Month: June 2015

Re: [trinity-users] Fwd: [cryptography] chromium: unconditionally downloads binary blob

From: "Timothy Pearson" <kb9vqf@...>
Date: Wed, 17 Jun 2015 13:27:28 -0500

> On Wednesday 17 June 2015 08:57:49 Dr. Nikolaus Klepp wrote:
>> Just seen on the crypto mailing list, for all those chromium users ...
>> Nik
>> ----------  Forwarded Message  ----------
>> Subject: [cryptography] chromium: unconditionally downloads binary blob
>> Date: Wednesday, 17 June 2015, 14:12:17
>> From: Alexander Klimov <alserkli@...>
>> To: cryptography@...
>> After upgrading chromium to 43, I noticed that when it is running and
>> immediately after the machine is on-line it silently starts
>> downloading "Chrome Hotword Shared Module" extension, which contains a
>> binary without source code. There seems no opt-out config.
>> that extension:
>> - doesn't appear in the extension list;
>> - is apparently used to provide an “ok google” voice activation stuff.
>> The fact that Audio Capture Allowed is set to yes, and that both the
>> extension and the shared module are marked as “enabled” are definitely
>> bothering me.
> I didn't see that, didn't even look, but there's enough rumors floating
> around that I called up synaptic 2 days ago, and nuked it all with
> extreme prejudice.  I hope that got it all.
> What has been the experience of others in a successful removal of it and
> all its sneaky stuffs?
>> [...]
>> We believe that the bug you reported is fixed in the latest version of
>> chromium-browser, which is due to be installed in the Debian FTP
>> archive.
>> [...]
>> Shouldn't we see a DSA [Debian Security Advisory] following this
>> incident?
>> Since no one really knows which binaries have been downloaded there and
>> what they actually do, and since it cannot be excluded that it was
>> actually executed, such systems are basically to be considered
>> compromised.
>> Quite a deal of people choose open source just to prevent that - get
>> untrustworthy / unverifiable code run on their systems - failed.
>> --
>> Regards,
>> ASK
>> -------------------------------------------------------
> Cheers, Gene Heskett
> --
> "There are four boxes to be used in defense of liberty:
>  soap, ballot, jury, and ammo. Please use in that order."
> -Ed Howdershelt (Author)
> Genes Web page <>

Thank you for the heads up!  It's disconcerting that Debian did not issue
a security advisory on this one, though somewhat understandable.  Perhaps
we need both "security advisories" and "privacy advisories" these days?
