[liberationtech] Satori - distributed tamper-resistant circumvention tools
Nick
liberationtech at njw.me.uk
Sun May 4 07:51:40 PDT 2014
Quoth Andrew Cady:
> On Sat, May 03, 2014 at 12:35:39PM -0400, Nick wrote:
> > if you're worried about an evil google, hey, they control the
> > browser, so you've already lost.
>
> I use Chromium and update it through my distro, so no, Google
> does not control the browser (/usr/bin/chromium).
Me too, but I was thinking that if they were evil they could slip in
a subtle vulnerability that would be really hard to find; it's a
large codebase that (to my knowledge) is only well-understood by
Google employees. I don't think it's likely, but considering how
fast-moving the codebase is, something subtle like a fencepost error
that they could just quietly use / give away "if it's really needed"
is imaginable. Theoretically fixable by (e.g.) Debian, in practice,
most of the time it wouldn't be. This is an inherent problem of
large, fast-moving, complex software developed primarily by one
close-knit and corporate-bound team.
> But they do,
> still, control the extensions installed through user accounts
> (~/.config/chromium/Default/Extensions/). Google's control is
> hard-coded into the source.
What do you mean, they control the extensions through user accounts?
That they auto-update? Or that Google are the primary source of
extensions? What is hardcoded into the source?
I would like more diversity than 99.9% of extensions distributed
through Google's infrastructure, but (like the 'app stores') it does
provide a useful service; basic malware checking, that keeps most
people safe from bad actors most of the time. At the expense of a
single point of failure that can be compelled to fail by state
action.