Would you let users vouch for unknown software's safety with an upvote? Google does

Google has revealed that its internal anti-malware tools include a “social voting” scheme that lets staff vouch that code they want to install won’t do any damage. The ad and search giant’s rationale is that blocking all unknown software works but may limit productivity, while blocking only known unsafe software requires a lot …

  1. KittenHuffer Silver badge
    Devil

    This is not gonna end well

    So software installed on a single machine on your network is not going to be able to 'infect' other machines on the same network?!?

    If forced to use this I would certainly have this facility disabled for the coloured crayon departments!

    1. big_D Silver badge

      Re: This is not gonna end well

      I'd have the up-vote button linked back to the user's stool via the mains...

    2. needmorehare
      Joke

      One man's malware is another man's

      Bonzi Buddy!

    3. Anonymous Coward

      Re: This is not gonna end well

      Google gives no particular trust to its internal network:

      Google reveals own security regime policy trusts no network, anywhere, ever

      They have no notion of "same network".

  2. Steve K Silver badge
    WTF?

    Convenience trumps security.....?

    I believe that the saying is "Convenience trumps security"?

    I am surprised that corporate policy allows the downloading of random software on to corporate machines, since for most use cases surely the tools required for people to do their jobs are pretty well-defined, and there is a process to request new software approvals.

    With this approach the bad guys only have to be lucky once (dependent on other security countermeasures), and it doesn't matter if the user will downvote in future, the damage is done?

    1. KittenHuffer Silver badge
      Coat

      Re: Convenience Trump's Security.....?

      I read the title of your comment and wondered why I'd never heard that Trump had a sister called Convenience! And I wondered how her security was relevant to a software voting system!

    2. HildyJ Silver badge
      Facepalm

      Re: Convenience trumps security.....?

      Unfortunately, in far too many companies, corporate PCs are not locked down.

      I don't see this doing much good, though, since whoever first wanted it will upvote it and get their peers and friends to do likewise. Also, much of the problem stems from management who will not want to be limited.

  3. Ochib

    McBoatfacing

    To get Boaty McBoatfaced means that you’ve made the critical mistake of letting the internet decide things. In other words, as much as we revere democracy, there are times — and they do typically involve the internet — when one’s fellow citizens deliberately make their choices not in order to foster the greatest societal good, but, instead, to mess with you.

    The city of Austin, Texas, got McBoatfaced, for example, when it asked the internet to name its waste management service. The internet obliged by suggesting it be named in honor of Fred Durst, the frontman of the rock band Limp Bizkit.

    Taylor Swift and VH1 got McBoatfaced when they asked the internet to choose a location for her forthcoming concert. The internet obliged by choosing the Horace Mann School for the Deaf and Hard of Hearing. (Ms. Swift, proving once and for all that she is a good sport, donated $10,000 to the school, before settling on another venue.)

    But sometimes these episodes can take a darker turn. Mountain Dew got McBoatfaced when it asked the internet to name its new flavor. The internet — largely driven by members of the message boards Reddit and 4chan — obliged by naming the new flavor “Hitler Did Nothing Wrong.”

  4. Aaiieeee
    Paris Hilton

    I don't get it

    Either you know the software is safe (you wrote it, you audited it), or you do not. Therefore how can the majority vouch for it?

    "I used it before" isn't exactly a glowing security review.

  5. sorry, what?
    Meh

    So you have to vote for being able to run the software...

    before you've had the chance to run the software to find out if it's a "Bad Idea". Hmmm.

    How about making it so the new software can only be run in a virtual machine with very restricted connectivity and only if the experience goes well, and the anti-malware and anti-virus are happy, allowing the user to "upvote"?

  6. Graham 32

    Not as dumb as it seems

    At first this seems dumb, but at least the IT department knows what software is being run. In a company full of techies the blocks from IT are just seen as a challenge. This stuff will get run anyway. The barrier needs to be low or the staff will go rogue.

    1. Roland6 Silver badge

      Re: Not as dumb as it seems

      >but at least the IT department knows what software is being run.

      There are asset monitoring tools that do that much more reliably...

      1. big_D Silver badge

        Re: Not as dumb as it seems

        Yep. And at the last 2 software houses I worked at, devs caught installing software off their own backs would end up on the wrong end of a disciplinary procedure! A written warning at best, a shoe carton with their personal possessions and a boot up the rear at worst.

      2. Graham 32

        Re: Not as dumb as it seems

        This is an asset monitoring tool. It's a monitoring tool with a blacklist, a whitelist, and requests some feedback for anything in between. I was comparing it to the type of monitoring tool that bans everything except what's on a whitelist.

    2. Anonymous Coward

      Re: Not as dumb as it seems

      "This stuff will get run anyway" Not if the company uses MDM software effectively.

      Our company "proposed" policy (to allow work Email on phones) - No unapproved apps (pretty much no non-work app) can be installed. Yep harsh, but we hold your finances, and "your" security is more important than an employee getting coupon pop ups all day. They can use their own device for that.

      Android phones (I like them but) have more malware than ever before and it keeps growing. Thanks mostly to google security policies, and the rest on the scammers that take advantage of them.

  7. iron Silver badge

    This is about as effective as the dialog I see on work machines that asks why I am installing software. As if I would pick any option other than "I need it to do my job" no matter what the software is. VS2019... for my job. Firefox... for my job. VLC... job. Spotify... job obvs.

  8. 0laf Silver badge
    Facepalm

    Problem = people

    I've yet to find the bottom of how far people will go to prove just how stupid they are.

    Just the last few days have made me question Darwin's theory of evolution since people as stupid as I've met recently should have choked to death on a hammer or other large inedible object long before they reached breeding age.

    Asking these people to decide on what constitutes malware seems somewhat of an irrational decision. These being the same people that will curse science as dark magic when asked to get vaccinated on their high technology mobile phone device. Which they seem to think was grown on an organic phone farm.

  9. Avatar of They
    WTF?

    Can you imagine

    An ExCo meeting following a breach.

    CEO

    "So the breach has cost us millions in pay outs, legal fees and our customer base is rapidly shrinking because no one trusts we can deliver anything safely."

    CRO

    "Well Mr CEO, the software that brought the malware into the company had a lot of upvotes... So we thought we would go with that one."

    1. Roland6 Silver badge

      Re: Can you imagine

      Or...

      An ExCo meeting following a lack of downloads.

      CEO

      "Our customer base is rapidly shrinking because no one trusts we can deliver anything safely."

      CRO

      "Well Mr CEO, we don't have the necessary number of upvotes for potential customers to be sure our software isn't malware, so they don't download it."

  10. heyrick Silver badge

    User ratings?

    Might do them good to look at... many evaluations on Amazon. What the ratings say and what the project actually is can be quite different.

  11. katrinab Silver badge
    Meh

    There is no option for my opinion:

    It might work in Google, where the employees tend to be more technically astute than average, but it wouldn't work elsewhere.

    1. Claptrap314 Silver badge

      As an ex-Googler, this was my thought exactly. This looks like a very Googly solution to a very Googly problem.

      When I was there, we had >30,000 devs. And one code repository. There is nothing like the feeling of being one of a hundred or so people responsible for figuring out if you personally had broken the build. "Builds character", I believe is the phrase. So personal responsibility is a real thing.

      Moreover, like most shops, I was root on my box. The ME was beyond my reach, which was good. And yes, their developers are better than average, which also matters.

      Having said all of that, I don't believe for a moment that this tool is a match for what is actually going on inside. The priesthood of readability is already well established, and it makes 0 sense to allow a green grad to directly affect such a process. I expect that there is a new priesthood for this, and that the priesthood is functioning with a tool like this one.

  12. The Kraken

    This is based on a false assumption - that users have any real way of knowing a-priori that unknown software is safe to run.

    They don’t.

    The second fallacy is that just because an opinion is popular, that opinion is correct.

    Google you really have no idea...

  13. CrackedNoggin

    With reputations to protect and reasonable level of paranoia, it could be that almost nothing passes without a single downvote, which is enough to stop it.

    In this case the details are in the execution, which we can't see.

  14. Guido Esperanto

    hmmm

    Send an email purporting to be from a person in the tech dept, asking for their password to something.

    That'll give you all the insight you need about users view on security.

  15. Tabor

    Could work

    It's an interesting idea, and could work IF configured correctly. For instance : set x to the total number of users allowed to upvote, and set the "allow" threshold to x+1.

    Users think they have a say in the matter, and sysadmins don't lose sleep in the knowledge that said users actually don't. Win/win.
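The model the thread keeps circling back to (Graham 32's "blacklist, whitelist, and feedback for anything in between", CrackedNoggin's observation that a single downvote can stop a binary, and Tabor's x+1 threshold) can be written down as a small decision function. The code below is an added illustration for this page; it is not Google's tool and nothing here is taken from the article. The SHA-256 keys, voter names and thresholds are made up, and the rules it assumes (any downvote vetoes, one vote per user with the last vote winning, votes only from an eligible set) are assumptions chosen to match the comments, not a description of how Google does it.

```python
"""Toy allow/deny policy for unknown binaries with social voting.

Added example for this discussion, not Google's code. Decision order:
known-bad blocklist, then vetted allowlist, then a vote tally for anything
in between. Assumed rules (not from the article): any downvote vetoes,
upvotes are counted per distinct eligible user, and an allow_threshold
larger than the number of eligible voters makes "allow" unreachable for
unknown code, which is the x+1 trick from the comment above.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class VotePolicy:
    blocklist: Set[str]                  # SHA-256 hex of known-bad binaries
    allowlist: Set[str]                  # SHA-256 hex of vetted binaries
    eligible_voters: Set[str]            # users whose votes are counted at all
    allow_threshold: int                 # distinct upvotes needed for unknown code
    # sha256 -> user -> +1 (up) or -1 (down); one entry per user, last vote wins
    votes: Dict[str, Dict[str, int]] = field(default_factory=dict)

    def vote(self, sha256: str, user: str, up: bool) -> bool:
        """Record a vote. Returns False (and records nothing) for ineligible users."""
        if user not in self.eligible_voters:
            return False
        self.votes.setdefault(sha256, {})[user] = 1 if up else -1
        return True

    def upvotes(self, sha256: str) -> int:
        """Number of distinct eligible users currently upvoting this hash."""
        return sum(1 for v in self.votes.get(sha256, {}).values() if v > 0)

    def decide(self, sha256: str) -> str:
        """Return 'allow', 'deny' or 'pending' for a binary hash."""
        if sha256 in self.blocklist:
            return "deny"        # known bad: no number of upvotes overrides this
        if sha256 in self.allowlist:
            return "allow"       # vetted by whoever maintains the allowlist
        tally = self.votes.get(sha256, {})
        if any(v < 0 for v in tally.values()):
            return "deny"        # single-downvote veto
        if self.upvotes(sha256) >= self.allow_threshold:
            return "allow"
        return "pending"         # unknown and not yet vouched for

    def allow_is_reachable(self) -> bool:
        """False when the threshold exceeds the voter pool (Tabor's x+1 setting)."""
        return self.allow_threshold <= len(self.eligible_voters)


if __name__ == "__main__":
    import hashlib
    # Constructed sample hashes; they stand in for real binary digests.
    tool = hashlib.sha256(b"constructed: some unknown tool").hexdigest()
    policy = VotePolicy(blocklist=set(), allowlist=set(),
                        eligible_voters={"alice", "bob", "carol"}, allow_threshold=2)
    policy.vote(tool, "alice", up=True)
    policy.vote(tool, "alice", up=True)      # same user again, still one upvote
    print(policy.decide(tool))               # pending
    policy.vote(tool, "bob", up=True)
    print(policy.decide(tool))               # allow
    policy.vote(tool, "carol", up=False)
    print(policy.decide(tool))               # deny, one downvote is enough
```

Counting distinct users defeats one person mashing the button, but not the peer-and-friends collusion HildyJ raises; a real deployment would want the vetoers' identities logged so that an "allow" can be traced back to who vouched for it after the fact.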


Biting the hand that feeds IT © 1998–2021