Google Releases Chrome 6, Pays $4337 In Bounties

timothy posted more than 3 years ago | from the working-in-the-background dept.

Trailrunner7 writes "Google has released a new version of its Chrome browser and has included more than a dozen security fixes in the update. The new version, 6.0.472.53, was released two years to the day after the company pushed out the first version of Chrome. Google Chrome 6 includes patches for 14 total security vulnerabilities, including six high-priority flaws, and the company paid out a total of $4,337 in bug bounties to researchers who reported the vulnerabilities. A number of the flaws that didn't qualify for bug bounties were discovered by members of Google's internal security team." (Read on for more, below.)

Also on the Chrome front, morsch writes "Chrome 7 for Linux is planned to tie in with the Gnome Keyring and the KDE Wallet to securely store saved browser passwords. Users of the stable version of Google's Webkit-based browser might be surprised to find out that, so far, passwords are stored on the hard disk as clear text. On Windows, Chrome has always used a platform-specific crypto API call for encrypted storage. The corresponding Linux function was never implemented — until now. Unstable versions of Chrome 7 still disable the feature by default; it can be enabled using a parameter."

Wheel of Bug Chasers! (-1, Offtopic)

LostCluster (625375) | more than 3 years ago | (#33461086)

I'm not quite sure America has its value system on straight. Hit the right spaces on the Wheel of Fortune and solve two or more puzzles, and you could win $1,000,000. Answer 15 multiple choice trivia questions in the hotseat in front of Regis Philbin, wait, what it's now 12 questions in the new season walking around the stage with Meredith Vieira? Still $1,000,000. Ken Jennings is extremely smart, but he took Jeopardy! for multiple millions. Discover a flaw in Internet Explorer or Windows or just go after somebody else's research and count on the unpatched systems being still online... and you just got the ability to run a botnet if you're evil. Untold riches there. Discover flaws in Google's Chrome... and you get paid. But the entire panel of winners gets less than $5,000 for their trouble... Something's not right in the equity here.

Re:Wheel of Bug Chasers! (1)

ak_hepcat (468765) | more than 3 years ago | (#33461164)

so, hunt down big companies willing to spend money advertising that they're sponsors of Chrome Bug-hunt.

Otherwise, you won't have that kind of money just waiting to be spent for every little null pointer dereference fix.

Re:Wheel of Bug Chasers! (1)

LostCluster (625375) | more than 3 years ago | (#33461178)

What? Google's not big enough? They need to find sponsors in order to make money? Oh, wait a second...

Re:Wheel of Bug Chasers! (1)

symbolset (646467) | more than 3 years ago | (#33461386)

Maybe they could sell some advertising space on their website. I hear they get a lot of traffic.

Re:Wheel of Bug Chasers! (1)

Fluffeh (1273756) | more than 3 years ago | (#33461188)

> so, hunt down big companies willing to spend money advertising that they're sponsors of Chrome Bug-hunt.
>
> Otherwise, you won't have that kind of money just waiting to be spent for every little null pointer dereference fix.

Let's get that massive super multi billion dollar every-national company GOOGLE to sponsor the Chrome Bug-Hunt. Wait... what?

Re:Wheel of Bug Chasers! (5, Insightful)

bonch (38532) | more than 3 years ago | (#33461422)

Give me a break. You turn a bug bounty into a statement on American values. Your gameshow references are completely baseless and random. What a load of crap!

Re:Wheel of Bug Chasers! (1, Troll)

insufflate10mg (1711356) | more than 3 years ago | (#33461594)

Give ME a break. I can't believe the "bug bounty hunters" would really sell a Google vulnerability for a thousand dollars - I used to mindlessly wipe asses and roll people over for two weeks for that. It's an insult to their intelligence considering the amount of work they put into the penetration-testing/logic analysis involved. An average-sized college internet-portal exploit would be worth $1,000... let alone one of the largest web services companies in the world. I think $10,000 is much more appropriate.

Re:Wheel of Bug Chasers! (3, Insightful)

kdub432 (1586397) | more than 3 years ago | (#33461564)

This is one of the dumbest arguments I've ever seen on slashdot.

Re:Wheel of Bug Chasers! (2, Insightful)

iamhassi (659463) | more than 3 years ago | (#33461584)

"Discover flaws in Google's Chrome... and you get paid. But the entire panel of winners gets less than $5,000 for their trouble... Something's not right in the equity here."

Well, you could always find flaws in Firefox, Windows, IE, etc and get paid nothing if you like.

$4,337 > 0

I say good for Google. What do you want from them, $43,370? $433,700? They're already paying more than anyone else.

Re:Wheel of Bug Chasers! (3, Informative)

Tubal-Cain (1289912) | more than 3 years ago | (#33461636)

Mozilla also pays bug bounties.

Join cast of Jersey Shore if you want money (0)

Anonymous Coward | more than 3 years ago | (#33461640)

That butt-face dude makes 5 grand an appearance, just for showing up. He looks stupid. Must be to only get 5 grand.

Paris
Because I am the whore you always wanted

Re:Wheel of Bug Chasers! (1, Informative)

Bill, Shooter of Bul (629286) | more than 3 years ago | (#33461660)

We've never paid based on the actual value of services. In a free economy, prices should be set by the supply and demand. Even if the demand for a service is great, the price may still be incredibly low due to high supply. Like water. Can't quite live without it. What kind of value does that bring to you? More or less than a huge flat screen tv. Less?? But isn't water more valuable to you??!!!

Explaining the economics of game shows is a bit too much for me at this hour. Safe to say, the contestants aren't paid a bunch because they are rare. It's not a free market.

And I'll just end by pointing out you're presenting a false choice. Most people would decide to pay many regular workers significantly more, rather than pay a few game show contestants more. It's not their choice, and it's not anyone's choice.

Re:Wheel of Bug Chasers! (1)

mldi (1598123) | more than 3 years ago | (#33461830)

What're you expecting here? Google to pay out bigger? I imagine that people would submit these flaws with or without the bounties. Nobody's forcing them to search them out. I'm amazed by the fact they're willing to pay anything at all.

Re:Wheel of Bug Chasers! (0)

Anonymous Coward | more than 3 years ago | (#33462220)

You question the American value system, and you invoke game shows. And you use the word "Discover" twice, which is awfully close to "Discovery", as in "Discovery Channel". You haven't posted a manifesto on your web site recently, have you?!

(ducks)

Where's the love for the Mac passwords? (1)

LostCluster (625375) | more than 3 years ago | (#33461126)

Google's honoring a password security effort in Linux, and at least calling a crypto function in Windows... but why no support for the OSX Keyring?

Re:Where's the love for the Mac passwords? (4, Informative)

Netshroud (1856624) | more than 3 years ago | (#33461318)

Chrome already uses the Keyring... at least it does for me.

Re:Where's the love for the Mac passwords? (1)

Kristopeit, M. D. (1892582) | more than 3 years ago | (#33461384)

it does for me too... not sure what the problem is. chrome doesn't even offer a version for powerpc machines, so no clue what OP is complaining about.

Re:Where's the love for the Mac passwords? (1)

rezonat0r (409674) | more than 3 years ago | (#33461336)

Do you mean Keychain [wikipedia.org] ? According to Wikipedia and my experience, Chrome already uses it.

$4337 in bounties? (1, Interesting)

Anonymous Coward | more than 3 years ago | (#33461190)

$ 4337 in bounties? So that's one real hard bug $ l337 and $ 3000 worth of bugs that the skript-kiddies could have got.

If only it were $1337 (-1, Redundant)

nermaljcat (895576) | more than 3 years ago | (#33461222)

Someone should fudge that 4 to be a 1 =P

Re:If only it were $1337 (1)

Kristopeit, M. D. (1892582) | more than 3 years ago | (#33461344)

uh... they did. that total is the sum of multiple payouts.

Print Preview? (1, Interesting)

bunratty (545641) | more than 3 years ago | (#33461230)

Does Chrome 6 have print preview? Can you open files with helper applications without having to delete them manually later? Do Flash videos play the audio correctly?

Re:Print Preview? (5, Informative)

Anonymous Coward | more than 3 years ago | (#33461402)

no, no and yes

Re:Print Preview? (1)

vlueboy (1799360) | more than 3 years ago | (#33461534)

> no, no and yes

My kingdom, for a mod point!

The parent AC's words above are currently invisible in some /. thresholds, but his answer to the GP is valuable. Even the weirdo Win32 GUI Apple's browser had now feels right at home on my machine after some GUI de-alienation improvements these past two years.

Google's ignoring print preview without some visible explanation is another reason for me not to like their already-alien interface and odd point of view. It's what kept me on the fence with Opera vs Firefox vs. Chrom[e|ium.] Opera won.

Re:Print Preview? (1)

LingNoi (1066278) | more than 3 years ago | (#33461438)

Well it's a free application so why don't you just check it out instead of posting here waiting for a reply.

Re:Print Preview? (3, Interesting)

Urza9814 (883915) | more than 3 years ago | (#33461624)

Uhh...my Chromium 5 for Linux has print preview and proper flash support. And the same file download behavior as browsers like Firefox - I open a file the browser doesn't handle, it downloads to the folder I've specified for downloads. How is that a problem? As I said, it's the same thing Mozilla does. I don't _want_ a browser to just start deleting my downloads on its own. If I tell it 'yes, download this file', that file should stay where it is until I decide to delete it.

Re:Print Preview? (2, Informative)

dakameleon (1126377) | more than 3 years ago | (#33462032)

I think the behaviour being asked for above is the "open with" behaviour common on other browsers, where the file is downloaded to a temporary folder (e.g. $WINUSER$\Local Settings\Temp for Windows) for use by an application selected right from the download dialog. The temp folder can be cleaned up by the browser at a random date in future, or more often than not just sits there until someone decides to clean it out.

This just means the file is out-of-sight out-of-mind for a one-time-use scenario and the user doesn't need to concern themselves with file management post-use.

(Some might say this goes hand-in-hand with private browsing modes. You wait til you're cleaning out a Temp folder for a friend of a friend and notice the number of 30 second video clips...)

Video on the other hand... (2, Informative)

Anonymous Coward | more than 3 years ago | (#33462012)

> Do Flash videos play the audio correctly?
Yes. The video on the other hand, as in all browsers, is a different story. We're still waiting for the fix from Adobe. In the meantime, you can use the following user script:
----(start of file)----
// ==UserScript==
// @name YouTubeWMP
// @version 1.0
// @description Replaces Flash player with WMP in YouTube.
// @run-at document-start
// @include http://www.youtube.com/*
// ==/UserScript==

flp=document.getElementById("movie_player");
flp.outerHTML = "<EMBED type='application/x-mplayer2' width='" + flp.width + "' height='" + flp.height + "' src='" + unescape(flp.getAttribute("flashvars").match(/&fmt_url_map=[^&]*%7C([^&]*)/)[1]) + "' autostart='true' autosize='-1'></EMBED>";
----(end of file)----
This script is for YouTube, you can make similar ones for other sites easily. Just use the resources panel in the developer tools to figure out where to get the link to the flv stream.

Yep. My practices are justified. (2)

icannotthinkofaname (1480543) | more than 3 years ago | (#33461232)

> Users of the stable version of Google's Webkit-based browser might be surprised to find out that, so far, passwords are stored on the hard disk as clear text.

I see. So that's why I keep my passwords stored in my head. No virus that can live in my head can read my passwords out of there, AFAIK.

Re:Yep. My practices are justified. (0)

Anonymous Coward | more than 3 years ago | (#33461404)

You could also use Keepass. Not as safe as your head, but can store more than a few passwords.

Re:Yep. My practices are justified. (1, Funny)

Anonymous Coward | more than 3 years ago | (#33461972)

> You could also use Keepass.

Really bad name for a program meant to keep something.

Re:Yep. My practices are justified. (1)

vlueboy (1799360) | more than 3 years ago | (#33461548)

> No virus that can live in my head can read my passwords out of there, A.F.A.I.K.

(emphasis mine)
Now THAT's an open mind!
*ducks*

Re:Yep. My practices are justified. (1)

tokul (682258) | more than 3 years ago | (#33461908)

> Users of the stable version of Google's Webkit-based browser might be surprised to find out that, so far, passwords are stored on the hard disk as clear text.

What's your point?
If you ask browser to remember passwords, they will be stored somewhere in plain text or in some form that can be decrypted. Browser has no way to remember passwords without saving them somewhere. If passwords were stored on Google servers, then it would be an issue.

Re:Yep. My practices are justified. (2, Informative)

selven (1556643) | more than 3 years ago | (#33462128)

Some kind of encryption as obfuscation, DRM-style, is still better than just plain text. One of the tricks used by people who steal hard drives is to try every possible chain of subsequent bits as a password. It's only at most a few trillion tries (less than brute-forcing an 8-char alphanumeric password, and quite feasible with a botnet or a few days of time), and often as few as a few billion, but it gets passwords right quite often. Encryption would defeat this attack.

Re:Yep. My practices are justified. (1)

tokul (682258) | more than 3 years ago | (#33462370)

> Some kind of encryption as obfuscation... Encryption would defeat this attack.

It does not defeat anything. Decryption password is stored in same location as encrypted data.

Re:Yep. My practices are justified. (0)

Anonymous Coward | more than 3 years ago | (#33462090)

> AFAIK

What about rootkits?

Re:Yep. My practices are justified. (1)

noob749 (1285846) | more than 3 years ago | (#33462564)

> I see. So that's why I keep my passwords stored in my head. No virus that can live in my head can read my passwords out of there, AFAIK.

No, dude! That's what they want you to think!!! Quick, forget all your passwords and go stand next to somebody that's thinking about windows xp...

Re:Yep. My practices are justified. (1)

silentcoder (1241496) | more than 3 years ago | (#33462566)

>I see. So that's why I keep my passwords stored in my head. No virus that can live in my head can read my passwords out of there, AFAIK.

In other news Hacker Geneticists start breeding Meningitis that can talk...

AEET! (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33461234)

Just seeing how much money they paid out makes me scream...

AEET! AEET! AEET!

Crazy Article (4, Funny)

bipbop (1144919) | more than 3 years ago | (#33461244)

I just looked at the article briefly, and it states "A second high-priority flaw, a sandbox parameter deserialization error, was discovered by two members of Adobe's Reader Sandbox Team." What the--Adobe has a security team? That's crazy talk!

Re:Crazy Article (0)

Anonymous Coward | more than 3 years ago | (#33461346)

Yah, Gerald sits right next to the performance team... behind the locked door, down the stairs, inside the cubicle door marked 'beware of the cougar'.

Re:Crazy Article (4, Funny)

TooMuchToDo (882796) | more than 3 years ago | (#33461510)

Notice that they're too busy working on finding holes in Chrome to be working on Adobe products ;)

I kid!

Re:Crazy Article (2, Interesting)

n0-0p (325773) | more than 3 years ago | (#33461750)

FWIW, they thanked members of the Chrome team a few months ago when they announced sandboxing support in an upcoming version of Acrobat Reader.

Re:Crazy Article (1)

silentcoder (1241496) | more than 3 years ago | (#33462582)

>Notice that they're too busy working on finding holes in Chrome to be working on Adobe products ;)

That's because unlike Adobe, Google actually PAYS them to find holes :P

Re:Crazy Article (1)

stealth_finger (1809752) | more than 3 years ago | (#33462324)

> two members of Adobe's Reader Sandbox Team." What the--Adobe has a security team? That's crazy talk!

No, they have a sandbox team, they just happened to be messing around on a laptop while playing in their sandbox.

"paid out a total of $4,337 in bug bounties" (1, Funny)

Snufu (1049644) | more than 3 years ago | (#33461258)

How does this goggle company plan to stay solvent throwing money around like this? Don't they know we are in a recession?

Version bloat (2, Interesting)

R.Mo_Robert (737913) | more than 3 years ago | (#33461284)

Any reason for the version-number bloat? I mean, I guess it looks a bit cooler next to IE 8, but I don't really think people are that naive.

Re:Version bloat (3, Funny)

ksandom (718283) | more than 3 years ago | (#33461330)

In 2015.... Chrome 256 released!

Re:Version bloat (4, Informative)

rezonat0r (409674) | more than 3 years ago | (#33461354)

I'm guessing you missed their highly re-reported blog post [chromium.org] regarding the new release schedule.

Re:Version bloat (1)

greenguy (162630) | more than 3 years ago | (#33461508)

You, sir, need to study your P.T. Barnum.

Re:Version bloat (0, Redundant)

LostCluster (625375) | more than 3 years ago | (#33461556)

Browser history is filled with skipped numbers to keep up with the competition... see also Netscape vs. IE.

Re:Version bloat (2, Insightful)

maccodemonkey (1438585) | more than 3 years ago | (#33461596)

I was amazed they've already flown past an older browser (Safari) in version numbers, and they're inching toward IE territory.

Seriously Google. This sounds like a .1, or even a .0.1 release. Don't be afraid of little bumps. It didn't sound like any new significant features were introduced.

Re:Version bloat (2, Informative)

Tubal-Cain (1289912) | more than 3 years ago | (#33461648)

Firefox is older than Safari (OK, so it was Phoenix at the time...) and is only at 3.x or 4.0 (beta)

Re:Version bloat (0)

Anonymous Coward | more than 3 years ago | (#33461694)

Right, because every company uses the exact same version scheme and their numbers all mean the same thing across the board. Why do people keep getting hung up on this? If you want a version number use the source revision.

MOD PARENT UP (1)

cyclomedia (882859) | more than 3 years ago | (#33462366)

There is no universal ISO IEEE Regulatory standard for software version numbers, it's meaningless to compare them. Personally I mostly ignore them and look at the release or file date.

Re:Version bloat (1)

dropadrop (1057046) | more than 3 years ago | (#33461814)

Is it out of beta already?

Re:Version bloat (4, Funny)

dougisfunny (1200171) | more than 3 years ago | (#33461966)

They figure once they get to 6 they can coast for years.

What's the point of Encrypting if it's so easy... (2, Interesting)

MasterEvilAce (792905) | more than 3 years ago | (#33461288)

What's the point of the encrypting in Windows if you can easily go to Tools -> Personal Stuff -> Show Saved Passwords, and clicking Show Password? Chrome doesn't appear to have any password-required feature to get INTO those settings and/or launch the browser. Firefox, on the other hand uses a password that protects them either when you try to view the passwords through the dialog box, OR when the passwords have to get loaded in order to be used by a site. It boggles the mind even more when you consider Chrome lets you store and view your credit card information if you choose to save it (on by default I think)

Re:What's the point of Encrypting if it's so easy. (1)

gazbo (517111) | more than 3 years ago | (#33462416)

So that when someone steals your laptop they don't get access to your passwords/CC numbers? The only security that Firefox's master password provides that Chrome doesn't is if you happen to leave your computer logged in, unlocked and unattended but just happen not to have entered your master password into Firefox yet.

Re:What's the point of Encrypting if it's so easy. (1)

Richard_at_work (517087) | more than 3 years ago | (#33462558)

> Firefox, on the other hand uses a password that protects them either when you try to view the passwords through the dialog box, OR when the passwords have to get loaded in order to be used by a site.

Not by default it doesn't - "Use a master password" is unchecked by default, meaning very few people are actually protected by it.

$4,337 from a multi-billion dollar company? (1, Insightful)

syousef (465911) | more than 3 years ago | (#33461312)

It's nice that they're paying but if that's $4337/14 = roughly $310 per bug you'll just have to forgive me if I don't quit my day job to focus on debugging Chrome.

Re:$4,337 from a multi-billion dollar company? (1, Interesting)

Kristopeit, M. D. (1892582) | more than 3 years ago | (#33461366)

yeah, and why aren't they charging us for chrome? stupid billionaires.

Re:$4,337 from a multi-billion dollar company? (4, Informative)

LingNoi (1066278) | more than 3 years ago | (#33461478)

Since you're not going to RTFA or even the summary I'll repost it here..

> includes patches for 14 total security vulnerabilities, including six high-priority flaws, and the company paid out a total of $4,337 in bug bounties to researchers who reported the vulnerabilities. A number of the flaws that didn't qualify for bug bounties were discovered by members of Google's internal security team.
>
> The new release of Chrome also fixes an older bug, a Windows kernel flaw, that Google had thought it fixed in a previous version. The highest bug bounty, $1337, was paid for an integer error in WebSockets found by Keith Campbell. A second high-priority flaw, a sandbox parameter deserialization error, was discovered by two members of Adobe's Reader Sandbox Team.

Re:$4,337 from a multi-billion dollar company? (2, Informative)

blai (1380673) | more than 3 years ago | (#33461540)

tl;dr

Re:$4,337 from a multi-billion dollar company? (1)

sirsnork (530512) | more than 3 years ago | (#33461574)

Not that I don't like Chrome being better, but shouldn't the Adobe team work on their own products *cough* 64 bit flash player *cough* before finding other products to fix?

Re:$4,337 from a multi-billion dollar company? (1)

Tubal-Cain (1289912) | more than 3 years ago | (#33461666)

When integrating your plugin with someone else's application and you run into a bug in the parent app, you have 2 options:
  • Spend lots of time and effort working around the bug, duplicate the workaround in every plugin you make, and hope that other plugins encountering the same bug don't impact yours.
  • Get the bug fixed.

Re:$4,337 from a multi-billion dollar company? (1)

dakameleon (1126377) | more than 3 years ago | (#33462056)

> The highest bug bounty, $1337

$1337? Oh come on!

Re:$4,337 from a multi-billion dollar company? (4, Funny)

sco08y (615665) | more than 3 years ago | (#33462532)

> > The highest bug bounty, $1337
>
> $1337? Oh come on!

Well, $5318008 was a bit much.

Re:$4,337 from a multi-billion dollar company? (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33461484)

Well obviously they found somebody to do it for that price. So I guess the multi-billion dollar company has it valued just right.

Welcome to capitalism.

Re:$4,337 from a multi-billion dollar company? (0)

Anonymous Coward | more than 3 years ago | (#33461832)

Yeah, like, the time it would take to properly document it would be what, 8 hours? That's like 10k or more in my bosses pockets, why would I waste a minute thinking about it?

Re:$4,337 from a multi-billion dollar company? (0)

Anonymous Coward | more than 3 years ago | (#33462282)

It just goes to show how many stupid people there are. Work DAYS for $310, that's a great plan. What are you going to do with that? High five your friends at home and have a pizza party? Meanwhile google adds $millions of value to their name. Once a sucker, always a sucker.

Re:$4,337 from a multi-billion dollar company? (1)

sco08y (615665) | more than 3 years ago | (#33462530)

> It's nice that they're paying but if that's $4337/14 = roughly $310 per bug you'll just have to forgive me if I don't quit my day job to focus on debugging Chrome.

That $310 check from Google is worth a lot more than its face value in establishing your credibility as a security researcher.

WooHoo !! $4337.00 WooHoo !! (-1, Troll)

Anonymous Coward | more than 3 years ago | (#33461348)

Google better watch out or it'll go BUST with a bounty such as this !! WooHoo !! Get cracking !! But then the mob pays that every day. Which shall I go with ??
    (
    }
      {
      |
KNEEL !!

My browser progression is a bit weird (0)

Anonymous Coward | more than 3 years ago | (#33461398)

I went from Netscape to Firefox to Opera to Chrome, without ever stopping at Internet Explorer (except at work, where it is the default).

I have to say, though, that I've removed everything but Chrome (and the ubiquitous and hard to remove IE8) from my home computer. It really is an excellent browser.

Are you feeling safe punk ?? (0, Troll)

Anonymous Coward | more than 3 years ago | (#33461440)

So you removed them all but Google. You're saying to yourself, if google reads my mail, and stores my searches, and takes pictures of where I live, do I feel like I can use their browser? You trust Google knowing this ?? You are one fucking idiot !!

that's (0)

Anonymous Coward | more than 3 years ago | (#33461528)

That's 0.0.082.78 per day!

Aeet? (5, Funny)

Anonymous Coward | more than 3 years ago | (#33461560)

First thing I thought when I saw 4337 was "What the fuck is Aeet?"

Re:Aeet? (1)

Chameleon Man (1304729) | more than 3 years ago | (#33461658)

I was thinking more along the lines of "Deet", which is pretty good at repelling bugs :)

Re:Aeet? (2, Insightful)

Anynomous Coward (841063) | more than 3 years ago | (#33462288)

Actually, $4337 is 'Saeet', a phonetic transcription of the middle eastern name 'Saïd'.

Linux Logins (5, Interesting)

idcard_1 (953648) | more than 3 years ago | (#33461662)

FYI your linux logins on Ubuntu are stored in this file: /home/username/.config/google-chrome/Default/Login\ Data just do "strings Login\ Data" and you have those passwords. :(

WTF, these passwords are stored in the clear (1, Informative)

Anonymous Coward | more than 3 years ago | (#33461792)

I've just confirmed the above, and it's the same on other Linux distros, not only on Ubuntu.

I hope this is some dreadful oversight! An application of Chrome's stature cannot be storing passwords in the clear by design, surely ...

Re:WTF, these passwords are stored in the clear (0)

Anonymous Coward | more than 3 years ago | (#33462232)

FYI, chromium stores them slightly differently on mine (replace google-chrome with chromium in the given path), but has the same problem.

Feel Save AND Fresh (2, Funny)

Anonymous Coward | more than 3 years ago | (#33461874)

You're on Linux, the most trusted, secured and freshest OS in the universe !!

Why do you care if Google leaves your creds in the clear? If someone can read them, you are already OWNED !!

Yours,
Shirley, the one and only Summer's Eve girl

Re:Linux Logins (2, Informative)

Zixaphir (845917) | more than 3 years ago | (#33462044)

wtf is /home/username? In my days, we communicated home as "~/". You can read it as tilde slash or even tilde slash dot, but it doesn't matter. ~ sweet ~.

Re:Linux Logins (0)

Anonymous Coward | more than 3 years ago | (#33462246)

On my ubuntu 10.04 box, I have Chromium (not Chrome) from the Ubuntu repository and the file isn't located in the same location. Perhaps it's somewhere else, but haven't found it yet. So it could be Chromium is less vulnerable?

Re:Linux Logins (1)

LingNoi (1066278) | more than 3 years ago | (#33462292)

On ubuntu at least this should be in seahorse or something. Not in an unencrypted sqlite db. Very poor.
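
An added example (not part of the thread and not Chrome's own code) of how a defender could check a profile for the condition described in the comments above: it reports the file mode and how many stored values `strings` would expose, without printing any secret. The table and column names (`logins`, `origin_url`, `password_value`) are assumed from Chromium's Login Data schema, and the sample database is constructed.

```python
import os
import sqlite3
import stat
import tempfile
from pathlib import Path


def looks_like_cleartext(value):
    """Heuristic: a non-empty value made only of printable ASCII is what
    `strings` would print verbatim. Ciphertext of 16+ bytes almost never
    passes by chance; non-ASCII passwords are a known false negative."""
    if isinstance(value, str):
        value = value.encode("utf-8", "replace")
    data = bytes(value or b"")
    return len(data) > 0 and all(0x20 <= b <= 0x7E for b in data)


def audit_login_db(path):
    """Return a report on one Login Data file. The stored values are
    inspected but never returned or printed."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    report = {
        "mode": oct(mode),
        # Any group/other read bit lets other local accounts read the file.
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "rows": 0,
        "cleartext_rows": 0,
        "cleartext_origins": [],
    }
    # Open read-only so the audit cannot modify the browser profile.
    # as_uri() percent-encodes the space in "Login Data".
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        query = ("SELECT origin_url, password_value FROM logins "
                 "ORDER BY origin_url")  # assumed schema, see lead-in
        for origin, value in con.execute(query):
            report["rows"] += 1
            if looks_like_cleartext(value):
                report["cleartext_rows"] += 1
                report["cleartext_origins"].append(origin)
    finally:
        con.close()
    return report


def build_sample_db(directory):
    """Create a constructed stand-in for a Login Data file: one value
    stored as clear text, one opaque blob standing in for ciphertext."""
    path = os.path.join(directory, "Login Data")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE logins (origin_url TEXT, "
                "username_value TEXT, password_value BLOB)")
    con.executemany(
        "INSERT INTO logins VALUES (?, ?, ?)",
        [
            ("https://mail.example.test/", "alice", b"correct horse battery"),
            ("https://bank.example.test/", "alice", bytes(range(0x80, 0xA0))),
        ],
    )
    con.commit()
    con.close()
    os.chmod(path, 0o644)  # constructed: world-readable, the worse case
    return path


def run_sample_audit():
    """Build the constructed database in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_login_db(build_sample_db(tmp))


if __name__ == "__main__":
    print(run_sample_audit())
```

A clean result here only means the values are not trivially readable; as the thread notes, where the decryption key lives decides how much that is worth.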

ooh (0)

Anonymous Coward | more than 3 years ago | (#33461680)

Once it works with Murrine-ARGB and the Ubuntu appmenu bar, I don't see anything to pull me back to Epiphany again. It'll be just as native, and three orders of magnitude more performant on JS.

Re:ooh (0)

Anonymous Coward | more than 3 years ago | (#33461818)

I'm guessing you have no idea what "order of magnitude" means?

Implement your own secure storage strategy (2, Interesting)

nick1000 (914998) | more than 3 years ago | (#33461836)

As a Linux application developer who has used keyring/kwallet for saving secure passwords in the past, I'd recommend not to use them.

Various different distributions have different versions of these utilities and their libraries. There are so many variations that it becomes hard to support all versions. Most desktop Linux end users have never used them, and when they see a warning window popping up (which these utilities tend to show), they cancel the window rather than going through the authentication process.

Just my 2 cents.

Re:Implement your own secure storage strategy (1)

tendays (890391) | more than 3 years ago | (#33462398)

I agree the current situation is far from perfect (Ideally, the people at freedesktop.org would build a unified centralised password access protocol like they did with dbus etc, so applications developers wouldn't have to implement all existing protocols every time) but having each application implement its own strategy is worse.

Three reasons:

First, the user either has to type as many master passwords as there are implementations (Now I have to type three passwords when logging in: the session password, the kwallet password, and the firefox password because firefox doesn't integrate with kwallet) or store them in cleartext (or in an easily decrypted format). If I had to type one master password for each program that needs passwords (IM, browser, email, irc, gpg, ssh, etc), that would mostly defeat the purpose of them.

Secondly, having a single storage space enables sharing passwords securely between applications. Now I need to save my passwords separately for firefox, konqueror, and chrome. You'll say "stick to a single browser then" but it shouldn't have to be like that.

Third, writing your own implementation increases the risk of having bugs that lead to security holes, compared to a single implementation that got polished over time.

I'm not sure your statement that most users don't use those is right but know too little a sample to support my opinion (I don't know that many linux users but all of them, and not only experts, do use gnome keyring, and I use kwallet).

warning... haiku (1)

breman (683776) | more than 3 years ago | (#33461964)

like a mirror,
only not really,
unless you shine it up,
you can see yourself in it.

Re:warning... haiku (0, Troll)

Superdarion (1286310) | more than 3 years ago | (#33462138)

That doesn't have any of the elements of a haiku. It's just a poem, you pompous ass.

And it's ACID3 compliant! (3, Informative)

VincenzoRomano (881055) | more than 3 years ago | (#33462180)

At least the Linux version for x86_64.
Try it [acidtests.org]

Re:And it's ACID3 compliant! (0)

Anonymous Coward | more than 3 years ago | (#33462340)

Too bad a perfect score there hides flaws they didn't fix because they weren't in the test.
Only Firefox 4 nightly builds render this SVG SMIL animation of a simple counter [imgh.us] properly.

Re:And it's ACID3 compliant! (1)

LingNoi (1066278) | more than 3 years ago | (#33462544)

Looks fine in Chrome on OSX to me. Animates and everything.

Maybe not such a good idea (1)

cheezegeezer (1765936) | more than 3 years ago | (#33462250)

>>"Chrome 7 for Linux is planned to tie in with the Gnome Keyring and the KDE Wallet <<

There is one piece of bloat I remove every single time on any install: it is the incredulous crass invasion that is the KDE Wallet system. It should be an if-you-want-it, go-looking-for-it-and-tick-the-box thing, NOT an install by default.

These central password depositories are not a good idea. Sorry devs, but the idea SUCKS so big it is almost untrue.