Google Warns Users About "Unsafe Sites"
Dynamoo writes "The BBC is reporting that Google will start to warn users about unsafe websites, in particular those that host spyware or have privacy implications. The technology to do this has been developed in partnership with StopBadware, and appears to be an alternative to the popular McAfee SiteAdvisor application. Perhaps this will help curtail slimeware ridden sites from peddling their wares. But it will be interesting to see how Google rates some of its own products, including the potentially risky Google Desktop."
If you don't want to RTFA, you can follow the link to Google's policy here:
www.goatse.ru
-THE END-
If you thought Google had a lot of lawsuits when altering pageranks of linkfarms, wait until limewire et al start suing Google for "defamation".
A "screensaver" site isn't going to get much traffic on page 1000.
This tagline is copyrighted material. Please send $10 for an affordable replacement.
In my opinion it's like saying I am a risk because I have arms. Potentially I could strangle someone with them.
their WWW browser and/or OS is unsafe in various ways. We know that IE and Windows is not the safest combination, but looking at the recent string of security holes in Firefox/Thunderbird shows that this is not particularly safe either.
Why not fix the software and/or its default configuration so that it is safe to use?
Google Desktop isn't unsafe in any way. Google fully discloses the fact that they'll be rooting around in your hard drive and mixing data from there, with data from their servers, for the purposes of providing a local Google search to you on your own machine.
There's nothing wrong with people who are willing to voluntarily give up some measure of their own privacy in exchange for a service provided on that data -- I use Gmail for all of my e-mail, even to the point of forwarding multiple accounts into my gmail inbox, and don't think twice about the fact that somewhere, Google is reading and storing it.
The problem arises when people aren't informed their privacy is being tampered with...malicious web toolbars and cursor packages, Gator, etc. No anti-spyware application I've seen to date has detected Google Desktop (granted, I've only seen 3 machines that actually used GD) but that says something to me.
Google Desktop and crap-ware ridden screensavers have nothing to do with one another. Summary is a google-bashing troll, at best.
Beware of the Leopard.
Or even better still, read the Google cache of the site with all the bad stuff removed. That would be trick!
I'm sure my letter of commendation, along with Google stock options grant, is arriving any moment now.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
But it will be interesting to see how Google rates some of its own products, including the potentially risky Google Desktop."
From the article:
Google confirmed to ZDNet UK that data was temporarily transported outside of businesses when the Search Across Computers feature was used, and that this represented "as much of a security risk as e-mail does."
And also...
Gartner has recommended that businesses use Google Desktop for Enterprise, as this allows systems administrators to centrally turn off the Search Across Computers feature, which it said should be "immediately disabled."
In other words, mostly harmless.
Like Financial Services companies that used to advise their clients to buy their company's own investments, I can easily see how Google getting involved in this could be a quagmire. As the summary example pointed out, what happens when Google's own software is dangerous? Do they have to face down their own rating service to get it out there? Chances are... they won't. They will assume that all Google software is "Good" software.
Fair enough, since I guess you can assume that Google wouldn't be actually creating malware on purpose. If you just single out those sites with the 1000 porn banners that try and install virii and spyware on your computer, Google won't have a problem. However, I think, the real problem for most users is not sites like that which are obviously dodgy, it's the sites that look clean and professional that seem to have a legitimate purpose for their software, and often those proprietors are quick to try and play up their legitimacy. When Google marks them as "bad", you can expect lawsuits.
While I find that this may be a big plus for a search engine that can be perceived as impartial to software makers, as Google becomes a notable software maker itself, it may be an issue. It certainly could leave them vulnerable to the charge of conflict of interest as time goes on.
So you want searches for, say, "Big Tits" or "Wet Pussy," to go to birds and cats? Perhaps the family filter could be improved, but I don't think that should reflect on what the non-prude searcher sees. Unless the page title is deceptive... but that will be pageranked down anyways. No one except other low rank affiliate sites would link to it in similar deceptive terms. But hey, better results for relevant stuff is always nice, wouldn't complain about that.
I have freaks! I did something right...
Why not give users feedback about their browser or the browser compatibility of sites? I think it would be nice if Google would tell IE users with Active X on that a site they're about to visit contains Active X and may be a threat to their system.
Better yet, consider standards compliance and accessibility when ranking pages.
If Google wants to use their position to police the Internet, why stop with Spyware. Test whether people have a secure browser and tell them when they don't:
"FYI, your version of IE is 3 years out of date. Please go here to upgrade it, or go here to replace it."
They could fix a lot of the problem right there.
Some people have a way with words, and some people, um, thingy.
and that's entirely due to the fact that it is not
The first result in a search for "Serial Box" Serial Box gives an example of the new behaviour. A page headed "Malware Warning" appears and warns you the page you are about to visit may harm your computer.
Because google [claims it] doesn't alter search results. Flagging them doesn't technically alter them (it just displays a bit more information), but moving them to the bottom of the pile, so to speak, is.
But what if your site was somehow rated as "spyware-filled", when, in fact, it wasn't? Would you rather be flagged as dangerous, or would you rather be sent to the bottom? At least the flag can be ignored.
I don't think they want to modify the page ranks just because a site contains something harmful. It's my belief that they just want to make it a little better for the average internet newbie.
DANGEROUS KEYWORDS
Free screensavers
Bearshare
Screensavers
Winmx
Limewire
Lime wire
Free ringtones
Where is 'advertisement?'
He who knows best knows how little he knows. - Thomas Jefferson
... like AOL.
Naturally they wouldn't; I don't think one should consider programs that tell you what they are going to do as spyware; the whole definition of "SPY" is lost.
Music, my drug; dance, my ecstasy.
The original post never implied that searches for porn should turn up anything else but porn. It just said that if you search for kitty cat that you shouldn't get a bunch of bestiality websites. Now if you searched for "kitty cat porn" then fine.
If Google flags sites for using Javascript, then they'd better make sure http://google.com/ is flagged!
...following the principles of Heisenburger's Uncertain Cat...
What is it with the anti-javascript/flash attitude here? Properly managed use of Javascript is fine. Yes, it has more holes than swiss cheese, but it is so easy to disable and manage with firefox and the like; why claim that ANY site using Javascript is a "potential security risk"? The same goes for PHP, Flash, and every other web technology that has potential security holes; surely, nine outta ten times, the benefits outweigh the risks. Yes, AJAX is overhyped, but Javascript is in its name for a good reason.
They'll flag sites that deploy malware, spyware, and other junk. They'll flag sites that use unrestricted javascript and dangerous security workarounds. Not everything. Blanket labelling would only cause annoyance.
Granted, there are privacy concerns to some users but there is a huge difference between Google Desktop and Spyware Applications. .....spyware refers to a broad category of malicious software designed to intercept or take partial control of a computer's operation without the informed consent of that machine's owner or legitimate user.....
From wikipedia:
Everything that Google does with Google Desktop is fully disclosed. Additionally, the concerns of Google Desktop are legitimate features that offer an experience to the user that is desired. Spyware concerns offer nothing of any benefit to the person using the infected computer.
How do you handle sites where the bad pages are hidden behind a robots file? The front page may be crawlable, but the page with the malware isn't.
How do they handle redirects? If I have a site that redirects a user to bad content, is the original page flagged as bad? Combined with a page that isn't crawled, how would they know to flag it?
How are they going to handle any obfuscation that takes place? Or handle new malware? This might not be a show-stopper, but I think it is a technical issue that should be addressed.
How are they going to handle the lag between crawling and new content? My server gets crawled about once a week. So I would have ~6 days to host bad content before switching it back to look legit for my next Google crawl.
What system are they going to have to handle complaints or appeals? If my site is flagged incorrectly, Google is taking a risk of liability by flagging it that way. It seems that if they take due diligence to keep the false positives low, there will be an increase in false negatives.
These are just off the top of my head and I am sure there are a lot more issues that I haven't thought of.
Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
But what if your site was somehow rated as "spyware-filled", when, in fact, it wasn't? Would you rather be flagged as dangerous, or would you rather be sent to the bottom? At least the flag can be ignored.
If Google reported my site as "spyware-filled" and it wasn't, I'd want Google to fix it. As long as they have a straightforward and reasonably quick process for dealing with false positives, I'd be glad if they moved spyware-filled sites to the bottom of the list, if not off the list altogether (perhaps by a check box, as mentioned in another post).
This tagline is copyrighted material. Please send $10 for an affordable replacement.
Find me one person that said "damn computer, I need that claria product to make it useful"
If so motivated I could find you at least 100 people that I know that would agree with that statement. They are not the smartest people not the kind that know what slashdot is, but they exist. They download whatever looks like it might make using the computer more fun, then they get confused when strange things start happening to their computer and they call me to fix it. I do, remove all of the crap, explain to them why they had the problem and get called with the same problem in another month because they replaced the programs I removed.
Well.. maybe. Or Maybe not. But Definitely not sort of.
Mod parent up plzkthx! Agreed and... agreed! Why /don't/ we just remove all dynamic functionality from the web? *tongue firmly in cheek*
"For everything, there's Rupees. For everything else... there's Master Sword."
People like you starting to censor things on the web for the rest of the world..... how about a little self censorship for you and your family.
i'll keep your box closed for now.
There's nothing Intelligent about Intelligent Design.
WindowsUpdate? Would I see a warning screen?
The only true way to surf the web is to not log on at all.
But for those who just can't go cold turkey. Best way to stay safe is use hardware firewall and/or new wired router, software firewall, and VMWare's Browsing Appliance with ubuntu.
IMHO Google could very well offer a choice in that matter; vis a vis seeing the site as flagged or relegated to the bottom. Just a check box in one's preferences. Google is under no obligation to anyone other than their stockholders to do squat; they are not a public utility nor a monopoly so they can bloody well use any method to rate sites they want and Devil take the hindmost; no one is obligated to use them.
"Everyone is entitled to their own opinion, but not their own facts."
Sounds like a hit-and-miss to me.
And regarding a "please check me, I promise I'm not spyware" button, that's not something Google would do. If they discover a Google-bomb, they remove it from the database. And once something's done, Google has a history of not undoing it.
I use the firefox plugin made by McAfee from http://siteadvisor.com/. It labels results in Google with a color coded system based on a few ratings. They test on website safety (pop ups, fraudulent practices, browser exploits), safety of downloads and spam on submit information. Google's new feature breaks that and is less informative. I think Google is doing something good but I'm not sure their execution is the best. I would hope it would be a search preference but I guess it's in Google's best interest to keep spyads down and their ads up not to mention the faster we can surf the more Google ads we see. I also don't imagine it would be long before Ads show up on the warning pages. I wish there was more info on testing and rating for the system.
Eih. Let the spyware infect your machine. The pages I view causes most spyware to go blind in seconds anyways.
I'm waiting for a site to put a virus on their page that destroys a google server once their site gets on the cache! Haha!
Ginga no Rekshiya Mata Each page.
But they have a reputation to keep if they're going to keep visitors and ad-impressions. Showing integrity is one way to do that.
This is a good idea. Being notified of bunk sites during searches will be great.
[%] Cingular Ringtones
I wasn't saying that he was. I was just saying that there are ambiguous terms. If you don't want such images, then there should be a filter, or it should be obvious in the link text that it is a dirty site. And just how dirty of a dirty site would you want removed? What if you are searching for information on pornography, and don't want to see smut? Your proposal would separate searchers into perverted and non-perverted, rather than prudish and non-prudish. A separate filter would enable the most control over what you see and what you don't see.
I have freaks! I did something right...
If you were searching for "Pandoras Box" you probably were getting porn....
Maybe so, but who goes to google to search for google?
But how would you know it was marked if it's on the bottom? Do you periodically check the 1000th page of a google search you believe your site should show up under to see if it's marked "spyware!"?
Let's assume I have a commercial site. It normally comes up within the first two Google pages for a certain search. Suddenly, it doesn't come up even in the first three or four. Since it's my page, I could presumably craft a specific search to narrow things down. If I clicked on it and Google warned against spyware present on it, I would have a good idea what happened to its placement if such a rank-dropping method were in place.
This tagline is copyrighted material. Please send $10 for an affordable replacement.
Grease Monkey script that saves you a mouse click: http://johnbokma.com/firefox/greasemonkey/google-unsafe-sites.html
Perl Programmer for hire
Well there are other spots too. For example if you want Game Hints, (Many of those have Spyware), checking out some "Funny" stuff that a friend forwards you, or some other sites where the site owners don't ask too many questions about the ad and revenue they get from it. Sure CNN and FOX News won't be filled with the crap. But the smaller web sites do. Also when you are searching for information on google sometimes they just bring you to the wrong spot because they found out how to get themselves ranked higher in google so you click on the link and bang you're infected.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
This is one of those ideas that sounds good in theory, but isn't likely to help much in the long run.
The reason it won't work very well is that all the malware sites have to do is present a non-malware version of their pages to google's spiders. If they don't see the malware, they can't know it is there for everybody else.
So, at first we will see Google correctly identify malware sites, and that will be effective for just long enough that people will come to expect that sites without a malware warning are safe. By then, someone will have come up with an automated system for giving google a "clean" version of the website and serving malware to everyone else. This automation will spread rapidly and then google will no longer be effective - but now some number of people will have started to rely on google's warnings (or rather lack of warning), thus making them more vulnerable than before.
I think another poster's idea is much better - include malware detection as part of the pagerank score. Don't advertise it, don't spell it out, just do it. Malware sites will sink to the end of the search results (where they belong anyway since they are rarely useful for anything but malware distribution). Eventually the malware distributors will figure it out and start feeding "good" pages to google's spider - but at least no regular users will ever be lulled into a false sense of security by thinking that the lack of a warning is an indication of safety.
Or not. http://www.google.com/search?q=pandoras+box
How DARE Google provide information that others might possibly use to censor the content of sites they don't want to visit and which in no way hampers my ability to still continue to effectively use Google as my Trojan/Virus/Mal-ware/Porn/Ad-ware portal.[/sarcasm]
I'm all for the increase of providing users with link ratings. If Google, or anyone else for that matter, has information that can help users judge whether or not to visit a site, as long as it is moderated and ratings can be reversed if inaccurate, then why not provide such information? Ratings, in any medium (AGAIN AS LONG AS THEY ARE MODERATED AND CAN BE REVERSED IF INACCURATE), do not constitute censorship but simply put control of participation into the hands of the audience, where it belongs, instead of the artist.
Faith is a willingness to accept something w/o complete proof and to act on it. Reason allows you to correct that faith.
It still amazes me that screen savers are not run in virtual machines. They are a well known malware vector. They only kick in when you are not actively using the machine, so the overhead is largely irrelevant. There are very few reasons for a screen saver to access any resources that are not internal to the screen saver package. If you had to specifically allow access to shares via the OS for things like picture slide shows, the only damage a screen saver could do would be to eat too many cpu cycles. Given the non-critical nature of screen savers, this seems like it would be a good security/functionality trade off.
If I would have been warned about goatse many years ago, my life would be much better. I don't think it is malware, but it is definitely foulware.
The real solution would be to completely remove these sites from the search results and sponsored links. They already remove plenty of sites they think are "spamming" the results, but they won't remove their bread and butter crapware from their sponsored links.
-- these are only opinions and they might not be mine.
Google bans sites which return different results for normal user-agents and for the Google search-bot.
"The human race's favorite method for being in control of the facts is to ignore them." -Celia Green
Don't give the slimeware merchants ideas. It's treasonous! You're letting the terrorists win!
The majority of ads, especially obnoxious interstitial and animated ads, use Flash and/or JavaScript. No thanks.
surely, nine outta ten times, the benefits outweigh the risks.
Interesting, my assessment of the risk to benefit ratio is completely opposite. But then, I'm a sysadmin who is responsible for security at several organizations, and I've spent too much time cleaning up infected machines at client sites to have any illusions about the nature of the risks.
"The human race's favorite method for being in control of the facts is to ignore them." -Celia Green
You, sir, have swallowed someone's propaganda hook, line and sinker. Some sites do use porn to trick people into installing spyware, but they are just one of many types of sites that do this. I've gotten to know a number of porn site webmasters over the years and nearly all of them absolutely hate spyware.
I do spyware and antispyware testing all the time as part of my job. I go to sites with ActiveX installers or that exploit browser flaws and let a virtual machine become badly infected and then run various tests.
Not once have I ever had to go to a porn site to do this. Wrestling fan sites, yes. Serial number and warez sites, yes. Screensaver sites, yes. Certain "ad-supported free hosted" sites, yes. Porn, no, not once.
Only on
Google bans sites which return different results for normal user-agents and for the Google search-bot.
Labelling it "malware" will have the same effect as banning anyway, so they will have nothing to lose. Google can only ban a site if they catch it.
Plus, there are clearly exceptions - news sites that let google index content that normally requires a username/password. I used to regularly get into such sites simply by setting my user-agent to that of the google spider. That doesn't work so much anymore since they wised up and now probably check the source IP too.
But it would be trivial for the malware site to do the reverse - google spiders run into authentication requirements to get to the badware pages, but everyone else can get in without authentication.
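An added example, not part of any comment above and not Google's method: a defender-side check for the cloaking the thread describes, comparing what a site served to a crawler with what it served to an ordinary browser. The `Response` record, function names and sample pages are hypothetical and constructed; as the comment above notes, sites may also key on source IP, so the two captures have to come from genuinely different vantage points.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse


@dataclass
class Response:
    """One fetch of a URL (hypothetical record; fill it from your own captures)."""
    status: int
    location: str   # Location header, "" if none
    body: str


class _Features(HTMLParser):
    """Collect visible text and the hosts that supply active content."""
    ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.text, self.hosts = [], set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        url = dict(attrs).get(self.ACTIVE.get(tag, ""))
        if url:
            self.hosts.add(urlparse(url).netloc or "(same-origin)")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies are not visible text, so skip them.
        if not self._in_script and data.strip():
            self.text.append(data.strip())


def features(body):
    parser = _Features()
    parser.feed(body)
    parser.close()
    return " ".join(parser.text), parser.hosts


def compare(as_crawler, as_browser, min_similarity=0.8):
    """Return a list of differences between the crawler's and a browser's view."""
    findings = []
    if as_crawler.status != as_browser.status:
        findings.append(
            f"status differs: crawler={as_crawler.status} browser={as_browser.status}")
    if as_crawler.location != as_browser.location:
        findings.append(
            f"redirect differs: crawler={as_crawler.location!r} "
            f"browser={as_browser.location!r}")
    c_text, c_hosts = features(as_crawler.body)
    b_text, b_hosts = features(as_browser.body)
    extra = sorted(b_hosts - c_hosts)
    if extra:
        findings.append("active content only in browser view: " + ", ".join(extra))
    ratio = SequenceMatcher(None, c_text, b_text).ratio()
    if ratio < min_similarity:
        findings.append(f"visible text similarity {ratio:.2f} below {min_similarity}")
    return findings


# Constructed sample responses (not captured from any real site).
PAGE = "<html><body><h1>Free screensavers</h1><p>Nature gallery.</p>"
CLEAN = Response(200, "", PAGE + "</body></html>")
CLOAKED = Response(
    200, "",
    PAGE + '<iframe src="http://installer.example/setup.html"></iframe></body></html>')
AUTH_WALL = Response(401, "", "<html><body>Login required</body></html>")

if __name__ == "__main__":
    print(compare(CLEAN, CLEAN))        # same page served to both
    print(compare(CLEAN, CLOAKED))      # extra iframe served only to browsers
    print(compare(AUTH_WALL, CLOAKED))  # crawler is kept behind a login page
```

The last case is the "reverse" trick from the comment above: the crawler hits an authentication wall while browsers get the page, which shows up as a status mismatch rather than a content difference.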
And therein lies the problem. They're entitled to do this - but all references to free speech etc, they're making a statement that it is the intention of a site to harm. That's a material statement that could well have material damages associated.
To be fair, plenty of dodgy warez sites have porn advertising, which makes them essentially porn sites (a website with pictures of women showing their bodies to turn you on is a porn site). Porn advertising is a good indicator of sleaze and not caring about who advertises with you. Paranoia is partially justified here.
:)
Me, I like porn too much
No, they're saying that the particular website has been reported to the Stop Badware coalition, and MAY contain spyware. If the site has actually been falsely reported to the coalition, Google still isn't lying per se. I'm not sure if this would protect them or not though.
Name me one Google product that sends your data to Google without your permission, and without you having to manually turn on the feature (as is the case with Google Desktop).
W3C's standards are documented. IE's "standards" are not.
Centralization breaks the internet.
Who cares? It could send copies of your credit cards to IRC warez channels, but I still doubt that Google would say "hey, stay away from that desktop search of ours - it's bad juju!"
Dewey, what part of this looks like authorities should be involved?
So? Anything could happen in the future...Microsoft could bundle spyware with Windows even. I'm just saying that Google would have no reason currently to label their own software as spyware, because it isn't spyware, so your prediction is probably right, but not for the reasons you implied. Microsoft could do the same thing with MSN, and Yahoo! could intentionally not label their spyware infested toolbar as spyware, but until they or Google actually do something to that nature, this conversation is pointless. That was my point.
TrustWatch Search extension. Does something similar. Focused on phishing not malware but also not limited to Google.
Disclaimer: Other verification providers are available
And behold, a command prompt and he who sat upon it, his name was shutdown and -h 3:11 followed with him
I sympathise. As an individual user, on my single home computer, and with the knowledge to look after and protect my own machine, it's a completely different scenario. Out in the business world, Javascript and Flash are big no-nos, with maybe one or two exceptions (overdone web design on a site you need to access, such as a client's site).
Being a sysadmin nowadays has more in common with being a plumber than an engineer: it's amazing just how much crap appears when something goes wrong with them "pipes". :-)
"The human race's favorite method for being in control of the facts is to ignore them." -Celia Green
On various areas of a site, I may use javascript to make the UI easier to navigate by popping up dialogs etc. As a backup, there are also scriptlets that will display the same in-page dialogs, it just takes a bit longer that way since you have to submit data back-and-forth between the client and server.
XMLHTTPRequest, a feature created by Microsoft in Internet Explorer 5 and now the cornerstone of AJAX development, is pretty well documented.
Most of what IE does is a mystery, but Microsoft deserves some credit for starting the trend of "let's rewrite an otherwise stable, reliable application in JavaScript" that has generated untold millions in venture capital for Web 2.0 bubble companies.
For more information, click here.
You make a good point. I was thinking about IE's weird CSS interpretations.
Centralization breaks the internet.