trinity-users@lists.pearsoncomputing.net

Month: June 2015

Re: [trinity-users] Fwd: [cryptography] chromium: unconditionally downloads binary blob

From: "Timothy Pearson" <kb9vqf@...>
Date: Wed, 17 Jun 2015 13:27:28 -0500

> On Wednesday 17 June 2015 08:57:49 Dr. Nikolaus Klepp wrote:
>> Just seen on the crypto mailing list, for all those chromium users ...
>>
>> Nik
>>
>> ----------  Forwarded Message  ----------
>>
>> Subject: [cryptography] chromium: unconditionally downloads binary blob
>> Date: Wednesday, 17 June 2015, 14:12:17
>> From: Alexander Klimov <alserkli@...>
>> To: cryptography@...
>>
>> <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909>
>>
>> After upgrading chromium to 43, I noticed that when it is running and
>> immediately after the machine is on-line it silently starts
>> downloading "Chrome Hotword Shared Module" extension, which contains a
>> binary without source code. There seems no opt-out config.
>>
>> That extension:
>> - doesn't appear in the extension list;
>> - is apparently used to provide the “ok google” voice activation stuff.
>>
>> The fact that Audio Capture Allowed is set to yes, and that both the
>> extension and the shared module are marked as “enabled”, is definitely
>> bothering me.
>
> I didn't see that, didn't even look, but there's enough rumors floating
> around that I called up synaptic 2 days ago, and nuked it all with
> extreme prejudice.  I hope that got it all.
>
> What has been the experience of others in a successful removal of it and
> all its sneaky stuff?
>
>> [...]
>>
>> We believe that the bug you reported is fixed in the latest version of
>> chromium-browser, which is due to be installed in the Debian FTP
>> archive.
>>
>> [...]
>>
>> Shouldn't we see a DSA [Debian Security Advisory] following this
>> incident?
>>
>> Since no one really knows which binaries have been downloaded there and
>> what they actually do, and since it cannot be excluded that they were
>> actually executed, such systems are basically to be considered
>> compromised.
>>
>> Quite a few people choose open source just to prevent that (getting
>> untrustworthy / unverifiable code run on their systems). Failed.
>>
>> --
>> Regards,
>> ASK
>> -------------------------------------------------------
>
> Cheers, Gene Heskett
> --
> "There are four boxes to be used in defense of liberty:
>  soap, ballot, jury, and ammo. Please use in that order."
> -Ed Howdershelt (Author)
> Gene's Web page <http://geneslinuxbox.net:6309/gene>

Thank you for the heads up!  It's disconcerting that Debian did not issue
a security advisory on this one, though somewhat understandable.  Perhaps
we need both "security advisories" and "privacy advisories" these days?

Tim