Is Chrome spying on you? Nope.

This past week there was a lot of noise on the web about Google sneakily installing an extension into Chrome that spies on you via your computer’s microphone.

There are several aspects to this story. First, Google did indeed automatically update installs of both Chrome (its closed-source web browser) and its open-source cousin Chromium, with an extension called Hotword. Note that both browsers are designed to update themselves automatically, so this isn’t anything new. But it seemed a bit sneaky in that Hotword is an extension, and as such, a) should probably only be installed after getting confirmation from the user; and b) should show up in the browser’s list of installed extensions.

Google explained this by pointing out that some Chrome/Chromium extensions are ‘component’ extensions, and these are handled more as core components of the browser than as extra add-ons. And Hotword was designated as a ‘component’ extension.

Second, people using the open source Chromium were particularly dismayed that the browser was updating itself with code that was itself not available for review (i.e. not open source). This concern was understandable, and Google’s response was to stop installing Hotword automatically on Chromium.

Third, there was some evidence of a bug in Hotword that could allow third parties (i.e. not the user, and not Google) to use Hotword to listen to users. A demonstration of this seems to bear out this claim, but at this point it’s not clear whether there is any basis for a serious privacy concern. I’ll post more about this as things progress.

It’s important to note that the Hotword extension is not enabled by default. Even if you’re using Chrome, and Hotword is installed automatically, it won’t do anything until it’s enabled. More about that below.

Background

As you may be aware, there’s a big push on to get voice control into the mainstream. For years, we’ve seen people in SF movies talking to their computers and thought it was pretty neat. The technology for actually doing this is finally here, and it’s being added to everything, starting with our mobile devices: iPhones have Siri, Windows phones have Cortana, and so on. Microsoft is pushing Cortana into Windows on PCs now as well, in Windows 10.

Google has been experimenting with voice recognition for its search site and in Chrome for some time now. The Hotword extension is just Google’s latest improvement. Once installed in Chrome/Chromium, the browser provides various indications about its status. Visiting the main Google search page, or just opening a new tab (which shows the Google search interface by default) will now show ‘Say “Ok Google”’ at the far right of the search prompt. There’s also a microphone icon, which has actually been there for a while.

As long as Hotword is disabled, saying ‘Ok Google’ displays a dialog that says ‘Voice search has been turned off’. You’ll also notice a camera icon – with a red line through it – in the address bar. To enable Hotword, click the camera icon and select ‘Always allow google.* to access your microphone’. Now, when you’re on the Google search page and say ‘Ok Google’, the browser will start listening for your commands. If you don’t want to enable Hotword, but want to use voice commands, just click the microphone icon.

Note: if you switch away from the Google search tab, Hotword stops listening.

Legitimate concerns?

Here’s where some of the privacy concerns may perhaps be legitimate. Even if Hotword is disabled, Chrome is clearly still listening to you, even if it: a) ignores everything you say except ‘Ok Google’, and b) will only tell you that voice activation is disabled when you say ‘Ok Google’. It’s extremely unlikely that Google has any malicious intent here. They are simply trying to make voice control seamless.

For example, I have Cortana on my Windows phone (please keep your snickering to a minimum) and although I don’t use it much, it’s particularly handy for choosing music to play. I love being able to ask Cortana to play a particular song or artist when I’m in the car. There’s just one problem: to get Cortana to listen, I have to press a button on the phone. Microsoft is working on a ‘Hello Cortana’ feature that will allow users to get Cortana’s attention without needing to pick up the phone. Certainly this feature isn’t for people who worry about their privacy, but for the rest of us, it’s just going to be very handy.

General paranoia about Google

There’s a general feeling of distrust towards Google, and it seems to be growing. Google’s spectacular success, and their financial power, make it easy to think of them as just another huge corporation trying to run our lives. Google has certainly made their share of mistakes, and some of that distrust is perhaps warranted. But I think people get carried away with this. Sure, Google wants to make money from us, mostly in the form of advertising. But aside from that, I truly believe that they are just trying to provide excellent products and services. And I think they’re doing a remarkable job.

Critical update for Flash

Anyone who uses a web browser with Flash enabled should stop what they’re doing and install the latest Flash update from Adobe. The new version (18.0.0.194) was announced earlier today to address a critical vulnerability for which exploits have been observed in the wild.

Note that YouTube no longer uses Flash by default, so if you previously only used Flash for YouTube, you might be able to completely disable it in your browser. YouTube now uses a video player based on HTML5 technology.

Internet Explorer on Windows 8.x and Google Chrome will receive the new version of Flash via their own update mechanisms.

Brian Krebs has additional details on the vulnerability and the update. Krebs also recently wrote about his experiment in trying to live without Flash.

Update 2015Jul01: And just like that, the Cryptowall malware has been modified to take advantage of this vulnerability in unpatched Flash installations.

Big web performance boost expected with WebAssembly

JavaScript is the universal programming language of the web. Almost all web sites use it to some extent, including this site (boot13). Although many users (including myself) use NoScript and similar systems to block JavaScript when browsing unfamiliar sites, it’s difficult to use many popular sites without it. For example, I spend a lot of time using Google Analytics, and I’ve configured NoScript to allow JavaScript code to run on that site.

One of the problems with JavaScript is that it’s a scripted language. That means your web browser has to parse JavaScript code, one line at a time. This is a very slow process, and contributes to slow loading times on many major sites.

Various efforts to speed up JavaScript have come and gone, without much traction. Now, several major software developers have teamed up to try again. A new JavaScript assembler called WebAssembly (aka wasm) is under development by Mozilla, Microsoft, Google, and Apple. It’s too soon to know exactly when WebAssembly will start appearing in web browsers, but we’re hopeful that it will become the new standard when it does.

Web-based password manager LastPass hacked

One of the more popular online password managers has been hacked. LastPass’s servers were breached and user data stolen, including hashed user passwords, cryptographic salts, password reminders, and e-mail addresses.

According to LastPass staff, your passwords are still secure, because only the encrypted versions were obtained. Analysts have confirmed that the risk to LastPass users is minimal, mostly due to safeguards employed by the service.

Still, if you use LastPass, you should immediately change your master password. You will in fact be prompted to do so when you log in.

Although LastPass had effective safeguards in place, the fact that they were hacked (again) leaves me wondering whether it’s ever a good idea to use any Internet-based password manager. I strongly recommend using an offline password manager like the excellent Password Corral or Password Safe. Both are freeware.

Ars Technica and Brian Krebs have more details on the hack and its implications for users.

VPN doesn’t make open WiFi completely secure

Public WiFi access points (APs) are extremely convenient. They’re also not very secure. Most WiFi APs are configured to use encryption, which is why you need a password to access them. Most also use strong encryption, in the form of WPA2. That sounds good, but if you’re at all concerned about security, it’s not enough.

Even with strong WiFi encryption, anyone who has the WiFi password and is within range of an AP is sharing the network with everyone else using that AP. That means they can use network sniffing tools to see all the traffic on that network. If you sign in to any web-based service (such as web mail, or your bank site), and that service doesn’t also provide encryption, your username and password can be obtained very easily.

Savvy public WiFi users know this, and use VPN (Virtual Private Network) software to further encrypt their network communications. VPN adds a layer of encryption that is dedicated to your computer and makes your communication indecipherable, even to the hacker at the next table.

Unfortunately, even with VPN software, your communications on a public WiFi network are vulnerable. That’s because – in a typical (i.e. default) setup – there’s a delay after you connect to the AP and before the VPN kicks in. During this delay, you are exposed.

To be truly secure, even with a VPN, you need to apply limitations on what your computer can do over public WiFi – especially what it can do during periods when the VPN is not yet active. Unfortunately, this can get complicated. The guides linked below should help.

Windows 10 upgrade process now running on Windows 7 & 8 desktops

There’s a new process running on my Windows 8.1 desktop. I first noticed it just now, when I logged in for the first time after installing the June updates from Windows Update. Microsoft has confirmed that this new process was installed via the optional/recommended Windows Update KB3035583, which sports the somewhat misleading title “Update enables additional capabilities for Windows Update notifications in Windows 8.1 and Windows 7 SP1”.

The process name is GWX.exe. It appears in the notification area (aka system tray) as a white Windows logo. Right-clicking this icon shows the following options:

  • Get Windows 10 – pops up a dialog with some explanatory text (see below).
  • Reserve your free upgrade – pops up a dialog that says ‘Great, your upgrade is reserved!’ (see below)
  • Go to Windows Update – does exactly that
  • Get to know Windows 10 – opens a browser window and navigates to the Windows 10 FAQ

Reserve your free upgrade

On my computer, just before the upgrade reservation dialog appeared, another dialog flashed briefly on the screen. That dialog seemed to show information about the compatibility of the computer with Windows 10. All I managed to see was a bit of text that said something like ‘Windows 10 will work on this PC’.

Here’s the upgrade reservation dialog:

Get Windows 10 - Upgrade Reserved

In case you can’t read that, it says:

Once it’s available on July 29th, Windows 10 will be downloaded to your device. You’ll get a notification when it’s ready to install — install right away, or pick a time that’s good for you.

As you can imagine, I was somewhat alarmed at seeing this, since it seems to be telling me that I’ve agreed to upgrade my Windows 8 computer to Windows 10, or at least that Windows 10 will be automatically downloaded to my computer. I don’t actually want either of those things to happen; at least not that soon, and certainly not automatically. So I skipped the email confirmation step and simply closed the dialog, hoping that canceled the ‘reservation’.

Unfortunately, that didn’t seem to help. The notification icon’s menu changed from ‘Reserve your free upgrade’ to ‘Check your upgrade status’. Selecting that option just performs the compatibility check and shows the upgrade reservation dialog again.

Get Windows 10

Selecting this option displays another dialog, this one consisting of a series of five panels that explain ‘How this free upgrade works’. This again confirms that Windows 10 will automatically download when it becomes available. That’s a 3 GB download, which is apparently unavoidable at this point. Thankfully, I will apparently be given an opportunity to decide at that point whether I want to actually install Windows 10.

Another panel trumpets the fact that the Start menu is back in Windows 10. Thanks a lot, Microsoft. How about adding it back to Windows 8, you know, like you promised? Other panels mention Cortana and the new web browser in Windows 10.

Also on this dialog is a small ‘hamburger’ menu at the top left. Clicking it shows a menu that includes an option to ‘Check your PC’ (see below). Running that shows the compatibility checker that I previously observed flashing past when I clicked the ‘reserve’ option.

Another option on that menu is ‘View confirmation’. Clicking that shows yet another dialog, and this one includes a ‘Cancel reservation’ link. As you can imagine, I clicked that link. After confirming my decision, it was indeed canceled (hopefully). The notification icon’s menu reverted to ‘Reserve your free upgrade’ in any case.

Check your PC

According to the compatibility checker: ‘This PC can be upgraded but there may be some issues.’ It goes on to say:

  • Windows Media Center will be uninstalled during the upgrade. It isn’t available in Windows 10.
  • You’ll need to reinstall language packs after the upgrade is complete.
  • These apps will need to be reinstalled after the upgrade: Microsoft Network Monitor 3.

Details and limitations of the free Windows 10 upgrade

Much has been made of this free upgrade. Clearly, Microsoft wants to get everyone to upgrade to Windows 10. Especially if you’re running Windows 7 or 8, apparently. But if Microsoft was really serious about this, they would offer the free upgrade to users of Windows XP and Vista as well.

Here’s what you need to know about the reservation and upgrade:

  • You only have until July 29, 2016 to take advantage of this offer.
  • This is a full version of Windows, not a trial or introductory version.
  • When you reserve, you can confirm your device is compatible with Windows 10. Between reservation and when your upgrade is ready, the files you need for the upgrade will be downloaded to your PC to make the final installation go more quickly.
  • The only requirements are that a) your device is compatible, and b) you’re running genuine Windows 7 Service Pack 1 (SP1) or Windows 8.1 (Update).
  • There’s no obligation and you can cancel your reservation at any time.
  • Get Windows 10 is an app that’s designed to ‘make the upgrade process easy’ (read: push users to install Windows 10). It checks to make sure your device is compatible, and it reserves your free upgrade; it also has information to help you learn about the features in Windows 10. For devices running Windows 7 SP1 or Windows 8.1 Update with Windows Update enabled, the app shows up automatically as a Windows icon in your system tray at the bottom right-hand side of your screen.
  • The easiest way to get the free upgrade is to reserve, but you can upgrade even if you don’t reserve. Just open the Get Windows 10 app to schedule your upgrade.
  • You can get a free upgrade for each of your eligible Windows devices. Again, ‘eligible’ means ‘legally obtained and licensed’.
  • PCs that cannot run Windows 10 will not see the Get Windows 10 app before July 29, 2015. After July 29, 2015, the icon in the system tray will start to appear.
  • When you upgrade, you’ll stay on like-to-like editions of Windows. For example, Windows 7 Home Premium will upgrade to Windows 10 Home.

Getting rid of the upgrade app

Needless to say, I’d like to remove the Get Windows 10 app from the Windows startup process on my computer. If I want to upgrade, I’ll do it in my own time, thank you very much. I don’t need Microsoft constantly yelling at me to upgrade. Removing the app involves uninstalling update KB3035583 via Control Panel > Programs and Features.
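
For anyone who would rather script this than click through Control Panel, here is an added example (mine, not Microsoft's) that checks for KB3035583 and the GWX.exe process and then uninstalls the update. It assumes an elevated PowerShell prompt on Windows 7 SP1 or Windows 8.1; the variable names are only illustrative.

```powershell
# Added example: audit a PC for the Get Windows 10 app and remove the
# update that installs it. Run from an elevated PowerShell prompt.
$kb          = 'KB3035583'   # update named in the article
$processName = 'GWX'         # GWX.exe, the notification-area process

# Get-HotFix raises an error when the update is absent; silence it and
# treat an empty result as "not installed".
$hotfix  = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
$running = Get-Process -Name $processName -ErrorAction SilentlyContinue

if (-not $hotfix) {
    Write-Output "$kb is not installed; nothing to remove."
    return
}

Write-Output "$kb is installed (InstalledOn: $($hotfix.InstalledOn))."

if ($running) {
    Write-Output "GWX.exe is running (PID $($running.Id -join ', ')); stopping it."
    $running | Stop-Process -Force
}

# wusa.exe is the Windows Update Standalone Installer. Its /kb switch
# takes only the numeric part of the identifier. Without /quiet it asks
# for confirmation before uninstalling.
$number = $kb -replace '^KB', ''
$proc = Start-Process -FilePath 'wusa.exe' `
    -ArgumentList "/uninstall /kb:$number /norestart" -Wait -PassThru

# 0 = success, 3010 = success but a reboot is required.
Write-Output "wusa.exe exited with code $($proc.ExitCode)."
```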

Update 2015Jun12: The KB3035583 update first became available from Windows Update in April 2015. I only started seeing it after I installed the June updates because I explicitly selected it from the list of optional updates, thinking it was actually something else. Mea culpa.