Google’s claim on Chrome security is nonsense
Written by Dan Blacharski on July 15, 2009

Last week, Google announced its new Chrome operating system amidst fanfare and excitement throughout the blogosphere. The new operating system is an open-source, Linux-based OS initially targeted at netbooks. I’ve not looked at the Chrome OS up close, and I have no reason to doubt the veracity of their claims of elegance and simplicity, but there’s one claim that Google is making that deserves a response. According to Google’s announcement, they are “completely redesigning the underlying security architecture of the OS so that users don’t have to deal with viruses, malware and security updates.”
Absolute nonsense. The announcement was written by Google’s Engineering Director, but it sounds more like it was written by their Marketing Director. No security expert in his or her right mind would claim that any operating system, open source or otherwise, is completely bullet-proof and immune to malware. It’s just not gonna happen. We’ve heard the same claim from Apple for years, but the fact is, the Mac is not immune to malware any more than a Chrome system, or for that matter, a Windows system. There are fewer Mac intrusions, but it is certainly possible to penetrate one and it is certainly possible for a hacker to create a Mac virus. There are more Windows machines, so opportunistic hackers simply realize that there is more economic incentive to attack those instead. The same principle applies to Chrome. How many people, in reality, will roll out the Chrome OS over the next few months? In the big picture, it’s likely to be a fraction of a percent of all PC users. As a result, the greatest protection afforded users of Chrome OS will be security through obscurity. Hackers just won’t be paying attention to it.
Beyond that, it’s simply impossible to create a foolproof operating system that is immune to all viruses. It is possible to make an OS more secure, and it’s done all the time. Some hardware firewall devices run on “hardened” OS platforms that are exceedingly difficult to penetrate. But to make one that is absolutely secure? Foolproof, and user-friendly to boot? Impossible. For one thing, malware writers are constantly at work, constantly innovating, and constantly looking for new vulnerabilities that weren’t considered by the OS’s engineers. That’s why patches and security updates are a good thing–because it’s not possible to consider absolutely every possible vulnerability at the get-go. For Chrome to say that users “won’t have to deal with” security updates frankly is a frightening thought. Nuisance though it may be, security updates are what keeps us a step ahead of the bad guys.



July 15th, 2009 at 6:52 pm
I had my people obtain (by means I cannot admit to) from the Google Labs a model of the new Google OS and even better than that, the platform they plan on running it on! It’s a radical new design slate computer! Sure enough it browses the internet, runs Google-Apps, has a task bar, prints and has a true chrome interface!
I will withhold judgement right now but I am not shaking in my boots over competition from this thing! I could be wrong, what do you guys think?
July 16th, 2009 at 5:49 am
Dan,
You are claiming ChromeOS security is nonsense but where exactly is your actual security evaluation of ChromeOS? The word of someone who hasn’t used it or even had the OS to perform even basic security checks isn’t exactly worth much.
Essentially you’ve based your evaluation on the Mac’s rare vulnerabilities, comparing those to Windows routine vulnerabilities.
While the Mac has rare security issues, anyone existing in reality has to wonder why almost all Windows vulnerabilities end in this phrase “…and gain complete control of your computer.”
It is the worst OS in the world on security with issues often going unpatched for years. Every version trots out the same tired marketing “more secure & reliable” ads… How’s that worked for us so far?
(Vista’s ultra-secure…right?)
Explaining this away with it being the OS that’s the largest target, doesn’t deny the fact it IS the largest unsecured target. You have more virulent attacks on the OS, Spyware, Personal data theft, difficult or impossible to remove rootkits and a company that seems incapable of understanding that security should be built into the foundation of an OS…not patched onto it.
Based on your own statements here, your comparison is not only invalid but invalidated by your own comments about the OS in hardware devices such as hardened firewalls.
Absolutely secure?
Are you HONESTLY counting local physical access to the machine, firmware and internal files…because not even business or military systems can withstand an inside job. Waving the it’s not “Absolutely secure” banner simply invalidates your own comments. Further claiming creating a foolproof easy to use OS is impossible, sounds very much like what you’re really saying is it’s impossible for you.
By your comments it IS possible to make an OS and hardware secure, if designed & built from the ground up for its function. (What computer isn’t “hardware”?)
You have in fact, accomplished something…Confirmed a secure ChromeOS is not only possible, but examples of similar secure devices exist everywhere hardware is sold.
Thank you.
July 18th, 2009 at 3:39 am
I think you fail to grasp how different Chrome OS is from a typical OS. The reason that these claims (though perhaps simplifications) have weight is that the attack surface for Chrome is smaller than any other operating system by far.
For instance, the OS and all system files (nay, all files besides cache, update packages, and things like bookmarks) are mounted read-only. “System calls” are exposed through JS APIs. The attack surfaces pretty much amount to: bugs in the JS engine, design flaws in the security model, and the auto-update process. Granted, there may well be vulnerabilities here, but compare that to Windows in which *every single DLL* is a potential target for attack. Refusing to execute any untrusted code has dramatic implications for security.
That said, Google’s claim, as I interpret it, is about “malware” and “viruses” as we see them today. Of course, the existence of an entirely cloud-based OS underscores the increase in risks associated with cross-site scripting bugs, phishing and other purely web-based threats as we move our computing off the client. But these issues are present on any operating system with a browser, so there’s not much to talk about with respect to Chrome specifically.
I think even if Google’s claim is a bit overzealous, it’s absolutely grounded in reality more so than previous claims by MS and Apple.
July 19th, 2009 at 11:12 am
Zenix,
Take a chill pill man. It was only obvious Blacharski was only blowing smoke, like you said, he hasn’t even tried the os out yet.
But he has a few of the fundamentals right. It is truly impossible to make an os or any program completely invulnerable to attack. Why? Because they are all written in code (obviously, some programming will be better than others but nevertheless they all have innate weaknesses). Ever met a human being that never had a cold, infection, or any medical trauma in their life? It’s in our nature to be weak but just the same, some are stronger than others.
In the end, it is impossible to build a program (as we know programming today) to be completely bullet proof.
July 24th, 2009 at 3:09 am
True enough, I was indeed blowing smoke, as was Google in their claim that Chrome would not need security. No need to evaluate the software to know an unrealistic marketing claim when I hear one. I’m not saying Chrome is a bad OS, it may well be the best thing since sliced bread, it’s just plain irresponsible for Google to lull users into a false sense of security with such a claim.