takeaway.

In our particular case, that was not found to be the problem (we think it was some sort of false positive), and there are valid reasons for users to do that anyway (upload a phishing email attachment onto an IT support ticket, for example).

I think the author highlights the main issue at the end of the article. This is where pressure needs to be applied. I get it, Google’s process probably protects a lot of end users from malicious sites. Getting a real business added to this blocklist by a bot though is not cool. Perhaps a process to whitelist your own domains if this power can’t be wrangled from Google.

> Google literally controls who can access your website, no matter where and how you operate it. With Chrome having around 70% market share, and both Firefox and Safari using the GSB database to some extent, Google can with a flick of a bit singlehandedly make any site virtually inaccessible on the Internet.

> This is an extraordinary amount of power, and one that is not suitable for Google's "an AI will review your problem when and if it finds it convenient to do so" approach.

  • > Getting a real business added to this blocklist by a bot though is not cool.

    Real businesses can (and often do) host malware too. There was a notable event where php.net was hacked and hosting malware, which Google flagged. The owner of php.net was pretty mad at first and claimed it was a false positive. It wasn't.

    • Not to mention thousands and thousands of unsecured WordPress and other similar systems which were turned into malware-delivering botnets.

      At my local faculty there were at some point not less than 6 different malware-serving sites (WordPress, Drupal and some similar unpatched software), which were happily delivering all that data from a university domain.

    • Right, I’m not saying they aren’t a risk. I’m suggesting that if a real business is whitelisted that an automated process shouldn’t be allowed to blacklist it without some type of human interaction.