On Chrome Privacy - Mike West

Responding to a comment about 'Facebook’s “frictionless sharing”' and how Google could do the same thing with Chrome, Mike West, A Chrome Privacy Team Member, writes:

On Chrome Privacy - Mike West

 

Good article, not that anyone will ever hear it because it's not calling Google out.

Most of what I hear about Chrome is "omg but in the future it MIGHT be evil."

I'd love to see some people actually read an article that isn't pointing a finger at every company.

 

I'd just love to see a thread where you don't have something to say. Even when you don't have anything to say you feel the need to chime in. I guess that's how you rack up 2,600 posts in 4 months. That's 140 posts a week!

Do you work? Eat? Sleep?

 

Lol, damn Hungry, this must be all out assault night, eh?

 

not even my most active forum!

Yeah, I have school during the day. I make all of my posts before school and come home and reply.

Yes, well, I was just on a bus for 4 hours and was pretty bored.

 

Lmao! Enjoy

 

Oh, I will. I'm just waiting for the ad hominems to start flying. Actually they already have in a few topics!

 

@ LockBox, This is way out of line.
I consider Hungry Man's posts to be very worthwhile contributions.

@ Searching_ _ _ , Thanks for the Chrome Privacy article!

 

@Hungry Man: What's your WPM?

As for Chrome privacy, I don't really care about it. Probably not much worse than using Google search which almost everyone does.

 

My school has a typing class =p 100WPM or you don't move on to 9th grade.

And I agree, if you want to look at privacy issues you should look at Google search and not Chrome. Not that I'm saying Google search has privacy issues... but at least there's a debate there.

 

God I'm glad I graduated from school long ago, lol. Anyway, I think the issue with Chrome, is that it is so closely tied into search. Therefore, it is possible to make the same connections to privacy. Google is going to take privacy heat no matter what it does, simply because it chose to use advertising to keep it afloat.

 

Yup, pretty much.

 

I think it's cool that Chrome founded a privacy team... a group of devs who "care about making Chrome’s use of data transparent" is just a fine idea.

When West mentions that his team, among other things, "reviews features built by other teams for potential impact on user’s private information", do you think this is part of the vetting process for Chrome extensions? Is that (partially) what he is referring to?

 

I would think so. It's not super clear.

 

I mean, the warnings on some of the extensions are (gulp) extreme...

So West's words leave me wondering if he is alluding to the extension warnings.

Maybe I'll email him and see what he says.

 

Could be.

Yeah, some of those really do come off as a bit scary. I mean "ALL OF YOUR DATA ON EVERY WEBSITE" you know? lol it's a bit much

I am convinced that at some point we're going to see socially engineered malware in the form of browser extensions.

 

I suppose that hasn't happened yet (socially engineered malware in the form of browser extensions), or we would have heard about it, right?
PS- Email sent to MW about vetting process. I'll post back any reply.

 

If it's happened I haven't heard anything about it. I'm not sure how much access extensions can have but I know they're javascript and I could imagine them being malicious if the API allowed for it.

 

I have a new strategy I've been using and seems to be keeping me out of trouble.
1. Don't antagonise other posters. (Mostly )
2. Avoid responding to inflammatory posts. (I ain't no chicken! )
3. Provide relevant and possibly unique information to the Wilder's community that will keep discussion going and hopefully doesn't create flame wars.

There has been a lot of privacy related news lately, a boon for this section.

 

I got a reply from Mike West.

I asked him if, when he mentioned that his team, "reviews features built by other teams for potential impact on user’s private information", he was referring even in part to the vetting process for Chrome extensions?

He replied that he was not.... "that's the security team, not privacy".

So in the article, when he said that his team, "reviews features built by other teams for potential impact on user’s private information", he was referring to Chrome features, not externally written extensions.

The extension warnings, he said, "are explicitly not a judgement from the privacy team".

 

LOL 100WPM that is classic.

Probably but as malware evolves, our security setups must evolve with it IMO.

 

With what we know about google it makes you wonder WHAT WE DONT KNOW about Chrome! (I think its best to be questioned)

 

Without regard to the term used to describe the malware container ("browser extension" vs browser addon vs browser plugin vs browser toolbar vs BHO), yes, "that has happened" repeatedly through the years. A few examples:

BitDefender labeled this one "Trojan.Agent.20577":
http://www.spamfighter.com/News-14287-Fake-Google-Chrome-Extension-Used-to-Distribute-Malware.htm

MS labeled this one "Win32/7FaSSt"
(browser search hijacker, users wound up at 7search)
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Program:Win32/7FaSSt

TrendMicro labeled this spyware "TROJ_DROP.BP"
(payload of a FF addon)
http://blog.trendmicro.com/cyber-crimainals-target-firefox-users/

RFSEARCHHANDLER.DLL
(payload of RegFreeze browser extension)
CLSID {CDB280E8-BE43-4128-8A5A-3FCD094E2D88}


further reading:
www.mike.tl/publications/virology08-4-3-tlv.pdf
and
www.cs.uic.edu/~venkat/research/.../extensible-browser-dimva07.pdf
also ref
"Crimeware: understanding new attacks and defenses"
by Markus Jakobsson and Zulfikar Ramzan

 

What we don't know about Chrome?

Uh, it's an open source browser. You can have a look at the code yourself. If you honestly believe there aren't people scrutinizing the details of the code looking for privacy issues... I don't know what to tell you.

I'm almost curious to see what you think you know about Google though... almost.

 

Again, it's just the nature of their business that spooks people (including me to an extent, admittedly). They rely on advertising and personal data. Without it, they're done, cooked, extinct. I don't think anyone who has ever bothered to actually read about online advertising would disagree that it's very often a shady business. With Google relying on such a business, they, by the nature of most people, get lumped into it. Plus, it never helped that Eric Schmidt opened his mouth a little too often about his lack of concern for privacy.

You see the same thing happening to Mark Zuckerberg and Facebook. When the companies and their leaders openly blow off concerns, it gets under skins. Google has themselves to blame for a lot of this backlash, they've shot themselves in the foot quite a few times. Do I think they have their own little section over at Ft. Meade? No. Do I think they'll skirt around things and stay in the "gray area" as long as they can for the extra cash? Yes, I do, and they've proven they will.