1. 52
  1.  

  2. 24

    The real problem is that Google marks stuff as malicious using their mysterious ML shizzle and provides no clear motivation or recourse. Basically, this is the same as Google banning uncommon browsers we saw a few weeks ago.

    That Google doesn’t offer any explanation is probably because … it doesn’t have one. ML is inscrutable beyond the simplest cases, so even Google doesn’t know really why it blocks something, which is the reason these things keep being flagged. There are similar problems with YouTube’s copyright detection system. I think this raises some serious ethical questions about the usage of ML for this sort of stuff.

    The lack of explanation and recourse is probably the worst, and I think they should be held accountable for clearly wrongful classifications. For example my friend’s employer got completely blocked by Google safebrowsing a few weeks ago with no warning or explanation about what’s wrong at all. Eventually it was probably traced to attachments in their email hosting offering (emphasis on probably), but this kind of stuff cost the company real financial and reputation loss. It can literally destroy businesses.

    1. 19

      The real problem is that Google marks stuff as malicious using their mysterious ML shizzle and provides no clear motivation or recourse.

      No, the real problem here is that we’ve allowed essential internet infrastructure (search, and increasingly browsers) to be completely monopolized. Monopolies serve shit sandwiches with no recourse or alternative by definition; what you’re calling “the real problem” is merely a detail of how their particular ML-flavoured shit sandwich is made.

      1. 6

        Maybe, I don’t know. The “immediate problem” is the ML stuff, the “bigger picture problem” is that these are genuinely hard problems to solve. I’m not so sure if things would be significantly better if Google had only a 30% market share, for example. Whose to say that the bigger competitors wouldn’t do more or less the same? And a lot of these issues aren’t really visible to most users, so only a limited number of people would switch anyway.

        That doesn’t mean that we don’t have problems with Google monopoly; I’m just not so sure if this is one of them, or a big part of it.

      2. 8

        Same thing with their email “spam” filtering.

        1. 1

          the more AI we see employed to make decisions, the less decisions made will be explainable. figuring out how an AI reaches a conclusion is a science upon itself.

        2. 9

          Couldn’t agree more. For me though, it’s not Google, it’s SmartScreen - I’m installing a new Windows instance, and the first thing I want to do is install my tools, and Windows will “protect my PC” by deleting them.

          What grates me about these algorithms is:

          1. Programs like Chrome are regularly serviced, but they are implementing an algorithm that assumes a binary can build a reputation over a long period of time. ie., they assume software works in a way it doesn’t, and in a way that is incompatible with the very program performing the check. Maybe this approach would have worked in 1995 when software was immutably pressed on CDs, but then, we wouldn’t need these checks.
          2. Malware, in terms of unwanted software hiding in wanted software, is far more common in Big Tech products than hobbyist products. Hobbyists do it for the reputation; Big Tech is doing it to collect your data and/or monetize to you, which requires bundling things that you don’t want and cannot be disabled. In a sense, the very detection described here could be said to be malware, at least to me and the OP. The attempt to associate free software with malware feels very 1984-like.

          But, even if fewer people use my free software, I’m not directly harmed by this. The worst case is I might receive fewer contributions, but it also means less support load too. In the end, the biggest loser appears to be Windows - if people install a rich variety of software products, they’ll be loyal to a software platform that supports them. If people install a handful of Big Tech products, they can move between platforms far more easily.

          1. 6

            It would be interesting to know if this is an issue for developers of software that does not skirt trademark infringement[1] (which I believe that OP’s software does)

            [1] I am not making a moral judgement here, it’s just that this space has a lot of shady downloads associated with it, so it’s natural that Google’s malware detection would find false positives here.

            1. 6

              Hmm, I can imagine that might be an issue for bsnes, which after all is one letter away from a registered trademark, but I’m pretty sure this post was motivated by the latest release of higan, which (as far as I know) is not any kind of trademark. And even though bsnes is similar to an existing trademark, it’s not a software trademark. If it were called “Adobie Photoshape” or something, then I can see a risk of confusion, but for bsnes…

              Besides which, we already have trademark law to handle trademark infringement, do we really need Google inventing their own secret laws that they can enforce?

              1. 4

                The author seems to be suggesting this is common, but this is the first I’ve heard of it being a problem. I’m not going to say Google’s monopoly isn’t bad in many ways, just not convinced yet that Google is flagging all sites with downloads and this is a widespread problem.

                1. 4

                  Dozens of emulators across dozens of systems use (letter)(system-name) naming convention, and nothing has ever come of it. I believe in good faith that the name is fair use, but if it’s an issue, I’ll be fine with changing the name.

                  The software flagged was “higan v107”, and to my knowledge that is not a trademarked term for either computer software or any video game systems that higan supports.

                  I have heard from a few developers now who have had similar issues to me on my Twitter feed and on the orange Y site, so I am confident it’s not related.

                2. 3

                  If code signing is a requirement to distribute free software, then we need a Let’s Encrypt-style alternative for code signing— yesterday.

                  I’m not doubting the need for an analog to Let’s Encrypt for code signing, but I doubt it will appear.

                  LE and friends (ACME, EFF’s certbot) are driven by the desire to encrypt HTTP traffic. The other primary feature of TLS, authentication, is secondary. certbot just requires the admin of the host which serves a website to have access to the DNS credentials. The functionality that made SSL certs so expensive, which was the verification of the organisation behind the website, is entirely secondary to LE. Any Tom, Dick or Sally can get a SSL cert, they do not need to prove their identity to anyone (not even their DNS provider).

                  Application code signing is different. You’re asking for implicit permission to run code on a user’s computer. This is an incredible privilege and one that malware authors are constantly vying for - hence the cat and mouse game that OP is unfortunately caught up in. I doubt there’s any chance of a service like LE appearing for code signing - or at least, very little chance that certificates supplied by such an organisation to be accepted by the major computing platforms.

                  1. 2

                    There is something like that. http://signpath.io/ has a side foundation that offers their product for FOSS projects for free.

                    It’s not quite let’s encrypt, but in a similar vein.

                    1. 1

                      What are they selling though? Looking at pages like https://about.signpath.io/pricing/ , I think they’re selling a pipeline to keep private keys secure, manage the signing process and add access control/auditing to it, but they expect you to buy and supply your own certificates.

                      For me a pipeline with access control is overkill, it’s the cost and availability of the cert that’s the problem.

                      1. 2

                        For FOSS projects, they have their own key that lends their name.

                        (I’m on very constrained internet, so sorry for not providing a link. I’ll try to do it when I have more bandwidth)

                  2. 1

                    funny joke how this website asks me in a popup whether i want to sign up for a google account. seriously??? even google critics can’t manage some uninfested web space to publish on?

                    1. 1

                      On the other hand, if you were going to call out one of the most influential tech companies, would you want to do it on your own site and risk unrelated search-ranking changes accidentally sending your stuff to page 37?