[HN Gopher] Thanks HN: Lessons learned after Google nearly kille...
___________________________________________________________________
Thanks HN: Lessons learned after Google nearly killed my site
Author : uploaderwin
Score : 323 points
Date : 2021-03-05 14:12 UTC (1 days ago)
(HTM) web link (www.uploader.win)
(TXT) w3m dump (www.uploader.win)
| kjrose wrote:
| Everyone in this thread is clearly stating how this is not a
| properly functioning system and there is story after story of the
| kafkaesque disasters to which Google is not responsible at all.
|
| The question I have is what can anyone do to really change
| things? If we all agree this is a major issue why can't we find a
| reasonable solution to it.
| weef wrote:
| Clicking the OP link I get a warning page from my ESET AV:
|
| "Potential phishing attempt. This web page tries to trick
| visitors to submit sensitive personal information such as login
| data or credit card numbers."
|
| Is this somehow related to the Google situation?
| david422 wrote:
| Thanks for the writeup - I've learned some things. I have a site
| that allows user image uploads as well. I take each "image" and
| resize and compress it. If it's not an image after that, it get's
| rejected. Hopefully this is rejecting any malware.
|
| I have gotten warnings from google multiple times about hosting
| NSFW images (that is not the purpose of the site) that have ads
| on the page. This isn't google disliking NSFW content - it's
| google not liking NSFW content and ads together. Due to multiple
| warnings, and worried about bans, I now actually manually review
| each image. This is actually easier than it sounds. I wrote
| myself a batch script and review in chunks before I allow google
| to view any images.
| rgj wrote:
| Let's not forget that the site probably was actually hosting
| malicious content. The problem is not Google blocking the site,
| that was the right decision. The problem is that Google is hard
| to reach in cases like this.
| random5634 wrote:
| Quick notes:
|
| Site owner has not confirmed they screened all uploaded content
| for malware - this is a major issue these days and google and
| others will flag you if you host viruses and pump out malware.
|
| And no - you cannot sue google to force them to allow users to be
| infected.
|
| It's not clear that all customer content is hosted on a separate
| domain, and each customer on a separate sub domain . Your
| reputation will be trashed pretty quickly if you host content on
| main domain blindly.
|
| It's not clear that all uploaded content is protected from being
| linked too or downloaded. Google admins and other virus vendors
| can setup screens on downloads.
|
| Anyways - see plenty of shady / scam and incompetent website
| owners hosting malware - not much sympathy in most cases.
| wnoise wrote:
| > We never allow anything other than video and image files
| either.
|
| I would have thought this would be an excellent way to not host
| malware.
| freeone3000 wrote:
| Not quite. There have been several flaws in WMF that have
| caused video and image files to be viral vectors. https://en.
| m.wikipedia.org/wiki/Windows_Metafile_vulnerabili...
| [deleted]
| rightbyte wrote:
| Something tells me that Google doesn't ban G Drive, Dropbox or
| MS's what ever it is named when those host malware. I rather
| not have only the giants host user generated content ...
| lrem wrote:
| Google does the silly separate domain dance GP recommended. I
| couldn't figure out what is it for, until I read this advice
| in the previous discussion.
|
| Disclaimer: I'm a Google SRE. But never supported anything
| reachable from the outside.
| alisonkisk wrote:
| Google doesn't have a separate domain for Drive files, for
| example, nor do they have separate per-user domains under
| googleusercontent.com for photos etc
| lrem wrote:
| According to my Firefox, the JPEG file I just tried came
| from googleusercontent. But you're right, it's not per-
| user.
| asdfasgasdgasdg wrote:
| That's not what it's for. It's to prevent user content from
| being served from the same origin as Google services. If
| the content were to be served from the same origin, scripts
| loaded from that origin would be able to access your google
| cookies and therefore would be able to access your account
| data.
| lrem wrote:
| Oh. I even heard about this mechanism before ;)
|
| Thanks, this makes more sense.
| gpm wrote:
| > And no - you cannot sue google to force them to allow users
| to be infected.
|
| Has anyone tried, genuinely curious how this would turn out.
| hamburglar wrote:
| I haven't read all comments so I don't know if anyone made this
| suggestion already, but for a demo uploader, you could probably
| just have all the file contents replaced with zeros, or stand-
| in data of the same content type (eg all videos turn into a
| video saying thanks for trying it out, padded with zeros to the
| original upload size)
| simion314 wrote:
| Is not about the viruses, a pdf that looks like phishing can be
| reported and you get your website blocked. If anyone knows of a
| way to scan pdfs please let me know(I think it would involve
| finding the links in the pdf, try to follow them and detect if
| are phishing but maybe the link is fine at the pdf upload time
| and it changes after)
| ttt0 wrote:
| They can remove your YouTube account, app, entire Google account
| or even your website at any time and you can only make guesses
| why did that happen, because they always make the rules really
| vague and it's never clear what is or is not allowed. And even
| when they do admit the mistake and get you back up, they still
| won't explain anything and nothing is ever fixed. Thank you
| Google, very cool.
| superzamp wrote:
| At this point they, and other giants, successfully demonstrated
| that they cannot regulate themselves over these random
| terminations and that the public needs to step in.
| whatshisface wrote:
| Rather than further secure their market positions by forcing
| them to treat their customers well, why not replace the
| entire company by competition from less insane providers?
| gambiting wrote:
| No. Absolutely hard disagree.
|
| To give you an example of this working well:
|
| In some countried(UK) regulators recognized that you cannot
| operate in the society without a bank account. So a rule
| was made that a bank cannot close down your bank account
| without a court order. They can block your access to nearly
| all other services, block all of your cards, but at the end
| of the day, you cannot lose access to your basic bank
| account and money in that account unless a judge says
| otherwise. The solution to the problem of "every citizen
| needs a bank account to function" wasn't "let the free
| market sort it out". It was to force banks to maintain
| access to a basic checking account no matter what until a
| court order is given.
|
| In my opinion, Google should be forced to do exactly the
| same - no matter what, you should never lose access to your
| google account without a court order. It might be placed
| under severe restrictions(no new uploads, restriction to
| storage etc) pending review, but until a lawful court
| agrees that you broke the rules somehow and google is free
| to kill your account? They should be forced by law to keep
| providing their service.
| doliveira wrote:
| I am now left wondering about the .dev gTLD, isn't it owned by
| Google?
| edoceo wrote:
| Yep. Adjust risk factors as necessary.
|
| https://en.m.wikipedia.org/wiki/.dev
| [deleted]
| denysvitali wrote:
| Ironically I had the opposite issue a couple of weeks ago: I've
| found a phishing website (for Facebook) that was hosted on a
| Google server and was actively used. I sent an email to Google's
| abuse email address - got an automated reply back saying
| basically "use this other form instead". Did that, never got a
| reply back. I have reported the website to their SecureSearch (or
| whatever the name is) product, entered the URL and all the
| related infos: nada. The site is still up and running, phishing
| users, and no alerts are triggered for Chrome users... Sad,
| really sad.
| guerby wrote:
| Let's do an experiment, please post the URL here and see if
| someone at google takes notice :)
| [deleted]
| dgellow wrote:
| From what I see Google should now be considered an active threat.
| You have to design your system knowing they will eventually act
| against you, either your domains or your accounts. And your
| chances to get it fixed are slim, unless you're able to get some
| public outrage.
|
| Really a disgusting company.
| marshmallow_12 wrote:
| >Really a disgusting company
|
| that's quite a strong word. For the average Joe, google has
| immesurably improved their internet experience. The vast
| majority of people are perfectly happy with google and love it
| for gmail, youtube etc. Just because they are good at
| destroying some peoples lives, most users don't really care at
| all. You might find it hard to recruit supporters just because
| google are horrible sometimes.
| that_guy_iain wrote:
| >Now we run automated tests to monitor server uptime and check
| server for problems every 30 seconds. Unfortunately automated
| test scripts were happily getting HTTP/200 replies while people
| using the Chrome browser were being told this is a scam business
| trying to steal their bank account information.
|
| I was surprised this wasn't part of the lessons learned. But it
| seems the monitoring basically failed but that wasn't a lesson.
|
| I feel like majority of uptime monitors are falling for this same
| trap. One of the reasons why for my monitoring service I choose
| to do full page load monitoring via Chrome instead of just a http
| request via Curl or whatever. Main reason, people care if the
| webpage loads or not. People care how long it takes for their
| webpage to load. Having a website respond in 200ms is great but
| if it takes 8000ms for all the JS to load and process your
| website is still slow. I get why sites are just doing curl
| requests because it's way cheaper but really you're monitoring
| one part of the stack while really caring about all of it. If
| your website starts producing javascript errors you want to know,
| etc.
|
| [1] https://www.ootliers.com (The landing page and everything are
| terrible and I'm working on improving that)
| nchelluri wrote:
| It's funny you read it that way, you may understand it
| correctly but I came away with a different interpretation, that
| they allow-listed the developer's IP and returned good non-
| phishing-warning responses to the monitoring check, but not to
| end-users.
| that_guy_iain wrote:
| They said their test scripts worked but people using Chrome
| got an error. So I take that as in their scripts weren't
| using Chrome at all.
|
| To be fair, I've not had this happen yet so I am going to try
| and find a site that chrome won't let me visit and see what
| happens when I visit it programmatically.
| imwillofficial wrote:
| When that warning page is thrown, is a 200 returned? It
| could "load" ok, but be blocked by a flag for chrome that
| isn't http flag. Total guess. Anyone have any insight on
| that page showing up?
| that_guy_iain wrote:
| After a bunch of searching I found a test URL.
| https://testsafebrowsing.appspot.com/s/malware.html via
| my Chrome script I get a 500. And when ignoring it in
| chrome manually it returns a 200 so the web url works.
|
| This is totally an edge case I didn't even think of until
| I read that blog. Super happy that my monitoring approach
| picks up on it.
|
| For others wanting to do the same I'm using chromedp. It
| does take up way more resources tho. I worked out I can
| do 90 per minute per 8-core 16gb server.
|
| [1] https://github.com/chromedp/chromedp
| gortok wrote:
| I tried to send the blog post link to another person on Twitter
| and got a notice that the tweet couldn't be sent because the site
| was potentially harmful:
| https://twitter.com/gortok/status/1368309384619626506?s=21
| martin_a wrote:
| > But there are plenty of Google engineers and good helpful
| people on Hacker news.
|
| > (from a screenshot) I work at Google [...] so I escalated your
| issue [...]
|
| > I believe the HN thread getting on the homepage tremendously
| helped me and somebody from Google saw it and expedited the
| review after all
|
| So, once more an issue with FAANG could only be fixed because
| somebody knew somebody else and went out of his way to get this
| to the right eyes.
|
| This could easily have gone another way and OP would have
| received no help whatsoever and would have waited for days or
| weeks to get this issue cleared and lost his business.
|
| Maybe it's only me but I find it unbearable that you'll usually
| not be able to reach any real person at all for issues like these
| and it's pure luck what happens to you.
| inglor_cz wrote:
| This is really feudalism replayed.
|
| If you know important people at the emperor's court, you have a
| chance to get yor problem solved.
| drc500free wrote:
| Definitely seems like a class system, you're either above the
| algorithm or below it.
| alisonkisk wrote:
| It's not "feudalism", it's human social relations and power
| dynamics.
| rakoo wrote:
| It's not "power dynamics", it's freedom to innovate
| [deleted]
| croes wrote:
| What if his post had not been seen or he didn't know HN.
| Google etc are the gatekeepers they decides what allowed
| and what isn't.
| mpweiher wrote:
| Unregulated power dynamics _are_ basically feudalism.
| (Well, feudalism put in _some_ regulations...)
| inglor_cz wrote:
| Democratic societies try to limit this problem by
| establishing some semireliable channels to remedy
| injustice, though.
| x86_64Ubuntu wrote:
| I don't think anyone considers this to be in the realm of
| injustice.
| dleslie wrote:
| It's definitely in the realm of injustice; how could it
| not be?
| inglor_cz wrote:
| Anyone? That is a strong word.
|
| At least I would consider losing an important asset based
| on a whim of an algorithm without a possibility of appeal
| to humans quite a gross injustice, though within the
| limits of the law as it stands today.
| cema wrote:
| I do consider it injustice, in the everyday sense of the
| word (not legal).
| franklampard wrote:
| Not really just feudalism. But how most parts of the world
| work
| rakoo wrote:
| A secret set of rules, a single party that is the judge,
| jury and executioner, an opaque resolution process that
| involves backchannels rather than merit, and no oversight ?
| Is that really something to accept as inevitable ?
| mushbino wrote:
| Yes, networking is inevitable. Transparency and
| accountability are hedges against this, but incentives
| aren't there short of some sort of massive public
| pressure.
| edoceo wrote:
| Massive public pressure means.... sounds like legislation
| to me.
| [deleted]
| jahewson wrote:
| It's really not, least of all because feudalism didn't have
| emperors.
| inglor_cz wrote:
| What? Even if we ignore China or Japan, the existence of
| the Holy Roman Empire overlapped that of feudalism in
| Europe.
| dividedbyzero wrote:
| The Holy Roman Empire was pretty much prototypical for
| feudalism and definitely had emperors
| xenihn wrote:
| Dark ages Europe wasn't the only example of feudalism in
| history.
| dang wrote:
| That quote is from an 8-year-old comment:
| https://news.ycombinator.com/item?id=5972927.
| matheusmoreira wrote:
| You're not the only one who finds it unbearable. Google acts
| like they own the internet. They cause massive damage to people
| and businesses when they unilaterally block them. They compound
| that damage by refusing to resolve the issue unless people
| somehow manage to reach some insider.
| marshmallow_12 wrote:
| >Google acts like they own the internet
|
| They kind of do
| C19is20 wrote:
| Isn't that how life works?
| bitcharmer wrote:
| This is the norm with FAANG and it really annoys me. How many
| of these cases never saw the light of day because of that?
|
| Even with HN it's a complete lottery what contents reaches the
| front page, so getting issues like these resolved is a matter
| of extreme luck for a common person.
| uh_uh wrote:
| Probably naive idea: Would it be possible to set up an
| insurance fund for this? As in, the money would be used to
| sue FAANG for damages in cases when businesses are lost due
| to them being flagged/blacklisted by FAANG incorrectly.
|
| If enough companies contribute to this, it might put some
| pressure on FAANG to take things seriously.
| jokethrowaway wrote:
| Another idea is to stop supporting FAANG.
|
| Apple or Google won't see a cent from me.
| bonzini wrote:
| Do you not own a smartphone?
| davidmurdoch wrote:
| I can't access my 13+ year old gmail account because Google now
| requires I verify I have access to a phone number I've never
| owned. There is no 2FA on this account, I know my password, and
| have access to the "Recovery Email" (which gets emailed a
| "Somebody knows your password" warning whenever I attempt to
| sign in to the account with my password).
|
| I reached a real person at Google Domains and managed to get
| things escalated to "Specialist". Their response: "we can't
| help you, post about it on the community forums" (which I had
| already done 20 days prior).
|
| This account "owns" digital goods, thousands of songs, and many
| domain names. Google is _actively_ stealing these things, but
| they don 't care and, "can't help".
| childintime wrote:
| +1
| jokethrowaway wrote:
| I'm in a similar situation with Apple. I can't access my 10
| years old account even though I know the password and control
| the email attached to it because I don't remember my security
| questions and I don't have my recovery email anymore. I
| probably put rubbish data in the security questions as they
| weaken the security of the account.
|
| Funnily enough that password leaked and someone managed to
| take over my account (I wonder how they manage to bypass the
| security questions, sounds like a security vulnerability on
| Apple) and they're using it to register (I assume) stolen
| devices and install software. I get email notifications every
| time these people do something.
|
| I reached Apple support but they're unwilling to help, they
| even refuse to nuke the account as a last resort.
| ttt0 wrote:
| > I reached Apple support but they're unwilling to help,
| they even refuse to nuke the account as a last resort.
|
| I wonder, aren't they required to nuke the account under
| GDPR? It's probably tied to your real identity.
| StanislavPetrov wrote:
| >I probably put rubbish data in the security questions as
| they weaken the security of the account.
|
| I had a similar problem, where I had created an account so
| long ago there were no security questions. They later added
| the security question requirement, but since I had never
| filled them out and they refused to accept a blank answer
| and I was forever locked out.
| appsecthrowaway wrote:
| I was in a similar situation 3-4 years ago. The app store
| kept asking for answers to my security questions which I
| did not remember to have set up, ever. I went various
| rounds with their phone support trying answers on the phone
| (there are only so many reasonable answers for "Who was
| your first manager?") to no avail. Then I just enabled 2FA
| and the security questions requirement went away
| immediately. Back then, the whole thing smelled like a bug
| on their side to be honest.
| randycupertino wrote:
| I had one recently where I was locked out of my
| medidata/Rave account for not knowing the answer for "Who
| was your best friend in 4th grade?" I seem to recall that
| I had a _lot_ of different friends in 4th grade, and it
| was also blurring with crossover to 3rd and 5th grade
| etc.
|
| After spending hours on hold and escalating through the
| support, they finally unencrypted my answer and told me
| what it was and I had put our cat! Totally did not
| remember that. Since then I've started paying attention
| to the questions I select when I set up the passwords and
| trying to idiot-proof myself to something I will actually
| remember in 7 years, _not_ trying to be clever in the
| response.
|
| As a bonus stick you in the ribs "revenge," when I
| finally was able to get it reset up and log in, I was
| gobsmacked to see that the customer support reps had
| assigned me mandatory extra remedial rave training to be
| completed before I could access the functional areas of
| the software! Lol. Touche.
| yojo wrote:
| Not useful for your current case, but I recommend using a
| password manager to fill random phrases for security
| questions. That way they're easy to read out over the phone
| to CS reps, but are more secure than literal answers, which
| can often be derived from publicly available info.
| randycupertino wrote:
| Is there a password manager you recommend? I've never
| used one. Ty!
| MaKey wrote:
| Have a look at bitwarden [0], it's open source and has a
| free tier.
|
| [0] https://bitwarden.com/
| davidmurdoch wrote:
| I actually have the same issue with my Apple account I used
| back in the ipod days; they are now requiring that I answer
| my security question during log in. But I actually don't
| remember the answer to the security question, as I used to
| always put gibberish instead of a real answer. Back in
| those days these questions would only be used to reset your
| password, and I was confident I wouldn't forget the
| password. I've given up on getting that account sorted.
| ghaff wrote:
| Furthermore, the answers to security questions aren't
| always stable. "What was your first pet?" Well, I know
| how I answer this question because one dog in particular
| I sort of consider my first pet. But I can remember dogs
| we had before that one so my answer is a somewhat
| arbitrary one.
| heavyset_go wrote:
| By answering honestly, you also run the risk of having
| anyone that knows basic facts about your life being able
| to really make your life difficult.
|
| It isn't just people you cross paths with that could get
| into those accounts, it's scammers that want to social
| engineer you or have access to the numerous database
| leaks that are accessible to anyone with the Tor Browser
| installed.
|
| The answers to security questions are essentially
| passwords themselves, and they should be treated as such.
| thinkloop wrote:
| It's none of anyone's business! I generate one password
| for the password and a second password to break into 4
| char random chunks for the security questions which I
| record in "notes" of the password manager.
| ghaff wrote:
| Meanwhile, in practice, when I had to do a brokerage
| transfer a couple months back virtually, the brokerage
| had a long list of security questions that they had
| apparently assembled from various credit reporting and
| other sources that I had to answer to make the transfer.
| The identity of my first pet or my city of birth is
| simply not a big concern of mine compared to the
| information widely available on me from all sorts of
| sources that I have no control over.
| heavyset_go wrote:
| > _I 'm in a similar situation with Apple. I can't access
| my 10 years old account even though I know the password and
| control the email attached to it because I don't remember
| my security questions and I don't have my recovery email
| anymore_
|
| I have an iPad that I let sit on a shelf for a while.
| During that time, Apple deleted the Apple account it was
| signed into. As a result, I cannot unlock the iPad or use
| it at all. I even made a new Apple account using the same
| username and password in an attempt to unlock it. No dice.
| Apple support won't help.
| randycupertino wrote:
| These sort of problems are so aggravating and seem to
| take a disproportionate amount of mental and emotional
| energy to the problem. I'm not exactly sure why, either.
| Perhaps it's because trying to explain the issue to
| anyone else (support, spouse, etc) and catch them up on
| where you are, what the issue is and what's been tried
| already takes so long and then in the end that person is
| powerless to help. And to make any progress forward you
| have to be relentlessly tenacious and still the problem
| will fall on deaf ears.
|
| It's like the system is built against you to just force
| people to ultimately run out of steam trying to get it
| resolved and give up.
| ncann wrote:
| Same thing with my Skype account. I have it logged in on both
| my phone and my laptop. One day it decides to automatically
| log me out on both and when I try to log in it insists on
| requiring sending a code to a phone number that I no longer
| have access to. So just like that I lost access to my long
| time Skype account even though I know the password, even
| though there's no 2FA setup, even though I'm trying to log in
| on 2 devices that I've logged in previously, from the same IP
| address. All support requests went nowhere.
|
| I wonder how many people lost their account like me because
| of these overzealous security measures.
| MeinBlutIstBlau wrote:
| I can't access my flickr account because it's tied to a Yahoo
| account which won't let me access unless I know the 2nd Yahoo
| account email address 2fa which is blurred out and yahoo
| won't let me access it because it's been locked even though I
| know all the info.
| ghaff wrote:
| Flickr is no longer associated with Yahoo. It's owned by
| Smugmug. Even if you can log into Yahoo that probably won't
| give you access to Flickr any longer. (Smugmug also cut
| back significantly on what Yahoo provided for free
| accounts.)
| heavyset_go wrote:
| > _This account "owns" digital goods, thousands of songs, and
| many domain names. Google is actively stealing these things,
| but they don't care and, "can't help"._
|
| I long for the day that they cross the wrong person with
| means to take them to court over their negligence.
| MaxBarraclough wrote:
| My very-much-not-a-lawyer understanding is that their legal
| obligations and liabilities are minimal on account of Gmail
| being offered free of charge. Anyone know if that's true?
| mrighele wrote:
| > This account "owns" digital goods, thousands of songs,
| and many domain names.
|
| It seems it's not only about a free Gmail account.
| edoceo wrote:
| Its the terms of service users agreed to. Prices not
| relevant
| MaxBarraclough wrote:
| That doesn't sound right. If you charge money, you have
| to deliver a product that's fit for service. You can't
| take people's money then refuse to deliver.
|
| At least here in the UK, EULAs that say _You have no
| recourse if we completely fail to deliver_ are generally
| disregarded in court, as it should be.
| edoceo wrote:
| But this scenario is neither a refusal or complete
| failure (debatable). But again, the terms of service are
| more important than the price factor.
|
| The big G say they can kick you off whenever/wherever.
|
| That it's free in price is just another way to give the
| "customer" (really just user) less power.
| markdown wrote:
| Not true.
|
| Say I offer my front yard for anyone to use for free.
|
| You come and set up a bbq stand to have a picnic with
| your friends. You walk across the street to a lemonade
| stand, and when you return, you're confronted with a
| security guard who won't let you back into my yard.
|
| You demand entry, saying your property is in my yard. You
| want to speak with me, but the security guard says you
| can't do that. What you can do is head over to the town
| square and ask if anyone there knows how you can regain
| access to your property.
| heavyset_go wrote:
| Google incentivizes and encourages users to entrust and
| entangle important, and often financial, aspects of their
| lives with Google's services, and in exchange, Google
| gets to profit greatly by mining their data. They also
| charge users money for many of their services, too.
| dencodev wrote:
| Have you considered calling the number tied to the account
| and asking them to help?
| jabo wrote:
| IIRC only the last 4 digits of the phone number are shown.
| davidmurdoch wrote:
| They only show the last two digits of the number. And I've
| only ever had two phone numbers in my life, and neither of
| them end with those digits.
| ncann wrote:
| Plus it is always a bad idea to give someone a code sent
| to your number. 99% of the time someone is trying to hack
| you and a necessary step is obtaining that code.
| kuschku wrote:
| For me that actually ended up the only way to gain access
| back to an old account of mine. Luckily I was able to
| cooperate with the new owner of the number, and he was
| helpful enough to give me the code that was sent,
| otherwise I'd have lost a Google account with several
| hundred euros of purchases on it, despite having the
| password, control of the backup email, knowing all
| security questions, and knowing the exact date the
| account was registered (the only issue was that mobile
| carriers here re-issue phone numbers after 6 months
| without any calls, and I had put the SIM into a tablet).
| maddyboo wrote:
| Same thing happened to a Bitbucket account of mine. I know
| the email and password, but the primary email is under a
| domain I lost access to. At some point, Bitbucket decided I
| needed to verify my email in order to sign in. Support was
| utterly unhelpful.
| deckard1 wrote:
| The worst part is that we are just conditioning people to
| accept this as normal. Just like EULA and cookie banners.
|
| It's always the same story. Some guy gets on Twitter or HN who
| happens to get noticed, then FAANG releases a statement saying
| they made a "mistake". Mistakes in the aggregate that affect
| millions of people aren't "mistakes." That's deliberate
| malfeasance at scale.
|
| Funny they never ask you that design question in interviews.
| "Design a system which will harm at most 5% of your users while
| scaling up to billions of people." Maybe if more people
| understood the sobering dark side of scale, they would stop
| gleefully promoting runaway scale-at-any-cost engineering.
|
| Just kidding. Profit is God.
|
| I'm also reminded of the dystopian movie Brazil. You're always
| at danger of getting eaten by the bureaucratic machine today,
| with only the most absurd recourse available. Just read the
| passive indifference of the email that Google sent this guy.
| "Google has received and processed...", "Google systems
| indicate...". This is one shit dystopia are are living.
| edoceo wrote:
| Upvote for Brazil! Great movie, Gilliam is a genius, so good.
| https://m.imdb.com/title/tt0088846/
| Jimmc414 wrote:
| This gentleman had a similar issue where his site was taken
| down without explanation at youtube. I intervened certain that
| we just needed to light some fires and get a human to look at
| it. He never got back into his account and to my knowledge
| never got a reply that was not a canned response.
| https://www.linkedin.com/posts/mohammedadam24_cybersecurity-...
| julienreszka wrote:
| Very scary
| HDMI_Cable wrote:
| This is another argument on why we shouldn't be using Google Safe
| Browsing. It's frankly unacceptable that for every 5 (or less!)
| bad sites it blocks, we get something like this.
| asddubs wrote:
| so what was the contents of the actual malicious file that was
| uploaded?
| yccs27 wrote:
| It was likely already deleted, since they only kept files for
| 24h.
| mleonhard wrote:
| Website blacklists exist because of malware and phishing. Malware
| exists because our browsers and OS's are insecure. Phishing
| exists because our auth systems are insecure. Solving software
| security and auth will have wide positive effects on society.
| julianlam wrote:
| Thank you for the write up, I really appreciate how there were
| actionable suggestions within.
|
| NodeBB does host a demo instance to allow people to kick the
| tires. I don't believe we allow people to upload images, but it
| is worth double checking just in case.
| hertzrat wrote:
| I made a Wordpress site last year to start blogging that had this
| happen. The only reason I found out in this case was from
| visiting it in edge, which showed a warning pop up, so maybe it
| was a Microsoft flag instead of google in this case. I never
| figured out the cause or a way to remedy it and just took the
| site offline because it was invisible to all search engines.
| Pretty disappointing
| system2 wrote:
| What was your site about? Did you have uploaders or embedded
| 3rd party widgets?
| mscarborough wrote:
| Your cert is triggering SSL_ERROR_BAD_CERT_DOMAIN.
| jacoblambda wrote:
| Curious, I'm not seeing it on my end (just another person
| accessing the site). Which domain is it upset about for you?
| Kiro wrote:
| > But there are plenty of Google engineers and good helpful
| people on Hacker news.
|
| Way less nowadays due to all the employee shaming.
| lanevorockz wrote:
| Google is a monopoly and they destroy the lives of anyone that
| even dares to challenge them or their owners. It's time to break
| this big tech monopolies. Obviously, through make something
| better ... This is more of an inevitability than a question.
| thinkloop wrote:
| Someone uploaded a "virus" to OP's domain and Google crawler
| found it and blocked said domain? Is that the mechanics?
| duckfang wrote:
| To be quite honest, this seems like a case of Libel and possibly
| Tortious Interference on behalf of Google/Alphabet.
|
| Especially if you can show damages/customers cancelling service,
| I think this would be a hill to die on. Google et al have too
| much power, even over people and orgs that aren't even customers.
| Its high time we reign their powers in, find them strongly
| culpable for what they do (and what they change and then refuse
| to do), and consider breaking up these monster companies up when
| they show they are against the public interest.
|
| Were you, uploaderwin, given a notice prior (say to
| abuse@uploader.win , admin@uploader.win or other appropriate
| mails) to being effectively banned WRT google? I'd go on a limb
| and say you didnt. No, you have to be aware of the right page at
| Google, register you as an admin to the site, and hope they share
| what they consider abuse.
|
| And frankly, you were lucky you got the social media escalation.
| You should have never had this happen... But here we are.
| kemayo wrote:
| Based on what the article says, it sounds like the Google auto-
| blocking was _correct_.
|
| The website owner's theory is that someone used their demo to
| upload a genuinely malicious file, and presumably then shared
| it to others. Adding the site to their blocklist immediately is
| a reasonable action taken in defense of Google's users. It's
| certainly not libel for them to _truthfully_ say the website is
| hosting malicious content. Well, not in the US; other
| jurisdictions don 't necessarily have truth as a defense.
| (Tortious interference is complicated, but typically requires
| that the person interfering _knows_ about the business
| relationship they 're obstructing, and is taking the action
| _for the purpose_ of obstructing it. It seems like a stretch
| here.)
|
| As always with Google, the real issue here is their awful
| communication and slow responses to people who can't find a way
| to go outside the normal channels.
|
| EDIT: and the article has some useful suggestions for practices
| to follow if you need to let people upload files as a demo. I
| hadn't really considered the purpose of a separate domain for
| such things from this angle before.
| croh wrote:
| > Based on what the article says, it sounds like the Google
| auto-blocking was correct.
|
| Even it is correct, we can't assume it will be always
| correct.
|
| > As always with Google, the real issue here is their awful
| communication and slow responses to people who can't find a
| way to go outside the normal channels.
|
| Real problem is their slow repsponse can kill business (or
| may be people). If they are yielding this much power, there
| must be atleast some paid support service. I guess, it is
| time, all govs should look into this and regulate FAANG.
| hn_throwaway_99 wrote:
| I think it's fairly easy to acknowledge the the following are
| all true:
|
| 1. The poster was hosting malicious content from their domain
| (user uploaded no doubt, but still on the domain they control).
|
| 2. On one hand, it is desirable that people who are _not_
| malicious be given enough information as fast as possible to
| rectify their sites.
|
| 3. On the other hand, this same sort of information can make it
| easier for malicious users to evade detection.
|
| That is, it seems to me like there is an inherent tension
| between #2 and #3 that make a simple solution difficult.
|
| Seems to me that:
|
| 1. As the poster discovered, user content should always be
| hosted on a separate domain. Google should recommend this as a
| standard good practice.
|
| 2. Perhaps I'm missing something, but when Google blocks an
| entire domain, I don't see the harm in telling the site owner
| _which_ subdomain is causing the flag, which could let good
| users identify the problem faster.
| LocalH wrote:
| > On the other hand, this same sort of information can make
| it easier for malicious users to evade detection
|
| I never bought that excuse. That sounds like saying we should
| be secretive about legal charges brought against a person,
| lest that information help criminals evade detection.
| duckfang wrote:
| Alas, there goes my post (currently at -3).
|
| Although I didn't elaborate about the libel, I do believe
| there is a strong separation between a "malicious site" and
| a "site that has malicious content".
|
| If someone encoded an image in an HN post encoded as
| base64, that could be definitely malicious content. But
| that would _not_ make HN a malicious site. No reasonable
| person would argue that. I would argue that claiming it was
| a malicious site is the heart of this libel.
|
| Now, as a converse, we've seen sites that are just textspam
| with links that are all .exe or .com or likewise. They have
| no legitimate purpose other than getting higher scores in
| search engines. And their content is full of malware of all
| sorts. This would be an example of a malicious site.
|
| On top of that, nobody mentioned about my call to email the
| webmaster/abuse/admin contacts at a domain. Even an email
| and then 1h later would provide some sort of "whoops we
| didn't catch that" buffer. A legitimate site will respond
| quickly to warnings of malware or hacked site.
|
| Of course, we all on HN know about the ills of contacting
| Google for issues like this. Unless you have a Social Media
| Escalation (aka: this type of post), you pretty much
| guaranteed will have no recourse. That is a whole another
| level of problem, especially if they control (they do!) the
| browsers of millions of people. Where are the checks and
| balances? There are none.
|
| And we also come to the issue of secret charges, secret
| evidence, secret judges, secret punishments, and no
| appeals. The common saw here is "We dont want to tell bad
| people what they're doing bad". This doesn't fly with our
| government, and shouldn't fly with mega companies (read:
| monopolies or oligopolies). If I'm doing something wrong, I
| should be shown what I'm doing wrong, and a window of time
| to remediate. (And I'd argue that once something's
| detected, then enhanced scanning could be done.)
| alisonkisk wrote:
| The difference is that computers can commit crimes
| thousands of times per second.
| LocalH wrote:
| So it's ok to ban someone's account (which can be tied to
| any number of different services thanks to OAuth) but not
| tell them specifically why? Sorry, but I reject that as
| being necessary such that we hear about things like this
| on a quite regular basis.
| ttt0 wrote:
| Yeah, just provide like logs what specifically got you
| taken down or something. _Anything_.
| mortehu wrote:
| If you're hosting lots of malware on different subdomains,
| there is harm in Google telling you which ones it detected.
| You could use that information to keep hosting the undetected
| malware, perhaps out of laziness.
| hn_throwaway_99 wrote:
| Perhaps just telling the site owner a max of 1 compromised
| subdomain, e.g. "We detected malware on sub.yourdomain.com"
| or "We detected malware on sub.yourdomain.com and
| potentially other subdomains." Seems like that would
| provide a huge benefit to people trying to be compliant
| without much benefit to bad guys hosting lots of malware on
| different subdomains.
| [deleted]
| bilater wrote:
| Glad you got a resolution. Google recently banned my ad account
| for running ads to my landing page templates and I still don't
| know what was wrong with that. They just gave me a bs corporate
| answer and that was it.
| stonecraftwolf wrote:
| I'm so sorry this happened to you. Can you show us the site?
| bilater wrote:
| The site is https://nextails.com/
|
| I just ran ads with headlines like Nextjs + TailwindCSS
| Landing Pages
|
| Apparently somehow I ran afoul of their Circumventing Systems
| policy. I don't know how this qualifies and when I appealed
| they came back saying the same thing.
| stonecraftwolf wrote:
| I hope this attracts attention from someone who knows more
| than I do, but I can't see anything wrong with that. The
| arbitrary and immense power FAANG wields is fucking
| terrifying.
| [deleted]
| bilater wrote:
| I hope so - thank you for the support! :)
| thomas wrote:
| And now the side it actually dead? Anyone find a cached version?
| Had something similar almost happen and was curious to read!
| fefe23 wrote:
| Can someone explain to my why Google isn't being drowned in a
| torrent of lawsuits?
|
| We are getting stories like this on a weekly basis now.
|
| Google is clearly causing measurable harm to your company and
| you. And apparently to thousands before you.
|
| Considering how much money patent trolls manage to extract from
| Big Tech with considerably weaker cases, how is it that everybody
| is treating Google like a fragile grandmother with dementia,
| going out of their way not to hold them responsible in court?
|
| This is not a rhetorical question. I really don't get it.
|
| America is the land of getting millions in settlement when
| McDonald's gives you coffee that is hotter than you anticipated.
| How the hell is Google getting away with their behavior?
| matthewheath wrote:
| In the UK at least, these consequences (website going offline /
| certificate warning / unsearchable in the search engine) would
| likely be deemed "pure economic loss" following _Spartan Steel
| & Alloys Ltd v Martin & Co (Contractors) Ltd_ [1973] QB 27 and
| _Murphy v Brentwood District Council_ [1991] 1 AC 398 where the
| Court of Appeal and House of Lords respectively held that
| unless some sort of physical harm was suffered to you or your
| property, the losses were held to be "purely economic" and so
| not recoverable in tort.
|
| It's unlikely that any claimant would be able to show a
| contractual provision that enables them to claim for damages
| against Google (thus allowing them to sue in contract), so a
| cause of action for tort would be the usual way to sue Google -
| except unless Google makes you suffer some form of physical
| harm or damages your property, you're unlikely to be able to
| recover any damages for your website suffering these
| consequences, in the UK at least. I understand US law may be
| quite different.
|
| There's a testable argument to be made about the requirement
| for "damage" to your property (the website) being inflicted by
| the certificate warning, but policy arguments on the matter of
| "ripple effect" liability makes it seem likely the courts would
| hold that Google isn't liable.
|
| Also Google is probably far better placed to weather lawsuits
| than most ordinary people; they can probably afford to induce
| the other party to settle out of court, and presumably the
| relevant monopoly and abuse of market position laws only allow
| a regulator to take legal action (the ordinary consumer being
| restricted to contract and tort lawsuits).
| fefe23 wrote:
| I'm guessing the web site has telemetry and analytics and can
| show the conversion rate going down. If the web site sells
| something, you could even put a dollar amount on the damage.
|
| I'm probably misunderstanding your argument here, but if,
| say, Google steals your bike that would be purely economic
| damage. Surely the UK legal system would still punish
| that...!?
| golemiprague wrote:
| What about simple libel? if google openly declare to people
| that your site harm them when it is not, isn't it a classic
| libel?
| imwillofficial wrote:
| Two words.
|
| Regulatory Capture.
|
| The dividing line between big tech and big gov is far thinner
| than most people consider.
| pja wrote:
| Because Google has set things be up so that they have no legal
| responsibility & even if they do it's an enormous legal
| mountain to climb to a) prove it and b) get any kind of
| reasonable recompense out of them.
|
| Currently they have all the benefits of their monopoly with
| none of the responsibility which is exactly the way they like
| it.
| jokethrowaway wrote:
| Go figure why nobody keeps them accountable.
|
| They have enough money to influence the USA government if
| anything changing the situation were to be introduced.
| hctaw wrote:
| They're a frequent target of rhetoric and legislation by
| the republicans. Granted, nothing comes of it because the
| fundamental issue they have is that reality has a liberal
| bias.
| ttt0 wrote:
| Probably something something along the lines of "private
| company and they can do whatever they want".
| justAnIdea wrote:
| Sure, but this is not a Google issue _per se_ , this is a
| browser issue. If they f** up and put you on a phishing list
| and your business just evaporates because people's browsers
| literally stop working with your site, that goes far beyond
| what google does as a private company on its private
| platform. I think this is totally worth suing for and
| probably winning.
| matheusmoreira wrote:
| > how is it that everybody is treating Google like a fragile
| grandmother with dementia, going out of their way not to hold
| them responsible in court?
|
| Yeah, it's a really good question. We got all these fully
| staffed insanely rich companies causing measurable harm to
| people. They just insist there's nothing they can do to stop
| it. Why does everyone believe them?
| alisonkisk wrote:
| What is the tort?
|
| Mcdonald's _burned off a woman 's labia_ after burning the
| flesh of several people with coffee tens of degrees hotter than
| is safe, and then refused to simply pay her medical bills,
| prompting a lawsuit.
|
| Has Google burned your labia?
| jedberg wrote:
| https://en.wikipedia.org/wiki/Tortious_interference
|
| They interfered with the contract OP has with their
| customers.
| benlivengood wrote:
| Nah, Google offered a free browser and the author's
| customers' and their customers chose to use it.
|
| Remember all the "best viewed in ie6" or "only works on
| netscape 3 or above" banners? There has never been
| universal accessibility on the web. The dominant browser
| changes over the decades and it causes problems for
| everyone when one becomes too popular.
| imwillofficial wrote:
| McDonald's did not "burn off a woman's labia"
|
| That's some dumb shit right there.
| DanBC wrote:
| She had full thickness burns requiring debridement and skin
| grafts. You probably need to read up on her injuries before
| calling it dumb shit.
| dna_polymerase wrote:
| As an aside, Google themselves use base64 images quite heavily.
| They are the kings of inlining.
| codesternews wrote:
| whats your revenue? just curious. Plans are good. Thanks
| vntok wrote:
| From the article:
|
| > So after a lot of brainstorming and ideas from HNers I finally
| figured out the culprit(s).
|
| > We have a live demo on our home where people can upload a test
| file. [...]
|
| > We also give all users a 20MB test storage. [...]
|
| > I believe that somebody signed up for our service (it's free to
| sign up) and then uploaded a malicious file on our test storage
| and abused this feature.
|
| If that is correct, Google was completely in the right to flag
| the domain as malicious and warn visitors.
| matsemann wrote:
| Why? Should GDrive be banned if a single user uploads a
| malicious file and links to it from a Gdoc?
| ttt0 wrote:
| Like they were in the right in removing decades of comp.lang.c
| archives, because it contained some spam?
|
| edit: just noticed, their comp.lang.c archives are back up now
| ufmace wrote:
| I'm wondering if this could actually be spun into being a good
| thing.
|
| I just looked over the site a little more. The business idea
| seems to be to have a widget to add to your site that can be used
| to upload arbitrary files to it. The real advantage looks to be
| that they have a bunch of integrations set up with Facebook,
| GDrive, Dropbox, Instagram, etc so that all just works without
| you having to set up and manage developer accounts with 10
| different services. Plus built-in image resizing and such things
| that all just works. Pretty cool, and I might use it if I built a
| site that needed to do that.
|
| One way you can frame the point of this business is that they
| worry about the details of integrating with these other services
| so that you don't have to. As they found out, hosting external
| content is inherently dangerous, and it pays to have someone
| responsible for that who knows the risks and has experience in
| mitigating them. If a site owner wasn't using this service, they
| would have to take that responsibility on for themselves and re-
| learn these same lessons. So that's just another advantage of
| using this service - "we have experience in mitigating the risk
| of hostile users abusing upload services to serve malware, so you
| don't have to worry about it".
| r1ch wrote:
| I wonder if the use of a .win domain had any influence. I've seen
| nothing but spam and malware / phishing from these $2 TLDs.
|
| https://symantec-enterprise-blogs.security.com/blogs/feature...
| simion314 wrote:
| The issue with this black lists is that all the
| antiviruses/security tools will immediately put you on their list
| but it can take days or weeks to have them remove you and you can
| still get some customer that uses some weird security program
| that he still gets the issue. One of the anti-viruses company has
| a form to submit a dispute but their form was broken for weeks.
| nikita2206 wrote:
| Sounds quite familiar. Similar thing happens in judicial
| system, at least in my country but from what I observe - in
| most.
| dang wrote:
| The previous thread:
|
| _Help HN: Google just blocked my site as deceptive site_ -
| https://news.ycombinator.com/item?id=26326528 - March 2021 (20
| comments)
| imwillofficial wrote:
| So this sucks for the developer, but I have another story to
| share.
|
| I was trying to buy a school bus to make a schoolie out of, the
| Craigslist add directed me to a seemingly innocuous eBay motors
| link that looks pretty close to the real thing. I was busy and
| clicked, totally intending to drop $5k. I got distracted and had
| to come back to it later, when I did, credit card in hand, the
| page showed the red screen with a huge warning. A closer look
| revealed the bad url.
|
| Saved by google? Oh god, I think I need a shower now.
| sneak wrote:
| The fact that they are sometimes useful does not negate the
| fact that they have too much power to censor the web.
| trinovantes wrote:
| How do cdn providers (Cloudflare, Cloudfront etc.) avoid the
| subdomain blacklisting problem? Do they just have some agreement
| with browser vendors to whitelist their all of their subdomains
| because they're big enough?
| mhio wrote:
| Mozilla maintains a public suffix list -
| https://publicsuffix.org/
|
| https://github.com/publicsuffix/list/blob/master/public_suff...
| aboringusername wrote:
| Anyone who thinks this is the functioning of a "normal" internet
| is mistaken. This is a symptom of a decades-in-the-making
| problem. It strongly appears those in charge of legislation are
| not technically minded and have no idea "how" the internet works.
| Or they do and they have data-sharing agreements with all the
| 'big tech' software and are okay to "appear" to legislate but
| cannot actually change anything substantial in fear of
| retaliation (losing access to all that juicy data they collect).
| Imagine the power Google wields in this scenario, to me they are
| more scary than any drug cartel boss. I genuinely can't see how
| this isn't akin to a Coup d'etat of the internet as a means of
| transmitting information. We cannot shut down these tentacles
| because of how deeply ingrained they are (remember when FB's SDK
| was having issues? Hundreds of third parties apps just broke).
|
| Google should have been regulated years ago, instead, they have
| been allowed to snap up every smaller company to solidify their
| position in the market and ensure _they_ and _only they_ are
| allowed positions of power, control and authority.
|
| If Google dislikes you (or their baseless algorithms that are
| detached from reality) then you are _toast_. How long before
| Google 's algorithm results in an actual human death? Doesn't
| seem totally far fetched and entirely plausible.
|
| Yet, _you_ let this happen, or rather, it seems this isn 't
| concerning enough for it to warrant a massive protest, after all,
| Big Tech controls protest online and can just shut it down.
| Amazon seems to have been mightily effective at stopping any
| "union" movement, so we know the censor machines are fine tuned
| and ready to fire at any moment.
|
| We need to be talking about this daily, in needs to be front and
| center for weeks and weeks, and we need to _demand_
| accountability. We are ruled and governed not by elected
| officials but by faceless, nameless and non-human machines. They
| do not Think. They do not Talk. They do not care.
|
| Yet this thread will disappear in a few short hours, and this
| will be just another episode of the weekly "Google's systems are
| out of control and one developer got caught out, too bad I hope
| they are okay".
|
| This is happening to thousands of others undoubtedly that do not
| make hackernews or have the resources/energy to fix it.
|
| We should demand better.
| still_grokking wrote:
| > It strongly appears those in charge of legislation are not
| technically minded and have no idea "how" the internet works.
|
| Of course they know. Everybody knows, it's just a series of
| tubes.
|
| But that's not the point. The people in charge also know:
|
| > If Google dislikes you (or their baseless algorithms that are
| detached from reality) then you are toast.
|
| Replace here Google with FAANG, and see how whole countries are
| completely depended on those companies. At this point those
| companies can blackmail any government on earth into almost
| anything they want. FAANG are actually even richer than most
| countries on this planet.
| dehrmann wrote:
| > How long before Google's algorithm results in an actual human
| death? Doesn't seem totally far fetched and entirely plausible.
|
| https://en.wikipedia.org/wiki/YouTube_headquarters_shooting
| stonecraftwolf wrote:
| You'd think there would be a business opportunity for advocacy
| consulting, but I think the total lack of regulatory
| consequences for ruining people's livelihoods renders that
| moot. FAANG can just ignore advocacy that isn't backed by
| regulatory teeth.
|
| I think if FAANG didn't already control so much of our
| communications you might see such advocacy groups, but as it
| is...
|
| Do you want to be the face of a campaign that will piss off
| FAANG?
___________________________________________________________________
(page generated 2021-03-06 23:00 UTC)