Just when I thought shoddy tech "journalism" couldn't stoop any lower, there is now a supposedly "new" report out that Chrome stores its passwords in plain text.

From Google Chrome security flaw offers unrestricted password access at The Guardian:

A serious flaw in the security of Google's Chrome browser lets anyone with access to a user's computer see all the passwords stored for email, social media and other sites, directly from the settings panel. No password is needed to view them.

Absolutely no mention that this has been known for years. Why this is being reported now, I have no idea.

From Google Chrome flaw exposes user passwords at The Telegraph:

Software developer Elliott Kember stumbled across the vulnerability when importing his bookmarks from Apple's Safari browser to Google Chrome. He discovered that it was mandatory to import saved passwords from one browser to the other – something he described as 'odd'.

After doing a bit more digging, he found that Google does not protect passwords from being viewed when a user is logged in and running Chrome. Anyone with access to the computer can view stored passwords by going to the advanced settings page and clicking on the “Passwords and forms” option, followed by “Manage saved passwords”.

Here the reporter goes a step further to make it sound as if this is some new discovery.

This is not a new discovery. Many people, including the developers at Google, know about this, and have known about this for years. It's a deliberate (albeit bad) design choice. I knew about it in 2009, and I've known about it ever since.

Someone back in December 2008 already reported it to Google:

Google, Why does your browser Chrome not have a master password for saved passwords? This is ridiculous

and Google's response:

Hi everybody,

We understand that many of you want a master password for your saved passwords in Google Chrome. You’ve laid out many scenarios in which this might be useful, but the most common is that if your computer were to fall into the wrong hands, that person would then have access to your saved passwords.

While we agree that this situation would be terrible, we believe that a master password would not sufficiently protect you from danger. Someone with physical access to your computer could install a keylogger to steal your passwords or go to the sites where your passwords are stored and get them from the automatically filled-in password fields. A master password required to show saved passwords would not prevent these outcomes.

Currently, the best method for protecting your saved passwords is to lock your computer whenever you step away from it, even for a short period of time. We encrypt your saved passwords on your hard disk. To access these passwords, someone would either need to log in as you or circumvent the encryption.

We know this is a long-standing issue, and we see where you're coming from. Please know that your security is our highest priority, and our decision not to implement the master password feature is base

Okay. It took Google almost a year to make that official response, but that's still almost three years ago!

I thought the "There are millions of Android malware apps (which no one is actually installing)" scare headlines were bad enough. Now known bugs that are deliberate design choices are suddenly newly-discovered security flaws. I can't palm forehead this enough...

If you want to store passwords with a master password, use Firefox. The master password encrypts your saved passwords. It's not a perfect solution, but it's better than what Chrome's doing... and has been doing for years.

Whenever a new trojan appears for Linux, Mac OS X, or (now) Android, inevitably you get a crowd of ignorant panic-mongers up in arms saying “See? [fill in the blank] gets viruses, too! Ah ha! Better install that antivirus now.” Now, apart from the fact that so-called “antivirus” software is for all practical purposes useless (a placebo at best), viruses and trojans are conceptually very different types of malware.

And, no, this is not just a matter of some geeky semantics.

The mass hysteria out there right now about Android malware reminds me of HIV/AIDS “information” back in the early or mid 80s. People were genuinely afraid you could catch AIDS from hugging someone or drinking from the same water fountain as someone who had AIDS. There wasn’t a lot of reliable and consistent information about how people became HIV positive.

Same deal now. If you read any mainstream press coverage of Android malware, you’ll see the focus is really on quantity (Android Malware Surges Nearly Five-Fold Since July or Android sees a 472% increase in malware since July) of malware instead of actual risk of infection. In typical pop journalism fashion, a lot of “news” articles are taking the “here’s one extreme, and here’s another extreme, so you decide” approach instead of actually informing consumers of the facts of how they can protect themselves from malware.

For example, Security Experts Concerned About Google’s Attitude Toward Android Malware makes it sound as if there is Chris DiBona saying Android malware isn’t a problem and then there are the “antivirus” vendors saying it is a problem. Same deal in Android Security: Threat Level None?

All these articles leave the consumer with is a sense of confusion, and no real practical steps to protect oneself. The former, for example, says:

Most malware researchers agree that the openness of the Android platform, which allows installing non-vetted apps, and more importantly the openness of the Android market, which lacks a strict application review process, contribute to its malware problem.

The latter at least hints that users could be responsible for malware proliferation:

Now that we have a few different views on this topic, who do you think is right? Well, there’s some truth to what the security vendors are telling us. Smartphones—and apparently Android devices in particular—can be infected with malware through careless use.

Careless use. Who is doing the careless using? Phone owners. Phone users.

That is the big difference between a virus and a trojan. The trojan you have to give permission to. You have to invite the trojan in. You know the famous story about the Trojan Horse? Yeah, that attack wouldn’t have worked if Troy had said “Yeah, fancy wooden horse? We’re not letting that into our city.” Same deal with malware. If you don’t install malicious apps pretending to be legitimate, you won’t magically get infected with malware. This is true for Android, Mac OS X, and Linux. I have never heard of any malware proliferating on any of those platforms that was not a trojan.

So if you want to protect yourself, don’t install “antivirus.” Install some common sense instead. Here is a great, step-by-step guide on how to do that: How to be safe, find trusted apps, & avoid viruses – A guide for those new to Android

You’re welcome.

Android malware in the news

March 9th, 2011

Nonsense. That’s to be expected.

Common sense. Surprising.

Ever since 2009, I’ve been hearing a lot in tech blog posts and the media about “Android fragmentation.” No actual Android user I know in real life has complained about it, though. I’ve also noticed that criticisms about so-called Android fragmentation tend to be quite vague.

From Android fragmentation is real:

For Joe Average, this created an ultra-confusing marketplace where operating system versions changed every few months. It also meant that compatibility issues were inevitable.

What compatibility issues? Examples?

From Ask Maggie: On waiting for a Verizon iPhone 5:

But one of the problems that Android has is that it’s very fragmented. Even at the smartphone level, different devices run different versions of the Android OS and that means that not every app runs every device.

What apps? Examples?

On my MyTouch 3G (the original), I’ve used just about every version of Android there is. 1.5, 1.6, 2.0, 2.1, 2.2. Some rooted. Some OTA from T-Mobile. I’ve experienced no problems as an end user in terms of applications having compatibility issues. Some of the more graphics-intensive apps don’t run well on my 528 MHz processor with 192 MB of RAM, but that’s regardless of what version of Android I have—my phone just isn’t that powerful, so Angry Birds will just not run well on it. That has nothing to do with “fragmentation.”

Some people who want to make a big deal about Android fragmentation will point to an interview with one of the Angry Birds makers (Peter Vesterbacka) in which he says

Android is growing, but it’s also growing complexity at the same time. Device fragmentation not the issue, but rather the fragmentation of the ecosystem. So many different shops, so many different models. The carriers messing with the experience again. Open but not really open, a very Google centric ecosystem.

but they seem to ignore that when asked directly about Android fragmentation being an issue, he says

Fragmentation on the device side is not a huge problem, but Steve is absolutely right when he says that there are more challenges for developers when working with Android. But that’s fine, developers will figure out how to work any given ecosystem and as long as it doesn’t cause physical pain, it’s ok;-) Nobody else will be able to build what Apple has built, there just isn’t that kind of market power out there.

That doesn’t mean that model is superior, it’s just important to understand that Apple is Apple and Google is Google. Different. And developers need to understand that. Different business models for different ecosystems. And wouldn’t forget about Nokia and MeeGo either, new leadership always tends to shake things up and create opportunity. And HP-Palm. And RIM. And even Microsoft. It’s a fragmented world.

If you actually own and use an Android device as your primary phone, how (with specific examples) have you found so-called “fragmentation” affecting you? Which applications do not work on your version of Android that would work on another version? Why do you think people don’t make as big a deal about “Windows fragmentation” (Windows 98, 2000, XP, Vista, 7) or “Mac fragmentation” (Panther, Tiger, Leopard, Snow Leopard)? Am I crazy for thinking Android fragmentation is a non-issue?

In Google: Judge, Jury and Online Shopping Executioner, Lance Ulanoff says Google—in updating its search algorithm to no longer reward with top search results businesses who have lots of negative user experiences—is potentially dooming other legitimate businesses:

Borker was very upfront is[sic] his dastardly business strategy and has only his self to blame for the world’s largest online search corporation summarily dismissing him for them web. But who are these other companies? How did Google come up with this list of companies with bad user experiences? How will these companies know if they’ve been “Borkered”?

Uh, read Google’s official announcement about the change. They didn’t come up with a list of companies. They updated their search algorithm. I’m sure they probably did some investigating to find a handful of Borker-similar businesses so they could test their algorithm, but they don’t have a static or periodically updated blacklist of “bad” businesses. They have a search algorithm. The algorithm got updated.

But what if some didn’t deserve it? What’s their recourse and where does Judge Google stop?

A computerized search algorithm will never perfectly return the absolute best results as determined by Lance Ulanoff. It’s an algorithm. Google’s been tweaking its algorithm for over ten years now, and it’s never been perfect, but it’s been good enough that people still use it more than any other search engine. Hey, I think my wife’s graphic design firm is the best, but if you search for graphic design firms on Google, she doesn’t appear anywhere on the first page. This is an outrage! What recourse does she have? Where does Judge Google stop? How could Google have condemned my wife’s business to a lower ranking than some worse design firm? See where this is going? You aren’t entitled to be at the top because you think you’re the best or that you’re just supposed to be there. As Ulanoff admits, even PCMag itself isn’t into such a supposed meritocracy:

PCMag.com doesn’t sell anything to consumers (aside from our Utilities Downloads), but we certainly work hard to be a part of the first page of any Google search relating to products and technology. Our methods are based on good search engine optimization (SEO) training—and mostly focus on topic relevance.

If you’re search engine optimizing instead of just producing the highest quality content you can, aren’t you anointing yourself your own judge over what should be at the top instead of just letting the natural results rise to the top?

Here’s the most ridiculous example:

I have seen big companies struggle to shake off the burden of previous missteps. Perception is not only reality, it can be awfully persistent. Look at Symantec and its product Norton Internet Security. For years, it was a dog of a product that, while properly protecting your PC, turned it into a sluggish mess. A few years ago, Symantec completely rebuilt the security suite. It’s now among the fastest, lightest and most effective security suites on the market. Yet, when I speak to people, they still think it’s a dog and refuse to even try it. It’s like they have their own brain-matter-based search engine that’s stuck on all the bad info fed into it years ago. New, positive information can’t seem to rise up above the vast amount of negative sentiment they initially received about the product.

In Google’s new world, bad actors are always bad actors. They could be banished based on bad reviews, even if the company is busy cleaning up its act.

First of all, bad actors are not always bad actors. Somehow Ulanoff missed that Google updated its search algorithm. It’s not a static blacklist of businesses that are bad.

More importantly, if you do a Google search for antivirus, Symantec shows up in the first ten results. The idea that customers who have a bad experience with a product will not return to the product despite its later improvements has absolutely nothing to do with Google search results. That’s just life. That happened before Google. That happened before the internet. That’s a branding and marketing issue. That isn’t search result ranking.

If Symantec wants to fix its problem, it needs a proper marketing campaign. And if Google wants to fix its problem, it needs to update its search algorithm, which it actually has done.

The irony is that Ulanoff’s “article” has risen to the top of Google News right now over other more sanely written articles on the same topic. Maybe Google’s next algorithm update project should be on punishing attention-grabbing headlines for poorly written articles.