Chrome OS Remains Undefeated At Pwnium 3

hypnosec writes "Google has announced that its Chrome OS has managed to remain undefeated during the Pwnium 3 event that was held alongside Pwn2Own. Announced by Google on January 28, 2013 the Pwnium 3 event carried a prize money of $3.14 million. Researchers were asked to carry out attacks against a base Samsung Series 5 chromebook running the latest stable version of Chrome OS. It turns out security researchers were not able to come up with winning exploits even after the competition's deadline was extended. Google Chrome Team has revealed that partial exploit entries have been filled in but, no other details have been released."

OS that doesn't do anything isn't cracked..

The OS doesn't really do anything. It's a glorified web browser.

I'd be more impressed with OpenBSD not being hacked, and even that is essentially just an init process and sshd.

Re:OS that doesn't do anything isn't cracked..

[DCstewieG]

You say that like it's a bad thing. A glorified web browser with incredible security is exactly what a good amount of people should be using. Hell, I know someone who would get along fine if their computer did nothing but Facebook, let alone the rest of the web.

I find it hard to believe (though it's getting easier) that even geeks who have trouble seeing the world outside their little techy bubble can complain about this. I've seen the idea of an internet "driver's license" come up on these boards but then something that protects people from themselves is shit all over. Well done.

Re:OS that doesn't do anything isn't cracked..

[chill]

Considering how fast the various web browsers fall, it *is* impressive. Chrome OS machines are wonderful for giving to clueless relatives who just browse the web.

Re:OS that doesn't do anything isn't cracked..

[fuzzyfuzzyfungus]

The OS doesn't really do anything. It's a glorified web browser.

I'd be more impressed with OpenBSD not being hacked, and even that is essentially just an init process and sshd.

It is a bit more interesting because Chrome, the browser, was among the fallen on Windows(not sure if they tested it on OSX).

ChromeOS is, indeed, mostly web browser sitting on top of a sparse-but-nowhere-near-as-weird-as-android linux distribution(Incidentally, might Google be the one to follow through on Mark Andresson's 1995 threat concerning reducing the OS to a collection of poorly debugged device drivers, albeit not the OS he was talking about?); but it wouldn't have struck me as obvious that it would behave notably different from Chrome running elsewhere, for exactly that reason.

Re:OS that doesn't do anything isn't cracked..

[islisis]

Maybe because some of us are still proponents of 'computers', not content-sipping machines. Awareness of computing means more than getting work done or being entertained, it also involves some learning about the nature of how we do these things can and should change over time. Combined with ideas of open access this is important issue; we should all at least be aware of our ability to govern our processing needs, whether we enjoy the idea or not.

Re:OS that doesn't do anything isn't cracked..

[Nimey]

Gods yes. My father's Chromebook has probably saved him its price already in visits to the computer shop to get viruses removed.

Re:OS that doesn't do anything isn't cracked..

[dreamchaser]

Typical geek-elitist drivel. For some (myself included) sure it's important to understand the nature of how computers do things. What you seem to fail to see, or are in denial about, is that computers have become ubiquitous appliances, and the average user doesn't give a shit about the 'nature of how we do these things.' They just want it to work.

Re:OS that doesn't do anything isn't cracked..

[kangsterizer]

I think what's important to note is that "nobody" uses ChromeOS. This means "nobody" researches bugs for it very hard (even thus its relatively well secured, actually).
All that too say, "nobody pwned haiku either"

Re:OS that doesn't do anything isn't cracked..

[kangsterizer]

You do realize that they all have large teams of people working on this for a YEAR before the competition come right? Not exactly "fast".

Re:OS that doesn't do anything isn't cracked..

[amiga3D]

Yes. Most people don't even have a clue how the light in their room comes on when they flip the switch and could care less about electricity as long as when they flip the switch the light comes on. Almost no one knows anything about internal combustion that drives a car daily they just know that when you turn the key it should start. The how and why is beyond them. Computers are even more complex to these people and it's crazy to think they'll ever know or care how they work.

Re:OS that doesn't do anything isn't cracked..

[hairyfeet]

That is why I don't understand why its included....do they include other thin clients? Because that is ALL it is, its a minimal kernel designed to have just enough to launch the browser interface, no different than one of the old Sun Ray thin clients. The ONLY difference between Chrome OS and any other classic thin client is Google provides the infrastructure in return for being able to datamine you for their real customers, which is of course the advertisers.

Now does this mean ChomeOS is "bad"? Of course not, if a thin client is all your company needs I would be happy to set one up, for some jobs a thin client is really all that is needed....BUT, and its a BIG BUT, there are a HELL of a lot of tasks that thin clients just aren't built for which is why I just don't get marketing this to consumers. Hell even my most boring home customers have SOME software they want to run, take the little old lady that was my last customer of the day, I had to load the little software that comes with her wireless printer into her new system because she uses that to make little announcements for her family, calendars made out of pictures of the new grandbaby, anniversary party invites, that kind of stuff. If she couldn't have her little software? The PC might as well be a paperweight for all the good it would do her.

So I really don't get why these rags keep lumping in ChromeOS with Windows and OSX because its really nothing like them at all, those are your classic "fat client" full OS while Chrome is a classic thin client "browser in a box". Hell feature wise its got less going for it than Android, Android you can side load and run third party programs easily and from what I've seen Chrome is strictly web based which is why they can get by with such little space on the drive, everything is supposed to be hosted by Google and run in the browser.

It just makes no sense at all to run a test of fat clients with Chrome, to use a /. car analogy it would be like having a test on which truck gets the best mileage and entering a moped. Sure its gonna get the best mileage but so what? It doesn't actually DO the jobs that you need a truck for in the first place!

Re:OS that doesn't do anything isn't cracked..

No , I think he understands perfectly, he is just saying that we shouldn't accept that state of affairs.

Re:OS that doesn't do anything isn't cracked..

Not knowing where the electricity comes from or how the car engine works won't allow someone to steal your savings account.

Re:OS that doesn't do anything isn't cracked..

[YukariHirai]

No-one's saying that all computers should be "content-sipping machines", just that such machines should be available to those who only ever sip content and want to remain absolutely clueless about how they work, rather than them get their shit exploited because they don't (and probably never will) know how to secure something themselves. "Proper" computers and operating systems should still be available to those of us who want them and can handle the responsibility.

Re:OS that doesn't do anything isn't cracked..

[SpectreBlofeld]

I thought that's what iPads were for!

Re:OS that doesn't do anything isn't cracked..

[SpectreBlofeld]

Well, there's the fact that Chrome only exists (officially) on devices built for/released with it. I'd wager that vulnerabilities would skyrocket if Chrome were turned into a real distro that could run on any hardware, because that would open the door to closed drivers, third-party repositories, etc, etc.

Re:OS that doesn't do anything isn't cracked..

[Mark+of+the+North]

Is there a $3.14 million bounty I can claim for pwning Haiku?

Re:OS that doesn't do anything isn't cracked..

[Clarious]

It seems that ChromeOS is based on hardened gentoo (clues can be found here https://sites.google.com/site/chromeoswikisite/home/what-s-new-in-dev-and-beta/shell-acess-with-verified-boot), and hardened gentoo is.... hard (grsec + pax + some kind of MAC mechanism). And while I agree that ChromeOS is very basic, just a browser on top of it. But all other browsers were successfully attacked, it means that the OS has protected the browser.

Re:OS that doesn't do anything isn't cracked..

Sad to say this is true...

Re:OS that doesn't do anything isn't cracked..

[ArchieBunker]

Use the right tool for the right job you idiot.

Re:OS that doesn't do anything isn't cracked..

[SpectreBlofeld]

You'll change your tune as soon as your (insert relative or friend here) asks you how to play (insert hot new videogame here) on their Chromebook. What will your advice be - 'Buy an XBox'?

People wanna do stuff on their computers, even the dumb ones...

Re:OS that doesn't do anything isn't cracked..

[McFadden]

Your point is typical of the smart-ass remarks that get thrown around on site like this to score cheap points, that have no fucking relevance at all when they're actually considered. The responsibility for knowing how your car works, or ensuring your electricity functions correctly has been taken out of your hands and is handled by the people who made the vehicle or the house. Just like providing people with a simple, secure computing platform that does enough to satisfy their needs is not a bad idea.

Re:OS that doesn't do anything isn't cracked..

And that's *EXACTLY* how it fucking should be with computers too, Einstein. That was whole point of this thread.

Re:OS that doesn't do anything isn't cracked..

Computers are even more complex to these people and it's crazy to think they'll ever know or care how they work.

Let's not kid ourselves. Most Slashdot readers don't really know how computers work either. (At least not beyond screwing the parts together and blundering their way through various installers.)

Re:OS that doesn't do anything isn't cracked..

[gman003]

The difference is that Chrome OS is a consumer-grade "thin client". It is aimed mainly at home and educational use, not the big corporate or government use most other thin clients aim for.

As such, yes, it makes sense to compare it to other consumer-grade operating systems. The results won't be quite comparable, as many duties normally handled by the OS are done remotely, in "the cloud", but it's still a worthwhile comparison.

Re:OS that doesn't do anything isn't cracked..

[ozmanjusri]

do they include other thin clients?

Such as?

CromeOS is on laptops that ordinary people can walk in, pick up from store shelves, buy and use right now. Of course it should be compared to Windows and OSX - it's competing with them. And those ordinary people want to know if it's a better choice for their purposes.

Re:OS that doesn't do anything isn't cracked..

[stretch0611]

Maybe because some of us are still proponents of 'computers', not content-sipping machines. Awareness of computing means more than getting work done or being entertained, it also involves some learning about the nature of how we do these things can and should change over time.

So my mother who does nothing but play games and email should have a general purpose computer because you think a device should do more than just suck content?

we should all at least be aware of our ability to govern our processing needs, whether we enjoy the idea or not.

Yet you just said that everyone needs more than just content machines. My mom is aware of her needs, yet you want to force something more on her...

I am a developer. Unlike the masses, I need a general purpose computer. There will always be a market for them no matter how much we flood the market will less versatile devices like tablets and smartphones (which is where I believe the market is heading.)

For personal use, many people do not need a full computer, lets give them something simpler that better fits their needs. Even some business purposes can be done on a tablet now. Why should we force them to buy something more?

25 years ago would you have suggested that we all continue to use dumb terminals hooked up to mainframes? The modern computer decimated the market for mainframes, supercomputers, and minicomputers. Today, the market share of these large and powerful machines is significantly diminished, yet they still exist for the people have a need for them that a normal computer can not fulfill.

Plain and simple, not everyone needs a "computer" just because you think that they do. There will be a need for them and computers will not go extinct, but fewer and fewer people (as a percentage) will have that need and smaller devices will displace computers in the market.

Re:OS that doesn't do anything isn't cracked..

Look under the hood. Chrome OS is just as capable of running X11 apps as your off the shelf distro. Granted, it's not designed to so it's difficult to make it do so, damn near impossible (as seen in article) without switching developer mode on.

But, switch developer mode on, turn off rootfs verification, remount as RW, and dump binaries on that it'll happily run. I don't typically categorize thin clients as a system running GNU/Linux w/ X11 support.

I think the ace in the hole for ChromeOS security is that any partitions writable are mounted noexec. Any partition mounted exec, is read only. How do you get around that without attacking the kernel itself?

Re:OS that doesn't do anything isn't cracked..

[SteveFoerster]

Hell, I know someone who would get along fine if their computer did nothing but Facebook, let alone the rest of the web.

"Announcing... the Facebookbook!"

Re:OS that doesn't do anything isn't cracked..

[ninetyninebottles]

That is why I don't understand why its included....do they include other thin clients?

I think you're confusing Pwnium with Pwn2own. Chrome OS was the only thing in the former. The latter did not include any thin clients, just Chrome on Windows, which failed along with every other browser offered for testing on Windows.

Re:OS that doesn't do anything isn't cracked..

[Bert64]

The problem is 'computers' are far too complex devices for the average end user, it is irresponsible to let most people connect such a complex device to a public resource when they have no idea how it works.
Content-sipping machines managed by a third party are what the average user should have, 'computers' should be reserved for geeks who understand how to use them.

Re:OS that doesn't do anything isn't cracked..

I'm not a professional developer, but I can write code and write some bash scripts.

I can also ride a motorcycle. On most motorcycles the front and rear brakes are independent. So the operator must balance breaking force and make dynamic adjustments to compensate for many variables. During the braking procedure your force balance will change. BTW I can also take most motorcycles apart and put them back together, and ride them.

Using your logic, I'm a proponent of mechanics, not baby-carriages. Certainly, anybody who gets into a motor vehicle should have in intimate understanding of the physics involved during turns and how the forces change throughout turning. Certainly you should know what every part in your car does.

Whether you enjoy it or not, you should know *exactly* what that magneto does. And how many valves you have, and where your cams are.

Re:OS that doesn't do anything isn't cracked..

[Bert64]

ChromeOS shares enough similarities with Linux and the Chrome browser that people will already have a decent level of familiarity with it... And $3.14 million is a pretty decent incentive to try.

Re:OS that doesn't do anything isn't cracked..

[mianne]

Chrome OS seems geared to those same folks who'd otherwise install trojans, spyware, etc. for the sake of getting an animated cat to chase their cursor. So these users are protected from themselves in not directly hosing their OS from sheer ignorance, and the geeks who purchased these systems might now be lulled into complacency in knowing that they aren't likely to need to LLF the drive and then explain to their relatives where all their funny pictures went...

The problem I foresee is that a user of Chrome OS will therefore have a large target painted on them they they'll be much more likely to fall prey to a phishing campaign. Have you trained Aunt Mabel well enough to know that when she receives that "Important message regarding your mortgage account" informing her that her payment wasn't properly credited, she won't immediately be clicking through to log into her account or calling the "customer service hotline" for assistance?

Re:OS that doesn't do anything isn't cracked..

[tlambert]

Maybe because some of us are still proponents of 'computers', not content-sipping machines.

Well, there's always the programmer switch on the devices; however, I have to say I know some Russian and Chinese hackers who really, really like everyone having general purpose computers with poor security so they can run their botnets.

Re:OS that doesn't do anything isn't cracked..

[mwvdlee]

Yet most people understand electicity well enough to not stick bits of wire in the lightbulb socket.
Should people know what a CPU is? No. Should they understand that giving a program administrative access means you're giving it full control of all your private information? Yes.

Re:OS that doesn't do anything isn't cracked..

[ozmanjusri]

you should know *exactly* what that magneto does.

Good advice for drivers in the 1930's...

Re:OS that doesn't do anything isn't cracked..

[TheRaven64]

The point is that, because everything of value is in the web server, on such a machine there is no need for a full client compromise. On my laptop, a web site needs an arbitrary code execution vulnerability and possibly a privilege escalation vulnerability to be able to compromise most of my data. On ChromeOS, it just needs a cross-site scripting vulnerability.

Re: OS that doesn't do anything isn't cracked..

[programmerar]

No, the average user should not have to understand what an administrative user is. No one outside of geekdom cares about different types of users. Compare it to a VCR, would you expect average users to log in as admin to. VCR? No. And computers are going the same route, thet are expected to just work, no fuss.

Re:OS that doesn't do anything isn't cracked..

[thetoadwarrior]

Once more than 3 people use Chrome OS it'll be hacked.

Re:OS that doesn't do anything isn't cracked..

[jones_supa]

Let's not kid ourselves. Most Slashdot readers don't really know how computers work either. (At least not beyond screwing the parts together and blundering their way through various installers.)

Well, let's throw some carrots then. FPGAs are a good, modern and fun way learn about digital technology. You use VHDL or Verilog to describe your hardware. Combine that with a general electronics hobby and along the way I'm sure you will be enlightened on how computers work. Try this stuff if it sounds interesting.

Re:OS that doesn't do anything isn't cracked..

[ilguido]

I'd be more impressed with OpenBSD not being hacked, and even that is essentially just an init process and sshd.

At the Pwn2Own 2008 contest Ubuntu was undefeated, and it was thew first and last time a Linux based OS was present at the contest. Well, if you don't include Android and Chrome OS.

Re:OS that doesn't do anything isn't cracked..

[cyber-vandal]

It would be "why did you buy a laptop if you want to play games?"

Re:OS that doesn't do anything isn't cracked..

This competition was created specifically for ChomeOS with Google putting up $3.14159 million dollar in prizes. That is why it is included, and indeed the only OS included in Pwnium.

If anyone else want to put up a decent amount of money for prizes, then I'm sure they can have their own competition to test the platform of their choice.

Re:OS that doesn't do anything isn't cracked..

Hell feature wise its got less going for it than Android, Android you can side load and run third party programs easily and from what I've seen Chrome is strictly web based which is why they can get by with such little space on the drive, everything is supposed to be hosted by Google and run in the browser.

Are you sure about this statement?

http://www.chromium.org/nativeclient

Just because they're aren't a lot of them out their yet it doesn't mean it doesn't support it! I just got a Chromebook and I'm loving it on vacation it does everything i'd need to work remotely and a killer battery life!

Re:OS that doesn't do anything isn't cracked..

[Curupira]

"Nobody" uses ChromeOS? Perhaps this will make you should rethink your conclusion...

Re:OS that doesn't do anything isn't cracked..

1930's bullshit, now. Don't look foor the distributoor on a jet engine. Or the APU that flops out if the power dies. Or how about looking at someone trying too mow their yard? what type of electrical system is that yardman using? Don't down the simple, it woorks fine for what it does. Maybe they should go back to it for modern cars, more power t the spark.

Re:OS that doesn't do anything isn't cracked..

[BasilBrush]

No. Should they understand that giving a program administrative access means you're giving it full control of all your private information? Yes.

No. That's like saying that anyone who needs to drive a car need to understand how the choke works. The choke. Remember that? Back in the 1980s and earlier when you learned to drive, you had to learn to use it to start your car when the engine was cold. It altered the fuel/air mix by means of a valve in the carburettor. Everyone had to know what you needed to do with the choke, but only a minority knew what it was doing inside the engine. It became automated and then obsoleted when fuel injection replaced carburettors. In the modern car, the computer (engine management system) performs the same action of making a richer air/fuel mix when the engine is cold. And very few people realise that's happening.

That's the proper use of a computer in a consumer product. To reduce the amount of detail the user has to know about.

Consumers should not be expected to know about types of users. Ideally they shouldn't need to know the concept of user accounts at. The computer should just know who's operating them, and what they should have access to in the same way that a human clerk would. For the moment that may require credentials (bank card/username and pin/password) but biometrics that are more secure than that are probably not so far away.

Re:OS that doesn't do anything isn't cracked..

[SpectreBlofeld]

This isn't 2000... plenty of laptops can game these days. Not an ultrabook, of course, but still.

Re:OS that doesn't do anything isn't cracked..

[BasilBrush]

So the operator must balance breaking force and make dynamic adjustments to compensate for many variables. During the braking procedure your force balance will change.

Sure. By how much? You are applying force to one with your fingers, and the other with your foot, using different length levers, and possibly even different brake types front and rear. (Disk/drum). You have no way of knowing how much force you're applying, you can only guess and learn through the trial and error of actually skidding with one wheel or the other.

I've not been a biker for 20 years, so I'm not sure how far bike brakes have progressed, but car brakes on mass market cars have improved tremendously. And good braking is more important for bikers than car drivers, so I'd hope they have with bikes too. In this day and age the bike should be calculating the balance of pressure to the front and back brakes. It shouldn't be leaving it to the rider to guess.

No, driving car or motorcycle should not involve physics. At no time during driving or riding is anything measured in Newtons, nor are vector diagrams for forces drawn. No more than for throwing and catching a ball. Like the braking, all the steering and speed bit is a learned skill through instruction, intuition and trial and error. And it too, in time, will be taken over by computer that does do it with real physics.

Whether you enjoy it or not, you should know *exactly* what that magneto does. And how many valves you have, and where your cams are.

Why? That information is completely useless to most drivers/riders. When it works, they are irrelevant. When it doesn't work, they call a mechanic.

Re:OS that doesn't do anything isn't cracked..

[BasilBrush]

P.S. This is the exact topic of one part of The Art of Motorcycle Maintenance. One of the most thought provoking books ever written.

Re:OS that doesn't do anything isn't cracked..

[BasilBrush]

P.P.S. Zen and...

Re:OS that doesn't do anything isn't cracked..

What to you expect?
Most people who think they are smart are in fact Malcolm in the Middle smart, aka a computer with no software.
What little facts they can pull out of thin-air and smash together with their big fat hands counts as fact for everyone else.

Smart people are just as ignorant as the non-smart people when it comes to these things.
They aren't even smart, they are just stupid. Smart counts as someone who isn't a complete moron and actually can understand these very trivial things.

Do you "smart" people understand every single thing you use, every single day?
Then get to it, stop being ignorant and stupid, if you don't understand how that road was built for the car you don't understand fully, you are everything wrong with this world, obviously, going by your own projections.
Some people don't need to know how a computer works, some people don't need to know how a car works, some people don't need to know how to perform heart surgery.
Want to know what happens when people do know too much? Overload. Then nothing gets done. And that is the main reason smart people are so depressed out the damn ass all the time and why there is such a high incidence of suicide in them.
It is time all of you start believing in Ignorance Is Bliss yourselves, it saves lives, literally.
Stop trying to be a computer, be a calculator.

Re:OS that doesn't do anything isn't cracked..

[Hal_Porter]

Linux people know that if most of the servers run OpenBSD and the most of the clients run ChromeOS they'd be out of a job.

So they push a much less secure OS which will have problems they can then fix, sort of like Munchausen By Proxy.

The odd thing is that they're not unlike Microsoft in this respect. MS know that a Windows installation will inevitably have a much larger attack surface than an OpenBSD server or a ChromeOS client but a move to those sorts of systems would spell doom for them so they'll keep pushing people towards Windows regardless. If Windows XP were secure after all, people would just keep using when MS decided to stop providing security patches. But because it is not they were forced to upgrade to the crappy Vista and then again to the XP like Windows 7.

Re:OS that doesn't do anything isn't cracked..

[Hal_Porter]

If we refer to people who say stupid things sarcastically as 'Einstein' does that mean we can call bad film directors 'Eisenstein'?

E.g. At the Uwe Boll press conference for his new film "Hack" about a financially and critically unsuccessful film director who murders his critics with a machete in a variety of groin centred ways after a hostile press conference.

"Hey Boll! Nice film, Eisenstein. What they hell were you thinking?"

Re:OS that doesn't do anything isn't cracked..

[K.+S.+Kyosuke]

The responsibility for knowing how your car works, or ensuring your electricity functions correctly has been taken out of your hands and is handled by the people who made the vehicle or the house.

I've recently read an article here how people are not smart enough to handle democracy. Is further removal of opportunities for people to exercise their brain cells from their lives and classrooms really such a good idea? Personally I've always cherished knowledge, even if it wasn't of immediate value. You're saying that like being clueless is somehow a virtue nowadays.

Re:OS that doesn't do anything isn't cracked..

But... but... but.... it's teh Googlezzz!!!!!!

Re:OS that doesn't do anything isn't cracked..

[K.+S.+Kyosuke]

Well, let's throw some carrots then. FPGAs [wikipedia.org] are a good, modern and fun way learn about digital technology. You use VHDL or Verilog to describe your hardware.

Uff, for basic understanding of digital technology, a nice visual tile-based simulator of raw silicon and a library of basic CMOS cells could be even nicer. Just paste the things on the screen, connect them with metallic interconnects and press "play". And people would have to learn neither VHDL, nor Verilog. (You weren't talking about VLSI+ scale circuitry, were you?)

Re:OS that doesn't do anything isn't cracked..

[Russ1642]

People who know little about cars are regularly taken advantage of. "Sir, it looks like the valve head displacement timing is off by a parsec. It'll cost around $500 to fix but do you want it breaking down when you're on the highway?"

Re:OS that doesn't do anything isn't cracked..

[BitZtream]

Welcome to 25 years ago.

Your mom doesn't know how to use a computer.

My kid can probably code you under the table in his sleep, though he'll probably misspell some of the text.

The solution is to make people smarter, not make things dumber.

Re:OS that doesn't do anything isn't cracked..

[BitZtream]

Right, because that story wasn't completely full of out of context bullshit that made it look like it was far more impressive than it was, when in reality it wasn't even a little bit.

Combined Chromebook sales beat sales of SOME single models of other laptops ... of course those other models where in a completely different class and price range, but you know, totally truthful article!

Re:OS that doesn't do anything isn't cracked..

The responsibility for knowing how your car works, or ensuring your electricity functions correctly has been taken out of your hands and is handled by the people who made the vehicle or the house.

I've recently read an article here how people are not smart enough to handle democracy. Is further removal of opportunities for people to exercise their brain cells from their lives and classrooms really such a good idea? Personally I've always cherished knowledge, even if it wasn't of immediate value. You're saying that like being clueless is somehow a virtue nowadays.

Balance is a good ability to have. Requiring people to walk a tightrope over a large drop to encourage them to develop balance is a nanny state intrusion in people's lives. If the free market offers cracker proof walled gardens, who has the right to say, "We don't want you to use those because you won't be exercising your brain to get to Facebook." If they wanted to exercise their brains, would they be going to Facebook?

Re:OS that doesn't do anything isn't cracked..

[couchslug]

We can do what we want, but other people do not have those needs or desires.

Most people only want to consume content. If they have a machine for that which is less likely to be taken over and used in botnets etc, the better for the rest of us. That sort of end user cannot be improved, but they can be sold equipment which suits them.

Re:OS that doesn't do anything isn't cracked..

Except running a full-blown office suite inside the HTML5 web browser. Yeah, tell me more M$ propaganda.

Re:OS that doesn't do anything isn't cracked..

You mean finally M$ and Intel get a taste of their own nasty propaganda to eat ? How horrible ist that !
Convicted monopolists getting some bad press ? Let me cry a fucking river for you slimeball creatures.

Re:OS that doesn't do anything isn't cracked..

I think you are also a M$ $hill sent to sow F.U.D. among the more capable computer operators. Among the people using Unixoid systems, more specifically. Go back your your little snail-hole, spineless creature.

Re:OS that doesn't do anything isn't cracked..

[inasity_rules]

While I'm a proponent of "if you can't design your own processor, you shouldn't be permitted to run one"(and yes, I have) I'll be the first to admit it is a stupid unpractical philosophy. Still, it is nice to dream... :P

Re:OS that doesn't do anything isn't cracked..

[Nimey]

The trouble with that attitude is that, taken to its logical conclusion, you'll end up with a permanent underclass of users who'll never know how to operate a Real Computer because they will never be exposed to one.

Re:OS that doesn't do anything isn't cracked..

[hairyfeet]

So in other words its like MSFT's "Get the facts" in that its total marketing BS based on carefully controlled conditions?

Frankly other than Pwn2own I haven't seen any of these tests where they didn't put it with so many stipulations that it was worthless, like how Starforce used to offer a million bucks if you could prove that Starforce bricked drives (which I can tell you YES it did, I threw away enough Starforced bricked drives in my day to know) but they had so many conditions that there was no way anybody would actually bother, the tests were too rigged in favor of Starforce.

So I wouldn't be surprised if they set up a bunch of bullshit conditions like "it has to be a local attack" (no MITM or luring the user to click on a malicious link, which is how you would attack a thin client) so there really wasn't any possibility that anybody would pass this "test" of their thin client OS.

Re:OS that doesn't do anything isn't cracked..

The solution is to stop being a single-solution person.

You make people smarter. AND. You make things easier ("dumber").

A focus on one to the exclusion of the other means you're one of the people we need to make smarter.

Re:OS that doesn't do anything isn't cracked..

Your russians and chinese hackers would certainly prefer lots of loosely securized windows machines instead of locked down devices.

Re:OS that doesn't do anything isn't cracked..

[Bert64]

Just like you have a permanent underclass of people who don't know how to service cars, or build houses, or etc etc.
Back in the days this "underclass" as you call it simply didn't use computers at all.

Kids can be exposed to proper computers in school, and decide for themselves if they want to learn anything about them or not. There will always be a few geeks who actually are interested.

Does it do anything at all?

[CharredMetal]

I mean Does chrome OS runs /have anything of value at all? all the data is kept on the server side. Most of the processing happens through browser. so if session is closed there is nothing of value left on the machine unless you re-login. Is that correct?

Re:Does it do anything at all?

There are a few minimal command-line functions that work like ping, but otherwise that's pretty much the case.

Re:Does it do anything at all?

[ThorGod]

I played with one at Best Buy a couple days ago. I think it comes down to this: Whatever you can do in Chrome (the browser) you can do on that machine.

There are "links" on the tab bar that function as shortcuts to places like gmail, google docs, and whatever. I think they just open up a browser window or tab to that respective place, though.

Re:Does it do anything at all?

[CannonballHead]

From what I understand, there are, at the very least, local caches (similar to Google Drive/Docs/Email offline). Also, there would be all the info that Chrome keeps locally.

Re:Does it do anything at all?

[Kenja]

In this case, the target was a Samsung Series 5 Chromebook which has 16GB of local storage. In theory, you could in theory get it to run code that could return data to you. However since the OS itself doesn't really run any services to exploit, you would have to do it via the browser.

Previous pwn2own contests have required someone on the notebook to open a URL emailed to them in order to initiate the attack. It is unclear form this article what the rules where in this case.

Re:Does it do anything at all?

[SpectreBlofeld]

To anyone who wants to play around with it: there are Chromium OS VM builds out there you can play with in VMWare or Virtualbox (legal, it's all opensource).

I tried it out a few weeks ago. It really *is* just a web browser. I have trouble understanding why someone would spent $1300 for a Pixel unless they planned to install a real OS on it. Yeah, I get that the display is nice, but for that kind of money I should be able to... I dunno... maybe run the aforementioned VMWare, like I do now on the $599 laptop I virtualized Chrome (and Win7 and PC-BSD) on. And played Portal on, etc.

Re:Does it do anything at all?

[AvitarX]

Well, it accesses my email, and documents I'm drafting with collaboration. It also saves credit card info (i think, not mine).

chrome fell, so I personally find this interesting.

my email is worth a decent amount at times, and there are people who have far more valuable emails.

Re:Does it do anything at all?

[simonbp]

Posting this from my series 5. :)

It runs Ubuntu/Xubuntu 13.04 quite nicely booting off an SD card. You'd be hard pressed to get a better laptop for the money, and it's massively more useful than any table I've ever used.

Re:Does it do anything at all?

[simonbp]

Tablet, I mean. It's not as useful as a table.

Re:Does it do anything at all?

[aztracker1]

I think that the thought is that with the addition of NaCl apps, WebGL, and WebRTC on a fast enough machine, that you can have most of those apps in a sandboxed environment. And there is merit to that... considering how many people now use their tablet as their primary device.. I agree the price point is way off.. given the touch display, they could have a reduced CPU, and it might be enticing in the $800 price range.. but at $1300, I'd rather have a Macbook.

Re:Does it do anything at all?

SD card I/O for storage is pretty slow, but then again so is the series 5 in general...

Re: Does it do anything at all?

Seeing as how most people only use their computer for the web it does what it needs to.

It might not fit everyone's needs but then again why would I buy a motorcycle to drive my family around in.

Re:Does it do anything at all?

What's stopping you from installing Ubuntu on it and running VMWare?

Re:Does it do anything at all?

[Pale+Dot]

With its bigger screen, the $1000 Chromebook Pixel looks like a better table. Just be sure to close the notebook lid first.

Re:Does it do anything at all?

[islisis]

What about a chair? Outside of Redmond that is...

Re:Does it do anything at all?

[SpectreBlofeld]

Nothing at all, and there's no reason you shouldn't, if you're buying it just for the hardware. But they're obviously not selling it just for the hardware, otherwise they'd preinstall it with a real OS, or no OS at all. They're selling it as a really fancy Chromebook - that's the sales pitch here - but at this point there's not a lot you can do with a Chromebook that's fancy enough to justify $1300 other than look at media on a really pretty screen.

In short, it's not the $1300 for the hardware that is wacky, it's the fact that such a machine is tremendously underutilized by the glorified web browser of an OS it runs. It also has too little storage for the price, but that's another issue.

In short, if you're spending $1300 for a laptop to put Linux on, you can do better - a MacBook would be a better deal, in terms of what hardware you get for the money.

Re:Does it do anything at all?

[dgatwood]

I think that the thought is that with the addition of NaCl apps, WebGL, and WebRTC on a fast enough machine, that you can have most of those apps in a sandboxed environment. And there is merit to that... considering how many people now use their tablet as their primary device.

Not really. I'm pretty sure there's a graveyard somewhere with the bones of all the companies who thought a browser would make a perfectly good OS and did not realize their mistake in time.

Odds are good that Chrome OS will fail to gain significant traction for exactly the same reason: HTML and CSS are really, really terrible for complicated user interfaces. Things that take fifteen seconds in Interface Builder can take hours or even days to do correctly with HTML/CSS, assuming you're designing to accommodate variably sized browser windows. And making what rightfully ought to be a tiny design change can force you to do a massive redesign of the CSS and HTML.

Speaking as somebody who has written some pretty complex web apps over the years, I've concluded that the state of web UIs is so horribly primitive compared with the state of native UIs in terms of the amount of effort required to get a usable result, and the documentation for the various toolkits is so mind-bogglingly poor compared with docs for pretty much any of the native UI systems, that I can't imagine anybody being crazy enough to think a web-based OS would succeed, particularly after Apple AND Palm/HP tried it and concluded that it wasn't practical.

Re:Does it do anything at all?

[pushing-robot]

Be careful. That typo set Microsoft's Surface tablet project back several years.

Re:Does it do anything at all?

[Bert64]

The keyboard, which you could log if you compromised the host.

Re:Does it do anything at all?

[Bert64]

For a lot of people, the interfaces they use on a daily basis have already been written in HTML and CSS...
I know many people who use a computer for:

email (webmail)
facebook
twitter
occasional searches for information via google
im (usually the one provided by facebook)
porn

All of these are usable via chromeos right now, and enable someone to just get on with it without having to worry about malware or keeping their os up to date (or even caring what an os is).

Re:Does it do anything at all?

[stephanruby]

I tried it out a few weeks ago. It really *is* just a web browser. I have trouble understanding why someone would spent $1300 for a Pixel unless they planned to install a real OS on it.

The price of the Chrome Pixel is minus $500 for some people (that's right, it's a negative number for some).

The people that are already paying $1,800 every three years for Google cloud storage get that three year subscription for free if they buy a Pixel at $1,300. Essentially, the Pixel is a loss leader for CEOs, or CTO, or the tech manager making the purchase decisions. Personally, I don't know anyone else who would use so much cloud storage in the first place except businesses. I suppose they're probably hoping that the Pixel will act as a Trojan horse in the Enterprise. If a CEO really likes his free complimentary supped up $1,300 Chromebook, he may try getting more cloud storage, and cheap $200 Chromebooks for every non-technical person in his company. Company-wide decisions can get made on much less than this.

Re:Does it do anything at all?

[Lincolnshire+Poacher]

In short, if you're spending $1300 for a laptop to put Linux on, you can do better - a MacBook would be a better deal, in terms of what hardware you get for the money.

Perhaps it would be a better deal, but do you not understand that there are a significant number of people who refuse to give Apple any money?

For us, the Chromebook Pixel is that machine for which we have been waiting several years.

Re:Does it do anything at all?

[SpectreBlofeld]

Yeah, I'm one of them. Was just making a hardware/price comparison.

Re:Does it do anything at all?

[ReeceTarbert]

Things that take fifteen seconds in Interface Builder can take hours or even days to do correctly with HTML/CSS, assuming you're designing to accommodate variably sized browser windows.

Not really a fair comparison, considering that there are no authoring tools worth mentioning for HTML5/CCS. Or, to rephrase that: would it still take 15 seconds to do the same things if you'd have to code everything yourself?

RT.

Re:Does it do anything at all?

[BitZtream]

So a chrome book would be fine for my 7 year old son as a toy, but not for anyone who actually wanted to accomplish anything? That's what you're saying?

Re:Does it do anything at all?

[BitZtream]

Perhaps it would be a better deal, but do you not understand that there are a significant number of people who refuse to give Apple any money?

You do not understand the stupidity of avoiding one wolf while actively crawling into the mouth of a wolf in sheeps clothing.

If you think Apple and Google are different, you are really really disconnected from reality. The only actual difference is Apple does what they do with pride, good or bad. Google tends to try to hide its bad a little better or at least appear more concerned like a good citizen. Appearances only.

Re:Does it do anything at all?

[dgatwood]

I'm pretty sure it would take less time to programmatically build an Objective-C UI than it does to do HTML/CSS, too, though I'll admit I haven't done much of that. HTML/CSS has more moving parts, but not the right moving parts for building user interfaces.

With a Cocoa or UIKit UI, you get to define how objects stretch, how they are aligned, etc. Everything is designed under the assumption that element size can change, and the layout must do something sensible.

With HTML/CSS, in contrast, you have to either hard-code positions of elements (and write your own layout code in JavaScript to accommodate scrolling and window size changes) or you get to deal with elements in a linear flow. Flow-based layouts are great for laying out pages of text (which is what HTML/CSS was designed for), but they are completely antithetical to designing user interfaces, and thus any UI built atop it is inherently fragile by design.

Heck, CSS didn't even have the concept of viewport-relative units until fairly recently, and Firefox just got support for them a few of months ago. And the calc() operation and box-sizing: border-box features have only gotten support fairly recently as well, without which the standard box model is broken almost beyond repair for UI purposes.

And don't get me started on the HTML editing parts of HTML5. I could rant for hours on all the bugs I've run into in that area.

IMO, doing HTML/CSS actually feels appreciably clumsier than my experience writing X11 code (Xlib-level), which is really saying something, because that's a pain in the ***.

Re:Does it do anything at all?

[dgatwood]

Err... a few months ago. This is what happens when you say "couple of" and then decide that five or six months stretches the meaning of that phrase a bit too much. *sigh*

Re:Does it do anything at all?

> I have trouble understanding why someone would spent $1300 for a Pixel

Right, because ChromeOS is available _ONLY_ on a 1300$ device. This means the 249.99$ Chromebook that I am typing this on must not be a chromebook.

Re:Does it do anything at all?

I have a feeling the only people who will be buying a Pixel will be installing a proper OS on it. I'm considering it myself for this very reason.

Re:Does it do anything at all?

[Bert64]

No, such a device would be terrible for your 7 year old, as would any modern mac, windows box or most user oriented linux distros. A young child needs to be exposed to a device they can learn about in detail, but also on thats safe and cannot be broken.

A Chromebook is perfect for adults who have no interest in learning about computers, and who only want to use them for basic tasks (such as those i listed), who don't want to learn how the system works and don't want to worry about installing updates, fixing broken software or worrying about malware. That would be the vast majority of adults.

Re:Does it do anything at all?

[aztracker1]

Chrome also supports NaCl (Native Client; C/C++) based applications, which are well sandboxed, and can have more comprehensive UI interactions. It doesn't *have* to be HTML based... I wouldn't be surprised to see Go as a supported language for NaCl SDK in the near future.

Attack surface reduction at it's finest

[dhavleak]

Have zero surface! (Apologies for the redundancy.. OS that does nothing jokes have already been cracked.. couldn't resist adding my own :P)

Re:Attack surface reduction at it's finest

[gweihir]

Good one!

Re:Attack surface reduction at it's finest

[Bert64]

Only it has a browser, exactly the thing that was successfully cracked in the other contests.

Re:Attack surface reduction at it's finest

Yep. This is what happens when you attack Surface.

Don't overvalue this

[gweihir]

It only means that Chrome OS is not too badly engineered. As Chrome OS is pretty new, the number of people that had an in-depth look will be smaller. As it is quite a bit different from other OSes and offers a lot less functionality on the application side, other approaches may be required to crack it.

One could object to that that the kernel is still Linux. True, but the Linux kernel is one tough nut to crack. Even local exploits are in the vast majority not kernel-based, but some application messing up. If they are kernel based, it is typically a specific driver. I do not remember any remote exploits for the kernel at all in the last few years, except one in an exotic network protocol, and Chrome OS has no reason to enable anything in that class.

So while this is a good initial result, do not overvalue it. It is possible that Chrome OS gets broken in the next few years when people get more experience with it. Die to its limited functionality, it is also possible that it will remain very hard to break into or that nobody manages it. Personally, I would welcome a main-stream secure browsing solution establishing itself, but remember that you cannot do most things with Chrome OS that you can do with other OSes.

Re:Don't overvalue this

"I do not remember any remote exploits for the kernel at all in the last few years"

Huh? This is just as rare for WIndows and OS X.

And most local system exploits these days _are_ kernel exploits. The days of subverting suid binaries are long gone. They're not the low hanging fruit anymore if you want to p0wn the entire system, especially because the proliferation of different software for SMTP, etc, has left the kernel as the least common denominator. Now if you want to elevate privileges, you focus on breaking the kernel, which unfortunately is not much of an impediment.

I would never give out shell accounts on a Linux server. It's sure to get hacked pretty quickly. Something like OpenBSD? Not so much. (I regularly see Linux shell systems hacked; same systems running OpenBSD before or after the fact... never.) Mostly because the code churn is far, far, far lower. Linux kernel exploits are actually rather regular, sadly. Code gets refactored, something stupid is committed, and 12 months later the bug is "discovered", never mind that the rootkit writers had been quietly exploiting it for months.

Re:Don't overvalue this

[Bert64]

Lack of experience? ChromeOS is a subset of linux, people are already sufficiently familiar with the parts of linux it does include.

Yes there have been bugs in the linux kernel, but remember that most distribution kernels are generic builds with a large number of drivers and functionality available. If you configure your own kernel, you can turn off what you don't need and this is what google will have done with chromeos. The basic common functionality will be well debugged and see a lot less code churn.

Re:Don't overvalue this

Code churn in Linux happens in even the most boring parts. Look at the way the BSDs implement, say, interval timers and you'll see code which hasn't been touched in a decade. Look at the subsystem in Linux and you'll see regular tweaks or refactoring going back forever. So, the issue isn't drivers or esoteric bits. Code churn at the core is pretty constant, even if because somebody is screwing around w/ a new locking scheme or something.

The beauty of ChromeOS is the hardware security, though.

Re:Don't overvalue this

You are right about Linux local exploits - for those not convinced, see https://lwn.net/Vulnerabilities/?n=20&offset=20 for one example in last few weeks, and scroll back for more.

Unlike OpenBSD, Linux doesn't have a program of proactive source code auditing for security holes, and it evolves much faster, creating the opportunity for new bugs of all kinds, including security vulnerabilities. The kernel team has an unfortunate policy of not openly disclosing when a kernel fix is security related, making it harder for all but kernel experts to figure out the impact of a hole. Fortunately the major distros do a reasonably good job but you are reliant on their time to patch.

Re:Don't overvalue this

All I can see from your references are rather obscure drivers and useless "convenience" kernel modules which allow for actual attacks. Very relevant, because only 0,1% of Linux users run that crap. I assume the "contributors" were paid by M$ for a good pissing into the Linux pool.

Thanks for the ugly show, now please disappear forever.

Maybe Google can focus on Android security now...

[Dahamma]

Or at least the Chrome OS developers could give the Android developers a few pointers...

http://tech.fortune.cnn.com/2013/03/07/apple-android-malware/

It's an "OS"

Chrome OS is more barebones than my phone.

Re:It's an "OS"

If you really need that, you can always open the lid a bit and install any of these 10000 world-class Linux programs from LaTeX to Scribus on the Chromebook. I doubt you get the same stuff for Android.

Maybe Google does not like that, but who cares ?

Re:Maybe Google can focus on Android security now.

Android is fairly secure (again, the base OS doesn't do much.) The mentality around apps is what's wrong.

There must exist a way to disable permissions on a per application basis, but Google will not allow it when it would kill search revenue. People must stop installing apps that access permissions they don't need, but they won't so long as they want their free app toys.

Security is good now, but there's a reason for tha

[Hadlock]

I wonder what will happen in another 15 years. When the "win95 generation" moves in to upper management and the "relatively virus free win7/osx generation" starts designing and managing their own pay-software.
 
The current crop of software devs dealt with stuxnet, *worm and all that other crap. They probably dealt with it on their parent's computers, their grand parents and neighbors. Designing secure, web connected software is in their interests.
 
Will the next generation of developers who entered middle school with facebook already being a thing have the same security concerns? People who survived the Great Depression are typically much more fiscally savvy than those born in the credit era of the 80s 90s and early 2000s.
 
Does this mean we're going to plunge in to a security trough as mediocre corporate software developers push out crap, insecure code, not knowing how insecure code causes problems down the road?

Chrome OS Remains Undefeated At Pwnium 3

Yet...

In other news

[jameshofo]

When researchers where asked to come up with an exploit for the operating system they replied, What is Chrome OS?

Re:Maybe Google can focus on Android security now.

[farble1670]

OMFG MALWARES! sigh ...

https://play.google.com/store/apps/details?id=com.fsecure.ms.dc&hl=en

that's f-secure's (the authors of the report) mobile app that costs $10.58. you think it's just coincidence that it's always someone with a product to sell that's behind these reports?

Why not just setup a true ESXi server?

[earls]

You could build a really nice server with the $1,100 left over after buying a $199 Acer Chromebook. A Pixel in this paradigm is the dick to the balls.

Re:Maybe Google can focus on Android security now.

Uhm, I will.

I don't give permission for shit to shit. I barely even give permission to my ass for shitting.

Seriously though, if I install something, it is either:
1. A commercial app made by a well known company (Doesn't guarantee it's secure, but it's probably not malware)
2. An open source program. (The person who compiled it could be evil though I suppose and have inserted his own special code to do whatever.. but it would need permissions that are suspicious).

In all seriousness, I don't get though why some people think that basic shit should be commercial or full of ads just because it's "mobile". Basic shit like FTP, calculator programs, SSH, VNC, etc. should be available for free by now. Just because the OS is new doesn't make these things groundbreaking. I really wish Google would take a stab at these basic apps in order to kill the overpriced commercial leaches and get rid of the ad infested junkware (I know they make money from ads, but there is such a thing as too junky).

Stick it online for four hours

[Trax3001BBS]

A router only to wifi to the Chrome OS and no active prevention measures (human intervention).
If it's still standing securely after that time then I'll be impressed. Until then this is just great
advertisement for the Chrome OS and nothing more.

Researchers is a broad term and the conditions kept many away.

"To enter the Program, visit the Google desk at CanSecWest 2013 in Vancouver, Canada during
the Program Period. Entrants are entirely responsible for all costs and fees associated with
attending the CanSecWest 2013, including (but not limited to) admission fees, transportation,
accommodation and living costs." http://www.chromium.org/Home/chromium-security/pwnium-3

Re:Stick it online for four hours

[dririan]

A router only to wifi to the Chrome OS and no active prevention measures (human intervention). If it's still standing securely after that time then I'll be impressed. Until then this is just great advertisement for the Chrome OS and nothing more.

To the best of my knowledge, Chrome OS doesn't listen on any ports out of the box. Even DMZing it would do nothing, because there's nothing for attackers to connect to. Perhaps you should learn more about Chrome OS before you come up with ideas like this.

Researchers is a broad term and the conditions kept many away.

Which explains why everything else there was broken, right? Nope, wait, also complete nonsense.

Re:Stick it online for four hours

[Trax3001BBS]

A router only to wifi to the Chrome OS and no active prevention measures (human intervention).
If it's still standing securely after that time then I'll be impressed. Until then this is just great
advertisement for the Chrome OS and nothing more.

To the best of my knowledge, Chrome OS doesn't listen on any ports out of the box. Even DMZing it would do nothing, because there's nothing for attackers to connect to. Perhaps you should learn more about Chrome OS before you come up with ideas like this.

The rules call for wifi access only to the Chrome OS the router is to connect to that wifi from the outside.

Re:Stick it online for four hours

[dririan]

First of all, I'm not sure exactly what you're saying. That being said, my point is that opening it up to the world (which is the most extreme option) wouldn't do anything, because there's no way for attackers to get in. The rules specifically allow the attackers to specify a website that will be navigated to. So leaving a Chrome OS laptop just sitting there won't do anything, because there's no way for attackers to get in; you're going to have to go to an attack page of some sort.

Re:Maybe Google can focus on Android security now.

[F.Ultra]

Well actually they could, all they have to do is to allow http(s) access to the adds-network (or a whitelist) and allow the user to deny everything else.

Not a SINGLE reply?!

Not even a downmod? This man speaks the turth!

Facebook browser (Funny)

I cant wait for me facebook browser!!!

hackers wont tell you

We long ago gave up helping corporations learn how to keep crap safe....and after these years we finally have a solid bunch and the last time someone said it was "unhackable" i myself hacked it and just never told anyone ....enjoy seeing someone whom cares not for money , nor can be bribed.

go on put it mission critical and put stuff there thats worth money on an open market or can lead to loads a press....and see what happens.

Google you have been warned.

I just bought a chrome book last week.

[140Mandak262Jamuna]

Quick review: When there is a network connection, it is a solid browser. It synched with my Chrome browser customizations from my previous use of chrome using windows or linux boxes. Including flashblock and adblock.

But what about off line? Google docs off line lets you edit documents and presentations off line. They sync when you get the connection. When it first came it had no off line edits. Then they have introduced doc and presentations. Spreadsheets would be next I guess. Or may be not. Gmail offline can be customized to keep last so many days worth of email in the local cache. Google calender works off line, ( I think, need to go back and check.).

Off line music player works, off line video play back works. Source of the media could be the internal drive or any USB drive, including the USB powered hard disks. Kindle off line reader works, three books cached very quickly. Apps exist like "Read this link later" that works off line.

So off line, you can watch video, listen to music, read books, cached web pages. You will have read/access to all the google drive docs. And write access to docs and presentations. I think for 200$ it is way more than what I expected.

Re:I just bought a chrome book last week.

[ThorGod]

Wow, thank you for your review. You successfully explained what it's like to own. Sounds like a good box for entertainment.

Re:I just bought a chrome book last week.

[140Mandak262Jamuna]

I thought I added some minor points yesterday. It is missing. May be posted to some wrong thread.

Boots very fast, less than 20 sec. Sleeps / wakes up instantly. Battery lasted three hours. No click buttons or scroll bars in the touch mouse pad. Two finger touch and click is "right click". Two finger click and one finger move is click-and-drag. Two finger swipe is scroll. What does one finger swipe do? Highlight maybe. Not sure. Functions keys to cycle through browser windows, full screen/part screen, back/forward, volume control, pop up app panel etc. App panel has the aspect ratio of a smart phone and pages and pages of icons. Bright screen. 13xx x 7xx . Battery meter is calibrated in minutes remaining. Approximate minutes I should say. We need to ask New York Times how accurate the battery meter is. That is about it. I still think it is a steal at 200$ for a plastic hard disk based net device. Decent at 250$ for solid state drive. Dont know if Samsung 250$ thingie is aluminum or plastic.

What about Safari?

Apparently Safari also hasn't been hacked. Odd that it wasn't mentioned...

Re:What about Safari?

Muharr. Moderately interesting M$ FUD. Won't eat this $nail now.

@Moderator: let this through please, little rodent.

Prehacked

[Frankie70]

Chrome OS is prehacked. It comes installed with a trojan/bot which collects all your information and sends it to Google.

Re:Prehacked

[pentadecagon]

You just repeat what everybody already knows and make it sound bad. Where have we seen this perfidious tactics before? Hint: not from Google. This is why people trust Google more than Microsoft. And, of course, with Chrome OS you exactly know what is being send and where. Good luck finding out what Windows sends home.

Re:Prehacked

What "tactic".. you idiot. Its common sense. Do you always love defending advertising companies or is it only google?

Good luck finding out what Windows sends home.

People already have. Its called a Packet Sniffer. And theres nothing even remotely interesting from a privacy standpoint. All MS cares about is whether you've paid for your copy. Nothing else.

I have a better test. If I block all traffic to MS servers at the router level, Windows continues to work. *Nothing* google *ever* makes could ever work independently without them sucking up all your personal data into their network. Email, docs, pictures.. the works.

If Google was so "open source" friendly how come I cant host my own gmail server? Hint: They will never open source anything that is directly linked with their advertising platform - otherwise people will find out what they're doing behind the scenes.

Re:Prehacked

Oh the irony!

And, of course, with Chrome OS you exactly know what is being send and where. Good luck finding out what Windows sends home.

Yes, Chrome OS sends *absolutely everything* to Google. If 'knowing' that you have given away any possibility of privacy is seen as an advantage then you really are clutching at straws.
I don't trust Microsoft but to trust Google any more than them would be exceedingly foolish.

Re:Prehacked

and where is the data stored? Google server? is that like in your basement, or some one elses location? So therefore you control the data? And who controls the results from your data, for what purpose? To advertise to you, give you free stuff, or to hog your browser. So you own the machine, and can access their networks, to access their research data. on you.

Re:Prehacked

If you are actually concerned, remove all the Google bits and install a proper Linux distro on the excellent hardware.

Enjoy the fact you support a British CPU design house, a Korean electronics enterprise and not these corrupt monopolists Intel and Micro$oft.

http://www.phoronix.com/scan.php?page=article&item=samsung_chrome_a15&num=1

http://money.cnn.com/2010/07/23/technology/dell_intel/index.htm?source=cnn_bin&hpt=Sbin

Misread the title.

[DarkProphet]

I read the title as "Chrome OS Remains Undefeated On A Pentium 3".

That would have been more interesting!

So many uninformed comments

[daboochmeister]

A major theme here is "it doesn't run many apps, that's why it's secure". Yeah, that must be it - it probably has absolutely nothing to do with the way they've implemented Mandatory Access Controls in a rigorous fashion, and the way they isolate resources with heavy use of cgroups, and the read-only root filesystem and tmpfs /tmp, and how they've made every binary use ASLR and NX and DEP, and how they've rewritten several major typically-vulnerable daemons to not run as root, and how they've developed userland daemons to broker access to hardware, and how they don't allow any files in user home dirs to be executables, or how they've started to sandbox device drivers, or the way they implemented separate processing stacks for HTTP and HTTPS, or how they verify not just the boot record but the whole boot stack and partition table and nv ram on every boot and and and ...

Yeah, all those things probably don't matter. They probably don't play any role in exploits that work on Windows-based Chrome failing on Chrome OS. It's not more inherently secure than any other OS, riiiggghhhhhttttt ...

Re:So many uninformed comments

Adding to this, many commenters forget that Chrome includes fairly sophisticated sandboxed execution of native code (NativeClient), so it is not 'just a browser' or a thin client. Google is actually funding research to formally prove the correctness of the sandbox mechanism, which is pretty commendable in itself.

Re:So many uninformed comments

[ThorGod]

Well, it's a question of "what the end user sees". So far it boils down to:

-Everything your browser can do (while connected to the web).
-Ability to play media online and offline (from another commenter).
-Very strong system security.

The /. crowd have a problem because they can't fire up actual applications or games like Quake 4 - I'm guessing.

Re:So many uninformed comments

[equex]

if there was a +6...

Re:So many uninformed comments

[xtracto]

Oh... thanks for this comment. It is so sad that the only really interesting comment (talking about the underlying technology) is sitting at the end of the thread. I cry for those /. days where all the points you touch would be themes for discussion... instead of the useless and stupid comments filling the thread right now.

Re:So many uninformed comments

[Bill_the_Engineer]

I think the main theme is that it only appears secure since the teams that tried to hack Chrome OS hasn't really had as much time to work on exploits. Compare this to Pwn2Own where they have a year (or even years) to find and torture their targets. Also the recent initiative to run an office suite as a native app within the ChromeOS browser is a very attractive target for an exploit, and I'm sure people will concentrate their efforts on testing the mechanisms that will eventually allow that to work in the released version of the OS.

Re:So many uninformed comments

[Bill_the_Engineer]

Implementing a sophisticated sandbox to run native code will actually add the possibility of an exploit not reduce it. If ChromeOS stuck with traditional web apps then I think the OS will remain relatively secure. However once you try to run native applications within the browser, you are opening the OS to the possibility of exploits. Sophisticated code is not always a good thing. The sandbox is sophisticated since securing native code is hard, not because it's an attribute that Google strived for.

I won't be surprised it the sandbox ends up with exploits. It's not like other companies haven't tried to deliver a similar function in other browsers.

Re:So many uninformed comments

I don't know of any other browser that implements a similar functionality. ActiveX, to my knowledge, did not have anything like that. NaCl restricts the *binaries* used, not only their execution, so as to give an alternative instruction set (in a sense) that can be disassembled deterministically. This makes the resulting binaries much more amenable to runtime monitoring.

It is true that NativeClient is probably the prime suspect for an exploit in ChromeOS, and it's quite possible that at the current stage the sandbox does have exploits, mainly because the x86 instruction set is huge. The formal proof as far as I know covers the integer part of x86; FPU, MMX and SSE should be possible but hard. Still, I would not be surprised if one day in the not-too-distant future the whole sandbox is proved correct, in which case NaCl won't be an avenue for exploits.

Re:So many uninformed comments

[BitZtream]

The irony of your post is just how stupid and useless it is ...

Re:Security is good now, but there's a reason for

[tibman]

I think the kids going through middle school now will be fine. When i was a kid there was no such thing as malware or fishing. It was worms and viruses. Spam was so rare that filters didn't exist. We didn't have wifi and didn't have to worry about wardrivers. The internet wasn't something you could carry in your pocket. We didn't have social media, we had Geocities.

I agree with you that their concerns will be different. But i don't think it will lead to completely insecure programming.

I wonder if it's any more secure

The big question is whether or not it will be more, or less, secure. And no, we didn't just settle that.

If I store things locally on an "oldschool" computer, but I store things "in the cloud" on a Chromebook, then attacks against my terminal are not a fair test of the system's security.

I hope you're right that this system "protects people from themselves" but I think that's going to depend on web programmers being more security-conscious than the previous generation of desktop programmers. On one hand: "HA! OMG! HA HA! Let me tell you about some things I have seen on the web..." On the other hand: Ok, Google has a fairly good track record.

By George, I think I've got it!

[hyades1]

So Chrome will show my what Google wants me to see much faster than Firefox will show me what I want to see.

Re:Maybe Google can focus on Android security now.

Android is always going to be poor in this area. It's developed by the Googlers who aren't good enough to work on search and who think basing their platform around the ghastly java ecosystem wasn't a stupid idea. You won't find much clue there.

Whilst that is impressive...

[smash]

.... did they hold the competition at the same time as pwn2own to ensure that the people who may be able to break it were otherwise engaged at a different event?

Re:Whilst that is impressive...

When there's pi million dollars at stake, you'd think people would make an effort...

ChromeOS doesn't need backdoors

Windows etc, and the apps that run on the same, including browsers, are riddled with NSA backdoors. It is this code, when 'discovered' by independent parties, that becomes the basis of so-called 'pwning'.

With ChromeOS, on the other hand, NSA's partner, Google, has crafted a service that spies on you by design, and in the open. No hacks are required to 'sniff' user activity. The very use of ChromeOS gives Google 100% access to all your data.

It should be noted that today, most cloud services, or server-side services, prohibit the use of data encryption in the TOS. Your 'private' files are required to be fully accessible to the service provider. Even file-locker services now prohibit or severely restrict the use of encrypted 'Zip' files, and will actually treat Zips that contain 'unknown' file types as illegal encryption.

ChromeOS isn't 100% secure. It is literally 100% insecure, by design and intent.

Re:Windows 8 was also undefeated

I'd say this was Ballmer posting but there are complete sentences so it can't be.

Appliance vs Computer

Simplicity and utility cannot be simultaneously optimized for. Computers are not appliances -- appliances are single-purpose. Any general purpose computer can perform any computable function.

"Secure" means restricting certain classes of computation, and so is also antagonistic to utility in most senses.

You may feel free to invent this "platform" if you wish, but please don't confuse other people by describing it as a computer.

Re:Appliance vs Computer

Security through who the fuck cares.

Canonical/Ubuntu perhaps?

"Where have we seen this perfidious tactics before?" - by pentadecagon (1926186) on Saturday March 09, @04:10AM (#43124621) Homepage

See my subject-line above...

* :)

APK

P.S.=> They've done a few good things in it, like demanding use of ASRL, DEP, & NX on Apps + Services/Daemons NOT running as "root" too, etc./et al!

HOWEVER:

Then again - How MANY folks are actively using ChromeOS vs. other widely attacked OS platforms?

(Thus making it attractive for hacker/cracker types to exploit it?)

Especially by comparison to Windows on the PC/Server (where it dominates, hugely) or on SmartPhones (where ANDROID dominates, another Linux variant, like ChromeOS iirc)??

That's "where the rubber meets the road", folks, especially in terms of "security"

AND

That's WHEN it will be TRULY tested (when it becomes that "attractive target" to the malicious online, & then only)...

... apk

Soo... the fact that nobody wanted the prize means

[kantos]

That it's secure according to this headline.... which doesn't make sense at all, it's arguing that security by obscurity works... and it doesn't... Period

Nice publicity stunt

[Bill_the_Engineer]

Let's see how well Chrome OS does next year after it's been released to the public for a while.

Re:Soo... the fact that nobody wanted the prize me

[BitZtream]

it's arguing that security by obscurity works

Spoken by someone who doesn't know what they are talking about.

All encryption and digital signatures are security through obscurity. All RSA hardware tokens, all passwords, all digital signatures including your precious PGP keys ... all security through obscurity.

In fact ALL computer security is security through obscurity at this stage unless that security happens to be something like 'bury it in 2000 meters of concrete.

Stop repeating things you don't understand.

Yeah, Mr M$ $hill

According to the latest Amazon sales statistics, ChromeBooks are doing very well indeed. But certainly the WIntel monopoly will badmouth everything that does not have an Pentium ball-heater and the Chinese Spying API (aka. "Windows").

The Chromebook is mainly an adapted Linux kernel and that already underpins many of the most successful operations around the globe. It is on the best path to replace many heavy-duty operating systems such as MVS, OS/400, VMS, HPUX and the like. The biggest systems on the globe generally run Linux these days. Yeah, it is also the core of Android.

You cannot compete, you can only think of dominating. You give $hit about security and quality and your only measure of success is $ales. Good Riddance to you !

Here are some alternatives:
BSD
MacOS X
Linux
ChromeOS
ARM
MIPS
PowerPC
QNX

Also Think About Chinese Intelligence

Really, how can you deny them access to your hard-won R&D and trade secrets ? China needs to close the technology gap and the fastest way for them is you using Windoze. Really, have a heart and think about these poor people so that they can flood the world markets with some ripoffs of your ideas and labour !

http://www.schneier.com/blog/archives/2011/08/details_of_the.html

So, Mr $hill

A proper operating system is evil because the evildoers will be so frustrated they use a non-technical route ? Yeah, very rational argument.
Keep doing the good work, as it implicitly acknowledges the truth - Windows and all the stuff running on it is hopelessly insecure. As soon as people are aware of this, your brand will be totally tainted forever and the market will finally give you the punishment you deserve.

NOT

"Hardware security" is certainly the most irrelevant aspect, as the malware will come in from the network WHILE THE COMPUTER RUNS. And you don't necessarily need to persist a virus inside executable code. It is entirely feasible to use a second weakness in some files access code to persist your virus inside a DATA FILE.

Look for Memory Safe Languages to fix that. Or for Formal Verification.

http://en.wikipedia.org/wiki/Memory_safety

A nice Little $hill For Me To Eat

..that's what you little fur-less creature are.

You know what, snail ? Routers are running the same kernel as ChromeOS. Large Telcos such as Deutsche Telekom distribute millions of DSL modems which run the Linux kernel. That kernel is "exposed to the internet" 24/7/365. If you wanted to, you could actually use the Chromebook and a "dumb" DSL stick to replace that DSL router. It would be entirely as secure as before.

The Linux kernel also is the heart of the world's premier firewall technology from Checkpoint Corporation. Your whole line of argument comes out of the extremely-shitty world of Windows Insecurity and it burns down to a few smelly speckles, because it typically is a Linux kernel protecting these crappy Windows and Oracle machines from being pwned remotely.

Was it turned off?

Only secure hardware is not powered on.

Slurrrsshssspppffffzzzz

$nail #53112 here. Should I add some more $hit from the brown propaganda roll here ?

Well Done !

I commend your intelligent strategy of associating Windows with the Mentally Challenged. Keep doing the good work and please convince your Burston-Marsteller colleagues to use the same tactics.

http://en.wikipedia.org/wiki/Burson-Marsteller

Weird pro-Windows propaganda clearly helps the cause of Liberty Software most.

Henry Wilbur McDonald III
Chief Propagandist
XE Services