back to article Google Chrome OS: Too secure to need security?

A leading security researcher has warned that Google risks repeating Apple's mistakes on security with its new Chrome OS. Google Chrome OS is a Linux-based operating system designed to work exclusively with web applications. Chrome netbooks running the new OS will be available from Google's partners Samsung and Acer from June …

COMMENTS

This topic is closed for new posts.

Page:

  1. NoneSuch Silver badge
    Pint

    I would think...

    that marketing material saying "Zombie Ready out of the Box" would be a great selling point for this OS.

    "Advance Slovakian Net Marketing with this one easy download." Etc. Etc.

  2. Captain Scarlet Silver badge
    Windows

    In regards the AV

    I don't remember Apple saying you don't need an AV, they marketted it as more secure and then I believe fanboys then said no av needed. I could be wrong (If I am feel free to flame me).

    1. Anonymous Coward
      Anonymous Coward

      Virus

      Not quite saying you can't get a virus, but certainly inferring it.

      http://www.youtube.com/watch?v=CHFy6egYcUg

      I know Apple will say it refers to not getting a PC virus, however for quite a lot of people PC is personal computer and if a Mac is neither personal or a computer then what is it?

      1. Andrew Hodgkinson
        Stop

        ...and so I'll say it *yet again*...

        If people believed they couldn't get a virus, they wouldn't have believed a fake web site telling them they had a virus, wouldn't have downloaded the fake anti-virus package and wouldn't have run it and clicked through the install process (with, or more recently without, having to type in admin privileges). And then typed in the credit card details too.

        The success of the recent phishing scam / trojan combo can only be put down to people believing that their Macs are definitely *not* immune to viruses. So, quite the opposite of what you suggest.

        1. Cameron Colley

          @Andrew Hodgkinson

          That doesn't quite follow. The rabid fanbois (for want of a better term) will probably not have fallen for the fake virus warning -- some would have genuinely thought that their machines were impenetrable and so it was a fake and others will have been IT literate and/or savvy enough to realise it was fake.

          However, there will the the smug gits who bought an Apple because a friend told them it was invulnerable and were so gullible that they believed the friend and so gullible that they believed the virus warning.

          Then there are the spouses, children and other family of people who own the Mac. For example if you're using daddy's PC and it says you got a virus when you're on a dodgy site then you'll try to cover it up -- it doesn't matter how much of a rabid fanboi your dad is, because he's not there. If you buy your dear old parents a Mac because it's "invulnerable to viruses" they don't necessarily hear you say that. Heck, if your wife uses your "super-invulnerable" Mac she'll probably not realise it -- especially if she spends her day at work using or administrating Windows machines.

          So, you may be right that the rabid fanbois may not have clicked on the warning -- but that doesn't mean their arrogance wasn't responsible for problems.

          1. ThomH

            @Cameron Colley

            The "rabid fanboi" of your imagination doesn't exist. It's just a cheap caricature, calculated to inflame, that you've conveniently picked upon to be a scapegoat.

            1. Cameron Colley

              @ThomH

              I was using a stereotype to make a point. If you'd like an essay on the modern brand and its followers I'm happy to write one for you for a modest fee.

          2. SuccessCase

            @Cameron Colley

            Yes but let's not forget there are always those other smug gits who like to dramatise the misfortune of others because it makes them feel better about their own inadequate lives.

        2. Anonymous Coward
          Linux

          people believe they couldn get a virus

          @Andrew Hodgkinson: If people believed they couldn't get a virus, they wouldn't have believed a fake web site telling them they had a virus, wouldn't have downloaded the fake anti-virus package and wouldn't have run it and clicked through the install process ..

          And you know who we have to thank for that .. :)

    2. Keith T

      It was said so much, so often, I have no doubt Apple was claiming it.

      There were no end of computer sales people here in Canada saying you couldn't get a virus from a Mac.

      And Apple press releases must have said it too, because people in the mainstream news media were repeating it, and it wouldn't be something an arts graduate would think of on their own.

      It was said so much, so often, I have no doubt Apple was claiming it.

      And during the current outbreak of Mac viruses some fanbois were still claiming that, using the really narrow technical IT security definition of virus that subdivides viruses into viruses, worms, trojans, etc.

  3. Anonymous Coward
    Anonymous Coward

    Some truth, some fud

    While there is truth in what he's saying it's also silly to suggest that a modern OS _cannot_ be completely locked down.

    Considering Linux has things like mandatory access control built in Google can choose to completely disallow any application from using any part of the OS, say it can define the browser to not be able to escalate its privileges, stopping even zero-day exploits from getting root if such an exploit was found at some point. In combination with other methods, ASLR, sandboxing etc etc the result is military level security on what is essentially just a laptop.

    Since this is a hands-off, no user-installed applications OS this is not a far fetch at all.

    We're not talking about sudo user prompts or balancing the fact that people need to be able to easily install applications from the web, like Apple and Microsoft have had to do here. The OS is just another service to the user in Google's mind.

    Now, he is correct in saying that the goal then becomes getting user credentials and gaining access to the server-side data but again, this is a solved problem that has been in use for decades now in e-commerce, online bank accounts and all google services.

    To say that it's suddenly going to become a bigger problem just because of Chrome is just spreading FUD.

    1. Keith T

      Only way prohibit programs not signed by google from running.

      The only way google or anyone else could prevent viruses getting into their customers computers would be to prohibit programs not signed by google from running.

      Which is basically what you are saying the could do. Could do. MS could do the same thing.

      But would an OS where you could only run the OS makers programs sell? Would consumers accept it? Yes, but Apple has filled the religious market already.

  4. Rik F
    Stop

    A solved problem?

    To say that protecting data stored remotely is a "solved problem" is false. You may want to look into banking losses from online fraud or maybe even have a chat with Sony, and yes, Google too, oh and Epsilon and play.com and Silverpop and tripadvisor and Lush, I could go on...

    Also, ChromeOS will not be a "no user installed applications OS".

    1. Anonymous Coward
      Anonymous Coward

      Exceptions don't make the rule

      I was referring to the authentication part actually, not storing of user data. Sure there have been several high profile cases where crooks have stolen data stored on remote servers. In all these cases there were basic fundamental errors in the security of the entire infastructure.

      On the flip side when's the last time someone managed to steal credentials for a high street online banking system of the lines of HSBC, Natwest etc? How about cracking into a bank's online banking system and stealing credit card info? If the security procedures of one Suffolk Bank are lax is it the fault of the security that they didn't use?

      1. Keith T

        and it is those fundamental flaws combined with complex flaws

        that make the cloud idea worse than what we have now.

  5. Flocke Kroes Silver badge

    Apple do not have a virus problem

    They have a Trojan problem. Perhaps they might get a virus problem later, but only after they fix the brain dead decision to give the first user account created continuous root access without explaining why that account should only be used for system administration.

    I doubt that Chrome will have a virus problem for a long time, if ever. They will have a phishing problem that is best countered by educating users. Google is quite correct not to install malware by default and hope that some magic anti-virus program will fix everything after the damage has been done. If there was some criticism of Google's efforts to educate users about spotting a phish then that could make sense.

    Anti-virus software should be required only for Windows until Microsoft and Windows application developers understand basic security techniques.

    1. Keith T

      Give it up, version 2 self-installed without user intervention.

      enough said.

  6. Anonymous Coward
    Anonymous Coward

    What AV ; what viruses

    Don't see how you can have anti-virus when there aren't actually any viruses known for Chrome OS

    1. Lord Elpuss Silver badge
      Linux

      It's possible

      Heuristics and behaviour/pattern recognition engines in most modern AV products enable them to detect and block viruses which haven't been created yet - based on recognition of what they are trying to do (access deep system files, replicate, add data strings to known-good files etc).

      It's perfectly possible to have an antivirus program which sits and waits for apps to demonstrate virus-like behaviour, then to quarantine and remove them - the success rate is a different question.

    2. Keith T

      just like you can have AV for windows 8 without there being any know windows 8 viruses

      Heuristics.

  7. damocles
    Coat

    Bot herders or Google

    Who do you trust more?

    Mine is the one with the tinfoil lining

  8. David 164

    I think it will be pretty safe

    Given that it 2 years to crack Chrome, and even then the exploit is said to rely of flaws with third part software flash. I think the cyber criminals will have a tough time trying to crack ChromeOS. Yes it will be possible, no software is perfect but there is so many ways which google have lock down the system that I suspect it will years before one does appear.

    One of the biggest mitigating factor will be chrome OS just being to small of target market, compare to the resources needed to cracked it, for instant the chrome browser exploit is rumor to have needed 6 months to developed, and the security firm admitted it was the most sophisticated attacked it has ever design, and the whole thing could be obsolete with in 6 to 12 weeks which does not give much time for them to make back there profits/. With Google regular update schedule's, aggressive tactics in buying up security flaws found by researchers.

    I think Chrome OS will be one of the safest OSes available on the market, outside of government. On other hand Google marketing department should not be setting themselves up for the fall that will happen when chrome OS is eventually crack. An Google must also make sure they respond quickly and fast to any threat, aka not act like apple and take three weeks to recognise the problem and provide a fixed, only for that fixed to become obsolete by an even sophiscated attack.

  9. Anonymous Coward
    Happy

    excellent document links

    I heartily recommend their document set as an excellent crib <<<< tutorial on the security issues facing a general purpose system

  10. Spearchucker Jones
    WTF?

    Defence in depth is not new.

    Nor is it a Google invention. It's also not the first OS that uses it. Microsoft's Security Development Lifecycle waxes lyrical about it (Microsoft didn't invent it either), and it's in all the newer generation software from Microsoft. Products like the Unified Access Gateway take it even further in that you can use it to safely provide Internet-based access to something inherently not secure like Peoplesoft (which was never designed for Internet access to begin with).

    1. Keith T

      term from the military security and commercial loss prevention industries.

      "Defence in depth" pre-dates computer security. It is a term from the military security and commercial loss prevention industries.

  11. Francis Fish
    Happy

    I do run AV on my Macbook

    I run ClamXav - never gets in my way, just keeps on keepin' on, doesn't lock the machine up.

    Oh, and it's Open Source

    1. jonathanb Silver badge

      But how useful is it

      ClamAV scans for Windows Viruses. I used to scan the incoming emails on my linux machine with ClamAV as part of my spam filtering routine, because at that time about 90% of incoming mail was viruses, and although they didn't harm my computer in any way it was still annoying to have to look through them to find the real mail. These days there aren't enough viruses in my mail to justify a separate virus scan and my spam filter deals with phishing scams etc.

  12. Anonymous Coward
    Anonymous Coward

    antiVirusless chocolateers may be repeating Apple's mistakes?

    > Google Chrome OS: Too secure to need security? .. Confident anti-virus-less chocolateers may be repeating Apple's mistakes ...

    Look someone downloading and running an app (as user) from an unknown source does not constitute a dilution in Apples desktop OS. Now show me where I can click and the core Operating System gets compromised, else all this Apple 'malware' talk is just so much waffle. Remember the original 'malware' problem was caused by download Antivirus over the web !

  13. Anonymous Coward
    Joke

    Chrome OS is unsafe says Anti Virus seller

    > A leading security researcher has warned that Google risks repeating Apple's mistakes on security with its new Chrome OS ..

    See, simple enough ...

    1. Anonymous Coward
      Anonymous Coward

      market changes, salesman made redundant

      That's how I read it.

  14. Saoir

    Nutter

    Rik Ferguson, a security consultant at Trend Micro, criticised this line as marketing rhetoric. Google risks repeating the security mistakes of Apple, he warns."

    Is this guy for real ? What "Mistakes" exactly, is he referring to by Apple ?

    Over a million malware items attacking Windows : Approximately one and a quarter items attacking Macs.....

    Who is this Ferguson nutter ???

    1. David 164

      I do not think Microsoft is doing that bad.

      Only 1 and a quarter times that of Apple.

      Actually that pretty impressive considering Windows markets is about 8 times bigger than Apple an it only get double the amount of attacks.

      They may be doing something right after all. May be Windows is not as easy to hack as Apple cult like us to believe

      1. Ole Juul

        misread

        I think you misread the post on which you were commenting. He said "Approximately one and a quarter items attacking Macs.....". That's "items" - not "times".

    2. Keith T
      FAIL

      There is a reason banks and the pentagon don't use Macs

      While published viruses and trojans are few for Macs, it is pretty easy to construct a custom one.

    3. multipharious

      OH come on.

      First of all to potentially keep the Apple fanbois and the Linux folks from prematurely clicking the downvote button - I use both as any proper techie ought to do. I have and do use various distributions of Linux. And I use Windows as well (especially in business but that depends on the project.)

      This is the purest question of econonics. If you have the misfortune of having a computing distro that maximizes the best return on investment for criminals who develop malware and viruses, then you are at risk. Windows has the market currently. Ignoring security like it is simply not required is basely asinine. I remember last summer seeing root access problems that were re-introduced with the very kernel that Google pretends is impervious despite their forks. And that is what is published.

      I don't really like watching your herd of smug sheep get hoof and mouth, but if you poo-poo it, and suddenly the scales of popularity and market share tip then you can be fucking sure that virus and malware writers will be on you like flies on your completely unprepared shit.

  15. Anonymous Coward
    Terminator

    Which is better?

    Which is better, build in your security at the design stage or glue on a sticking plaster AV product later on?

    1. John Miles
      Black Helicopters

      Both have their advantages

      Security designed in from day one - is good/essential, but it doesn't stop someone installing something suspect (or even hidden in something else they are installing) and once that suspect item is in it can render the good security useless

      An AV product stands a chance of blocking something dodgy being installed (a well known disk burning application got dumped by me once AV started complaining about what else it was installing) - and though often malware getting through renders AV useless it does have the potential to fight back

      The most important security is a cynical user who doesn't believe what a website/email is telling them if it seems very out of character

    2. Keith T

      Defense in depth means doing both

      Defense in depth means doing both, belt plus suspenders.

  16. Yet Another Anonymous coward Silver badge

    @Some truth, some fud

    You can stop a virus being able to install itself easily enough - a write protect switch will do that.

    But if when you go to your webmail, your browser pops up a dialog asking you to re-enter your webmail username and password which the xss attacker then users to get your email later does that count?

  17. Mike Moyle

    I know that I'm no expert...

    ...but it sounds to me like Google's "defense in depth" is actually marketing-speak for "a single point of failure".

    They may have sandboxing and whatever else going on on their thin client -- excuse me... Chrome OS device -- but as long as all user data is stored in the same cloud that Google's automatic updates are served from, then isn't it less a question of what OS is running the laptop than what OS is running the server(s)?

    With traditional malware, you're going after many targets and expecting to get some smallish percentage of successful takeovers. With Chrome, it seems to me that taking over the much smaller number of servers and shoving out one maliciously-crafted "update" gives you ALL of the Chrome clients. Figuring out how to make that "update" root Chrome OS/client and refuse delivery of any further updates would seem to make you nigh-invincible. Not a trivial exploit, I'm sure, but it seems that the reward would be enough to convince the crims to put major resources behind the effort.

    Does Google plan to serve Chrome OS data, apps, and updates off of Chrome OS-based servers? Is it "turtles all the way down" or is there, at some point, some single or small number of Master servers running some other OS that the attackers have already had plenty of time to learn how to compromise?

    Since this "single-point-of-failure" scenario seems so obvious to me and no one else mentions it, I have to presume that I'm missing something, but I'm not sure what it is.

    1. Charles 9

      You would probably need an insider.

      Normally servers such as you describe only get their content updated from the context of their corporate intranets. The Internet-facing side of the servers is generally read-only. Think of it like a properly-configured read-only network share. On the local machine, you can add, modify, and delete files, but on the network side, they can only see the contents, not make any changes to it. So to get to the intranet side of the server so you can alter the files, you'd need to get in there somehow: either through an exploit through some other gateway (which is conditional on the topology of the intranet) or (more likely) by getting a mole into Google itself and using the mole to slip the files in physically.

      1. Keith T

        Tell that to Sony

        Pretty much most of what servers store directly or indirectly comes from the outside in the form of data.

        All that is required is to get the data executed. That is standard malware authoring. Works on servers, clients, whatever.

  18. Nicolas Charbonnier

    Trend Micro sells anti-virus software

    Euhm, hello? Of course Trend Micro representatives are going to say Chrome OS isn't secure enough, it's Trend Micro's own future that is at stake. Chrome OS completely disrupts the anti-virus and PC security software industry.

  19. Volker Hett

    The world is bad and computers and the internet are part of the world :)

    So to stay 100% secure, switch off your computer and get a notebook, one of the paper ones,

    1. F111F
      Coat

      Live-in Virus?

      Sooo, when your four year old finds your paper notebook and scribbbles on every page, does that make him/her a virus or trojan?

      Mine's the one with the steno pad in the pocket...

      1. Volker Hett
        Devil

        hm,

        come to think of that, my nephews destroyed most of my Donald Duck collection. Wonder if my sister would approve anti malware measures against her sons :)

        Satanic Icon because I feel evil.

  20. Anonymous Coward
    Holmes

    Missing the point a bit?

    Okay, I accept that some malware is just some form of "See! I can make it do this! And you don't even know! Ha-ha!" basis.

    But the really serious stuff is using malware as a means to an end and like the consultant said why bother infecting a tablet when all that is needed is some authentication stuff?

    Add a dash of creativity to the malware coders, a new technology adding a splash of challenge with endgame "we had all yooz kredenshulz" enhanced with a modicum of human error makes it difficult to imagine a really secure bit of kit.

    That said, if the electronic device market wants to mature it really does need to address secure devices to mass markets.

  21. Anonymous Coward
    Anonymous Coward

    As the world moves slowly but inevitably away from windows

    A security researcher whose future employment depends on us buying his products, tells us all those other systems are insecure as well.

    Now there's a surprise /end_sarc

  22. Anonymous Coward
    Facepalm

    I see a train coming...

    ...and it will hit very hard the sandbox in the ass. I am not sure if the train conductor will be chinese or romanian though.

  23. A J Stiles
    Boffin

    It's not black and white

    You could build a system that was absoluty, completely invulnerable to viruses, but it would also be computationally incomplete as a direct side-effect of this. If one process can access persistent data created by another process, then you have the necessary and sufficient conditions for harmful software. No persistent data at all means no viruses, but it also means no files! Tying files to the application that created them, still breaks usability horribly -- and providing a "hidden" API for use in "official" apps only keeps you safe as long as the API *stays* hidden.

    Unix-like OSs *are* more secure by design than MS-DOS and Windows 95 / 98 / ME. That is just a fact. In the Unix camp, we screw on the door locks from the inside. In the Windows camp, before XP, they generally used to screw them on from the outside; and a lot of old Windows software, written by self-taught "developers" using pirated copies of Visual Studio and incomplete API documentation, expects outright access to the entire machine. And it can't be rewritten to do things "properly", because the Source Code is long gone. So even though modern Windows has proper security features, much software still relies on them being disabled. And Windows *has to* allow disabling security because if you have to get all your business-essential bespoke software rewritten, you may as well think about making it multi-platform this time around -- why tie it to Windows, now we know all we know?

    A really secure (still not totally secure, but about as good as you can get) system would have everything interpreted; this would be enforced through the use of a different instruction set and addressing schema in every physical implementation, so no way to run native code at all. Although this would not make malware impossible, it would at least make it much easier to spot and deal with when it appeared.

    However, this would also make Caged software impossible, so the world isn't quite ready for it yet.

Page:

This topic is closed for new posts.

Other stories you might like