1) malware is often very aggressive and fast-spreading, and once it's on a user's computer it's hard to get off, therefore...
2) the system to detect it and stop access to the site has to be automated, not a human-in-the-loop system that might take hours or days to shut off access to a site which is infecting many users per minute, and...
3) the more clarity there is on how exactly that automated system works, the more certain we can be that malware will be able to evade it; it's much like how spam detection or search page rankings are opaque, because the incentives to game the system are very great
I'm not saying Google's system is perfect, but I am saying it's a very hard problem to solve in a way that doesn't give us an even worse time stopping malware spread than we already have. So while it is hard to feel sorry for a company as wealthy and powerful as Google, I think the issue is not as clear-cut as some comments on this thread seem to suggest.
But that being said, by far the biggest problem is just the lack of recourse and communication. Compare this to email spam prevention and the like, which solves a very similar problem but if you accidentally get blacklisted you can just talk to the SpamHaus people or whatnot and get the problem sorted.
It's not hard to imagine how Google could improve here: send better notifications when something is blacklisted, provide a reason why, and offer a better procedure to get your problem fixed.
Yes, this will cost time and money due to the large scale of things. But if you have the ability to block parts of the internet for much of the population then you also have some responsibility here; you can quite literally kill companies with this. Email spam prevention usually step up to this responsibility. Google ... not so much.
Mistakes will still happen, and that's okay. I appreciate the hard job they're doing, which does provide a lot of value. It's how you deal with those mistakes that matters, and Google deals with them terribly across all of their products.
> One common criticism is that there was no way to contact SPEWS. According to the SPEWS FAQ: "Q41: How does one contact SPEWS? A41: One does not..."
Point isn't they need to do it for every site. Just, a semblance of effort seems like the kind of thing that's worth throwing some resources at.
Unfortunately, that was abused.
It also doesn't seem like sites like Facebook, Reddit, Youtube, Google photos, etc. run into this problem, even though they allow user uploaded content so there is some kind of bias against smaller companies.
And I find it hard to believe that there isn't any malware or phishing content on any of the big content provider's properties.
No, but IF you allow people to anonymously upload malware to your site, Google-quality malware detection filters will absolutely do what they were designed to do and detect the malware on your site.
I just don't understand the people insisting on arguing that somehow this was a false positive. Google was right! This site was hosting malware! It's true it wasn't "intentionally" hosting malware, and that it was designed for benign purposes.
Which is to say, you are demanding that Google forgive this site automatically based on intent and not evidence. And sadly, while Google may have Google-quality malware detection filters, they haven't yet cracked the nut of thought crime detection.
I am genuinely curious how you would prevent your site from being blocked like this? Sure in this case it was a demo, but what if it was an actual image hosting service that required login? What's to stop a bad actor from creating an account and uploading malicious content. Maybe you even have some filter that does image recognition on the images and tries to detect if it is phishing. But unless your filter is able to catch the exact same content that google's malware detector uses, there's still a chance that you'll miss something that google finds, and starts blocking your site.
But even interpreting you narrowly: How much warning do you think Google should be expected to give before flagging sites with known malicious content? Would you apply that same logic to the sites you visit as a user?
I just don't see how the principle you want is going to work in concert with a world with rampant malware. Most of us very much want the trigger happy filers, because it keeps the problem manageable at the cost of some inconvenience and increased vigilance on the part of the content providers, which is IMHO exactly where it should be.
Realistically, offering an anonymous demo is probably a bad idea, no matter how many conversions it gives you.
About half of them are taken down by the time I get to them. The other half, I've had to report myself.
I realize, however, that these are not malware.
(Funnily enough, I think all of the attempts I was able to view were trying to phish O365 creds.)
this breaks down because there are friendly jurisdictions and/or hosting companies to bad actors. see "bulletproof hosting" for instance.
Embrace the centralization.
I think tech companies deciding what people can access is the most likely endgame no matter what. People will demand protection. Whether it's a great firewall, a whitelist-only internet, ...or just automated filtering like this, which may be the most liberal option we can realistically expect.
What you're left with is things hosted out of uncooperative countries like Russia or China. But then shouldn't the block list consist entirely of things hosted out of uncooperative countries like Russia or China? How did this US-hosted business fall victim?
PS. Twitter still does not allow me to share links to OP's website.
I was surprised this wasn't part of the lessons learned. But it seems the monitoring basically failed but that wasn't a lesson.
 https://www.ootliers.com (The landing page and everything are terrible and I'm working on improving that)
- a frequent/simple check dealing directly (on the internal network) with the webserver ("does it work well yes/no, what's the raw response time, etc..."). Here is where I would definitely use "curl".
- another less frequent test involving as well the DNS and the external network.
- another end-to-end test (e.g. once every 10 minutes?) involving as well one or more real browsers (this would test as well for example revoked SSL certs).
=> all these infos/metrics should be quite helpful to identify problems, or at least to shrink the potential area that is causing it.
The main offer is for order monitoring but I am in the middle of creating a just page load monitoring offer for others since I think that service by itself is super useful.
But the key thing for me is the "goal" montioring. So for ecommerce it's orders but for other systems it's different. That's the thing I really want to monitor. If other things break they'll affect those so you can detect lots of failures. The only issue is finding out what the cause is. But first I'll improve the anomaly detection a bunch before looking into root cause detection.
From a pure perspective, yes, you should be able to use headless mode and run some sort of validation on the HTML. That would make things really straightforward.
In practice... the easiest explanation is that I just spent about 35 minutes trying to find a live test/example safe-browsing trigger so I could check whether right-click is disabled, and I couldn't find one. Even after firing up a separate Chrome profile and verifying Safe Browsing was enabled at chrome://safe-browsing/, modifying /etc/hosts to point http://malware.testing.google.test/testing/malware/* anywhere did not work, none of the links https://testsafebrowsing.appspot.com/ generate any scary red warnings (and now my Downloads folder is full of EXEs), and I'm kinda sitting dazedly scratching my head a bit. Maybe all this requires some magic sauce I'm not aware of, or maybe it's just quietly bitrotted (doesn't seem to be the case?)... but the overwhelming lack of determinism is what makes trying to automate this next to impossible.
You just have to shove the website into a browser and screenshot the output. Because the chain between "load URL" and "user sees red" is that rickety, that there's no clean way to test it. D:
To be fair, I've not had this happen yet so I am going to try and find a site that chrome won't let me visit and see what happens when I visit it programmatically.
This is totally an edge case I didn't even think of until I read that blog. Super happy that my monitoring approach picks up on it.
For others wanting to do the same I'm using chromedp. It does take up way more resources tho. I worked out I can do 90 per minute per 8-core 16gb server.
Why would they flag that as a phishing site?
I’m just having a difficult time determining how this situation is not the fault of the site/app; we don’t even know that any of this is true and it looks more scripted than an offended rant.
They could use Google's safe browsing api to check if they're on that list as well as curl.
I don't know how to help make this happen.
1. Mozilla and the Chrome clones (Edge, Brave, etc.) partner to make an (open as possible) standard for blocking and reviewing, and start maintaining their own list upstream from Google.
2. When Google adds to their blocklist, independently check it according to the consortium's own standards.
3. Cut a deal with Bing or Yandex to scan for malware as part of their crawls, to get technology independence.
4. Put pressure on Google to get onboard.
Step 4 is the hardest.
We don’t know that this whole thing is not invented by the author or that they were indeed not doing anything malicious.
All of this, as credible as it may seem, could just be invented bad PR against Google, which if true should make us take a hard look at whomever is behind this.
Seriously, read the Lessons Learned again and tell me for certain this really happened. How in the world would it look so staged, with the bold words and thought-out structure. I’m not going to jump on the bandwagon everytime someone makes claims.
To give you an example of this working well:
In some countries(UK) regulators recognized that you cannot operate in the society without a bank account. So a rule was made that a bank cannot close down your bank account without a court order. They can block your access to nearly all other services, block all of your cards, but at the end of the day, you cannot lose access to your basic bank account and money in that account unless a judge says otherwise. The solution to the problem of "every citizen needs a bank account to function" wasn't "let the free market sort it out". It was to force banks to maintain access to a basic checking account no matter what until a court order is given.
In my opinion, Google should be forced to do exactly the same - no matter what, you should never lose access to your google account without a court order. It might be placed under severe restrictions(no new uploads, restriction to storage etc) pending review, but until a lawful court agrees that you broke the rules somehow and google is free to kill your account? They should be forced by law to keep providing their service.
"Losing access to the money in that account" is blatantly stealing from you. It's should be obvious that no company should be able to do this under any circumstances, but that is a separate issue from the question of adequate competition.
You still need competition because a monopoly can find an unlimited number of ways to abuse their customers and regulators can only address the ones they foresee ahead of time.
> The solution to the problem of "every citizen needs a bank account to function" wasn't "let the free market sort it out".
Which allows banks to remain an uncompetitive yet inherently necessary market. But how is that better than having enough competition between banks that anyone can find one willing to provide service?
Just because the market is regulated doesn't mean there is no competition.
It's better because the banks can't gang up on you like tech companies do. At least in the EU.
Look at what a dumpster fire every regulated private monopoly is. "Success" is a stagnant inefficient bureaucracy that ossifies everything it touches. Failure is the F-35 wasting a number of public dollars with twelve zeroes after it.
Tell me, why shops are not allowed to discriminate on the basis of race? Why not just have competition deal with that?
Competition would work as a solution to this particular problem and overall.
> And we're not talking about central banks, but normal banks. The competition is still there.
Banks have notoriously high switching costs and barriers to entry. What competition would look like is a regulatory environment that enabled switching banks to be as easy as switching wireless providers after number portability.
> Tell me, why shops are not allowed to discriminate on the basis of race? Why not just have competition deal with that?
Originally, because white customers would refuse to patronize shops that served black customers, effectively acting as a monopsony (lack of competition) and the law was needed to restore competition.
Today, mostly for historical reasons. Do you honestly think that a black person right now would have trouble finding a restaurant to eat in even if there was no law forcing all restaurants to serve them?
No. My point is that it's not as big of a deal as you make it out to be. Competition didn't suddenly disappear because of that.
In the EU we already have the laws we're talking about, requiring banks to provide you a basic bank account. The competition between banks didn't disappear here either.
Also banking is not exactly a free market one way or another.
I'm really curious what you mean here. Banks(here in UK) are stupidly competitve, there's constant offers and incentives to switch, I cannot imagine anyone in this country thinking "oh I would switch but they can't close my account so I won't".
>>It's should be obvious that no company should be able to do this under any circumstances
Are you familiar with a small company known as PayPal? Where they can lock your account for 6 months without providing any reason whatsoever and you don't have access to your funds? You can't dismiss a real issue by just saying "it should be obvious". Sure, it's obvious but the only way we stop this from happening is through regulation.
How competitive a market in is fundamentally a question of how hard it is to switch. So probably the most uncompetitive market in the world is iOS app distribution. Because if you don't want to use Apple to distribute your iOS app, you not only have to create your own app store, then you have to create your own OS, and hardware competitive with Apple's, and convince enough other developers to use your store that it can attract users, and then attract all of the users.
A great metric for how uncompetitive a market is would be how much profit the incumbent makes, and you'll notice that Apple as at the top of the market cap list. Because otherwise price competition would drive down margins. But you'll notice that banks are not exactly scraping by either.
Because switching costs are high there too. You want to switch banks? Go fill out HR paperwork at work to change your direct deposit to the new bank, otherwise the new bank charges a monthly fee. But wait, now the old bank charges a monthly fee without it, so you need to get everything else switched right away.
Everything else is quite a list. Every separate business you have recurring payments set up with. Mortgage lender, student loans, power company, water company, cable company, wireless company, car insurance, homeowners insurance etc. etc. You're going to be screwing with this for hours, might as well stick with the existing bank unless they're actively in the process of murdering your dog.
And then they don't have to compete with each other on the metrics that really matter. Notice that it's all up-front switching gimmicks and introductory rates, because once they've got you, you're stuck.
> Are you familiar with a small company known as PayPal? Where they can lock your account for 6 months without providing any reason whatsoever and you don't have access to your funds? You can't dismiss a real issue by just saying "it should be obvious". Sure, it's obvious but the only way we stop this from happening is through regulation.
And this is a failure of both regulation and competition. It's just another example of regulation without competition being insufficient.
Notice that competition could solve this, if it was present. But the switching cost for a merchant is even higher than it is for a buyer. You have to get all of your own customers to switch to a different payment provider, of which there are many more than your typical individual has utility bills, and with no guarantee that they would all even be willing to switch.
The primary goal of regulation should be to create a higher level of competition than this, because once you have that, the competition itself solves >99% of other problems.
How long do you think Paypal would be arbitrarily freezing accounts if it was trivially easy to move all of a merchant's own customers to a different payment processor, so that the first time Paypal froze a customer's money they lost two thirds of their merchants to a competitor?
Example of a regulation that would actually help in banking, because it would increase competition: Bank account routing number portability, so that if you move to another bank, you can keep your routing number and all of your recurring payments still work against the new account.
Or for Paypal, a standardized public vendor-agnostic money transfer API, so that vendors and buyers don't have to use the same payment processor and vendors can switch from one to another without their customers having to do anything.
Well, again, in the UK switching couldn't be easier. You basically tell your new bank who your old bank was, and they handle the transfer entirely without any bother for yourself. They move over all direct debits, regular payments, and for at least 6 months after the switch any money going into your old account is automatically routed to your new account. The only possible bother is yes, telling your employer that you changed accounts, but that's the only thing I can possibly think of. The cost of switching banks in UK is practically zero, or very close to it.
>>Or for Paypal, a standardized public vendor-agnostic money transfer API, so that vendors and buyers don't have to use the same payment processor and vendors can switch from one to another without their customers having to do anything.
Yeah, I can agree with that.
How exactly is a bank uncompetitive with this regulation?
You can still do most things without card access:
- keep standing orders flowing;
- transfer your money out through the mobile app or website;
- withdraw money from an ATM using an authenticator (nation-wide example in Poland: https://www.blik.com/);
- if push comes to shove, go to a branch and withdraw your money in person.
How is that rhetoric loaded? What rhetoric?
> if push comes to shove, go to a branch and withdraw your money in person.
When I was starting out in my IT career, the nearest branch of my credit union was more than an hour away by car, and for much of that time I didn't even have a car. If my credit union had restricted my account to "thou must visiteth a branch and speaketh with a representative", I would've been screwed - on a level of "freezing and starving".
> transfer your money out through the mobile app or website;
Assuming this wouldn't be one of the first things shut off alongside the card.
But then.....why did you open an account with a bank without a branch nearby? Not being funny, but that's your own failing, not of the bank.
I could've switched banks, but the only option in my new town was Bank of America, and after they screwed my folks over I'd sooner store my money in a mattress like my great grandma did in the Depression than trust my money with them.
One the other hand it seems, based on this and many other posts, that there isn't much communication from Google to its "clients" to 1) explain what's wrong and 2) quickly/directly ask for a reevaluation (e.g. after the problem has been fixed, to question the validity of the problem, etc)?
I understand that there might be bad actors around doing everything on purpose on their website/app and that therefore #1 (basically telling the bad people why they got detected) would be a bit of a gray zone, but at least #2 should be a no-brainer (e.g. in the case of the previous ".ass"-files-case anybody in any support desk could have immediately whitelisted that "problem")?
Then that's a problem with the rules, which need clarified to better encode the "spirit" thereof. Hiding the rules entirely is a poor substitute for that.
What are your saying?
Google should have been regulated years ago, instead, they have been allowed to snap up every smaller company to solidify their position in the market and ensure they and only they are allowed positions of power, control and authority.
If Google dislikes you (or their baseless algorithms that are detached from reality) then you are toast. How long before Google's algorithm results in an actual human death? Doesn't seem totally far fetched and entirely plausible.
Yet, you let this happen, or rather, it seems this isn't concerning enough for it to warrant a massive protest, after all, Big Tech controls protest online and can just shut it down. Amazon seems to have been mightily effective at stopping any "union" movement, so we know the censor machines are fine tuned and ready to fire at any moment.
We need to be talking about this daily, in needs to be front and center for weeks and weeks, and we need to demand accountability. We are ruled and governed not by elected officials but by faceless, nameless and non-human machines. They do not Think. They do not Talk. They do not care.
Yet this thread will disappear in a few short hours, and this will be just another episode of the weekly "Google's systems are out of control and one developer got caught out, too bad I hope they are okay".
This is happening to thousands of others undoubtedly that do not make hackernews or have the resources/energy to fix it.
We should demand better.
Of course they know. Everybody knows, it's just a series of tubes.
But that's not the point. The people in charge also know:
> If Google dislikes you (or their baseless algorithms that are detached from reality) then you are toast.
Replace here Google with FAANG, and see how whole countries are completely depended on those companies. At this point those companies can blackmail any government on earth into almost anything they want. FAANG are actually even richer than most countries on this planet.
I think if FAANG didn’t already control so much of our communications you might see such advocacy groups, but as it is...
Do you want to be the face of a campaign that will piss off FAANG?
We are getting stories like this on a weekly basis now.
Google is clearly causing measurable harm to your company and you. And apparently to thousands before you.
Considering how much money patent trolls manage to extract from Big Tech with considerably weaker cases, how is it that everybody is treating Google like a fragile grandmother with dementia, going out of their way not to hold them responsible in court?
This is not a rhetorical question. I really don't get it.
America is the land of getting millions in settlement when McDonald's gives you coffee that is hotter than you anticipated. How the hell is Google getting away with their behavior?
The coffee was not merely "hotter than you anticipated" (although that's at least sort of right), it was near boiling: McDonald's required franchisees to hold coffee at 180–190 °F, much closer to actual boiling than what other establishments hold coffee at, which is typically twenty degrees below that in that area. She had third degree burns on six percent of her body, six rather sensitive percent. She needed an eight day hospital stay just for skin grafts. I once dug up the photos, by the way, they're rather unpleasant, and I say that as someone who has attended autopsies.
Of course, the temperature differences may not seem like much, but a ten degree drop at that point changes the time from "skin graft city" from three seconds to perhaps four or five times that.
Final verdict, before settlement, was $640,000, not "millions." The parties settled out of court for an undisclosed final amount less than $600,000.
1. publishers want to be able to put content on the Web without undergoing background checks
2. everyone wants to be able to discover content with as little friction as possible
3. consumers don’t want to drown in unwanted crap
The incomprehensible Algorithm is the result of trying to square that circle. Give up any of those requirements, and the arms race would end:
Give up #1, and it’ll be possible to do all of the rules enforcement reactively, with no algorithms and no inhumane call centers, because when someone is banned, they’ll stay banned. The ban will be tied to a legal name and anyone caught ban-dodging can be sued.
Give up #2, and it won’t matter how much spam you make available on the web because nobody will fall victim to it. The web becomes less like a publishing platform and more P2P, because you basically only find content on there through your in-person social contacts.
Give up #3, and you don’t need Safe Browsing any more. Good luck selling that to everyone, though.
In order to sue them, you need to come up with something that they should’ve done but didn’t. Having a human review every web page that’s ever published is obviously dumb, so they’re going to have to go with the algorithmic approach.
This doesn't actually work because the people doing bad stuff are criminals with no qualms about committing crimes, like identity theft. Some large fraction of spam is sent from compromised but otherwise legitimate mail servers.
> Give up #2, and it won’t matter how much spam you make available on the web because nobody will fall victim to it. The web becomes less like a publishing platform and more P2P, because you basically only find content on there through your in-person social contacts.
This is the one you can actually fix because it's a spectrum rather than binary. It's also something that doesn't need to be a monopoly, and not being a monopoly would significantly reduce the consequences of mistakes.
Discovery is also fundamentally a search issue. Not putting something you suspect of being spam in the first page of your search results is a world away from shutting down some guilty until proven innocent third party's DNS or hosting.
How so? If you sue for damages, you only have to prove you were harmed by Google's actions, no? And actively misrepresenting your website as dangerous and deceptive to your customers is sort of libelous and clearly damaging.
Now, I’m not going to actually say that you’re wrong to claim that Google runs Safe Browsing in a negligent manner. But I will say that, if you’re going to go with that, then you’re going to have to say what they neglected to do. Have a human review all their entries? Apple does that, and they get just as many complaints. Get rid of Safe Browsing entirely? It was created to solve real problems, and those problems aren’t just going to go away.
> ctively misrepresenting your website as dangerous and deceptive to your customers is sort of libelous and clearly damaging.
Except the OP even said someone uploaded a malicious file that was put in a place publicly accessible. Google was not being libelous. There was a malicious file.
So what? Google has no right to tell falsehoods about your website as a whole to your customers, though.
I'm pretty sure google will not blacklist github.com if one malicious file is hosted on there, either.
None of the links provided by Google in their console were said to be malicious, either. So what then?
Currently they have all the benefits of their monopoly with none of the responsibility which is exactly the way they like it.
They have enough money to influence the USA government if anything changing the situation were to be introduced.
It's unlikely that any claimant would be able to show a contractual provision that enables them to claim for damages against Google (thus allowing them to sue in contract), so a cause of action for tort would be the usual way to sue Google - except unless Google makes you suffer some form of physical harm or damages your property, you're unlikely to be able to recover any damages for your website suffering these consequences, in the UK at least. I understand US law may be quite different.
There's a testable argument to be made about the requirement for "damage" to your property (the website) being inflicted by the certificate warning, but policy arguments on the matter of "ripple effect" liability makes it seem likely the courts would hold that Google isn't liable.
Also Google is probably far better placed to weather lawsuits than most ordinary people; they can probably afford to induce the other party to settle out of court, and presumably the relevant monopoly and abuse of market position laws only allow a regulator to take legal action (the ordinary consumer being restricted to contract and tort lawsuits).
I'm probably misunderstanding your argument here, but if, say, Google steals your bike that would be purely economic damage. Surely the UK legal system would still punish that...!?
Having a browser you develop show "we don't like this site" is not illegal per se; and by default if something you have the right to do causes a loss to someone else, that's their problem - for example, if I put out a new excellent product for sale at a great price, that causes clear, measurable and provable economic damage to my competitors, possibly even bankrupting them, but that's their problem, not mine, because I did nothing wrong and did not owe them any duty to preserve their profits.
There is the concept of "tort" which may apply for such losses, but that generally requires specific intent (which is absent here), negligence (which requires the existence of some obligation or duty of care, which IMHO is absent here, Google has no obligation to show your site correctly in Chrome) or the narrow cases where strict liability applies, which also is absent here - the parent post goes into detail of why in this particular case a tort claim is likely to not succeed.
Yes, they would. This is because there is a specific Act of Parliament known as the Torts (Interference with Goods) Act 1977 which specifically addresses the tort of "trespass to goods" also known as "wrongful interference with goods".
You would need to prove that Google "deliberately" interfered with your bike, on the balance of probabilities. However, Google would have two defences:
- Consent (e.g. you trespass on to their land, and they clamp or detain your bike - you are seen as consenting to the consequences of your trespass, namely the clamping, so cannot argue wrongful interference with goods)
- Distress damage feasant (e.g. you trespass on to their land, Google is entitled to seize and detain any property you brought with you until you leave, or (if damage has been caused) until you pay for any damages).
There are no other specific defences to this tort, only general defences to a tort (such as limitation, illegality, etc.)
In your stated case, assuming you proved the tort on the balance of probabilities, you'd be entitled to damages per Section 3 of the Act.
Yeah, it's a really good question. We got all these fully staffed insanely rich companies causing measurable harm to people. They just insist there's nothing they can do to stop it. Why does everyone believe them?
Users won't sue as long as there's no meaningful harm to the users. And there's essentially no meaningful harm to the users by dropping a single site. As a user, I don't care if any particular site hosts a malware and gets blocked - that's what I want. If that site gets back slowly, I don't care either. That's the website owner's loss.
Government doesn't have standing to sue, as long as there's no discriminatory effect - and as long as the selection criteria is fair (malware/phishing), and they are not negligent in fixing false positives, government will have hard time finding a leg to sue.
It comes down to - as a society, safe browsing APIs are critically important and they have been working reasonably well. You'll have to show they are mismanaging, or malicious, or doing damages to the users. There's no evidence for any of those.
The dividing line between big tech and big gov is far thinner than most people consider.
Mcdonald's burned off a woman's labia after burning the flesh of several people with coffee tens of degrees hotter than is safe, and then refused to simply pay her medical bills, prompting a lawsuit.
Has Google burned your labia?
They interfered with the contract OP has with their customers.
Remember all the "best viewed in ie6" or "only works on netscape 3 or above" banners? There has never been universal accessibility on the web. The dominant browser changes over the decades and it causes problems for everyone when one becomes too popular.
That’s some dumb shit right there.
Help HN: Google just blocked my site as deceptive site - https://news.ycombinator.com/item?id=26326528 - March 2021 (20 comments)
I just looked over the site a little more. The business idea seems to be to have a widget to add to your site that can be used to upload arbitrary files to it. The real advantage looks to be that they have a bunch of integrations set up with Facebook, GDrive, Dropbox, Instagram, etc so that all just works without you having to set up and manage developer accounts with 10 different services. Plus built-in image resizing and such things that all just works. Pretty cool, and I might use it if I built a site that needed to do that.
One way you can frame the point of this business is that they worry about the details of integrating with these other services so that you don't have to. As they found out, hosting external content is inherently dangerous, and it pays to have someone responsible for that who knows the risks and has experience in mitigating them. If a site owner wasn't using this service, they would have to take that responsibility on for themselves and re-learn these same lessons. So that's just another advantage of using this service - "we have experience in mitigating the risk of hostile users abusing upload services to serve malware, so you don't have to worry about it".
Site owner has not confirmed they screened all uploaded content for malware - this is a major issue these days and google and others will flag you if you host viruses and pump out malware.
And no - you cannot sue google to force them to allow users to be infected.
It’s not clear that all customer content is hosted on a separate domain, and each customer on a separate sub domain . Your reputation will be trashed pretty quickly if you host content on main domain blindly.
It’s not clear that all uploaded content is protected from being linked too or downloaded. Google admins and other virus vendors can setup screens on downloads.
Anyways - see plenty of shady / scam and incompetent website owners hosting malware - not much sympathy in most cases.
This is actually a big issue sometimes for folks who use google drive, because malware will infect their files, they will then be synced to google, then blocked from downloading them ever again!
That leads to support requests list this:
Even if you pay the ransomeware fee, google WILL NOT let you access your own files again. So years worth of files - GONE.
They do use different origins for these services. Google DOES actively ban users (everything, youtube, drive and email) from their service even users using google services (vs a third party upload service). Ie, if you are going to run a phishing scam, host the image on this service, not google, or your drive account + a lot of other stuff is at risk. I've even seen google follow links to other accounts your google account is an admin on, so can have business impacts and more.
I don't know where the idea comes from that google is very hands off on this stuff, they run a major spam fighting op that blocks lots of even potentially legit email, they do tons of scans through chrome, they do advanced stuff for opt-in domains on their paid platforms (even more intrusive but let's them pick stuff up behind password locked pages etc).
This last one can really confuse site owners, when NON PUBLIC content results in site bans.
Disclaimer: I'm a Google SRE. But never supported anything reachable from the outside.
Thanks, this makes more sense.
I would have thought this would be an excellent way to not host malware.
Has anyone tried, genuinely curious how this would turn out.
You are warned: the above link is a phishing website that when used will spam you whole Facebook friends with the same link via message. Google Chrome, still today, shows it as a normal website:
I was trying to buy a school bus to make a schoolie out of, the Craigslist add directed me to a seemingly innocuous eBay motors link that looks pretty close to the real thing. I was busy and clicked, totally intending to drop $5k. I got distracted and had to come back to it later, when I did, credit card in hand, the page showed the red screen with a huge warning. A closer look revealed the bad url.
Saved by google? Oh god, I think I need a shower now.
I just ran ads with headlines like Nextjs + TailwindCSS Landing Pages
Apparently somehow I ran afoul of their Circumventing Systems policy. I don't know how this qualifies and when I appealed they came back saying the same thing.
Recently launched a new startup and decided to look at Facebook ads, set up a brand new business account and page and the ad account was instantly banned. An appeal resulted in the message “your account has been consistently promoting ads that do not comply with our policies” but I’ve never run a single ad since they banned the account before I could even create one. The whole ecosystem feels like a bad joke at this point!
That almost sounds like they’re sharing ban lists
Virustotal.com also supports URL scanning, of you're concerned about a specific payload.
> (from a screenshot) I work at Google [...] so I escalated your issue [...]
> I believe the HN thread getting on the homepage tremendously helped me and somebody from Google saw it and expedited the review after all
So, once more an issue with FAANG could only be fixed because somebody knew somebody else and went out of his way to get this to the right eyes.
This could easily have gone another way and OP would have received no help whatsoever and would have waited for days or weeks to get this issue cleared and lost his business.
Maybe it's only me but I find it unbearable that you'll usually not be able to reach any real person at all for issues like these and it's pure luck what happens to you.
I reached a real person at Google Domains and managed to get things escalated to "Specialist". Their response: "we can't help you, post about it on the community forums" (which I had already done 20 days prior).
This account "owns" digital goods, thousands of songs, and many domain names. Google is actively stealing these things, but they don't care and, "can't help".
Funnily enough that password leaked and someone managed to take over my account (I wonder how they manage to bypass the security questions, sounds like a security vulnerability on Apple) and they're using it to register (I assume) stolen devices and install software.
I get email notifications every time these people do something.
I reached Apple support but they're unwilling to help, they even refuse to nuke the account as a last resort.
I have an iPad that I let sit on a shelf for a while. During that time, Apple deleted the Apple account it was signed into. As a result, I cannot unlock the iPad or use it at all. I even made a new Apple account using the same username and password in an attempt to unlock it. No dice. Apple support won't help.
It's like the system is built against you to just force people to ultimately run out of steam trying to get it resolved and give up.
I had a similar problem, where I had created an account so long ago there were no security questions. They later added the security question requirement, but since I had never filled them out and they refused to accept a blank answer and I was forever locked out.
After spending hours on hold and escalating through the support, they finally unencrypted my answer and told me what it was and I had put our cat! Totally did not remember that. Since then I've started paying attention to the questions I select when I set up the passwords and trying to idiot-proof myself to something I will actually remember in 7 years, not trying to be clever in the response.
As a bonus stick you in the ribs "revenge," when I finally was able to get it reset up and log in, I was gobsmacked to see that the customer support reps had assigned me mandatory extra remedial rave training to be completed before I could access the functional areas of the software! Lol. Touche.
It isn't just people you cross paths with that could get into those accounts, it's scammers that want to social engineer you or have access to the numerous database leaks that are accessible to anyone with the Tor Browser installed.
The answers to security questions are essentially passwords themselves, and they should be treated as such.
I wonder, aren't they required to nuke the account under GDPR? It's probably tied to your real identity.
I wonder how many people lost their account like me because of these overzealous security measures.
I long for the day that they cross the wrong person with means to take them to court over their negligence.
Say I offer my front yard for anyone to use for free.
You come and set up a bbq stand to have a picnic with your friends. You walk across the street to a lemonade stand, and when you return, you're confronted with a security guard who won't let you back into my yard.
You demand entry, saying your property is in my yard. You want to speak with me, but the security guard says you can't do that. What you can do is head over to the town square and ask if anyone there knows how you can regain access to your property.
It seems it's not only about a free Gmail account.
At least here in the UK, EULAs that say You have no recourse if we completely fail to deliver are generally disregarded in court, as it should be.
The big G say they can kick you off whenever/wherever.
That it's free in price is just another way to give the "customer" (really just user) less power.
It's always the same story. Some guy gets on Twitter or HN who happens to get noticed, then FAANG releases a statement saying they made a "mistake". Mistakes in the aggregate that affect millions of people aren't "mistakes." That's deliberate malfeasance at scale.
Funny they never ask you that design question in interviews. "Design a system which will harm at most 5% of your users while scaling up to billions of people." Maybe if more people understood the sobering dark side of scale, they would stop gleefully promoting runaway scale-at-any-cost engineering.
Just kidding. Profit is God.
I'm also reminded of the dystopian movie Brazil. You're always at danger of getting eaten by the bureaucratic machine today, with only the most absurd recourse available. Just read the passive indifference of the email that Google sent this guy. "Google has received and processed...", "Google systems indicate...". This is one shit dystopia are are living.
If you know important people at the emperor's court, you have a chance to get yor problem solved.
At least I would consider losing an important asset based on a whim of an algorithm without a possibility of appeal to humans quite a gross injustice, though within the limits of the law as it stands today.
Even with HN it's a complete lottery what contents reaches the front page, so getting issues like these resolved is a matter of extreme luck for a common person.
If enough companies contribute to this, it might put some pressure on FAANG to take things seriously.
Apple or Google won't see a cent from me.
They kind of do
> So after a lot of brainstorming and ideas from HNers I finally figured out the culprit(s).
> We have a live demo on our home where people can upload a test file. [...]
> We also give all users a 20MB test storage. [...]
> I believe that somebody signed up for our service (it’s free to sign up) and then uploaded a malicious file on our test storage and abused this feature.
If that is correct, Google was completely in the right to flag the domain as malicious and warn visitors.
edit: just noticed, their comp.lang.c archives are back up now
NodeBB does host a demo instance to allow people to kick the tires. I don't believe we allow people to upload images, but it is worth double checking just in case.
Way less nowadays due to all the employee shaming.
I have gotten warnings from google multiple times about hosting NSFW images (that is not the purpose of the site) that have ads on the page. This isn't google disliking NSFW content - it's google not liking NSFW content and ads together. Due to multiple warnings, and worried about bans, I now actually manually review each image. This is actually easier than it sounds. I wrote myself a batch script and review in chunks before I allow google to view any images.
"Potential phishing attempt. This web page tries to trick visitors to submit sensitive personal information such as login data or credit card numbers."
Is this somehow related to the Google situation?