I've always hated that "service" (more like malware given this news) like everything else that installs itself into the autolaunch sequence without permission, and remove* it whenever I notice/remember it, but it keeps coming back whenever I touch Google Chrome, which I prefer not to use in favor of Safari/FireFox because of reasons like this.
Things like these (including secretly signing you into Search when you sign into YouTube† or refusing to support PiP on iPadOS/macOS) just solidify Google's image in my mind as a forever scummy, intrusive company that I wish I could leave behind like I did Microsoft, but sadly Google Search and YouTube still don't have good enough alternatives yet.
* (startup items usually reside in the LaunchAgents/ and LaunchDaemons/ folders in your user ~/Library/, the root /Library/ and /System/Library/)
† (you can fix this by deleting all Google cookies after signing into YouTube, on any OS)
The trends that Google has spearheaded have had a real effect on me over the years.
I feel alienated from my computer. Subtle things will just change. If I really dig I might be able to find out why, but I don't have the time, so I just accept it.
Usually very small things that are barely noticeable. My Chromecast extension disappeared and was integrated into the browser. My brain could not help but notice this benign change, which caused a hard to place sense of unease.
Or when Google decided to remove rotation from the home screen on Android 2.3 -- it wasn't a huge problem, but I could have sworn that something changed. Users were conflicted, many convincing themselves that the homescreen never rotated at all.
It has made me not trust my computer. I second guess myself much more. If some option no longer exists, I wonder if it was just my imagination or if it was quietly deprecated while I wasn't looking. Does it even matter?
I think that we are being trained to see devices as ephemeral, and not to get too attached to them.
You feel alienated from your computer because there has been a conscious decision to take away options and user control in modern software. And I get why that decision has been made, even if I hate it as much as you and every other computer enthusiast.
For 90% of people, they have always "felt alienated" from their computers. They didn't understand what was happening or why things changed either, and it was easy to get yourself into trouble if you didn't know what you were doing and were trying to figure out how to fix something.
So companies decided to make their software have fewer options, and do more things automatically, without asking the user to have to make a choice. They don't give the users an option to customize, so they don't have to worry about those customizations causing breakage.
For advanced users this is crippling, but there are a lot more of them than there are of us, so they are going to be catered to.
> For 90% of people, they have always "felt alienated" from their computers. They didn't understand what was happening or why things changed either, and it was easy to get yourself into trouble if you didn't know what you were doing and were trying to figure out how to fix something.
I have stubbornly resisted it, but I think I will go the way of all of my friends and just accept it soon.
I now spend more time doing personal system administration than at any time in my life as a computer user. If you want to have control of your computing devices, you need to spend more time than in the age of five in floppy disks.
Most updates are a one way trip now, and they aren't keep on publishing exactly what features they have removed, so a lot of time is spent disabling updates, firewalling, researching, jailbreaking, imaging, and backing up.
My biggest liability now is not malware, but updates! I have to put all of my development toolchains in virtual machines, because they will break and I can not rely on being able to re-create them. Re-creating my modest workflow is a bi-annual affair, when it really shouldn't be.
And there has been a cultural change in software development as well. Software like Firefox will clobber your data during an update, and when you file a bug report, it will be WONTFIX, and they will say that it is your fault for not using Time Machine and rolling back their changes. They did this awhile back with bookmarks, and they certainly do it with extensions. I had to spend an entire afternoon recovering annotations and citations that were destroyed by a Firefox update, and I was told it was essentially my fault for trusting Firefox and not having hourly backups.
I hate to sound like a broken record, but there was a time when you could reasonably assume that if an update was making major changes, that it would give you the option to go back, or at least export your data if it didn't support it. I really wish the open source community would step up and be different, instead of embracing this.
I think these "lower the ceiling rather than raise the floor" rationales are cop-outs.
Yes, I get it, this reasoning does technically provide a justification for the design decisions made that will shut some people up. But that doesn't make the product or design decisions anything to be proud of.
And, to take it a step further, I don't think UX is putting in honest effort to improve things for unskilled users. All the low barrier to entry stuff is superficially pleasant, but the number of common UI paradigms end users have to learn how to intuit their way around has exploded, while affordances and discoverability have plummeted. People who've spent their dayjobs in front of computers for years - if not decades - are assumed to categorically have bad, less-than-worthless, ideas about what might make interacting with those devices easier. All because "shut up, nerds. Nobody would ever like the things you like" was easier than listening and figuring out the how to separate the wheat from the chaff.
Ironically despite there being less choices in an effort to make it easier for that "90%", the amount of tech support friends and family request from me has only increased in the past years.
Personally I don't buy the whole "removing choices to stop users from hurting themselves" excuse. To me it seems like over zealous designers trimming far more than necessary to make things look nicer at the cost of usability. But what do I know?
People are using tech to do a lot more. 20 years ago tech was a thing you sat down at, turned on, and used to check your email, update a spreadsheet, or type up a document.
Now we're using computers and software every waking hour and using software with millions of distributed users that we expect to always show us the latest updates.
We're using phones for banking and payments, to turn our lights on and off, to keep a lifetime of family photos backed up and synced across multiple devices.
It has made things more complex, but I don't think a world of 1997 style configure-it-yourself software would necessarily help with that.
Regarding the increase, I would argue that is less about increased device complexity but more about the increase in the amount of people who are using these devices on a daily basis. More they use, the more problems they encounter; I think the intersection between complexity and usage is determined moreso by the latter.
I doubt the number of people using smartphones and computers has increased significantly in developed/first-world countries, especially when it comes to one’s family and friends.
As anecdotal as it may be, my friends and family have used computers and smartphones for years, but I’ve experienced the same increase in requests for tech support as the parent comment.
Further, no one said there’s increased complexity. The argument is that the oversimplification, the removal of features, and overzealous design assumptions have made UX go in the wrong direction. It’s also an argument I agree with.
A lot of UX design today fails to recognize the spectrum of “tech literacy” and it should, ideally, accommodate all within that spectrum, rather than pander to the least “tech literate” end. It’s not always possible, but it should be strived towards. Instead, we have UX trending towards attempting to be so “intuitive” that it becomes counterproductive.
I had an interesting incident recently, where I was with some relatives and we were trying to plan the next leg of our trip; what restaurants to go to and what directions to take, etc.
Anyway, we had to start using a paper notepad and pens to keep track of the information!
Even for people who just want to paste an address from a text message to look up in maps, and especially if you want to do anything with the calendar.
I just remember 15 years ago on my Treo 650 never needing to do that, and having no problem copying text between different apps seamlessly, between calendar, email, text, maps, and other apps. Same with Blackberry. Using modern Android is as awkward as driving a car with a mouse.
But I think there was an intentional push to minimize options for users, to make fewer pathways for things to go wrong. Forcing people to use pen and paper when they have a smartphone next to them is a UX success for them, because they don't have to improve handling text.
I'm afraid that's Agile development for you; teams contemplating the emptiness of their backlog and rushing to invent an endless stream of small t-shirts to fill it and keep the velocity within the desired KPIs.
> You feel alienated from your computer because there has been a conscious decision to take away options and user control in modern software. And I get why that decision has been made, even if I hate it as much as you and every other computer enthusiast.
This is a weird claim here because this issue only appears if you made a conscious decision to disable a critical security of the operating system, something only possible because you have "options and user control in modern software".
That this conversation arose within this context is somewhat ironic, but not particularly weird.
It’s great that Apple lets you disable SIP in macOS. It’s not great that Google frequently takes away user control. Different companies making different decisions in different situations is not contradictory, and outliers do not discount an overall trend.
My wife stopped using Android for that very reason. She’s not much into tech and complained that every time Android updates to a new major version, she needs to learn it from scratch, while iOS changes are noticeable but rarely touch user interaction fundamentals.
My mother had that exact same experience with her Nexus 5x. Things kept on shuffling every 6 months. Ever since I’ve got her on iOS, she’s been happy and I’ve been happy. I don’t even have to ask her to update to the latest iOS. She does it automatically and generally is able to find her way through. Never so on Android.
Apple wins in that regard - stability, consistency and reliability in daily use. It’s boring in a way for tech enthusiasts but wins in the eyes of people for whom their phone is just another tool which needs to work when they need it. They’ve no inclination to fiddle around with things nor a desire for a changing UI.
History observers will know that Google started the forced auto-update and permanent beta culture. "We know better than users".
When all is said and done, Google can die off or fail as a business, but this and persistent data collection as a norm will remain its most lasting "contributions".
I absolutely hate auto-updates on anything. Of course this is always met with "but security issues..." YOU BROUGHT SECURITY ISSUES BY MAKING EVERYTHING NETWORKED AND IN A PERPETUALLY UNFINISHED STATE!!!
And of course since everything is in a constantly broken state, it is also in a need of constant auto-updates that both break and unnecessarily change stuff without my knowledge or permission.
> Or when Google decided to remove rotation from the home screen on Android 2.3 -- it wasn't a huge problem, but I could have sworn that something changed. Users were conflicted, many convincing themselves that the homescreen never rotated at all.
For this specific feature, on LineageOS, you can restore home screen rotation. I don't really understand why it's off by default though, it's confusing to have apps rotate but not the home screen.
I've always assumed they know what they are doing (Android UX seems quite good, despite what my three years younger self would think), but I don't get this. Is it because you can mess up your home screen by adding or moving icons when rotated?
> For this specific feature, on LineageOS, you can restore home screen rotation. I don't really understand why it's off by default though, it's confusing to have apps rotate but not the home screen.
I think it is either because iOS doesn't rotate the home screen on phones, or because they introduced this simplified car interface that did rotate, and they wanted to differentiate. But like so many design choices, it was not due to technical reasons, but marketing or political reasons.
It's funny, when I used Windows 10 for the first time recently, Ubuntu's unintuitive lock screen finally made sense, since they copied it. Whenever open source software starts doing something strange with their interface, I only have to look at proprietary software to see what interface they cargo-culted, going back to Pidgin copying iChat. I would love to see the discussions where they make these decisions. I imagine someone bursting into a meeting "You guys, Microsoft did a thing with their interface, we have to put everything else on hold to copy them!"
When I used versions of android with home screen roatation, I remember it would completely jack up most of my widgets. They were designed to be displayed at some aspect ratio and that aspect ratio would change after rotation. Maybe they got rid of the feature because it wasn't worth it to herd developers of widgets into fixing this issue.
I feel the same. That's why I appreciate a lot Free Software and I try to never have essential parts of my workflow depend on proprietary software; because it doesn't change condtantly, it doesn't run away from me, it is always available. It really takes a lot of stress away. If only I could replace every tool with a free alternative...
This was way more than a week ago, I remember installing an extension for exactly this months ago. Then it came back, then it disappeared again [...] - this might be betatesting though.
I can’t speak authoritatively about this specific instance, but I use multiple unlinked google products across multiple devices and they absolutely split test UI changes. It can be fairly nefarious on the advertiser/publisher side of things if you actually understand what their attempting to do.
It’s really too bad, because Google traded their pristine reputation for possibly a slight boost in their near term earnings.
> I feel alienated from my computer. Subtle things will just change.
I sometimes feel like companies have used the guise of "protecting novice users" as a means to take away our freedoms and increase their power (e.g. Google forcing updates on Chrome; Microsoft forcing updates and telemetry on Windows; Apple prohibiting non-app store applications and iOS downgrades). Of course, Linux and BSD exist, but many people don't want to deal with them.
> It has made me not trust my computer. I second guess myself much more. If some option no longer exists, I wonder if it was just my imagination or if it was quietly deprecated while I wasn't looking. Does it even matter?
It's fascinating, because whatever thing was silently deprecated, there will be hoards of defenders in comments insisting that the thing never existed, and it was just your imagination. Even on sites like Stackoverflow!
Part of this is because release notes no longer most things removed (they are just covered under "other interface enhancements").
I did track down the home screen rotation change but it was very obscure. In one thread a user had to post actual video of two different Nexus One devices and prove that the update removed landscape homescreen mode. This is the world we live in, where this is a massive cloud of uncertainty over what our devices are even capable of doing!
Yeah, I removed Chrome precisely because it kept re-adding its crap to the login sequence. It really drove home the notion that Google will not respect any boundary or privacy - your machine is their machine, your data is their data, and screw you if you don't agree.
Now I live in Firefox and it's just as good as Chrome, at least for my needs. I've dropped pretty much all Google stuff except for GMail, mostly out of laziness (I would have to update hundreds of accounts).
>> I've dropped pretty much all Google stuff except for GMail, mostly out of laziness (I would have to update hundreds of accounts).
I held off for two years moving away from GMail for this reason. A year ago I decided to pull the plug anyway, and it turned out to be much less annoying than expected. My strategy was as follows: first enable a forward from GMail to your new mail address, then directly migrate the ~10 vital/daily accounts, then just leave the rest pointing to the GMail account. After that, change each remaining account immediately (no exceptions) the moment I either log in to it, or receive an e-mail from it that refers to the GMail address.
It took me about two months migrating away from GMail, and as a bonus I was able to identify quite a few old login I didn't really have a use for anymore, so I closed them.
For regular mail I put an auto-reply in GMail that says I don't use it anymore and the address will be closed at some point in the future. But honestly, I don't think anyone ever saw it as nobody sends regular email anymore these days. All in all the process was pretty painless, and I feel very happy about ditching the last Google service I was still using (except the rare Google query of DDG fails to return useful results)
Not OP, but for personal email I've noticed the utility of email has gone down and down for me the past few years. I've got more spam/junk, 90% of my other traffic is automated bills and newsletters I get, etc, and an ever dwindling amount of friends keeping in touch via email. There seemed to be a progression from email->fb->whatsapp,snap,IG,etc-> .....?/i'm too old to keep up with the lastest communication these days. Most of my social convos have regressed 15 yrs and are again mostly just texting, even for photo sharing....
Now email in professional life is a different story, and is 100% mandatory, but that's all in the enterprisy outlook world...
WhatsApp or Facebook Messenger. The only personal emails I receive nowadays are from my parents, and people travelling abroad without reliable internet connections.
I've been thinking about migrating away from GMail for a while now. Are you self hosting your email now, or are you using a provider like ProtonMail? Just curious
not GP either, but I did the same and migrated to Fastmail. The transition was extremely smooth, and at least for now gmail allows you to set up integration (either forwarding rule or remote retrieval through IMAP) to forward you old e-mail to fastmail. I have it set up to auto tag all incoming gmail mail and move it into a folder that I check occasionally to see if anything interesting came through.
One amazing advantage to using fastmail (or really any real e-mail provider) is that it is trivial to set it up to use your own domain for e-mail, and to do catchall addresses for your domain. I use this feature heavily, using the general strategy of giving every service a different e-mail address. In this way I can sort by incoming to field, and block out anyone who sends spam using rules acting on the to field. This does an amazing job of sorting out things like mailing lists that keep re-adding you or that are worth monitoring but aren't worthy of showing up in my inbox.
>> Are you self hosting your email now, or are you using a provider like ProtonMail?
I switched to FastMail, and and added an MX record for the domain I already had to alias the mail adres to that domain. So now I could easily switch to some other e-mail provider at any time in the future. But I’ve been totally happy with FastMail so far.
I did consider self-hosting but decided it’s just too much of a hassle to get decent spam filtering and security set up.
My 2 cents. Use your own domain. It’s really cheap and now you own your email address and can move it to another provider whenever you like.
Setting it up in Fastmail is super easy if your halfway computer literate. It literally says what DNS records you need to creat.
Importing your Gmail emails is even easier: log into Gmail from within the Fastmail options. Grant access. Now it’ll import all your mail in the background.
> Yeah, I removed Chrome precisely because it kept re-adding its crap to the login sequence.
This, and forced auto-updates were exactly what finally led me to entirely removing Chrome from all my systems.
> (I would have to update hundreds of accounts).
I actually have been doing this for the past couple months. It wasn't too bad, just time consuming. I took the opportunity to request account closures for every account that I don't expect to use in the future.
> Yeah, I removed Chrome precisely because it kept re-adding its crap to the login sequence. It really drove home the notion that Google will not respect any boundary or privacy - your machine is their machine, your data is their data, and screw you if you don't agree.
Exactly this. Chrome was never my main browser, but though it's useful for testing web dev I just nuked it from the system once I realised it kept trying to find new ways around my deactivation and / or removal of keystone. That was several years back.
iCloud mail + the default Apple Mail app has worked fine enough for me for a decade.
What does Gmail offer that you can't get on other services? (honest question)
Gmail's mandatory phone number requirement upon registration and inability to get unique aliases (iCloud allows 3, so you can have 4 addresses per account at a time, and without the "baseaddress+" prefix which self-defeats the point of an alias) turns me off right at the start.
> Gmail's mandatory phone number requirement upon registration
It's not always mandatory. I don't know what the heuristics are, but I've managed to create a couple new Google accounts (non-gmail, for dev purposes) during the past couple weeks without them being tied to a phone number.
This is the one thing I wish Apple would solve in a new version of macOS. There are so many ways to automatically start software, and I would love a more built-in way to manage what can start with the system. They have login items, but that's an incomplete list. I recently _gave up_ trying to remove Dropbox because its auto-updater kept coming back after removing seemingly all possible places where it was stored.
Apple is willing to inundate users with permission prompts for microphone, location, and disk access. Why not the ability to start with the system?
It looks like Dropbox still tries [1] to abuse [2] Accessibility services in order to gain increased access to things on your computer that applications typically shouldn't need access to. Accessibility services are for helping blind people use your software, not for your software to run roughshod all over my system. Jeez!
This isn't entirely accurate. The hack that they used (writing creds directly into the TCC db instead of using the official dialog) was closed by Apple in High Sierra I believe (might've been Mojave? I can't remember atm). Regardless, now they use the official prompt. Of course, while Apple went to the trouble of SIP protecting the TCC db, they didn't actually fix the API for getting Ax permissions, and it's still a massive pain to get it even remotely right.
As for what they're using accessibility for, I believe the official primary use case is tighter integration with the Office suite (e.g. showing users if anyone else has the doc open). So nothing exactly malicious.
This isn't anything new. Keep in mind that Dropbox was offering sync status icons for years before Apple finally created an official API for doing so. IIRC that was using an even dirtier hack, involving monkey patching Finder at runtime. I'd definitely count that as a useful feature as well, and one that Apple had no interest in supporting until it became a user expectation.
I've got no affiliation with Dropbox, and I can definitely see the concern over the TCC hack. But once you try to do any meaningful integration with macOS, you do begin to sympathize. The official APIs are limited, flaky, and prone to deprecation at a moment's notice (see Quicklook plugins in Catalina for a fresh example). And Apple, despite making it impossible for third parties to innovate in their ecosystem, gets to paint themselves as saints.
Security is paramount, of course, but needlessly restricting how users and developers can use the OS will either lead to even dirtier hacks, or only Apple apps being allowed to do new, interesting things. And I don't particularly like either option.
At least on Windows, I could with confidence say that Sysinternals Autoruns + Process Hacker would get you 99.9% of the way. I too went from Windows to macOS, and I tried countless tools (Lingon X, CleanMyMac, App Cleaner, App Cleaner & Uninstaller Pro, etc.) to no avail in my quest to kill Dropbox.
At least with Dropbox, they needed that access to modify menus and make changes to benefit the user. And they also made it clear that this is what they needed it for.
When Google does it, they are just elbowing their way into your computer.
I really wish there was a way I could revoke an App's ability to request access.
Back then it turned out the password dialog wasn't fake but was the standard OS dialog apps can request sudo access with. The text in the dialog is app-customizable.
I remember a few months ago when Google Cloud was offline and people made a room on Zoom to discuss it. Just clicking on a link opened the Zoom app, because it had installed a daemon behind my back. Considering it's an app with microphone access, I was VERY concerned when it happened.
I might be saying that to the wrong audience, but I think Apple is being overly cautious not to bother developers and power users at the expense of security on the desktop. Not as if other OSs are better – just this week my flash drive came back with a Windows virus after I sent it to a print shop –, but still.
In this specific case it shouldn't be possible to run without SIP outside of safe mode IMO, but it's still possible because some people need to run unsigned kexts and other hacks.
It's the same thing with the sandbox. I've seen a lot of developers making excuses not to publish on the App Store because they need things like unlimited access to home directory for whatever reason and the sandbox restricts them. Last excuse I saw was "we need to scan for subtitles". Yeah, right.
> Last excuse I saw was "we need to scan for subtitles". Yeah, right.
Yeah, that's not even a valid excuse! Once a user manually selects a file, the macOS sandbox also gives an app access to any "associated" files like subtitles, automatically:
That was discovered a short time after I noticed the rogue daemon myself!
Let me try to explain better: There was a thread here in HN about a Google Cloud outage and someone posted a link to a Zoom conference. I noticed that their app was still installed after clicking the given link. This happened to other people too:
In a limited way, Windows is better about this sort of thing. System integrity checks (checksums of critical files) can't be disabled, only defeated. All drivers must be signed or you have to enable test signing mode, which requires a reboot and puts annoying text permanently in the corner of the screen.
...but you can still delete whatever you want out of System32 (though it may grow back), and you can add your own things, and dll hijacking is an issue etc. Just when it comes to kernel code are the protections better.
I vaguely remember Microsoft pissing off a lot of device makers and users with Vista because it started requiring signed drivers.
I might be remembering it wrong, but I thought it was definitely a good thing and definitely a step forward.
I wish that would happen more often. With so many things moving to the web there's not that many excuses left to sacrifice security and stability for backwards compatibility.
Well, I'd expect the "Malware Removal Tool" to remove malware/backdoors in the first place.
But my point is that Zoom shouldn't even have been able to install that server on my system in the first place. It's my computer, so I should have been asked before. Same for Google Keystone Updater.
Dropbox is my next war on this front. The difference with Dropbox is it pretty much has to be running all the time to be useful, which means it has much more power than Chrome to be an unkillable auto-updater.
Considering that Dropbox appears to be a CIA tool to enable snooping on people’s computers masquerading as a file sharing service, I would be surprised if there is anyway to completely safely remove it at all.
I'm not even quite sure why Google does it. Can't they just check and fetch updates while Chrome is open? What's it matter if Chrome is out of date if it isn't running? Are they trying to push off updates to the middle of the night or something? That doesn't really make sense, since people probably mostly leave their browser open anyways.
I had Chrome installed "just in case" (mainly for the dev tools for the rare occasion I do web dev) and I just uninstalled it and the updater. It's not worth the surface area...
Now to get around to nuke all this junk that Citrix Receiver installs. Ugh.
While that is true, I do not believe that is why they are doing it that way. There's nothing stopping them from giving some minimal feedback that an update happened. It would actually be better that they did.
It is also suspicious how set they are so against users using an older version of their browser. Security is not a good enough justification. It is actually easier to use an older Operating System than an older version of Chrome.
This is clearly just to protect the integrity of their platform.
What kind of zero-day does this protect against that wouldn't be blocked by an at-launch-time update check like most regular software uses? If anything, at-launch-time is better because Keystone's last update check might have been 2 hours before the 0day patch came out, but at-launch-time would check immediately and notice.
>but sadly Google Search and YouTube still don't have good enough alternatives yet.
I thought that, too, but then I held my breath and just switched to DuckDuckGo as my main search engine and... there's no difference, really. Maybe some niche cases where google spits out more specific results and handles exact quotes better. But for 99% of "type a word, get results" kind of uses, it works great. I did not expect that, maybe still burnt from when Google was so far ahead of the competition in search it wasn't even a question.
Youtube is a different story but I don't really miss anything not logging in, so there's that.
If duckduckgo doesn't do a good search you can always type
"g! <search>" and it will search using google. I usually search duckduckgo first and then fall back to Google. The thing that made me quit google was the "controversial twiddler"[1] and their delisting of non corporate health sites[2].
I've been using DDG for literal years now, and whenever (rarely) I use Google for a search, I'm completely befuddled by Google Search's user experience. There's stuff everywhere: vertical lists, horizontal lists, thumbnails, chevrons, cards, blocks, drop shadows. DDG is just no-nonsense: a list of web results, like Google was then. For that alone, it wins my heart. Though, privacy is the main reason I use DDG.
You should check out BlockBlock[1] by the cool dudes at Objective-See..
"Malware installs itself persistently, to ensure it's automatically re-executed at reboot. BlockBlock continually monitors common persistence locations and displays an alert whenever a persistent component is added to the OS."
In fairness, having a less-than-up-to-date web browser or OS is quite dangerous from a security perspective. I'm extremely glad that today's browsers patch themselves in the background.
Agreed with you 100% - I also hate the nonstandard window GUI interface elements (tabs in the title bar, fuck outta here!) and the really horrific preferences pane. Chrome is a dumpster fire.
Hey. Google Keystone tech lead here. We are aware of the issue, and we've stopped the release. We're building a replacement that fixes the problem. In the meantime, to fix affected machines:
@norberg or any other Google Chrome/Keystone engineers:
WHY can you not make Chrome update like every other sane, well-behaved app?
Update notification -> User confirmation (or an OPTION for auto-updating) -> Download status.
Why do you insist on installing things into our startup sequence without our permission? If your intent is to "protect" users, increase the nagging. I'd be fine with Chrome refusing to load any website until Chrome is updated to the latest version.
Even Apple, who is notorious for making users' decisions for them, lets us choose when to update apps and operating systems.
Obviously they could have a consensual and transparent updating mechanism. This was not some sort of oversight.
Google's software is a cascade of lies and deceptions.
Think about this: when you start to tamper with Keystone agent, it never says anything to you, it just silently reinstalls itself somewhere else like spyware.
It will keep asking over and over for root access, without explaining why. They make it seem like your installation is incomplete without root access, but that is a lie. It will function fine running out of ~/Library/ as /Library. But there is no way to make it stop asking.
Google Earth, Google Drive, or many other Google products will re-install Keystone agent.
If I try deleting it, then that means I probably want it gone. They should prompt me to repair it or leave it alone.
You would think that Google would want to show off their updater. Even just a growl notification that an update has occurred.
But it makes sense why they don't want users thinking about it. If they were more transparent, they would say:
We've installed this software that will monitor your filesystem and make irreversible changes whenever we feel like it. Sometimes we will break things, but most of the time we won't and if we do break something, we will fix it. It is possible to disable, but you will have to search for it, because you will never discover it yourself. Oh, we could just have a checkbox in Preferences, but we want to make you work for it. And all you are doing is requesting that we stop updating, but we'll still be running.
it's telling that you're still willing to put up with all of this despite what appears to be several really, really angry posts about it.
you have tons of complaints in this thread about google's "bad behavior" but you continue to put up with it to by patronizing the company and their tools, without even apparently asking the question, "do i really need chrome?" or whatever. have you asked yourself why you keep their software on your computer if it's such a headache?
i'm sure i'll get the typical "but there's nothing better!!" response and there may not be, but it's telling of you personally that you are willing to get so upset with all of this and then... keep on keeping on.
Are the issues I've brought up not worth being frustrated about? Do you think I'm a hypocrite for complaining about the thing that I use?
What would you suggest I do?
I use Chrome sometimes. Firefox is bad in its own way, often emulating the worst of Chrome. Like, at least the Keystone agent is unobtrusive and you don't even know it is there. Last time I checked, Firefox's Updater.app is just as disrespectful to the user, but it is horribly inefficient and clumsy.
> WHY can you not make Chrome update like every other sane, well-behaved app?
Because that's how you end up with software that isn't updated, running old insecure versions.
As a user, I like it when my apps automatically update without me having to worry about it. The frustrating part about the Mac App Store is how it still makes you worry about updating apps.
> The frustrating part about the Mac App Store is how it still makes you worry about updating apps.
Wait, what? The Mac App Store updates your apps automatically in background (I know bc sometimes it tells me it can’t update a particular app until I exit it)
> I know bc sometimes it tells me it can’t update a particular app until I exit it
that's the part I find annoying. Contrast to iOS which doesn't have this problem. Obviously the model on iOS is a lot different (more restrictive backgrounding, apps are build to handle shutdown at any time), but its still a minor frustration I have with MAS.
While Sparkle is nice to have a standard way of updating apps, it makes the user worry about updating apps because it pops up dialogs and prompts you to download and install. I would much prefer it just update things for me automatically. If at all necessary, the Chrome approach of "hey, Chrome's been updated. next time you open the app you'll get the new version".
You can do this with sparkle! Our app that uses sparkle runs silent automatic background updates. No prompt for install needed! We could pop a changelog after update, to let the user know there has been one, but most often we don't.
You see a download bar on app icons in the Dock and Finder while they are updating, then a badge (blue dot prefix before the name) on recently updated apps.
Rarely (i.e. on new user accounts) it may ask you for the iCloud account (if it was a purchased app, I think) or administrator password (after some major OS installations).
How is that frustrating and "making you worry" about updating?
It seems like you haven't used the Mac App Store or have changed the default to manual updates.
MAS will download updates automatically, but it whinges and demands you tend to it if the app is open. Contrast to App Store on iOS, or Chrome, which just does everything in the background.
Obviously the model here is different, but its still a minor frustration to me.
This honestly. I've considered getting my parents a Chromebook because they're not technically literate (by their choice) enough to manage a Windows install. Non-automated updates is part of how we got into supporting IE7 forever. If updates were optional, they'd be on the same version I originally installed for them. This non-technically literate demographic is much larger than any of the vocal minority on HackerNews.
Those of us who are fine with running slightly outdated software are probably safe from whatever minor vulnerabilities we might be exposing ourselves to. Regardless, the choice should always be left up to the user. It doesn't have to be one way or the other to make you and me both happy—there can be an "auto-update" setting and a "never check for updates" setting.
100% agree. I shouldn't have to go to war with Google to use their product on my update terms. It's my machine, not Google's. They can ask that I update but they cannot demand.
I’m sure most engineers on the team feel awful. They’re clearly trying, and maybe in a day or so we should figure out the nags ember breakdown. But for the time being, let’s let engineers do their job?
There is no legitimate reason for a user-space install to manipulate system directories. So for an install to do so, there must have been an conscious decision made and code written to make real.
Therefore, for this system manipulation to have both been introduced and released, "most engineers on the team" either raised no problems with it or did not consider the implications of this decision.
> But for the time being, let’s let engineers do their job?
They did their job, which resulted in the release of this system destabilizing product.
Perhaps the job they should have done was to consider their work product be one which did not assume complete control of the machine onto which it runs?
Ok, but with newer macOS releases, SIP is enabled. I'm assuming the Google developers working on this are doing their developer work on newer SIP enabled releases....
No. They bear some responsibility for their abusive updating mechanism. They did bad and they should feel bad.
Users have no choice but to take whatever updates they throw at us, and have no recourse but to sit around and wait for another update to be pushed.
There is no way to roll updates back, and disabling updates is obfuscated and hidden away behind an obscure terminal command that nobody would discover on their own.
Google invited themselves into the guts of our computer on the pretense of updating their browser, and then they made a mess.
If Google explicitly laid out what they were doing and asked permission, many users would not grant it, which is why they are so covert about it. It isn't that it is being unobtrusive, it is that it is hiding.
I swear, only Google can get away with this. Nobody was this defensive when Microsoft pushed Windows 10 on people.
2 days ago keystone and the updater was pumping 100% cpu
Killing it resulted in a relaunch and 100% cpu. There is no way to stop this except for unloading the launch agent, AND launchdaemon. Removing the application and killing the instance.
The os platform providers updates.. use that instead of crafting your own malware.
How would you like it if your car suddenly has a top speed of 15mph, and no power steering, because someone wanted to update the number of radio presets.
Huh. My wife uses Chrome (won't switch to Safari, even as she constantly complains about her battery life—go figure) and the last couple days she'd been saying that her battery life on her Macbook Air had suddenly dropped to like 25% of what it had been, leaving her seeking wall power every hour or so. Wonder if it was that.
Of course then it stopped booting at all yesterday so if it was that then it must have pushed the 4.5yr old battery over the edge and killed it. Or overheated something until it died. I don't think those fans have ever been cleaned.
Especially since the OS will prevent the attempt from succeeding on most Mac installations. Presumably it is a sloppy mistake, but one in an attempt to do … something … that is probably nefarious.
I suppose that's how it happened; some code to tamper with `/var` was accidentally (most likely - I doubt this was intentional/malicious) added into the update script. When this was tested and run through QA, everything looked OK because everyone is running Mac OS with SIP enabled
Makes me wonder if other software might be attempting to damage the system (totally by mistake) but SIP is preventing it, making it quite deadly to use said good software if you happen to turn off SIP for stuff like debugging
What's the bet Google disclaim any and all liability for this? eg the time taken to fix this, loss of income, etc.
Seems an awful lot of work related computers (eg Avid systems, and more) have been rendered inoperatable until someone manually boots and fixes each one.
Honestly, if you're going to go this far, why not switch to Firefox or another Chromium/Blink-based browser, like Brave?
It seems kind of counter productive to kill off the auto update system when you can just as easily switch to a browser that just doesn't do what Keystone does.
I stopped using firefox years ago when chrome got good, and was happy. I wasn't happy with chrome recently (especially memory and CPU usage), and tried switching back to firefox shortly after the quantum release. I've been happily using it since, and have found comparable or lower resource usage. It actually does fine for me, even with tons of tabs (or as fine as any web browser does).
Sure. I hear that, but there have been some specific MacOS issues that have lead to it performing worse on MacOS than on other platforms, and they seem to be getting addressed in the Nightly builds.
In general, I've found it to be much better than Chrome, but as always YMMV.
I've had the same feeling many times with both Firefox and Chrome in the past.
I think in the end that's something that you have to test out for yourself periodically, as it seems to be great differences of which is the best performer across OSs and devices. As a rule of thumb I try to do a short evaluation of each of them every ~5 releases.
It is much better (using v70 beta 8), but still has areas where performance lags behind Chrome. On a large board in https://miro.com/, for example, Firefox is laggy and jittery, whereas Chrome is buttery smooth.
We shall see. So far using some "tab discard" plugin is essential to reasonable performance. Somehow having many tabs/windows open slows down firefox a lot, event though they aren't wasting CPU (I have most javascript disabled).
I usually do chflags schg instead of chmod 000. I know it might seem like overkill, but Google is very sneaky, and I would not put it past Keystone to just change the permissions for itself.
Thank you! Because of Keystone, I have decided to treat Google Chrome as malware. I won't install it unless I really have to. One reason is that I have to test websites on Chrome. I can either run it on a virtual machine or disable the updater as you suggest.
I certainly understand the desire to rage kill google software update because they messed up, but people shouldn't actually do this because they'll be vulnerable to all future malware that targets chrome. And this varsectomany bug will never happen again.
This is not rage-killing. I've been doing this for several years because Keystone is a ridiculous resource hog and I fundamentally disagree with the notion that any software should be allowed to run (much less change the configuration of) my machine without my explicit permission. I'm willing to stay on top of the malware situation and update Chrome manually. I wish I didn't have to, but Google leaves me no other option.
Why does Keystone exist? Everyone else can do updates without having a launch agent, so why does Google insist on doing it this way? Given it deleted such a vital link, security looks to be compromised with this method.
Why did this happen in the first place? Why are you modifying system directories to the point where you can make an oopsie and brick entire machines? In what world is this okay?
You're missing the word "sorry" from your response.
My wife's a primary school headteacher (or K-12 as you say in the States). Her MacBook was disabled by this. Yes, she takes weekly backups, but schools don't have free money to spend on spare laptops for a few days' work, nor on unnecessary technician time to fix it. Fortunately I spotted this posting (thanks, HN poster!) on blearily checking HN this morning and instantly recognised this was what's happening.
Have some decency for the people whose lives you've just affected and apologise to them.
I understand the frustration, but please don't attack someone like this when they come to HN to supply information. It creates a hostile environment and disincentivizes people who have inside knowledge about a situation from showing up here. That makes HN a strictly worse place. It also breaks the site guidelines, which ask us all to Be kind, regardless of how strong and justified one's feelings are.
Understood. Difficult to get the tone right when a poster is clearly posting as a corporate spokesperson (esp. a first-time poster as here), but I'll consider that next time... though I'm rather hoping not for an omg-my-mac-won't-boot next time!
A truth stated passionately doesn't become false. A falsehood stated calmly doesn't become true. This is at the heart of why appeals to emotion are almost always logical fallacies.
I don't think dang is saying that the commenter was making false claims or anything. Just that it's very unlikely an upset comment will cause an overhaul in the google auto-update system. But it is very likely an upset comment will scare developers away from commenting on future situations like these. It just affects the health of HN negatively while not affecting Google. There's probably a reason norberg chose to register and comment on HN and not somewhere else like Reddit.
Content is wrong or it isn't. Tone is a logical fallacy.
Your true statement that tone will often matter is an interesting discusson on society and education. That it is also relevent on a site otherwise dedicated to intelligent discourse was the nugget I was hoping people would think about.
I'm addressing Google corporately. I presume @norberg is posting on behalf of his employers given that he states his job title immediately.
One of the first places "I'd" look? It's not my Mac. I'm not sure how many primary headteachers read Hacker News or have a spouse who does. I'm guessing <1%.
When the world's biggest software company actually bricks people's Macs with a software update, then "sorry" is the least I expect, frankly. But if you want to dismiss this with "dickhead", you do you.
> I presume @norberg is posting on behalf of his employers given that he states his job title immediately.
I'm torn on that one. I want direct communication to be possible without running it though PR or people with PR training, to improve response times especially in such "busy" situation. This requires us on the receiving end to be somewhat lenient. But on the other hand, I also don't find something better elsewhere, including the more official announcement[0] linked to. Thus this style seems like company policy and certainly deserves criticism.
eh? this is a mac bug. any software could trigger it. just happens that keystone is maybe the only one to be so dumb as to modify a system dir. that doesn’t excuse the root cause which lies in mac os.
Reminds me of the Steam bug back in 2015 [1] where on Linux, if you tried to move where Steam stored downloaded games, it would wipe your hard drive by running "rm -rf "$STEAMROOT/"*" with $STEAMROOT being null.
Haha right, I feel like these should always be popularized as `set -eu` and `set -o pipefail` rather than making it look like you an `set pipefail`. I wonder if that chap has been uselessly printing options at the beginning of scripts for a while now.
Of course, Linux could do what Solaris did decades ago and define the directory order in which `rm -rf /` works to start with `pwd` - and thus fail immediately. That would fix that problem completely.
In the example above, the command would be `rm -rf /` without the variable present, and the shell would expand / to all the folders in /. So it's not a direct call to `rm -rf /`, you would need to handle the shell expansion of /* as well?
I've been wary of Gatekeeper and SIP as moving Macs towards an iOS-style walled garden, but this is a perfect case of SIP protecting the user from bad software.
On the contrary, I think that sort of protection just hides problems --- like this one. As a general rule, bugs with the highest impact are also the ones which are most likely to be fixed quickly. If you tested with SIP on, it'd try to remove /var but wouldn't succeed, and you'd think everything is OK when the application's logic is actually faulty.
I find that logic faulty. SIP is justified by these incidents. It is not the user’s job to isolate application faults. That is on the part of the app developer’s.
Yeah. Pre-SIP OSes were affected too, so they literally just did not test this on any non-SIP version of OS X... or if they did they didn't notice that it was nuking /var. Fresh mac VM wiped after every test run and no 'did we just destroy the OS' smoke test?
"If the kernel emits a message but no one is around to read it, did it warn?"
More seriously, SIP messages do show up in the system logs, which next to no one ever reads unless it's to find out that SIP is preventing something that the user really intended to occur.
There’s plenty of bad code that fails to check for errors so the OS may well have flagged something here and the program just didn’t know/care.
It seems even more likely that the result of unlink() would be ignored (right up there with ignoring printf()), not because it’s the right thing to do but because lazy programmers will assume that failures are incredibly unlikely or unimportant. For example, if the code is a cleanup phase that just wants to remove a list of files, what are the odds that the program dutifully checks that the files actually went away?
For example, if the code is a cleanup phase that just wants to remove a list of files, what are the odds that the program dutifully checks that the files actually went away?
Or, as the reason for the omission of such checks is more likely to be, what to do if something that shouldn't fail, fails? And if whatever you decide to do to handle the error itself also fails? Repeat ad infinitum. To even try to go down that rabbithole is simply a waste of effort and does nothing but introduce unnecessary complexity, to put it bluntly.
I'm happy with Gatekeeper and SIP so far. I don't believe Apple will ever totally wall off macOS like iOS. If I ever truly want to mess around with the OS I'll install Linux. My computing platforms present far more risk to me these days than they did years ago. I need the system integrity protected, I don't want untrusted code running on my Mac.
These aren't like the days back when I could self install Linux and expose it to the internet while I configured it.
Catalina requires all apps to be notorized, for the time being it is still possible to explicitly allow it on case by cases base, as root.
Which is a very good thing on my book.
Today it is Google's Keystone, tomorrow it is some scummy app downloaded by a grandpa thinking it was a link actually sent by one of his grandsons about their birthday party.
Have you tried going into System Preferences, Security, Advanced (I think it's "advanced", it's at the bottom right of the screen.) There you'll find a list of drivers, or something, that you can enable. I can't be more specific than that since my mac here is under IT control, and the feature is disabled.
Yep. I make some changes that SIP would catch, but I'm mostly comfortable with the boot into Recovery -> run a script -> boot back again. It's not kext stuff, though.
> Google, please tell me how to update Chrome without keystone.
That's easy, just regularly download a new Chrome. The difficulty is managing to stop keystone from reinstalling and re-enabling itself.
> This is baked into Apple's AppStore. It works very well. Use that.
I hate keystone with a passion, but TBF getting a modern browser into the appstore is not possible, even ignoring all the limitations the store puts upon its software, there's no way you can actually get a browser (as opposed to a shell UI around the platform webkit) in the appstore by its rules.
Keystone is Google's auto-updater program. It updates not only Chrome but also Earth and other Google programs. It's a notorious resource hog and it tries very hard not to let you ever turn it off. If you manage to uninstall it, it will try even harder to reinstall itself the next time you run a Google app.
Keystone is malware made by Google. The incident this week was the first time it contained an actual destructive payload, but it's been malware for years.
Super short version: Keystone appears to be the Google auto updater service. It has a bug that causes it to unlink /var, and since that's sort of an important piece of the OS, its absence breaks stuff.
There are a few legitimate reasons to disable SIP, but too often I see people turning it entirely off, rather than just disabling the parts that are in the way:
If you want to load some untrusted kernel extension, the first one will let you do so, but still keep all the other SIP protections on. If you want to use DTrace, use the corresponding flag. Etc. You can mix and match flags.
In the case of Chrome it's because some of the sandboxing can't be done by a regular user.
Same with both Linux and windows.
Bit of a design flaw with the OS - in all cases a process should be allowed to restrict itself to have fewer permissions and access to fewer API's without being root, but sadly that isn't universally the case.
> In the case of Chrome it's because some of the sandboxing can't be done by a regular user.
> Same with both Linux and windows.
This isn't true anymore on Linux. Chrome switched to using an unprivileged user namespace sandbox instead of the old SUID sandbox is Chrome 43 in 2015. It depends on a Linux 3.8+ kernel for the user namespaces support.
Could you clarify how this is the case on Windows? I thought Google Chrome installs and runs just fine without admin privileges. I'm not aware of any security downsides for doing so.
That's just because it wants to install machine-wide if possible. You can just tell it to continue without admin permissions and it tells you explicitly that it can be installed without that.
Note that Windows doesn't work like Linux with setuid bits and whatnot. The permissions a file is installed with don't dictate what permissions the program that executes it has. That's entirely a function of the program's security context. Hence, for a machine-wide installation to actually make a difference security-wise, Google would actually have to install e.g. a high-privilege service that would run when you try to start Chrome. I don't think it does such a thing.
So I think Windows is already designed correctly in this regard and hence I don't think this is an issue on Windows as claimed.
That doesn't seem right, unless you mean some specific version of sandboxing? Changing selinux/apparmor hats, setting up seccomp, creating namespaces, and others can be done just fine by regular users. They're all sandboxes.
On windows and linux most installers are intended for system-wide instead of per-user installation. You can get most of the sandboxing functionality without admin/root.
> > why is it running any time Chrome isn't?
> It runs updates in the background, so it needs to run when Chrome doesn't.
Gnah
> > why is a browser installing a root service?
> ¯\_(ツ)_/¯
Ok so it needs to replace the bundle - I feel Apple should add support for replacing binary A with binary B if A and B has the same signing key, although obviously there are a bunch of fun issues involved, I think that case shouldn't necessitate an update service running as root :-/
> > why is a piece of software changing root level symlinks in the first place? Clearly it doesn't need to because SIP prevents that nonsense
> Probably a bug.
Wah wah
> > Finally: is this enough to explain why SIP/rootless is a good feature?
> Well, a number of people decided that SIP was hindering them enough to turn it off, so I'm not sure…
The general problem is that it's still easier for developers to say "disable SIP by doing ..." without saying "we haven't written our [drivers/application/whatever] properly", rather than just writing the software properly. Which you know is possible because even in kernel driver land you hardly ever see driver's claiming that it's necessary.
e.g. its necessary from an end-user PoV but only because companies don't want to pay devs to put effort into working with SIP enabled when there's a much cheaper "tell the user to disable security" option available.
It took me hours to figure out that the failed boot was caused by the `/var` symlink being removed. I was literally a minute away from reinstalling the OS when I saw a post from 2014 that had a passing reference to the `/var` symlink.
Then I went through and disabled every conceivable startup program, and even created a bash script to fix `/var` when it randomly disappeared. I didn't even consider that it could be Chrome causing it.
I have no idea. After I fixed the issue, I even tried disabling SIP, then enabling it again. It's still randomly removing the symlink. (well, as of last night around 10pm. I haven't opened the computer since then)
That computer has been through a lot, though. So it's totally possible that I did something stupid to permafuck SIP.
To sum up most of the comments here: Google is the new Microsoft. Fascinating, how a company can go from "we will not do evil" to "fuck you all" in just 5 years.
Agreed. That's around the time I started using some weird setup where my google searches would go through Tor and I was blocking their cookies. It was overboard, probably unnecessary and probably didn't accomplish much, but it was the result of getting a creepy vibe from google. Once I discovered DDG, I switched and never looked back. It took a little while to get used to it, but the results are good enough that I keep using it. I run maybe a few google searches a year if I can't find what I need on DDG and I usually don't find it there either. I don't think google is significantly better, although it is noticeably faster. There's nothing about it that's appealing enough that I want to accept the bad things that also come with it.
I have SIP disabled and Chrome installed…will my /var be broken by sometime tomorrow when Keystone runs? Can I just disable the launch agent to fix this?
should fix it. That deletes Keystone and fixes the symlink. If it has been rebooted, these commands at a recovery console should repair the computer.
Chrome will subsequently ask for admin credentials to reinstall the updater next time you run it. This will not re-break the computer; the version of Keystone bundled with Chrome is older, and we have stopped serving the version affected by this issue.
The reason the AVID community popped it first seems to come down to the fact that this is their busy season, so a lot of their machines were active last night as this Keystone update was rolling out, editors for whatever reason (technical issues or superstition) reboot their workstations fairly often, and, crucially, a lot of editing workstations are using third-party GPUs that require them to disable SIP (whether this is particular to AVID or just an intrinsic property of using the Mac Pros with third-party GPUs, I don't know).
Some people wanted to use video cards with unsigned drivers. The hardware Mfr said “disable this malware blocking security feature in order to use our hardware”. As it happens most people with exotic video cards are avid users.
They disabled the malware protection and got killed by the malware.
On other platforms, those cards aren't "Exotic" (I run Premiere Pro on Windows 10 with a pair of 2080Ti cards for rendering. Premiere and After Effcts _fly_!
One problem is that Apple abandoned the Pro market, but some users are very loyal.
They're exotic in that their manufacturers can't be bothered signing their drivers. But at least there are drivers.
They're also exotic in the sense that only a very small proportion of the overall user base cares/requires them.
There are supported video cards / TB3 video systems that are natively supported but at the moment they are possibly even more exotic in the sense of shipping in low volume (per your second point). I really don't like "apple abandoned the XXX market, which I am in and wish they had just the right product for ME" statements but in this case, I think your comment is unfortunately correct.
Things like these (including secretly signing you into Search when you sign into YouTube† or refusing to support PiP on iPadOS/macOS) just solidify Google's image in my mind as a forever scummy, intrusive company that I wish I could leave behind like I did Microsoft, but sadly Google Search and YouTube still don't have good enough alternatives yet.
* (startup items usually reside in the LaunchAgents/ and LaunchDaemons/ folders in your user ~/Library/, the root /Library/ and /System/Library/)
† (you can fix this by deleting all Google cookies after signing into YouTube, on any OS)