
It's not Google's job to police the Internet. I, and many others, have been subjected to Google's safe browsing malware flag without due cause. This is unacceptable and Google overstepping its position.

I am beginning to hope that someone takes Google to task and reins in their power over the Internet community. No company should have the ability to practically shut down websites at will.



When I worked at Google I got to hear a number of "My friend's site is being accused of hosting malware but I know these guys they don't do that!" and almost without exception, what had happened was that someone had compromised the web server, downloaded the images, re-compressed them with an image-based exploit (sometimes changing them from gif to jpg in the process) and put them back on the site. To Grandma and her friends the site hadn't changed in years, except that now it was doing a drive-by injection of malware.

I don't doubt for a minute that if someone figured out how to create a twitpic app that could inject malware into the images you shared, they would try really hard to get it on to your phone. How great a coup to have all eleventybillion followers check out your latest 'woah!' picture and spread the malware. It's a primo target.

I'm not defending Google here, I'm just saying that putting malware into images is a primary goal of any number of advanced persistent threat shops. Keep that in mind and make sure you keep an offline MD5 hash of every picture on your web site for validation.
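
The offline-hash check suggested in the comment above, as an added example that is not part of the original comment: it builds a digest manifest of a web root's images and later reports files that were modified, removed or newly added. The function names, the extension list and the sample files are assumptions made for illustration; the default digest is SHA-256, and passing `algo="md5"` gives the MD5 variant the comment mentions.

```python
import hashlib
import tempfile
from pathlib import Path

IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png"}  # assumed set of image types


def build_manifest(root, algo="sha256"):
    """Map each image path (relative to root) to the hex digest of its bytes."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.new(algo, p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in IMAGE_EXTS
    }


def verify(root, baseline, algo="sha256"):
    """Compare the live web root against a baseline manifest kept offline."""
    current = build_manifest(root, algo)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed sample: baseline a tiny web root, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "img").mkdir()
        (root / "logo.gif").write_bytes(b"GIF89a constructed original")
        (root / "img" / "cat.png").write_bytes(b"\x89PNG constructed original")
        baseline = build_manifest(root)  # in practice, store this off the server
        # An image rewritten in place: same name, different bytes.
        (root / "img" / "cat.png").write_bytes(b"\x89PNG constructed altered")
        # An image converted from gif to jpg, as the comment describes.
        (root / "logo.gif").unlink()
        (root / "logo.jpg").write_bytes(b"\xff\xd8\xff constructed altered")
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline only helps if it is stored somewhere the web server cannot write to; a manifest kept next to the images can be regenerated by whoever replaced them.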


If that's what's happening here, then the warning seems good for everyone... except that the wording is defamatory.

Rather than accusing Twitpic of being "a known distributor of malware", it might be better if the message said something like "The site appears to be infected with malware. This warning will remain in place until the malware has been removed."


The other big vector for tripping malware detection is 3rd party ad networks. When you have multiple parties outside your control that can inject arbitrary HTML and JavaScript into your page, all it takes is one bad advertiser.


There's a reason Mozilla and Apple also use this service, and all the major browsers include something like it. Malware, injected malicious code (susceptible to XSS and social engineering attacks), and drive-by downloads are a very real problem. You're going to have to suggest an alternative approach if you want to replace it.


I'd say by being the largest referrer on the internet and the developer of one of the most popular web browsers, Google certainly has an excellent case to "police" the internet. If you don't want Google's advice, don't use Google's kit.

As a HN user you're most likely able to take care of yourself, but the vast majority of people are better off heeding Google's advice.


Google's "advice" in this case is a statement issued to millions of users accusing a competitor of a crime.

If it turns out to be true, that's fine. If it's not true, don't you think Google should be held responsible for the damage to their competitor's reputation?


Twitpic isn't a Google competitor and was not being accused of a crime.


I don't see how you reach that conclusion.

Twitpic is part of the Twitter ecosystem and as such is certainly competitive with Google's social and photo sharing efforts (i.e. Google+ and Picasa).

Being a known distributor of malware (described by Google as: software which causes things like identity theft, financial loss, and permanent file deletion) is a crime.

So yes, they are a competitor, and yes they are being accused of a crime.


The warnings are just that, warnings. Any user is free to proceed to the site if they desire. Just like any user is free to NOT use a browser that uses Google's blacklist if they desire (Chrome, Safari, Firefox use it). Though FWIW Google's malware detection is extremely accurate, so it's generally best to simply avoid blacklisted sites until they have been cleaned up.


It's their job to provide a good service to their users. Warning about malware seems to fit that bill.


Speaking realistically, somebody will have the ability to practically shut down websites at will (or actually in this case alter optional access, as Google can't actually shut down TwitPic). Your only options are going to be private industry via Google (or equivalent) or your friendly homeland security officer (or equivalent).

One is an opt-in completely private non-coercive entity, the other uses a gun and has real power over you. Don't like Google, don't use their search or Chrome or Gmail et al., there are plenty of alternatives and your adoption of those would help spur further activity in the way of competition. Don't like homeland security? Tough luck, obey or go to jail.


I agree, because I was just upset when Microsoft started blocking some links in the Windows Live Messenger. However, in this case at least they still allow you the choice to visit the site, while Microsoft was simply blocking the links completely. And this is why I also disagree with the iOS and Metro not allowing for sideloading, too, while the Android/Mac OS X model is a much better compromise between security and liberty/flexibility.



