trinity-users@lists.pearsoncomputing.net

Month: June 2015

Re: [trinity-users] Fwd: [cryptography] chromium: unconditionally downloads binary blob

From: Gene Heskett <gheskett@...>
Date: Wed, 17 Jun 2015 13:39:27 -0400
On Wednesday 17 June 2015 08:57:49 Dr. Nikolaus Klepp wrote:
> Just seen on the crypto mailing list, for all those chromium users ...
>
> Nik
>
> ----------  Forwarded Message  ----------
>
> Subject: [cryptography] chromium: unconditionally downloads binary blob
> Date: Wednesday, 17 June 2015, 14:12:17
> From: Alexander Klimov <alserkli@...>
> To: cryptography@...
>
> <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909>
>
> After upgrading chromium to 43, I noticed that when it is running and
> immediately after the machine is on-line it silently starts
> downloading "Chrome Hotword Shared Module" extension, which contains a
> binary without source code. There seems no opt-out config.
>
> that extension:
> - doesn't appear in the extension list;
> - is apparently used to provide an “ok google” voice activation stuff.
>
> The fact that Audio Capture Allowed is set to yes, and that both the
> extension and the shared module are marked as “enabled” are definitely
> bothering me.

I didn't see that, didn't even look, but there's enough rumors floating 
around that I called up synaptic 2 days ago, and nuked it all with 
extreme prejudice.  I hope that got it all.

What has been the experience of others in a successful removal of it and 
all its sneaky stuffs?

> [...]
>
> We believe that the bug you reported is fixed in the latest version of
> chromium-browser, which is due to be installed in the Debian FTP
> archive.
>
> [...]
>
> Shouldn't we see a DSA [Debian Security Advisory] following this
> incident?
>
> Since no one really knows which binaries have been downloaded there and
> what they actually do, and since it cannot be excluded that it was
> actually executed, such systems are basically to be considered
> compromised.
>
> Quite a deal of people choose open source just to prevent that - get
> untrustworthy / unverifiable code run on their systems - failed.
>
> --
> Regards,
> ASK
> -------------------------------------------------------

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>