1. 25

    I fail to see how this is not entirely Netflix’s fault. Every website should be verifying users’ email addresses. My email server has a catch-all account, so any email username is valid. Netflix doesn’t need insider info on my server; it just needs to stop people signing up using my email addresses by verifying them.

    1. 0

      TFA already includes a rebuttal to this:

      Some would say it’s Netflix’s fault; that Netflix should verify the email address on sign up. But using someone else’s address on signup only cedes control of the account to that person. Others would say that Netflix should disallow the registration of james.hfisher@gmail.com, but this would force Netflix and every other website to have insider knowledge of Gmail’s canonicalization algorithm.

      1. 8

        That’s hardly a rebuttal; it’s a poor justification for the bad design. In this case it was a dot, but if I actually make a typo, does that mean some random stranger should have access to my account? Should a website just send spam to any e-mail given? There’s a reason why e-mail verification is a standard. I understand Netflix wants to provide a clean and fast experience, and that’s fine, but they should still wait for verification before sending any sensitive data to the provided e-mail.

        If you think about it, the security breach had very little to do with Gmail. It was Netflix that was about to steal his credit card information, not Gmail.

        1. 1

          The point is that the credit card scam is still present regardless of initial email verification.

          If some average, non-security-conscious Netflix user would fall for the credit card scam by not noticing the last 4 digits of the card, it’s not hard to assume the same user would click through any subsequent validation emails from Netflix. The user might even think it was sent out for extra security, and probably not notice the dot at all.

          If people are adamant on putting the blame on Netflix, the problem wouldn’t be the lack of initial email verification, but rather the ability to change your email at will, after the initial signup. But people would obviously find UX flaws with that restriction.

          In this case it was a dot, but if I actually make a typo, does that mean some random stranger should have access to my account? Should a website just send spam to any e-mail given?

          This argument doesn’t make sense. If you typo your email, and happen to put a scammer’s address, that scammer would happily click “verify” in the verification email that was sent to them. So a verification email wouldn’t help you there. Anyway, this argument is unrelated to the credit card scam discussed in TFA.

    1. 18

      I actually used to work as a contractor on this project as a malware analyst. The cleaner was first developed by Google, but they moved to ESET after a while. For what it’s worth, the team is really privacy minded, and I can attest that it did make our job harder to track and possibly clean bad stuff. As a contractor I couldn’t even access any PII, including user reports, since they could contain paths with usernames, etc.

      For those that are asking why we can’t disable this, think about how, if you can disable it, unwanted software can do so just as easily. Not that malware can’t, but it’s much more involved to patch Chrome (and maintain the patches on all versions) than to update some settings file. It’s not as if you don’t have alternatives anyway: Chromium doesn’t have this component, and Firefox is quite awesome.

      Anyway, if you have any questions please feel free to ask! I’m not on this project anymore (nor at Google), but I was on the team from the beginning until the ESET transition and I’m still in touch with the team.

      1. 7

        I appreciate the details. The stuff on the team isn’t comforting since it could change any time. As far as disabling it, that’s not a good argument given they could just offer a trusted tool that does this for the user. Not just for this but other risky stuff. They could even sell this. If anything, disabling it would reduce attack surface since anti-malware tools have been an attack vector in the past. It will also eliminate any negative impact on performance or watts.

        1. 4

          The stuff on the team isn’t comforting since it could change any time.

          Also true for any service you use. I know it’s hard to believe, but Google is pretty strict about PII and what can be saved where, for how long, and seen by whom, and has an organisation overseeing all of this. There are processes in place governing each team at Google that require teams to document every piece of PII they collect and the motivation behind it. In any case, detailed reports are sent only when users opt in to send them.

          As far as disabling it, that’s not a good argument given they could just offer a trusted tool that does this for the user. Not just for this but other risky stuff. They could even sell this.

          Could you elaborate? I don’t seem to understand what you want to convey here. Who are “they”, and what “tool” and what “stuff” are you talking about here?

          If anything, disabling it would reduce attack surface since anti-malware tools have been an attack vector in the past. It will also eliminate any negative impact on performance or watts.

          The scanner is sandboxed (open-source, part of Chromium) and somewhat limited in what it can do. It’s not your usual anti-malware tool running from the kernel and featuring RCE as a service. I also think it was reviewed by that guy ;)

          Something to think about is the actual state of the internet for the broad public. While most of us here won’t benefit from this tool and at worst will find it annoying while it scans in the background, the reality is that a very large portion of internet users are currently infected by spyware and adware. While we are arguing about privacy issues due to Chrome reading some of your files on your disk (and not sending them anywhere), most people have their whole internet history tracked by shady adware corporations and are being shown ads tricking them into buying fraudulent applications and calling fake tech support. And I’m not even talking about the fact that most of that software has backdoors usable by any actor to run arbitrary payloads. Want an easy botnet? Reverse some of those freeware “updaters”.

          Of course the Chrome Cleanup Tool doesn’t fix the root cause, but it could be argued that it’s better than nothing. And from Google’s point of view, there are benefits from it other than invading more of its users’ privacy. When Chrome is crashing due to an adware injecting its unstable DLL, guess who gets the blame? I’ve even seen many reports blaming Google for how Chrome is sending PII or rewriting ads when in fact it was adware installed on the user’s machine. It’s in Google’s interest to fix this issue before getting to the point where IE was with toolbar hell.

          So in short, the Chrome Cleanup Tool is not there to help you; it’s there for the non-tech-savvy Windows user who clicks on and runs everything they come across as admin, and is now proxying their whole internet connection through some ad company’s server.

          1. 6

            Could you elaborate? I don’t seem to understand what you want to convey here. Who are “they”, and what “tool” and what “stuff” are you talking about here?

            I don’t want my tools to do things they’re not advertised as doing. Chrome’s job isn’t to scan my files, so it should never do that without telling me.

            So in short, the Chrome Cleanup Tool is not there to help you; it’s there for the non-tech-savvy Windows user who clicks on and runs everything they come across as admin, and is now proxying their whole internet connection through some ad company’s server.

            I don’t want contractors that I hired to replace my siding to break into my house and secretly rewire my kitchen without telling me, no matter how faulty the wiring. I don’t want Chrome to suddenly take it upon itself to scan my data without my express consent.

            And now, Google has a list of files on their servers. Ones that a malicious employee can access, or which might be given in bulk to the NSA, should the NSA ask.

            It’s not just annoying. It’s a breach of trust.

            1. 6

              “should the NSA ask.”

              Should they force them, too. Also, in the Lavabit court records, the FBI told the judge the founder could avoid reputational damage by hiding that he gave over the key. He’d just keep telling users it was a private service. The judge agreed. Probably wasn’t the first and won’t be the last to agree to give the government what they want while telling the company to lie that it couldn’t or didn’t happen.

              1. 1

                I don’t want contractors that I hired to replace my siding to break into my house and secretly rewire my kitchen without telling me, no matter how faulty the wiring. I don’t want Chrome to suddenly take it upon itself to scan my data without my express consent.

                People hire Chrome to manage their bank account or browse trusted content. When Chrome begins to display more ads than it should, tries to trick the user into paying for fake services, or simply steals users’ data, the same users that end up installing that malware are unlikely to understand that they are the culprit in the first place. They trusted Chrome to protect them from themselves. Chrome’s only defense at that point is to clean up after the user. Chrome is not annoying, user behavior is, and the Chrome Cleanup Tool is only a hack trying to fix a part of the issue.

                You don’t expect the contractor to rewire your kitchen because you won’t blame them if you break your wiring. Chrome is a whole other story. You expect someone to tell you if your wiring is about to burn your house down. This is exactly what Chrome is doing here. Many houses have burned down, and blame has been put on Chrome. Now Chrome is doing a quick check-up from time to time, and if it finds some fire hazard it gives you an opportunity to fix it. Chrome only fixes once you have given it your explicit consent. It also won’t tell anyone unless you tell it otherwise.

                1. 2

                  It is scanning without consent. For all we know this could be a tool for corporate espionage. Frankly with this knowledge no business and especially no software business should allow their employees to use chrome. I regularly recommended chrome to others, but never again.

                2. 0

                  The goal of Chrome may not be to keep your whole computer malware free, but it is to keep itself secure. If Chrome can be taken over by malware (and as the most used browser, it has a huge target on its back), then how can users trust it as a safe software? If anything, this feature makes it a safer browser.

                  1. 2

                    So to keep itself secure it should also check for vulnerable IoT devices in the network and use the webcam to prevent unauthorized access? /s

                3. 3

                  “I don’t seem to understand what you want to convey here.”

                  “For those that are asking why we can’t disable this, think about how, if you can disable it, unwanted software can do so just as easily. Not that malware can’t, but it’s much more involved to patch Chrome (and maintain the patches on all versions) than to update some settings file.”

                  This was in the general sense a false claim that I’ve seen way too many times, usually with nefarious features. That association is why I counter it quickly. They could definitely roll out the ability for a user, within the browser UI or as a standalone tool, to change this or other settings where they’re checked at startup and not enabled. Even the AV programs allow this. They let me tell them not to scan things for a certain period of time or at all. Lets me mix and match features of various vendors should I choose to accept the challenges or risk that poses. The attacks on the AVs so far have been malicious input into components that interact with the network or files (like the scanners), not the switches in the UI.

                  That they were stealthy about this and didn’t allow anyone to turn it off means they just don’t care whether all users wanted it or still want it. Them not caring about users’ preferences is a separate issue that other browser vendors have done themselves on some of their components.

                  “Also true for any service you use.”

                  It’s always true that people or priorities can change at any time. From there, we look at the organization’s charter/purpose, the business model, its operating environment, and past behavior to assess risk. This is about a widely-deployed application people do tons of private stuff with developed by a publicly-traded, surveillance company working to get closer to Washington, DC. A team in that company rolled out something that started scanning people’s files without their knowledge. I don’t believe it’s nefarious at this point but it’s not just any company or product we’re talking about. The circumstances give more reason to worry than usual for some people.

                  They shouldn’t have done it or should let people disable it. All that said, I like they at least added some sandboxing and restrictions to it. That’s good.