Google glitch causes confusion

Posted by Maxim Weinstein Sat, 31 Jan 2009 16:23:21 GMT

This morning, an apparent glitch at Google caused nearly every [update 11:44 am] search listing to carry the "Warning! This site may harm your computer" message. Users who attempted to click through the results saw the "interstitial" warning page that mentions the possibility of badware and refers people to StopBadware.org for more information. This led to a denial of service of our website, as millions of Google users attempted to visit our site for more information. We are working now to bring the site back up. We are also awaiting word from Google about what happened to cause the false warnings.

[Update 12:31] Google has posted an update on their official blog that erroneously states that Google gets its list of URLs from us. This is not accurate. Google generates its own list of badware URLs, and no data that we generate is supposed to affect the warnings in Google’s search listings. We are attempting to work with Google to clarify their statement.

[Update 12:41] Google is working on an updated statement. Meanwhile, to clarify some false press reports, it does not appear to be the case that Google has taken down the warnings for legitimately bad sites. We have spot-checked a couple of known bad sites, and Google is still flagging those sites as bad; i.e., the problem appears to be corrected on their end.

For more information about how the process works and the relative role that Google and StopBadware.org play, please see our Clearinghouse page or this question in our FAQ.

[Update 1:36] Google updated its statement to reflect that StopBadware does not provide Google’s badware data.

[Update 2:35] Hopefully this will be the last update, as Google has acknowledged the error, apologized to its customers, and fixed the problem. As many know, we have a strong relationship with Google, which is a sponsor and partner of StopBadware.org. The mistake in Google’s initial statement, indicating that we supply them with badware data, is a common misperception. We appreciate their follow-up efforts in clarifying the relationship on their blog and with the media. Despite today’s glitch, we continue to support Google’s effort to proactively warn users of badware sites, and our experience is that they are committed to doing so as accurately and as fairly as possible.


Openness versus consumer protection? Android, iPhone, and transparency

Posted by Erica George Fri, 30 Jan 2009 21:22:21 GMT

If you follow news about the Android mobile phone platform, you may have seen recent allegations of malware against a third party application available on Google’s Android application market. It’s unclear whether or not the application in question, MemoryUp, was actually capable of any of the reported claims against it – Google’s own testing showed no malicious behavior – but the application disappeared from the Android Market anyway.

Elisabeth Oppenheimer, of StopBadware director Jonathan Zittrain’s "Future of the Internet" blog, writes:

[I]f Google is going to have the kind of open marketplace they want, they’re going to have to be more clear about what they’re doing. No one seems to know who pulled the app—the developer, Google itself, or perhaps some automatic system based on customer complaints. If Google is silently pulling disputed apps while the developers protest … they’ve replicated the iPhone’s App Store. There hasn’t been much protest about the Android kill switch, and people might well be okay with pulling apps that pose security problems from the Market (especially since there are alternative distribution methods). But Android users ought to know who pulled the app, and why.

Contrast the Apple iTunes App Store, which pre-screens applications. It’s unlikely for malware to get through, but the high level of gatekeeping also can keep legitimate applications out – including, controversially, competitors to some applications designed by Apple.

Elisabeth continues:

Professor Zittrain argues for solutions that engage the community of users and don’t assume a zero-sum game. Having users test and rate applications—as they do on Android—is certainly a step in that direction. (Google removing apps without explanation would be a step in the opposite direction, and would make developers nervous.)

Do we really need to choose between openness and security? Professor Zittrain argues that, with the help of the community of internet users at large, we should not need to. For companies in a position to act as gatekeepers seeking a balance they can live with, a high level of transparency and communication with users can help mitigate any restrictions on openness – and can help foster a more secure internet for us all. 

Disclosure: Google is one of StopBadware’s sponsors.


President's cyber security plan misses the (end)point

Posted by Maxim Weinstein Tue, 27 Jan 2009 18:55:13 GMT

President Obama’s cyber security plan is revealed within the Homeland Security agenda posted on Whitehouse.gov. The plan echoes many of the recommendations made in a report (PDF) by the Commission on Cyber Security for the 44th Presidency.

The elements, all of which are sensible, include:

  • Appointing a national cyber advisor
  • Investing in R&D for infrastructure security
  • Working with the private sector to set standards for infrastructure security
  • Working with industry to develop safeguards against cyber-espionage
  • Shutting down untraceable payment schemes used to facilitate cybercrime
  • Providing law enforcement with money and training to improve their cybercrime enforcement efforts
  • Setting standards for securing personal data and disclosing data breaches

If the administration makes progress towards all of these goals and plays its part well, this would represent a significant step forward in the fight to secure our homeland and to protect consumers.

I am, however, disappointed that the President’s plan does not include elements specifically focused on botnets and other malware that present a risk to individuals, businesses, and critical infrastructure. As demonstrated in the 2007 cyber attack against Estonia, infected PCs can be used to attack infrastructure. Just as a traditional military strives to not only defend its assets, but also to reduce its opponent’s armaments, we must work to get the malware off of users’ PCs. A sensible federal cyber security policy should include a focus on education, technology, and research to help keep users’ PCs safe. Ideally, this would incorporate working with the private sector to encourage data sharing, engaging the academic and malware research communities, increasing funding for non-profit initiatives such as the National Cyber Security Alliance (and, dare I say, StopBadware.org), and investing in the development of new technologies and new policies aimed at keeping computers secure.


New bots, more badware sites?

Posted by Maxim Weinstein Tue, 20 Jan 2009 20:33:22 GMT

In recent weeks, a new worm known as Conficker/Downadup has been making the rounds, turning many (reportedly millions) of PCs into bots. At the same time, the number of badware sites Google has reported to us has been steadily increasing, from around 145,000 a couple of months ago to around 183,000 now.

Are these related or just a spurious correlation? It’s hard to be sure. Google has been known to tweak its systems, sometimes leading to a significant increase or decrease in the number of reported hosts without any change in external conditions. On the other hand, it seems very possible that there is a direct link. If you’re a malware author looking to quickly spread a worm, compromising a bunch of websites and turning them into unwitting distributors of the worm is an effective weapon in your arsenal. And, of course, the botnet itself, as it grows, can be used to help infect even more sites.

Do you have more information on this question? Let us know at BadwareBusters.org.


The dark side of automatic updates

Posted by Maxim Weinstein Tue, 13 Jan 2009 20:27:10 GMT

When it comes to keeping client software patched against the latest known security vulnerabilities, automatic updates are one of the more effective mechanisms out there. By shifting the burden of checking regularly for updates from the user (we humans are notoriously unreliable) to the software, companies ensure that users at least are aware of the patches and, depending on the configuration, even get the patches installed automatically.

We’ve previously written about the problem of a software vendor abusing this system to push new software and/or potentially unwanted functionality to users’ computers. (See also the discussion here.) But, over at the blog of the Center for Education and Research in Information Assurance and Security (CERIAS), Gene Spafford writes about a different potential problem of automatic updates: they can break things. As Spafford writes:

The [Samsung BD-P]1500 [Blu-Ray player] came up with an on-screen message early in the week that a firmware update was available. Having had experience with downloads and upgrades of OS components, I waited a couple of days before doing anything. When I initiated the download, it completed without error, according to the display. However, after completion, it too was dead—no response to anything, including reset codes.

He goes on to relate Samsung’s response which, boiled down, was that they acknowledged the problem but didn’t know when there would be a fix available. In other words, installing the automatic update made his device unusable, and there was nothing he could do about it.

Thinking about the Apple Software Update fiasco, Spafford’s experience with his Blu-Ray player, and various past cases of updates causing some users’ systems to crash, I’m struck by the amount of power that a software or hardware vendor has when it incorporates an automatic update feature into its product. With little more than a single click by the user (or in the case of unattended updates, not even that), the vendor has the potential to disable a product, enable new functionality, push new products, and more.

Spider-Man’s uncle famously said, "With great power comes great responsibility." Indeed, any vendor incorporating automatic updates has a responsibility to use the feature in a way that benefits and protects the customer and does not abuse the customer’s trust. At a minimum, this includes sending updates only after extensive testing, protecting the system from abuse (e.g., someone co-opting the system to distribute malware), quickly notifying users of and correcting "bad" updates, and avoiding the temptation to push new products or potentially unwanted functionality down users’ throats.

[Hat tip to Jon Kibler for bringing Spafford’s blog post to our attention.]
