Chrome OS Doesn't Trust Apps Or Users
holy_calamity writes "Google's Chrome OS chiefs explain in Technology Review how most of the web-only OS's features flow from changing one core assumption of previous operating system designs. 'Operating systems today are centered on the idea that applications can be trusted to modify the system, and that users can be trusted to install applications that are trustworthy,' says Google VP Sundar Pichai. Chrome doesn't trust applications, or users — and neither can modify the system. Once users are banned from installing applications, or modifying the system security, usability, and more are improved, the Googlers claim."
Doesn't that make it even more closed than an iProduct?
I trust me more than I trust Google.
Really, not letting most users or applications modify the OS is a good thing. Microsoft (and others) have had a TERRIBLE model in permitting this. Third-party stuff has no business altering the foundation of the system's operation. Now, not letting an application that doesn't want to monkey with the OS get installed is probably going too far. I mean, who's gonna run an OS they can't put an app on? That's broken.
Keep them from installing the OS and the box will be very secure, though usability may suffer a bit. I've always thought that security wonks are only really happy with a system while it's powered off or still in the box.
It must have been something you assimilated....
Great idea Mr. Jobs, I mean Schmidt. Sorry.
Link to the printable version - skips the two overly obnoxious ads that get in the way before you can read the article.
http://www.technologyreview.com/printer_friendly_article.aspx?id=26882
Companies don't trust their employees and Chrome is a sandbox within a sandbox. This is a good thing in the corporate world where centralized control is valuable.
Chrome is a very thin client that really works.
... now back to the bit mines.
ChromeOS is not a PC or tablet. It's designed to use "cloud" applications only.
If you could install an app, or adjust the system as a user, then maybe you wouldn't provide as much data to Google. Google do not make money from computers or operating systems, they make it from the information they extract from you.
Never underestimate the dark side of the Source
Then it's not the part they care about. A malicious application installed by a naïve user will always be able to send emails (because the user will demand the ability to do that), and therefore send spam. And it'll still be able to delete the user's files.
I am trolling
The difference (at least according to design docs, we'll see what happens on release when we come to that) is that ChromeOS devices give one the (advanced; but non-hack) option to tell the command and control system to shove it. Their shipping image, and the one you get if you restore, is built on a no trust model; but if you wish to put a different one on there (including a modified build of the open portions of ChromeOS) that is your call.
With Apple, by contrast, their portables are their OS or nothing, barring hacks that depend on mistakes they did not intend to make, and do tend to correct over time. What you see is what you are stuck with.
Hah! Shows how much you know! My luggage combination is nothing like that!
[click][click][click][click]
[rattle]
[rattle rattle]
WTF? Did Chrome just change my luggage combo?
Welcome to the Panopticon. Used to be a prison, now it's your home.
Now we're just a hop and a skip away from "Once users are banned from browsing non-Google-approved websites or attempting to use non-Google services, security, usability and more are improved."
For those that always say "but you can modify it!" or "well you don't have to use it" (the latter of which is true even for Apple's iEcosphere), that doesn't address the problem. The problem is that a whole lot of people will see the convenience and the stability and they won't modify it and they will use it, making the whole concept of walled gardens and lockin more popular among consumers who want ease (as opposed to choice) and companies who want to make money. Large groups of people will forget that they ever had a choice to begin with. I'm not trying to evoke 1984 here or say that we're all going to be slaves to Google, but in the world of consumer technology right now, the leading idea that is getting the most users and making the most money is "step into the [Apple/Microsoft/Google/Facebook] world and bask in the luxury of having everything work together and not having to make choices."
Just like the old adage about privacy and security, is it worth trading choice for convenience?
Google doesn't get advertising dollars from you running a local app and disconnecting from the network. They *do* get advertising dollars for every online app you regularly use because that's the only way for you to get anything done.
I spend most of my work day with a couple browsers, a couple PuTTY sessions, Outlook, Excel, and a few other apps open. Imagine how many page impressions that would generate if every single one of those apps was based in "the cloud" and had a little section where Google could insert ads?
Still wondering why this is being touted by Google as the most innovative and revolutionary feature ever in OS design?
Sorry, but I don't trust having all my apps run from the web. Just the other day I was on a tight deadline trying to print a document from Docs when it crapped out on me, refusing to print. It was late at night, so it's understandable if they needed to do some server maintenance. Or possibly it wasn't even Google's fault, because there may have been issues with my ISP, but either way I was helpless to do anything. I would prefer having things run locally and automatically sync to the cloud when possible.
The whole point of Chrome OS is to shift the application from running natively on the hardware to running in the cloud. You're thinking of the web browser as the application, Google is thinking of GMail as the application.
One should never trust an application, I'm in agreement on that.
The user owns the machine, they should be trusted to decide what is done with it. If you think I'm wrong... let me explain...
The reason we don't want to trust users is because they have a demonstrated history of bad choices, which result in a lot of work for the geeks who have to clean up the mess. We have a better track record, so we ass u me that it must be because we are smarter than they are. This is only true to a limited extent.
The reason the user makes bad choices is because they are given the wrong choice to make. Instead of asking what extent of permission a program should be granted, the user is given an all or nothing choice. It's not possible for them to "try out" a program without risking everything. This is just plain nuts.
Capability based security offers a way to express the wishes of the user in a manner which NEVER trusts an application... but rather places the responsibility for limiting system changes in the operating system, where it belongs.
It is only when we finally get out of our smug self-congratulatory slumber that it's possible to consider that the typical user is not an idiot prone to randomly pressing OK.
We need to offer sane choices, and a sane security model... Capability Based Security is the only way to go.
Google... unfortunately, isn't any wiser and misses the boat here, but by a slightly smaller margin.
This is a great security model. In fact, in order to keep my home safe I won't allow any devices in that are controlled by an outside third party either.
"Once users are banned from installing applications, or modifying the system security, usability, and more are improved, the Googlers claim."
No security is perfect, there WILL eventually be a remote execution exploit, and the users will be banned from installing applications, or modifying the system in order to fix it. I hope it comes with a USB drive I can boot from to wipe the system clean...
However, there WILL also eventually be a remote execution exploit that enables the users to install applications, or modify the system security to provide additional usability, and more functionality than the Googlers intended.
ChromeOS is just begging to be sprung free of the Google jail.
Hint: When the "Attackers" are the folks who purchased the device, their physical access to the device will render all "defenses" useless.
Also: DO NOT WANT, will simply use any other unrestricted laptop or tablet PC available.
Jolicloud, a competitor to Google OS, has an app at the Chrome Web Store. Jolicloud decided to integrate its platform inside the Chrome browser. You can use Jolicloud services instead of Google's. Though definitely restrictive, Google is not locking you into its services.
No oxygen, no problems?
I think you just solved both the fire and the user problems! Two birds with one stone!
If I have been able to see further than others, it is because I bought a pair of binoculars.
"Operating systems today are centered on the idea that applications can be trusted to modify the system" only applies to Microsoft operating systems. Unix and Linux don't trust applications. Application packaging systems are often trusted by users to properly install an app, but Unix/Linux requires the user to have sufficient privileges to allow the app installer to perform the installation. Few Unix/Linux apps are given root privileges.
Yeah, but they still can't get HTTPS on their own damn cloud products. Here's a quick look at Google's security beyond the local device:
I turn on my laptop, turn on my VPN, surf. In the process I got owned by my buddy running Firesheep. Here's how:
Laptop has tabs open.
Wifi connects before VPN kicks in.
Chrome tries to refresh a tab containing a PUBLIC Google Doc where I was not logged in, and Chrome sends out my authentication without HTTPS on it.
Firesheep grabbed the Google account, which is my Reset password account for everything else. Owned.
Later we learned that Chrome's sync bookmarks tool also sends your Google account authentication without HTTPS. All the time.
So if you're on an open network, Google is spamming your authentication to anyone who's listening, because they can't get their shit together to use HTTPS when they authenticate.
So, yeah. Security. Good job.
Really, not letting most users or applications modify the OS is a good thing. Microsoft (and others) have had a TERRIBLE model in permitting this. Third-party stuff has no business altering the foundation of the system's operation.
Now, not letting an application that doesn't want to monkey with the OS get installed is probably going too far. I mean, who's gonna run an OS they can't put an app on? That's broken.
Define "app".
ChromeOS allows the offline install of webapps like Google Docs, which allows you to use every regular function of Google Docs offline, with no web connection. You can create, save, and edit documents, including saving them to external media, without an internet connection. You can even print them if you have a network connection, even if there is no internet.
How is that not an app?
ChromeOS is not an operating system like you are used to. That doesn't automatically mean it's a bad idea.
-Taylor
Worldwide Military budgets: $2100 billion. Worldwide Space Exploration budgets: $38 billion. Really, world? Really?
No, the whole point of Chrome OS is to shift applications from targeting the OS to targeting the browser (thereby commoditizing the OS.)
This differs from a shift from "running natively" to "running in the cloud" in that one of the major areas where Google has put effort to enable the browser to be the platform for more robust applications is in allowing browser-based applications to run disconnected from the internet and leverage local hardware resources in a way that previously was restricted to native applications. Features and technologies related to that, which Google has actively sought to develop and/or promote and which are included in Chrome OS, include (off the top of my head):
* HTML 5 local storage and other offline-functionality related APIs,
* Native Client
* O3D
* Cloud print
* More robust in-browser media support, including bundled-in Flash and PDF support
...and I'm not buying a portable computer that only works when it can talk to Google's servers (though I'll happily beta test one!). Preventing apps from mucking around with system files is a no-brainer, but that doesn't mean they have to live in the cloud. For corn's sake, they make portable apps for Windows that work fine without touching the OS.
Never let a lack of data get in the way of a good rant.
First off, you're way out of date. Windows has supported the permissions structure you're advocating since NT 3.1 came out (it pre-dates Windows 95, although until XP came out the permission-less 9x systems existed in parallel). The first user created had root permissions, but nothing required that you do everything as that user; my day-to-day XP account had limited permissions. For Vista and Win7, by default even members of the Administrators security group run programs with limited permissions, though they can get root (Admin) access on-demand. Except for installers (and not always for those) Windows programs aren't usually given root permissions either.
Also, there's a difference between trusting users (logon credentials) and trusting apps. The usual behavior is that an app has whatever permissions the user running it has. Linux, through AppArmor or SELinux, offers some ways to limit the trust in an application, but most default installs don't use these. The Windows application-level trust system, Mandatory Integrity Control, is less fine-grained than something like AppArmor, but is easy to apply and is used on several out-of-the-box programs, including Internet Explorer. Such apps are marked as being "Low Integrity Level" and therefore are not permitted to write to any portion of the filesystem not *also* marked as Low IL, regardless of the permissions of the user running the program. Similarly, a program can't send messages to a program with a higher IL, so for example standard limited-user programs (default Medium IL) can't attempt to take over Administrator-level (High IL) programs. MIC is only available on NT 6.x (Vista, Server 2008, and Win7) but so far as I know OS X has nothing even vaguely equivalent.
There's no place I could be, since I've found Serenity...
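The Mandatory Integrity Control behaviour described in the comment above can be inspected and applied with the stock whoami and icacls tools. This is an added example, not code from the thread or from Microsoft; it assumes Windows Vista/7 or later and uses a constructed scratch directory under %TEMP%.

```powershell
# Added example: inspect and set Mandatory Integrity Control (MIC) labels.
# Assumes Windows Vista / Server 2008 / Win7 or later (where MIC exists).

# 1. Which integrity level is this shell running at?
#    whoami /groups lists a "Mandatory Label\<Level> Mandatory Level" pseudo-group.
$label = whoami /groups /fo csv | ConvertFrom-Csv |
         Where-Object { $_.'Group Name' -like 'Mandatory Label\*' }
Write-Output "Current process integrity level: $($label.'Group Name')"

# 2. Constructed test directory (not from the page): a scratch folder under %TEMP%.
$dropDir = Join-Path $env:TEMP 'lowil-drop'
New-Item -ItemType Directory -Path $dropDir -Force | Out-Null

# An object with no explicit label is treated as Medium, so a Low-IL process
# (e.g. Protected Mode Internet Explorer) cannot write here yet.
Write-Output 'Before (no explicit Mandatory Label line expected):'
icacls $dropDir

# 3. Explicitly label the directory Low, inherited by new children via (OI)(CI).
#    Defensive pattern: give the low-trust app one writable sandbox folder
#    instead of raising its integrity level.
icacls $dropDir /setintegritylevel '(OI)(CI)L' | Out-Null

Write-Output 'After:'
icacls $dropDir
# Expected extra ACL line:
#   Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
# (NW) = No-Write-Up: only processes below the object's label are blocked from
# writing, so Low-IL processes can now write here while Untrusted ones cannot.

# 4. A Medium/High-IL shell may still write "down" into the Low-labelled folder.
Set-Content -Path (Join-Path $dropDir 'note.txt') -Value 'written from the shell'
```

Running icacls without /setintegritylevel on an ordinary folder shows no Mandatory Label line at all, which is how you tell an implicit-Medium object from an explicitly labelled one.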
..it better trust the machine's owner completely, or else these machines are just Trojan Horses. If the machine doesn't ultimately answer to you, then who does it answer to? Someone who isn't you, that's who.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Microsoft (and others) have had a TERRIBLE model in permitting this. Third-party stuff has no business altering the foundation of the system's operation.
Microsoft fixed this issue almost ten years ago with .Net. The .Net framework allows you to grant or deny any permission to any application (or to every application). The default configuration is that applications launched from storage outside the local machine are not trusted to do anything other than display a user interface, regardless of the permissions of the user running the application. It would be trivial to change the configuration so that only Microsoft software could modify the OS. The only problem is that vendors of shrink-wrap software have predominantly chosen to not use .Net.