Edward Morbius - Google+

Edward Morbius

Technological Archaeologist

Edward's interests

View all

Media / Tech
Edward Morbius
Follow

Institutions
Edward Morbius
Follow

Plussology: Google Meta
Edward Morbius
Follow

Mirth & Diversion
Edward Morbius
Follow

Edward's posts

Pinned

Post has shared content

Edward Morbius

Public

25w

Google secretly installs mic-enabling spyware / surveillance on all systems with Chrome or Chromium browsers

What the actual fuck?
https://www.privateinternetaccess.com/blog/2015/06/google-chrome-listening-in-to-your-room-shows-the-importance-of-privacy-defense-in-depth/

Chromium, the open-source version of Google Chrome, had abused its position as trusted upstream to insert lines of source code that bypassed this audit-then-build process, and which downloaded and installed a black box of unverifiable executable code directly onto computers, essentially rendering them compromised. We don’t know and can’t know what this black box does. But we see reports that the microphone has been activated, and that Chromium considers audio capture permitted.

I've confirmed this is present and installed on my own Debian system and that my system mic (typically disabled / zeroed via software) was enabled. I may need to physically cut the circuit.

I also see a need to start firewalling off Google IP and network space.

Seriously: YOU DO NOT FUCKING DO THIS SHIT, GOOGLE.

I've been meaning to nuke Chrome for a while (fucking Stylebot's the monkey on my back). If I can eliminate all Google software from my Debian repos that's not too much.

Correcting one error in the article: Debian don't audit every line of code. There's too much, and the security team's too small. But Debian do have a policy and constitution, and key among the elements of that is that user rights come first.

Also: anyone with tips on physically disabling Thinkpad T520 mics, I'd appreciate the info.

⚫ https://news.ycombinator.com/item?id=9738140
⚫ https://www.reddit.com/r/technology/comments/3ab0lq/google_chrome_listening_in_to_your_room_shows_the/
⚫ https://www.reddit.com/r/dredmorbius/search?q=%22Google+Chrome+Listening+In+To+Your+Room+Shows+The+Importance+Of+Privacy+Defense+In+Depth%22&sort=relevance&t=all
⚫ https://duckduckgo.com/?q=%22Google+Chrome+Listening+In+To+Your+Room+Shows+The+Importance+Of+Privacy+Defense+In+Depth%22

+Yonatan Zunger +Andreas Schou +Lea Kissner +Larry Page +Sergey Brin +Eric Schmidt +Bradley Horowitz +Peter Kasting

+Steve Faktor +Stephen Shankland +Dan Gillmor +Danny O'Brien +Danny Sullivan +Tess Vigeland

Google Chrome Listening In To Your Room Shows The Importance Of Privacy Defense In Depth

+Private Internet Access

Originally shared by Rick Falkvinge

Google Chrome listening in to your room shows the importance of privacy defense-in-depth. New column on Privacy News.

Yesterday, news broke that Google has been stealth downloading audio listeners onto every computer that runs Chrome, and transmits audio data back to Google. Effectively, this means that Google had taken itself the right to listen to every conversation in every room that runs Chrome somewhere, without any kind of consent from the people eavesdropped on. In official statements, Google shrugged off the practice with what amounts to “we can do that”.

It looked like just another bug report. "When I start Chromium, it downloads something." Followed by strange status information that notably included the lines "Microphone: Yes" and "Audio Capture Allowed: Yes".

Without consent, Google’s code had downloaded a black box of code that – according to itself – had turned on the microphone and was actively listening to your room.

This episode highlights the need for hard, not soft, switches to all devices – webcams, microphones – that can be used for surveillance. A software on/off switch for a webcam is no longer enough, a hard shield in front of the lens is required. A software on/off switch for a microphone is no longer enough, a physical switch that breaks its electrical connection is required. That’s how you defend against this in depth.

Early last decade, privacy activists practically yelled and screamed that the NSA’s taps of various points of the Internet and telecom networks had the technical potential for enormous abuse against privacy. Everybody dismissed those points as basically tinfoilhattery – until the Snowden files came out, and it was revealed that precisely everybody involved had abused their technical capability for invasion of privacy as far as was possible.

Perhaps it would be wise to not repeat that exact mistake. Nobody, and I really mean nobody, is to be trusted with a technical capability to listen to every room in the world, with listening profiles customizable at the identified-individual level, on the mere basis of “trust us”.

https://www.privateinternetaccess.com/blog/2015/06/google-chrome-listening-in-to-your-room-shows-the-importance-of-privacy-defense-in-depth/

Peter Kasting: +Edward Morbius Regarding (1), your reasoning seems faulty to me. You argue that applications can't be trusted with the microphone and we need OS- or hardware-level controls. Ignoring that you have OS-level controls in all OSes I'm aware of (Chrome can't record from a microphone you've muted), and that OS-level controls are just software and presumably no more trustworthy than controls in Chrome (where does the mistrust stop?), this means it doesn't matter whether Google ostensibly builds capabilities into Chrome that use the mic or they don't: they could, and because they can't be trusted, all applications should be equally suspect.

That means the comments about us "choosing to play in this space" miss your own point. You're intentionally not relying on whether vendors claim to be choosing to play in the space or not. You're saying you don't want to trust what people claim to do, and in that sense, Chrome is equally untrustworthy as everything else, regardless of this incident or of any feature we do or don't claim to build, no matter the opt-in state.

And as I noted, this is far from the only feature in Chrome capable of using the microphone, yet even among privacy advocates I don't see people having been up in arms for years about the other mic capabilities of the software (e.g. allowing websites to access your mic with your permission). To me this suggests that very few people take the sort of full-paranoia stance that the software can't be trusted at all; if we build something and make it opt-in, that seems to be good enough in general.

So the swearing about us being "fucking adults", which implies not only that we're not acting like adults but that you're fed up with it, seems itself childishly petulant to me.

Regarding (2), we're not playing in the free software space. We don't release Chrome as free software, and we don't release Chromium as a product at all. Debian are playing in the free software space, and if they want to ship and support a product, they need to ship and support it -- and in this case, have done so, by managing the bug request in their system, communicating to us upstream what they need, etc. So we're not trying to make free software advocates happy. And it's not valid to claim this is a red herring. The vast majority of angry feedback ON THIS SPECIFIC TOPIC has been about the closed nature of the source code, NOT about microphone access to begin with. This may be a red herring to you personally, but your position is not representative even of everyone who is upset, so it's not valid for you to dismiss this concern as irrelevant.

Regarding (3), I think there's a false sense that, because we didn't happen to put the bits for this feature in the same .zip as our installer, there is some sort of reasonable expectation of user control. If we ship 10 megs in the initial installer, 10 megs in software the installer downloads, and 10 megs in software that the software the installer downloads itself downloads, why is it suddenly the case that with one of those 10 meg chunks we need to ask and notify users? This is a low-level, technical implementation detail of when the bits get downloaded. It is not an optional, configurable part of the program, from the perspective of users. And our fix for Debian didn't make it one: we made it possible to throw compile-time switches to pull out the feature, just as there are compile-time switches for h.264 decoding support. Those switches don't mean we have a moral obligation to users to ask if they want h.264 support; that's up to the people packaging the product to decide.

For (4), none of your stated principles demand that the opt-in must come before downloading a piece of code, rather than before executing it. You've simply decided that that's the standard. And, again, the analogous functionality in the same product -- mic access for webpages in Chrome -- isn't causing mass hysteria even among privacy advocates. So while you're welcome to any position you want, it isn't mandated under your own justifications and it isn't one that seems widely adhered to or compelling for me. So, pardon me if I don't particularly mind that we don't live up to your standard and won't in the future, and neither does ANY OTHER MAJOR BROWSER currently. (Life is hard when you're going to make demands that no one else makes.) As for the specific four rules you propose, I don't see why you're putting text in bold and (again) swearing at me about items Chrome isn't even accused of doing, e.g. not remembering user choice. I happen to agree with you that we should remember such user choices. And, in fact, we do, so why the rant?

For (5), the distinction absolutely matters, in the same way that you don't get to bitch at OpenSSL maintainers if Microsoft includes SSL code in Windows that doesn't do something Microsoft's customers want. That's Microsoft's issue. OpenSSL isn't shipping or supporting Windows, and it's not their responsibility to do so. Neither is it our responsibility to uphold Debian's principles in a product that Debian constructs and ships to their users. We are happy to support their requests as upstream vendors of a piece of their software, and have done so in this case. Claiming this distinction is immaterial is foolish and blatantly contradictory to reality, and it smacks of "I'll blame whoever I darn well wish to blame".

For (6-9), I don't see why you're concluding we haven't had precisely those discussions, and are extremely comfortable with the results.

So I stand by my initial statement. We've considered this, we're taking what I think is a reasonable position, and while I can understand and respect your disagreement, I don't think that we are obligated to cater to your individual concerns, merely to listen to them and take them into account. If after doing so we don't wind up where you'd like, well, you will need to decide how to respond to that. If you decide you don't wish to use Chrome, by all means, please use an alternative that makes you more comfortable, based on whatever criteria you choose. We released Chrome's source precisely to drive additional competition and improvement in the browser space, it would be poor of us to bemoan when other products succeed.

As I think we've covered the major points and anything further is likely to mostly be a retread, I am unlikely to respond further in this thread. Hope it was helpful, even if you don't agree with where we stand.

Jeff Bond: +Edward Morbius ...you cannot hard block that mic, it is on-board and always a software command away from being enabled.

anyone who says BIOS lockdown is 100% secure is silly, or a tool ...

in all fairness to google ... this has been going on since before audio was integrated onto motherboards (i.e hacking a soundblaster card with a HAM radio is old school) ... ugly what a computer reveals with #resonance ;(

and it's expected to hear "it's not my department" when striking close to the TRUTH ...

again in all fairness, some people work for google ... so can only expect so much ?

in support of +Yonatan Zunger ... overall he provides WAY MORE fact than any other SVP i know (including my ~~shit head of a~~ brother, who is SVP of IR at +Oracle)

pisses me off 5% of the time, but 95% of the time he's awesomely open & honest, way better than any experience i've had even with my #family ;(

build an "old school PC" with an old MB, ditch ALL a/v ... you're still ~~fucked~~ open to google & gov't., but at least you minimize rogue attack vectors

p.s. try nitro browser from maxthon, or opera ... less common, offers a better chance of remaining "sub-rosa", quite a sad state of affairs ;(

Edward Morbius: Followup: Google are apparently disabling Google Now on Chrome and elsewhere.

https://plus.google.com/+JRRaphael/posts/3EkdBvPiDxh

NB: one of the annoyances of my Samsung Tab A + Logitech keyboard, the <fn>-<alt> keypress toggles Google Now search, but is something I'm used to hitting for keyboard-based text selection. I enter this quite often without meaning to, and it's annoying. Every. Damned. Time.

Post has attachment

Edward Morbius

Mirth & Diversion

11h

Speed

@trentonleetiemeyer is one of the things that keeps me going back to Ello.

Ello | trentonleetiemeyer | @ellowrites @ellopoetry

Post has attachment

TIL: Tony Abbott was a Rhodes Scholar

Of the 200 or so scholars who have spent their careers in government, "most of them have had solid, but undistinguished careers," while "perhaps forty or can be said to have had a significant, national impact in their particular areas."[52] Several Scholars subsequently became heads of government or heads of state, including Wasim Sajjad (Pakistan), Bill Clinton (United States), Dom Mintoff (Malta), John Turner (Canada), and three Australian Prime Ministers: Bob Hawke, Tony Abbott and Malcolm Turnbull. In the United States, the current U.S. Secretary of Defense Ashton Carter, U.S. National Security Advisor Susan Rice, U.S. Secretary of Health and Human Services Sylvia Burwell, Mayor of South Bend, Indiana Pete Buttigieg, and Mayor of Los Angeles, California Eric Garcetti are Rhodes Scholars.

This I wouldn't have guessed.

Rhodes Scholarship - Wikipedia, the free encyclopedia

en.m.wikipedia.org

Post has shared content

Edward Morbius

Institutions

21h

Let’s not let fear defeat our values

I came to the US from India 22 years ago. I was fortunate enough to gain entry to a university here, and time after time…

+Medium

Originally shared by Peter Kasting - 1 comment

Google CEO Sundar Pichai comments about intolerance of immigrants.

https://medium.com/@sundar_pichai/let-s-not-let-fear-defeat-our-values-af2e5ca92371

I find anti-immigrant sentiment frustrating because it's often so grounded in fear rather than logic. For example, people fear the possible loss of their jobs, and they see immigrants as more competition for jobs, so they oppose immigration, even though economically speaking immigrants are overall an incredible positive for the economy; few people have studied economics, though.

In recent days, the primary fear is a fear of violence rather than an economic fear, but illogic is still present. I saw a reference the other day that the number of people killed in mass shootings in the U.S. annually is roughly equal to the number killed by lightning strikes -- in other words, a tiny number that doesn't even register as a terribly meaningful risk. But humans are notoriously bad at risk estimation, and the salient stories of "Muslim man guns down innocent bystanders" are far more powerful than boring numbers. So, much like with the insanity of the TSA's airport scanning, we begin proposing spending billions of dollars and impacting an enormous number of lives in order to achieve at most an extraordinarily tiny amount of good.

Fear is powerful, and it's not wrong to react with fear, distaste, and anger when we hear of crime and violence. But it is wrong to let that emotional response sweep away the rational considerations we need to make about what reaction would result in the most justice for the most people. Immigrants in America are not just a crucial part of our history, they're also human beings whose lives are as inherently valuable as those of American citizens. We have a moral responsibility to treat them with the same respect and concern we treat everyone else. Demonizing groups of them isn't just illogical, it's unethical.

Post has attachment

Edward Morbius

Institutions

Invented in the 1980s: "Tax and spend liberals"

Another dose of truth from the Ngram viewer.

Looks as if National Journal was there from the start (1983)
https://www.google.com/search?q=%22tax+and+spend+liberals%22&lr=lang_en&source=lnt&tbs=lr%3Alang_1en%2Ccdr%3A1%2Ccd_min%3A1%2F1%2F1980%2Ccd_max%3A12%2F31%2F1986&tbm=bks#q=%22tax+and+spend+liberals%22&lr=lang_en&tbs=lr:lang_1en,cdr:1,cd_min:1/1/1980,cd_max:12/31/1986&tbm=bks&start=10

And (sorry, +Lev Osherovich), but Monsanto:
https://books.google.com/books?id=9c7nAAAAMAAJ&q=%22tax+and+spend+liberals%22&dq=%22tax+and+spend+liberals%22&hl=en&sa=X&ved=0ahUKEwjxjv_48NXJAhXMeT4KHY97BvkQ6AEIQzAH

Google Ngram Viewer

Google Ngram Viewer: '[tax and spend liberals]', 1950-2000 in English.

What's the larger social threat, ultimately? Crime? Or Political upheaval?

+Ronald Parker called out the following quote in the Atlantic interview of UC Davis CompSci professor Philip Rogaway:

"Fortunately, criminal behavior has never been such a drag on society that it’s foreclosed entire areas of technological advance."

Unfortunately, political behavior has. -- Ronald Parker

From which my question, taking Rogaway's comments one step further.

Most crime is unorganised, the exception being organised crime, though that almost always has quasi-political or outright political overtones, with corruption and failed states (themselves forms of political failure) almost always playing roles.

Political violence is of necessity organised. And ... can be absolutely brutal. Krystalnacht. The Hololcaust. The Great Irish Famine. The Ukrainian Holdomor.

In its lesser forms, Political failure and overthrow become frighteningly close to what's become the norm in North America and Europe -- feeding the Plutonomy. Corruption of the legal and economic systems to oppress, take property and livelihoods, destroy lives, or kill directly. With impudence.

With general lawlessness you end up with stories such as the Bronx is Burning episodes of the 1970s (though many if not most of the fires were arson, set by property owners, often for insurance payouts), or Detroit of the past two decades. Or of Venezuela or Honduras, the latter with the highest murder rates in the world.

Widespread organised crime leads to situations such as have afflicted Mexico for the past two decades, with tens of thousands dead in what's very literally been a drug war. The political element of this is hugely significant though -- local and state police, and even the military are involved in both the drugs trade and violence.

And the ultimate degenerate case is outright civil war. The American Civil war remains the bloodiest the country's ever experienced, far the more when casualties as a proportion of the population are considered.

Which suggests again that Rogaway's focus on the political rather than criminal potentials for computer science and technology abuse are very well considered. Tools for magnifying and amplifying power, governmental or otherwise, without the social, civil society, legal, and institutional protections against abuse could be massively dangerous. +David Brin's Transparent Society strikes me as very thin shield.

Post has shared content

Edward Morbius

Media / Tech

12h

"[S]cience and technology are inherently political, and whether we want to think about it that way or not, it’s the nature of the beast. Our training as scientists and engineers tends to deemphasize the social positioning of what we do, and most of us scientists don’t give a whole lot of thought to how our work impacts society. But it obviously does."

Phillip Rogaway, professor of Computer Science at the University of California at Davis.

I myself had been thinking increasingly in these terms when the Snowden revelations came out. Those revelations made me confront more directly our failings as a community to have done anything effectual about stemming this transition of the Internet to this amazing tool for surveilling entire populations....

Q: Is there any inherent danger in politicizing an academic discipline?...

Rogaway: My sense is that politics is there, whether one acknowledges it or not. When you have an ostensibly apolitical department, but you scratch beneath the covers and discover that three-quarters of the faculty are funded by the Department of Defense, well, in fact that’s not apolitical....

I don’t think terrorism has much to do with the mass-surveillance issue at all. This is a convenient storyline to be weaving in the present day, but the NSA’s own mission statement says that they’re there to serve their customers. And while some of those customers are interested in terrorism, other NSA customers have completely unrelated interests, and I don’t think that surveilling is particularly aimed at confronting terrorism. It wouldn’t be effective even if it were....

If every contact a journalist makes—and the weight of that contact: the number of minutes, the frequency, and such—is something that hundreds of thousands of analysts can get from a Google-like search tool, I think that this makes serious investigative journalism effectively impossible.

Really good stuff.

The Moral Failure of Computer Scientists - The Atlantic

+The Atlantic

Originally shared by Brett Coburn - 1 comment

Dan Weese: And here's some insider chit-chat: FBI is currently on its seventh or eighth - depends how you count them - iteration of trying to compile a national criminal database, every single one a failure. FBI is the least of your worries. FBI is a case study in failure. If you're really interested in protecting your privacy, you might cast the Stink Eye upon the credit reporting agencies, who have more troublesome information on you - and will sell it to anyone - than any government agency could dream of collecting.

Edward Morbius: +Dan Weese I actually raise just that question (what's worse, crime or political failure) in another post. Part of my hypothesis: criminal activity at that scale entails severe political breakdown.

As I'm writing this the ansible's announcing a U.S. State Department warning against travel to Burundi: 90 killings ... since a political crisis struct the country.

These things aren't unrelated.

https://plus.google.com/104092656004159577193/posts/3NvmWKbzCAV

Dan Weese: +Nila Jones Nigeria and Guatemala feature parasitic armies run by corrupt incompetents and political sycophants, with the assistance of civilian contractors. Some of that is true here in the USA, and where this is true, we see multiple tiers of contractors at work on these classified systems, people such as myself. And guys like Ed Snowden, who was a lot higher up the food chain than I ever was, but I've seen enough of it to no longer do any more government contracting. It was one thing to have CAC card in the service. It's another to see it from the civilian side.

Post has attachment

Edward Morbius

Institutions

19h

On how dissipative evolving structures are self-sustaining and self-preserving

Useful selective pressures must come from the outside.

More later.

Academic B.S. as artificial barriers to entry

noahpinionblog.blogspot.com

Post has shared content

Edward Morbius

Economics

23h

What's needed is sufficient pay and specifically targeted public subsidies. Not more loans.

The argument for consumer debt of all types, from mortgages to microloans to revolving credit to educational loans to "payday loans" is that they provide ready access to cash, increase access to some good or service (housing, education, spending in general). Only one is directly defended as providing business opportunity (microlending), though those arguments appear possibly specious.

Debt as a short-term measure to cover temporary cash shortfalls, or as a means of converting some tangible asset to liquid currency (e.g., ongoing business loans) is defensible.

Debt as a means to fund current expenses on a going basis, or to access services or goods from which the borrower will not or can not benefit, serves only the lenders. If the argument is "provide more cash in the economy" then the answer is pay people more.

Debt is a financing instrument with obligation to repay, almost always coupled to compound accruing interest, meaning that these obligations increase with time, with no regard to the capacity of the borrower to repay.

The result is an increased ratchet on the cost of assets, including housing, education, and healthcare, without regard to their actual economic benefit.

It's part of the great risk shift, from todays optimates, the empowered, wealthy, ruling class, to the populares -- the people generally, the proletariate, the working classes. Ultimately the fix isn't more loans, or easier financing terms, but one or both of:

1. Increased pay to lower classes. Sufficient to cover housing, food, healthcare, education, and retirement, on a generational timescale.

2. A shift of risk back to the financial system as a whole. Structured bankruptcies, maximum loan repayment periods, caps on real interest, loan forgiveness for failures to deliver fully (e.g., non-graduation from college programs), etc. Society is a web of mutually shared risks, giving rise to mutual interests. Not a grab-me-all-I-can.

Who's Profiting From $1.2 Trillion of Federal Student Loans?

+Bloomberg News

Originally shared by Joerg Fliege - 2 comments

Who's Profiting From $1.2 Trillion of Federal Student Loans?

Follow the money.

Edward Morbius

Mirth & Diversion

Asking (or answering) questions is no end of trouble.

I was wondering what made a good University town the other day. A week later, I'm realising that the trivium is actually an early form of an input-process-output system, or an OODA loop, and pondering planting an olive grove a short ways out of town.

I won't even start with what happens when I start asking for the meaning and purpose of everything.

Wait while more posts are being loaded

Media / TechEdward MorbiusFollow

InstitutionsEdward MorbiusFollow

Plussology: Google MetaEdward MorbiusFollow

Mirth & DiversionEdward MorbiusFollow

Media / Tech
Edward Morbius
Follow

Institutions
Edward Morbius
Follow

Plussology: Google Meta
Edward Morbius
Follow

Mirth & Diversion
Edward Morbius
Follow