Google Releases Chrome 6, Pays $4337 In Bounties

Trailrunner7 writes "Google has released a new version of its Chrome browser and has included more than a dozen security fixes in the update. The new version, 6.0.472.53, was released two years to the day after the company pushed out the first version of Chrome. Google Chrome 6 includes patches for 14 total security vulnerabilities, including six high-priority flaws, and the company paid out a total of $4,337 in bug bounties to researchers who reported the vulnerabilities. A number of the flaws that didn't qualify for bug bounties were discovered by members of Google's internal security team." (Read on for more, below.) Also on the Chrome front, morsch writes "Chrome 7 for Linux is planned to tie in with the Gnome Keyring and the KDE Wallet to securely store saved browser passwords. Users of the stable version of Google's Webkit-based browser might be surprised to find out that, so far, passwords are stored on the hard disk as clear text. On Windows, Chrome has always used a platform-specific crypto API call for encrypted storage. The corresponding Linux function was never implemented — until now. Unstable versions of Chrome 7 still disable the feature by default; it can be enabled using a parameter."

Wheel of Bug Chasers!

[LostCluster]

I'm not quite sure America has its value system on straight. Hit the right spaces on the Wheel of Fortune and solve two or more puzzles, and you could win $1,000,000. Answer 15 multiple choice trivia questions in the hotseat in front of Regis Philbin, wait, what it's now 12 questions in the new season walking around the stage with Meridith Vieira? Still $1,000,000. Ken Jennings is extremely smart, but he took Jeopardy! for multiple millions. Discover a flaw in Internet Explorer or Windows or just go after somebody else's research and count on the unpatched systems being still online... and you just got the ability to run a botnet if you're evil. Untold riches there. Discover flaws in Google's Chrome... and you get paid. But the entire panel of winners gets less than $5,000 for their trouble... Something's not right in the equity here.

Re:Wheel of Bug Chasers!

[ak_hepcat]

so, hunt down big companies willing to spend money advertising that they're sponsors of Chrome Bug-hunt.

Otherwise, you won't have that kind of money just waiting to be spent for every little null pointer dereference fix.

Re:Wheel of Bug Chasers!

[LostCluster]

What? Google's not big enough? They need to find sponsors in order to make money? Oh, wait a second...

Re:Wheel of Bug Chasers!

[Fluffeh]

so, hunt down big companies willing to spend money advertising that they're sponsors of Chrome Bug-hunt.

Otherwise, you won't have that kind of money just waiting to be spent for every little null pointer dereference fix.

Lets get that massive super multi billion dollar every-national company GOOGLE to sponsor the Chrome Bug-Hunt. Wait... what?

Re:Wheel of Bug Chasers!

[symbolset]

Maybe they could sell some advertising space on their website. I hear they get a lot of traffic.

Re:Wheel of Bug Chasers!

[bonch]

Give me a break. You turn a bug bounty into a statement on American values. Your gameshow references are completely baseless and random. What a load of crap!

Re:Wheel of Bug Chasers!

[kdub432]

This is one of the dumbest arguments I've ever seen on slashdot.

Re:Wheel of Bug Chasers!

[iamhassi]

"Discover flaws in Google's Chrome... and you get paid. But the entire panel of winners gets less than $5,000 for their trouble... Something's not right in the equity here."

Well, you could always find flaws in Firefox, Windows, IE, etc and get paid nothing if you like.

$4,337 > 0

I say good for Google. What do you want from them, $43,370? $433,700? They're already paying more than anyone else.

Re:Wheel of Bug Chasers!

[insufflate10mg]

Give ME a break. I can't believe the "bug bounty hunters" would really sell a Google vulnerability for a thousand dollars - I used to mindlessly wipe asses and roll people over for two weeks for that. It's an insult to their intelligence considering the amount of work they put into the penetration-testing/logic analysis involved. An average-sized college internet-portal exploit would be worth $1,000... let alone one of the largest web services company in the world. I think $10,000 is much more appropriate.

Re:Wheel of Bug Chasers!

[Tubal-Cain]

Mozilla also pays bug bounties.

Re:Wheel of Bug Chasers!

[Bill,+Shooter+of+Bul]

We've never paid based on the actual value of services. In a free economy, prices should be set by the supply and demand. Even if the demand for a service is great, the price may stil be incredibly low due to high supply. Like water. Can't quite live with out it. What kind of value does that bring to you? More or less than a huge flat screen tv. Less?? But isn't water more valuable to you??!!!

Explaining the economics of game shows, is a bit too much for me at this hour. Safe to say, they contestants aren't paid a bunch because they are rare. Its not a free market.

And I'll just end by pointing out you presenting a false choice. Most people would decide to pay many regular workers significantly more, rather than pay a few game show contestants more. Its not their choice, and its not anyone's choice.

Re:Wheel of Bug Chasers!

Fucking niggers!

Re:Wheel of Bug Chasers!

[mldi]

What're you expecting here? Google to pay out bigger? I imagine that people would submit these flaws with or without the bounties. Nobody's forcing them to search them out. I'm amazed by the fact they're willing to pay anything at all.

Re:Wheel of Bug Chasers!

GNAA is a giant pain in the ass.

Re:Wheel of Bug Chasers!

You're just mad because you didn't think to join while it was still cool.

Re:Wheel of Bug Chasers!

You question the American value system, and you invoke game shows. And you use the word "Discover" twice, which is awfully close to "Discovery", as in "Discovery Channel". You haven't posted a manifesto on your web site recently, have you?!

(ducks)

Re:Wheel of Bug Chasers!

[uxbn_kuribo]

"I used to mindlessly wipe asses and roll people over for two weeks for that." Whats up, fellow Nursing Assistant? :(

Re:Wheel of Bug Chasers!

[Mr.+Bad+Example]

You might want to do some research before you start casually using the term "bug chasers". Hint: it already has a meaning, and it's almost certainly not what you think it is.

Re:Wheel of Bug Chasers!

[Dhalka226]

Give ME a break. I can't believe the "bug bounty hunters" would really sell a Google vulnerability for a thousand dollars

And yet they did. That must really shake your world view.

Believe it or not, when normal people discover a vulnerability and their options are "run a bonet" and "tell the manufacturer," most of them tell the manufacturer. Getting $1000 for it is an added bonus, not the incentive to action.

True, it's not going to create a whole new generation of professional bug bounty hunters living off their bounties, but that was never the intent. If they wanted to hire an army of extra bug hunters they'd put you on the payroll. If you're looking to get rich, do something else. If you're into it for the challenge or to be helpful or you happen to be mucking about with their browser as part of your day job, make a little extra money as Google's way of saying "thank you" for doing the right thing and helping them to make their free product--one you evidently use, if you're finding bugs in it--a better one.

If that's not good enough for you, well, fine. Don't look for bugs. Don't pass Go, don't collect $1,000. Your time is apparently better spent trying to get yourself a spot on Wheel of Fortune.

Re:Wheel of Bug Chasers!

[Jurily]

This is one of the dumbest arguments I've ever seen on slashdot.

You must be new here.

Re:Wheel of Bug Chasers!

$4,337 > 0 I say good for Google.

I say it's too much. Should have been $1337

Re:Wheel of Bug Chasers!

[delinear]

Exactly - it's a way of the company saying thanks and that they appreciate the efforts of the bug hunters, which is a refreshing change to the attitudes of most companies who just want to pretend bugs don't exist because fixes cost money. They could probably get plenty more goodwill than those other companies just by sending out a hamper of beer and gaming snacks, or a few free pizzas, so the fact that they're paying out a grand is a very nice thank you. It's a reward for regular people, not an incentive for criminals to change their ways.

Re:Wheel of Bug Chasers!

[Wastl]

The "bounty" is mostly a marketing instrument, and not so much a reward (just a nice gesture). The rationale is: "our software is so good that we can afford to give out bounties for the few bugs that you will find". A message to the majority of users, not to potential bug hunters. :-)

Re:Wheel of Bug Chasers!

[ryry]

The incentive of money destroys nearly any type of creative work (e.g., bug finding, vulnerability testing, etc). The lower Google keeps the $$ reward for the bug, the more likely they are to get people who are in it for the experience, professionalism, notoriety, or satisfaction of bug finding ... not the money itself. I bet Google would prefer to have the former type of people on their 'payroll' as they will likely be more loyal, find bugs deeper in the code, and overall contribute more to the project than someone who sees it as a paycheck.

Where's the love for the Mac passwords?

[LostCluster]

Google's honoring a password security effort in Linux, and at least calling a cyrpto function in Windows... but why no support for the OSX Keyring?

Re:Where's the love for the Mac passwords?

[Netshroud]

Chrome already uses the Keyring... at least it does for me.

Re:Where's the love for the Mac passwords?

[rezonat0r]

Do you mean Keychain? According to Wikipedia and my experience, Chrome already uses it.

Re:Where's the love for the Mac passwords?

[Kristopeit,+M.+D.]

it does for me too... not sure what the problem is. chrome doesn't even offer a version for powerpc machines, so no clue OP is complaining about.

$4337 in bounties?

$ 4337 in bounties? So thats one real hard bug $ l337 and $ 3000 worth of bugs that the skript-kiddies could have got.

Re:$4337 in bounties?

Beat it dude. No bronze leaguers.

If only it were $1337

[nermaljcat]

Someone should fudge that 4 to be a 1 =P

Re:If only it were $1337

[Kristopeit,+M.+D.]

uh... they did. that total is the sum of multiple payouts.

Print Preview?

[bunratty]

Does Chrome 6 have print preview? Can you open files with helper applications without having to delete them manually later? Do Flash videos play the audio correctly?

Re:Print Preview?

no, no and yes

Re:Print Preview?

[LingNoi]

Well it's a free application so why don't you just check it out instead of posting here waiting for a reply.

Re:Print Preview?

[vlueboy]

no, no and yes

My kingdom, for a mod point!

The parent AC's words above are currently invisible in some /. threshholds, but his answer to the GP is valuable. Even the weirdo Win32 GUI Apple's browser had now feels right at home on my machine after some GUI de-alienation improvements these past two years.

Google's ignoring print preview without some visible explanation is another reason I not to like their already-alien interface and odd point of view. It's what kept me on the fence with Opera vs Firefox vs. Chrom[e|ium.] Opera won.

Re:Print Preview?

[Urza9814]

Uhh...my Chromium 5 for Linux has print preview and proper flash support. And the same file download behavior as browsers like Firefox - I open a file the browser doesn't handle, it downloads to the folder I've specified for downloads. How is that a problem? As I said, it's the same thing Mozilla does. I don't _want_ a browser to just start deleting my downloads on it's own. If I tell it 'yes, download this file', that file should stay where it is until I decide to delete it.

Re:Print Preview?

[dakameleon]

I think the behaviour being asked for above is the "open with" behaviour common on other browsers, where the file is download to a temporary folder (e.g. $WINUSER$\Local Settings\Temp for Windows) for use by an application selected right from the download dialog. The temp folder can be cleaned up by the browser at a random date in future, or more often than not just sits there until someone decides to clean it out.

This just means the file is out-of-sight out-of-mind for a one-time-use scenario and the user doesn't need to concern themselves with file management post-use.

(Some might say this goes hand-in-hand with private browsing modes. You wait til you're cleaning out a Temp folder for a friend of a friend and notice the number of 30 second video clips...)

Re:Print Preview?

Chrome 7 will have print preview.
http://code.google.com/p/chromium/issues/detail?id=173#c75

Re:Print Preview?

[delinear]

Maybe his time is important and he's planning on paying out a bounty to anyone who can deliver the information to him.

Re:Print Preview?

[butlerm]

I use Chrome all the time, but I always go to another browser to print anything. Internet Explorer's printing support isn't all that great (always cutting stuff off on the right instead of scaling for example), but Chrome's (at least on Windows XP) is positively pathetic. It looks like a kindergartner did the kerning. More or less unreadable. I am looking forward to a fix for that.

Re:Print Preview?

[LingNoi]

I was going with the presumption that his time was worthless since he's on Slashdot and commenting.

Yep. My practices are justified.

[icannotthinkofaname]

Users of the stable version of Google's Webkit-based browser might be surprised to find out that, so far, passwords are stored on the hard disk as clear text.

I see. So that's why I keep my passwords stored in my head. No virus that can live in my head can read my passwords out of there, AFAIK.

AEET!

Just seeing how much money they paid out makes me scream...

AEET! AEET! AEET!

Crazy Article

[bipbop]

I just looked at the article briefly, and it states "A second high-priority flaw, a sandbox parameter deserialization error, was discovered by two members of Adobe's Reader Sandbox Team." What the--Adobe has a security team? That's crazy talk!

Re:Crazy Article

Yah, Gerald sits right next to the performance team... behind the locked door, down the stairs, inside the cubicle door marked 'beware of the cougar'.

Re:Crazy Article

[TooMuchToDo]

Notice that they're too busy working on finding holes in Chrome to be working on Adobe products ;)

I kid!

Re:Crazy Article

[n0-0p]

FWIW, they thanked members of the Chrome team a few months ago when they announced sandboxing support in an upcoming version of Acrobat Reader.

Re:Crazy Article

[stealth_finger]

two members of Adobe's Reader Sandbox Team." What the--Adobe has a security team? That's crazy talk!

No, they have a sandbox team, they just happened to messing around on a laptop while playing in their sandbox.

Re:Crazy Article

[silentcoder]

>Notice that they're too busy working on finding holes in Chrome to be working on Adobe products ;)

That's because unlike Adobe, Google actually PAYS them to find holes :P

Re:Crazy Article

[IllusionalForce]

Indeed, Adobe has a security team. They're just too busy fixing other people's stuff to find vulnerabilities in their own products.

Re:Crazy Article

Ugh... Ever since that video, I feel nauseous every time I see/read/hear the word sandbox.

Re:Crazy Article

Well, it depends on your definition. The security team is apparently intended to provide an extra stream of revenue by earning bounties from other software makers; they're too busy to find or fix vulnerabilities in their own software. :P

Re:Crazy Article

[elrous0]

I'll have you know that Zeke and Rufus are very hard workers. They've overcome a lot in life, and here you come along and insult them. Shame on you.

Re:Crazy Article

[Jesus_666]

Someone has to find and squash all those bugs that cause Adobe plugins to occasionally perform adequately.

Re:Crazy Article

[rvw]

I just looked at the article briefly, and it states "A second high-priority flaw, a sandbox parameter deserialization error, was discovered by two members of Adobe's Reader Sandbox Team." What the--Adobe has a security team? That's crazy talk!

Not so crazy when you see the sandbox team members!

"paid out a total of $4,337 in bug bounties"

[Snufu]

How does this goggle company plan to stay solvent throwing money around like this? Don't they know we are in a recession?

Version bloat

[R.Mo_Robert]

Any reasion for the version-number bloat? I mean, I guess it looks a bit cooler next to IE 8, but I don't really think people are that naive.

Re:Version bloat

[ksandom]

In 2015.... Chrome 256 released!

Re:Version bloat

[rezonat0r]

I'm guessing you missed their highly re-reported blog post regarding the new release schedule.

Re:Version bloat

[greenguy]

You, sir, need to study your P.T. Barnum.

Re:Version bloat

[LostCluster]

Browser history is filled with skipped numbers to keep up with the competition... see also Netscape vs. IE.

Re:Version bloat

[maccodemonkey]

I was amazed they've already flown past an older browser (Safari) in version numbers, and they're inching toward IE territory.

Seriously Google. This sounds like a .1, or even a .0.1 release. Don't be afraid of little bumps. It didn't sound like any new significant features were introduced.

Re:Version bloat

[Tubal-Cain]

Firefox is older than Safari (OK, so it was Phoenix at the time...) and is only at 3.x or 4.0 (beta)

Re:Version bloat

Right because every company uses the exact same version scheme and their numbers all mean the same thing across the board. Why do people keep getting hung up on this. If you want a version number use the source revision.

Re:Version bloat

[dropadrop]

Is it out of beta already?

Re:Version bloat

[dougisfunny]

They figure once they get to 6 they can coast for years.

Re:Version bloat

[TaoPhoenix]

Then there's the Linux Kernel. When will they ever go to Kernel 3.0?

Re:Version bloat

[Ant+P.]

1 - 2 - 3 - 4 - 5 - 6 is a lot more sensible than 1.0 - 1.5 - 2.0 - 3.0 - 3.5 - 3.6 - 4.0.

Re:Version bloat

[RicktheBrick]

I have the 64 bit Linux version of chrome on my Ubuntu OS computer for close to two years now. I bet that I have downloaded about 500 million bytes of updates to it since. The program still will not play any youtube videos. The flash plugin states error wrong architecture i386. I keep hoping the next update will solve that problem.

Re:Version bloat

[kc2keo]

In 2025... Chrome 360 released!

Re:Version bloat

[DragonWriter]

Any reasion for the version-number bloat?

Chrome's versioning scheme seems to have always been that major version numbers are general feature releases, and almost everything else is bug-fix (third-number releases). Their versioning is pretty rational, the only thing is that the second number seems pretty superfluous, since they don't ever seem to have any releases that qualify for whatever standard they have for that (I can't remember every seeing a Chrome version that wasn't x.0.y.z [z being the build number))

Re:Version bloat

[DragonWriter]

Seriously Google. This sounds like a .1, or even a .0.1 release.

Scheduled releases with feature upgrades are major version numbers in the Chrome versioning scheme. This is such a release. Consequently its a major version bump.

Google scheme seems to me to be less arbitrary that what their competitors use, where a feature release may bump the major version by 1 or the minor version by 1 or more.

Re:Version bloat

[revlayle]

Version 6 also contains the new Chrome UI updates and all the other v6 stuff they have been working on the past few months. However, it is true that their major release number advancements are fast. This particular issue simply marks the stable release for v6.

Re:Version bloat

[delinear]

In [ad] 2101... war was beginning!

Re:Version bloat

They forgot it's ultimately all about the three point seven, seven,..,seven.. seven .. (sorry for an old, unfunny Friends joke)

Re:Version bloat

[__aailob1448]

The same reason Microsoft used the name xbox 360 instead of xbox 2. Because they'd rather not overestimate their consumer's intelligence.

Frankly, I can't say I blame them. All people are ignorant and stupid about most things, myself included.

Re:Version bloat

[treeves]

But also a bit less informative.
If they do it right, I know that the change from 3.5 to 3.6 is much less significant than the change from 3.6 to 4.0.
I have no idea what happens between Tiger, Snow Leopard, Polecat and Throat-Warbler Mangrove.

Comment removed

[account_deleted]

Comment removed based on user account deletion

$4,337 from a multi-billion dollar company?

[syousef]

It's nice that they're paying but if that's $4337/14 = roughly $310 per bug you'll just have to forgive me if I don't quit my day job to focus on debugging Chrome.

Re:$4,337 from a multi-billion dollar company?

[Kristopeit,+M.+D.]

yeah, and why aren't they charging us for chrome? stupid billionaires.

Re:$4,337 from a multi-billion dollar company?

[LingNoi]

Since you're not going to RTFA or even the summary i'll repost it here..

includes patches for 14 total security vulnerabilities, including six high-priority flaws, and the company paid out a total of $4,337 in bug bounties to researchers who reported the vulnerabilities. A number of the flaws that didn't qualify for bug bounties were discovered by members of Google's internal security team.

The new release of Chrome also fixes an older bug, a Windows kernel flaw, that Google had thought it fixed in a previous version.The highest bug bounty, $1337, was paid for an integer error in WebSockets found by Keith Campbell. A second high-priority flaw, a sandbox parameter deserialization error, was discovered by two members of Adobe's Reader Sandbox Team.

Re:$4,337 from a multi-billion dollar company?

Well obviously they found somebody to do it for that price. So I guess the multi-billion dollar company has it valued just right.

Welcome to capitalism.

Re:$4,337 from a multi-billion dollar company?

[blai]

tl;dr

Re:$4,337 from a multi-billion dollar company?

[sirsnork]

Not that I don't like Chrome being better, but shouldn't the Adobe team work on their own products *cough* 64 bit flash player *cough* before find other products to fix?

Re:$4,337 from a multi-billion dollar company?

[Tubal-Cain]

When integrating your plugin with someone else's application and you run into a bug in the parent app, you have 2 options:

• Spend lots of time and effort working around the bug, duplicate the workaround in every plugin you make, and hope that other plugins encountering the same bug don't impact yours.
• Get the bug fixed.

Re:$4,337 from a multi-billion dollar company?

Yeah, like, the time it would take to properly document it would be what, 8 hours? That's like 10k or more in my bosses pockets, why would I waste a minute thinking about it?

Re:$4,337 from a multi-billion dollar company?

[dakameleon]

The highest bug bounty, $1337

$1337? Oh come on!

Re:$4,337 from a multi-billion dollar company?

It just goes to show how many stupid people there are. Work DAYS for $310, that's a great plan. What are you going to do with that? High five your friends at home and have a pizza party? Meanwhile google adds $millions of value to their name. Once a sucker, always a sucker.

Re:$4,337 from a multi-billion dollar company?

[sco08y]

It's nice that they're paying but if that's $4337/14 = roughly $310 per bug you'll just have to forgive me if I don't quit my day job to focus on debugging Chrome.

That $310 check from Google is worth a lot more than its face value in establishing your credibility as a security researcher.

Re:$4,337 from a multi-billion dollar company?

[sco08y]

The highest bug bounty, $1337

$1337? Oh come on!

Well, $5318008 was a bit much.

Re:$4,337 from a multi-billion dollar company?

[Yvanhoe]

That's not the intent. But if you find a bug, it gives you an incentive to make a complete and clean report.

Re:$4,337 from a multi-billion dollar company?

Help for the geek-impaired: 5318008 -> 8008135 -> BOOBIES

Re:$4,337 from a multi-billion dollar company?

[Tim+C]

Geek impaired? On slashdot?

Re:$4,337 from a multi-billion dollar company?

[delinear]

So previously they paid nothing for finding and reporting bugs, but nobody complained because that's the industry norm. Suddenly they start paying a token thank you gratuity and you're acting like this makes them villains? How much are MS paying? (I'll give you a clue, it rhymes with "hero" but it doesn't make them heros any more than this move makes Google villains...)

Re:$4,337 from a multi-billion dollar company?

[ryry]

Hm, that number doesn't look like an accident to me :-) Seems more like G's way of creatively rewarding people -- that is a decent chunk of change (although I'm not sure how much work was required to find it) and it's a nice little in-joke/recognition of the nature of both the work and the bug-finder :-)

It's too bad they couldn't pay out 7|-|4|\||5 ;-)

Re:$4,337 from a multi-billion dollar company?

[ryry]

Errr I screwed up that 1337-5p34k at the end there ...

WooHoo !! $4337.00 WooHoo !!

Google better watch out or it'll go BUST with a bounty such as this !! WooHoo !! Get cracking !! But then the mob pays that every day. Which shall I go with ??
    (
    }
      {
      |
KNEEL !!

My browser progression is a bit weird

I went from Netscape to Firefox to Opera to Chrome, without ever stopping at Internet Explorer (except at work, where it is the default).

I have to say, though, that I've removed everything but Chrome (and the ubiquitous and hard to remove IE8) from my home computer. It really is an excellent browser.

Re:Yep. My practices are justified.

You could also use Keepass. Not as safe as your head, but can store more than a few passwords.

Are you feeling safe punk ??

So you removed them all but Google. You're saying to yourself, if google reads my mail, and stores my searches, and takes pictures of where I live, do I feel like I can use their browser? You trust Google knowing this ?? YYu are one fucking idiot !!

that's

That's 0.0.082.78 per day!

Re:Yep. My practices are justified.

[vlueboy]

No virus that can live in my head can read my passwords out of there, A.F.A.I.K.

(emphasis mine)
Now THAT's an open mind!
*ducks*

Aeet?

First thing I thought when I saw 4337 was "What the fuck is Aeet?"

Re:Aeet?

[Chameleon+Man]

I was thinking more along the lines of "Deet", which is pretty good at repelling bugs :)

Re:Aeet?

[Anynomous+Coward]

Actually, $4337 is 'Saeet', a phonetic transcription of the middle eastern name 'Saïd'.

Re:Aeet?

[ian_from_brisbane]

First thing I thought when I saw 4337 was "What the fuck is Aeet?"

You may have only been joking, but I also seriously thought that.

Re:Aeet?

[ballpoint]

That's what she said...

Re:Aeet?

funny, I read it as heet...

Re:Aeet?

It's like "aight," isn't it?

Re:Aeet?

I thought Saïd was on Lost, but did not exist in real life.

Guess that is what I get for being an Anonymous Coward. 8->

Join cast of Jersey Shore if you want money

That butt-face dude makes 5 grand an appearance, just for showing up. He looks stupid. Must be to only get 5 grand.

Paris
Because I am the whore you always wanted

Linux Logins

[idcard_1]

FYI your linux logins on Ubuntu are stored in this file: /home/username/.config/google-chrome/Default/Login\ Data just do "strings Login\ Data" and you have those passwords. :(

Re:Linux Logins

[Zixaphir]

wtf is /home/username? In my days, we communicated home as "~/". You can read it as tilde slash or even tilde slash dot, but it doesn't matter. ~ sweet ~.

Re:Linux Logins

On my ubuntu 10.04 box, I have Chromium (not Chrome) from the Ubuntu repository and the file isn't located in the same location. Perhaps it's somewhere else, but haven't found it yet. So it could be Chromium is less vulnerable?

Re:Linux Logins

[LingNoi]

On ubuntu at least this should be in seahorse or something. Not in an unencrypted sqlite db. Very poor.

Re:Linux Logins

[moonbender]

Yes, that is what they are (finally) doing with Chrome 7.

Re:Linux Logins

[laci]

Even if you decline storage of your passwords some still make it into the "Web Data" file!

--Laci

Re:Linux Logins

[bipbop]

or $HOME, though that is of course not exactly the same thing.

ooh

Once it works with Murrine-ARGB and the Ubuntu appmenu bar, i don't see anything to pull me back to Epiphany again. It'll be just as native, and three orders of magnitude more performant on JS.

Re:ooh

I'm guessing you have no idea what "order of magnitude" means?

WTF, these passwords are stored in the clear

I've just confirmed the above, and it's the same on other Linux distros, not only on Ubuntu.

I hope this is some dreadful oversight! An application of Chrome's stature cannot be storing passwords in the clear by design, surely ...

Re:WTF, these passwords are stored in the clear

FYI, chromium stores them slightly differently on mine (replace google-chrome with chromium in the given path), but has the same problem.

Re:WTF, these passwords are stored in the clear

[Ant+P.]

They should've done like mozilla and stored them in Mork format, nobody would be able to read them then

Implement your own secure storage strategy

[nick1000]

As a Linux application developer who has used keyring/kwallet for saving secure passwords in the past. I'd recommend not to use them.

Various different distributions have different versions of the these utilities and their libraries. There are so many variations that it becomes hard to support all versions. Most desktop linux end users have never used them and when they see a warning window popping up (which these utilities tend to show). They cancel the window rather than going through the authentication process.

Just my 2 cents.

Re:Implement your own secure storage strategy

[tendays]

I agree the current situation is far from perfect (Ideally, the people at freedesktop.org would build a unified centralised password access protocol like they did with dbus etc, so applications developers wouldn't have to implement all existing protocols every time) but having each application implement its own strategy is worse.

Three reasons:

First, the user either has to type as many master password as there are implementations (Now I have to type three passwords when logging in: the session password, the kwallet password, and the firefox password because firefox doesn't integrate with kwallet) or store them in cleartext (or in an easily decrypted format). If I had to type one master password for each program that needs passwords (IM, browser, email, irc, gpg, ssh, etc), that would mostly defeat the purpose of them.

Secondly, having a single storage space enables sharing passwords securely between applications. Now I need to save my passwords separately for firefox, konqueror, and chrome. You'll say "stick to a single browser then" but it shouldn't have to be like that.

Third, writing your own implementation increases the risk of having bugs that lead to security holes, compared to a single implementation that got polished over time.

I'm not sure your statement that most users don't use those is right but know too little a sample to support my opinion (I don't know that many linux users but all of them, and not only experts, do use gnome keyring, and I use kwallet).

Re:Implement your own secure storage strategy

[Abcd1234]

Implement your own secure storage strategy

Yeah, that's always a good plan: reinventing the wheel and implementing your own encrypted storage solution. I'm sure your average Linux developer is qualified to do that. What could possibly go wrong?

Feel Save AND Fresh

You're on Linux, the most trusted, secured and freshest OS in the universe !!

Why do you care if Google leaves your creds in the clear? If someone can read them, you are already OWNED !!

Yours,
Shirley, the one and only Summer's Eve girl

Re:Feel Save AND Fresh

[mcgrew]

Shirley you jest!

Marusya

When integrating your plugin with someone else's application and you run into a bug in the parent app, you have 2 options
http://marusya-serial.ru/

Re:Yep. My practices are justified.

[tokul]

Users of the stable version of Google's Webkit-based browser might be surprised to find out that, so far, passwords are stored on the hard disk as clear text.

What's your point?
If you ask browser to remember passwords, they will be stored somewhere in plain text or in some form that can be decrypted. Browser has no way to remember passwords without saving them somewhere. If passwords were stored on Google servers, then it would be an issue.

warning... haiku

[breman]

like a mirror,
only not really,
unless you shine it up,
you can see yourself in it.

Re:warning... haiku

[Superdarion]

That doesn't have any of the elements of a haiku. It's just a poem, you pompous ass.

Re:Yep. My practices are justified.

You could also use Keepass.

Really bad name for a program meant to keep something.

Video on the other hand...

> Do Flash videos play the audio correctly?
Yes. The video on the other hand, as in all browsers, is a different story. We're still waiting for the fix from Adobe. In the meantime, you can use the following user script:
----(start of file)----
// ==UserScript==
// @name YouTubeWMP
// @version 1.0
// @description Replaces Flash player with WMP in YouTube.
// @run-at document-start
// @include http://www.youtube.com/*
// ==/UserScript==

flp=document.getElementById("movie_player");
flp.outerHTML = "<EMBED type='application/x-mplayer2' width='" + flp.width + "' height='" + flp.height + "' src='" + unescape(flp.getAttribute("flashvars").match(/&fmt_url_map=[^&]*%7C([^&]*)/)[1]) + "' autostart='true' autosize='-1'></EMBED>";
----(end of file)----
This script is for YouTube, you can make similar ones for other sites easily. Just use the resources panel in the developer tools to figure out where to get the link to the flv stream.

Re:Yep. My practices are justified.

> AFAIK

What about rootkits?

Re:Yep. My practices are justified.

[selven]

Some kind of encryption as obfuscation, DRM-style, is still better than just plain text. One of the tricks used by people who steal hard drives is to try every possible chain of subsequent bits as a password. It's only at most a few trillion tries (less than brute-forcing an 8-char alphanumeric password, and quite feasible with a botnet or a few days of time), and often as few as a few billion, but it gets passwords right quite often. Encryption would defeat this attack.

And it's ACID3 compliant!

[VincenzoRomano]

At least the Linux version for x86_64.
Try it

Re:And it's ACID3 compliant!

Too bad a perfect score there hides flaws they didn't fix because they weren't in the test.
Only Firefox 4 nightly builds render this SVG SMIL animation of a simple counter properly.

Re:And it's ACID3 compliant!

[LingNoi]

Looks fine in Chrome on OSX to me. Animates and everything.

Re:And it's ACID3 compliant!

[VincenzoRomano]

Also under my Kubuntu 10.04 x86_64 is fine. But am not sure on how the correct rendering should look like ...

Re:And it's ACID3 compliant!

Does anyone have an opinion of SRWares Iron browser?
  * https://secure.wikimedia.org/wikipedia/en/wiki/SRWare_Iron

Its a version of Chromium which aims to remove all the user tracking information.

Might be wrong but it does not appear to be in any repositories, so its a (albeit simple) manual install.

Direct link to their website:
    * http://www.srware.net/en/software_srware_iron.php

Re:And it's ACID3 compliant!

[Woogiemonger]

If you clicked on the "A" after it's fully rendered, you see some of the timing issues with the tests that may have passed. For this version of Chrome, all I saw was: "Test 69 passed, but took 7 attempts (less than perfect)." From a Slashdotter's perspective, I'm happy to get even one attempt at THAT test!

Re:And it's ACID3 compliant!

[Woogiemonger]

Iron is supposedly a scam according to some web sites: http://chromium.hybridsource.org/the-iron-scam

Re:And it's ACID3 compliant!

[Nimey]

Mine said that test 26 passed, but took 35ms (less than 30fps). Nothing else to report.

Maybe not such a good idea

[cheezegeezer]

>>"Chrome 7 for Linux is planned to tie in with the Gnome Keyring and the KDE Wallet <<

There is one piece of bloat i remove every single time on any install it is the incredulous crass invasion that is the KDE Wallet system it should be a if you want it go looking for it and tick the box thing NOT an install by default ,

These central pass word depositories are not a good idea sorry devs but the idea SUCKS so big it is almost untrue

MOD PARENT UP

[cyclomedia]

There is no universal ISO IEEE Regulatory standard for software version numbers, it's meaningless to compare them. Personally I mostly ignore them and look at the release or file date.

Re:MOD PARENT UP

[Abstrackt]

There is no universal ISO IEEE Regulatory standard for software version numbers, it's meaningless to compare them. Personally I mostly ignore them and look at the release or file date.

My conversation with an average user:

Them: "What browser are you using?"
Me: "Firefox."
Them: "It looks neat. Is it any good?"
Me: "Yeah, I like it. You can try it if you want."
Them: "This is pretty good. What version are you running?"
Me: "Version 3.6."
Them: "Oh, if they're only on 3.6 I'll just stick with IE8."
Me: *facepalm*

I did give them the "version numbers don't mean much" spiel after that but their eyes had already glazed over when I said a number less than 8. Sometimes I think a standardized numbering system would be a good thing.

Re:MOD PARENT UP

[TheSeventh]

I don't think we should dumb things down for the lowest common denominator of intelligence out there. TV and Movies already do that way too much of the time.

What does that say about Windows then? They are only on Version 7, although I hear they used to have a 95 and a 2000 . . . So is IE8 more advanced than Windows 7? And is Windows 7 less advanced than Windows 95? After all, 95 is a bigger number.

Re:Yep. My practices are justified.

[tokul]

Some kind of encryption as obfuscation... Encryption would defeat this attack.

It does not defeat anything. Decryption password is stored in same location as encrypted data.

Re:What's the point of Encrypting if it's so easy.

[gazbo]

So that when someone steals your laptop they don't get access to your passwords/CC numbers? The only security that Firefox's master password provides that Chrome doesn't is if you happen to leave your computer logged in, unlocked and unattended but just happen not to have entered your master password into Firefox yet.

Re:What's the point of Encrypting if it's so easy.

[Richard_at_work]

Firefox, on the other hand uses a password that protects them either when you try to view the passwords through the dialog box, OR when the passwords have to get loaded in order to be used by a site.

Not by default it doesn't - "Use a master password" is unchecked by default, meaning very few people are actually protected by it.

Re:Yep. My practices are justified.

[noob749]

I see. So that's why I keep my passwords stored in my head. No virus that can live in my head can read my passwords out of there, AFAIK.

No, dude! That's what they want you to think!!! Quick, forget all your passwords and go stand next to somebody that's thinking about windows xp...

Re:Yep. My practices are justified.

[silentcoder]

>I see. So that's why I keep my passwords stored in my head. No virus that can live in my head can read my passwords out of there, AFAIK.

In other news Hacker Geneticists start breeding Meningitus that can talk...

It was released finally

[darkat]

I have been using 6 Beta for two months because of the instabilities of version 5.x. Typing something in the location bar was often enough to crash the browser. Chrome is not complete or flexible as the the other browsers on the market but for sure is the faster. This only thing makes me to prefer chrome over the others.

Does HTTPS over proxy work yet?

[MrCrassic]

It's a pretty big showstopper for me, since it makes using it at work extremely difficult to do. I do wish it had its own proxy engine like Firefox does.

Re:Does HTTPS over proxy work yet?

[domatic]

That lack of a proxy engine makes Chrome/Chromium mostly a no-go for me. I need to be able to switch which proxy I'm using in the browser on the fly without affecting the rest of the OS. Foxyproxy does this very well in Firefox but the closest Chrome equivalent I could find just does an awkward switch of the OS proxy settings.

Re:Does HTTPS over proxy work yet?

[z4ce]

You can use the command line switches of chrome (--proxy-server), which is kind of awkward but not too bad. http://www.chromeplugins.org/tips-tricks/chrome-command-line-switches/

Re:Does HTTPS over proxy work yet?

[domatic]

I knew about that but I ride herd on a number of buildings each having it's own proxy server. When I'm slinging issue tickets, it is much easier to switch among those proxies on the fly. For work such as verifying the operation of a proxy, Chrome's virtues like javascript and rendering speed don't make up for my ability to quickly switch the context Firefox operates under on the fly. I also maintain a ssh socks 5 proxy to my home connection if I want to verify whether or not an issue is confined to our network or is more general. Foxyproxy-like functionality at work really is a deal breaker as far Chrome is concerned.

I'd dearly love to have Chrome's greasy speed mated to Firefox's interface and versatility. Unfortunately, I have yet to see anything like that on the horizon.

Re:Yep. My practices are justified.

[Terrasque]

A password that only lives in your head is of little use. Sooner or later you'll have to use it somewhere, and a virus can easily read it from the keyboard buffer / form field. Maybe it's even more likely it reads the password from a form than from where it's stored at the disk. While there are A LOT of ways to store passwords on disk, it's pretty limited in the ways you can use them.

Re:Yep. My practices are justified.

[moonbender]

Firefox can optionally use a master password to encrypt the other stored passwords. You have to enter the master password once per session (or, if you prefer, every time you access the store). This doesn't prevent a determined attacker who has root from getting those passwords (he could use a keylogger to get the master password, etc.). But it does mean that sheer physical access is not enough, so if someone copies your Firefox profile, or restores it from an old HD, the passwords still would need to be decrypted. If I understand correctly, using the Gnome login keychain is just as safe as the Firefox master password, it's stored in an encrypted fashion and decrypted at login (using the user's password, I guess?).

Re:Yep. My practices are justified.

[moonbender]

The decryption password isn't stored anywhere. You have to remember it. But remembering one password beats remembering 10, 20 or 100.

Re:What's the point of Encrypting if it's so easy.

[blueg3]

The password-required feature is logging in to your user account. Chrome uses the Windows encryption facility that piggybacks off of Windows user logins.

Re:Yep. My practices are justified.

Not really, it's not. It gives a false sense of security when in reality the password is going to be easily retrieved from disk by a hacker. The only way to properly secure passwords is with another password, and proper encryption that uses this password somehow to derive its key. See: http://developer.pidgin.im/wiki/PlainTextPasswords

Re:Yep. My practices are justified.

Yup. If the browser can decrypt them, so can a virus.* But it is well-known that most people suck at remembering passwords and the security risk of choosing bad passwords is worse in most cases than that of the browser remembering them. And if the browser doesn't remember them, people *will* use easy to guess passwords, and are economically justified in doing so.
* Note: you can make the area where passwords are stored privileged so that the kernel can decide to only let the browser in. For this to work reasonably well, you'd also have to make sure that viruses can't infect the browser. It's possible, but neither Windows nor Linux do this, although I gather that the Mac does. But it doesn't run the software I want to use on the computer I want to use, so yeah.

Re:Yep. My practices are justified.

[barzok]

It uses Keychain on OS X AFAIK, and there's a 1Password plugin for it so you can use that as well.

Use LastPass for passwords

[Cato]

Try using http://lastpass.com/ for Chrome passwords - it encrypts the passwords on disk (of course), has a lot more features, and is a cross-browser plugin for Firefox, IE, Safari as well as Chrome, on Windows/Mac/Linux etc. It also has paid-for versions for iPhone, Android, etc, and syncs the passwords to the cloud.

Re:Yep. My practices are justified.

[arndawg]

You could also use Keepass. Not as safe as your head, but can store more than a few passwords.

this
I use keepass and dropbox to sync the keepass database between my most used computers. The downside is that I can't access stuff i don't remember when i'm not at one of those computers. Before keepass i just used 3 or 4 different passwords for every site.

Re:Yep. My practices are justified.

[Abcd1234]

If you ask browser to remember passwords, they will be stored somewhere in plain text or in some form that can be decrypted.

It's called a password-protected, encrypted keychain, and it's hardly new technology.

It refers to the independent testing community

[daemonenwind]

It's nice to see the broader technical community getting recognition from Google as.... ...bringin' the HEET

Re:Yep. My practices are justified.

It uses the Keyring on OSX which is secure AFAICT

Re:Yep. My practices are justified.

[delinear]

It was inspired by Pulp Fiction.

Re:What's the point of Encrypting if it's so easy.

[mehrotra.akash]

To see the passwords you need to enter the master password again, else the passwords can be used, but not revealed, so as soon as firefox is closed/crashes the passwords will be useless..

STEEL

You dummorz can't even R33d???

wouldn't a more effective strategy

[pyschopimp]

be posting a bug bounty for bugs of other browsers?

Re:Yep. My practices are justified.

[tokul]

The decryption password isn't stored anywhere.

Last time I've checked IE and Mozilla does not require any password to be set to remember passwords. Mozilla does have master password, but the only time I was confronted with it was when I didn't use it and lost all my IceDove passwords during upgrade. Konqueror can use Kwallet, but it is most annoying thing in KDE.

Re:Yep. My practices are justified.

[moonbender]

Not sure what your point is. The master password function in Firefox is optional. If you don't use it, you don't have to remember a password. If you do use it, you do have to remember a password, since obviously Firefox doesn't store it anywhere.