trinity-users@lists.pearsoncomputing.net

Month: June 2015

Re: [trinity-users] Fwd: [cryptography] chromium: unconditionally downloads binary blob

From: Greg Madden <gomadtroll@...>
Date: Wed, 17 Jun 2015 12:34:04 -0800

On Wednesday 17 June 2015 04:57:49 am Dr. Nikolaus Klepp wrote:
> Just seen on the crypto mailing list, for all those chromium users ...
>
> Nik
>
> ----------  Forwarded Message  ----------
>
> Subject: [cryptography] chromium: unconditionally downloads binary blob
> Date: Wednesday, 17 June 2015, 14:12:17
> From: Alexander Klimov <alserkli@...>
> To: cryptography@...
>
> <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909>
>
> After upgrading chromium to 43, I noticed that when it is running and
> immediately after the machine is on-line it silently starts
> downloading "Chrome Hotword Shared Module" extension, which contains a
> binary without source code. There seems no opt-out config.
>
> that extension:
> - doesn't appear in the extension list;
> - is apparently used to provide an “ok google” voice activation stuff.
>
> The fact that Audio Capture Allowed is set to yes, and that both the
> extension and the shared module are marked as “enabled” are definitely
> bothering me.
>
> [...]
>
> We believe that the bug you reported is fixed in the latest version of
> chromium-browser, which is due to be installed in the Debian FTP
> archive.
>
> [...]
>
> Shouldn't we see a DSA [Debian Security Advisory] following this
> incident?
>
> Since no one really knows which binaries have been downloaded there and
> what they actually do, and since it cannot be excluded that it was
> actually executed, such systems are basically to be considered
> compromised.
>
> Quite a deal of people choose open source just to prevent that - get
> untrustworthy / unverifiable code run on their systems - failed.
>
> --
> Regards,
> ASK
> -------------------------------------------------------

I use Google stuff as little as possible on my PCs. Not to veer too far OT, my
new Android phone gives default permissions to Google for ...everything ..too
freaky for words.

-- 

Greg M