Adware Vendors Buying Chrome Extensions, Injecting Ads
An anonymous reader writes "Ars reports that the developers of moderately popular Chrome extensions are being contacted and offered thousands of dollars to sell ownership of those extensions. The buyers are then adding adware and malware to the extensions and letting the auto-update roll it out to end users. The article says, 'When Tweet This Page started spewing ads and malware into my browser, the only initial sign was that ads on the Internet had suddenly become much more intrusive, and many auto-played sound. The extension only started injecting ads a few days after it was installed in an attempt to make it more difficult to detect. After a while, Google search became useless, because every link would redirect to some other webpage. My initial thought was to take an inventory of every program I had installed recently—I never suspected an update would bring in malware. I ran a ton of malware/virus scanners, and they all found nothing. I was only clued into the fact that Chrome was the culprit because the same thing started happening on my Chromebook—if I didn't notice that, the next step would have probably been a full wipe of my computer.'"
And That, Ladies and Gentlemen ... (Score:5, Interesting)
And that, ladies and gentlemen, is how the free market works.
The reputation of these plugins is worth money. The down side is that once the malware infected extensions are reported to Google, Google will kill them off in the browsers. They won't live long enough to make their money back. The adsheisters will quickly see their reputation vanish and their install base dwindle.
Re:And That, Ladies and Gentlemen ... (Score:5, Insightful)
Doesn't Google share at least part of the blame here for not allowing users to opt-out of automatic updates once an extension is installed? As the article points out, it's precisely this ability to automatically "push update" thousands or tens of thousands of users without recourse, combined with lax enforcement by Google of update rules, that makes this situation attractive to the advertisers. Why not instead allow users to decide what the update policy will be on their device, as in Firefox?
Google is to blame... (Score:2, Informative)
Other than 'feature bloat' - and maybe closing a few security issues - there are no great advantages to a newer browser anymore, at least on the desktops.
Re: (Score:2, Informative)
Did you try searching for how to disable Chrome auto-update?
Set the value of HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update\AutoUpdateCheckPeriodMinutes to the REG_DWORD value of "0"
That's it. A single register value change. Now, I get what you are saying, it's not a GUI option, they don't want average users to disable it, which gives me mixed feelings as well. Many users probably have never heard of regedit. However, for someone posting on /. it shouldn't be that hard.
Re: (Score:2)
Re:Google is to blame... (Score:5, Funny)
Many users probably have never heard of regedit. However, for someone posting on /. it shouldn't be that hard.
I've looked for regedit in the Fedora repo and I couldn't find it.
Re: (Score:2)
I've looked for regedit in the Fedora repo and I couldn't find it.
It is in the Wine package. ;)
Re: (Score:2)
Have you ever tried to change Google-Chrome anything?
I've got a CS degree and 5 years development experience with a variety of poorly designed 4th-gen tools and figuring out how to do anything not listed in that minimalist menu is still beyond me.
The majority of users are equally as capable at changing google-chrome's settings: they type into the search bar: "google chrome " follow whatever directions get returned.
Though you have to check how recent those instructions are, it seems every couple days the Goog
Re:And That, Ladies and Gentlemen ... (Score:5, Insightful)
This would not have prevented what happened, unless the OP likes to never update his software. At most, it would have (possibly) saved the OP some time if he would have made the connection (which is not at all a for-sure thing).
Re: (Score:3)
My only extension in Chrome is Google Docs. Somehow I think the malware authors will have trouble obtaining that one.
In Firefox I have fifteen different extensions, many of which are restrictive in nature: they break websites by defeating cookies and scripts. Many of the rest are small (but vital) user-interface tweaks. Firefox is where I impose my own will on the web. Chrome is where I retreat for the bog-standard experience. Even if my chrome profile is suffering from a cookie cabal infestation (Hell
Re: And That, Ladies and Gentlemen ... (Score:2)
They aren't malcontents, they're clever programmers who've figured out how to make a lot of money quickly.
Re: (Score:2)
Actually I think if Google was even aware of this at all, they would probably act, if they haven't begun to act already. Google really doesn't like it when its search results are screwed with by anything at all; it's sort of their sacred cow. They've used the court system to block people from screwing with the search results for even stuff in IE.
Re: (Score:1)
They won't live long enough to make their money back.
Damn you optimists. Maybe they will, and then they can use the profits to acquire more plugins and repeat the cycle.
Re: And That, Ladies and Gentlemen ... (Score:2, Informative)
On the contrary, according to Ars an extension called "Add to Feedly" had ~30,000 before being sold. It now reports 32,354 according to the Chrome Web Store. It's just really hard to detect the culprit, apparently.
Re: And That, Ladies and Gentlemen ... (Score:5, Insightful)
Your theory flies in the face of history. Spam now represents the majority of email sent and they only need a fraction of a percent in return in order to reap a significant reward to justify their efforts. This particular clever exploit has been around how long undetected? And all they have to do is take the same code and inject it into the next extension they buy, or roll out. This is even better than spam.
Google's main reason for getting involved in this one is that it's leeching off of their core business. I guarantee that's not something they'll let slide.
Re: (Score:2)
It was inevitable. Probably a lot of plugins on defunct projects that they wouldn't even have to pay for, just offer to take over.
Re: (Score:2)
Re: (Score:2)
Well, yeah. Ads that *Google* doesn't put there.
Ads aren't necessarily user experience killers; understanding this was part of why Google won the search engine wars. Most people don't mind a modest number of non-intrusive ads, and it's in Google's interest to protect its platform by not offending *most* users.
The adware vendors behave in a way that shows they don't have any long term interest in the user experience. They're out to recoup their investments fast and move on.
Great (Score:5, Interesting)
What makes this really bad is that it's difficult to permanently remove Chrome extensions sometimes. If I delete it, it will just show back up in a few minutes, probably because it's saved somewhere in my central account. Now with this out there...
Re: (Score:2)
Re: (Score:1)
Re:Great (Score:5, Informative)
If you set your browser to remember your passwords, then anyone that uses your browser (including a virus) can get your passwords. That's exactly how the feature is supposed to work.
Re: (Score:2)
And none of my software will run.
Thanks for a really knuckle head idea. I could get exactly the same effect by loading linux and not have to buy new hardware.
Re: (Score:2)
yeah but linux isn't an end user desktop environment. what software do you have that needs windows? If you have linux software then this can run on mac. usually you have to buy new hardware anyway eventually.
Re: (Score:2)
that's cool. then spend 10x longer wasting time futzing with your computer. Do the math of up front cost, ongoing time investments, and value of time to determine which purchase is best for you.
Re:Great (Score:5, Informative)
Chrome developer here. If you are deleting your extensions and they are showing back up in a few minutes, you have malware on your system that is actively re-installing them (I have seen this in action).
Under normal circumstances, deleting an extension on one machine (assuming you have extensions sync turned on) will cause it to be deleted in your central account, and this delete will propagate to your other machines. Chrome won't push an extension back to your machine that you just deleted. Also, side-loaded extensions (ones that you didn't get from the Web Store) are never synced.
The problem is that many users have malware running in their system that continually installs a particular extension into Chrome, so if you delete it, it goes right back (through no fault of Chrome's). The only solution for now is to find and disable the malware. On Windows, we will soon be blocking side-loaded extensions [chromium.org] to prevent this sort of thing from happening.
Re: (Score:2)
There's no malware. The issue persists across multiple computers, one of which I did a complete reformat before installing Windows 8.1 a few months ago. It seems to be an issue with Google Sync, although I'm sure what you're suggesting is the cause for many people.
Re: (Score:2)
Is the extension installed from the Web Store, or side-loaded? Either way, if you are sure there is no malware, I would appreciate a detailed bug report [crbug.com], because this is certainly not the intended behaviour. Thank you in advance.
Re: (Score:3)
Both are from the store.
https://chrome.google.com/webstore/detail/turn-off-the-lights/bfbmjmiodbnnpllbbbfblcplfjjepjdn?hl=en [google.com]
and
https://chrome.google.com/webstore/detail/exif-viewer/nafpfdcmppffipmhcpkbplhkoiekndck [google.com]
For what it's worth, I was able to get them to go away entirely about an hour ago finally. I had to go to the Google Sync Dashboard, and clear *all* of the data (they won't let you clear just parts), at which point I basically had a blank profile. I think the issue is definitely on Google's side,
Re: (Score:3)
Hi, thanks for the details. Would you be able to file a full bug report by going to:
http://crbug.com/new [crbug.com]
Just fill in the required fields (such as operating system, Chrome version, etc) and then paste what you told me here. Thanks.
Re:Great (Score:4, Informative)
Done. Issue 335979
Re: (Score:2)
Cloud issues can really be hard to solve from the end users side of things. For example I play a lot of TF2 and Valve somewhere along the way decided that it would be cool to add cloud features such as tracking my favorite servers. This cloud feature can be disabled, but is on by default.
Some of the servers that I have added to favorites no longer exist, and the TF2 client quietly doesn't list any servers that it cannot get a ping from so they don't appear on this list within th
Re: (Score:2)
This is not the place to talk about removing features in a positive light mr chrome....
Malware development gigs on Guru.com (Score:3, Interesting)
Re: (Score:3)
Disconnect the Updates (Score:5, Insightful)
Google need to disconnect their Chrome core update mechanism from the extension updates (unless ones of their own authorship). Of course, they cannot do anything about users accepting updates directly from independent extension writers.
Otherwise, Chrome is dead in the water.
Re: (Score:3)
What if I reimage my computer? Can I get my old extensions back?
Re:Disconnect the Updates (Score:5, Informative)
Otherwise, Chrome is dead in the water.
I wonder how you come to this conclusion. We live in a world where users don't want to be interrupted with mindless things like updating software. Combined with Microsoft's militant approach to harassing users if their computers aren't configured to auto update, and the general consensus that many user facing apps now auto update and the trend is moving towards doing it silently I don't see this affecting Chrome's user base one bit.
Re:Disconnect the Updates (Score:4, Insightful)
Otherwise, Chrome is dead in the water.
I wonder how you come to this conclusion. We live in a world where users don't want to be interrupted with mindless things like updating software. Combined with Microsoft's militant approach to harassing users if their computers aren't configured to auto update, and the general consensus that many user facing apps now auto update and the trend is moving towards doing it silently I don't see this affecting Chrome's user base one bit.
If this isn't rapidly nipped in the bud Chrome will soon be known as a hotbed of Malware, credit card fraud, bank fraud and porn ads to general users. Once it has this reputation it will be very difficult to get users to continue using it.
Re: (Score:2)
SeaMonkey's browser is as "lightweight" as you need. I use it for my standard browsing and I don't find it slow, mainly because it uses Gecko, which isn't slow. It still has a proper browser interface, and it doesn't have some bullshit centralized account system where you automatically get a bunch of extensions installed on any machine you install it. What's more, it's straightforward to turn off auto-updating or make it non-silent.
Re: (Score:2)
Moreover many "apps" that people use these days are web sites like Google, Facebook, Twitter and YouTube. Silent updates are the norm for them, even though there are often loud complaints from large numbers of users. Google wants Chrome to be that way too.
Re: (Score:2)
The reason for this is that often new core updates break old versions of extensions.
They could make the extension updates a more visible process like Firefox does, but most people are going to be pressing "yes" to the update box anyway.
Re: (Score:2)
The other option is to review updates to extensions before pushing them out to users. That's what Mozilla does with Firefox extensions.
Re: (Score:2)
I would be perfectly happy with the option to simply disable an extension until it is updated.
In the event that Chrome updates, it would be nice to see which extensions offered tethered updates and if they were something I didn't feel like trusting, simply disable until I click the "Manual Update" button. An option to also remove the extension would be nice also.
Re:Disconnect the Updates (Score:5, Insightful)
No. what it should do is act like android plugins and pop a security warning if any permission level changes between updates, or if it modifies settings.
Disabling auto update may add more problems if the app has bugs that can be exploited. I'd rather have Chrome disable the plugin if permissions change instead of removing auto update altogether.
On another note. why is this all of a sudden news now? I've been seeing all of these Virus ads and plugins posts on slashdot this week and I've been seeing this stuff going in chrome for Months now. Hell 60-70% of my service calls are from this stuff.
Hell, I had two Chromebooks come in infected and you can't just remove the extension on a chromebook. You basically have to log into google using Chrome on a windows PC, Infect that chrome, disinfect it using ADWCleaner or JRT to remove the extension enough in chrome so it deletes the plugin in your cloud settings, and reset the Chromebook to factory (otherwise it comes back). So much for "Chromebooks don't get viruses", although Google now has a browser reset button (The two chromebooks were infected before this feature was added in the Windows builds) so that might make it easier to remove. I sure hope so for Chromebook's sake.
Google. You Seriously need to start monitoring and cracking down on this stuff ASAP. And start paying attention to your damn Google ads! I'm sick of people installing bundleware virii every time they search for any of the following:
Firefox
Google Chrome (That's right! They're hijacking your OWN BROWSER'S ADS ON YOUR OWN SEARCH ENGINE!)
Internet Explorer
Windows Media Player
Openoffice/Libreoffice ETC
VLC Media Player
7ZIP
Quicktime/Itunes ETC
ETC. (I can literally go on forever with this list. Just as a rule of thumb, if it's a popular software download, it's most likely been install hijacked by a Virus Inc.)
Anytime anyone uses adwords to get listed on a legitimate app, and it doesn't go to the Legitimate program's website, I want a big red light to start blinking with 150DB Sirens going off and a Evil Sounding voice that says WARNING!! ADWORDS HIJACK DETECTED!! going down somewhere in your security dept so your security team scours their ad submission in fear of the big red light of screaming Terror going off. And they better damn well ban that entire domain and any subdomains from ALL ADS FOR LIFE! Either Get Tough and declare war on spam and virus pushers or get steamrolled!
The same goes for you too MS. Fix Bing! See what Google is doing? You're doing the exact same thing and need the exact same remedies! Hell! Slashdot? Want a Bash MS Story for your front page? There's malicious apps in the Windows 8 Store! Just open up the store, search for "getdesktopapp" and see the Virus and Adware crap MS's Own Store is infecting people with! Now get on bashing M$ like you love to do. Chop Chop!
And as for Antivirus firms. (And frankly, I don't care who you are. You ALL suck when it comes to this) Wake The F Up! You detect Gator, A 10 year old adware/spyware mess as a virus, but Conduit SearchProtect is totally legitimate and in no way is a threat to computer users even though it does things that are 10 times worse than anything Claria did? BS! Wake Up, Grow a Pair and start doing your damn job! It's a shame that the only people that detect these things is the people behind ADWCleaner and the Junkware Removal Tool (thanks BTW for making these two tools since no one else detects adware anymore). Adware is a Virus now. Bundleware is a Virus. Start detecting and removing this crap as malware like you should! It's real easy to find out what to detect. If you install a wanted program (like Adobe reader), and it installs Something the person didn't want (like Ask Toolbar, or whatever garbageware of the day adobe gets paid to infect PC's with) It's malicious and should be flagged as such. I don't care if it's got a Checkmark to not install or who the hell is pushing the junkware or who the junkware creator is. the practice is bad and needs to die.
Re: (Score:2)
+10 Spot on
It is Google's job to sort out the malware it hosts and now the problem is known about it really shouldn't be hard for technically proficient people to root out and report bad apps.
Why would anyone want to use the browser made by an advertising giant that puts the NSA to shame with regard to watching everything on the web (google analytics, google+ web-bugs etc).
Today's Anti-virus software is truly pathetic, I don't waste my time with this useless nagware. I haven't had AV installed for over 5 yea
Ads? (Score:1)
The internet has ads?
I haven't seen em in years...
Re: (Score:2)
Some include trackers and keyloggers (Score:3)
The commenters in arstechnica also mentioned search engine hijacking too. Malware if you ask me?
This and advertisers circumventing adblock which was mentioned yesterday shows a war.
Is IE the only defense? Firefox has a lot more powerful API for extensions and add ons so I wonder if that is unsafe as well? However Mozilla has a greater track record in protecting freedom and privacy as an organization. Taco was an infamous extension that did what ghostery does for Firefox but a spammer bought it and ruined it.
I had a couple offers (Score:5, Informative)
I don't see it as a huge problem though. Most extension developers are like me, hobbyists and enthusiasts. There's really only a few big ones (like Adblock Plus and Firebug) and those are big enough they're not a target for these sorts of things.
Re: (Score:2)
We're all really screwed if... (Score:4, Insightful)
...these malware companies buy out AdBlock. :-/
Re:We're all really screwed if... (Score:5, Informative)
They already have. The option to allow ads from people that have paid AdBlock is checked by default. https://easylist-downloads.adblockplus.org/exceptionrules.txt [adblockplus.org]
Re: (Score:2)
https://adblockplus.org/en/acceptable-ads-agreements [adblockplus.org]
Do companies pay you for being added to the list?
Whitelisting is free for all small- and medium websites and blogs. However, managing this list requires significant effort on our side and this task cannot be completely taken over by volunteers as it happens with common filter lists. That's why we are being paid by some larger properties that serve non-intrusive advertisements that want to participate in the Acceptable Ads initiative.
Re: (Score:2)
It requires Chrome or Safari. This does not help you if you are using Firefox.
Re:buy out AdBlock (Score:2)
Well, there's at least two - Adblock Plus and Adblock Edge, which is a fork. So it would take a few more dollars to both buy them both AND re-license it with a mean lawyer who takes out the forking permission rights!
Re: (Score:2)
Actually, I use Adblock Plus. I've never tried Adblock Edge; I guess I'll look into it.
But still, whatever plug-in we're talking about, there's always the chance that the owner can be bought out. For, in the words of the most beloved children's entertainer of our times: They drove a dump truck full of money up to my house! I'm not made of stone!
Re: (Score:2)
...these malware companies buy out AdBlock. :-/
They already did, years ago.
If you haven't switched to AdBlock Edge, yet, you're behind.
Re: (Score:2)
Your choice, though the problem isn't leaky, the problem is that ADB is now literally owned by an advertising agency. You could just as well switch your gmail.com address for one directly hosted at the NSA, or run your bittorrent client with a proxy owned by the MPAA.
Now the "alternative" is becoming the culprit (Score:4, Interesting)
Many people have defected from IE due to its problems with malware and adware. Firefox, but more so Chrome seemed to be safe. So now that the awesome, "safe alternative" browser is compromised, what's next? I can't imagine there an easy fix to this. Is it time to go to yet another browser?
This is almost like how pharmaceutical scientists keep having to modify and discover new antibiotics. The current batch of drugs eventually becomes less and less effective and the bacteria become resistant, prompting us to constantly evolve the offerings.
Re:Now the "alternative" is becoming the culprit (Score:5, Funny)
Obviously what we need to be really secure is a Open Source browser.... uh... oh... never mind....
Re:Now the "alternative" is becoming the culprit (Score:4, Insightful)
I think you typed in jest, but I think you are still spot-on.
The biggest problem I see is all these scripting thingies where webmasters can insist you run arbitrary code in order to view their page. The magic of our legal system allows them to do all this "hold harmless" stuff regarding anything you ingest at their site. See if this "hold harmless" talk also applies to restaurants. It won't. You eat some restaurant's food and get sick, the restaurant owner has a lot of explaining to do. If common law held anyone who insisted arbitrary code be run in order to view content - hold them liable for malcontent - this would soon stop.
Business went to our Congress over the DMCA and had really stiff penalties legally levied on anyone who violated their business model. Any chance our Congress take our computer infrastructure integrity as seriously as they take the illegal downloading of a song?
If some business made it mandatory you eat one of their candies in order to enter the business, should they be held liable if the candies they insisted on caused a diabetic to go into a coma? Or should their relationship with the U.S. Congress insulate them from liability?
The difference I see is that business will organize and put their concerns before Congress and hound them until they pass whatever legislation they want, whereas voters seem to vote for whoever has the best sound bites, and do not hold their congressmen to their campaign promises. So we end up with software we can't trust.
I rant and rave all the time here bagging on Microsoft for caving in to special interests for things like backdoors and DRM, both of which are hijackable and used to annoy the hell out of those who lack the hacking skills to pirate the damn stuff in the first place. But then, very little of this is Microsoft's doing... it's just that they provide the means for others to do this.
I posted a few days ago about Micrium's stuff. ( uC/OS II). I guess the only OS I consider truly secure. Rom-able. Why this is not the standard for standalone industrial controllers is beyond me.
I get so fed up with the way we do things in these Von Neumann (Princeton) architecture machines where we mix code and data. I do not think anyone can really code a secure OS where there is no hardware line of demarcation over what is OS and what is user code. Personally, I would love to see someone come up with something like the Android - running ROM - on a Harvard machine, requiring a physical jumper to re-flash its ROM. Something completely open-source so nobody is trying to hide anything about the inner workings of the OS. The OS would be like a toolbox - handling all the devices on the system. And that's all it would do. Manage the TCP/IP stack, display, keyboard, USB port, HDD files, RAM, and sound. Virus? It will have to infect an app, which now will no longer have a proper signature when its files are verified by the OS's file hasher. Bad app? Delete it. Phoning home app? It HAS to go through the OS to get to the TCP/IP stack, and the OS will rat it out.
Running arbitrary code? Go ahead with Java. In RAM. In the data space. Interpreted. It can't really do anything the OS won't let it do... and it's completely helpless to overwrite the OS so it can get its way, as it cannot install the necessary jumper plug that enables the write current.
We take something so simple, and make a helluva mess out of it, just so some special interests can manipulate it at everyone else's expense. Tragedy of the Commons.
Re: (Score:2)
Things are so half-cooked right now its hard to fi
Re: (Score:2)
Damn - I missed your troll.......
Re: (Score:2)
No it's not. There were no security issues introduced here by Chrome, rather a simple third party extension.
If you run vanilla Chrome then you're placing your trust in only one company. It's much harder to buy out a large rich company than a single user.
Though given RSA's recent activities I don't think any software on any computer is technically safe.
Re: (Score:2)
1. Make it mandatory to obtain a license to buy a PC. Just like a drivers license. Tablets are license free.
Then we'll get all the tablet users breaking red lights, tableting on pavements and knocking over smart phone users - it'll be carnage. Meanwhile, the Daily Mail will start complaining about all the middle aged Lycra-wearing tablet users being a danger to all the law abiding PC users, and that most of them are probably immigrants anyway.
Comment removed (Score:4, Interesting)
Re: (Score:2)
im using adblock plus on chrome right now. ...and its been installed over 10,000,000 times according to the google play store.
apparently youve been hating on chrome for the past 3 or 4 years and not noticed that youve been wrong the whole time
Wipe / reinstall of the OS wouldn't have worked (Score:2)
The author was about to try wiping the OS and reinstalling. But when he installed Chrome, it would have auto-installed the extension on the clean new OS. Just lovely.
Re: (Score:3)
Not a problem. When you set up Chrome, as you're connecting your account you just configure sync to not sync extensions and apps. That'll prevent the auto-download of them. If you need to clean up sync'd data, it's a dance: get Chrome sync'd up, turn off sync so the local copy is disconnected from the sync'd data, go to your dashboard and clear your sync'd data, then configure what you want sync'd and reenable sync.
Re: (Score:2)
You're assuming he knew it was a Chrome extension. If he wiped the OS, he would have done that because he didn't know.
Is Firefox safer? (Score:3)
Specifically, can we assume that any extension loaded into Firefox via the official extensions repository, is open-source, and that someone from Mozilla is checking the extension before an update is released?
Re:Is Firefox safer? (Score:5, Informative)
Re:Is Firefox safer? No. Mozilla sold out. (Score:3)
No, Firefox isn't safer. Mozilla sold out last year. [mozilla.org]. This came up when Wips bought up a number of plug-ins, including BlockSite, and installed spyware with a ransomware "opt-in" feature. (Opt in, or we block Flickr, etc.)
Mozilla policy: [mozilla.org] "These features (spyware, etc.) cannot be introduced into an update of a fully-reviewed add-on; the opt-in change process must be part of the initial review."
Jorge Villalobos, Mozilla management-level employee: That's outdated, since we don't enforce that policy. As l
Re: (Score:2)
Not Just Chrome Extensions (Score:1)
I have noticed that quite a few of the free and freemium utilities out there have been mysteriously "corrupted." For instance reputable utilities for removing or repairing PUA infestations that suddenly start including trojan payloads of their own. Others have been gutted to the point of near or complete uselessness and only act as nagware to purchase a former and quite often shady competitor's payware version instead.
Looks like FUD to me. (Score:1)
Re: (Score:2)
Considering that any ActiveX control is effectively an "IE extension", and further considering that IE installs ActiveX to a non-user-writable directory by default *and* prompts the user when they update, I think you're full of shit. But sure, work an anti-MS angle into this somehow. I'm sure that'll get you modded up...
A few new trends upon us mere users? (Score:2)
Adds (Score:3)
question (Score:2)
Do these developers who sell the extensions even get paid? Or do they get scammed too?
Chrome **does** warn about new permissions (Score:3)
Chrome **does** warn about new permissions, in fact it's more than that - it just disables them, and leaves you a message - "Such and such extensions requires new permissions, so it has been disabled.", and it's up to you to go and re-enable it.
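The check discussed in this thread (warn on, or disable after, an update that asks for more permissions) can be approximated outside the browser by diffing two versions of an extension's manifest.json. This is an added example, not part of the original comments and not Chrome's implementation; the sample manifests, the extension names and the high-risk shortlist are constructed for illustration.

```python
import json

# Assumption for this example: a shortlist of API permissions to call out as
# high risk. It is not Chrome's own permission-warning table.
SENSITIVE_API = {"tabs", "webRequest", "webRequestBlocking", "cookies",
                 "history", "management", "proxy", "nativeMessaging"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_host_pattern(entry):
    """Match patterns carry a scheme separator; API permission names do not."""
    return entry == "<all_urls>" or "://" in entry


def extract_grants(manifest):
    """Return (api_permissions, host_patterns) requested at install time.

    "optional_permissions" is skipped: those are requested at runtime.
    """
    api, hosts = set(), set()
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str):
                (hosts if is_host_pattern(entry) else api).add(entry)
    # Content scripts can run in any page their "matches" patterns cover.
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return api, hosts


def already_covered(pattern, old_hosts):
    """True if the old version's host grants already include this pattern."""
    if pattern in old_hosts or "<all_urls>" in old_hosts:
        return True
    scheme = pattern.split("://", 1)[0]
    if scheme + "://*/*" in old_hosts:
        return True
    return "*://*/*" in old_hosts and scheme in ("http", "https", "*")


def review_update(old_manifest, new_manifest):
    """Compare two manifest versions and decide whether to hold the update."""
    old_api, old_hosts = extract_grants(old_manifest)
    new_api, new_hosts = extract_grants(new_manifest)
    added_api = new_api - old_api
    added_hosts = {h for h in new_hosts if not already_covered(h, old_hosts)}
    high_risk = (added_api & SENSITIVE_API) | (added_hosts & BROAD_HOSTS)
    return {
        "from": old_manifest.get("version"),
        "to": new_manifest.get("version"),
        "added_api": sorted(added_api),
        "added_hosts": sorted(added_hosts),
        "high_risk": sorted(high_risk),
        # Any growth in privilege holds the update until someone re-approves it.
        "action": "hold" if (added_api or added_hosts) else "allow",
    }


# Constructed sample manifests (hypothetical extensions, not taken from the thread).
OLD = json.loads("""{"name": "Example Share Button", "version": "1.4.0",
  "manifest_version": 2, "permissions": ["activeTab", "storage"]}""")
NEW_ESCALATED = json.loads("""{"name": "Example Share Button", "version": "1.5.0",
  "manifest_version": 2,
  "permissions": ["activeTab", "storage", "tabs", "webRequest", "<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}""")
OLD_BROAD = json.loads("""{"name": "Example Page Tool", "version": "2.0.0",
  "manifest_version": 2, "permissions": ["tabs", "<all_urls>"]}""")
NEW_BROAD = json.loads("""{"name": "Example Page Tool", "version": "2.0.1",
  "manifest_version": 2, "permissions": ["tabs", "<all_urls>"],
  "content_scripts": [{"matches": ["http://*/*", "https://*/*"],
                       "js": ["new_code.js"]}]}""")

if __name__ == "__main__":
    for old, new in ((OLD, NEW_ESCALATED), (OLD_BROAD, NEW_BROAD)):
        print(json.dumps(review_update(old, new), indent=2))
```

The second pair shows the limit of any permission diff: an update that stays inside permissions the extension already holds passes as "allow" even though it ships new code, so it has to be caught by reviewing the update itself.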
Re:Autoupdate (Score:5, Insightful)
Please assure that you're not one of those people who complain about users running unpatched Windows boxes because they turned off auto-update.
For the average non-techy user auto-update is the one thing I'd say is essential. They're not in any position to judge what parts of their system need, or don't need updates, and I'd rather that they trust in Google, or Microsoft, or even Canonical to decide for them.
Now, you can debate the fine points, about whether minor plug-ins should auto-update, or ask why Java on Windows boxes seems to want to update every third day, as does Adobe Reader, but in general I'd still argue that auto-updates are good security practice.
Re: (Score:3, Insightful)
Automatic updates, by themselves, are an awful security practice. They mean that whoever writes the updates can install (intentionally or unintentionally) damaging code on all users' machines without the knowledge or choice of the user.
Automatic updates are a good security practice only if the user is willing to give their unconditional trust to the author for the entire time that the updater is running. This is not always the case. The possibility of an ownership transfer is one reason why it is not. Anoth
Re:Autoupdate (Score:5, Insightful)
So you sit down and check on the health of your machine, you go through logs reading on what is vulnerable, and then you manually apply security patches.
How is this relevant in a discussion about what is best for a normal user again?
The normal user can barely be trusted to check in their car for a scheduled service let alone go through security updates one at a time. Like it or not the number of security threats caused by malicious updates is infinitesimal compared to the number of security threats caused by bugs which haven't been patched.
Re: (Score:2)
So in this case the store that sold you your Clarion deck will stop by and fix your stereo but also leave a GPS tracker or mute your system to play their own wares.
Updating Chrome is one thing because Google doesn't
Re: (Score:2)
The comparison is fair, you're just hung up on what is important to update. I'm talking about updates in general replying to a person who was talking about the process he uses to deal with security updates. Whether that update is %insert small plugin% or %insert critical OS flaw%, the problem could lead to equally serious issues for the user if exploited.
I'm like the OP, in the sense of the car I go as far as changing my own oil, and checking the vehicle log-book to find out what my next service will actual
Re: (Score:2)
and this is exactly why I don't allow auto updates. I take the time to read up on the vulnerabilities but as I tend to run Gentoo,
You got me, as soon as you said GENTOO. Ok, another self-flagellating penguin. Either that or a frustrated MCSE that moved over to Linux a few years back just to really experience some excruciating pain instead of hearing others scream in agony all the time to tech support about WINDOWS UPDATE. Oh the irony.
Re: (Score:2)
Gentoo isn't actually that bad, though it does require a little more understanding of how the system works than something like Ubuntu. It does have a fairly decent package management system though, and because most of what you're using is compiled it tends to be a fairly fast system to use.
Each to their own. For me, computers have gotten fast enough that I don't really care about a few milliseconds here or there, and am currently using an Ubuntu derivative now for ease of package management (and because this
Re: (Score:1)
The whole notion of automatic updates just doesn't make any sense.
Please assure me that you're not one of those people who complain about users running unpatched Windows boxes because they turned off auto-update.
For the average non-techy user auto-update is the one thing I'd say is essential. They're not in any position to judge what parts of their system need, or don't need updates, and I'd rather that they trust in Google, or Microsoft, or even Canonical to decide for them.
Now, you can debate the fine points, about whether minor plug-ins should auto-update, or ask why Java on Windows boxes seems to want to update every third day, as does Adobe Reader, but in general I'd still argue that auto-updates are good security practice.
And your theory holds true...right up to the point where those trusted sources (Google, Microsoft, or even Canonical) start pushing their own ad(genda), along with their mal(genda) and spy(genda).
And besides, those trusted sources don't even have to install anything on my computer for me to not trust them at all. It isn't what they do ON my system that worries me as much as what they do with my data gathered via the intertubes that they'll sell off to the highest bidder, or hand over to the government on a
Re: (Score:2)
Or ask why Java on Windows boxes seems to want to update every third day, as does Adobe Reader
I hate to break it to you, but updating your Java plugin is NOT sound security practice.
Completely disabling and uninstalling your Java plugin is sound security practice; the Reader plugin should be turned off as well.
It doesn't matter how up to date you think you are; the latest Java has more security holes than a sieve in it. Yeah, some of them will eventually be found, and exploited, and malware de
Re: (Score:2)
download "Paris Hilton Sucks Cocks.jpg.exe"
Citation needed.
Re: (Score:2)
Doesn't Paris Hilton's active sex life fall in the same category as water is wet and the sky looks blue? Do we need a citation for everything?
Re: (Score:2)
"Sky looks blue"
Citation needed
Re: (Score:3)
Yeah no security risk at all to not autoupdate a platform that executes code
Re:NSA (Score:5, Funny)
Would anyone be surprised to learn the NSA has been doing similar tactics, strong-arming popular extension writers like ad-blockers to spy on users?
That's why I use a hosts file.
Where's that guy that always talks about hosts files on here?
Patience... He's typing now. The clipboard only holds so much.
Re: (Score:2)
Are you trying logic on a paranoid rant with bursts of all-caps for emphasis? You must be delusional as well. Industrial strength antipsychotics are the only viable counterargument to that.
Re:New business model! SpamBayes again... (Score:2)