Slashdot Mirror


Chrome OS Doesn't Trust Apps Or Users

holy_calamity writes "Google's Chrome OS chiefs explain in Technology Review how most of the web-only OS's features flow from changing one core assumption of previous operating system designs. 'Operating systems today are centered on the idea that applications can be trusted to modify the system, and that users can be trusted to install applications that are trustworthy,' says Google VP Sundar Pichai. Chrome doesn't trust applications, or users — and neither can modify the system. Once users are banned from installing applications, or modifying the system security, usability, and more are improved, the Googlers claim."

28 of 410 comments

  1. Wait, what? by Monkeedude1212 · · Score: 5, Interesting

    Doesn't that make it even more closed than an iProduct?

    1. Re:Wait, what? by 42forty-two42 · · Score: 5, Informative

      The headline's a bit misleading. Users _can_ replace the OS. However, the BIOS will check signatures on the OS, and offer to restore from a known-good backup on boot (without destroying user data). This ensures that if the OS is infected by a virus or something, it's very, very easy to restore.
      There are specific points in the design docs where they make it clear that they do want to support advanced users installing their own OS, to the extent that that does not cause trouble for less advanced users.

    2. Re:Wait, what? by mrsteveman1 · · Score: 4, Informative

      MORE closed? No, because Google has always said that users could get into the core os if they wanted to without resorting to exploits and hacking.

    3. Re:Wait, what? by Microlith · · Score: 5, Insightful

      And I expect that to carry zero weight with 3rd party hardware vendors, who will undoubtedly lock the platforms down and, if they're like Motorola, they'll sign the kernel so you absolutely can't load other OSes.

    4. Re:Wait, what? by natehoy · · Score: 5, Insightful

      I was thinking the same thing. If iOS is a walled garden, this is a walled garden hermetically within a Plexiglas dome and a concrete floor and all the plants in sterilized pots.

      But that might not be a bad thing. For the "my phone/computer is an appliance" crowd, this might be perfect. No fiddling around trying to download plugins or extensions, no overhead of antivirus, and no difference between multiple machines, and most importantly almost no tech support required. If I break something like this, I go out and buy a new one, present one username and password to it, and it's exactly like my old one used to be.

      If you're selling an OS whose primary purpose is to surf da interwebz, it might not be a terribly bad idea to resurrect the concept of the "dumb terminal" in that context. I presume Google will push updates, so if they keep a current list of plugins and/or extensions that can be enabled/disabled by the user as desired, you have machines that are going to be really, really hard to compromise, and really, really easy to use. And really, really inexpensive.

      Well, except by Google, so you'd better trust Google a LOT under this model (much like you have to trust Apple a good deal under the iOS model). If you want your computer to do anything outside what Google had in mind, you're done. If Google gets hacked, your data gets hacked and you might never know about it. And, of course, you'll never be able to do anything without Google knowing about it.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    5. Re:Wait, what? by Americano · · Score: 5, Insightful

      The headline isn't really misleading, it's actually quite accurate - Chrome OS doesn't trust apps or users to be safe. That you can replace Chrome OS with something more trusting doesn't mean Chrome OS itself suddenly trusts those apps and users.

    6. Re:Wait, what? by mlts · · Score: 5, Insightful

      Reading the design docs, having an oem-unlock switch is a nice compromise between keeping Joe Sixpack from getting compromised by malware (and then blaming it on Google's or the device maker's lack of security) and allowing a clued user to do what he or she wants.

      With this in mind, one thing that would be nice to have are offline apps. This way, a glitch in Internet connectivity would not mean a corrupted term paper.

      I just have one concern though -- the fact that everything you do is stored in the cloud. This means zero privacy. Even with the lack of privacy now, if an application started sifting through Word documents and uploading them to an ad agency, there would be Hell to pay. However, one can't have any assurance that someone isn't doing this when all the docs are stored remotely. There is a fundamental rule: "don't put anything on the Internet that you don't want everyone, including your worst enemy, to know." So, trusting a cloud service with everything you do may have negative ramifications later on.
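Added example, not code from the thread or from Google: a simplified model of the boot flow 42forty-two42 describes above (firmware checks the OS image, offers a known-good restore without touching user data) together with the oem-unlock / developer switch mlts mentions. The real Chrome OS design signs the kernel with an RSA key in read-only firmware and verifies the root filesystem block by block with dm-verity; here both collapse into one hash tree over the OS image, with the trusted root hash standing in for the firmware key. The block size, partition names, image bytes and the dictionary shape returned by `boot()` are all constructed for the demo.

```python
"""Verified boot with a recovery fallback, simplified to one hash tree.

Added example (not Google's code). The trusted root hash plays the role of
the public key burned into read-only firmware; the per-block hash list plays
the role of the dm-verity hash tree shipped on disk next to the image.
"""
import hashlib
import hmac

BLOCK_SIZE = 16  # tiny so the demo image has several blocks; dm-verity uses 4 KiB


def block_hashes(image: bytes) -> list[bytes]:
    """SHA-256 of each fixed-size block of the image (last block may be short)."""
    return [hashlib.sha256(image[i:i + BLOCK_SIZE]).digest()
            for i in range(0, len(image), BLOCK_SIZE)]


def verify(image: bytes, shipped_hashes: list[bytes], trusted_root: bytes):
    """Return (ok, first_bad_block). Checks the hash list against the firmware
    root first, then every block against the list, so an attacker who rewrites
    both image and hash list consistently is still caught at the root."""
    root = hashlib.sha256(b"".join(shipped_hashes)).digest()
    if not hmac.compare_digest(root, trusted_root):
        return False, None                      # hash tree itself was replaced
    actual = block_hashes(image)
    if len(actual) != len(shipped_hashes):
        return False, 0                         # image grew or shrank
    for i, (have, want) in enumerate(zip(actual, shipped_hashes)):
        if not hmac.compare_digest(have, want):
            return False, i                     # first modified block
    return True, None


def boot(disk: dict, trusted_root: bytes, dev_switch: bool = False) -> dict:
    """Firmware policy: boot a verified rootfs; otherwise restore the recovery
    image into rootfs and boot that. The 'stateful' partition (user data) is
    never written. dev_switch models the physical OEM-unlock switch: boot the
    unverified image anyway, but report that verification failed."""
    rootfs, hashes = disk["rootfs"]
    ok, bad = verify(rootfs, hashes, trusted_root)
    if ok:
        return {"booted": "rootfs", "verified": True, "bad_block": None}
    if dev_switch:
        return {"booted": "rootfs", "verified": False, "bad_block": bad}
    recovery, rec_hashes = disk["recovery"]
    rec_ok, _ = verify(recovery, rec_hashes, trusted_root)
    if not rec_ok:
        raise RuntimeError("neither rootfs nor recovery verifies; refusing to boot")
    disk["rootfs"] = (recovery, list(rec_hashes))   # restore; stateful untouched
    return {"booted": "recovery", "verified": True, "bad_block": bad}


# --- constructed demo data -------------------------------------------------
GOOD_OS = b"chromeos-rootfs-v1:" + bytes(range(77))          # 96 bytes = 6 blocks
GOOD_HASHES = block_hashes(GOOD_OS)
TRUSTED_ROOT = hashlib.sha256(b"".join(GOOD_HASHES)).digest()  # "in firmware"


def make_disk(os_image: bytes = GOOD_OS) -> dict:
    """A disk with a (possibly tampered) rootfs, a pristine recovery image and
    a user-data partition; the shipped hash list is the one for the good image."""
    return {
        "rootfs": (os_image, list(GOOD_HASHES)),
        "recovery": (GOOD_OS, list(GOOD_HASHES)),
        "stateful": b"term-paper.odt",
    }


def tamper(image: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset (simulated infection)."""
    buf = bytearray(image)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    disk = make_disk(tamper(GOOD_OS, 40))        # byte 40 lies in block 2
    print(boot(disk, TRUSTED_ROOT))              # restores from recovery, bad_block 2
    print(disk["stateful"])                      # user data survived the restore
    print(boot(make_disk(tamper(GOOD_OS, 40)), TRUSTED_ROOT, dev_switch=True))
```

The dev-switch branch is the whole compromise the two comments describe: the same firmware either refuses an unverified image or, with the switch thrown, boots it while making the unverified state visible, rather than silently trusting whatever is on disk.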

    7. Re:Wait, what? by gstoddart · · Score: 4, Insightful

      Doesn't that make it even more closed than an iProduct?

      If I read the article correctly, a purely "the web browser is everything" approach simply won't be worth a damn if you have no network connection.

      It's also got no storage, so it's not like you could load it up with your MP3s or pictures.

      So, it's a dumb-terminal that requires me to have constant access to the internet, can't store files, can't have actual programs installed on it. I just can't see who is going to want this.

      Say what you will, but at least my iPad lets me install software, store my photos to browse, add eBooks, movies, and music ... and I can use it on an airplane.

      --
      Lost at C:>. Found at C.
    8. Re:Wait, what? by phoenix321 · · Score: 5, Interesting

      I can already replace my Windows installation and when the OS is infected by a virus or something, it's very, very easy to restore. Just hit a BIOS switch, reinstall from a truly hidden (and BIOS-protected) partition - or recovery DVD - and reinstall without destroying user data. (All user data is on D:, while reinstall will bomb C:)

      It doesn't work that well, let me tell you. User data is there, but programs need to be reinstalled to access it. System comes back squeaky clean, but everything needs to be changed to my personal liking.

      What it boils down to is that a computer will be either vulnerable to users, useless for them or anything in between these extremes. Can't install programs? Useless but secure. Can install any program? Useful, but vulnerable.

      Without settings and mail saved *somewhere*, a mail client is useless. With settings and mail saved *anywhere*, a mail client is potentially vulnerable.

      Replacing the OS with a known-good image only works if someone can truly produce an image that is more useful than say a Windows default installation and still known to be good. Which gets increasingly doubtful the older the OS image is, the more programs are installed and the more data/configuration/specifics are kept in program installations somewhere.

    9. Re:Wait, what? by Dishevel · · Score: 5, Insightful

      3: Autobanning people's Google accounts who have custom ROMs.

      Exactly how do you think that Sony, Samsung, HTC, Sprint, Verizon or even the Evil AT&T will ban your Google account?

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    10. Re:Wait, what? by yelvington · · Score: 5, Insightful

      So, it's a dumb-terminal that requires me to have constant access to the internet, can't store files, can't have actual programs installed on it.

      Please catch up. It is not what you think.

      It's not a dumb terminal, it doesn't require you to have constant access to the Internet (some apps require it, others don't), it can store data locally, and you can install programs. They're registered in the cloud, and if you log in and one is missing, it's quickly synchronized to the local device.

      http://www.w3.org/TR/html5/offline.html
      http://dev.w3.org/html5/webstorage/
      http://www.html5rocks.com/tutorials/offline/storage/
      http://code.google.com/chrome/apps/

      Understanding the significance of ChromeOS requires that you abandon some old ways of thinking about how a computer should act. Yes, you're "losing" the desktop and the file folders. You're also losing slow boot times, viruses, the risk of losing your data in hard drive crashes or device theft, and the occasional maddening discovery that you left a critically important file on a hard drive at home|school|work.

      This may not be the device for you, but it may be the device for a lot of people. It's worth pointing out that over half a million people buy smartphones every day that also walk away from a mountain of desktop-computer annoyances.

    11. Re:Wait, what? by ghjm · · Score: 4, Funny

      June 29, 2007.

    12. Re:Wait, what? by GWBasic · · Score: 5, Interesting

      With this in mind, one thing that would be nice to have are offline apps. This way, a glitch in Internet connectivity would not mean a corrupted term paper.

      That's what local storage in HTML 5 is for. When I played with Google Gears in 2007, there was a complete Javascript API for an in-browser SQLite database; AND I could specify which files would be served locally. Thus, I could make a web application that would work without an internet connection.

      Google Gears is now deprecated because a lot of the lessons were applied to the HTML 5 spec.

    13. Re:Wait, what? by Daniel+Phillips · · Score: 4, Interesting

      Then why does Google look the other way as manufacturers engage in blatant lockdown of this supposedly free and open code?

      --
      Have you got your LWN subscription yet?
    14. Re:Wait, what? by DragonWriter · · Score: 4, Informative

      So, unless the article is mistaken (which is possible) ... that would be a dumb terminal, with no storage.

      TFA is not merely "mistaken", it is either the product of gross ignorance of the subject matter or deliberate deception.

      Chrome OS does not require constant connectivity, contrary to what TFA claims. It does everything through the Chrome browser, of course, and so has requirements that are pretty similar to that -- browser based applications will require network connection to the extent that they don't take advantage of the features of HTML5 and other technologies implemented in the Chrome browser for the specific purpose of enabling offline web applications.

      And, yes, the Cr-48 at least has no hard drive, but that is not the same as no local storage: it uses an SSD for local storage. Applications can store information locally using the HTML5 local storage APIs.

    15. Re:Wait, what? by 3vi1 · · Score: 4, Informative

      >> "User data is there but programs need to be reinstalled to access it. System comes back squeaky clean, but everything needs to be changed to my personal liking." ...

      That's a defect specific to Windows and its bloated registry. In the *nix world, all your settings are stored in your user data directory. All programs can be reinstalled from your distro's repository with a single package manager command, and their old settings (as well as all your desktop settings) will be just as you left them.

  2. A little problem... by DoofusOfDeath · · Score: 5, Insightful

    I trust me more than I trust Google.

    1. Re:A little problem... by mozumder · · Score: 5, Funny

      I don't trust you more than I trust google.

    2. Re:A little problem... by wiredog · · Score: 5, Insightful

      So don't buy one...

    3. Re:A little problem... by TheEyes · · Score: 5, Insightful

      It doesn't matter what levels of relative distrust I assign to Google or assign to you personally.

      Google can do a lot more damage to me than you can.

      Well, that rather depends on what volumes you assign to "you."

      Dozens of zombie botnets exist around the world, and consist of millions of compromised machines. All of these exist almost entirely because users are trusted to make the right decision with regard to program installation and access... and they're wrong often enough to get their machines infected.

      The fact is these days even relatively knowledgeable users can't be expected to be able to easily vet the source code of every program they use, even when the source is available. When was the last time one of you audited the code for the entirety of your Linux install--or even just the kernel?--plus your Firefox/Chromium browser and Open/Libre Office? Have you manually combed through all the Javascript from every webpage you've browsed today, to make sure there are no exploits hidden in the code? Are you sure you haven't given a virus a backdoor into your system?

      Maybe not trusting users by default is the right way to go. It's just an extension of the idea to not have everyone log in as Administrator/Superuser all the time, and instead differentiating between regular users and admins; you're just linking the Admin account to a physical switch on the hardware itself.

    4. Re:A little problem... by DrgnDancer · · Score: 5, Insightful

      And for those comparing this to Apple's lockdown, that's ridiculous - Apple actively tries to prevent you from jailbreaking, while anyone can mod the Chrome OS.

      Anyone can modify Linux, that doesn't mean that if you give me a Linux box with locked down guest account access, no alternate boot methods, and don't tell me the root password that I can modify this *particular* Linux installation. The fact that Chrome is Open Source won't help me install applications on my Chrome device. Unless I go out and install my own custom ChromeOS on the device, at which point why did I buy this thing? I could have just bought a conventional laptop and put Fedora on it.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
  3. Printable version by asvravi · · Score: 4, Informative

    Link to the printable version - skips the two overly obnoxious ads that get in the way before you can read the article.
    http://www.technologyreview.com/printer_friendly_article.aspx?id=26882

  4. It makes sense for the business market by lpaul55 · · Score: 5, Insightful

    Companies don't trust their employees and Chrome is a sandbox within a sandbox. This is a good thing in the corporate world where centralized control is valuable.

    Chrome is a very thin client that really works.

    --
    ... now back to the bit mines.
  5. Re:This is what Google means by OPEN by fuzzyfuzzyfungus · · Score: 5, Insightful

    The difference (at least according to design docs, we'll see what happens on release when we come to that) is that ChromeOS devices give one the (advanced; but non-hack) option to tell the command and control system to shove it. Their shipping image, and the one you get if you restore, is built on a no trust model; but if you wish to put a different one on there (including a modified build of the open portions of ChromeOS) that is your call.

    With Apple, by contrast, their portables are their OS or nothing, barring hacks that depend on mistakes they did not intend to make, and do tend to correct over time. What you see is what you are stuck with.

  6. Just a hop and a skip away from... by nlawalker · · Score: 4, Interesting

    Now we're just a hop and a skip away from "Once users are banned from browsing non-Google-approved websites or attempting to use non-Google services, security, usability and more are improved."

    For those that always say "but you can modify it!" or "well you don't have to use it" (the latter of which is true even for Apple's iEcosphere), that doesn't address the problem. The problem is that a whole lot of people will see the convenience and the stability and they won't modify it and they will use it, making the whole concept of walled gardens and lockin more popular among consumers who want ease (as opposed to choice) and companies who want to make money. Large groups of people will forget that they ever had a choice to begin with. I'm not trying to evoke 1984 here or say that we're all going to be slaves to Google, but in the world of consumer technology right now, the leading idea that is getting the most users and making the most money is "step into the [Apple/Microsoft/Google/Facebook] world and bask in the luxury of having everything work together and not having to make choices."

    Just like the old adage about privacy and security, is it worth trading choice for convenience?

  7. Re:Can't install an ap? That'll slow adoption by Americano · · Score: 4, Insightful

    Google doesn't get advertising dollars from you running a local app and disconnecting from the network. They *do* get advertising dollars for every online app you regularly use because that's the only way for you to get anything done.

    I spend most of my work day with a couple browsers, a couple Putty sessions, Outlook, Excel, and a few other apps open. Imagine how many page impressions that would generate if every single one of those apps was based in "the cloud" and had a little section where Google could insert ads?

    Still wondering why this is being touted by Google as the most innovative and revolutionary feature ever in OS design?

  8. Re:Can't install an ap? That'll slow adoption by Eil · · Score: 5, Insightful

    The whole point of Chrome OS is to shift the application from running natively on the hardware to running in the cloud. You're thinking of the web browser as the application, Google is thinking of GMail as the application.

  9. Google security... by metrometro · · Score: 4, Informative

    Yeah, but they still can't get HTTPS on their own damn cloud products. Here's a quick look at Google's security beyond the local device:

    I turn on my laptop, turn on my VPN, surf. In the process I got owned by my buddy running Firesheep. Here's how:

    Laptop has tabs open.
    Wifi connects before VPN kicks in.
    Chrome tries to refresh a tab containing a PUBLIC Google Doc where I was not logged in, and Chrome sends out my authentication without HTTPS on it.
    Firesheep grabbed the Google account, which is my Reset password account for everything else. Owned.

    Later we learned that Chrome's sync bookmarks tool also sends your Google account authentication without HTTPS. All the time.

    So if you're on an open network, Google is spamming your authentication to anyone who's listening, because they can't get their shit together to use HTTPS when they authenticate.

    So, yeah. Security. Good job.