I've been on some websites that have had the unwanted software warnings, only to find the site admins posting on the forums saying that the site is safe. They even give instructions on how to turn off the unwanted software warnings in Chrome (which in turn turns off /all/ of Chrome's red security pages).
I think it would be more helpful if the warning page at least described what Google detected. As it stands, if people can be socially engineered into turning off warnings because they don't believe them, then it's failed as a security product to a certain degree.
Google Search Console (previously Webmaster Tools) will send an alert with details when unwanted software is detected by Google. Of course, this requires the webmaster to sign up with Search Console, but that is quite useful for other features as well.
Being on the false positive end of this system, it's incredibly frustrating having my site repeatedly flagged and not being able to do anything about it. There doesn't appear to be any way to contact a human except through the "Search Console" where the UI doesn't tell me what it thinks the problem is (http://i.imgur.com/LWrBINe.png), and Google's safe browsing list is the only thing that thinks there's a problem (100% clean on virustotal).
Ended up banging head against the wall for nearly a month, submitting review request after review request only to discover that the damn request submission form in WMT console was broken and was failing silently. Fucking hell. If you take on responsibility of (mis)labeling other people work as dangerous crapware, you should probably test the hell out of false positive submission mechanism, shouldn't you? If it weren't for another person discovering and sharing this on WMT Google group, god knows we might've been still wondering why G is so damn incompetent.
To add to the insult, a formal promoted "answer" from a resident "expert" of the WMT group was to the tune of "let me google that for you, you imbecile". So, it was a fascinating experience all around.
The lack of clear way of communicating with Google directly on this sort of matter was absolutely infuriating.
It seems the most reliable way to talk to a human at Google (if you don't already know one working there), is to complain on twitter or your blog or similar.
Thank you, for your efforts, but there's still a long way to go.
I occasionally need to tell non-technical users to install WinSCP. Assume someone told you to download the software from the following page: http://i.imgur.com/1HoyMWz.png Where is the ad, and where is the download link?
It's better than last time I looked, since the ad is no longer a big green button labelled "download", but it is still misleading.
I keep thinking this fight is just a game of whack-a-mole. It's nice to reduce the impact but there's some really core issues with the model in the first place:
Embedding ads means embedding dynamic content from a third party server that was submitted by other people.
On top of that, Windows users having to download software off websites instead of common software being distributed through a repository doesn't help. The repository (aka "store") model has shown itself to work really well even in the mainstream, unfortunately the Windows store is atrocious.
> We started disabling Google ads that lead to sites with UwS downloads.
Google still has a long way to go on that front. A good place to start would be making sure Google's ads always have the option to report them, which currently they mostly don't. I recently came across one of these as a text ad on YouTube, it was quite obviously intended to mislead and give people UwS, and decided to try to report it.
There was no way to do it on the page. There was no way to do it elsewhere, at least that I could find through googling. I eventually reported it to the security team, on a form intended for reporting vulnerabilities, as "whatever malicious-ad-filtering you have can't be working at all if it let this through".
It deceptively claims to increase web speeds, piggybacks on CCleaner's installation, doesn't inform the user about what it does, replaces the default web browser by default, "collects or transmits private information without the user’s knowledge", and it is bundled with other software.
The only characteristic that Chrome doesn't have is being difficult to remove.
About time. Based on malware cleanup work I've done in people's homes and asking how they got to them (unscientific, I know), Google AdWords seems like the primary method of malware distribution.
Google has gone out of their way to make AdWords look more and more like a normal search result, and particularly among seniors, it's common to expect that first link is legitimate. It usually isn't.
I appreciate your effort on trying to putt the words 'google' and 'ethical' in the same sentence. It just doesn't fit. It's business. Who cares about the user any longer?
Honestly, the biggest and best move Google could make is to have certain categories of search results ad-free. No search result for a financial institution should include AdWords. There's too many phishing sites that get into AdWords. Same for specific download categories. If you search for "Adobe Flash Player download", you shouldn't get any results or ads that aren't adobe.com at this point.
Is that relevant? Those cost-per-click prices would be driven up by high demand between malware and phishing site owners. If Google knowingly continues to profit off prices driven primarily by malware, doesn't that make them legally responsible for those infections? Shouldn't Google be held to some accountability for the amount of malware it distributes?
That's not under Google's control, it's under the OEM's or (in the US) the carrier. A phone bought directly from Google (the Nexus line, Google Play edition, etc) doesn't have crapware of any kind unless you extend the definition to any app you don't personally use.
This simply isn't true. The Skyhook trial proved definitively that Google has the power to dictate what OEMs that ship the Google Apps suite include on their phones. Problem is, they've only ever used that ability to push their own products and services.
There's two categories of bloatware, both of which Google can control:
- Google's bloatware. Google insists OEMs include like 20 Google services on every phone. Get rid of it. All of it. People want the Play Store, and if they want any other Google service, they can download it themselves.
- Third party bloatware. Google places dozens of branding and so-called 'quality' restrictions on how Android is shipped. At the very least, all pre-installed software should be uninstallable, and that's a reasonable consumer protection they could insist upon in the MADA. As another commenter said though, Google only uses the MADA to protect it's illegal monopoly, not to protect consumers.
Google only contols manufacturers as far as they want to ship google playstore. Android itself is gpl and apache license, so oems could just roll it themselves or go to a group such as cyanogenmod if google gets too restrictive.
That's really not shockingly relevant. It's nearly impossible to sell a successful Android product without the Play Store. If it was, most companies would already be doing it to avoid Google's bloatware.
Not only could ad injectors not work, they probably wouldn't have been installed in the first place because the ad blocker would block any links to them. Not sure if that was your point; if so, I agree.
>> We reduced the number of UwS warnings that users see via AdWords by 95%, compared to last year. Even prior to last year, less than 1% of UwS downloads were due to AdWords.
That 95% drop is great! That 1% number must still be quite a large number though, ~1% of the ads they show must be well into the millions?
It says "less than 1% of UwS downloads were due to AdWords.", not "less than 1% of AdWords shown where UwS". What they're saying is: <1% of those who download UwS get there by clicking on an AdWords ad.
I knew google was controlling email and labeling which email servers are "safe" or not.. with a lot of false positives! Didn't knew they were already doing the same to websites.
Nasty google.
While i also would like a world where i could host my own email server, you have to realize that the "nasty" labeling google is doing is the only reasonable way for a free service.
My prof told me about the university receiving about a terrabyte spam mail a day. Imagine what gmail gets with 90% of mail traffic being spam.
I understand your point of view but still would prefer google to blacklist instead of whitelisting. As a single user, I don't honestly care but this is making it more difficult for companies which find it more difficult to have their own mail servers. Imagine that all their emails end up on their customers gmail spam folder by default, without any proof of being spam. This makes companies to loose business/money.
I think it would be more helpful if the warning page at least described what Google detected. As it stands, if people can be socially engineered into turning off warnings because they don't believe them, then it's failed as a security product to a certain degree.