Just seen on the crypto mailing list, for all those chromium users ...
Nik
---------- Forwarded Message ----------
Subject: [cryptography] chromium: unconditionally downloads binary blob
Date: Wednesday, 17 June 2015, 14:12:17
From: Alexander Klimov alserkli@inbox.ru
To: cryptography@randombit.net
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909
After upgrading chromium to 43, I noticed that when it is running and immediately after the machine is on-line it silently starts downloading "Chrome Hotword Shared Module" extension, which contains a binary without source code. There seems no opt-out config.
That extension:
- doesn't appear in the extension list;
- is apparently used to provide “ok google” voice activation stuff.
The fact that Audio Capture Allowed is set to yes, and that both the extension and the shared module are marked as “enabled” are definitely bothering me.
[...]
We believe that the bug you reported is fixed in the latest version of chromium-browser, which is due to be installed in the Debian FTP archive.
[...]
Shouldn't we see a DSA [Debian Security Advisory] following this incident?
Since no one really knows which binaries have been downloaded there and what they actually do, and since it cannot be excluded that they were actually executed, such systems are basically to be considered compromised.
Quite a deal of people choose open source just to prevent that - get untrustworthy / unverifiable code run on their systems - failed.
On Wednesday 17 June 2015 08:57:49 Dr. Nikolaus Klepp wrote:
Just seen on the crypto mailing list, for all those chromium users ...
Nik
---------- Forwarded Message ----------
Subject: [cryptography] chromium: unconditionally downloads binary blob
Date: Wednesday, 17 June 2015, 14:12:17
From: Alexander Klimov alserkli@inbox.ru
To: cryptography@randombit.net
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909
After upgrading chromium to 43, I noticed that when it is running and immediately after the machine is on-line it silently starts downloading "Chrome Hotword Shared Module" extension, which contains a binary without source code. There seems no opt-out config.
That extension:
- doesn't appear in the extension list;
- is apparently used to provide “ok google” voice activation stuff.
The fact that Audio Capture Allowed is set to yes, and that both the extension and the shared module are marked as “enabled” are definitely bothering me.
I didn't see that, didn't even look, but there's enough rumors floating around that I called up synaptic 2 days ago, and nuked it all with extreme prejudice. I hope that got it all.
What has been the experience of others in a successful removal of it and all its sneaky stuffs?
[...]
We believe that the bug you reported is fixed in the latest version of chromium-browser, which is due to be installed in the Debian FTP archive.
[...]
Shouldn't we see a DSA [Debian Security Advisory] following this incident?
Since no one really knows which binaries have been downloaded there and what they actually do, and since it cannot be excluded that they were actually executed, such systems are basically to be considered compromised.
Quite a deal of people choose open source just to prevent that - get untrustworthy / unverifiable code run on their systems - failed.
-- Regards, ASK
Cheers, Gene Heskett
"There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author)
Gene's Web page http://geneslinuxbox.net:6309/gene
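Gene asks how others verified that the hotword module was really gone. The script below is an added example written for this thread, not code from Chromium, Debian or anyone on the list. It audits a Chromium profile's Preferences file for extensions that are hidden from the extensions page (shared modules, declared with a manifest "export" key) or that declare Native Client binaries (manifest "platforms" entries with "nacl_arch"), records a SHA-256 of any .nexe/.pexe files found under the extension directory so an administrator has a record of what was fetched, and writes a managed policy that turns AudioCaptureAllowed off. The Preferences layout and the policy directory (/etc/chromium/policies/managed/ for Debian's chromium package) follow my understanding of Chromium, not anything stated on the page; the Preferences sample and the extension ids are constructed placeholders, and on a real Debian system the file to audit would typically be ~/.config/chromium/Default/Preferences.

```python
"""Audit a Chromium Preferences file for hidden or native-code extensions,
hash any native binaries for the record, and emit a managed policy that
disables audio capture.  Added example; the Preferences field names follow
my reading of Chromium's profile format and are assumptions, not page facts."""
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample of a Chromium "Preferences" JSON document.  Only the keys
# the audit consults are populated; the 32-character ids are placeholders.
SAMPLE_PREFERENCES = {
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "state": 1,  # 1 = enabled (assumed encoding)
                "manifest": {
                    "name": "Example Shared Module (placeholder)",
                    "version": "1.0",
                    # A shared module exports resources to other extensions
                    # and is not shown on the extensions page.
                    "export": {"whitelist": ["bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"]},
                    # Native Client binaries are declared per platform.
                    "platforms": [{"nacl_arch": "x86-64",
                                   "sub_package_path": "_platform_specific/x86-64/"}],
                },
            },
            "cccccccccccccccccccccccccccccccc": {
                "state": 1,
                "manifest": {"name": "Ordinary extension (placeholder)",
                             "version": "2.3"},
            },
        }
    }
}


def audit_extensions(prefs: dict) -> list[dict]:
    """Return one record per extension that is hidden, ships native code, or both."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        hidden = "export" in manifest
        native = any("nacl_arch" in p for p in manifest.get("platforms", []))
        if hidden or native:
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "?"),
                "version": manifest.get("version", "?"),
                "enabled": entry.get("state") == 1,
                "hidden_shared_module": hidden,
                "native_binary": native,
            })
    return findings


def hash_native_binaries(ext_dir: Path) -> dict[str, str]:
    """SHA-256 every .nexe/.pexe under an extension directory, keyed by relative path."""
    digests = {}
    for path in sorted(ext_dir.rglob("*")):
        if path.is_file() and path.suffix in (".nexe", ".pexe"):
            digests[path.relative_to(ext_dir).as_posix()] = hashlib.sha256(
                path.read_bytes()).hexdigest()
    return digests


def write_audio_capture_policy(policy_dir: Path) -> Path:
    """Write a managed policy file setting AudioCaptureAllowed to false.
    Debian's chromium reads such files from /etc/chromium/policies/managed/."""
    policy_dir.mkdir(parents=True, exist_ok=True)
    target = policy_dir / "disable-audio-capture.json"
    target.write_text(json.dumps({"AudioCaptureAllowed": False}, indent=2) + "\n")
    return target


def demo() -> tuple[list[dict], dict[str, str], dict]:
    """Run the whole audit against the constructed sample in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        ext_dir = Path(tmp) / "Extensions" / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "1.0"
        nacl_dir = ext_dir / "_platform_specific" / "x86-64"
        nacl_dir.mkdir(parents=True)
        # Constructed stand-in for a native module; the real blob is not on the page.
        (nacl_dir / "module.nexe").write_bytes(b"placeholder\n")
        findings = audit_extensions(SAMPLE_PREFERENCES)
        digests = hash_native_binaries(ext_dir)
        policy_file = write_audio_capture_policy(Path(tmp) / "policies" / "managed")
        policy = json.loads(policy_file.read_text())
    return findings, digests, policy


if __name__ == "__main__":
    found, hashes, pol = demo()
    for f in found:
        print(f"{f['id']}  {f['name']} {f['version']}  enabled={f['enabled']}  "
              f"hidden={f['hidden_shared_module']}  native={f['native_binary']}")
    for rel, digest in hashes.items():
        print(f"  sha256 {digest}  {rel}")
    print("policy written:", pol)
```

Against a real profile, replace SAMPLE_PREFERENCES with json.load() of the Preferences file and point hash_native_binaries at each flagged extension's directory; the digests are what you would want in a ticket or advisory, since, as the forwarded report notes, nobody on the list could say what the downloaded binary actually does. The policy file is the defensive half: with AudioCaptureAllowed false, a module that is re-fetched by a later update still cannot reach the microphone.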
Thank you for the heads up! It's disconcerting that Debian did not issue a security advisory on this one, though somewhat understandable. Perhaps we need both "security advisories" and "privacy advisories" these days?
Tim
On Wed, Jun 17, 2015 at 2:27 PM, Timothy Pearson kb9vqf@pearsoncomputing.net wrote:
Perhaps we need both "security advisories" and "privacy advisories" these days?
Agreed. I would go so far as to say that a violation of privacy _is_ a violation of security.
Having a package go out and grab something without my permission, or knowledge, is a security hole.
Curt-
On Wed, 17 Jun 2015, Curt Howland wrote:
On Wed, Jun 17, 2015 at 2:27 PM, Timothy Pearson wrote:
Perhaps we need both "security advisories" and "privacy advisories" these days?
Agreed. I would go so far as to say that a violation of privacy _is_ a violation of security.
Having a package go out and grab something without my permission, or knowledge, is a security hole.
Found in many .sig's on Usenet:
Don't be evil - Google 2004
We have a new policy - Google 2012
Jonesy
On Wednesday 17 June 2015 19:38:31 Curt Howland wrote:
On Wed, Jun 17, 2015 at 2:27 PM, Timothy Pearson kb9vqf@pearsoncomputing.net wrote:
Perhaps we need both "security advisories" and "privacy advisories" these days?
Agreed. I would go so far as to say that a violation of privacy _is_ a violation of security.
Having a package go out and grab something without my permission, or knowledge, is a security hole.
Curt-
+1
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA224
On Wed, Jun 17, 2015 at 2:27 PM, Timothy Pearson kb9vqf@pearsoncomputing.net wrote:
Perhaps we need both "security advisories" and "privacy advisories" these days?
Agreed. I would go so far as to say that a violation of privacy _is_ a violation of security.
Having a package go out and grab something without my permission, or knowledge, is a security hole.
Curt-
I agree in principle; however, the current use of the phrase "security advisory" tends to imply that some kind of advanced persistent threat could be installed on the user's machine. From what I understand this is not possible in this case due to NaCl's sandboxing; however, it becomes a security risk if any sensitive information is made available to the sandbox (e.g. privileged human-to-human voice conversations near the computer's microphone).
Yes, I'm nitpicking. :-)
Tim
On Wednesday 17 June 2015 16:12:24 Timothy Pearson wrote:
On Wed, Jun 17, 2015 at 2:27 PM, Timothy Pearson kb9vqf@pearsoncomputing.net wrote:
Perhaps we need both "security advisories" and "privacy advisories" these days?
Agreed. I would go so far as to say that a violation of privacy _is_ a violation of security.
Having a package go out and grab something without my permission, or knowledge, is a security hole.
Curt-
I agree in principle; however, the current use of the phrase "security advisory" tends to imply that some kind of advanced persistent threat could be installed on the user's machine. From what I understand this is not possible in this case due to NaCl's sandboxing; however, it becomes a security risk if any sensitive information is made available to the sandbox (e.g. privileged human-to-human voice conversations near the computer's microphone).
Yes, I'm nitpicking. :-)
Tim
No you are not, Tim, it's a real security hole, and one of the reasons I have not had a microphone plugged into any of my machines in several years. If I should buy a new machine, notebook, lappy, whatever, that had a mic in it, the wire will be cut as soon as I can locate it. And I am a C.E.T....
Cheers, Gene Heskett
On Wednesday 17 June 2015 04:57:49 am Dr. Nikolaus Klepp wrote:
Just seen on the crypto mailing list, for all those chromium users ...
Nik
---------- Forwarded Message ----------
Subject: [cryptography] chromium: unconditionally downloads binary blob
Date: Wednesday, 17 June 2015, 14:12:17
From: Alexander Klimov alserkli@inbox.ru
To: cryptography@randombit.net
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909
After upgrading chromium to 43, I noticed that when it is running and immediately after the machine is on-line it silently starts downloading "Chrome Hotword Shared Module" extension, which contains a binary without source code. There seems no opt-out config.
That extension:
- doesn't appear in the extension list;
- is apparently used to provide “ok google” voice activation stuff.
The fact that Audio Capture Allowed is set to yes, and that both the extension and the shared module are marked as “enabled” are definitely bothering me.
[...]
We believe that the bug you reported is fixed in the latest version of chromium-browser, which is due to be installed in the Debian FTP archive.
[...]
Shouldn't we see a DSA [Debian Security Advisory] following this incident?
Since no one really knows which binaries have been downloaded there and what they actually do, and since it cannot be excluded that they were actually executed, such systems are basically to be considered compromised.
Quite a deal of people choose open source just to prevent that - get untrustworthy / unverifiable code run on their systems - failed.
-- Regards, ASK
I use Google stuff as little as possible on my PCs. Not to veer too far OT, my new Android phone gives default permissions to Google for ...everything ...too freaky for words.