Skip to main content

Home/ Open Web/ Group items tagged Chromium

Rss Feed Group items tagged

Paul Merrell

Google Chrome Listening In To Your Room Shows The Importance Of Privacy Defense In Depth - 0 views

  • Yesterday, news broke that Google has been stealth downloading audio listeners onto every computer that runs Chrome, and transmits audio data back to Google. Effectively, this means that Google had taken itself the right to listen to every conversation in every room that runs Chrome somewhere, without any kind of consent from the people eavesdropped on. In official statements, Google shrugged off the practice with what amounts to “we can do that”.It looked like just another bug report. "When I start Chromium, it downloads something." Followed by strange status information that notably included the lines "Microphone: Yes" and "Audio Capture Allowed: Yes".
  • Without consent, Google’s code had downloaded a black box of code that – according to itself – had turned on the microphone and was actively listening to your room.A brief explanation of the Open-source / Free-software philosophy is needed here. When you’re installing a version of GNU/Linux like Debian or Ubuntu onto a fresh computer, thousands of really smart people have analyzed every line of human-readable source code before that operating system was built into computer-executable binary code, to make it common and open knowledge what the machine actually does instead of trusting corporate statements on what it’s supposed to be doing. Therefore, you don’t install black boxes onto a Debian or Ubuntu system; you use software repositories that have gone through this source-code audit-then-build process. Maintainers of operating systems like Debian and Ubuntu use many so-called “upstreams” of source code to build the final product.Chromium, the open-source version of Google Chrome, had abused its position as trusted upstream to insert lines of source code that bypassed this audit-then-build process, and which downloaded and installed a black box of unverifiable executable code directly onto computers, essentially rendering them compromised. We don’t know and can’t know what this black box does. But we see reports that the microphone has been activated, and that Chromium considers audio capture permitted.
  • This was supposedly to enable the “Ok, Google” behavior – that when you say certain words, a search function is activated. Certainly a useful feature. Certainly something that enables eavesdropping of every conversation in the entire room, too.Obviously, your own computer isn’t the one to analyze the actual search command. Google’s servers do. Which means that your computer had been stealth configured to send what was being said in your room to somebody else, to a private company in another country, without your consent or knowledge, an audio transmission triggered by… an unknown and unverifiable set of conditions.Google had two responses to this. The first was to introduce a practically-undocumented switch to opt out of this behavior, which is not a fix: the default install will still wiretap your room without your consent, unless you opt out, and more importantly, know that you need to opt out, which is nowhere a reasonable requirement. But the second was more of an official statement following technical discussions on Hacker News and other places. That official statement amounted to three parts (paraphrased, of course):
  • ...4 more annotations...
  • 1) Yes, we’re downloading and installing a wiretapping black-box to your computer. But we’re not actually activating it. We did take advantage of our position as trusted upstream to stealth-insert code into open-source software that installed this black box onto millions of computers, but we would never abuse the same trust in the same way to insert code that activates the eavesdropping-blackbox we already downloaded and installed onto your computer without your consent or knowledge. You can look at the code as it looks right now to see that the code doesn’t do this right now.2) Yes, Chromium is bypassing the entire source code auditing process by downloading a pre-built black box onto people’s computers. But that’s not something we care about, really. We’re concerned with building Google Chrome, the product from Google. As part of that, we provide the source code for others to package if they like. Anybody who uses our code for their own purpose takes responsibility for it. When this happens in a Debian installation, it is not Google Chrome’s behavior, this is Debian Chromium’s behavior. It’s Debian’s responsibility entirely.3) Yes, we deliberately hid this listening module from the users, but that’s because we consider this behavior to be part of the basic Google Chrome experience. We don’t want to show all modules that we install ourselves.
  • If you think this is an excusable and responsible statement, raise your hand now.Now, it should be noted that this was Chromium, the open-source version of Chrome. If somebody downloads the Google product Google Chrome, as in the prepackaged binary, you don’t even get a theoretical choice. You’re already downloading a black box from a vendor. In Google Chrome, this is all included from the start.This episode highlights the need for hard, not soft, switches to all devices – webcams, microphones – that can be used for surveillance. A software on/off switch for a webcam is no longer enough, a hard shield in front of the lens is required. A software on/off switch for a microphone is no longer enough, a physical switch that breaks its electrical connection is required. That’s how you defend against this in depth.
  • Of course, people were quick to downplay the alarm. “It only listens when you say ‘Ok, Google’.” (Ok, so how does it know to start listening just before I’m about to say ‘Ok, Google?’) “It’s no big deal.” (A company stealth installs an audio listener that listens to every room in the world it can, and transmits audio data to the mothership when it encounters an unknown, possibly individually tailored, list of keywords – and it’s no big deal!?) “You can opt out. It’s in the Terms of Service.” (No. Just no. This is not something that is the slightest amount of permissible just because it’s hidden in legalese.) “It’s opt-in. It won’t really listen unless you check that box.” (Perhaps. We don’t know, Google just downloaded a black box onto my computer. And it may not be the same black box as was downloaded onto yours. )Early last decade, privacy activists practically yelled and screamed that the NSA’s taps of various points of the Internet and telecom networks had the technical potential for enormous abuse against privacy. Everybody else dismissed those points as basically tinfoilhattery – until the Snowden files came out, and it was revealed that precisely everybody involved had abused their technical capability for invasion of privacy as far as was possible.Perhaps it would be wise to not repeat that exact mistake. Nobody, and I really mean nobody, is to be trusted with a technical capability to listen to every room in the world, with listening profiles customizable at the identified-individual level, on the mere basis of “trust us”.
  • Privacy remains your own responsibility.
  •  
    And of course, Google would never succumb to a subpoena requiring it to turn over the audio stream to the NSA. The Tor Browser just keeps looking better and better. https://www.torproject.org/projects/torbrowser.html.en
Gary Edwards

WhiteHat Aviator - The most secure browser online - 1 views

  •  
    "FREQUENTLY ASKED QUESTIONS What is WhiteHat Aviator? WhiteHat Aviator; is the most secure , most private Web browser available anywhere. By default, it provides an easy way to bank, shop, and use social networks while stopping viruses from infecting computers, preventing accounts from being hacked, and blocking advertisers from invisibly spying on every click. Why do I need a secure Web browser? According to CA Technologies, 84 percent of hacker attacks in 2009 took advantage of vulnerabilities in Web browsers. Similarly, Symantec found that four of the top five vulnerabilities being exploited were client-side vulnerabilities that were frequently targeted by Web-based attacks. The fact is, that when you visit any website you run the risk of having your surfing history, passwords, real name, workplace, home address, phone number, email, gender, political affiliation, sexual preferences, income bracket, education level, and medical history stolen - and your computer infected with viruses. Sadly, this happens on millions of websites every day. Before you have any chance at protecting yourself, other browsers force you to follow complicated how-to guides, modify settings that only serve advertising empires and install obscure third-party software. What makes WhiteHat Aviator so secure? WhiteHat Aviator; is built on Chromium, the same open-source foundation used by Google Chrome. Chromium has several unique, powerful security features. One is a "sandbox" that prevents websites from stealing files off your computer or infecting it with viruses. As good as Chromium is, we went much further to create the safest online experience possible. WhiteHat Aviator comes ready-to-go with hardened security and privacy settings, giving hackers less to work with. And our browser downloads to you - without any hidden user-tracking functionality. Our default search engine is DuckDuckGo - not Google, which logs your activity. For good measure, Aviator integrates Disconnect
Paul Merrell

Chromium Blog: Extensions Status: On the Runway, Getting Ready for Take-Off - 0 views

  • Good news for extension developers: as of today, extensions are turned on by default on Google Chrome's dev channel. Extensions are small pieces of software that developers can write to customize the way Google Chrome works. We've been working on enabling extensions for a while, but until now, they were hidden behind a developer flag. As of today, this is no longer true. If you're on the dev channel, you can try installing some of our sample extensions. Removing the flag is the first step in our launch process, and it means we're ready for a few more people to start using extensions-- the kind of adventurous people who populate the dev channel.
Gary Edwards

Flow - Chromium OS builds by Hexxeh - 1 views

  •  
    Flow is the latest in the line of Hexxeh's hugely popular ChromiumOS builds. Flow is the most exciting version yet, bringing even more hardware support, an auto-updater, webcam support and an improved application menu & directory. All this, requires only a 2GB USB drive (download size is 327MB) ChromiumOS is a lightweight, lightning-fast operating system for your netbook, laptop or even desktop. With the familiar environment of Chromium/Chrome, the entire web is at your fingertips in seconds. HTML5 & Flash are fully supported, allowing you to enjoy the very best that the web has to offer.
Gary Edwards

WebKit Remote Debugging - Webkit Surfin Safari - 0 views

  •  
    excerpt:  As you might know, WebKit Web Inspector is implemented as an HTML + CSS + JavaScript web application. What you might not know is that Web Inspector can run outside of the browser environment and still provide complete set of its features to the end user. Debugging over the wire Running debugger outside the browser is interesting because mobile platforms do not often provide enough screen real estate for quality debugging; they have network stack and CPU specifics that often affect page load and runtime. Still, they are based on the WebCore rendering engine, they could have Web Inspector instrumentation running and hence expose valuable debugging information to the end user. Now that Web Inspector is functioning out-of-process over the serialized-message-channel, attaching Web Inspector window to the remote browser is possible. Here is an example of the remote debugging session using Chromium: 1. Start your target browser with the remote-debugging-port command line switch: Chromium --remote-debugging-port=9222
Gary Edwards

What ASP.NET Developers Should Know About jQuery - MIX Online - 0 views

  •  
    Recently the Rocketman and i have been arguing about webkit/Chromium DOM capabilities and limitations; like the failure to fully implement CSS3! Especially missing is support for CSS3 page layout / page break innovations. I realized that i didn't have a good understanding of browser DOM - client side issues, and came across this interesting post from Dave Ward concerning DOM and jQuery.
    The core issue behind my discussions with the Rocketman have to do with creating a DOM view from OpenXML and ODF documents, and then passing that view to the webkit/Chromium engine. So we weren't all that interested in cross browser support or in how IE8 handles DOM-JavaScript. Dave Ward however not only provides a good discussion about DOM-JavaScript and the importance of jQuery as a force of interoperability, he also points out that Microsoft supports jQuery - including direct support within Visual Studio!
    ".....Though JavaScript itself is a great programming language, the document object model (DOM) can be a web developer's worst nightmare.  The DOM is a method through which browsers expose an interface allowing JavaScript code to manipulate elements, handle events, and perform other tasks related to a document within the browser.  While almost every browser implements an ECMA standard version of JavaScript, their DOM implementations are inconsistent and quirky at best.  In fact, if you've had bad experiences with client-side programming in the past, it's likely that the DOM was the true source of your frustrations, not JavaScript itself.  This is exactly the pain point which jQuery addresses....
    ..... "Officially supported by Microsoft - For many Microsoft developers, this official blessing is the clincher. Not only will Microsoft begin including jQuery with Visual Studio, but it is part of the default ASP.NET MVC project template. What's more, Microsoft Product Support Services has already begun offering support for jQuery."....
Paul Merrell

Google to block Flash on Chrome, only 10 websites exempt - CNET - 0 views

  • The inexorable slide into a world without Flash continues, with Google revealing plans to phase out support for Adobe's Flash Player in its Chrome browser for all but a handful of websites. And the company expects the changes to roll out by the fourth quarter of 2016. While it says Flash might have "historically" been a good way to present rich media online, Google is now much more partial to HTML5, thanks to faster load times and lower power use. As a result, Flash will still come bundled with Chrome, but "its presence will not be advertised by default." Where the Flash Player is the only option for viewing content on a site, users will need to actively switch it on for individual sites. Enterprise Chrome users will also have the option of switching Flash off altogether. Google will maintain support in the short-term for the top 10 domains using the player, including YouTube, Facebook, Yahoo, Twitch and Amazon. But this "whitelist" is set to be periodically reviewed, with sites removed if they no longer warrant an exception, and the exemption list will expire after a year. A spokesperson for Adobe said it was working with Google in its goal of "an industry-wide transition to Open Web standards," including the adoption of HTML5. "At the same time, given that Flash continues to be used in areas such as education, web gaming and premium video, the responsible thing for Adobe to do is to continue to support Flash with updates and fixes, as we help the industry transition," Adobe said in an emailed statement. "Looking ahead, we encourage content creators to build with new web standards."
Paul Merrell

Chromium Blog: Bringing improved support for Adobe Flash Player to Google Chrome - 0 views

  • The traditional browser plug-in model has enabled tremendous innovation on the web, but it also presents challenges for both plug-ins and browsers. The browser plug-in interface is loosely specified, limited in capability and varies across browsers and operating systems. This can lead to incompatibilities, reduction in performance and some security headaches.That’s why we are working with Adobe, Mozilla and the broader community to help define the next generation browser plug-in API. This new API aims to address the shortcomings of the current browser plug-in model. There is much to do and we’re eager to get started.
  • As a first step, we’ve begun collaborating with Adobe to improve the Flash Player experience in Google Chrome. Today, we’re making available an initial integration of Flash Player with Chrome in the developer channel. We plan to bring this functionality to all Chrome users as quickly as we can.We believe this initiative will help our users in the following ways:When users download Chrome, they will also receive the latest version of Adobe Flash Player. There will be no need to install Flash Player separately.Users will automatically receive updates related to Flash Player using Google Chrome’s auto-update mechanism. This eliminates the need to manually download separate updates and reduces the security risk of using outdated versions.With Adobe's help, we plan to further protect users by extending Chrome's “sandbox” to web pages with Flash content.
Paul Merrell

Chromium Blog: Developer Tools for Google Chrome - 0 views

  • Since the initial launch of Google Chrome back in September we have had the Elements and Resources tabs of WebKit's Inspector available. We are now ready to present Inspector's Scripts and Profiles panels built on top of the V8 engine providing web developers with full-featured Javascript debugger and sample-based profiler in the dev channel release of Google Chrome. We are also re-introducing the Elements and Resources tabs running out of process for better robustness, security and support for the new debugger and profiler setup.
Paul Merrell

Report: Microsoft is scrapping Edge, switching to just another Chrome clone | Ars Technica - 0 views

  • Windows Central reports that Microsoft is planning to replace its Edge browser, which uses Microsoft's own EdgeHTML rendering engine and Chakra JavaScript engine, with a new browser built on Chromium, the open source counterpart to Google's Chrome. The new browser has the codename Anaheim.
Gary Edwards

Google shows Native Client built into HTML 5 | Webware - CNET- Shankland - 0 views

  •  
    Whoops. This is the better article! ZDNet got the dregs. CNET got the real thing: Google Native Client, HTML5, GWT, Wave, Web Worker Threads, webkit/chromium, Chrome, O3D "Google wants its Native Client technology to be a little more native. Google Native Client, still highly experimental, lets browsers run program modules natively on an x86 processor for higher performance than with Web programming technologies such as JavaScript or Flash that involve more software layers to process and execute the code. But to use it, there's a significant barrier: people must install a browser plug-in.
Gary Edwards

OpenCandy's Pokki Brings Web Apps To The Desktop, With Style - 0 views

  •  
    Pokki Web-to-Native App Framework.....  excerpt: So what exactly is Pokki? It's a framework built on Chromium that allows developers to build basic applications using standard web technologies, but with a few key additions. First, these applications support nice notification tags in the menu bar (similar to iOS's badge system). They're also handy by design - click one, and it will pop up in a small window that you can use to access your Facebook wall, Gmail inbox, or whatever other application you've installed. Click outside of the Pokki, and it disappears. It's very lightweight. Pokki is initially offering a set of eight applications to users, including apps for Gmail, Facebook, Groupon, eBay, the WSJ, Living Social, and Twitter. That's a solid start, but today's launch is primarily about introducing developers to the Pokki SDK, which isavailable beginning today, and will let developers turn whatever website they like (provided it has an API) into a Pokki. Note that most of the Pokkis launching today were built in-house by SweetLabs. To use Pokki, users have to install the basic framework first, but this will come bundled with all Pokki apps - the company expects users will download a Pokki from one of their favorite sites, and then continue to add more using the integrated Pokki app browser. The apps are launching with support for Windows today, with Mac and Linux support coming down the line.
Gary Edwards

Google Bets Big on HTML 5: News from Google I/O - O'Reilly Radar - 0 views

  •  
    "Never underestimate the web," says Google VP of Engineering Vic Gundotra in his keynote at Google I/O this morning..... Tim O'Reilly provides us with his play-by-play account of the Google I/O event. Amazing stuff. The Web has arrived and it is no longer the "network of networks". It's rather quickly becoming the mother of all platforms. Great coverage.
  •  
    That article includes a link to an amazing web page, amazing if you've got a bleeding edge HTML 5 browser. http://htmlfive.appspot.com/ The browsers and versions needed are listed on that page. If you've got Google Chrome, upgrade to Chrome 2.0 (hot off the presses) from About Google Chrome (on the customization menu). Playtime with the bleeding edge of the Open Web.
1 - 13 of 13
Showing 20 items per page