As per mentioned Ghisler page: "The security assessment would have to be performed by a specialized company, and costs up to $75'000 per year and program (so $150'000 for 32bit+64-bit). This is not sustainable even with a subscription." [0]
This is death kiss to indie developement.
But paradoxically it is great. Killing interoperability is nail to coffin. This brings more and more focus to alternative solutions out of Google market, especially in independent software area. Like yt-dlp, FreeTube, F-Droid - actually all my family uses them and I recommend it to everyone. I can't wait to get some alternative GDrive client lib which simulates browser to throw data over that garden wall, and I don't care if it nags with captcha. The more hassle the more people are going to hate that ivory tower.
This is what everyone said they wanted after Cambridge Analytica! For platforms to exercise due diligence before allowing users to delegate their access to third parties.
Yes, the situation superficially resembles Cambridge Analytica, but there's a few differences here. People aren't building detailed dossiers of themselves on Google Drive like they were on Facebook, and Transmit is a client app that is honest, open and up-front about how it uses your data - to move it in and out of Google Drive.
To be clear, the problem with Cambridge Analytica was not Cambridge Analytica. The problem was - and still is - Facebook's habit of getting everyone to overshare and self-surveil. There needs to be some control and vetting over the apps that have access to your data but not so much that actually honest developers are quitting the game.
My guess is that Google just doesn't want third-party clients (you can't shove "AI" or "Investor Advertising" into it), so they're slowly turning up the heat by abusing the data scare.
A lot of people will have substantially more sensitive data in their chosen cloud storage system (whether Drive, DropBox, OneDrive, iCloud) than on Facebook or any other social network. For example documents like ID scans, financial records, and medical records are going to be commonplace.
It seems like if a nefarious actor built a seemingly helpful app that asked for Google Drive access and convinced some people to use it, they could do a lot worse than Cambridge Analytica.
My Facebook account is largely limited to information that’s already largely public. I imagine there are Google Drive accounts out there with tax returns, health records, background checks, etc in them.
Yes, this sucks that it puts road blocks for well meaning developers, but for the general public, it’s pretty hard to tell who is a well meaning developer and who isn’t. Also, inexperienced or careless well meaning developers can still accidentally put your data in a public internet facing DB.
This is a fair thing to point out! I as a user feel I'm being much more respected when I'm allowed to use some independent client software of my choices, than being told that "for my own good" I must use the absolute abomination that is most of the software provided by Big Tech firms themselves. Like, thanks for your opinion, Google, but 90% of these "security audits" are about box checking and ass-covering. It's the technology equivalent of all of the silliest parts of the TSA process, meaning that it contributes nothing to security while employing a lot of people to do valueless work at the expense of those doing useful work.
Facebook provided a general API for apps, not some kind of data feed. The API required user consent from the app user, though almost certainly not informed consent.
The API also provided too much data, in particular on the user's social graph, which is why a single user giving uninformed consent would lead to data being extracted for multiple others. But even if the app had informed users about intending to steal the social graph, most users would still have consented. They would not have read the text, or not cared. Just click ok until the computer lets you do what you wanted.
So we really do know that the only way to safeguard the data is to design safe scoped APIs for the typical use cases, and keep dangerous unscoped APIs around only as an escape hatch with much stricter security and safety requirements.
Facebook users shared data with their friends. Those friends gave access to the data to CA. So like if you share a document with me and I then give CA access to my GDrive.
IIRC the way Facebook's "platform" stuff worked was that when one user authorized an application, it got to see all their friends' data. Farmville had to be able to access your friends list to see who you could send a sheep to, you see.
Nowerdays this seems like an incredibly dumb idea, sure, and personally I disabled it entirely the moment it came out. But we can cut them some slack, because back in ~2006 facebook was a new thing, for young people - and nobody was sure where this new "social media" thing was going to go.
On top of that I believe Cambridge Analytica did the usual "personality test" trickery where you fill out a survey, then it won't show your result until you hand over your details and accept some legal mumbo-jumbo.
So your Great Uncle wanted to know what harry potter character he was, clicked a consent button, and Cambridge Analytica got your PII.
In the same sense that if someone uses a third-party Google Drive client, the input of other collaborators on shared documents is exposed without their consent. (It was data about friends of users who authorized the application in Facebook's case).
There is some massive confusion around the types and costs of audits required for full Drive permissions scope (and I definitely blame Google for the lack of communication/direction on this). I had to get this audit for an app and it was nowhere near 75k - I believe it was well under 10k. Another commenter said they had it done for $4k: https://news.ycombinator.com/item?id=41781325
Transmit is as "easy" as one could imagine software of that type being.
You do have to know what a file is and what a directory is, mind you, which is something I can non-ironically say does rule out half of GenZ or anyone else raised in the postmodern era, where 'content' just lives 'in' an 'app' and can be searched for (and if you're lucky, found). But I don't think people of that minimum level of sophistication are in the market for products like Backblaze or S3 - they're just out there paying for more iCloud storage (or new laptops) because Apple said they are out of space.
Its the kiss of death for google drive support, and eventually when many apps don't support using google drive people who are on it will switch to other cloud storage providers.
Even the "audit" they require for increasing something simple as your YouTube API quota is already annoying and a massive waste of time, and this is not even close to the one they are requiring from Panic.
The quota increase process is roughly:
1) Fill out the same form every year from scratch
2) Send it into the black hole that's Google "support"
3) A few weeks later receive a reply from someone asking a irrelevant question to our use case
4) Two weeks later another person replies asking for screenshots of the "implementation", so you send a screenshot of "func storeTrailerMetadata()"
5) Another two weeks later, another automated person replies that you got approved.
The Google "support" black hole even exists for their high budget ad customers. I've seen a case where things went into the Google support black hole for a company spending a few million per month via DV360 / Google Ads. Nothing anyone could do about it, campaign blocked, work with "support" to fix it.
Have the same experience with Microsoft support. The difference is the timeline is much shorter and when our issues don't get any traction our rep intervenes and escalates to engineers.
I understand that level-1 support for these orgs are basically documentation librarians. Cool. We pay an incredible amount for premium support, but whatever. It's fine. What matters is that we have a rep that is engaged and cares about us being unblocked and isn't going to let us flounder for issues their support team is not going to solve. Have never seen this level of commitment from Google.
When we filled ours out for a CRM they wanted a video of the CRM. So we showed them a video (from dev with fake data). We appealed the process explaining that Mickey Mouse is a not a real person. They rejected that appeal. So after going back and forth for a week or two we uploaded a video with basically everything but the navmenu blurred out and they finally approved it.
Just another reason to not deal with Google. Eventually, gravity is going to catch up with them, and they will never recover, because their business culture is shit. Zero interest or focus on the customers.
I know everyone loves to dunk on Google, and I definitely agree their communication and customer service to app developers is shite, but this change to permissions scope is a good thing. If you have full, unfettered access to large number of people's Google Drive data, you're a huge target for malevolent actors. If you can't afford the new audit requirements (which I've done and are quite easy - if anything I'm sympathetic to the argument that they're more "box ticking" than valuable security audits), then I'd really question your ability to appropriately safeguard so much critically private data. For reference, these audits are about 1/20th as complicated as a full SOC 2 audit, for example.
FWIW I'm not previously familiar with this Transmit app, but based on their use cases (e.g. backup) it sounds like the limited "drive.file" scope wouldn't work for them. Still, if you want complete, unfettered access to my entire Drive account, I don't think it's a bad thing that Google is enforcing some minimal security standards.
The problem with Google’s security certifications, especially when compared to competitors like Salesforce and Microsoft, is how disorganized the process is. While these companies all require security reviews, Google’s approach seems particularly disorganized: if something goes wrong, there’s almost no one to contact for help.
The certifications themselves are valuable, but Google’s main issue lies in its poor communication and support.
Third-party developers, even those paying $60k annually for re-certification, struggle to get timely responses or any at all.
What’s ironic is that the very partners handling these certifications often avoid using Google themselves because it’s “unreliable if something unusual happens.”
And that’s the crux of the issue—when things do go wrong or something unusual happens, it’s incredibly difficult to resolve.
100% agree. Again, my position is that Google rightfully deserves all the criticism they get around communication and customer support. I just think it's a mistake to confuse that criticism with Google's change to enforce better security for highly sensitive permission scopes.
That seems like a poor argument for an app which doesn’t mirror data or accept commands remotely (if I can control your app on your device, I can control the official Google Drive app) but there is a general point about full drive access. However, I think the answer there is for Google to improve the security model for Drive - for example, allow the user to select a non-root folder which Transmit or iA Writer can use and have some UI indicating that it’s shared. Instead, this process serves as a competitive moat and isn’t very effective – all of the large companies that we’ve seen getting breached are going to pay KPMG to spend time on performative box checking, and your data will still be exfiltrated but they’ll at least say they’re very sorry.
> However, I think the answer there is for Google to improve the security model for Drive - for example, allow the user to select a non-root folder which Transmit or iA Writer can use and have some UI indicating that it’s shared.
The oauth scope https://www.googleapis.com/auth/drive.file [0]basically allows this. If memory serves the app can use this scope, create a folder, and have access to things within that folder, it can certainly have access to all files created via the app (which should in general be true for iA and probably also Transmit). Offhand, I don't actually see what iA or Transmit are doing that needs the broader scope, though TotalCommander, trying to be a replacement file manager would still need the biggest scopes.
Lets just say this: the US Federal Government, several large health care and health insurance organizations, several large financial institutions, a major university, and several others have all had to send me "We take security seriously" letters. They could all afford to undergo (and had passed) various security audits. But in the real world they failed.
If you can't afford to buy starbucks every day, I'd really question your ability to buy a private jet. However, that doesn't mean that being able to afford to buy starbucks every day is sufficient to being able to afford to buy a private jet.
> if you want complete, unfettered access to my entire Drive account,
Panic never got complete or unfettered (or any) access to my Google Drive. I got access. I used their application, which can easily be supervised with Little Snitch or other software to prove that is not sending a copy of my credentials or my files to Panic. If it were OSS it would be even more categorically provable that it's not giving access to anyone but the end user, but these draconian requirements would still apply.
The point is, Google is telling THEIR users, not Panic, that they aren't qualified to use their own judgment to select a client. It woudl be just as bad as Microsoft saying that if you want to check your email or access SharePoint you can't use anything but Edge (insert jokes about how they basically did do that 20 years ago with MSIE, but let's be serious, that sort of thing would be rightfully mocked today).
> I don't think it's a bad thing that Google is enforcing some minimal security standards.
These certification programs are 100% a moneymaking program to engage in a lot of box-checking, which I'd wager has zero correlation with a positive outcome for anyone other than the shareholders of the "labs" that do these audits.
They're my files in Google Drive. If I've made the choice to buy a product from Panic, and I trust Panic as a company personally, it should be my right to decide to give Panic access to my files in Google Drive. It is not up to Google to shuffle money into the pockets of their security partners under the guise of doing it for my safety. My safety and the safety of my files is my responsibility, not Google's, and it's oddly convenient from a monetary perspective (both for Google itself and their partners) for Google to suddenly care a lot more about this than they used to, so it does not seem particularly altruistic in any way.
I think it's relevant that Transmit is a local native app. There's no hosted app exposed to the internet to hack here. Google made one lengthy process that doesn't fit this use case.
Panic runs a cloud-hosted sync service that syncs your credentials and connection info between different instances of Transmit you may have.
No idea if that's what google is targeting here, but that is a cloud service, that presumably gets a copy of people's Google Drive OAuth keys if they use Google Drive with Transmit and the sync service.
How can you be so sure? Even after reading all the source code, there still can be bugs, attacks, demanding letters from different agencies, misconfigurations, vulnerabilities in code and in libraries, etc. etc. etc.
exposed to the internet and connected to the internet are different. Exposed implies that traffic originating from the internet reaches the app. You still do have to worry about things like parsing malicious files, but the class of relevant attacks is much smaller and generally easier to defend against.
Everything's connected to the internet, what the OP was talking about was attack vectors and since Transmit is a local app it really isn't one unless your whole machine is compromised, which in that case you're screwed.
Google's not my dad. It's not their responsibility (or their place) to audit every piece of software I use to interact with their services. I'm tired of being treated like a child who needs every sharp corner ground down for my safety.
Edit: Next logical step is auditing every IMAP client before you can connect it to Gmail. Ridiculous.
They're the ones who will take the blame when a third-party app gets compromised and is used to siphon off people's data.
This isn't a theoretical concern. It's pretty much exactly what happened with Cambridge Analytica. Facebook didn't really do anything wrong; they provided an API for data access, people explicitly authorized an app with broad access their data, and it turned out that the app was basically a trojan horse for data collection. And politicians, the media, the general public, and even the technologically savvier people who should know better all blamed Facebook for this.
> Edit: Next logical step is auditing every IMAP client before you can connect it to Gmail. Ridiculous.
Actually .... They're not that far away from that, if they're not already implementing it. Office365, and Google, if they haven't already have disabled basic Auth for IMAP/SMTP, and only supporting oauth2. Which requires a AppId/ClientSecret handed out out by registering your app with Microsoft/Google.
You say that, but I've been in plenty of situations where people say they're comfortable taking on the risk themselves, but then when shit blows up, they come and blame the biggest actor (with the biggest pockets) they can. I mean, just check out some sob stories that made the front pages of NYT and Washington Post when people got scammed out of a lot of crypto money - I've read a bunch of those and always the first thing I think is "lord, there is no way these people should have had a dime in crypto in the first place", but then when they lose their money they're the first to blame everyone else but themselves.
This assumes that Google can be trusted with my data and other apps can't, and that I'm ok with Google assessing the safety of other apps. It's something that is automatic, and right now it needs to be explained.
Yes, assessing the trustability of apps is important. No, I don't trust Google to do it properly. Maybe I didn't choose Google because I find them the best, but because I have to (because Google, surprise surprise, forces itself down the throat of everyone, so the people I want to collaborate with use it).
Did my apps certify Google as a trustable provider ?
The problem is that if you want to provide a full-featured file picker, and not rely on Google's limited browser-based version, your app will require the full "drive" scope. (We do, and we do, for our InDesign-to-Google Docs connector plugin.)
If you use some of the lower-tier CASA labs, it's not that expensive (4K/year), but it is definitely a nuisance for a pure desktop plugin like ours that has absolutely no cloud component (other than connecting to GDocs).
> which I've done and are quite easy - if anything
Did you read the part where it took multiple months to continue because of slow replies and non-working tooling from Google's side?
It's also pretty expensive for a relatively niche app, it might be fine if you are Dropbox or a big VC funded Mail app but for smaller companies it's not "easy".
> I don't think it's a bad thing that Google is enforcing some minimal security standards.
How would Google find out if the version that they are "scanning" is the same one that gets uploaded to the app store on every small app update? Zero, so there's no security benefit.
How much was the external audit they are now requiring? As it's most likely not based on company revenue, it's obvious that it's less of an issue for bigger companies who can afford to pay an auditor for their stamp of approval and task a person with talking to Google over a few months every year.
If you read the article, they went through the casa audit, found that it did not improve the security of their app, and came to the conclusion it wasn't worth the time and now money to do it a second time.
> and came to the conclusion it wasn't worth the time and now money to do it a second time.
Especially because they'd now have to go through an other third-party to perform the audit process (not just the security lab, the entire thing), according to the total commander folks[1] that's 75k/year/program.
They say it's "up to 75,000" per program, looking at the actual assessor websites, most require quotes, but tier 2 assessments start at $500 and tier 3 start at $5-6000, and you're in the land of asking for quotes from companies, so "hey we compile the same code into 32 and 64 bit versions" probably does not actually require a 2x cost increase.
> It raises the bar for low effort hackers and improves security.
There are meaningful ways you can improve the security of your app. There are ways to make sure your app passes CASA. I found very little if any overlap between those two when going through the process.
> But then… a couple of months later, Google completely removed the option for us to scan our own code. Instead, to keep access to Google Drive, we would now have to pay one of Google’s business partners to conduct the review.
What a racket. Smells downright anti-competitive The EU will have fun with this when it catches up.
Just as a data point, we paid $750 for one of these engagements (scan + some discussion about use cases etc) to one of Google's preferred providers. There were multiple options for providers.
And the issue is the other corporations may likely follow, so you have to stack hefty audit sum every year for multiple monopolistic cloud vendors because you made some cheap documents scanner app with convenient storage options for your user.
The EU absolutely loves adding requirements for certifications, so no I don't think they would get involved here. In fact, it's something they are pushing for in general.
> Smells downright anti-competitive The EU will have fun with this when it catches up
What? The EU wants to introduce certifications for all products and services, further kneecapping local innovation through regulation and costly certifications.
Man... this stuff sucks. If I were panic, I would do the same... but I also wouldn't want to be the one at google to navigate this.
With Google Drive now being at the center of so many companies for storing business data, I am certain it is a juicy target, and third party access with full access to read and write to that big hard drive full of proprietary data is one that I would understand want to lock down... but not like this?
I don't think the market is anywhere near to shifting where business are going to dump google drive en masse, but as the ecosystem shrinks because so few companies can afford the cost to play in google's backyard, it does make me wonder how many companies are going to absolutely resent google, comparable to the way they resented oracle.
> With Google Drive now being at the center of so many companies for storing business data, I am certain it is a juicy target, and third party access with full access to read and write to that big hard drive full of proprietary data is one that I would understand want to lock down... but not like this?
Could be a Google Workspace policy where you can just set that employees can't access the corporate Drive account through third party apps, while it continues to work for personal accounts.
There is a clear subtext to this and the Play Store changes: everyone interacting with the Google ecosystem is going to be pinned down and deanonymized with rights assigned based on legal identities. This will be done in the name of security. There is no freedom in who you trust here.
The big question here is if all this was preemptive or the response to something.
All monopolies do this. Once they're past the point where the government can effectively regulate them they essentially take over and regulate the market for their own interests. Google is very good at this. They're probably better at this than actually writing code these days.
Which is why anyone and everyone should flat out avoid them as a company.
Entire companies have been destroyed because they rely on Amazon, Google, or some other service, and then have the rug pulled. Sometimes companies have even been destroyed, notably by Amazon, for having the wrong political viewpoints.
My rule of thumb is: Only use open source components, and only run my stuff on Linux. So that way I maintain full control over my stack, and stay mostly immune from the political rug pulls, and other kinds of rug pulls.
> Sometimes companies have even been destroyed, notably by Amazon, for having the wrong political viewpoints.
Ok, I'll ask: what company did Amazon destroy for having the wrong political viewpoint?
AWS hosts some pretty vile stuff without blinking. The last time a company made a big "woe is me, my ideas are being suppressed" claim against Amazon, it was Parler, and they weren't kicked off for their viewpoints. They were kicked off for operating a crime-ridden site with zero effective moderation.
Not too long after Parler was kicked off AWS, I was on a call with hundreds of representatives from power utilities about a modeling tool we were transitioning to. It was mentioned that the tool was hosted on AWS and someone suggested they have a fallback plan in case they got kicked off like "other companies".
Elon Musk's companies are doing great under the democratic administration he publicly rails against. He's back on top of the richest list. Peter Thiel's portfolio seems to be doing great. PLTR is up 350% in the past five years. Facebook altered it's policies in a pro-conservative way by allowing falsehoods in political ads, and they're doing fine. Right-wing content has flourished there for years. Oracle and Larry Ellison are doing better than ever. Rupert Murdoch and News Corp are financially healthy and not in crisis.
Now twitter is doing badly, but that's not because of their political slant, it's because they're operating the business with ideology first, business acumen second approach. That's not politics, that's plain old bad execution.
None of that is evidence conservatives aren't under attack, it's evidence that we're winning the culture war.
About Musk, once he took over Twitter, that mostly solved the Social Media "Free Speech" problem, because as long as the most popular gathering place in the world is free we're [mostly] all free. So you're right, there's lots of reasons for Conservative optimism.
> None of that is evidence conservatives aren't under attack, it's evidence that we're winning the culture war.
None of those businesses are part of the culture war, or if anything they're 'woke' businesses.
Thiel doesn't make money being conservative, he makes money on venture capital and running a big government surveillance business. Larry Ellison makes money price gouging on licensing. Elon Musk's main source of income is a 'woke' EV business. Rupert Murdoch makes money on tabloids, of which Fox News is just one flavor - and the tabloids are arguably 'woke' as they mainly pitch conspiracy theories that the 'normies' don't know about.
Twitter under Musk is no more free speech than it has ever been. They comply with the vast majority of censorship requests from authoritarian governments[1]. They most recently rolled over for Brazil's demands and are now fumbling their execution on paying the fines Brazil levied against them. Musk also censored Ken Klippenstein's account when he published a link to his Substack article about the JD Vance opposition research dump. So no, "free speech" on Twitter is just a slogan and a marketing campaign for low information news consumers, and it's working.
I read up on that situation, and it sounded like the three letter agencies were working with Cloudflare all along. They never even asked them nicely to stop hosting lulzsec. To top it off, Sabu from lulzsec was an informer[1].
So Cloudflare wasn't bravely standing on principle, they were just doing garden variety collaboration with the feds.
I don’t know about the political stuff that poster is talking about but this is true for quite a few small stores that transitioned to mail order as Amazon really took off. If you couldn’t handle complaints quickly enough or had too many flagged listings (stuff Amazon didn’t want to allow on the platform for one reason or another) you could get kicked off without much recourse except trying to open a new account and hope you were not caught.
You could see this as good for the consumer in cases where the abuse is bad but the store I was at in the 00s got kicked off for selling some Martial Arts equipment legal in 47 States but on a naughty list we were unaware of. We listed it in a few colors and that was enough to get kicked out.
Okay, so what? That you agree with the political motivation behind the decision does not make the decision any less politically motivated, proving that AWS does in fact kick out consumers based on politics.
>It’s clear that WikiLeaks doesn’t own or otherwise control all the rights to this classified content. Further, it is not credible that the extraordinary volume of 250,000 classified documents that WikiLeaks is publishing could have been carefully redacted in such a way as to ensure that they weren’t putting innocent people in jeopardy.
You can be obtuse about it if you want, but this is basically what it means. The only innocent people that the documents could've exposed would be related to american intelligence agencies
One thing is for sure though, AWS has never terminated a website because they exposed Russian intelligence documents, or because they made non american classified documents public. If you are american, then you can obviously play dumb here but it is blatant for everyone else.
And even beyond that, caring about the clearance level of a document is inherently political, and they explicitly say that it was one of the reasons for their decision to terminate WikiLeaks' hosting.
The fact that people will disagree about what's political and what isn't is precisely why censorship, in general, is illegal. Because when people have power over others (including censorship power) it's guaranteed they'll abuse it, even if simply by being convinced their own interpretation of reality is correct.
Look, they were kicked off for their content. I hesitate to call their content "viewpoints" but it's become roughly synonymous with speech so I guess it kinda fits. Regardless, I'm happy they did it. I think there is room for "exception that proves the rule" type behavior. When the bridge too far is literal Nazis I'm okay with considering AWS to still be politically neutral. No ToS violation (which was flimsy at best) needed.
I didn't realize that death threats were a viewpoint.[1]
> People on Parler used the social network to stoke fear, spread hate, and allegedly coordinate the insurrection at the Capitol building on Wednesday. The app has recently been overrun with death threats, celebrations of violence, and posts encouraging “Patriots” to march on Washington, DC, with weapons on Jan. 19, the day before the inauguration of President-elect Joe Biden.
> In an email obtained by BuzzFeed News, an AWS Trust and Safety team told Parler Chief Policy Officer Amy Peikoff that the calls for violence propagating across the social network violated its terms of service. Amazon said it was unconvinced that the service’s plan to use volunteers to moderate calls for violence and hate speech would be effective.
Parler was used to coordinate the Jan 6 attacks, and when they were caught with their pants down they promised some half baked scheme to have unpaid volunteers do moderation. It was demonstrably a joke and they were caught failing to moderate more attack planning that was happening out in the open on their app. I think Parler leadership got off easy on this, they frankly should've been in jail on January 7th for being accomplices and not merely getting kicked off AWS.
The death threats angle is a complete red herring, considering that other social media absolutely does leave out such posts for even longer than parler did (and very rarely is held accountable for whatever their users are posting, even when it takes literal months to moderate).
But regarding your last paragraph. Sure let's agree that everything you said was right. So what? It still shows that AWS does cut off consumers based on politics. I'm not aware of any legal action against Parler so I don't think they were accused of anything illegal. The fact that you agree with the political reasoning behind the decision does not make it any less political.
Especially since the only time that they ever intervened for something like this was when it happened in the US. It didn't happen during the Arab Spring, or the 2014 Ukrainian revolution, or any other time where people used an AWS hosted platform to coordinate a coup.
> The death threats angle is a complete red herring, considering that other social media absolutely does leave out such posts for even longer than parler did
Other big social media companies generally own their own infra, so they they don't need to get into existential crises when their landlords go looking into their activities.
> But regarding your last paragraph. Sure let's agree that everything you said was right. So what? It still shows that AWS does cut off consumers based on politics.
Not sure how you're able contort this argument together. Parler was involved in crimes. AWS didn't need to prove that beyond a reasonable doubt like the justice system did, they merely had to have a good faith belief crimes were happening on Parler and Parler wasn't making good faith efforts to mitigate them. They didn't merely fail to moderate, they basically told Amazon to kick rocks when they were provided with evidence of crimes on their platform.
It's honestly kind of insulting to cry about political repression when it was just garden variety crime the whole time.
How was it involved in crimes? Again, can you be more specific?
I agree with you about other social media platforms owning their own infra, by the way. But I'm not sure if that supports your point? If the only difference is that they own their own platforms, meaning they can do whatever, doesn't that show that AWS is actually unreliable for products like these? Which is what OP was arguing?
Also, it's weird to say that I was crying about political repression. My point was that your comment itself was arguing that they were still removed for political reasons. Which meant that you agree with the person you replied to, it's just that you think that it was morally correct which is besides the point.
And if Parler did commit a crime, or crimes, surely that would be public knowledge? Jan 6 lead to a rather intense series of prosecutions, so you'd think Parler would also face criminal charges. Unless you meant that it was used for criminal stuff, which is true. But that's a completely different standard, and one that AWS only applied to Parler (for obvious reasons). If you are saying that enabling criminal activities is a crime, then that would apply to other social media too (regardless of if they own their infra or no). Yet again, Facebook or YouTube has never been charged for anything like that.
It's totally fine since AWS was within its rights to ban them, but it's weird to argue that it had nothing to do with the politics of the situation. Again, AWS does not care about coups outside the US, which are just as illegal.
1) If you run the numbers on how many man-hours and cost it takes to moderate a popular platform, what you end up with is a situation where small players (like Social Media Startups) can simply never afford to get into the game, because of the moderation burdeon.
2) The other problem regarding censorship is that it has to be done by humans, and humans are not objective and benevolent. All humans will apply their own political ideologies towards their censorship decisions. This is true because your sense of morality is involved. That's what happened at Old Twitter. They were all Silicon Valley leftist moderators, and so they deemed conservative speech "immoral" and kicked people off for things even as mundane as misgendering or mere "impoliteness" to some "protected class". It got WAY out of hand. Thank God Musk came along and freed everyone.
Almost EVERY single conservative that was kicked off Twitter (before Musk bought it) was kicked for perfectly legal, and often perfectly polite, political speech.
My concern is that people aren't building their own horses the minute it becomes feasible. The farrier now seems mystical and occult to a generation even though they're more than capable of picking up the tools themselves.
Sure integration points to all that are great. The mistake is when your entire company can no longer function at all without Amazon AWS for example. I've worked at a place like that.
EDIT: Of course if you're sure your politics are completely left-leaning you'll have no censorship worries, because these platforms are mostly Silicon Valley run. Also since conservatives basically don't play dirty in this way, the conservatives won't censor stuff just because it's left-leaning. We're for protecting freedom of all legal speech and actions.
That's not really relevant to the problem at hand, which is the ability to integrate with the large and widely used tech giants' platforms. Customers do use Google Drive (unfortunately) and thus the need to integrate.
Worth mentioning Stripe among the destroyers. Sure a percentage of those who complain on r/stripe are breaking ToS, but it's evident that a substantial % are not. Stripe ToS allows them to profit from investing held funds. Once funds are held, nobody at Stripe responds. Has taken years for some to get their funds returned. I wonder how much funds they have on hold at any one time and how much they're making on it.
I am not sure smaller devs were given the option of self-scanning code. I always wondered what the point of that was, given that there is no way for Google to ensure that the scanned code was the version distributed, and even then, as soon as a minor update was released it would have been out of date.
Bingo! The whole thing is for butt-covering purposes. It's just so that when something happens, Google can then say "We followed $STANDARDS_BODY Policy #420.69, so we can't be held responsible!" Theoretically even Panic would gain a little butt-covering from it too. "Look, this vulnerability was so hard to spot that even these very professional security auditors missed it 8 years in a row!"
I don't use Google Drive and probably never will but FWIW Transmit is still one of the best all-around data transfer apps that exist. I always miss it when I am on my Linux workstation. Being able to quickly connect to an S3 bucket and dump files and edit their permissions is a huge plus. Not to mention basic SFTP access like Cyberduck or Filezilla would do. I have never regretted my purchase of Transmit, it's great!
Same. I used to pirate it back when Serial Box was a thing and I was a broke college kid, and I've been licensed since growing up. An essential tool. I would say it should be built into the OS, but that's a joke since modern-day Microsoft and Apple could never provide such a useful tool without sanding everything down to a smooth minimalist surface with no discoverability.
This is both a curse and an opportunity. Compliance is one of those things that is costly and time-consuming but can lead to entrenchment in certain industries. I worked for a client eons ago that went through the enormous hassle of HIPPA compliance and now it is a bit of a moat for them. Having SOC 2 compliance almost feels like table stakes for b2b SaaS these days.
It does disgust me that Google is going this route. I wonder how much influence is coming from governmental agencies. It is possible they are being forced in some way based on some kind of KYC-like requirements. Or perhaps the volume of bad actors is even higher than I imagine and Google is being forced to do this just to keep the lights on for the API at all. But the fact of the matter is that they are offloading the cost of whatever compliance they need onto their platform users, the people who are spending time and effort to improve the Google ecosystem. It feels petty and short-sighted but I suppose that Google has shifted into an extraction phase on behalf of their investors. We'll probably see a lot more of this kind of nickel and diming from them.
Having recently had an infuriating experience with an Android app submission, it seems there's a horde of people in a similar jam, running the senseless bureaucratic review process gauntlet: https://www.reddit.com/r/androiddev/comments/1ck1wyp/did_goo...
I just dropped support for Android on my app. From now on it will be iOS only. That’s where all the users willing to pay for apps seem to be anyway any dealing with Google bureaucracy just isn’t worth it.
I'm not familiar with Panic, but the blog post really should explain why the require "full access to users’ files on Drive" and moving to a reduced scope isn't viable.
Transmit is a file transfer client (like FTP). It needs access to your entire drive because you might want to copy something to/from anywhere in your drive.
Raising the barrier for access like Google has done feels very anti-small company. Sure, it's more secure, but I have to wonder if they could improve security without excluding smaller companies like this. Seeing as it's Google, they probably could and specifically choose not to.
Before anyone else does this... make sure people actually use it enough to invest the time and money into it.
I mean for Apple / Android / Windows? app store reviews you often don't get much choice (not until EU laws are fully complied with anyway), as I've found out the hard way over the years developing apps.
> we would now have to pay one of Google’s business partners to conduct the review
This is straight out of the IBM playbook. Did Google pick up some IBM flunkies recently?
What a terrible business practice. This was a company that once proudly displayed the motto, “don’t be evil” and even proved itself in various situations. Those days are long gone as the company is filled with more brain dead, unimaginative MBA flunkies.
I think its totally reasonable. If google wants to make drive functionality expensive and annoying for devs to include, then devs are going to drop support.
I appreciate that this seems to be some additional security for drive access which is ostensibly a good thing but it doesn't seem like the review is very useful or catches any bad actors or errors.
I think if there is one "value" that stands out from Google's culture (as it is reflected onto its customers) it is tremendous lack of empathy.
- Google maps appears to be designed by non-drivers. Much of hte time it is impossible to find out the name of cross streets near one's location by zooming in. Pins get added accidentally and are hard to categorize and find, there is no notion of neighborhoods, and the voice directions say the same redundant thing over and over (and it is often misleading). No intelligent person could design the product that way if they actually used it.
- Google's parental control features in android lack granularity, and the bias is toward kids watching garbage content as there is no way to share curated lists or for creators to become curators of high quality youtube content, etc. For anyone with young kids this is a must have feature and Google has ignored this kind of thing for years. Also if your kid's phone dies there is no way to remove it from the FamilyLink app! Someone really tested it thoroughly!
- Google Home / Nest. Exceptionally buggy devices. Basic functionality like shared speakers (all Nest over Nest wifi) are buggy and slow. "Hey Google" takes an extra few seconds to respond compared to Alexa and none of it is compatible with Google Advanced Security (Google's own feature!). Nobody building this tech is using it at home or else they would be furious about these big oversights.
- Gemini in Gmail is a total dud. It can't tell me what upcoming events are listed in my email inbox. It biases toward searching the inbox, and GMail inbox search has been highly broken for years. I participated in a user study at Google a while back and the PM admitted it was broken and would not be fixed.
Google is now a cash cow advertising business and thanks to Eric Schmidt (a brilliant but morally lacking individual) it has become a major defense contractor.
Thanks to OpenAI and others, Google search is already dead. The market hasn't caught up with this yet. I sincerely regret making gmail my main email, as the company seems to have completely lost its way. In spite of a lot of brilliance the lack of empathy with users and the need to deliver products that solve problems continues to persist.
Sure does. The article even says, on the first screenful of text:
> You may have seen iA Writer’s announcement that they are stopping development of their Android version for similar reasons. Our experience was different, but our circumstances are similar. While Google Drive may not be the most popular connection option in Transmit, we know many users rely on it, and we often use it here at Panic to send and receive files from the game developers we work with.
This is death kiss to indie developement.
But paradoxically it is great. Killing interoperability is nail to coffin. This brings more and more focus to alternative solutions out of Google market, especially in independent software area. Like yt-dlp, FreeTube, F-Droid - actually all my family uses them and I recommend it to everyone. I can't wait to get some alternative GDrive client lib which simulates browser to throw data over that garden wall, and I don't care if it nags with captcha. The more hassle the more people are going to hate that ivory tower.
[0] https://www.ghisler.com/googledrivehelp.htm
reply