
Comment Off by default (Score 1) 85

The key point I made in my official response was overlooked by this article: the hotword module does not run at all unless you opt in, by going to Chromium's settings and turning on the "Ok Google" feature.

Once you turn it on, it's true that we don't send recordings to Google unless the hotword detector hears "Ok Google", but without explicit opt-in, this module is not listening. It is not even running.

Comment Re:Developer Mode still can install (Score 1) 225

Disclosure: I am a full-time engineer on the Google Chrome team. Sorry, but your solutions don't work -- believe me, we didn't want to do this but it was done to prevent malware injections and not to stop users from installing software they want (which is why we only block it on Windows, and we don't block it on Dev or Canary channels).

a) Block the extensions that don't come through the app store, but let the user enable them one by one -- without scary 'developer mode' (and opening up the floodgates)

Unfortunately, if we just let the user manually override the blocking, we would have to store that choice in a preference file. Malware on your computer could easily install a bad extension and set the override flag in the preference file, making the blocking effectively useless.

This is why the only way the user can opt in to side-loading (by turning on developer mode) prompts scary warnings every time you open Chrome -- so that if malware does this, users will know something is up. We can't let you opt in to side-loading and be silent at the same time.

b) Reputation systems -- allow 'reputable' extensions; revert to a) above for the rest. Google and the AV vendors don't want to get their hands dirty classifying useless shit nobody wants as the useless shit nobody wants, fine let the 'community' handle the reputation.

The reputation system just moves the responsibility around, but still fundamentally has the same problem. Now you need to run a full-time service that records the reputation for each extension, and needs to be resilient to gaming (for example, having a malware author controlling a botnet spam the reputation server with good reviews to increase their score).

And for anyone who really wants it, they can manually enable it.

That is exactly what the "developer mode" switch is for. Again, we can't have a preference to enable side-loading without also letting malware turn it on for unsuspecting users, unless it gives a scary warning. There are other ways to enable side-loading without having to see the warning every time you start Chrome:
- Use Mac OS or Linux.
- Use Dev or Canary channel.
- Use Chromium instead of Chrome.
I hope one of these solutions is acceptable.

Comment Re:Also in Chrome 33: Welcome to Walled Garden (Score 1) 125

This is simply not true. I've been an extension developer for quite a long time, and I've always hosted a beta version of my extension outside CWS, with auto-update, using update_url key in the manifest.

Ah OK. I didn't know about this feature. Then yeah, I guess your users won't be able to use that unless they're on dev.
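
An added example, not part of the original comments and not Chrome's own code: a defender-side audit that classifies installed extensions by the `update_url` manifest key mentioned above, separating Web Store-hosted extensions from self-hosted ones. The Web Store update URL constant, the `<id>/<version>/manifest.json` directory layout, and the sample extension IDs and manifests are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Assumption: the update URL carried by Web Store-hosted extensions.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def classify_manifest(manifest: dict) -> str:
    """Classify one parsed manifest.json by its update_url key."""
    url = manifest.get("update_url")
    if url is None:
        return "no-update-url"   # no update source declared
    if isinstance(url, str) and url.strip().rstrip("/") == WEBSTORE_UPDATE_URL:
        return "web-store"
    return "self-hosted"         # updates come from outside the Web Store


def audit_extensions(root: Path) -> dict:
    """Walk <root>/<extension id>/<version>/manifest.json (assumed layout)."""
    report = {}
    for path in sorted(root.glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):   # unreadable, bad encoding or bad JSON
            manifest = None
        report[ext_id] = (classify_manifest(manifest)
                          if isinstance(manifest, dict) else "unreadable")
    return report


def build_sample_profile(root: Path) -> None:
    """Write constructed sample data: four fake extension directories."""
    samples = {
        "a" * 32: '{"name": "Store ext", "update_url": "%s"}' % WEBSTORE_UPDATE_URL,
        "b" * 32: '{"name": "Beta ext", "update_url": "https://updates.example.test/beta.xml"}',
        "c" * 32: '{"name": "No-URL ext"}',
        "d" * 32: '{"name": "Truncated ext", ',
    }
    for ext_id, text in samples.items():
        version_dir = root / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(text, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(Path(tmp))
        for ext_id, verdict in audit_extensions(Path(tmp)).items():
            print(ext_id, verdict)
```

Entries reported as `self-hosted`, `no-update-url` or `unreadable` are the ones to review by hand; the verdict says where updates come from, not whether the extension is malicious.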

Comment Re:Also in Chrome 33: Welcome to Walled Garden (Score 2) 125

(Disclosure: I am a Google Chrome engineer.)

It's not like I don't understand the problem, I've seen rampant Chrome crapware on clueless people's computers. But this is heavy-handed.

I'm glad you understand the severity of the problem. We took no joy in introducing these restrictions, but I think we made a good compromise between security and user freedom. If you don't want the extension side-loading policy, you have a number of options:

  • Use Mac or Linux.
  • Use Dev channel (but have potentially unstable code).
  • Load your extensions unpacked (but have Chrome warn you every time you start up).
  • Use Chromium (missing various features, but the option is there).

None of these options are ideal, but there are numerous escape hatches for people determined to side-load. The point is to stop side-loading in the default case only, where people are getting unknowingly infected. I would call this as far from "heavy-handed" as possible while still being effective.

or are content with loading extensions unpacked, with no auto-update.

Non-Web-Store extensions never had auto-update to begin with. The only difference between loading unpacked and side-loading is that it's a bit trickier to install unpacked, and Chrome will warn you every time you start up.

Comment Re:Open Source! At least it isnt DRM laden like St (Score 1) 88

I actually wonder why GOG doesn't improve their downloader app into a full Steam competitor, which automatically downloads, installs and keeps your games up to date. It wouldn't imply adding DRM -- you could still download the stand-alone .exe installers, and the GOG client could have a "save as .exe" button. Because as it stands, I have to keep making this trade-off between properly DRM-free games (GOG, and Humble Store for that matter, which is also nice in that it supports Linux) and the convenience of having a one-click download/install and always-up-to-date experience (Steam).

Comment Re:Great (Score 5, Informative) 194

Chrome developer here. If you are deleting your extensions and they are showing back up in a few minutes, you have malware on your system that is actively re-installing them (I have seen this in action).

Under normal circumstances, deleting an extension on one machine (assuming you have extensions sync turned on) will cause it to be deleted in your central account, and this delete will propagate to your other machines. Chrome won't push an extension back to your machine that you just deleted. Also, side-loaded extensions (ones that you didn't get from the Web Store) are never synced.

The problem is that many users have malware running in their system that continually installs a particular extension into Chrome, so if you delete it, it goes right back (through no fault of Chrome's). The only solution for now is to find and disable the malware. On Windows, we will soon be blocking side-loaded extensions to prevent this sort of thing from happening.

Comment Re:Open Source! At least it isnt DRM laden like St (Score 1) 88

The difference with GOG is that with Steam games -- even those that don't use Steamworks -- you need to use Steam AND have a working Internet connection to install the game, so you are not truly separated from Valve's ecosystem. With GOG, you can download all the games you own, back them up to a portable hard drive, and then you can play all the games regardless of your Internet connectivity or GOG's continued existence, even if you change or wipe your computer. With Steam, you can only play these "DRM-free" games until you next need to re-install them for whatever reason.

Back in, say, 2000--2004, a game that needed the Internet to phone home during installation (but not every time you play the game) would have been considered an unacceptably intrusive form of DRM by some. It's funny how the public perception of DRM has changed so much that phone-home-on-install is no longer considered to be DRM at all. Well, it still is, because it's a server that controls your ability to use a product you have already paid for. Granted, it's relatively mild DRM, but it's still DRM.

I suppose that once you install a non-Steamworks game, you could manually grab the files and zip them up and archive them, but Steam doesn't make it easy. If you had, for example, used Steam's "back up game" feature, you would find that it requires a phone-home to restore the backup. In addition, Steam doesn't make it easy to play these non-Steamworks games without using Steam. All the Start Menu and Desktop shortcuts launch Steam with a particular game ID, not the game .exe directly, so using these shortcuts either requires that you are signed in to Steam, or have explicitly put Steam into offline mode. It's actually quite difficult for the average user to figure out how to run these so-called "DRM-free" games without Steam. So yes, is absolutely more entitled to be praised as offering DRM-free games.

Comment Re:Why all the fuzz... (Score 2) 348

You're missing the point. DRM is not bad for independent site authors (of course they can ignore it). It's bad for users because it restricts the set of browsers / operating systems they are allowed to use. That is not the point of the Web -- the point of the Web is that anybody can implement a free web browser using open tools and information. If this goes through, then I will have to use Hollywood-approved browsers to access the web. I won't have any "problems" as long as I use browsers Hollywood trusts with their keys. That is NOT how the Web is supposed to work.

Well, if you object to having DRM in the standard, then you should also have to object to anything in the standard that replaces stuff like Silverlight and Flash.

If you object to Hitler, you should also object to anybody else who has a moustache....

This is not like Silverlight and Flash, because those are not part of the web, they are separate plugins. True, a fully open system cannot access their content. But at least it's limited to content that loads up in a box in a plugin. Inviting DRM into the HTML standard means we could soon start seeing images that can't be saved to disk, text that can't be copied, etc, by simply using the same EME technology already established for video. Basically, I am worried that a lot MORE content will become DRM-encumbered now that the W3C has said it is okay.

Comment Re:What to get? Copy protection only. (Score 1) 348

What do you mean "all it does is prevent copying"? You do realise that everything that a computer does is copying, right? Watching a video is copying, therefore, DRM prevents watching videos unless certain specific circumstances are met. You said it yourself:

All this mechanism should do is restrict a container of content to one or more specified devices.

How is that an appropriate mechanism for the Web? The Web is supposed to work on all devices. If there is a device that the Web doesn't work on (assuming it is technically powerful enough), I should be able to implement a Web browser on that device to make it work. I should not need permission from any company to do so. That is the whole point of the Web, and it's the reason it is better than all of the other proprietary Internet services (like AOL, MSN) that came before it.

Comment Re:MOD PARENT UP (Score 2, Interesting) 307

Chromebooks come with instructions on how to both:
a) unlock the bootloader and boot into a version of ChromeOS that gives you access to the Linux file system, allowing you to run arbitrary binaries including a modified kernel or Chrome executable, and
b) install alternative operating systems including Ubuntu, as well as running Ubuntu in a chroot (see: Crouton) so you can switch between ChromeOS and Ubuntu without rebooting.

There is nothing user-hostile about Chromebook's boot protection. They just come with the security enabled by default (and make it a bit tricky to disable it so that an ordinary user does not accidentally flip the switch off). That is totally different from hardware that physically does not let the user install custom binaries.
