Administered by:
@rysiek@mstdn.socialEdit: both main site and #Yunohost login page are unblocked. 
—
Website of Reykjavík #Hackerspace, Hakkavélin, just got flagged by #Google Safe Browsing as "deceptive"; anyone who visits this site gets a scary red warning:
https://hakkavelin.is/
Thing is, I manage this site. It's literally a single static HTML file.
This is what we get for allowing shitty journalists to farm clicks by abusing the words "hacker" and "hack" to mean "cybercriminal" and "attack".
Every time you use the word "hacker" when you mean "cybercriminal", "attacker", "malicious actor", you *personally* support this kind of bullshit.
Every time you use the word "hack" to mean "compromise", "break-in", "leak", you *personally* make it harder for a small community of creative people to focus on their projects, because now they have to go prove to Google they are not, in fact, attacking anyone.
And guess what, when Google Sites are used in phishing attacks — and anyone who does any #InfoSec work knows they do, a lot! — somehow the whole sites.google.com domain does not get flagged like that.
When Google Amp is used in phishing attacks — again, not a rare occurrence! — somehow Google Amp domains do not get flagged this way. 
Flagging our site stopped exactly zero attacks. But now we have to send in reports and beg Google to maybe please unblock us.
And why is that?
Because over-blocking a website of small hackerspace is *cheap*. "No downside".
Because "hacker" and "hack" have been appropriated by those too lazy to be specific in their use of language when talking about "computer stuff." Also, it drives clicks!
Result? Some algorithm somewhere sees "hacker" and goes bananas: "danger, Will Robinson!"
So forgive me when in the future I react *badly* to some random toot mislabeling cybercriminals as "hackers".
In the meantime, if you want to help our small #hackerspace get our website un-blocked, go here and "report a detection error":
https://safebrowsing.google.com/safebrowsing/report_error/?tpl=mozilla&url=http%3A%2F%2Fhakkavelin.is%2F
And long-term, consider not abusing the h-word when you want to talk about cybersecurity. Even if it's a tiny bit more difficult at first because due to force of habit:
https://rys.io/en/155.html
I am so damn tired of having to prove, after a decade-and-a-half in #InfoSec, that I am not a one-man APT myself, ffs!
And if you happen to ever be in Reykjavík on a Thursday evening, come have a beverage with us.
Hopefully the site gets unblocked soon, we try to keep it up to date with the details of where we meet each week.
Oh by the way, this is what the site looks like (and yes, we will soon move away from the gmail address, because — you guessed it — #FuckGoogle).
@rysiek
I feel like there should be people at Google who are aware that hack ≠ bad and are able to write exceptions for this kind of thing. I guess human beings aren't involved in too many of their decisions anymore. It must be fucked up in the same way YouTube is.
@rysiek : one solution would be to simply don’t care.
If enough false positives don’t care, the whole "Google Safe Browsing" will become useless. Google Chrome will be perceived as annoying.
Because the goal of the website is not to get clicks and visitors.
@ploum Firefox also uses this. In fact, the screenshot of the warning is from Firefox.
@rysiek : no problem for me on your website.
The real problem being that Mozilla is more or less a Google subsidiary.
No easy fix to this 
@ploum@mamot.fr @rysiek@mstdn.social They already removed it from the list, or at least it doesn't appear listed for me.
That's the one thing I'll give Safe Browsing credit for, at least they actually respond decently fast. 
@rysiek Wrt email, I use protonmail with my own domain, I say #FuckGoogle at least once a day, life outside the #Matrix is so much better 
Has anyone tried making a list of where Google's security policies have ended up also attacking a competitor to their services?
@rysiek I was just talking about trip to Iceland maybe summer of 2024.
@riskymanag3ment great to hear! 
@rysiek done. I took a second to rejoice merrily, as Papa Google ordered me to, as well.
@rysiek So basically nothing has changed in 30 years? Hackers are still demonized by the software industry and governments.
@yuki2501 doesn't mean we have to take it lying down.
@rysiek Of course not.
@rysiek oko.press to dziennikarze rzucający się na wszystko. z artykułu który zlinkowałeś:
@bluszcz tak, wiem, dlatego im napisałem ten tekst. Po tym tekście trochę się w Oku poprawiło z używaniem "słów na h".
Technicznie rzecz biorąc sam jestem dziennikarzem piszącym dla Oko Press, więc ostrożnie z generalizacjami. 
@rysiek haha ok, no bad feelings :P
@rysiek the battle for correct usage of 'hacker' in the general public was lost a long time ago, sadly.
@brianxlong no it wasn't. I've convinced ministries and media outlets to stop using the h-word when they want to talk about cybercriminals etc.
It's only lost when we give up. So this kind of defeatist bullshit is what *really* gets me going.
If you don't believe h-word can be reclaimed by the community the way other communities reclaimed other words, whatever. But what's the point, then, of even saying that?
Doesn't make you sound like a sage. Makes you sound like a quitter.
@rysiek I tried this in five different browsers and never got any warning of any kind. If this was a prank, you got me. Chrome had "Safe Browsing Standard Protection" turned on. Good luck with your website.
wasnt there also an issue with Gmail blocking entire IP ranges just because they got used for spam, now its hard to get email servers working with theirs?
@rysiek
@rysiek
Our big mirror kept getting flagged (including the other names, like cdimage.debian.org), the only way to figure anything out was to sign up for some google service (search console or something) and there you could see exactly what it objected to.
In our case it was some windows binaries from the 90s in the historical section that was "malware" which we had to remove access to in order to be able to serve Debian isos to people...
I had a similar thing happen to me with email, although their ban was justified since a compromised email account was sending spam from my domain. Now my messages instantly go to spam. I tried to talk about it with google and microsoft support. I couldn't even find where I could directly contact google and microsoft support agents didn't understand what I want after talking to them for 2 hours.
@AdamOnLinux @rysiek just thinking if we can beat them with their own tools. Can we use (hack) their report-mislabeling tool using (a new paid) Microsoft account, send email to it, and automatically "mark as not spam" to lower the score? (maybe send from different accounts from the offended domain to different accounts, rinse repeat)
I can even imagine a little collaborative platform to use different Microsoft accounts for that (imaginably frequently used o365 accounts work better).
@rysiek Also what we get for allowing trillion-dollar Silicon Valley corporations to filter what is and isn’t acceptable for the entire world.
@rysiek I can see it without any warning from México, using Chrome for Android.
@rysiek @stux Reported the Error I received as an Incorrect Flag; https://safebrowsing.google.com/safebrowsing/report_error/?url=https%3A%2F%2Fhakkavelin.is%2F Hope this helps.
@rysiek I just saw the website on chrome mobile. Might also be a thing coming from Japan? Not sure, works like a charm though
@rysiek oh funny, I reloaded it three times, now I am getting the warning as well 
@Polychrome much obliged. Every bit helps!
@rysiek Google keeps doing this also with Yunohost based servers..
it's soooo annoying
@stux interesting. There is a Yunohost instance on that server, in fact, and some services on subdomains are managed by it.
@rysiek I keeo having the same issue with some of my clients servers 
@stux seriously, time to start *invoicing* Google for time wasted on dealing with their fucked up ideas on what is and what is not "dangerous".
If they have no actual proof of malicious activity on the domain, they need to be forced to pay up.
Maybe then they will figure out how to tell a phishing site from a static HTML file inviting people to a meetup every Thursday.
@rysiek @stux I like the sentiment, but content moderation is pretty hard, OK?
That said, I would rather that bad stuff occasionally gets through than overblocking, personally.
Maybe have a “confidence threshold” that the user can set when they encounter these pages, or in Settings? One for “block this site until user interaction” and another for “dont block this site, but put a warning somewhere in the browser UI”. Also, adjust the wording of the block page and warning based on confidence (e.g. from this site is possibly malicious, to this site is malicious). Adjusting the wording would make the fact that the browser may be unsure more obvious to regular users.
> I like the sentiment, but content moderation is pretty hard, OK?
Google is one of the largest, wealthiest, most powerful corporations in the world. Surely they can get their shit together and not block a static website of a hackerspace, or a Yunohost login page. They don't get to play the "this is haaard" card, sorry.
@rysiek @stux They also deal with trying to moderate the entire internet.
You can’t do it by hand, and algorithms certainly can’t do it accurately. Even if you did it by hand, it might not always be accurate.
There is just too much content out there.
I think that overblocking sucks too - but with such a system, it is inevitable. This isn’t a problem where you can “nerd harder”, you are going to have errors that slip through. The only real way around it is to have a robust system for correcting false positives (i.e. not what YouTube does with Content ID).
The process definitely could be improved for a lot of Google’s content moderation, but short of outright disabling or drastically shrinking the scope of Safe Browsing, you are going to have overblocking. Even the EU can’t make a fully-functional copyright filter - and that is just one aspect of content moderation on the web. Google has far too much to deal with.
Anyway, if you haven’t seen it yet, you can report an error with Google Safe Browsing here.
> They also deal with trying to moderate the entire internet.
Nobody asked them to take this responsibility upon themselves, and I am not sure they should be the ones doing this in the first place.
Especially if they are doing it so badly.
And again, they do not get to play the "but it's haaaard" card. Especially when on the other side there is a tiny social club somewhere in Iceland that just had its website and services blocked.
