Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Satori - distributed tamper-resistant circumvention tools

Nick liberationtech at njw.me.uk
Sun May 4 07:51:40 PDT 2014


Quoth Andrew Cady:
> On Sat, May 03, 2014 at 12:35:39PM -0400, Nick wrote:
> > if you're worried about an evil google, hey, they control the
> > browser, so you've already lost.
> 
> I use Chromium and update it through my distro, so no, Google
> does not control the browser (/usr/bin/chromium).

Me too, but I was thinking that if they were evil they could slip in 
a subtle vulnerability that would be really hard to find; it's a 
large codebase that (to my knowledge) is only well- understood by 
Google employees. I don't think it's likely, but considering how 
fast-moving the codebase is, something subtle like a fencepost error 
that they could just quietly use / give away "if it's really needed" 
is imaginable. Theoretically fixable by (e.g.) Debian, in practice, 
most of the time it wouldn't be. This is an inherant problem of 
large, fast-moving, complex software developed primarily by one 
close-knit and corporate-bound team.

> But they do,
> still, control the extensions installed through user accounts
> (~/.config/chromium/Default/Extensions/).  Google's control is
> hard-coded into the source.

What do you mean, they control the extensions through user accounts?  
That they auto-update? Or that Google are the primary source of 
extensions? What is hardcoded into the source?

I would like more diversity than 99.9% of extensions distributed 
through Google's infrastructure, but (like the 'app stores') it does 
provide a useful service; basic malware checking, that keeps most 
people safe from bad actors most of the time. At the expense of a 
single point of failure that can be compelled to fail by state 
action.



More information about the liberationtech mailing list