Update: we seem to be unblocked. Thank you all!
—
Last night, the website of Reykjavík #Hackerspace, Hakkavélin, got flagged by Google's "Safe Browsing" as "deceptive":
https://mstdn.social/@rysiek/110166076666804008
The site is now unblocked.
But our #Yunohost login page is still blocked:
https://bob.hakkavelin.is/yunohost/sso/
We would really appreciate help with reporting this also as incorrect. You can do this here, and it takes less than a minute:
https://safebrowsing.google.com/safebrowsing/report_error/?tpl=mozilla&url=https%3A%2F%2Fbob.hakkavelin.is%2Fyunohost%2Fsso%2F
Side note: I am wondering how best to highlight this as a clear example of anti-competitive behavior on part of Google.
Our Yunohost hosts e-mail, #Nextcloud, other services that can be seen as "competing" (not in scale, but in function) with some Google services.
Google flagging @yunohost login pages as "deceptive" makes it considerably harder to self-host.
And it doesn't matter if it is on purpose or accidental. Google has the resources to not make such "mistakes".
@rysiek Would blocking Google & other search engines from crawling your admin log-in URLs mitigate that issue? Or put a file system password on it?
@adam no clue. Also beside the point. I should not have to go out of my way to stop Google from mis-categorizing my site as malware.
@rysiek Yes, of course. I was just trying to think of a way around it.
@adam fair.
Any such mitigation potentially adds complexity and friction to the user experience. This is not my personal server (where I would just put it behind a WireGuard tunnel), but a set of services that are supposed to be useful for a bunch of people.
@rysiek
Gotta love the double standard:
ads with malware? Go ahead, completely safe!
a website for a Hackerspace? Fuck you, dangerous!
@RedstoneLP2, it's in the name. HACKERspace - obviously suspicious
I wonder what would happen if you had Google Ads on it too though. Would the two things negate each other?
@rysiek So much "anti-abuse" stuff doubles as a barrier to entry.
So, so, much. The e-mail ecosystem has been completely hijacked by this to the point that admins just think it's normal.
Every time the big guys "raise the bar" on anything related to security, they kill off a few independents. Shrugged off as collateral damage for the greater good.
The dynamic is obvious enough, and has been understood long enough, that I don't think they can feign innocence anymore.
@rysiek I hate the whole thing... but there IS a legitimate debate to be had there.
Is this an inevitable consequence of the industry growing up and being more responsible about security? Or is this gratuitous and unnecessary?
Is there such a thing as "secure enough", or do we keep ratcheting upwards until nobody can host anything online without a dedicated 24/7 admin team?
@HerraBRE the legitimate debate is about who should host and control these kinds of tools.
Google doing both hosting of certain types of services, and deciding to block other sites hosting these kinds of services, is simply not acceptable.
#BreakUpTheGoogles
(also, whatever happened to breaking up Microsoft -- that was a thing they were seriously talking about awhile back, and then it just kind of... went away.)
@HerraBRE yeah, and it's particularly stark in situations like this, or like with e-mail, where Googles and Microsofts of this world are *clearly* not held to the same standard as some random microscopic Yunohost-based services hosting.
Google gets queasy about the h-word on our site, and bam, full block on domain and subdomains, fuck you very much.
But when I flag a bunch of phishing or malicious e-mails *hosted on Google Sites* or other Google services? Nah, can't have google.com blocked!
@rysiek @HerraBRE the absolute majority of SPAM I get comes from both of their core email products or servers hosted on their cloud. For the former, all the emails are literally the same.
Any independent operator can (and must or face the wrath of GAFAM) stop that easily, whereas these pricks are like "Free bitcoin, sounds great, send it".
MS even made it impossible to report SPAM for a while (a few months), because they could and still can
@rysiek @HerraBRE also hilariously, even though I have no love in the slightest for SORBS, they do block Google on and off:
https://support.google.com/mail/thread/43572884/google-ip-blacklisted-on-sorbs-net?hl=en
https://www.reddit.com/r/sysadmin/comments/soxs3i/google_mail_server_blacklisted_by_sorbs_feb_2022/
The end advice: stop using blacklists, and Google gets away with doing nothing to resolve the issue
@kc @rysiek In my experience (as the author of a mail client), at-the-client statistical content analysis performs well enough that we don't actually need blacklists at all.
Of course, lots of clients do a bad job, and users expect admins to solve the issue even if it's best solved elsewhere.
I know why it happens, but I consider blacklists a 2nd rate solution with a lot of collateral damage. I wish they would go away.
@wndlb, no. But essentially you apply machine learning locally on your computer tailored to you.
Initially it takes some time to mark what's ham and spam, but soon it starts to just work.
At this stage my bogofilter is more accurate than Gmail's for my use case and requires less intervention too.
@hook @HerraBRE @kc @rysiek I've self-hosted mail servers since early 2000s.
No. Client side sucks. It only works for clients on powerful computers. Your android cannot train spam filters, nor handle the amount of emails needed for that. It requires each access point to retrain. Webmail, mobile, desktop: all need to train and keep learning. At best a waste, but commonly just expensive.
A server-side bogofilter or SpamAssassin solves all that.
@berkes, your phone is very likely much more powerful than my previous laptop that I used to train my bogofilter anti-spam on. In any case you could also just have the phone just use, not train, the filter.
With all the internet traffic, what’s the problem of syncing the bogofilter wordlist.db between your computer(s) and mobile device(s)? Mine’s 35 MB and I have been using/training it for about a decade.
@hook which client for Android has support for such a filter? Which mobile client pulls all mail client side? (And if there are any, which I doubt, how terrible is their battery time?)
Why not just run a single filter on a server and have all clients use that?
@berkes, might be more efficient, I agree. But in that case it should be a filter *per user* (and making sure the privacy of users is also protected).
@hook @berkes Maia Mail Guard (FOSS) used to provide this (but the project seems to have died silently) and similarly commercial solutions, such as from Messagelabs/Symantec.
It worked very fine, especially for power users with a lot of (junk-)mail and multiple entry points/devices. Privacy wasn’t a concern at the time as it ran on the mailserver itself (and/or was run by the provider).
The problem was with regular users finding a separate webpage/login too much hassle, not using it.
@berkes @hook Without getting bogged down in details, there are solutions. They have pros and cons. We could, collectively, be addressing the cons if we wanted to.
But people have kinda just given up and accepted centralized, unaccountable censorship as an easy out, so it's not really happening.
I think that's a shame!
(Running it on a server might be fine, but if it runs on the client, privacy is improved and the user interface can be much nicer; the filter can learn from your behavior.)
@HerraBRE if things are doable and work already on a small sample, but improve with scale, I’d say we can probably rally up some hackerspaces etc. as early adopters.
I see people slowly becoming (sometimes painfully) aware of the privacy etc. issues that the current laissez-faire approach towards profiling companies brought.
@yunohost yup. The screenshot in the other thread is in fact from Firefox.
@rysiek
At some point there needs to be a class action suit for defamation.
@jpaul years ago a big PL telco, #Netia, had a major leak, which unfortunately also included my personal data (I used to be a customer).
They then published a page explaining that they were "hacked" and that "hackers" came into possession of personal data, and so on.
I e-mailed them, using my address that was leaked — in a domain containing the word "hacker"! — and said that if they immediately change the wording to stop slandering hackers I will consider not suing the shit out of them.
They did.
@jpaul tbh I still should have sued the shit out of them.
@rysiek You're targeting the EU "market" right? ;) Report here: https://europa.eu/youreurope/business/selling-in-eu/competition-between-businesses/anti-competitive-behaviour/index_en.htm
And ask others that run #Yunohost or #Nextcloud in/for EU that run into similar #anticompetitive issues with #Google to do the same.
@AstaMcCarthy awesome, thanks!
Full ack, exactly this is important.
When Elmo was censoring mastodon links and journos, we reported it in bulk with a volunteer lawyer.
This was https://digitalcourage.social/@sl007/109522641223087409 ff
and today I clearly think, Elmo is a case for §102 TFEU which is “Abuse of dominant power” within the “Treaty on the functioning of the European Union”.
Otherwise it will just stop functioning. :)
@sl007 @AstaMcCarthy ah it's not going to work for us, as #Iceland is not in the EU (even though it's in EEA and Schengen).
@rysiek
Hm, encouraging Iceland and Scotland to press the Join button.
Did not know you're Iceland. Did you visit Joshis https://material.is/archive/ ?
@sl007 sadly no, that was before I had moved here.
@sl007 @rysiek @AstaMcCarthy He still seems to be doing so outside the EU