MacInTouch Reader Reports

Security: Google/Gmail

Older entries...

Jun. 1, 2015
Jun. 15, 2015
Jun. 26, 2015
Jun. 29, 2015
Jun. 30, 2015
Jul. 1, 2015
Jul. 2, 2015
Jul. 6, 2015
Jul. 27, 2015
Jul. 28, 2015
Aug. 3, 2015
Aug. 17, 2015
Sep. 22, 2015
Oct. 19, 2015
Oct. 20, 2015
Jan. 26, 2016
Jan. 27, 2016
Jan. 28, 2016
Feb. 1, 2016
Feb. 12, 2016
Feb. 13, 2016
Feb. 17, 2016
Feb. 22, 2016
Mar. 31, 2016
Apr. 16, 2016
Apr. 25, 2016
May. 6, 2016
May. 9, 2016
May. 20, 2016
May. 21, 2016
May. 23, 2016
May. 25, 2016
Jun. 1, 2016

Previous Page...

Jun. 1, 2015

item.211030

Bruce Klutchko

Further on my last posting about Gmail's new sign in, which remembers if you've used the computer before, even if you delete cookies, history, etc.

The Google product forums had such a lively discussion about this situation (with comments running 80% negative) that Google closed the discussion. It is pinned to the top of the gmail discussions, if you're interested in reading it.

A second discussion on their forums reveals that this is likely due to their use of an "evercookie" - an insidious series of cookies that is planted in many places on your computer. This explains what an evercookie is:

http://samy.pl/evercookie/

They show this is where the info exists, in case you want to try to remove it (this is for Windows, but you get the idea):

- Standard HTTP Cookies
- Local Shared Objects (Flash Cookies)
- Silverlight Isolated Storage
- Storing cookies in RGB values of auto-generated, force-cached
PNGs using HTML5 Canvas tag to read pixels (cookies) back out
- Storing cookies in Web History
- Storing cookies in HTTP ETags
- Storing cookies in Web cache
- window.name caching
- Internet Explorer userData storage
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage
- HTML5 Database Storage via SQLite
- HTML5 IndexedDB
- Java JNLP PersistenceService
- Java CVE-2013-0422 exploit (applet sandbox escaping)

In other words, once you've used Gmail, neither deleting cookies, deleting flash cookies, using private browsing mode, nor deleting all history will stop them from knowing you and your machine.

Sadly, the second Gmail forum discussion seems to have devolved into a discussion of whether Google is suppressing awareness of this issue by locking the first discussion.

I really don't want them putting this crap on my Mac. I feel like they are trespassing. I want them off. This is going to take some planning to do right, because I may have to start with a blank hard drive, install a new OS, and copy only documents, photos, videos, etc.

What an incredible pain.

item.211039

Ryan Edgecliff

A step just about every user of Gmail should take is to enable two factor authentication. Then you will have robust protection against co-workers accessing your account and very robust protection against a purchaser of your used computer accessing your account.

item.211421

Colleen Thompson

Finally, let's say that at the end of several years of great service, my Mac has reached the age of retirement. I decide to sell it for a nominal fee. The new owner could learn my email, unless I find out how Google tags my Mac so I can remove this information.

You should always wipe the drive and reinstall a fresh system, when selling a computer. When wiping the drive, doing a Write All Zeros is a good idea too.

item.211502

Ed Sikorski

Re: Colleen Thompson's note:

You should always wipe the drive and reinstall a fresh system, when selling a computer. When wiping the drive, doing a Write All Zeros is a good idea too.

I remove the drives for my clients, working or not. This allows them flexibility if they happen to need a recovery. And they can store it or destroy it.

If they are reselling the Mac, they offer me to install a new drive for the buyer.
Personally, I would want a newer, larger HDD/SSD too.

Jun. 15, 2015

item.212074

MacInTouch Reader

Google recently added and promoted "My Account" that gives another way of looking at all settings. Unfortunately, when the screen came up showing YouTube history on, I decided to turn it off.

Big mistake -- Congratulations, you've activated your YouTube account! I never had one and didn't want one. At least, it didn't auto-create a YouTube channel for me as best as I can see. There's no way to unsubscribe from YouTube in any Google or YouTube settings.

Jun. 26, 2015

item.212465

MacInTouch

NOT OK, Google! Privacy advocates take on the Chromium team and win...

The contested behaviour in Chromium boiled down to this:

  • Install Chromium (the reporter was using OS X but Chromium builds on Windows and Linux too, amongst others).
  • Run it.
  • Watch it download a binary BLOB (non-open-source lump of executable code).
  • Find out that the BLOB is responsible for listening to your microphone [...]

Open-source privacy advocates rather convincingly argued that this behaviour is not the sort of thing you'd expect from an open project.

Firstly, there's the issue of automatically downloading an add-in module that you didn't build yourself, without being asked, and without knowing what it's for.

Secondly, there's the issue of code that turns on your microphone without asking you first.

Thirdly, the privacy guys quickly noticed, there's the problem that the add-in module doesn't show up in Chromium's add-in list.

item.212488

Colleen Thompson

The "Undo Send" feature is now officially part of Gmail.

Oops, you've just sent off an angry email to your boss from your Gmail account. Should you start looking for a new job? Not if you've enabled Gmail's Undo Send feature.

We've all sent emails on the spur of the moment that we've regretted. Certain email programs offer an option to recall or retract an email, but that doesn't necessarily mean the recipient won't still receive it. Gmail's Undo Send feature works differently in that it actually waits to send your email, giving you a certain amount of time to change your mind and prevent it from being sent. But you have to be quick, as Gmail gives you only a specific number of seconds to halt your email. email.

item.212425

MacInTouch

Google Chrome Listening In To Your Room Shows The Importance Of Privacy Defense In Depth

Yesterday, news broke that Google has been stealth downloading audio listeners onto every computer that runs Chrome, and transmits audio data back to Google. Effectively, this means that Google had taken itself the right to listen to every conversation in every room that runs Chrome somewhere, without any kind of consent from the people eavesdropped on. In official statements, Google shrugged off the practice with what amounts to "we can do that".

Jun. 29, 2015

item.212554

Bill DeFelice

Is there any way to check whether or not this undocumented [microphone monitoring] module exists on the system? Does it reside within Chromium or does it load elsewhere and get called upon launching the web browser? I keep a separate hard drive with a clean image for restoration purposes that only gets booted up monthly to apply any software updates and to create a new drive image to restore my system. I would hate to discover I need to go back to a very early version of the image because Chromium and/or Google Chrome has downloaded this suspect software.

With that I might as well ask, are any other builds such as Epic affected, too?

item.212567

Ted Spinle

Does anyone know how we can delete this "listener" that Chrome installs?

Jun. 30, 2015

item.212627

MacInTouch

Google Manipulates Search Results, According to Study From Yelp and Legal Star Tim Wu

Google knowingly manipulates search results according to a research paper published Monday from several academics. The study presents evidence that the search giant sets out to hamper competitors and limit consumers' options. The paper lands as Google prepares to release its response to the European Union investigation, which rests on similar claims about Google's comparison-shopping product.

The paper was authored by Tim Wu, the legal scholar and former FTC adviser, which is notable as he had previously penned a column in the New Republic saying that Google had successfully cleared a Federal Trade Commission investigation into search bias on its own merits, and not because of its lobbying prowess.

Now, two years later, Wu is making an about-face.

"When the facts change, your thinking should change," Wu told Re/code about the evolution of his stance. "The main surprising and shocking realization is that Google is not presenting its best product. In fact, it's presenting a version of the product that's degraded and intentionally worse for consumers."

item.212623

MacInTouch Reader

If you go here using Chrome

chrome://voicesearch/

you will get a page stating where the files are for the "OK Google" listening extension. I was able to erase the ones in my user folder and that changed "microphone" status to "no" but I was unable to find the ones that were supposed to be inside the Chrome package, which I thought was strange. I cannot figure out how to turn "audio capture allowed" to "no", even though I have not enabled the setting to allow "OK, Google"

I really dislike this security creep. They enable some function and leave it that way for a year until it becomes normal. Then they take one more step. Feels like we are going to wake up one day with nothing left to protect.

item.212664

MacInTouch Reader

I used the provided link and viewed the same results on my system. However, after removing the indicated module from my User/Library path, both the microphone and audio capture toggles remained enabled, even after a reboot.

Since I normally don't have a microphone connected to my CPU, this isn't critical to me. If I used a machine with an integrated mic/camera, I'd definitely stay away from Chrome until these privacy-busting capabilities can be neutered or avoided.

item.212665

MacInTouch Reader

<rant>
Google's slogan
"don't be evil"
is concise
but Warren Zevon's lyrics
are pithier:
"The flood gates have opened
We've let the demons loose
The big guns have spoken
And we've fallen for the ruse"
</rant>

item.212666

MacInTouch Reader

Yelp yelps on Google!

Whoa! It is "news" that a Yelp affiliated research project has targeted the quality of Google's search results.

Let's consider.

There's a little cafe down the street. I want to know its hours. So I Google it, or even cruise up the street using Google Street view.

Google offers me a synopsis at the top of the page, and elevates the cafe's own website, ahead of Yelp.

Hallejulah! I have what I want to know without having to engage with Yelp.

Obviously, Yelp doesn't like that.

In fact, Yelp has been accused (but not convicted) of using the power of its grasp of "restaurant search" to force restaurants to buy Yelp ads.

How one restaurant fought Yelp's alleged extortion

I'm a believer that we all need to monitor our "Tech Overlords." Google, Microsoft, Apple all need to be called out. Like when Google, without notice, inserted proprietary "OK Google" Code in the "open-source" Chromium project. Yet even that, which shouldn't have occurred, became anti-Google hysteria. Even with the OK Google Code in place, a user had to actively enable the feature.

'OK Google' hotword detection yanked from Chromium after user revolt

Jul. 1, 2015

item.212682

Samuel Herschbein

About the Chrome and Chromium Extension kerfuffle, here's the list of extension names in my Google Chrome home folder hierarchy (Chromium has the top two)

lccekmodgklaepjeofjdjpbminllajkg
nmmhkkegccagdldgiimedpiccmgmieda
aapocclcgogkmnckokdopfmhonfmgoek
aohghmighlieiainnegkcijnfilokake
apdfllckaahabafndbhieahigkjlhalf
blpcfgokakmgnkcojhhkbfbldkacnbeo
coobgpohoikkiipiblmjeljniedjpjpf
felcaaldnbdncclmgdcncolpebgiejap
pjkljhegncpnkpknbcohdijeoejaedia

Someone made a conscious choice to use gibberish names thatich obfuscate what these extensions actually do. I can open the folders and figure out what they are. But even my most tech-savvy users would have no clue.

To me, the question is why? Is Google trying to hide something? Could this be a programming choice to avoid duplicate extension names?

item.212688

Fred Moore

When I use the chrome://voicesearch/ URL in Chromium, it tells me that OK Google is there and audio capture is on, but the microphone is off.

It also states:

Extension Path /Applications/Chromium.app/Contents/Versions/43.0.2357.65/Chromium Framework.framework/Resources/hotword
Extension State ENABLED

However, when I follow the path inside the Chromium package, there is no file or directory 'hotword'. Any idea what's going on?

Jul. 2, 2015

item.212801

Lee Clawson

Samuel Herschbein, regarding Chrome extensions,
asks if Google trying to hide something? And why? Giving one possibility, a programming choice to avoid duplicate extension names.

I always assume Google always tries to hide everything.

My question, "can we trash these folders"?

item.212847

Steven Wicinski

Samuel Herschbein questioned Chrome's use of gibberish folder names for extensions.

I would posit this has less to do with obfuscation (for there's far better ways to hide the purpose of an extension) than making sure the folder names are unique. Similar to your Firefox profile folder.

Five different developers could create an extension called "Mercury". Would the folder be called mercury? Would installing one overwrite the other? What if they changed the name of mercury to Venus? Should the folder change mid stream? How much easier would it be for a malware developer to replace an extension with their own?

Jul. 6, 2015

item.212857

Bill DeFelice

Regarding Samuel Herschbein's observations, I was able to examine the gibberish filenames as they are listed in the external_extensions.json file located in Google Chrome -> Contents -> Versions -> 43.0.2357.130. I opened the file in TextWrangler and found the following:

"blpcfgokakmgnkcojhhkbfbldkacnbeo" : {
"external_crx": "youtube.crx",
"external_version": "4.2.5",
"is_bookmark_app": true
},
"coobgpohoikkiipiblmjeljniedjpjpf" : {
"external_crx": "search.crx",
"external_version": "0.0.0.19",
"is_bookmark_app": true
},
"pjkljhegncpnkpknbcohdijeoejaedia" : {
"external_crx": "gmail.crx",
"external_version": "7"
},
"apdfllckaahabafndbhieahigkjlhalf" : {
"external_crx": "drive.crx",
"external_version": "6.2"
},
"aohghmighlieiainnegkcijnfilokake" : {
"external_crx": "docs.crx",
"external_version": "0.0.0.6"
},
// Google Sheets
"aapocclcgogkmnckokdopfmhonfmgoek" : {
"external_update_url": "https://clients2.google.com/service/update2/crx"
},
// Google Slides
"felcaaldnbdncclmgdcncolpebgiejap" : {
"external_update_url": "https://clients2.google.com/service/update2/crx"

The list isn't as large as Samuel mentioned but perhaps this will provide a little insight. Personally, I'm still bothered by the undisclosed code and I'm ready to abandon all use of Google Chrome, Chromium and anything built on this codebase until it gets sorted out and explained where a layperson can be reasonably certain they're out of harm's way.

Jul. 27, 2015

item.213688

MacInTouch

Worried about Google's Your Timeline? Here's how to disable tracking

Google on Tuesday announced something called Your Timeline: a Google Maps tool that promises to enable users to "rediscover" the places we've been on any given day, the routes we've taken to get there, and the photos we took and which Google tucked away into Google Photos. This is all data that Google keeps track of on our behalf, all adding up to a rather terrifying portrait of how much the apex data predator snarfs down about us.... [revealing]

  • Your movements;
  • What's easily discernible as your home, down to the street address;
  • The places you frequently go, which points to where your family, friends, illicit dalliances or political collaborators are located;
  • The routes you take to get there;
  • The businesses that you visited on any given day (as well as Google's guess as to where you went, if you haven't already confirmed its guesses); and
  • Photos that document who you were with on a particular day at a specific place.
Jul. 28, 2015

item.213720

MacInTouch Reader

Just went to my "Your Timeline" pages for my two Google accounts. In both cases, the Location Services feature was not enabled. So I had no timeline. Looks like it's off by default.

One interesting feature is that the control that lets you see your timeline on specific dates does not stop working on today's date. I was able to set the date several days into the future. If I had enabled Location Services, does that mean I would be seeing the locations where I will be going? :)

Aug. 3, 2015

item.214028

MacInTouch

Chrome extensions crocked with simple attack
Security-enhancer HTTPS Everywhere switched off with this one weird trick

Detectify researcher Mathias Karlsson says attackers can remove Google Chrome extensions, including the popular HTTPS Everywhere extension, if users do nothing else but visit a web page. Karlsson (@avlidienbrunn) says the vulnerability, patched and pushed into the latest stable edition of Chrome, allows users to be targeted without requiring intervention.

Aug. 17, 2015

item.214579

MacInTouch

Sandbox bypass through Google Admin WebView

Google has patched a vulnerability in the Google Admin application that could allow attackers to steal enterprise accounts.

MWR Labs researcher Rob Miller reported the sandbox-hopping hole, rated medium severity, which can be exploited by malware residing on a user's device.

The flaw can be used to steal Google for Work credentials, according to the UK researcher.

"A malicious application on the same device as the Google Admin application is able to read data out of any file within the Google Admin sandbox, bypassing the Android Sandbox," Miller says in an advisory.

Sep. 22, 2015

item.216205

MacInTouch

Crash Google Chrome with one tiny URL: We cram a probe in this bug

You can crash the latest version of Google Chrome with a simple tiny URL.

Just rolling your mouse over it in a page, launching it from another app such as an email client, or pasting it into the address bar, will kill either that tab or the whole browser.

It's perfect for pranking friends by sending it to them in emails and messages.

Oct. 19, 2015

item.217939

MacInTouch

How a few legitimate app developers threaten the entire Android userbase

A handful of app distributors are putting hundreds of millions of Android users at risk by bundling powerful root exploits with their wares, computer scientists have found. The researchers presented a paper on Thursday that shows how the exploits -- which legitimate developers openly use to give Android phones added functionality -- can be easily reverse-engineered and surreptitiously incorporated into malicious apps that bypass crucial Android security measures.

Development outfits with names including Root Genius, 360 Root, IRoot, and King Root provide apps that "root" Android phones so they can overcome limitations imposed by carriers or manufacturers. To do this, the root providers collectively package hundreds of exploits that target specific hardware devices running specific versions of Android. Their code often includes state-of-the-art implementations of already known exploits such as TowelRoot (also known as futex), PingPong root, and Gingerbreak. Usually, such exploits are blocked by Android antivirus apps. But thanks to improvements made by the root providers, the professionally developed exploits are rarely detected. Even worse, many of the off-the-shelf exploits target undocumented Android security flaws.

Oct. 20, 2015

item.218069

Lyman Taylor

Re:

Development outfits with names including Root Genius, 360 Root, IRoot, and King Root provide apps that "root" Android phones so they can overcome limitations imposed by carriers or manufacturers.

iOS doesn't have root exploit vendors? Fewer in number perhaps, but the general problem of security exploits for sale is pretty rampant and close to universal (where there is any sort of viable market ) at this point.

[The distinction here is that "regular" developers on the Android platform are installing root exploit code in their apps as a convenience, quite apart from criminals and governments doing similar things. As far as I'm aware, there's nothing quite like that happening on the iOS platform, and the iOS security model is certainly different from Android's in how permission handling, root access and other things work. -Ric Ford]

Jan. 26, 2016

item.222285

MacInTouch Reader

I have 2 Gmail accounts and I use the same Mac from the same IP address basically always; I don't travel much. The accounts were not created at the same time.

I got phone verification requests (2FA) from both accounts within a 12 hour span. Normally, years can go by without a pin request. Has anyone else had the same experience? I have the concern something might have changed on my Mac, though Little Snitch and NoScript have reported no unexpected behaviors.

Jan. 27, 2016

item.222333

MacInTouch Reader

"I got phone verification requests (2FA) from both [gmail] accounts within a 12 hour span. Normally, years can go by without a pin request. Has anyone else had the same experience?"

Kind of... yesterday I received a bogus verification request (by email, not phone) in my Gmail account, which I've never gotten before. It said that if I'd signed up for Twitch, I should click the link so they can start sending me stuff, or something. The link went to a Twitch URL, but I didn't click it.

Instead, I sent a fresh email to "abuse@twitch.com" saying that it wasn't me, and I don't even know what Twitch is. (I also don't care, although I didn't tell them that.) So obviously the person who signed up using my Gmail address wasn't me.

My email to them bounced with a server error. I thought almost every company had an "abuse@whatever" email address, but I guess not.

[See excerpt from a whois lookup below. -Ric Ford]

Domain Name: TWITCH.COM
Registry Domain ID: 271956_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://networksolutions.com
Updated Date: 2015-12-31T09:17:44Z
Creation Date: 1997-05-28T04:00:00Z
Registrar Registration Expiration Date: 2020-05-27T04:00:00Z
Registrar: NETWORK SOLUTIONS, LLC.
Registrar IANA ID: 2
Registrar Abuse Contact Email: abuse@web.com
Registrar Abuse Contact Phone: +1.8003337680

item.222352

Robert J

Yep. I haven't used Gmail for 8 years or so, but I do have a Google cum YouTube account, which I access at the most once a year. After logging in to YouTube a few days ago, I got some message about "abnormal activity, blah blah", and that the account was being blocked.

Basically, after running around a bunch of links that brought me back to the same pages, I found out that I could only get it up and running again if I gave Google my phone number. This was also the case after I tried to follow the instructions in the emails claiming that "someone (yes, myself) had just stolen my password" (PANIC is business!!!) which Google sent right away to my usual address.

As there's no way I'm going to give Google my phone number, I guess I'll go ahead and live the rest of my days without a Google/YouTube account. Or create a new one if I really, really need it.

item.222360

MacInTouch Reader

I have a similar situation - two Gmail accounts, one iMac & one iPad. I ran into an issue with Gmail after recently changing my ISP, wherein I had to reconfigure my connections. After that, I kept getting locked out of Gmail for one or the other account, and sometimes both, when trying to set up Mail.

I have ended up using webmail on the iMac and Gmail app on the iPad, because it was never consistent, and I could be locked out of the account at any time or place. I believe it to be an issue from the Gmail end. I have also finally been able to set up Mail to work on the iMac- still using the Gmail app on the iPad.

YMMV

item.222366

Derek Fong

If MacInTouch Reader received 2FA requests but did not actually initiate any login attempt himself, then change your passwords for the related accounts from a trusted computer immediately.

The 2FA requests only get sent when someone logs into your account with the correct username and password combination, which means someone has your username and password but is being blocked from accessing your account by the 2FA protection.

Take this opportunity to make sure that you do not share passwords between sites. A password manager like 1Password (which I could not live without and highly recommend) is great for generating strong random passwords that are unique to each site.

Jan. 28, 2016

item.222373

Stephen Magladry

Hey Robert J,

What about getting an app that is simply a front end for YouTube. There a number in the App Store. I don't have a recommendation for the Mac but can recommend Tubee for iOS.

item.222395

MacInTouch Reader

I reported here that someone apparently tried to sign up for something-or-other using my name and Gmail address... and the complaint-contact address I made up off the top of my head (abuse@twitch.com) didn't work. No big deal, but now we get into a bit of whois stuff...

Ric responded to my post with a whois data block that included...

Domain Name: TWITCH.COM
...
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://networksolutions.com
...
Registrar Abuse Contact Email: abuse@web.com

"Registrar" refers to Network Solutions, probably not to the Registrant (domain owner), although occasionally they are the same company. Some whois listings are more complete than others, and include information about the Registrant as well; the whois Ric cited doesn't.

Web.com is the same company as Network Solutions, Register.com, and various other brand names; abuse@web.com is for reporting domain-name/registration abuse to them (like somebody trying to steal your domain name, or registering a domain using a phony identity). An individual visitor "registering" on a website has nothing to do with a domain-holder "registering" the domain itself; they're on completely different levels of jurisdiction.

Obviously I could research how to contact any particular website to report fraud or abuse, if I wanted to bother. Most domains enable "abuse@thisdomain.com" so you don't have to research it.

Thinking about "Twitch" while drinking my third cup of coffee is a little odd anyway :)
And I still don't care who they are, although I may pay a few bucks to the nice old voodoo lady who does business up the block from me (really, not a joke) to put a curse on anybody who pretends to be me online  :)

Feb. 1, 2016

item.222535

John Herbert

With the imminent demise of security support for Chrome,
I will be eager to read, here at MacInTouch, strategies for maintaining a modicum of security while not having to upgrade to a later Mac OS.

For me upgrading offers a host of inconveniences, not to mention (my gut tells me) what might be a host of new problems for a MacBook Pro 2012 running on 4 gigs of memory and the meandering lion of the mountains :)

item.222549

MacInTouch

Updates to Chrome platform support

Today, we're announcing the end of Chrome's support for Windows XP, as well as Windows Vista, and Mac OS X 10.6, 10.7, and 10.8, since these platforms are no longer actively supported by Microsoft and Apple. Starting April 2016, Chrome will continue to function on these platforms but will no longer receive updates and security fixes.

Feb. 12, 2016

item.223388

MacInTouch Reader

Thank you Ric for listing the most recent security update to Google Chrome.

I opened my copy and checking Chrome's About box discovered that I had version 46.0.2490.80 and was already up to date. Not remembering when or how I had upgraded, I double-checked.

You said 48.0.2564.109 is current.

I clicked your link to the Chrome download page, and downloaded what was offered. What I received was 48.0.2564.109. Checking Get Info on my original copy of Chrome, I see a modification date of October 20 of last year.

For months now I have been using an outdated, insecure, and vulnerable copy of Chrome — because I trusted Google.

I do not think I will make that mistake again.

Feb. 13, 2016

item.223415

MacInTouch Reader

Re # 223388

Thank you Ric for listing the most recent security update to Google Chrome.

I opened my copy and checking Chrome's About box discovered that I had version 46.0.2490.80 and was already up to date. Not remembering when or how I had upgraded, I double-checked.

You said 48.0.2564.109 is current.

I clicked your link to the Chrome download page, and downloaded what was offered. What I received was 48.0.2564.109. Checking Get Info on my original copy of Chrome, I see a modification date of October 20 of last year.

For months now I have been using an outdated, insecure, and vulnerable copy of Chrome &mdash because I trusted Google.

I do not think I will make that mistake again.

It is darn hard to disable Chrome's automatic update on a Mac. But it is possible.

Google is probably the least likely culprit.

Google Software Update needs to run:
- GoogleSoftwareUpdateAgent
- GoogleSoftwareUpdateDaemon

Those could be blocked by Little Snitch or one of its similar competitors

The Chrome Help Page

"Fix Chrome update problems and failed updates"

lists many reasons Chrome may not update as expected.

The most troubling is malware, and a list of Mac malware is on the page.

Important note: Malware can travel from computer to computer via Browser Sync.

Even Chromebooks, which are "supposed" to be impervious, can be hijacked by an extension synced from another computer.

If Chrome isn't updating on any computer, you should check for malware and also for browser hijacking.

Feb. 17, 2016

item.223641

MacInTouch

Google Acknowledges It Collects Student Information, but Doesn't Target Ads

Google acknowledges it collects information about students when they're visiting Google-owned sites such as YouTube or services like Google Maps -- but says it doesn't use this personal data to target advertising.
...
The schools are responsible for obtaining a parent's consent and determining whether students have access to services such as Google Search, Earth, Maps or YouTube. The company does not share personal information with third parties, except when schools ask Google to do so, Molinari wrote.

Feb. 22, 2016

item.223837

MacInTouch Reader

Google Chrome now displays a message that there will be no more updates supporting Snow Leopard (or Lion, Mountain Lion). We are on 10.6.8 and the latest Chrome update.

item.223857

MacInTouch

What If San Bernardino Suspect Had Used an Android Instead of an iPhone?

... In a sweeping November report on encryption, Manhattan District Attorney Cy Vance wrote that Google can "reset the passcodes" on some Android phones without full encryption, when served with a search warrant. "This process can be done by Google remotely and allows forensic examiners to view the contents of a device," according to the report.

Trouble is, we don't know how many Android phones are fully encrypted. (Google says it doesn't know, either.) Just 1.3 percent of Android devices run the latest Marshmallow software, many of them the newest Nexus phones, which Google fully controls. For the 34.1 percent of phones running Lollipop software, turning on full device encryption is optional.

Phone makers can add their own security, as Samsung and BlackBerry do, but they are also free to tweak Android's source code and occasionally inadvertently introduce their own security vulnerabilities along with their custom software.

That means that given a San Bernardino-like scenario with most Android phones, the FBI could likely avoid the complicated back-and-forth it has had with Apple, but could find its job harder or easier depending on the particular phone, phone maker or user-chosen options.

Mar. 31, 2016

item.225894

MacInTouch

More Encryption, More Notifications, More Email Security [Google Security Blog]

Today, we're announcing a variety of new protections that will help keep Gmail users even safer and promote email security best practices across the Internet as a whole.

Apr. 16, 2016

item.226797

MacInTouch Reader

Chrome version 50 (50.0.2661.75) was moved to the Stable Channel the other day and represents the first version to drop support for Mac OS X 10.8 and earlier along with XP and Vista for Windows. Now when you go to the download page for Google Chrome it states:

"For Mac OS X 10.9 or later" (Note: This disappeared later in the evening)

As of this writing the page still downloads version 49.0.2623.112 and I have not seen an update for Chromium or other browsers based on the same code. Would expect those to appear sooner rather than later.

https://www.google.com/chrome/browser/desktop/index.html

http://googlechromereleases.blogspot.com/

Apr. 25, 2016

item.227077

Peter Stanbridge

According to numerous reports in the media, Google is 'partially dangerous'.

Google.com is a 'partially dangerous' website - according to Google
Visitors warned about malware and cybercriminal links on search engine by the company's own Safe Browsing Site Status report

In the meantime, concerned web users may wish to try alternative search engines. Microsoft's Bing.com is currently assigned a "not dangerous" status by Google, despite its report flagging up the fact that some pages on that website also redirect visitors to malware-installing sites.

Anonymous search engine DuckDuckGo, meanwhile, gets a clean bill of health according to its Google Safe Browsing report.

May. 6, 2016

item.227881

MacInTouch Reader

I'd like to enable 2-Step verification with Google, which I use for many email accounts. The only thing stopping me is they require a cell phone number. I'm inclined to give them my real number, rather than a Google Voice number that's on a different account.

Obviously the account will be more secure with 2-Step, but giving Google my number creeps me out a little. Advice?

May. 9, 2016

item.227908

Paul Chernoff

You can give Google your phone number and then switch it over to use Google Authenticator once you have 2-factor set up.

item.227924

MacInTouch Reader

With my post 227881 about enabling 2-Step verification with Google, I took the plunge. But I discovered that after setting it up for 10 accounts, it would no longer let me use that real number to send codes for an 11th account.

So with other accounts, I'll have no choice but to use a Google Voice number (tied to other accounts) as the verification number, and switch Google Authenticator to the primary verification. Hopefully 2-step with Google Authenticator 1st, and a Google Voice number 2nd (tied to a different account) is safer than no 2-step at all. For recovery options, I already have another email and the same Google Voice number listed. Opinions please?

I also noticed Yahoo doesn't like Google Voice numbers for verification. Either that, or they don't realize that a certain area code is valid.

item.227934

MacInTouch Reader

I ran into an apparent Gmail security glitch while traveling over the weekend while trying to access email through Apple Mail and Firefox on my MacBook Pro using 10.9.5.

Two accesses were logged as coming from iOS devices at a time when I was using a hotel network with the Macbook, but I have no iOS devices. It does not mention any access at that time from a Mac.

The most plausible explanation I can think of is that the hotel network somehow garbled the identification of the Macbook.

Google as usual leaves no way to notify them of possible bugs.

May. 20, 2016

item.228525

MacInTouch

KSFetch Annoyance on Mac OS X 10.8 ML with 'Hands Off' or 'Little Snitch' Firewall.

KSFetch is a process for autoupdating of any and all google products installed on your system. Chrome being one of the most popular. Unfortunately, KSFetch is recreated each time it wants to check for updates and placed in a new directory, part of which is randomised. The randomised part of it means your firewall won't know of it every time a new one is created even though you may have selected 'always allow' or 'always deny' because its looking at the wrong directories due to the nature of the random string in each. This results in your firewall having a ridiculous list of KSFetch entries in it and a continual nagging from your firewall about wether to allow or deny.

Another aspect to the issue is that, not only can we not block programs that keep moving and re-spawning in new locations effectively in our firewalls but that it does it every single bloody hour as the default. It's insanity.

May. 21, 2016

item.228561

MacInTouch Reader

"KSFetch is recreated each time it wants to check for updates and placed in a new directory, part of which is randomised."

You might be able to block this (or allow this) without further annoyance by setting a rule for any process to deny forever (or allow forever) connecting to the domain that KSFetch is trying to reach.

May. 23, 2016

item.228579

MacInTouch

Incensing critics, Google engineer ends push for crypto-only setting in Allo

A co-leader on Google's product security team has waved a piece of red meat in front of already frothing privacy advocates by deleting part of a blog post saying he wished the Allo messenger app the company announced Wednesday would provide end-to-end encryption by default.

Control the size of messages, use smart replies, and see video of callers before you pick up. To critics, the deletion by Thai Duong amounted to tacit admission that his employer was willfully choosing to leave messages sent by the vast number of Allo users open to government surveillance. The critics have argued that because end-to-end encryption will be turned off by default and turned on only in an incognito mode, most users will never avail themselves of the protection.

May. 25, 2016

item.228685

MacInTouch

Can Google replace passwords by tracking you more thoroughly?

Google thinks it has the answer: build the biometric measurements into the device and the operating system itself by tracking some, any or all of how you type, speak, move, and otherwise conduct your online life...

...so that the device can vouch for you at any moment.

Google's Advanced Technologies and Projects division, or ATAP for short, calls it Project Abacus, and it's supposed to keep track of your behaviour as you work, and maintain a rolling score called a Trust Score.

Jun. 1, 2016

item.229005

Ric Ford [MacInTouch]

For what it's worth, in the context of recent discussion, here are just a few of the multiple long, complicated descriptions of Google's personal data collection and usage:

Google Privacy Policy

Google Chrome Privacy Notice

Google Advertising Technologies

Google "Privacy Checkup" (requires Google Account sign-in)


MacInTouch Amazon link...

Talk to MacInTouch     Support  •  Find/Go