> The Bing search engine is about as bad.
A close friend used IE to get Google Chrome. They clicked the first result and luckily I was able to stop them before starting the install on some crapware.
So I asked them to be careful to ensure the download site is correct and left them to it.
I came back to find they had downloaded some other crapware.
I checked the search results. The ENTIRE first one and a half page of results were advertisements for versions of crapware which may or may not have been Chromium or Chrome lookalikes with lots of malware.
Makes me wonder how Microsoft ranks search results. Surely if they were counting links to a page from other pages (like Google does), Google would've come out on top? Or does no one link to Google anymore since people tend to find their way there anyway?
I've just checked on Bing with IE and the first results are:
- ad by Google for Google Chrome
- ad by Mozilla for Firefox
- 2 results on Google's site
- one download site (didn't check if it's crapware)
- two Wikipedia links
- the same ads at the top
In one case, I saw where it looked like an ad by Google for Google Chrome, but once clicked, it actually led elsewhere (to a very well-constructed fake Google page), even though on the result page the URL looked legitimate.
It's kinda sad that there's currently no more intuitive, built-in, simple and elegant better way to do that.
(I know of thousands (if not infinitely) more complex ones so please don't start on them)
It must be as simple as "google that and press install". Everything requiring an install has a huge negative attached, but the worst is if they google for the tool you use to then type in ... . Maybe make the tool the start page and train them to press the start-page button first every time you tell them to "google sth".
You'll miss a business model though in case you don't want to show links to crapware like certain others.
Call me paranoid, but every time I install software on Windows [1] I do the following dance:
1. Search for the name of the software on Google [2].
2. Open link to software in separate tab.
3. Open Wikipedia link (usually on the same SERP) for software in separate tab.
4. Compare domain name from direct link with the domain name from the Wikipedia article.
5. Open another tab and type domain name manually.
6. Find download link manually on domain [3].
I do this since a family member got burned badly by a malicious OpenOffice install many years ago.
[1] Sometimes I do it on Mac too, because the App Store has its own issues (e.g. upgrades are often cheaper if you buy software directly). On any other system I use the package manager. All of this makes the effort bearable because I only have to do it rarely.
[2] I'm usually on DuckDuckGo, but for this I always used Google. The reason is that I had hope that they'd remove malicious results quicker. It's manual work after all and Google has more resources. This whole thread makes me doubt though.
[3] I'd do this anyway because I usually don't want to install the version that is automatically suggested, but decide myself which specific version I want to install. Most of the time the reason is the language.
Disclaimer: I'm the author/maintainer for AppGet [0].
What you explained here is one of the main selling points (as in convincing, appget is completely free) for appget.
AppGet pretty much automates what you explained here and more.
We automatically download and validate the SHA256 of downloads (we have a strict policy of only allowing releases from the official source).
All package info that is used to install applications is fully public in our GitHub repository [1] (think Homebrew).
Also, for less tech-savvy users, they can install applications through our gallery e.g. https://appget.net/packages/i/chrome using appget as long as they have appget installed on the machine.
AppGet doesn't use custom scripts on install; everything is defined by data (YAML files). The client uses the data in the manifest and knows how to deal with different installers. This alone makes appget more secure; if you trust the client (it's open source and managed by the core team) you don't blindly run a PowerShell script as admin on your machine.
Also, adding/updating packages is trivial since all you need to do is update/create a very simple YAML file.
Another benefit is we can upgrade the client to better deal with let's say MSI installers, and none of the manifests need to be updated since all the logic is in the client, the manifest only needs to identify itself as MSI.
This also means you can install an app in different interactivity levels: Silent (everything happens in the background), Passive (you see the installer and progress, but you don't have to click next or do anything) or Interactive (appget downloads and validates the installer and just launches it for you, but you can run through the installer and customize it as you see fit).
Our packages are more up-to-date. We have a crawler that checks for updates on a regular basis; we use the GitHub API and check vendor sites constantly (over 500K check events per day). Trivial updates are automatically pushed to the repository; for non-trivial ones the bot automatically creates a pull request on GitHub to be reviewed by a human. In most cases we pick up updated releases for apps within hours.
AppGet can list, upgrade and uninstall apps that aren't even installed using appget. We check the Windows Installer database as the source of truth. You can download appget right now, run "appget outdated" and I guarantee it'll find outdated apps for you.
I'm sure there are more things, this question comes up a lot, so I'm gonna spend some time and add a page to the documentation just for this.
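The data-driven install flow described in this comment (pinned SHA256, official-source-only policy, installer type plus interactivity level resolved by the client rather than by a per-package script), as an added illustration that is not AppGet's own code; the manifest field names, the `example.test` host and the installer bytes are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed bytes standing in for a downloaded .msi (not a real installer).
SAMPLE_INSTALLER = b"MSI-EXAMPLE-BYTES-0001"

# Hypothetical data-only manifest. Field names are this example's own, not
# AppGet's real YAML schema. The digest is pinned to SAMPLE_INSTALLER.
MANIFEST = {
    "id": "example-app",
    "version": "1.2.3",
    "installer_type": "msi",
    "installer_url": "https://downloads.example.test/example-app-1.2.3.msi",
    "official_hosts": ["downloads.example.test"],
    "sha256": hashlib.sha256(SAMPLE_INSTALLER).hexdigest(),
}

# Silent / passive / interactive switches per installer technology. These are
# the documented switches of msiexec and Inno Setup, nothing AppGet-specific.
INSTALL_SWITCHES = {
    "msi": {
        "silent": ["/qn", "/norestart"],
        "passive": ["/passive", "/norestart"],
        "interactive": [],
    },
    "inno": {
        "silent": ["/VERYSILENT", "/SUPPRESSMSGBOXES", "/NORESTART"],
        "passive": ["/SILENT", "/NORESTART"],
        "interactive": [],
    },
}


def source_is_official(manifest: dict) -> bool:
    """Policy check: the installer must come over HTTPS from a listed official host."""
    parts = urlsplit(manifest["installer_url"])
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and host in manifest["official_hosts"]


def digest_matches(manifest: dict, data: bytes) -> bool:
    """Constant-time comparison of the downloaded bytes against the pinned SHA256."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, manifest["sha256"].lower())


def build_command(manifest: dict, installer_path: str, mode: str) -> list:
    """Turn (installer type, interactivity level) into an argv; no package script runs."""
    kind = manifest["installer_type"]
    switches = INSTALL_SWITCHES[kind][mode]  # KeyError on unknown type or mode
    if kind == "msi":
        return ["msiexec", "/i", installer_path, *switches]
    return [installer_path, *switches]


def plan_install(manifest: dict, data: bytes, installer_path: str,
                 mode: str = "silent") -> list:
    """Validate source and digest, then return the command that would be launched.

    Nothing is executed here; a real client would hand the argv to the OS
    only after both checks pass.
    """
    if not source_is_official(manifest):
        raise ValueError("installer URL is not an official source")
    if not digest_matches(manifest, data):
        raise ValueError("SHA256 mismatch: refusing to install")
    return build_command(manifest, installer_path, mode)
```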
Chocolatey completely turned me off from Windows package managers. I'm sure you're familiar with all of the sore points that make it more hassle than it's worth.
But your description of AppGet has convinced me to try it out. Thank you!
Edit: There seems to be no obvious way to globally set the install location for apps. This is critical for my setup, I don't install apps in Program Files, because my Windows partition is lean and on an ssd that is shared with other VMs. Apps are installed in another drive location. Is there any way to do this currently?
In the meantime, what you can do as a workaround, is to use `-i` param when installing apps to launch the installer in interactive mode. That will let you run through the installer and customize everything including the install location. I know it's not ideal, but if you want to use appget to automatically download, validate the installers and check for outdated apps, it might be a reasonable work-around.
Still a good enough workaround to leverage the benefits of the trusted repository. Thanks for the tip! Definitely interested in seeing #14 get addressed :)
As far as monetization, we do have plans for a paid offering, internally we are calling it "AppGet for Fleets" it'll be to manage/monitor app installation on a group of computers remotely using a hosted dashboard (SaaS offering).
AppGet as you see today and all of its stand-alone features will remain free and opensource.
> 5. Open another tab and type domain name manually.
I think this point is vulnerable to typosquatting and could actually reduce the overall security of your approach. I would say if the Wikipedia link matches the search engine link you are good to go.
My reasoning is that someone could change the Wikipedia link to a look-alike domain and that this could easily go unnoticed for some time. Even if the domains visually match they don't need to be identical (Unicode Confusables [1]), but the plain ASCII version that I can type on my keyboard is probably the right one.
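The domain comparison in the "dance" above (step 4 versus step 5) and the typosquatting / Unicode confusables concern raised in this reply, as an added example that is not part of either comment: it compares the domain you typed against the reference domain and reports why the two may not be the same site. The confusable table is a constructed excerpt, not the full Unicode confusables data, and the registrable-domain check is a last-two-labels approximation rather than a Public Suffix List lookup.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed excerpt of visually confusable characters (the real Unicode
# confusables list, UTS #39, is far larger). Key renders like the value.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "0": "o", "1": "l", "|": "l",
}
# Character pairs that render like a single glyph in many fonts.
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w", "cl": "d"}


def hostname(url_or_host: str) -> str:
    """Lower-cased hostname from a URL or a bare hostname."""
    if "://" not in url_or_host:
        url_or_host = "//" + url_or_host
    return (urlsplit(url_or_host).hostname or "").rstrip(".").lower()


def registrable(host: str) -> str:
    """Approximate registrable domain: last two labels (no co.uk-style suffix handling)."""
    return ".".join(host.split(".")[-2:])


def unicode_form(host: str) -> str:
    """Decode punycode (xn--) labels so the comparison sees what the user sees."""
    try:
        return host.encode("idna").decode("idna")
    except UnicodeError:
        return host


def skeleton(host: str) -> str:
    """Collapse accents and confusable characters into an ASCII skeleton."""
    text = unicodedata.normalize("NFKD", unicode_form(host))
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = "".join(CONFUSABLES.get(c, c) for c in text)
    for pair, single in CONFUSABLE_PAIRS.items():
        text = text.replace(pair, single)
    return text


def scripts(text: str) -> set:
    """Unicode scripts of the letters in text, taken from the character name prefix."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in text if c.isalpha()}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def compare_domains(typed: str, reference: str) -> dict:
    """Compare the domain you typed with the reference domain (e.g. from the
    Wikipedia article) and list the reasons they may not be the same site."""
    t, r = registrable(hostname(typed)), registrable(hostname(reference))
    findings = []
    if t == r:
        return {"typed": t, "reference": r, "same_site": True, "findings": findings}
    tu, ru = unicode_form(t), unicode_form(r)
    if any(ord(c) > 127 for c in tu):
        findings.append("typed domain is not plain ASCII (IDN)")
    if len(scripts(tu)) > 1:
        findings.append("typed domain mixes scripts")
    if skeleton(tu) == skeleton(ru):
        findings.append("typed domain is visually confusable with reference")
    elif levenshtein(tu, ru) <= 2:
        findings.append("typed domain is within 2 edits of reference (possible typosquat)")
    else:
        findings.append("typed domain is a different domain")
    return {"typed": t, "reference": r, "same_site": False, "findings": findings}
```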
I use ninite.com to achieve the same thing with less pain. The downside of my approach will only be revealed if ninite.com for some reason goes dark or to the dark side. I hope it doesn't happen and that if it does happen I hear about it in time to transition to your approach!
2. See if something looking like a site for the product shows up.
3a. If a product site shows up, I take a careful look around, and if it feels legit, I manually find the download link and use it.
3b. If a SourceForge link shows up, I proceed to the download. This is rare, but some program authors don't bother setting up their own sites, and I'm yet to see a malicious SF repo.
This is less secure than your procedure, but worked well enough so far.
Well... normal for the 1% of us tech savvy computer users.
This reminds me of a podcast I listened to last night where a physician explained how to get a flu shot: go to your place of work and do it yourself. Of course she was being sarcastic.
I have a deal with people who I love most. They are NOT allowed to install new software without my supervision. In return, they buy me coffee/treats for the help. It works! I presume this deal will continue to exist until binary signatures become a thing of importance for the end user.
I remember when several years ago I typed "download Flash" in Russian Google, there were non-official sites in top results. Now Adobe's site is the first result.
Also I tried to experiment a little. If I type "download flash player" in Russian, official Adobe site is only on the 3rd position [1]. The first and second results are "adobe-flash-player.ru.softonic.com".
The title of this article is deceptive clickbait.[1] The problem has nothing to do with the Edge browser, it has to do with search results returned by Bing, which happens to be Edge's default search engine. If you have a new Windows 10 PC and want to download Chrome, how else could you do it besides "using Microsoft Edge to download Chrome"? So "stop using Edge to download Chrome" is not useful advice. Better advice would be to check the URL and certificate information before downloading anything from any site.
And the problem seems to have been fixed. When I search for chrome download on Bing, the top result is https://www.google.com/chrome.
[1] Successful clickbait, too. Writing an article with "download Chrome" in the title apparently got them the top spot in Bing's "News about Chrome Download", so anyone who searches for "chrome download" will see this article near the top of the search results page. Very clever.
Perhaps the ad was using one of the Google redirect tricks? There’s a few google.com endpoints (if I recall) that you can abuse to redirect to arbitrary URLs.
It's a feature, Google allows the same. Basically advertisers want to set the links to be tracking links and stuff which may be through third parties which then redirect to their site.
So both ad services allow the advertiser to display one URL while directing users to another.
Surely they're doing some verification to ensure that either the redirect lands on the advertised TLD, or alternatively that you're at least "in control" of the TLD you're advertising as (similar to GAnalytics verification -- via meta tag, DNS txt entry, etc)?
This is a tangent/pile-on, but this is not the only dark pattern Google engages in. I absolutely do not want YouTube Red. Any software that respects the user would let you dismiss the offer with an option for “do not ask me again.” And yet, because the software is not respecting the user, YouTube asks me ad nauseam if I want to upgrade to YouTube Red. No. I do not. But I don’t get an option for no. There is something like “yes” and “maybe later.” No Google. My answer is no. Please respect me enough to let me make that choice.
Try buying a Nest camera and NOT buying their "Nest Aware" subscription. You'll be stuck with a massive bar on the bottom of your camera web views -- cannot be dismissed:
https://imgur.com/a/iR5C9bH
Their support team responds to (numerous) requests from multiple users about it saying roughly "cannot be disabled without buying but we'll let engineering dept. know you want that". Yeah, right, like it's an engineering problem.
Worse yet -- if you have >1 Nest camera, and you DO pay for Nest Aware on some but not all of them, the banner still shows up on any camera views you aren't subscribing for.
It's really crappy because the bottom bar is a fixed height, so if you shrink the browser window it can easily take up >=50% of your viewport. Absolutely absurd -- only option once you have their hardware is to use a plugin/bookmarklet to kill the nag bar's CSS. =(
Funny, when an app is obnoxious about asking for a review, I always oblige.
My review will of course focus mostly on my most recent experience with the app, which was "getting annoyed with an obnoxious pop-up". I hope that this discourages app authors from doing that.
I should start doing that. I do occasionally fill out the stupid lengthy third party form sites use. It has a red logo, I forget the name of it. But in the free form comment section I explain how obnoxious it is. Also that company will hopefully go bankrupt asap.
Tangential on top of the pile-on: when using a "not-logged into google services browser that is not Chrome" the Google captchas produced are at times never ending for me (i.e. I will never spot enough traffic lights and cars for them to let me past). Would be interested in whether others have had similar experiences?
This isn’t the same thing. Some people are happy with viewing ads in general, but are not happy with aggressive pop-ups that tell them to upgrade. In essence these alerts are saying their choice is the wrong one, even though it’s a choice that YouTube itself gave them.
More specifically: "good" ads aren't modal and don't force you to click through to continue. If YouTube just mixed YouTube Red ads in with all their other ads, I doubt that anyone would be complaining. (Except for the people who want everything to be free without any ads.)
I don’t use Edge, but it’s unfair to characterize Edge as a “downgrade” for all people. The average user cares much more about being able to annotate webpages (for example) than having access to the latest web standard. So the “upgrade” you’re talking about is only from the point of view of the web developer, which is usually the wrong way to think about this kind of stuff. If you go far enough along the path of prioritizing the developer over the user, you end up with stuff like Electron, which penalizes users for not “upgrading” to Chrome and deciding they wanted a native app instead.
> The average user cares much more about being able to annotate webpages
You grossly overestimate what the average user wants to do. The average user doesn't even know the difference between browsers, rarely (if ever) uses bookmarks, and considers printing a web page an advanced task.
Annotating webpages is something that a tiny sliver of power users will use.
Are you from 1999? You sound like you're from 1999. It's 2018, and a significant chunk of users are younger than the browsers we use, and especially people still in the education system often use browsers - and computers in general - in fairly fancy ways.
Yeah, picking on the upgrade wording is tricky, and cuts both ways. It has a common, semi-specific meaning with computers, but has also been used for far longer in the more general way it's used here.
If you say "I upgraded my stereo system", I would consider the chance you meant that to imply you got better versions of the same devices from the same manufacturer to be essentially nil.
In that respect, it may seem misleading if you do a lot of work with computers or have for many years, but maybe it isn't much to a layperson?
If you said you upgraded your stereo, though, I’d expect you bought something pretty clearly nicer, eg by moving from a pair of PC speakers to a professional hifi. I wouldn’t expect that you’d have moved from one well-respected hifi manufacturer to another with different tradeoffs. Admittedly IE is pretty awful, but Chrome and FF are effectively comparable; “upgrade” is too strong a word for switching between them.
> I wouldn’t expect that you’d have moved from one well-respected hifi manufacturer to another with different tradeoffs.
I think you either have more respect for manufacturers and how they advertise, or have a higher estimation for people's ability to successfully wade through marketing bullshit than me.
Here's a question, is replacing your stereo cables with gold plated monster cables an "upgrade"? What do you think the average person thinks.
> Chrome and FF are effectively comparable
That depends quite a bit on the criteria used to judge them. If you value your privacy, I don't think they are comparable (as a synonym for similar) at all.
I hear your intended point, but the question was "how else..." which your answer didn't address. "Simply visit..." implies use of a browser, and for a new Win10 machine that browser will be Edge.
> The problem has nothing to do with the Edge browser, it has to do with search results returned by Bing, which happens to be Edge's default search engine.
I think you're slicing this too thinly. This has everything to do with Edge, which is purposely configured to use a search engine that creates a liability for users.
I would agree that "stop using Edge to download Chrome" is not useful and probably clickbait-y. A better guide would be "Be careful when downloading a different browser on Windows 10."
this same thing happened to my older co-worker who was using chrome and google to get firefox and he downloaded it from a top ad link that was a malware'd firefox...
Because Google Chrome is a greater threat to them than Firefox, so promoting Firefox helps them even if it hurts Edge, as long as it also hurts Chrome.
Also because if they preload Firefox with Bing as the default search engine then Firefox users may leave it that way.
I'm really not clear why they don't. Apart from driving traffic to bing, what advantage do they gain by developing edge? How does edge drive more traffic than a customized firefox?
The only plausible thing I can think of is hoping to execute another round of embrace, extend, extinguish on the web, putting other desktop operating systems at a disadvantage. With Google Chrome's dominance that seems unlikely to work.
Besides being a stepping stone to the desire for full vertical control of the user experience, Edge components are also integrated into other portions of Windows. This is similar to the situation with Internet Explorer.
If I recall correctly UWP uses Edge's rendering engine (EdgeHTML) and JavaScript engine (Chakra). Edge integration/embeddability is also available to Win32/WPF/WinForms applications past a certain Windows 10 version. It makes some sense for them to develop something they have full control over if they use its technology in other core components/libraries of their operating system.
Problem #1 has nothing to do with Edge (other than Edge using Bing by default) and I’m sure Google may let malicious ads through from time to time.
But problem #2 is entirely Edge.
> The malicious URL that Bing is happy to promote can’t fool Google or Firefox. When I simply type the above URL into my Firefox browser I’m faced with a bold red page declaring “Deceptive Site Ahead” completely with details and an option to go back.
The recommendation to stop using Edge to download Chrome is indeed wrong though.
You're making it sound pretty difficult. Just tell them to type chrome.com into the address bar. Redirects to the Chrome download site on Firefox. Many lay people will actually try this on their own since they assume (term).com will often work. A dangerous assumption but it would've worked here.
So, we just spread the word to use the actual URL when possible (been doing that) instead of search and that chrome.com works for Chrome.
I don't agree with you that the article is "deceptive clickbait". What is true though: whoever uses Bing for searches instead of Google gets served subpar search results, hence the chances are great to get served malware. That is common knowledge today. Who uses Bing anyway, even on Edge? That's what the article gets wrong.
As I noted back in 2017, Edge flagged the destination site as malicious, Chrome did not. Warning on malicious websites is, in fact, done in Edge. But as with Chrome and Firefox, it doesn't catch every one of them.
Is Microsoft: dangerous together better? Microsoft's web infrastructure, including Bing and Edge and advertising on their properties, is not controlled by Microsoft? They could fix this. One could be pedantic and say the entire Microsoft web stack is dangerous together; if you interrupt the default flow with a different browser, different search engine or different OS this wouldn't happen (because Edge is only on Windows and Edge defaults to using dangerous Bing). I'm sure it sucks, but the all-Microsoft combination together exposes you to this.
FWIW Google also returns malicious Chrome ads. My father had a brand new laptop and the first thing he did was to google Chrome. He got a bunch of malware by clicking on the first link.
There was a short time about seven years ago when Google was returning a malicious link for Blizzard's Battle.net. Had my WoW creds stolen and I wasn't what you would call naive on a computer.
It is important to remember that phishing works against even experienced and savvy users who know about phishing, and that effective countermeasures for these types of attacks do not include “replace users with smarter users”.
This is not a very clever point. Plenty of things used to be called "somethingnet" in order to advertise their ties with the internet. It was never about a TLD. Kind of like how having "block" or "chain" in your app's name makes you "cool" nowadays.
I wonder if it was to associate with the internet or with Microsoft branding.
Microsoft went apeshit and called all their products .NET in the early 2000s. The branding was all over the place so I could see how calling your product *net might get you installs by association.
I mean, you could guess. The name even hints at it for anyone aware of the `.net` tld.
That's not a great solution, since many people are barely aware what a URL is, but I think it should still be one that you and I (as people who are) use.
Similarly the article is fixed by guessing that google chrome is probably at chrome.google.com (also chrome.com), firefox is probably at firefox.com, cnn is probably at cnn.com, gmail is probably at mail.google.com, gmail.google.com, or gmail.com (actually all 3), hacker news is probably at hackernews.com (oops), etc.
Steam isn't at steam.com, but there also isn't a phishing site for steam at steam.com, and if there was you can bet that valve would do something about it.
Basically I'm trading Google/Bing and ads known to be malicious, for ICANN/registrars, self interested companies, and a reasonably functional "legal" system. Edit: And less tracking, and faster access to websites.
This was soon after the switch to battle.net and I may not have realized that the address was actually 'battle.net'. I don't remember. Honestly, I still search from time to time even when I know the address (didn't back then) because sometimes it's fast, and sometimes it's just muscle memory.
Unfortunately the problem is not with Bing alone. There are multiple ad networks including admob owned by google, who will serve a url, or sometimes a script for an ad. That is unfortunately just how advertising works.
The industry never matured (to handle spam, malicious content or fraud) thanks to the duopoly of FB and Google, and even the biggest players are not immune to these issues as the onus is on the user to not click on ads that offer to upgrade browsers, or any system software, through ads.
It is the same systems that served malicious election results, the same systems that contributed to the echo chambers that impacted recent elections.
Ironically, this should have been an opportunity for Bing to differentiate themselves:
Create a "safe" ad network that is not a vector for drive-by downloads or privacy violations, and go after publishers that are being hurt by ad blockers or experiencing reputation damage from security breaches.
Given the cutthroat short term metrics these companies' employees operate under, do you really think such strategic thinking would have ever been incentivized? It's a question whether any salutary effects can even be reliably defined and measured to justify such a project to your boss.
Bing can easily fix this domain spoofing vulnerability. I've reported this vulnerability to MSRC previously but received no response.
This is also why open redirects can be so dangerous. Even if this domain spoofing vulnerability is fixed on Bing's end attackers can abuse open redirects to achieve the same result.
I don't think they will fix the underlying issue now. I've had the same issue (literally trying to download Chrome) in 2014. Now that they have public pushback they will fix just this ad placement.
I wonder what makes them think this is acceptable.
The argument to ditch Windows felt kind of shoehorned in.
If Bing is returning malicious search results, that's a reason to stop using the search engine, _not the whole OS_. The October update fiasco is a reason to stop using Windows. These are separate issues in separate projects made by separate teams, happening at separate times.
The implication is that everything MSoft touches is insecure or otherwise out to get me is weakly supported. It may or may not be true, but a quick toss in of one data point about how Windows is bad and oh by the way Ubuntu is better isn't convincing.
The issue here is a broken functionality that I've reported on before with Google Ads which Bing mirrors: Allowing advertisers to lie about the destination URL of their ads.
Ads should always be forced to display in the URL text the actual URL the ad directs the browser to. Maybe as a side bonus, less tracking URLs will get used to keep it looking cleaner.
I never quite understood the appeal of giving some unknown third-party the right to put links and text and javascript onto your site.
It might be labour intensive to have human eyes on every ad that is sold when you're at Google, or even Bing, scale. But it seems a little bit too hands-off, and irresponsible, to take money without vetting the input and then letting every scammer get into that very "blessed" and visible top spot of a search page.
If you want something done right, do it yourself. You can't expect scammers to not to be scamming.
I spent some time trying to understand Google's ads and SEO structure for a project, as a sysadmin. My conclusion was the reason greyhat and blackhat techniques weren't dealt with was because they make too much money from it... I wrote a big report on it, but that was the gist. I'm sure the same is true of MS et al.
A lot of tech company woes come down to an insistence on automating things that really need human attention.
Your recommended children’s videos are actually disturbing parodies? Easily solved with human curation. Some Alex Jones story makes its way into your news aggregator? Having people check the story would fix this. Scammy or malware-ridden ads on your site? See above.
Obviously this isn’t practical for everything, but tech companies take it way beyond what’s necessary, then act like the problems are impossible to avoid.
Bing makes it clear when a site is promoted by prepending "ad" to the search result. Other search engines such as DuckDuckGo and Google do the same.
It is near impossible for Bing to manually review every advert so perhaps it would be beneficial for search engines to provide a way for users to report rogue promoted links, similar to how YouTube allows you to report its sidebar ads.
> Bing makes it clear when a site is promoted by prepending "ad" to the search result. Other search engines such as DuckDuckGo and Google do the same.
They very specifically do not make it clear, they (and I mean all of them) intend to make sponsored results look as identical as possible to organic results to improve the likelihood that you'll click them. They only have subtle markings showing that they're ads because if they didn't, such an abuse of trust would be ruinous to any search engine.
What's even worse here is that in the linked video, the Bing ad shows the domain as `google.com`, which is something you expect to be accurately represented in any listing, organic or paid. That's the sort of thing that should be ruinous to Bing.
There's a reason for this - ad tracking for conversion, performance or even to make sure the advertising network is honest. The ad tracking domain is not always the same as destination domain.
AFAIK, this problem seems easily solved.
All MS has to do is flag ads whose displayed URL does not match the final URL for manual review. Or simply ban them.
Bing and Google have always paid a lot of attention to the "landing page" for search ads, and they have a lot of technology to make sure that the landing page for an ad doesn't change after they've reviewed it.
Still, fraudsters have ways of changing the landing page to something different. In this case someone seems to have successfully convinced Bing that the landing page domain is google.com -- it's unlikely that it's "easily solved". Or that the next one will be easily solved.
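The review check proposed a few comments up (flag ads whose displayed URL does not match the final landing URL) together with the open-redirect concern raised earlier in the thread, as an added example that is not part of any comment here: it follows a constructed redirect table instead of live HTTP, compares the display domain with the landing domain, and flags hops that forward to a URL supplied in a query parameter. The `ads.example`, `redirector.example` and `chrome-dl.example` hosts are constructed.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed redirect table: request URL -> Location header it answers with.
REDIRECTS = {
    # Ordinary tracking link: the redirector's ?u= points at the advertised site.
    "https://track.ads.example/c?id=1":
        "https://go.ads.example/r?u=https%3A%2F%2Fwww.google.com%2Fchrome",
    "https://go.ads.example/r?u=https%3A%2F%2Fwww.google.com%2Fchrome":
        "https://www.google.com/chrome",
    # Abusive link: display says google.com, but a redirector hop sends the
    # user to a look-alike download site named in its ?url= parameter.
    "https://track.ads.example/c?id=2":
        "https://redirector.example/out?url=https%3A%2F%2Fchrome-dl.example%2Fsetup",
    "https://redirector.example/out?url=https%3A%2F%2Fchrome-dl.example%2Fsetup":
        "https://chrome-dl.example/setup",
}

MAX_HOPS = 10


def host_of(url: str) -> str:
    """Lower-cased hostname; a bare 'www.google.com/chrome' is treated as https."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Approximate registrable domain: last two labels (no Public Suffix List)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def follow_redirects(url: str, redirects: dict) -> list:
    """Hop list from the click URL to the landing page, stopping on loops or length."""
    hops = [url]
    while hops[-1] in redirects and len(hops) <= MAX_HOPS:
        nxt = redirects[hops[-1]]
        hops.append(nxt)
        if hops.count(nxt) > 1:  # redirect loop
            break
    return hops


def embedded_targets(url: str, advertised: str) -> list:
    """Query parameters of url whose value is an absolute http(s) URL on a
    registrable domain other than the advertised one. A redirector that
    honours such a parameter can send the user anywhere (open redirect)."""
    parts = urlsplit(url)
    found = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        target = urlsplit(value)
        if target.scheme in ("http", "https") and target.hostname:
            if registrable(target.hostname.lower()) != advertised:
                found.append((key, value))
    return found


def review_ad(display_url: str, click_url: str, redirects: dict) -> dict:
    """Decide whether an ad can be approved automatically or needs a human."""
    hops = follow_redirects(click_url, redirects)
    final = hops[-1]
    shown = registrable(host_of(display_url))
    landed = registrable(host_of(final))
    reasons = []
    if urlsplit(final).scheme != "https":
        reasons.append("final landing page is not https")
    if shown != landed:
        reasons.append(f"display domain {shown} != landing domain {landed}")
    for hop in hops[:-1]:
        for key, _target in embedded_targets(hop, shown):
            reasons.append(f"hop {host_of(hop)} forwards to a URL supplied in ?{key}= (open redirect pattern)")
    if len(hops) > MAX_HOPS or len(set(hops)) != len(hops):
        reasons.append("redirect chain too long or loops")
    verdict = "approve" if not reasons else "manual_review"
    return {"verdict": verdict, "hops": hops, "reasons": reasons}
```

An ad whose tracking hop forwards to the advertised domain passes; one whose chain lands on, or can be steered to, a different domain is held for a human even though the display URL reads google.com.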
> It is near impossible for Bing to manually review every advert
I don't agree with this. Reviewing ads should be a straightforward process, much more so than reviewing an app submission. Plus, obvious issues can easily be automated, reducing the load of manual reviews.
It would be possible to handle the quantity of ad campaigns, but not without false positives or missed fraudulent ads.
If you paid a person or a team of people to remove adverts promoting fake websites, the person reviewing the advert would have to understand the product being sold, the company selling the product and the company's real website. For Chrome this may be easy, but for more obscure projects such as a cryptocurrency wallet or email client it'd be hard for a person to distinguish between real and fake continually over the course of an 8 hour work day.
People who are searching for a product already understand that context and so will be able to make a less erroneous judgement on whether a promoted link is real or fake.
Really? If I go to the site in Chrome, it tells me it's a malicious site. If they can do this, then I can't see why they can't handle it when serving out advertisements.
It's possible to install Google Chrome on a Windows box with Chocolatey, the Windows answer to apt and brew.
But, still, Microsoft's browsers still aren't good. In my workplace (where we do some complex cross-browser work) they're an enormous nuisance to development and QA. I wish Edge were far better than IE, but they're both quirky. Firefox and Google Chrome ordinarily work predictably. Safari has a few quirks, Edge is really quirky, and IE is a narrow gauge steam train, all different.
Why doesn't Redmond stop throwing good money after bad and just license Firefox? Are they stuck in the sunk-cost fallacy?
Chocolatey is very handy but has a few warts. It can't tell if the underlying app has self-updated. When Chrome autoupdates after choco install, the next time you run a choco upgrade, it will unnecessarily upgrade Chrome again.
Take a look at appget; we use Windows itself as the source of truth. So even if an app self-updates, or you have installed the app manually or even using Chocolatey, appget will know the _currently_ installed version.
Also, we don't run some random PowerShell script written by god-knows-who on your machine. All installs are driven by pure data, so the only thing you need to trust is the appget client itself.
Microsoft wouldn't even need to license Firefox, they could build their own browser on top of it and do minimal work. They already do that on Android (Chrome) and iOS (Safari), and once GeckoView stabilizes, they can even use that on Android.
However, I think it's more of a branding thing. Microsoft wants a complete experience when you install their OS, and they want something that will keep users on that platform. If they build IE, they can control the platforms it runs, which means users will feel uncomfortable on anything else.
Perhaps since MS makes only a tiny minority of their income from ads they can ship an effective adblocker with their default browser. It could be great opportunity to lead the market in a customer friendly way.
Incidentally, the relative lack of filtering/censorship also means I've had far more luck "Binging" obscure/fringe/questionable-content sites than with Google. I suppose them receiving fewer DMCA takedowns also contributes.
Have to say, I was looking for a way to get away from Google, and I found that DuckDuckGo's results didn't work for me. Bing, though, does the job nicely.
+1 here. I switched to Bing back in April when a Google algorithm update really trashed Google's results for me (it felt like I'd suddenly gone back to the days of Altavista & HotBot). At first my switch to Bing was out of spite, but 6 months later I'm still using Bing & I love it. I really like how it breaks out code snippets for StackOverflow results, for instance.
So it's frustrating to see Bing hurt their reputation with something as stupid as this. If Microsoft want more people to switch, they've got to be at 100% in all areas, they can't afford to let Bing Ads ruin the whole service.
.. and that's why running an ad-blocker these days is not even a moral question; It's proper hygiene. I don't eat without washing my hands first, and I don't browse without an ad blocker.
I'm with you on that, but in this specific case people are using Edge exactly once on a new machine in order to download Google Chrome. It's reasonable to assume they aren't going to bother installing an ad blocker on Edge for this use.
This metaphor is actually quite apt. If you aren’t accustomed to mentally filtering out ads from content, you may be more likely to be swayed by sponsored content and the like.
In my experience, whenever I browse without an ad blocker (e.g., someone else's computer), the flurry of intrusive ads shocks me out of information-absorption mode, and just prompts me to think about how best to suggest to the computer owner that they use an ad blocker.
Using browsers to download software should never have become the standard practice...
Linux got it right with the built-in package repositories. Unfortunately Windows and Mac have never really adopted the super-easy "apt install this" style.
True, this was one of the things that originally appealed to me about Linux. But on a for-profit operating system this turns into an "app store" which gets to pick which software is and isn't allowed, while taking a 30% cut of the profits.
Sure they do, and there's usually an official first-party process to add repositories not approved by the distro maintainer. As far as I am aware neither the microsoft nor the apple app stores allow this.
`apt install this` would be problematic at App Store/Play Store scale, though. I agree that search engines as an intermediary don't do enough to curb confusion, but exploitation of `apt` and other "more stable" distribution channels is prevented not as much by their design superiority than by the risk/reward dynamics of their incentive structures.
Both windows and mac have built in app stores which are the equivalent of package managers.
But package managers can also have lookalike names. Npm and pip has had a few famous misspelled common packages that contained malware instead. Those are more open than apt or the big app stores but even on Google play you will find tons of lookalikes.
This whole incident just shows you should never just search for anything by name and pick the first good-looking result. You really have to verify the source regardless of which search engine you are using. What I very much dislike is companies who refer to their own app in the app store only by name, and then when you search you get 10 results which all look equally shady. And because they outsourced the app development the publisher doesn't even match. Place a god damn link or show the unique package name on your website instead.
Yeah, I mean obviously what the average user wants is to have to type in apt-get commands and find the slug to get the right package instead of clicking a link. Very intuitive.
You know how Google & Firefox could easily help fix this? List their browsers in the Mac and Windows Store.
Package managers have had nice GUI front ends for a long, long time. The earliest I'm aware of (which is to say it came with the first Linux distro I ever used) is Synaptic [0]. Looks like it was first released in 2001...
The interface for this is "start nice gui front end, type firefox into search bar, select firefox package, click install"
No they aren't, the UC Browser is listed in the Windows store (third most popular mobile browser in the world,) along with some others. Microsoft has been very willing to help companies list Win32 apps in the Windows store, especially large ones.
Interesting. But I think UC Browser is special by being sort of a thin client. The store policy is quite clear: "Apps that browse the web must use the appropriate HTML and JavaScript engines provided by the Windows Platform."
For general win32 apps I do think the situation has improved since I last looked.
3. Even if the "this" installed wasn't the "this" you read about in your browser, it still came from your package manager repos, which you could consider safe, and you'll be able to uninstall it cleanly.
chromium-browser is the one. Although on Ubuntu it's in the Universe repository, so you have to add the chromium-team ppa in order to get on-time updates.
I will admit that Chrome/Chromium is one of the few things you can't easily get from the repos, on Ubuntu at least.
So how does that prevent a malicious PPA or repo that the attacker could push up in the search rankings? Just like the attacker here pushed up a malicious download page in the search rankings?
It doesn't in this case, however you can determine that the chromium-team ppa is the official one in Ubuntu by following links from the Chromium website.
The security of the package repository system falls down when people add apt signing keys that are untrusted/unverified, which is what happens when you add a ppa in Ubuntu.
> Googling debian google chrome results in instructions for getting chrome on debian.
Yes. I know. I'm not picking on debian specifically here, fedora's dnf doesn't help you install chrome either.
My point is rather the following: The GP asserts that the way to find (and subsequently install) software is "apt search `software`", and that way breaks down on exactly the piece of software that the article is about. You have to google instructions and then install either the .deb or add Google's repo. And that's where the attacker could just as well insert an ad pointing you to a malicious repo, just as the attacker currently points people to a malicious download. So the GP's solution isn't a solution at all. Not to this problem.
> GP's solution is valid for the majority of software - at least the sort of software that us HN folk probably use.
That's a bold statement to make, especially since a single piece of malicious software is sufficient. And yes, I want Chrome. I need Chrome. I need to test stuff on Chrome.
Going to Google's official webpage will tell you how to get Chrome for Debian/Ubuntu/openSUSE/Fedora. This is about as good as it can be because Chrome is closed source.
The Mac experience is almost identical, except that the App Store has a GUI (although Linux distributions also have those these days, I hear). Apple regularly gets lots of grief here because people have been suspicious they want to shut down distribution outside of the store.
I have my doubts that any Linux distribution is capable of auditing every line of every package they distribute, so I think the relative lack of malware on Linux (and possibly macOS as well) may not actually be caused by the specific method of distribution.
I don't agree. If you search for "chrome" or "firefox", you will get a page full of spammy apps that are anything but what you searched for.
Linux distributions probably don't audit every single line of code in the packages, however this is code written by trusted developers that is mandated to be open source and distributed through official channels.
Getting malware into the package repositories would be very difficult, but it seems that getting a fake Google ad on Bing is very easy, so in my opinion the distribution method makes a big difference.
Package managers are a fundamentally flawed concept:
You depend on your distro maintainers to package what you need to install. If it isn't packaged, the best-case scenario is you get a tarball, which is already too hard for 99% of computer users. Snaps and Flatpaks are still too unpolished.
Getting all your user applications (DAW, IDE, etc) from your OS developer (instead of getting it from the application developer) is also against the sentiment of freedom that so many Linux users preach.
No. Ubuntu makes private package archives (PPAs) very simple to use; many packages are available from the maintainer’s PPA.
There are many alternative repositories for essentially all distros today; snaps and flatpaks are indeed not yet polished enough, but they are much better and easier for 99% of users than tarballs, so calling tarballs a "best case scenario" is, in my opinion, wrong.
And how are PPAs fundamentally different from downloading a Windows installer from the Internet? If I download the installer from the maintainer's site, there's 0 risk (assuming HTTPS). And the site giving the PPA link is just as likely to be a phishing site as the one serving some exe. Except browsers will sometimes warn on strange executables, whereas none do on misleading PPA links.
You were complaining tarballs are the “best case” and are not good enough because they’re too hard for regular users.
PPA is as easy as Windows downloads; it updates the same way as the main system, unlike Windows; and it always goes through Ubuntu's servers, which makes it somewhat more monitorable. But that's a new discussion.
For all the shit Google is taking lately, we should give them a big shoutout when their own cloud pages and other product pages rank way down in their own Google search ranking.
I often dig into phishing and malware spam I receive, reporting it to the abuse@ address for the sending network, and reporting any links hosting malware.
I frequently come across malware hosted on OneDrive and I've stopped bothering to try to report it; it's still there months later and I've never received a response from Microsoft.
It always used to be fun to count how many malware sites appeared before the real one when you searched for "download vlc" with yahoo. They've fixed that one now, but in 2017 it was still definitely a problem.
I usually use Ninite to set up first-time downloads; it's great because you can just run it again every couple of weeks to make sure all your software is up to date.
It avoids using malicious options accidentally and it also means I don't need to go through each installer. Plus I can just send the file to friends and family when they get a new comp.
edit: just wondering why people disagree with this idea?
I'm sure they're aware of it and 'intend' to fix it, but given the often consumer-hostile tactics MSFT is fond of using to shove Bing, Edge, and other products down users' throats, and the fact that this issue, in its current form, happens to align with those goals, I wouldn't be surprised to learn it's not being treated as high priority.
Given the malware Google's ads also ship, which Googlers here on HN have tried to have removed only to return an hour later, suffice to say malicious ads are an industry pervasive problem, and the solution is to kill the online advertising market. Aggressively.
In fact, when I tried to look for a specific class of malicious ads (looking for "mapquest") recently, DuckDuckGo was even as bad as Google, it was Bing who gave the least malicious results. But obviously they've failed here.
Automated advertising platforms have been overrun by malware and no automated solutions are going to fix it.
Nowadays it's impossible to support the creators you enjoy online by whitelisting ads without exposing your device to multiple megabytes of untrusted, vulnerability-filled JS and iFrames with links off to malware sites.
I think that the sponsorship model many YouTubers use these days works really well, because there isn't any code involved that I have to run.
I don't remember "untrusted JS" being any sort of problem in the last, say, 10 years?
Now I'm sure you can dig up some vulnerabilities, and a select few of them may even have had (remote) exploits. But I've never run into any problems, and I'm not especially careful, have been around the seedy underbelly of the web, and don't run any anti-virus. Just not clicking on any .exe that suddenly downloads seems to be enough. Being on macOS rather than Windows may also help, although as far as I can tell, security on Windows today is also far, far better than it was a decade or so ago.
Considering all that, I can't shake the suspicion that people complaining about JS vulnerabilities to defend their use of ad blockers are just searching for justification.
Yeah, there's a few YouTube creators and a few coders I've added to Patreon from time to time. I'd much rather toss someone a dollar a month than watch a dollar worth of ads, where 70 cents goes to a FAANG company.
One solution that would go part way there is for browsers to only run signed JavaScript when it originates off-site. Common libraries that are distributed via CDNs can be signed, and any JavaScript that ships with ads would have to be signed too. And any CA that signs too much malware (too much meaning more than one) gets their cert revoked.
Just FYI, that ad you're talking about appears to really, truly be gone now. I'm not sure why it reappeared, but I didn't need to take any other action for it to be removed.
Malicious ads pretending to be MapQuest remain alive and well. After pausing my Pi-hole, I can confirm that it refuses to actually provide directions when asked, and promptly tries to add an extension to my web browser.
Part of the problem with ad platforms like these (including Bing's), is even if you report one and take it down, it's trivial for the same people to stand up the same website on a different cloud server with a slightly different domain name and do it again.
Notes:
- My sole extension not made by Mozilla itself is the EFF's Privacy Badger. I also use Firefox Multi-Account Containers and the Facebook Container, both first party.
- Do recall that advertisers can target users by a variety of variables (browser, location, etc.), your ad experience does not reflect everyone else's ad experience.
That's very peculiar. I was running in incognito with no adblock, and checked across multiple devices and multiple internet connections, so you seem to be uniquely affected.
This one is especially bad, but there's a major problem in general. I have to constantly warn people not to "google" for printer drivers or video drivers, etc, because the links they'll get from any search engine are almost certain to be malware.
I made $0 in Amazon gift cards from DDG, but I did retain my privacy. If you got $50 in gift cards from Microsoft, you can be sure they profited more than $50 from you.
You can't be sure of that. It could be a loss leader to get people off Google. That said they are hoping that eventually they'll profit more than $50 from you.
Too bad Edge doesn't support Safe Browsing mode. IIRC the API is publicly available too; MS doesn't want to swallow its pride and implement a client for it.
So basically Microsoft's browser isn't even safe to use temporarily to download a real browser. In 2018 can we stop pretending that any web browser is a safe effective way to acquire any software. While it can be done people have been consistently getting pwned for decades now.
Software should be distributed via app stores. Preferably vetted lists as opposed to free-for-alls you can post malware to for $25.
Linux has been doing this correctly for a long time. Any time you guys at Microsoft want to rip this off properly would be absolutely fantastic.
The scariest thing about this example is that the green "URL" below the ad says "www.google.com". Who thought it would be a good idea to allow advertisers to fake the URL like that?
https://news.ycombinator.com/item?id=14338174