Slashdot Mirror


Chrome OS Remains Undefeated At Pwnium 3

hypnosec writes "Google has announced that its Chrome OS has managed to remain undefeated during the Pwnium 3 event that was held alongside Pwn2Own. Announced by Google on January 28, 2013, the Pwnium 3 event carried prize money of $3.14 million. Researchers were asked to carry out attacks against a base Samsung Series 5 Chromebook running the latest stable version of Chrome OS. It turns out security researchers were not able to come up with winning exploits even after the competition's deadline was extended. Google Chrome Team has revealed that partial exploit entries have been filled in, but no other details have been released."

21 of 178 comments

  1. Re:Does it do anything at all? by CannonballHead · · Score: 4, Interesting

    From what I understand, there are, at the very least, local caches (similar to Google Drive/Docs/Email offline). Also, there would be all the info that Chrome keeps locally.

  2. Don't overvalue this by gweihir · · Score: 3, Insightful

    It only means that Chrome OS is not too badly engineered. As Chrome OS is pretty new, the number of people that had an in-depth look will be smaller. As it is quite a bit different from other OSes and offers a lot less functionality on the application side, other approaches may be required to crack it.

    One could object to that that the kernel is still Linux. True, but the Linux kernel is one tough nut to crack. Even local exploits are in the vast majority not kernel-based, but some application messing up. If they are kernel based, it is typically a specific driver. I do not remember any remote exploits for the kernel at all in the last few years, except one in an exotic network protocol, and Chrome OS has no reason to enable anything in that class.

    So while this is a good initial result, do not overvalue it. It is possible that Chrome OS gets broken in the next few years when people get more experience with it. Due to its limited functionality, it is also possible that it will remain very hard to break into or that nobody manages it. Personally, I would welcome a main-stream secure browsing solution establishing itself, but remember that you cannot do most things with Chrome OS that you can do with other OSes.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  3. Re:Does it do anything at all? by SpectreBlofeld · · Score: 3, Informative

    To anyone who wants to play around with it: there are Chromium OS VM builds out there you can play with in VMware or VirtualBox (legal, it's all open source).

    I tried it out a few weeks ago. It really *is* just a web browser. I have trouble understanding why someone would spend $1300 for a Pixel unless they planned to install a real OS on it. Yeah, I get that the display is nice, but for that kind of money I should be able to... I dunno... maybe run the aforementioned VMware, like I do now on the $599 laptop I virtualized Chrome (and Win7 and PC-BSD) on. And played Portal on, etc.

  4. Re:OS that doesn't do anything isn't cracked.. by DCstewieG · · Score: 5, Insightful

    You say that like it's a bad thing. A glorified web browser with incredible security is exactly what a good amount of people should be using. Hell, I know someone who would get along fine if their computer did nothing but Facebook, let alone the rest of the web.

    I find it hard to believe (though it's getting easier) that even geeks who have trouble seeing the world outside their little techy bubble can complain about this. I've seen the idea of an internet "driver's license" come up on these boards but then something that protects people from themselves is shit all over. Well done.

  5. Re:Does it do anything at all? by simonbp · · Score: 3, Informative

    Posting this from my series 5. :)

    It runs Ubuntu/Xubuntu 13.04 quite nicely booting off an SD card. You'd be hard pressed to get a better laptop for the money, and it's massively more useful than any table I've ever used.

  6. Re:OS that doesn't do anything isn't cracked.. by chill · · Score: 4, Insightful

    Considering how fast the various web browsers fall, it *is* impressive. Chrome OS machines are wonderful for giving to clueless relatives who just browse the web.

    --
    Learning HOW to think is more important than learning WHAT to think.
  7. Re:Does it do anything at all? by simonbp · · Score: 5, Funny

    Tablet, I mean. It's not as useful as a table.

  8. Re:OS that doesn't do anything isn't cracked.. by Nimey · · Score: 3, Informative

    Gods yes. My father's Chromebook has probably saved him its price already in visits to the computer shop to get viruses removed.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  9. Re:OS that doesn't do anything isn't cracked.. by dreamchaser · · Score: 4, Interesting

    Typical geek-elitist drivel. For some (myself included) sure it's important to understand the nature of how computers do things. What you seem to fail to see, or are in denial about, is that computers have become ubiquitous appliances, and the average user doesn't give a shit about the 'nature of how we do these things.' They just want it to work.

  10. Re:OS that doesn't do anything isn't cracked.. by kangsterizer · · Score: 4, Insightful

    I think what's important to note is that "nobody" uses ChromeOS. This means "nobody" researches bugs for it very hard (even though it's relatively well secured, actually).
    All that to say, "nobody pwned Haiku either"

  11. Re:OS that doesn't do anything isn't cracked.. by amiga3D · · Score: 3, Interesting

    Yes. Most people don't even have a clue how the light in their room comes on when they flip the switch and could care less about electricity as long as when they flip the switch the light comes on. Almost no one knows anything about internal combustion that drives a car daily they just know that when you turn the key it should start. The how and why is beyond them. Computers are even more complex to these people and it's crazy to think they'll ever know or care how they work.

  12. Re:OS that doesn't do anything isn't cracked.. by hairyfeet · · Score: 5, Informative

    That is why I don't understand why it's included....do they include other thin clients? Because that is ALL it is, it's a minimal kernel designed to have just enough to launch the browser interface, no different than one of the old Sun Ray thin clients. The ONLY difference between Chrome OS and any other classic thin client is Google provides the infrastructure in return for being able to datamine you for their real customers, which is of course the advertisers.

    Now does this mean ChromeOS is "bad"? Of course not, if a thin client is all your company needs I would be happy to set one up, for some jobs a thin client is really all that is needed....BUT, and it's a BIG BUT, there are a HELL of a lot of tasks that thin clients just aren't built for which is why I just don't get marketing this to consumers. Hell even my most boring home customers have SOME software they want to run, take the little old lady that was my last customer of the day, I had to load the little software that comes with her wireless printer into her new system because she uses that to make little announcements for her family, calendars made out of pictures of the new grandbaby, anniversary party invites, that kind of stuff. If she couldn't have her little software? The PC might as well be a paperweight for all the good it would do her.

    So I really don't get why these rags keep lumping in ChromeOS with Windows and OSX because it's really nothing like them at all, those are your classic "fat client" full OS while Chrome is a classic thin client "browser in a box". Hell feature wise it's got less going for it than Android, Android you can side load and run third party programs easily and from what I've seen Chrome is strictly web based which is why they can get by with such little space on the drive, everything is supposed to be hosted by Google and run in the browser.

    It just makes no sense at all to run a test of fat clients with Chrome, to use a /. car analogy it would be like having a test on which truck gets the best mileage and entering a moped. Sure it's gonna get the best mileage but so what? It doesn't actually DO the jobs that you need a truck for in the first place!

    --
    ACs don't waste your time replying, your posts are never seen by me.
  13. Re:OS that doesn't do anything isn't cracked.. by McFadden · · Score: 4, Insightful

    Your point is typical of the smart-ass remarks that get thrown around on sites like this to score cheap points, that have no fucking relevance at all when they're actually considered. The responsibility for knowing how your car works, or ensuring your electricity functions correctly has been taken out of your hands and is handled by the people who made the vehicle or the house. Just like providing people with a simple, secure computing platform that does enough to satisfy their needs is not a bad idea.

  14. I just bought a chrome book last week. by 140Mandak262Jamuna · · Score: 4, Informative

    Quick review: When there is a network connection, it is a solid browser. It synched with my Chrome browser customizations from my previous use of Chrome using Windows or Linux boxes. Including flashblock and adblock.

    But what about off line? Google docs off line lets you edit documents and presentations off line. They sync when you get the connection. When it first came it had no off line edits. Then they have introduced doc and presentations. Spreadsheets would be next I guess. Or maybe not. Gmail offline can be customized to keep last so many days worth of email in the local cache. Google Calendar works off line (I think, need to go back and check).

    Off line music player works, off line video play back works. Source of the media could be the internal drive or any USB drive, including the USB powered hard disks. Kindle off line reader works, three books cached very quickly. Apps exist like "Read this link later" that works off line.

    So off line, you can watch video, listen to music, read books, cached web pages. You will have read/access to all the google drive docs. And write access to docs and presentations. I think for 200$ it is way more than what I expected.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  15. Re:OS that doesn't do anything isn't cracked.. by gman003 · · Score: 3, Interesting

    The difference is that Chrome OS is a consumer-grade "thin client". It is aimed mainly at home and educational use, not the big corporate or government use most other thin clients aim for.

    As such, yes, it makes sense to compare it to other consumer-grade operating systems. The results won't be quite comparable, as many duties normally handled by the OS are done remotely, in "the cloud", but it's still a worthwhile comparison.

  16. Prehacked by Frankie70 · · Score: 3, Insightful

    Chrome OS is prehacked. It comes installed with a trojan/bot which collects all your information and sends it to Google.

  17. So many uninformed comments by daboochmeister · · Score: 5, Interesting

    A major theme here is "it doesn't run many apps, that's why it's secure". Yeah, that must be it - it probably has absolutely nothing to do with the way they've implemented Mandatory Access Controls in a rigorous fashion, and the way they isolate resources with heavy use of cgroups, and the read-only root filesystem and tmpfs /tmp, and how they've made every binary use ASLR and NX and DEP, and how they've rewritten several major typically-vulnerable daemons to not run as root, and how they've developed userland daemons to broker access to hardware, and how they don't allow any files in user home dirs to be executables, or how they've started to sandbox device drivers, or the way they implemented separate processing stacks for HTTP and HTTPS, or how they verify not just the boot record but the whole boot stack and partition table and nv ram on every boot and and and ...

    Yeah, all those things probably don't matter. They probably don't play any role in exploits that work on Windows-based Chrome failing on Chrome OS. It's not more inherently secure than any other OS, riiiggghhhhhttttt ...

    --
    "Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh ... never mind." Dave Bucci
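
Three of the items listed in the comment above (read-only root filesystem, tmpfs /tmp, no executables in user home directories) can be checked on any Linux system from its mount table. The script below is an added example, not part of the original comment and not Chrome OS code; the sample mount table is constructed, and treating /home as the user-data mount with noexec as the enforcing option is an assumption.

```shell
#!/bin/sh
# Audit a mount table in /proc/mounts format for three hardening properties.

# Constructed sample input (not captured from a real Chrome OS device).
SAMPLE_MOUNTS='/dev/root / ext2 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /media/usb vfat rw,relatime 0 0'

# mount_field TABLE MOUNTPOINT FIELD
# Prints field 3 (fstype) or 4 (options) of the last entry for MOUNTPOINT;
# the last entry wins because later mounts shadow earlier ones.
mount_field() {
    printf '%s\n' "$1" | awk -v mp="$2" -v f="$3" '$2 == mp { v = $f } END { print v }'
}

# has_opt OPTIONS OPT
# Succeeds only on an exact comma-separated match, so "errors=remount-ro"
# is not mistaken for "ro".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mounts TABLE
# Prints one PASS/FAIL line per check; exit status is the number of failures.
audit_mounts() {
    table=$1
    fails=0
    if has_opt "$(mount_field "$table" / 4)" ro; then
        echo "PASS root filesystem is read-only"
    else
        echo "FAIL root filesystem is writable"; fails=$((fails + 1))
    fi
    if [ "$(mount_field "$table" /tmp 3)" = tmpfs ]; then
        echo "PASS /tmp is tmpfs"
    else
        echo "FAIL /tmp is not a tmpfs mount"; fails=$((fails + 1))
    fi
    if has_opt "$(mount_field "$table" /home 4)" noexec; then
        echo "PASS /home is mounted noexec"
    else
        echo "FAIL /home allows execution"; fails=$((fails + 1))
    fi
    return "$fails"
}

audit_mounts "$SAMPLE_MOUNTS"
```

To audit a live system, pass the real table instead: `audit_mounts "$(cat /proc/mounts)"`.
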
  18. Re:OS that doesn't do anything isn't cracked.. by stretch0611 · · Score: 4, Informative

    Maybe because some of us are still proponents of 'computers', not content-sipping machines. Awareness of computing means more than getting work done or being entertained, it also involves some learning about the nature of how we do these things can and should change over time.

    So my mother who does nothing but play games and email should have a general purpose computer because you think a device should do more than just suck content?

    we should all at least be aware of our ability to govern our processing needs, whether we enjoy the idea or not.

    Yet you just said that everyone needs more than just content machines. My mom is aware of her needs, yet you want to force something more on her...

    I am a developer. Unlike the masses, I need a general purpose computer. There will always be a market for them no matter how much we flood the market with less versatile devices like tablets and smartphones (which is where I believe the market is heading.)

    For personal use, many people do not need a full computer, let's give them something simpler that better fits their needs. Even some business purposes can be done on a tablet now. Why should we force them to buy something more?

    25 years ago would you have suggested that we all continue to use dumb terminals hooked up to mainframes? The modern computer decimated the market for mainframes, supercomputers, and minicomputers. Today, the market share of these large and powerful machines is significantly diminished, yet they still exist for the people who have a need for them that a normal computer can not fulfill.

    Plain and simple, not everyone needs a "computer" just because you think that they do. There will be a need for them and computers will not go extinct, but fewer and fewer people (as a percentage) will have that need and smaller devices will displace computers in the market.

    --
    Looking for a job?
    Want your resume written professionally?
    DON'T USE TUNAREZ!!!
  19. Re:Does it do anything at all? by pushing-robot · · Score: 4, Funny

    Be careful. That typo set Microsoft's Surface tablet project back several years.

    --
    How can I believe you when you tell me what I don't want to hear?
  20. Re:OS that doesn't do anything isn't cracked.. by Bert64 · · Score: 3, Insightful

    The problem is 'computers' are far too complex devices for the average end user, it is irresponsible to let most people connect such a complex device to a public resource when they have no idea how it works.
    Content-sipping machines managed by a third party are what the average user should have, 'computers' should be reserved for geeks who understand how to use them.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  21. Re:OS that doesn't do anything isn't cracked.. by BasilBrush · · Score: 3, Insightful

    No. Should they understand that giving a program administrative access means you're giving it full control of all your private information? Yes.

    No. That's like saying that anyone who needs to drive a car needs to understand how the choke works. The choke. Remember that? Back in the 1980s and earlier when you learned to drive, you had to learn to use it to start your car when the engine was cold. It altered the fuel/air mix by means of a valve in the carburettor. Everyone had to know what you needed to do with the choke, but only a minority knew what it was doing inside the engine. It became automated and then obsoleted when fuel injection replaced carburettors. In the modern car, the computer (engine management system) performs the same action of making a richer air/fuel mix when the engine is cold. And very few people realise that's happening.

    That's the proper use of a computer in a consumer product. To reduce the amount of detail the user has to know about.

    Consumers should not be expected to know about types of users. Ideally they shouldn't need to know the concept of user accounts at all. The computer should just know who's operating them, and what they should have access to in the same way that a human clerk would. For the moment that may require credentials (bank card/username and pin/password) but biometrics that are more secure than that are probably not so far away.