Would you let users vouch for unknown software’s safety with an upvote? Google does

POLL Google has revealed that its internal anti-malware tools include a “social voting” scheme that lets staff vouch for code they want to install won’t do any damage.

The ad and search giant’s rationale is that blocking all unknown software works but may limit productivity, while blocking only known unsafe software requires a lot of vetting.

“The obvious difficulty is that the more freedom you want to allow over the software your workforce can install outside your pre-vetted software, the more unmanageable the policy becomes,” wrote Max Saltonstall, a developer advocate at Google Cloud.

Google’s answer is code called Upvote that it’s just posted to GitHub.

“Upvote consists of both a web-based frontend for user voting and a policy server that works with the Santa system for Mac OS and the Carbon Black Protection (formerly Bit9) system for Windows,” Saltonstall wrote.

Google reveals how its Borg clusters have evolved yet still only use about 60 percent of resources (Alibaba might do better)


“When a user (a Mac user, in this example) tries to run an unknown binary Santa—running in ’lockdown’ mode, allowing only allowed software to run—blocks the binary and Upvote allows the user to vote to allow it, surfacing a VirusTotal analysis so that they can make an informed decision.”

“If others also vote to allow it and the total number of votes reaches a certain threshold, the voters—and only these voters—can then run the software.”

“This threshold is the first of two thresholds—a ‘local’ one and a ‘global’ one—that Upvote enforces. Voting continues even after the local threshold has been reached and anyone else who wants to run the software will still need to vote to allow it before they can run it. The voting stops only when the higher global threshold is reached, and only then is the software allowed for all users. You set the levels for these thresholds.”

Even a single downvote, however, disables voting “until an admin reviews the binary and either unflags it or downvotes it further to deny it as malware.”

Admins can also approve software in advance, so that users can run it without voting.

Saltonstall admits that this approach is risky because users could be wrong in their assessment than code is not naughty.

But he thinks the threshold scheme limits the impact of mistaken assessments. “Any potential infection is restricted by default to the subset of computers whose users have voted,” he wrote. “The fleet as a whole is protected until the global threshold—which you’d naturally want to set as a very high bar—is reached.”

Google is still working on Upvote and Santa for its own use but has created GitHub repos of both. Upvote’s repo has not had much recent love. Santa’s seen action in February.

Over to you now, dear reader. What do you think of Google’s voting scheme? ®

JavaScript Disabled

Please Enable JavaScript to use this feature.