
One of the many advantages of running your own command-line-based Linux server is that you can easily set up web space for both you and your students. I like to take advantage of this to really bring home a point about phishing attacks and being ever vigilant. The purpose of this exercise is to dramatically demonstrate for students how easy it is to clone a website, and it has been used for sixth grade through college levels.
I start by logging into my Linux server with ssh and executing the following commands:
cd /var/www/html
mkdir boa
cd boa
wget bankofamerica.com
Students are then asked to go to <my server domain>/boa and are immediately in awe of a perfect replica of the Bank of America website. My hope is to really bring home why students have to be ever so careful where they click by showing that it only took me a few seconds to create what I affectionately call “Bonk of America”. “Imagine what a dedicated bad actor could do with a mere 60 minutes?” I ask them.
Here is where things get interesting, though. After doing this exercise for years, I recently did what I always do and my entire domain was flagged by Google for containing malware because of suspected phishing. There is a quick and happy ending: I appealed and Google removed the flagging in under a few hours, but it brings up something that has increasingly concerned me.
More and more, we have these services which do business with the very explicit intent of never allowing the customer to interact with a human being. I realize this is the business model of the Facebooks and Googles of the world and I realize that this is one of the downsides of the free service model, which is truly anything but free.
This is bad enough with things like Facebook’s recent terrible UI update, but at least the recourse there is to simply switch to a new service. If Facebook continues to make bad choices, new services will appear. I know I am looking.
But this thing with Google has me more concerned. Google flagged my website for everyone on the Internet. I can’t just switch to a different “service” if I think Google has made a mistake. To the credit of Google, they quickly and correctly processed my appeal; however, they were under no obligation to do so. Market forces may, to some degree, encourage them to fix such things; however, the increasingly automated decision making of these companies makes me very concerned about the impossibility of reaching a human being, even if you are a paying customer (I do pay for some Google services), but especially if you are not a paying customer.
Which begets the question: If Google is the guard, who will guard the guards themselves?