badwarebusters

Silent patching works, but at what cost?

Last week, the ZDNet Zero Day blog summarized a report by researchers from Google Switzerland and ETH Zurich as follows:
Google’s decision to silently update the Chrome browser — without the user’s knowledge or consent – has put the company at the head of the pack when it comes to securing modern Web browsers.
Indeed, the report noted that, unsurprisingly, the less user intervention and aggravation required to update the browser, the more likely the browser is to be up to date on a given user's machine. It concludes by trumpeting Google's own Chrome browser as a success for using silent updates that successfully keep users' browsers patched. It goes on to encourage other browsers to adopt a similar strategy.
While the technical mechanism in question sounds like an effective and efficient way to update browsers, the lack of user control inherent in Chrome's system is concerning. There is no clear notice during installation or operation of the software that it will be updating itself automatically. (I didn't read the entire EULA, but then, neither will most users.) There is also no obvious place in the program's options screen for disabling this feature, in case you want to test using different builds or have some particular objection to auto updates or a particular change in a newer version.
StopBadware has always been committed to the principle that users should be presented with the information and options necessary to make decisions about how software is installed, updated, and used on their computers. Google should be applauded for seeking new ways to increase browser security, but it should also be held to the highest standards for disclosure and user choice.
What are your thoughts about Google Chrome's silent updating? Let us know over at BadwareBusters.org.

BadwareBusters.org removes beta label, launches publicly

StopBadware.org and Consumer Reports WebWatch are pleased to announce the full public launch of BadwareBusters.org, an online community for people looking for help removing viruses, spyware, and other malicious software from their computers.
Many people have already been helped by BadwareBusters since its beta rollout in November. Thanks to input from members of the community, we have enhanced the site quite a bit in the last few months.
BadwareBusters will be an important platform for the further development of StopBadware's strategy to bring together people, organizations, and data in new ways to fight back against badware. The site already offers a pretty neat user reputation and message rating system, but we plan to build on this to provide tools that allow the community to express its collective voice. We want to learn from our users, so that StopBadware's research and advocacy activities can be as effective and current as possible.

In addition to helping users with badware problems on their computers, the BadwareBusters community has helped webmasters of sites that have been hacked to distribute badware. Two of our volunteers who have worked with those webmasters shared their thoughts on participating in BadwareBusters:

From Anirban Banerjee, "Badwarebusters.org is a great resource for webmasters, both experienced and relatively new. This forum provides volunteers to help pinpoint issues which vex infected sites and thus has a major social impact by reducing the spread of malware."

Volunteer Denis Sinegubko said, "As an independent security tool developer, I get an invaluable chance to test my tool against the most current real problems of real websites, to communicate with owners of compromised sites and learn what's really important to them. This helps me improve my tool and provides incentive to answer people's questions and help them solve their problems. This sort of mutual benefit makes BadwareBusters.org a live community."
For more about today's launch, see our press release.

Updated BadwareBusters.org beta

A while back, we announced a public beta of BadwareBusters.org, a collaboration between StopBadware.org and Consumer Reports WebWatch to offer an online community meeting place in which people could receive and offer help and thoughts about badware. Today we released a number of improvements to the site designed to make it easier to use.
Read about the changes or sign up for a free account. Please let us know what you think!