55 comments

[ 6.2 ms ] story [ 136 ms ] thread
Google complicit in refusing to take down misinformation? I don't believe it.
Just baselessly accuse the website of hosting death threats. That will get it taken down.
example?

EDIT: not that Google isn't in the wrong here, this just feels like you're trying to push some other political agenda.

What "other political agenda" would that be?
My guess is kiwifarms, which famously went offline after Cloudflare said that they "had to act" because of an "imminent threat to life" (not actual quotes, but not my own words either, in a nutshell that's what they claimed)
Cloudflare is not google
Getting in there though. They are shielding a ton of in-your-face malware, crack and blackhat sites and don't do much about it.
I don't care what they are doing right now.

This discussion and thread was about Google. The original comment was "Just baselessly accuse the website of hosting death threats. That will get it taken down."

A user asked for an example, then another user provided one but for Cloudflare. Which isn't an example of Google taking down a site

I was right though. (As in, I was right about what they were alluding to)
surprise surprise kiwifarms being brought up but not being compared to the to the original claims.
Kiwifarms. And my "political agenda" is not wanting websites that don't violate the law being taken down.
Obviously kwififarms defenders such as yourself try to muddle the facts: Google isn't taking down any websites or being asked to take them down, just delisting them from their own indexes. GP didn't claim this either, just said they werent hosting death threats. This is an easily verifiable claim, which would take someone at Google seconds to check, while it would take the court system many weeks and a lot of money to convict of a crime.
Let’s not forget the supermarkets that sell these people food and the electricity lines that run power in to the servers.
They're too busy delisting domains that follow the law to actually do anything of public worth.
Example?
(comment deleted)
GP is trying to vaguely gesture at imagined hypocrisy, has no actual point
Is there a current legal dispute over the VLC trademark that would make this situation ambiguous?
Alternatively: Google prefers not to adjudicate on any given dispute any 2 parties with a website might have.
But Google does adjudicate on such disputes all the time, but usually only when the issue is wrongthink and not malware.
What wrong think is that?
There are no degrees of wrong think. I think you think wrong about wrong think.
Seems unlikely given their long history of adjudicating precisely this kind of dispute.
Unless one party is a large conglomerate like Disney or Viacom, in which case they are happy to straight up give them the keys to the banhammer.
Meanwhile the other day I did a Google takeout of my Photos and when I clicked the download link, Google warned me about malware on their own *.googleapis.com domain

I think an ML black box is getting out of control

In the future, Google will have only one employee, who will be issued a dog. The employee's job will be to reboot the ML black box when it crashes. The dog's job will be to bite the employee when he or she tries to do anything else besides that.
Google Safe Browsing is going off the rails with silently Man in the Middling Chrome users. You will see traffic coming from logged in users via a Google IPv4 address, the user is unaware their traffic is being proxied for analysis.

Flagging and locking the accounts for potentially malicious activity or dropping Googles ASN has been an effective fix. Another plus is much cleaner logs, as we were getting hundreds of attempted injection attacks from Google's ASN before dropping all traffic from them, and unlike Amazon they did not respond to abuse reports.

They have a storage.googleapis.com subdomain that you can upload files to, so it was doing the warning correctly.
What am I missing here? Why is google involved with this? Normally, you contact the abuse contact in the domain's whois or the IPs abuse contact. If they are on a bullet proof host, your only avenue for a take down is government agencies. (Edit: you can also ask the RIR to reclaim the subnet but I've never heard of that actually being done for reasons I am not fully sure about)

What does google have to do with content take down? Even for delisting them from results you have other search engines people use and threat actors can and do use redirectors when that becomes an issue. It is whack-a-mole, best they can do is beat the TA's SEO unless they have a lot of time and resources.

Google has by far the majority of searches (in this category, not counting eBay/marketplace/insta searches). Delisting or even pushing to the second page would drastically reduce the effectiveness of such malware campaigns.

There are a number of super important software tools that big platform vendors have been obstinate or hostile to supporting or securing. VLC and putty spring to mind.

I repond to incidents where SEO is being used to selectively target users and compromise their network (typical ransomware gangs these days). VLC maybe special to certain types of users but I assure you there are many SEO optimizes malware delivery campaigns. Google is not a people company, they won't devote human resources for this nor would they implicitly accept responsibility for the content of search results by actively taking things down. This isn't how the internet works. Search engines search stuff, name servers host domains, etc... everyone has their role. Keep in mind, they won't give up and go home because google delisted something, they will just move on to a different domain. Google will not commit resources for vlc alone like that.

Another thing I forgot to mention earlier is VLC can literally take over the domain themselves after a court filing based on US cybersquatting law (.com is US jurisdiction).

You're viewing this a binary outcome of "will delisting block all malware results". Of course it won't, and it doesn't have to. This fight is never ending, and we need small victories.

Google doesn't need to be a customer service company to do this. In fact, the opposite, they need to be a search engine company. Some domain names, IPs and site content have associations with software products, but at present Google only extends the protection of being an authoritative source to some products.

Google also own Virus Total, they know which files are malware. So they can know which sites are full of malware, they just don't alter the search rankings to reflect that.

As to legalities, VLC playing whack a mole in the US courts is expensive and pointless, the time scale is so long they would easily switch to the backup domain. But that doesn't work with crawling -- to appear in a result you need to be indexed.

You have good points but you are missing mine: Google doesn't owe anyone the service of removing malicious results. If it is in their own best interest to do so, that is their business. You can't demand they remove this content, the only people who can are their actual customers of google search: advertisers!

The people responsible for the malware removal have abuse contacts and if they don't you kinda have to follow SOP with legal and law enforcement avenues. Just how it works. Even the FBI let's you report internet crime, you can scream at google but law enforcement and webhosts/ISPs(transit providers) are more likely to respond and do something. Vlc doesn't have a fat wallet so your point about the cours is true, but if a lawyer will do pro-bono for them, it's an easy open-and-shut case.

Yes, google owns VT but you won't even see long standing malicious site verdicts in VT make it to safebrowsing, if they won't even do that, do you think people screaming on twitter is something they listen to? I hope so, but unlikely and a waste of time other than for rage scrollers.

I think google is suffering big company problems. I think a lot of googlers want to penalise malicious sites but it's a second tier goal for the search team, who are getting hammered constantly by other players trying to alter rankings.

Obviously a few open source projects complaining won't move the needle much, but law enforcement and cyber agencies do have big requirements for improving resilience to these attacks (and supply chain especially). Improving the consumer supply chain security is a big government goal in many countries.

Also introduces the issue of subjectivity and Google being the arbiter of truth and success
In this case, there's a very obvious standard of objectivity. There is one true VLC homepage and there are a multitude of malware clones of the website. I feel as though Google should be able to differentiate between them.
Google is involved because they are being paid to link to these websites as advertisements. Since these are ads, and ads appear above regular search results on Google, they will appear above videolan.org, no matter how good VideoLAN's SEO is.
Google is involved because they operate the world's largest scam website checker, Safe Browsing, and their filter is baked into, and enabled by default in all of the modern mainstream browsers. Search results are one thing, going on this list would mean that the browser wouldn't open the page.

https://safebrowsing.google.com/

I know what safebrowsing is, it has a proper reporting system and it is for Chrome users not Google search.
Not just. It is for Chrome, Firefox, Safari, Edge users, and I suspect that other browsers use it too. Google doesn't react to the reports. OOP talks about this here: https://news.ycombinator.com/item?id=33728767

Also the websites are reported on Google Search, and the malicious ads too.

President of VideoLAN here.

The issue is two-fold here:

- On Google Search, Google refuses to unlist websites that are clearly promoting adware, spyware and violating the brands of Open Source projects (VLC is not the only one impacted).

In addition, the ads reported are never deleted.

- On Google Chrome, the safe browsing team refuses to flag some websites, even after long explanations about what the binaries are doing. One of the reason is that "the binaries are too big" (sic.). The other reason, is that they scan only the installer, and of course, the installer downloads other things.

This has been going on for years, at least 10.

One of the most egregious one is VLC.de which inundates the German web.

The thing is that it's not that they steal traffic (why would we care), it is that they install spyware, adware or other rootkits, all the time.

This is why I say that Google Safe Browsing is a total joke, and that Google does not care about its users security.

god bless vlc
I'm not surprised. Google has knowingly hosted (and profited by) ads promoting software driver and tech support scams which target the most vulnerable customers of virtually every major hardware and software company out there, and has done so for the better part of the last two decades. This, despite the years-long protests of many of these companies.

Until there is a class action lawsuit with unprecedented punitive damages, or until regulators do their job and regulate it, nothing will change.

Anyone want to lay odds?

At least ublock tags vlc.de as a "badware" risk.
Seriously, uBlock Origin is the one "endpoint security" product that's actually useful. I install it on practically every machine I ever touch.
Is this why India had blocked the real videolan site for months?
No. That's why this was a bigger problem in India due to Indian ban of the only legitimate source.
I'm sorry your excellent efforts on this wonderful application are associated with these unethical actors.
I found a job for Darl McBride that would finally make him useful for the society at large. He should found a company whose sole aim would be suing Google for refusing to deal with DMCA requests filed by Videolan (and possibly other open source projects facing the same problem) on time. Easy money.