
Google


carinder

Not OK, Google: Chromium voice extension pulled after spying concerns

Company agreed that a closed source module wasn't a good fit for an open source browser.

by Peter Bright - Jun 24, 2015 11:37pm BST

Google has removed an extension from Chromium, the open source sibling to the Chrome browser, after accusations that the extension was installed surreptitiously and subsequently eavesdropped on Chromium users.

The issue first came to light in late May when a bug was filed in the Debian bug tracker. Chromium version 43 was seen downloading a binary extension from Google, and there was neither any ability to prevent this download, nor any source code available for the extension. The extension, called "Chrome Hotword," was found to be responsible for providing the browser's "OK, Google" functionality. Although off by default, both Chrome and Chromium, when set to use Google as their default search engine, can permanently listen to the microphone and respond instantly to voice queries, with "OK Google" used as the trigger keyword.

Concern about the nature and purpose of the extension was compounded by the way the browser did and didn't disclose the extension's existence. The list of extensions visible at chrome://extensions/ doesn't include Hotword. Conversely, Hotword's own status page, chrome://voicesearch/, said that by default the extension was enabled and had access to the microphone.

This looked like an egregious privacy violation; Google silently installing software that listens in to the microphone (and potentially reports back everything it hears to the mothership), and doing so not only in its partially closed source Chrome browser, but the free and open Chromium browser. The extension is supposed to detect the "OK Google" phrase locally, sending only search phrases to Google, but as no source code is available, there's no easy way to determine this. Other trigger phrases could be included that start transmission, and nobody outside Google would be any the wiser.

This issue came to wider notice after a write-up on Linux Weekly News and another by Pirate Party founder Rick Falkvinge.

In a bug filed in the Chromium bug tracker, Google offered explanations for the behavior. Chrome and Chromium have various built-in features that are implemented as extensions, which Google calls "component extensions." Some are built in; others are downloaded automatically when the browser is run. By default, these component extensions are not listed alongside normal extensions on chrome://extensions/, though there is a command-line switch, --show-component-extension-options, that will reveal them.

Similarly, Google developers explained that the page showing that the Hotword extension was enabled was being misinterpreted. Enabled in this context does not mean "loaded" or "listening"; it just means "not disabled." The extension isn't actually active unless the "OK Google" feature is turned on. This can be verified in Chrome's own task manager: it lists each loaded extension, and by default the one for Hotwords isn't loaded.

Check the "OK Google" option and the extension can load. However, it doesn't simply load once and then stay loaded. When you turn it on, it loads, but a few seconds later, unloads. Subsequently, it only loads on the new tab page (which includes a Google search box) or when visiting google.com. Navigate away from these pages and a few seconds later, the extension unloads again. Turn off "OK Google" and the same thing happens; if the extension is running, it unloads after a few seconds.

Even with the "OK Google" feature turned off, when you start Chrome, the extension is loaded for a few seconds, and then unloaded.

This constant loading and unloading likely explains the experience of developer Ofer Zelig, who noticed that his webcam's activation light (enabled whenever the webcam's camera or microphone are accessed) kept turning on apparently at random. This likely coincided with his visits to Google's home page or when starting a new tab.

For users of Chrome, there doesn't seem to be any serious issue. Chrome users already have to trust Google to a greater or lesser extent, because the browser isn't fully open source and contains proprietary Google code. That the extension loads when the browser is started—and appears to access the microphone when it does so—even when "OK Google" is disabled seems a little undesirable. It may be that this is simply how Google's extension system works, but it's not really consistent with user expectations.

For Chromium, the situation is a little more complex. One of the reasons that people use open source software is precisely so they can inspect the source code and know precisely what is going on: automatically downloading and installing a binary extension with no source code clearly runs very contrary to this spirit.

In the light of this, Google developers announced today that they would make a change to Chromium; as of today, builds of Chromium 45 will no longer download the module by default.


Cisco Announces Intent to Acquire OpenDNS

Acquisition to Accelerate Cisco's Cloud Delivered Security Portfolio

SAN JOSE, Calif. – June 30, 2015 – Today, Cisco announced its intent to acquire OpenDNS, a privately held security company based in San Francisco. OpenDNS provides advanced threat protection for any device, anywhere, anytime. The acquisition will boost Cisco's Security Everywhere approach by adding broad visibility and threat intelligence from the OpenDNS cloud delivered platform.

The burgeoning digital economy and the Internet of Everything (IoE) are expected to spur the connection of nearly 50 billion devices by 2020, creating a vast new wave of opportunities for security breaches across networks. The faster customers can deploy a solution, the faster they can detect, block and remediate these emerging security threats. OpenDNS' cloud platform offers security delivered in a Software-as-a-Service (SaaS) model, making it quick and easy for customers to deploy and integrate as part of their defense architecture or incident response strategies. By providing comprehensive threat awareness and pervasive visibility, the combination of Cisco and OpenDNS will enhance advanced threat protection across the full attack continuum—before, during and after an attack.

Typically devices and people connected to the network are easier to identify and track for potential security threats. However in a world in which devices and people can connect from anywhere at anytime, enterprise IT teams have increasingly limited visibility into potential threats from these unmonitored and potentially unsecure entry points into the network, creating tremendous security risk. Combining OpenDNS' broad visibility, unique predictive threat intelligence and cloud platform with Cisco's robust security and threat capabilities will increase awareness across the extended network, both on- and off-premise, reduce the time to detect and respond to threats, and mitigate risk of a security breach.

"As more people, processes, data and things become connected, opportunities for security breaches and malicious threats grow exponentially when away from secure enterprise networks," said Hilton Romanski, Cisco chief technology and strategy officer. "OpenDNS has a strong team with deep security expertise and key technology that complements Cisco's security vision. Together, we will help customers protect their extended network wherever the user is and regardless of the device."

The OpenDNS team will join the Cisco Security Business Group organization led by David Goeckeler, senior vice president and general manager. Under the terms of the agreement, Cisco will pay $635 million in cash and assumed equity awards, plus retention based incentives for OpenDNS. The acquisition is expected to close in the first quarter of fiscal year 2016, subject to customary closing conditions.

About Cisco

Cisco (NASDAQ: CSCO) is the worldwide leader in IT that helps companies seize the opportunities of tomorrow by proving that amazing things can happen when you connect the previously unconnected. For ongoing news, please go to http://thenetwork.cisco.com.
