Slashdot Mirror
Chrome Is Scanning Files on Your Computer, and People Are Freaking Out (vice.com)
Some cybersecurity experts and regular users were surprised to learn about a Chrome tool that scans Windows computers for malware. But there's no reason to freak out about it. From a report: Last year, Google announced some upgrades to Chrome, by far the world's most used browser -- and the one security pros often recommend. The company promised to make internet surfing on Windows computers even "cleaner" and "safer" adding what The Verge called "basic antivirus features." What Google did was improve something called Chrome Cleanup Tool for Windows users, using software from cybersecurity and antivirus company ESET.
[...] Last week, Kelly Shortridge, who works at cybersecurity startup SecurityScorecard, noticed that Chrome was scanning files in the Documents folder of her Windows computer. "In the current climate, it really shocked me that Google would so quietly roll out this feature without publicizing more detailed supporting documentation -- even just to preemptively ease speculation," Shortridge told me in an online chat. "Their intentions are clearly security-minded, but the lack of explicit consent and transparency seems to violate their own criteria of 'user-friendly software' that informs the policy for Chrome Cleanup [Tool]." Her tweet got a lot of attention and caused other people in the infosec community -- as well as average users such as me -- to scratch their heads.
[...] Last week, Kelly Shortridge, who works at cybersecurity startup SecurityScorecard, noticed that Chrome was scanning files in the Documents folder of her Windows computer. "In the current climate, it really shocked me that Google would so quietly roll out this feature without publicizing more detailed supporting documentation -- even just to preemptively ease speculation," Shortridge told me in an online chat. "Their intentions are clearly security-minded, but the lack of explicit consent and transparency seems to violate their own criteria of 'user-friendly software' that informs the policy for Chrome Cleanup [Tool]." Her tweet got a lot of attention and caused other people in the infosec community -- as well as average users such as me -- to scratch their heads.
If there's nothing to hide and this is only scanning for viruses, why not notify users and GIVE THEM AN OPTION? Even if it's "only" an anti-virus, having one AV running on top of another tends to slow older hardware down.
And what kind of performance hit do I suffer when this happy surprise software runs on my older computer? Do I get to choose when it runs?
When someone says, "Any fool can see
...For forgiveness than for permission."
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
So the Chrome Cleanup Tool for Windows doesn't remove registry enteries after a failed uninstall?
Why are people freaking out? You let Google run whatever software they want on your computer. They might be reading all your files and sending them to their servers. How would you know? If you care, why would you run Chrome? What a mess this industry is in now. People should have listened to Stallman. Instead we have "open source" Chrome and Android.
This is google creating malware. Just because it appears benign doesnâ(TM)t imply this isnâ(TM)t dangerous. If they are willing to do this, what else are they willing to do without notification?
Does anyone know if current builds of Chromium do this?
Why the f*ck is my web browser trying to be a virus checker? If i wanted that I would get a virus checker.
This kind of idiocy, however well intended, is why we have computer f*cking about SWAP SWAP SWAP SWAP instead of getting on with useful tasks.
Would be most important to me. Back when, I'd go into the quarantined folder to get my Keygens back out.
what item to buy from the next ad you see with out Google help. Come on Corptizen you want to do all the figuring out yourself and not have Google selects the right choice for you.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
I've got AV, and I've got it set up how I want it, I don't need google deciding it needs to screw with my system just because I use their web browser.
At the very least, it needs to be simple to opt out of, which it doesn't seem like it is.
If you want not to be spied on, you need to seriously up your game. You assholes use Chrome and expect not to be spied on? How stupid are you all? I pitty you.
Don't use Google products, at all.
Don't assume any other product is safe.
Alright, fuck it. You people are not smart enough to maintain privacy.
The truth is, you people are not smart enough, and those who are don't care.
Fuck your privacy. If you don't understand TCP/IP , you're done.
Fuck you, for good measure.
0.0.0.0 *.scorecard.*[net,org,com,biz,*]
You know they are remotely storing metadata about what it scans.
Their intentions are clearly security-minded, but the lack of explicit consent and transparency seems to violate their own criteria of âuser-friendly software' that informs the policy for Chrome Cleanup [Tool].
This is the difference between wanted security consciousness and hiding what you're doing to a customer's computer. Communication. If Google had come out and said they would add this to Chrome, before a security researcher came out with this information, no one would have cared or looked twice. It's all about communication. Tell people what you're up to, otherwise, we freak out and assume the worst.
They can hire me as a chef, but in between my cooking duties I'll rifle through everybody's office looking for dangerous things. No need to panic - I have only good intentions at heart. What, you didn't think a chef should also double as your security detail?
I use Eset and purchase their antivirus software on a reg basis and i trust them but i don't for life of me Trust that google is only "scanning for virus's". Given how recent revelation I heard how good pretty much will track gps of where you been and save it for years. Also if sites you visit even when using incognito mode, only thing this tells me its harvesting more info on end users. this video kinda tells you exacty what they collect about you on a reg basis and its kinda scary: https://youtu.be/Ke1gViMc2dY?t...
I only use Chrome for accessing sites which require it... or require Flash. Otherwise, I steer clear of Chrome.
It's also an object lesson proving people right who've consistently argued that Chrome (on the Mac, at least) shouldn't be given the default admin permissions it asks for to "keep itself updated". It's true you shouldn't trust any company too much... but you really can't trust an advertising company to not put its hands in the cookie jar if you've placed it conveniently within their reach.
#DeleteChrome
Your ISP is collecting your data. Your OS is collecting your data. Your search engine is collecting your data. Advertisers are collecting your data. Your browser is collecting your data. The NSA knows what I'm thinking before I do. So now everyone knows the size of my bank account, my shoes, and my dick. Hardly seems worth all the trouble. We've created this huge surveillance network ostensibly so they can market shit to me. Yet, I ignore 99% of the advertising that I see. And the network is predictably (also predictedly) leaky as fuck. Several of my unique passwords and all my identity information is probably floating around in dozens of nefarious databases. Are we better off?
Google acquired Gizmo project, an open SIP Skype alternative, back in 2009. That was also scanning the whole computer for some reason.
And they are not part of the metasploit package... unlike almost every other antivirus app.
[($)]
Why does Chrome allow dangerous extensions to be installed and let ads through when it shouldn't in the first place?
In the settings page, chrome://settings/cleanup
The option is "Report details to Google" and it defaults to being Checked. When I uncheck it, then eventually shut down the Chrome process (on Windows), then restart Chrome and verify its status, it remains as Checked.
So, essentially, this option cannot be disabled except MAYBE momentarily. Is it a feature or a bug?
https://wikileaks.org/gifiles/docs/12/1264544_fwd-ignorance-is-futile-about-google-.html
APK.
APK.
APK!
RUN!
A/V is so 1990s.
Perhaps it is time to use a browser that only has 5 known security bugs?
Tried lynx yet?
Perhaps it is time to use an email program that has no known security issues?
Tried neomutt yet?
Stop following the uninformed crowd with your OS choice. Choose smarter.
It should be up to the user to decide what a given application has access to outside of standard binaries and user-app-data folder sets. If one wants an app to have access to stuff outside of those, then it should be an OS-level setting, not something the app decides, similar to a fire-wall.
If the app wants to show a tutorial to users for how to config their "folder fire-wall" to allow an app to outside of the sandbox, that's fine, but it should be outside of the app's control still.
Table-ized A.I.
Good analogy, but this is /., and we do car analogies here. This is like buying Michelin tires than having them rifle through your trunk.
They can hire me as a chef, but in between my cooking duties I'll rifle through everybody's office looking for dangerous things. No need to panic - I have only good intentions at heart. What, you didn't think a chef should also double as your security detail?
Sounds like a Navy SEAL with karate and explosive skills turned cook https://en.m.wikipedia.org/wik...
my karma will be here long after I'm gone
what is so-called AV scanning?
They're looking for file hashes. It's not just AV, it could be hashes of kiddy porn, government documents, exploits, etc.
The question is, are they "quarantining" the files and uploading them for analysis like Kaspersky did with the NSA guy who walked out with 0-day exploits?
I once created a blog for various rants with Google services and associated a grotesque avatar with it. It was the only Google service I used at the time. A couple of years later I created a gmail account, and linked my phone to it. People then complained that they saw the grotesque avatar on THEIR phone whenever I made a call. It took me a while to figure out how to disable it, and it seems local Android caching added to the cleanup delay. Other info also was visible across services, including Youtube, and relatives reported similar.
This is when Google was trying to out-Facebook Facebook at all costs, and tried to force sharing to kick-start their "social network".
In short, they shared my info across services without asking, or at least not making it clear. I'm hesitant to use Google for anything sensitive or controversial. They created an anti-social network; screwem!
Table-ized A.I.
It would be a security improvement to prevent it from doing so.
Let me ask a really stupid question.
Imagine you were browsing the web minding your own business. Next thing you know all of the sudden your browser flips out opening windows warning you about viruses on your own computer would you believe it? For years we keep telling people not to fall for this shit.
Now this... just the uncertainty / phishing leverage alone of browsers doing AV the mere fact this feature exists within a browser puts end users at massive unnecessary risk for no valid reason. Google could simply release a standalone virus scanner if they really gave a shit.
Try Googling chrome and virus scanner.. The results speak to why doing this is a really really bad idea.
My personal opinion every means by which data is exfiltrated requires some cloak of legitimacy. You can't just have shit rummage through everyone's computer for no reason. You'll be publically skewered and sued. There has to be a plausible enabling excuse hence the virus scanner nobody knows about. Oh look our scanner found something interesting ... there was no prompt asking the user whether they want their computer scanned in the first place so why does anyone think there would be a prompt before your data (or "metadata") starts getting uploaded to Google "for your own good" ?
As you may have guessed I don't trust Google enough to run any of their software on my computer. Those who prefer Chrome should consider Chromium.
Google knows you better than you do, and after spying on everyone Google seems to think all Chrome users need more anti-virus protection.
That kind of proactive behavior (on behalf of its users, if you believe the PR spin), seems like a bonus to many users. "If Google can make a better product by spying on hundreds of millions of users and never really HURTING anyone, then good for all of us."
If you don't like it (like myself), there's always the ever-improving Chrome clone (Firefox).
Chrome is not able to handle file:// protocol the right way (a la firefox) because it is too difficult and nobody volunteer to scan the code after original dev resigns and then there will need to scan the disk ? Come on ! You're kidding me.
I would only run Chrome browser in a virtual machine to test websites I develop. Otherwise, I simply do not use it. IMHO, it likely spyware with a browsing feature. I confounds me is that most people use it as their main browser, as if the Google spy-widgets in half the sites out there aren't enough for them.
While Windows is of late too snoopy by default (if you switch to Basic it collects mostly hardware spec stuff which it's been doing since it offered updating back in the 1990s or XP), it would be very reasonable to assume Google and Facebook has far far (far far far) more on folks than Windows and Microsoft ever will.
Moreover, if one chooses and configures carefully, one can shut off the excessive telemetry stuff (yes you can) and still use from the Windows 10 family of operating systems relatively privately at least at the computer and operating system side.
I have many of Google's snoopy URLs deadsunk in a hosts file, and FB completely deadsunk except on one computer. They are in the business of snooping in a way Apple and Microsoft are not. So be wary of Google and Facebook. They are trying to be everywhere online watching what you do.
But to use Chrome !? As your browser !? Are you a dupe !? You've got to be kidding!
“For almost all users, this seems really harmless, and for those who are extremely concerned about Google seeing some metadata, maybe they shouldn't be running Google's browser in the first place,”
Deal, that's the last straw for me. What makes this so deceptive is the fact that they don't tell anyone about it.
I think everyone is getting sick of these big corps edging for more and more control over everything. They push and take as much as they can before being caught, and then ask for forgiveness later but only if absolutely necessary.
Chrome is not a virus scanner. Until it is, it should not scan. We need a, this program can't randomly scan stuff on my computer, bad program. Apple does this with iOS, and it it what make iOS apps easier to install with less worry about them.
Holy Moving Goal Posts, Batman!
Re- the claim that "some security experts recommend Chrome", frankly this is nuts. You can't be a security professional and not know that chrome is malware. The amount of information it gathers, the anti-privacy posture and sometimes plain crazy defaults, the fact that your browser asks you to sign in (so google can tie all your browsing information from all devices and without supercookies), the lack of transparency about what is done with you data - to name a few reasons. A few years ago, a browser like this would be treated like a virus. While nothing has changed security-wise, google has succeeded in convincing the consumer that it's ok for them to steal your information. Well, it's not.
I first really understood google when I got my first android phone. By default, and without any notification, they maintained my location history. This creepped me out. If anybody else did this to you, you could sue them for stalking and get a restraining order. Yet, google believe this is a reasonable default.
Ten years on, I don't use google products anymore - with maps being the only exception.
This is simply another reason not to install spyware on your system.
Their claim to be "helpful" and "protect" you is the same BS the Department of Homeland Security uses.
Straight out of Orwell.
It's Google, of course it's scanning you. For all of their talk, none of their stuff protects you from Google themselves, and they are likely the worst of all. As for the so-called 'security experts', fifteen years ago they were recommending Internet Explorer. You do the math.
If I were to be using chrome, this would have been a major problem for me. My documents are on a different drive, and that drive sleeps for most of its life.
(It's actually kind of funny that in 2018, on a new and wonderful build, It takes longer for me to open an mp3 or a doc file, than it did in 1985! First access of the hour wakes the drive, and between the time-delay and the drive spinning up and the case fans spinning up at the same time, it feels and even sounds almost like a floppy disk drive. It can be up to ten full seconds, though it's usually closer to five seconds.)
This feature in chrome would cost me major money, in terms of the life of my storage drives -- both HDD and SSD -- as well as the electrical expense, and the fan noise. It would also be a major curiosity and point of confusion as I'd be wondering why my machine were so active when nothing's being accessed.
Wheres the setting at? I don't have the "cleanup tool" installed and see no settings asking or telling me chrome is scanning my files..Chrome is not my default Browser btw.
Jack of all trades,master of none
Class Action: $1 for every piece of info.
This is just wrong. So how can we turn it off or stop it???? I don't care what good intentions Mr. Hitler, I don't agree with your party's beliefs that this is for my own good.
You think free things like Chrome, Firefox, IE, or things like "free" apps, websites and everything are free because these companies are giving it to you out of the goodness of their heart? NOPE...it's about DATA MINING.
Quietly release a virus scanner (in a browser?!?), get people used to it, and then start uploading analytical data, serve even more targeted ads.
Sounds like a wedge strategy to me.
I would have said:
" Nothing to be concerned about because if Google got caught doing something crazy like perusing all the files on your system, the backlash would be epic. "
These days, I've come to realize Google or Microsoft ( of their own design or at the behest of another . . . *cough* Intelligence Commmunities *cough* ) going through your effects with a fine toothed comb and flagging anything of interest they may find. If they get caught, they get a slap on the wrist, a reprimand ( with stern sounding language no less ) and their promise to never do it again. :|
Then, we simply wait until the storm dies out, and start again under a new name.
We truly can trust no one anymore because it seems that even the trustworthy are simply hiding the knife until we look away for a moment. ( No, I don't consider either G or M to be trustworthy, but there is always someone who loves to speak up when X gets caught doing something stupid claiming they would never do such a dastardly thing. Like DuckDuckGo or Tor or $League_of_anti_evil_corporation )
It really gets old.
For every thing that Facebook knows about us, Google knows a hundred things. Google wants to know EVERYTHING about EVERYBODY and that includes a detailed cataloging of every single file on your computer. Did anyone seriously think they'd bother asking for your consent?
I am more than a little shocked that a piece of closed source software would be able to slip something like this in. I don't think anybody anywhere saw that one coming.
If you're not running your web browser in a VM or a container, then you don't give a shit about your security in the first place, so this really shouldn't bother you. You're probably more concerned about catching up on the latest celeb gossip anyway. Go fire up that feed! There might be some breaking news.
Why is a fucking web browser scanning my files? Can you imagine if IE (cough, Edge) or Firefox did this?
How is what they are doing even legal? It sounds like a textbook definition of hacking (see reply title). Just because someone installed their browser does not authorize them to gain access to non-browser files. They let people connect to their servers, does that mean they authorize people to gain access to anything they can get access to through that connection?
I trust Google even less than Microsoft. While I have to use windows 7 (osx and Linux are a joke for the desktop) I don't have to use Chrome. Having Google scanning the contents of all my files is not OK. I already have a great Antivirus and I have male are bytes. There is no reason for Google to be scanning anything. I'll go back to using ie if I have to.
From what i can see most chrome and ue browser usage are due to being default on the OS/hardware they are on. I woukd wager a very small percentage use it as a conscious choice, OTOH i am relatively certain that is a huge percentage for non standard browser.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Let's all pray now for the poor souls that had "hate speech", "terrorist" material or pictures of their kids in the bathtub on their local harddrives and were "... reporting you to the relevant authorities." Amen.
Why don't people drop google, facebook, et al. like a hot potato?
Because people are inert, hopelessly dependent on the system. They fight to protect it.
That is why nothing will change.
We don't need/want governments to enact laws (Macron, etc.).
People need to look themselves in the ass and take their own lives into their own hands.
Same with the new visa requirements for the US. Just don't go !!! Just don't do it !!! For crying out loud - how difficult can it be ?!?!?!
"Their intentions are clearly security-minded"
Oh, are they?
No, Google. It's already hard enough to keep you out of my life without having a spy of yours (be it phone or browser) whithin my perimeter.
At best this is a bug. At worst it's malware.
They can hire me as a chef, but in between my cooking duties I'll rifle through everybody's office looking for dangerous things.
To extend that analogy the chef is also the only one who routinely brings big knives in through security.
What I'm saying is, scanning for malware by the vector which is most likely to introduce it to the system actually makes sense.
.. through your trunk, stealing your pr0n magazines, then leaving a receipt of what they took at the back of the glove box under several years of junk where you'll never know it even exists and you don't even know to ask the tire changing guys BECAUSE YOU PAID THEM TO PUT NEW TIRES ON THE CAR NOT CHANGE CHECK YOUR CAR FOR DUBIOUS MATERIAL
you don't know the half of the dirty tricks, scanning and reporting almost all of your software does behind your back. how could you if you are using closed source software. if you care about that stuff you shouldn't be using windows at all (as you know, windows itself already does this, no need to install extra software).
don't be so surprised, this has been the state of things since so long. people do easily forget, this whole 'surprise' about facebook and many other privacy violating online services was already documented many, many years ago, still people act surprised and outraged as if it's a new thing.
On a long enough timeline, the survival rate for everyone drops to zero.
What I'm saying is, scanning for malware by the vector which is most likely to introduce it to the system actually makes sense.
I agree, but Google should be scanning the specific files Chrome downloads rather than doing system-wide sweeps. They already own a site they can use for the purpose - VirusTotal.
I already have anti-virus software running. How do I know that it won't be fighting chrome for file access. I have helped people who in their paranoia have installed multiple anti-virus programs and then started having trouble as the programs fight back and forth when scanning files.
Calvin:Do you believe in the devil? Hobbes:I'm not sure man needs the help.
Why would it not be legal? Didn't you read the EULA?
And you did agree to it? Before installing.
Multiple programs trying to access the same hardware and files causing havoc, is not a software problem, it is an unqualified operator.
That is an undeniable foot shot.
Not a fan of AV software I think it makes the operator less careful as they are "protected".
Rick B.
Their motivation is not so much to protect us, it is to slow down the competition whilst getting direct access to your data.
They will profit in a two fold manner from this on one angle they slow or block competition and on the other angle they have the freshest data that pays more and they can also charge more as the other players can't provide data that fresh.
Slowly, the water warms the frog....
Rick B.
Don't let allegations of popularity (regardless of whether they're true) hamper better thinking. Any so-called "security pro" that pushes for proprietary software is unfit to be called a computer "security professional". Proprietary (non-free, user-subjugating) software is never under the control of the user. It doesn't matter what the program purports to do, how popular someone claims it is, or who made the program. A lack of software freedom for the user is untrustworthy by default. And trusting a massive spy operation (such as Google certainly is) should make the software suspect as well.
With free software one doesn't need to trust the software—if you doubt the software in any way, you can inspect it to see what it does (or get someone you trust to do this for you), edit the software to suit your needs (or get someone to do this for you), and run the variant of the code you vetted and edited. Computer users have to fall back on trust when they're left without the information they need to make an informed judgment (precisely the judgment free software allows the user to make and proprietary software prevents users from making).
Digital Citizen
Under Ubuntu 16.04++, and other systems supporting contained snaps:
sudo snap install chromium
sudo snap disconnect chromium:home core:home
sudo snap disconnect chromium:camera core:camera
First installs chromium, fully contained, as /snap/bin/chromium. Second removes its access to your home directory. Third the camera. Stick a copy of ~/.mozilla in ~/snap/firefox/common/.mozilla to get everything migrated. Enjoy your sandboxed chromium.
Seeing as a big chunk of viruses actually target you browser as a vector of intrusion it kind of makes sense that Chrome might integrate some modicum of virus checking as part of it's makeup. I don't think I would expect it to look for the whole spectrum of pests, but only those that might target itself. Doesn't seem all that outlandish to me.
However a part of me likes to thing perhaps its the first step to self awareness and an innate desire for survival... :)
Apparently the range of scanning is so broad that it is now affecting canary tokens (boobytrapped files/shortcuts to beacon when touched), triggering false alerts.
Since this isn't full antivirus, there's also no full AV controls to write in scanning exceptions, so this will be a continuing security/alert problem.