17 Jun
2015
17 Jun
'15
12:57 p.m.
Just seen on the crypto mailing list, for all those chromium users ...
Nik
---------- Forwarded Message ----------
Subject: [cryptography] chromium: unconditionally downloads binary blob
Date: Mittwoch, 17. Juni 2015, 14:12:17
From: Alexander Klimov <alserkli(a)inbox.ru>
An: cryptography(a)randombit.net
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909>
After upgrading chromium to 43, I noticed that when it is running and
immediately after the machine is on-line it silently starts
downloading "Chrome Hotword Shared Module" extension, which contains a
binary without source code. There seems no opt-out config.
that extension:
- doesn't appear in the extension list;
- is apparently used to provide an “ok google” voice activation stuff.
The fact that Audio Capture Allowed is set to yes, and that both the
extension and the shared module are marked as “enabled” are definitely
bothering me.
[...]
We believe that the bug you reported is fixed in the latest version of
chromium-browser, which is due to be installed in the Debian FTP
archive.
[...]
Shouldn't we see a DSA [Debian Security Advisory] following this
incident?
Since no one really know which binaries have been downloaded there and
what they actually do, and since it cannot be excluded that it was
actually executed, such systems are basically to be considered
compromised.
Quite a deal of people choose open source just to prevent that - get
untrustworthy / unverifiable code run on their systems - failed.
--
Regards,
ASK
-------------------------------------------------------
--
Please do not email me anything that you are not comfortable also sharing with the NSA.
17 Jun
17 Jun
5:39 p.m.
New subject: [trinity-users] Fwd: [cryptography] chromium: unconditionally downloads binary blob
On Wednesday 17 June 2015 08:57:49 Dr. Nikolaus Klepp wrote:
Just seen on the crypto mailing list, for all those
chromium users ...
Nik
---------- Forwarded Message ----------
Subject: [cryptography] chromium: unconditionally downloads binary
blob Date: Mittwoch, 17. Juni 2015, 14:12:17
From: Alexander Klimov <alserkli(a)inbox.ru>
An: cryptography(a)randombit.net
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909>
After upgrading chromium to 43, I noticed that when it is running and
immediately after the machine is on-line it silently starts
downloading "Chrome Hotword Shared Module" extension, which contains a
binary without source code. There seems no opt-out config.
that extension:
- doesn't appear in the extension list;
- is apparently used to provide an “ok google” voice activation stuff.
The fact that Audio Capture Allowed is set to yes, and that both the
extension and the shared module are marked as “enabled” are definitely
bothering me.
I didn't see that, didn't even look, but theres enough rumors floating
around that I called up synaptic 2 days ago, and nuked it all with
extreme prejudice. I hope that got it all.
What has been the experience of others in a successful removal of it and
all its sneaky stuffs?
[...]
We believe that the bug you reported is fixed in the latest version of
chromium-browser, which is due to be installed in the Debian FTP
archive.
[...]
Shouldn't we see a DSA [Debian Security Advisory] following this
incident?
Since no one really know which binaries have been downloaded there and
what they actually do, and since it cannot be excluded that it was
actually executed, such systems are basically to be considered
compromised.
Quite a deal of people choose open source just to prevent that - get
untrustworthy / unverifiable code run on their systems - failed.
--
Regards,
ASK
-------------------------------------------------------
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
6:27 p.m.
New subject: [trinity-users] Fwd: [cryptography] chromium: unconditionally downloads binary blob
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA224
On Wednesday 17 June 2015 08:57:49 Dr. Nikolaus Klepp
wrote:
Thank you for the heads up! It's disconcerting that Debian did not issue
a security advisory on this one, though somewhat understandable. Perhaps
we need both "security advisories" and "privacy advisories" these
days?
Tim
Just seen on the crypto mailing list, for all
those chromium users ...
Nik
---------- Forwarded Message ----------
Subject: [cryptography] chromium: unconditionally downloads binary
blob Date: Mittwoch, 17. Juni 2015, 14:12:17
From: Alexander Klimov <alserkli(a)inbox.ru>
An: cryptography(a)randombit.net
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909>
After upgrading chromium to 43, I noticed that when it is running and
immediately after the machine is on-line it silently starts
downloading "Chrome Hotword Shared Module" extension, which contains a
binary without source code. There seems no opt-out config.
that extension:
- doesn't appear in the extension list;
- is apparently used to provide an “ok google” voice activation stuff.
The fact that Audio Capture Allowed is set to yes, and that both the
extension and the shared module are marked as “enabled” are definitely
bothering me.
I didn't see that, didn't even look, but theres enough rumors floating
around that I called up synaptic 2 days ago, and nuked it all with
extreme prejudice. I hope that got it all.
What has been the experience of others in a successful removal of it and
all its sneaky stuffs?
[...]
We believe that the bug you reported is fixed in the latest version of
chromium-browser, which is due to be installed in the Debian FTP
archive.
[...]
Shouldn't we see a DSA [Debian Security Advisory] following this
incident?
Since no one really know which binaries have been downloaded there and
what they actually do, and since it cannot be excluded that it was
actually executed, such systems are basically to be considered
compromised.
Quite a deal of people choose open source just to prevent that - get
untrustworthy / unverifiable code run on their systems - failed.
--
Regards,
ASK
-------------------------------------------------------
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene> -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iFYEARELAAYFAlWBvBAACgkQLaxZSoRZrGH41gDgqA+o794zMUaLpwk5ettLu4rb
bDR+ziKJpKdsYADgwJYmkawDDQAK1rDEtPQ4ZUb5lHytASCkhDA4RA==
=DSUk
-----END PGP SIGNATURE-----
6:38 p.m.
New subject: [trinity-users] Fwd: [cryptography] chromium: unconditionally downloads binary blob
On Wed, Jun 17, 2015 at 2:27 PM, Timothy Pearson
<kb9vqf(a)pearsoncomputing.net> wrote:
Perhaps
we need both "security advisories" and "privacy advisories" these
days?
Agreed. I would go so far as to say that a violation of privacy _is_ a
violation of security.
Having a package go out and grab something without my permission, or
knowledge, is a security hole.
Curt-
--
The secret of happiness is freedom,
and the secret of freedom is courage.
- Thucydides
6:56 p.m.
New subject: [trinity-users] chromium: unconditionally downloads binary blob
On Wed, 17 Jun 2015, Curt Howland wrote:
On Wed, Jun 17, 2015 at 2:27 PM, Timothy Pearson
wrote:
Found in many .sig's on unsenet:
Don't be evil - Google 2004
We have a new policy - Google 2012
Jonesy
--
Marvin L Jones | Marvin | W3DHJ | linux+TDE
Pueblo, Colorado | @ | Jonesy | FreeBSD __
38.238N 104.547W | jonz.net | DM78rf | OS/2 SK
Perhaps we need both "security advisories" and "privacy advisories"
these days?
Agreed. I would go so far as to say that a violation of privacy _is_ a
violation of security.
Having a package go out and grab something without my permission, or
knowledge, is a security hole. 
7:53 p.m.
New subject: [trinity-users] Fwd: [cryptography] chromium: unconditionally downloads binary blob
On Wednesday 17 June 2015 19:38:31 Curt Howland wrote:
On Wed, Jun 17, 2015 at 2:27 PM, Timothy Pearson
<kb9vqf(a)pearsoncomputing.net> wrote:
+1
--
Best Regards:
Baron
Perhaps
we need both "security advisories" and "privacy advisories" these
days?
Agreed. I would go so far as to say that a violation of privacy
_is_ a violation of security.
Having a package go out and grab something without my permission,
or knowledge, is a security hole.
Curt-
8:12 p.m.
New subject: [trinity-users] Fwd: [cryptography] chromium: unconditionally downloads binary blob
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA224
On Wed, Jun 17, 2015 at 2:27 PM, Timothy Pearson
<kb9vqf(a)pearsoncomputing.net> wrote:
I agree in principle, however the current use of the phrase "security
advisory" tends to imply that some kind of advanced persistent threat
could be installed on the user's machine. From what I understand this is
not possible in this case due to NaCl's sandboxing, however it becomes a
security risk if any sensitive information is made available to the
sandbox (e.g. privileged human to human voice conversations near the
computer's microphone).
Yes, I'm nitpicking. :-)
Tim
Perhaps
we need both "security advisories" and "privacy advisories" these
days?
Agreed. I would go so far as to say that a violation of privacy _is_ a
violation of security.
Having a package go out and grab something without my permission, or
knowledge, is a security hole.
Curt- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iFYEARELAAYFAlWB1KgACgkQLaxZSoRZrGEhRQDdEclOJI27JEwWnrKVuog6Sr3Z
Hm9VtOWxAY+8PgDfbS24BHgCgtTIiiY1YrjRYQ0SGeEzoJkg3+Y4sw==
=XhXK
-----END PGP SIGNATURE-----
10:32 p.m.
New subject: [trinity-users] Fwd: [cryptography] chromium: unconditionally downloads binary blob
On Wednesday 17 June 2015 16:12:24 Timothy Pearson wrote:
No you are not Tim, its a real security hole, and one of the reasons I
have not had a microphone plugged into any of my machines in several
years. If I should buy a new machine, notebook lappy whatever, that had
a mic in it, the wire will be cut as soon as I can locate it. And I am
a C.E.T....
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
On Wed, Jun
17, 2015 at 2:27 PM, Timothy Pearson
<kb9vqf(a)pearsoncomputing.net> wrote:
I agree in principle, however the current use of the phrase "security
advisory" tends to imply that some kind of advanced persistent threat
could be installed on the user's machine. From what I understand this
is not possible in this case due to NaCl's sandboxing, however it
becomes a security risk if any sensitive information is made available
to the sandbox (e.g. privileged human to human voice conversations
near the computer's microphone).
Yes, I'm nitpicking. :-)
Tim Perhaps
we need both "security advisories" and "privacy advisories" these
days?
Agreed. I would go so far as to say that a violation of privacy _is_
a violation of security.
Having a package go out and grab something without my permission, or
knowledge, is a security hole.
Curt- 
8:34 p.m.
New subject: [trinity-users] Fwd: [cryptography] chromium: unconditionally downloads binary blob
On Wednesday 17 June 2015 04:57:49 am Dr. Nikolaus Klepp wrote:
Just seen on the crypto mailing list, for all those
chromium users ...
Nik
---------- Forwarded Message ----------
Subject: [cryptography] chromium: unconditionally downloads binary blob
Date: Mittwoch, 17. Juni 2015, 14:12:17
From: Alexander Klimov <alserkli(a)inbox.ru>
An: cryptography(a)randombit.net
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909>
After upgrading chromium to 43, I noticed that when it is running and
immediately after the machine is on-line it silently starts
downloading "Chrome Hotword Shared Module" extension, which contains a
binary without source code. There seems no opt-out config.
that extension:
- doesn't appear in the extension list;
- is apparently used to provide an “ok google” voice activation stuff.
The fact that Audio Capture Allowed is set to yes, and that both the
extension and the shared module are marked as “enabled” are definitely
bothering me.
[...]
We believe that the bug you reported is fixed in the latest version of
chromium-browser, which is due to be installed in the Debian FTP
archive.
[...]
Shouldn't we see a DSA [Debian Security Advisory] following this
incident?
Since no one really know which binaries have been downloaded there and
what they actually do, and since it cannot be excluded that it was
actually executed, such systems are basically to be considered
compromised.
Quite a deal of people choose open source just to prevent that - get
untrustworthy / unverifiable code run on their systems - failed.
--
Regards,
ASK
-------------------------------------------------------
I use Google stuff as little as possible on my pc's. Not to vear to far OT, my
new Andoid phone gives deault pernmissions to Google for ...everything ..to
freaky for words.
--
Greg M
3476
days inactive
3476
days old
8 comments
7 participants
participants (7)
-
Baron -
Curt Howland -
Dr. Nikolaus Klepp -
Gene Heskett -
Greg Madden -
Jonesy -
Timothy Pearson