-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
On 21 June 2015 22:30:15 BST, hellekin <[email protected]> wrote: >Now that's nasty. Is Chromium in Parabola affected by this "bug" >(meaning: wiretapping device)? > >== >hk > > >-------- Forwarded Message -------- >Subject: Google has been stealth downloading audio listeners onto every >computer that runs Chrome >Date: Sun, 21 Jun 2015 13:06:19 -0700 >From: Seth <[email protected]> >To: [email protected] > >from >https://www.privateinternetaccess.com/blog/2015/06/google-chrome-listening-in-to-your-room-shows-the-importance-of-privacy-defense-in-depth/ > > >Posted on June 18, 2015 by Rick Falkvinge > >Google Chrome Listening In To Your Room Shows The Importance Of Privacy >Defense In Depth > >Yesterday, news broke that Google has been stealth downloading audio >listeners onto every computer that runs Chrome, and transmits audio >data >back to Google. Effectively, this means that Google had taken itself >the >right to listen to every conversation in every room that runs Chrome >somewhere, without any kind of consent from the people eavesdropped on. >In >official statements, Google shrugged off the practice with what amounts >to >“we can do that”. > >It looked like just another bug report. "When I start Chromium, it >downloads something." Followed by strange status information that >notably >included the lines "Microphone: Yes" and "Audio Capture Allowed: Yes". > >chrome-voicesearch > >Without consent, Google’s code had downloaded a black box of code that >– >according to itself – had turned on the microphone and was actively >listening to your room. > >A brief explanation of the Open-source / Free-software philosophy is >needed here. When you’re installing a version of GNU/Linux like Debian >or >Ubuntu onto a fresh computer, thousands of really smart people have >analyzed every line of human-readable source code before that operating >system was built into computer-executable binary code, to make it >common >and open knowledge what the machine actually does instead of trusting >corporate statements on what it’s supposed to be doing. Therefore, you >don’t install black boxes onto a Debian or Ubuntu system; you use >software >repositories that have gone through this source-code audit-then-build >process. Maintainers of operating systems like Debian and Ubuntu use >many >so-called “upstreams” of source code to build the final product. > >Chromium, the open-source version of Google Chrome, had abused its >position as trusted upstream to insert lines of source code that >bypassed >this audit-then-build process, and which downloaded and installed a >black >box of unverifiable executable code directly onto computers, >essentially >rendering them compromised. We don’t know and can’t know what this >black >box does. But we see reports that the microphone has been activated, >and >that Chromium considers audio capture permitted. > >This was supposedly to enable the “Ok, Google” behavior – that when you >say certain words, a search function is activated. Certainly a useful >feature. Certainly something that enables eavesdropping of every >conversation in the entire room, too. > >Obviously, your own computer isn’t the one to analyze the actual search >command. Google’s servers do. Which means that your computer had been >stealth configured to send what was being said in your room to somebody >else, to a private company in another country, without your consent or >knowledge, an audio transmission triggered by… an unknown and >unverifiable >set of conditions. > >Google had two responses to this. The first was to introduce a >practically-undocumented switch to opt out of this behavior, which is >not >a fix: the default install will still wiretap your room without your >consent, unless you opt out, and more importantly, know that you need >to >opt out, which is nowhere a reasonable requirement. But the second was >more of an official statement following technical discussions on Hacker >News and other places. That official statement amounted to three parts >(paraphrased, of course): > >1) Yes, we’re downloading and installing a wiretapping black-box to >your >computer. But we’re not actually activating it. We did take advantage >of >our position as trusted upstream to stealth-insert code into >open-source >software that installed this black box onto millions of computers, but >we >would never abuse the same trust in the same way to insert code that >activates the eavesdropping-blackbox we already downloaded and >installed >onto your computer without your consent or knowledge. You can look at >the >code as it looks right now to see that the code doesn’t do this right >now. > >2) Yes, Chromium is bypassing the entire source code auditing process >by >downloading a pre-built black box onto people’s computers. But that’s >not >something we care about, really. We’re concerned with building Google >Chrome, the product from Google. As part of that, we provide the source >code for others to package if they like. Anybody who uses our code for >their own purpose takes responsibility for it. When this happens in a >Debian installation, it is not Google Chrome’s behavior, this is Debian >Chromium’s behavior. It’s Debian’s responsibility entirely. > >3) Yes, we deliberately hid this listening module from the users, but >that’s because we consider this behavior to be part of the basic Google >Chrome experience. We don’t want to show all modules that we install >ourselves. > >If you think this is an excusable and responsible statement, raise your >hand now. > >Now, it should be noted that this was Chromium, the open-source version >of >Chrome. If somebody downloads the Google product Google Chrome, as in >the >prepackaged binary, you don’t even get a theoretical choice. You’re >already downloading a black box from a vendor. In Google Chrome, this >is >all included from the start. > >This episode highlights the need for hard, not soft, switches to all >devices – webcams, microphones – that can be used for surveillance. A >software on/off switch for a webcam is no longer enough, a hard shield >in >front of the lens is required. A software on/off switch for a >microphone >is no longer enough, a physical switch that breaks its electrical >connection is required. That’s how you defend against this in depth. > >Of course, people were quick to downplay the alarm. “It only listens >when >you say ‘Ok, Google’.” (Ok, so how does it know to start listening just >before I’m about to say ‘Ok, Google?’) “It’s no big deal.” (A company >stealth installs an audio listener that listens to every room in the >world >it can, and transmits audio data to the mothership when it encounters >an >unknown, possibly individually tailored, list of keywords – and it’s no >big deal!?) “You can opt out. It’s in the Terms of Service.” (No. Just >no. >This is not something that is the slightest amount of permissible just >because it’s hidden in legalese.) “It’s opt-in. It won’t really listen >unless you check that box.” (Perhaps. We don’t know, Google just >downloaded a black box onto my computer. And it may not be the same >black >box as was downloaded onto yours. ) > >Early last decade, privacy activists practically yelled and screamed >that >the NSA’s taps of various points of the Internet and telecom networks >had >the technical potential for enormous abuse against privacy. Everybody >else >dismissed those points as basically tinfoilhattery – until the Snowden >files came out, and it was revealed that precisely everybody involved >had >abused their technical capability for invasion of privacy as far as was >possible. > >Perhaps it would be wise to not repeat that exact mistake. Nobody, and >I >really mean nobody, is to be trusted with a technical capability to >listen >to every room in the world, with listening profiles customizable at the >identified-individual level, on the mere basis of “trust us”. > >Privacy remains your own responsibility. > >Rick Falkvinge >ABOUT RICK FALKVINGE >Rick is the founder of the first Pirate Party and is a political >evangelist, traveling around Europe and the world to talk and write >about >ideas of a sensible information policy. He has a tech entrepreneur >background and loves whisky. Read more of his articles on his website. > >Twitter |More Posts (91) > > > > >_______________________________________________ >Dev mailing list >[email protected] >https://lists.parabola.nu/mailman/listinfo/dev Of course: this is very funny. - -- Sent from my CyanogenMod device with K-9 Mail. -----BEGIN PGP SIGNATURE----- Version: APG v1.1.1 iQE7BAEBCgAlBQJVhzuDHhxKb3NlcGggR3JhaGFtIDxqb3NlcGhAdDY3LmV1PgAK CRD2o/UN/vt/KYyTB/9NpXGGQ5DEUtC4ZqzCGUMRQqGqfNNWYxrPm+srK7LBoDui AigkwQZKjKepbuUnjExPW870AytMvHQY8w9HrfaCmG98+dR4W3sXvHn39SqU6JI7 WR8kl26P7eeZCxWBJv/+1pHJY7+ORMZrq3XvY2cAJLOXu5lPvI+SZIib7JtJFl5p V0D0T8mWAkP1ob2qYyztPHPGQyzvd1NG7HuG7LO8HUGMLchoYXy0KSCRpCLhfJAP 8j9K4h7b/wBhWSf3X8sirBqfBd4aIh5Vyio6q4U9WXOrBLMYnUTiDizCDkux58IW SuXlKrOb6KbyGqJbPhBIiGBJK1dG5rT//LWnZLTy =fHW6 -----END PGP SIGNATURE----- _______________________________________________ Dev mailing list [email protected] https://lists.parabola.nu/mailman/listinfo/dev
