
Year one: progress in the fight against Unwanted Software - anand-s
https://googleonlinesecurity.blogspot.com/2015/12/year-one-progress-in-fight-against.html
======
Shank
I've been on some websites that have had the unwanted software warnings, only
to find the site admins posting on the forums saying that the site is safe.
They even give instructions on how to turn off the unwanted software warnings
in Chrome (which in turn turns off /all/ of Chrome's red security pages).

I think it would be more helpful if the warning page at least described what
Google detected. As it stands, if people can be socially engineered into
turning off warnings because they don't believe them, then it's failed as a
security product to a certain degree.

~~~
praseodym
Google Search Console (previously Webmaster Tools) will send an alert with
details when unwanted software is detected by Google. Of course, this requires
the webmaster to sign up with Search Console, but that is quite useful for
other features as well.

[https://support.google.com/webmasters/answer/163634?hl=en](https://support.google.com/webmasters/answer/163634?hl=en)

------
r1ch
Being on the false positive end of this system, it's incredibly frustrating
having my site repeatedly flagged and not being able to do anything about it.
There doesn't appear to be any way to contact a human except through the
"Search Console" where the UI doesn't tell me what it thinks the problem is
([http://i.imgur.com/LWrBINe.png](http://i.imgur.com/LWrBINe.png)), and
Google's safe browsing list is the only thing that thinks there's a problem
(100% clean on virustotal).

~~~
eps
Ditto here.

Ended up banging head against the wall for nearly a month, submitting review
request after review request only to discover that the damn _request
submission form in WMT console was broken and was failing silently_. Fucking
hell. If you take on responsibility of (mis)labeling other people work as
dangerous crapware, you should probably test the hell out of false positive
submission mechanism, shouldn't you? If it weren't for another person
discovering and sharing this on WMT Google group, god knows we might've been
still wondering why G is so damn incompetent.

To add to the insult, a formal promoted "answer" from a resident "expert" of
the WMT group was to the tune of "let me google that for you, you imbecile".
So, it was a fascinating experience all around.

The lack of clear way of communicating with Google directly on this sort of
matter was absolutely infuriating.

~~~
eru
It seems the most reliable way to talk to a human at Google (if you don't
already know one working there), is to complain on twitter or your blog or
similar.

------
jakobegger
Thank you, for your efforts, but there's still a long way to go.

I occasionally need to tell non-technical users to install WinSCP. Assume
someone told you to download the software from the following page:
[http://i.imgur.com/1HoyMWz.png](http://i.imgur.com/1HoyMWz.png) Where is the
ad, and where is the download link?

It's better than last time I looked, since the ad is no longer a big green
button labelled "download", but it is still misleading.

~~~
scrollaway
I keep thinking this fight is just a game of whack-a-mole. It's nice to reduce
the impact but there's some really core issues with the model in the first
place:

 _Embedding ads means embedding dynamic content from a third party server that
was submitted by other people_.

On top of that, Windows users having to download software off websites instead
of common software being distributed through a repository doesn't help. The
repository (aka "store") model has shown itself to work really well even in
the mainstream, unfortunately the Windows store is atrocious.

------
jimrandomh
> We started disabling Google ads that lead to sites with UwS downloads.

Google still has a long way to go on that front. A good place to start would
be making sure Google's ads always have the option to report them, which
currently they mostly don't. I recently came across one of these as a text ad
on YouTube, it was quite obviously intended to mislead and give people UwS,
and decided to try to report it.

There was no way to do it on the page. There was no way to do it elsewhere, at
least that I could find through googling. I eventually reported it to the
security team, on a form intended for reporting vulnerabilities, as "whatever
malicious-ad-filtering you have can't be working at all if it let this
through".

------
niilzon
According to their criteria, Windows 10 totally falls in the UwS category ! :)

~~~
neerdowell
Chrome meets their criteria too, when bundled with other software, example:
[https://i.imgur.com/MakuHWC.png](https://i.imgur.com/MakuHWC.png)

It deceptively claims to increase web speeds, piggybacks on CCleaner's
installation, doesn't inform the user about what it does, replaces the default
web browser by default, "collects or transmits private information without the
user’s knowledge", and it is bundled with other software.

The only characteristic that Chrome doesn't have is being difficult to remove.

------
ocdtrekkie
About time. Based on malware cleanup work I've done in people's homes and
asking how they got to them (unscientific, I know), Google AdWords seems like
the primary method of malware distribution.

Google has gone out of their way to make AdWords look more and more like a
normal search result, and particularly among seniors, it's common to expect
that first link is legitimate. It usually isn't.

~~~
dhimes
They need to go back to being quite clear about what are ads and what aren't.

~~~
mschuster91
The problem is that then noone would click on the ads any more

~~~
ocdtrekkie
Acquiring ad clicks by deceiving people into thinking they aren't ads isn't an
ethical business model.

~~~
vmateixeira
I appreciate your effort on trying to putt the words 'google' and 'ethical' in
the same sentence. It just doesn't fit. It's business. Who cares about the
user any longer?

------
duncan_bayne
How about all the crapware that is installed along with Android on most mobile
devices these days? Any plans to do something about that?

~~~
benplumley
That's not under Google's control, it's under the OEM's or (in the US) the
carrier. A phone bought directly from Google (the Nexus line, Google Play
edition, etc) doesn't have crapware of any kind unless you extend the
definition to any app you don't personally use.

~~~
ocdtrekkie
There's two categories of bloatware, both of which Google can control:

\- Google's bloatware. Google insists OEMs include like 20 Google services on
every phone. Get rid of it. All of it. People want the Play Store, and if they
want any other Google service, they can download it themselves.

\- Third party bloatware. Google places dozens of branding and so-called
'quality' restrictions on how Android is shipped. At the very least, all pre-
installed software should be uninstallable, and that's a reasonable consumer
protection they could insist upon in the MADA. As another commenter said
though, Google only uses the MADA to protect it's illegal monopoly, not to
protect consumers.

~~~
Brotkrumen
Google only contols manufacturers as far as they want to ship google
playstore. Android itself is gpl and apache license, so oems could just roll
it themselves or go to a group such as cyanogenmod if google gets too
restrictive.

~~~
ocdtrekkie
That's really not shockingly relevant. It's nearly impossible to sell a
successful Android product without the Play Store. If it was, most companies
would already be doing it to avoid Google's bloatware.

------
mahouse
>Here are a few specific examples

[shows a few screenshots of things that would never happen with an ad blocker]

~~~
benplumley
Not only could ad injectors not work, they probably wouldn't have been
installed in the first place because the ad blocker would block any links to
them. Not sure if that was your point; if so, I agree.

------
comex
Just for fun - in this image:

[https://2.bp.blogspot.com/-fP2f-Ru84xk/Vmdt_a1ebLI/AAAAAAAAA...](https://2.bp.blogspot.com/-fP2f-Ru84xk/Vmdt_a1ebLI/AAAAAAAAAMg/fpw1XCXs5U8/s400/pasted%2Bimage%2B0%2B%25283%2529.png)

I'm pretty sure the domain is appspot.com, aka Google App Engine. I wonder how
hard it would be to recover the rest...

~~~
praseodym
It's
[https://testsafebrowsing.appspot.com/](https://testsafebrowsing.appspot.com/)

------
blakesterz
>> We reduced the number of UwS warnings that users see via AdWords by 95%,
compared to last year. Even prior to last year, less than 1% of UwS downloads
were due to AdWords.

That 95% drop is great! That 1% number must still be quite a large number
though, ~1% of the ads they show must be well into the millions?

~~~
lorenzhs
It says "less than 1% of UwS downloads were due to AdWords.", not "less than
1% of AdWords shown where UwS". What they're saying is: <1% of those who
download UwS get there by clicking on an AdWords ad.

------
vmateixeira
I knew google was controlling email and labeling which email servers are
"safe" or not.. with a lot of false positives! Didn't knew they were already
doing the same to websites. Nasty google.

~~~
Brotkrumen
While i also would like a world where i could host my own email server, you
have to realize that the "nasty" labeling google is doing is the only
reasonable way for a free service. My prof told me about the university
receiving about a terrabyte spam mail a day. Imagine what gmail gets with 90%
of mail traffic being spam.

~~~
vmateixeira
I understand your point of view but still would prefer google to blacklist
instead of whitelisting. As a single user, I don't honestly care but this is
making it more difficult for companies which find it more difficult to have
their own mail servers. Imagine that all their emails end up on their
customers gmail spam folder by default, without any proof of being spam. This
makes companies to loose business/money.

