Does Google's OS decrease or increase security risks?
Wednesday's two big technology stories--Google's Chrome-based operating system and cyberattacks against U.S. and South Korean government Web sites are oddly related. The stories are connected because if Google does well at gaining market share for its browser, we could see fewer successful attacks. Or maybe we'll see more attacks.
The reason hackers succeeded in launching denial-of-service attacks against government computers in the U.S. and South Korea is because they were able to enlist an army of "zombie" computers to carry out the attack. And what do those computers likely have in common? The vast majority of them likely run Microsoft Windows.
Whether Windows is inherently less secure than Mac OS X or Linux is debatable, but one thing is for sure--it's more popular and therefore a more attractive target to hackers. Indeed with nearly 90 percent of the world's PCs running Windows, it's something of a "single point of failure." Figure out how to infect Windows PCs and you can stage a very successful attack.
Linux--which is the underpinning of Google Chrome--is not entirely exempt from malicious software but historically Linux machines are less likely to be infected. So it stands to reason that the more machines running non-Windows software, the safer we'll all be.
But there's another side to this story. The Chrome OS will be far more Web-centric than Windows, which means that many--if not most--of its applications will be running over the Internet. What's more, people's data will be stored "in the cloud," much of it on servers run by Google. So while Google may help reduce Microsoft's potential as a single point of failure, it increases its own. If hackers were successful in launching an attack on Google, that would affect not only people's ability to use Google apps, but the integrity of their data.
Although there weren't any reported data breaches, there was a day in May of this year when Google sites were partially inaccessible as a result of a technical glitch. On that day, millions of people were unable to use Google services, including Google Docs and Spreadsheets. Say what you want about Microsoft, but even if the company totally shut down its Web operations, its operating system and PC applications would still run.
Personally, I'm a big believer in competition and like cloud computing, so I welcome Google's entry into the operating system arena. But like almost anything worthwhile, it's not without risk.
Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of ConnectSafely.org, founder of SafeKids.com and SafeTeens.com, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on CBSNews.com. He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry or follow him on Twitter @larrymagid. 
> that would affect not only people's ability to use Google apps,
> but the integrity of their data
But how is that different from Windows? A security breach of Windows can also compromise the integrity of user's data.
You may want to look up the word "botnet" ;)
While in principle you were moving in the right direction, in practice it is just as easy to suck down 100k individual Windows machines as it is to bust in and grab hold of 100k users' data ( and no, not "billions", since you'd need an OC-192 running to your house and your own personal server farm to get that much info in any sane amount of time).
XP machines, maybe. And even then, they'd have to have pretty poor security. A lot of AV vendors have integrated browser protection into their latest products, bridging the zero-day gap for average users. Sure, Conficker has infected somewhere in the neighborhood of 10 million machines, but compare that to 685 million. It's a minority, and a significant one given the number of XP-targeted attack variants belching out of the woodwork every day.
I'm running Windows and I've never gotten one. Ever.
There are many types of infections, not just viruses. And viruses are far from being the most prevalent. I will say that I have not had a single infection of any kind (viruses, Trojans, exploits, spyware, adware, etc.) on any of my productive computers since mid October, 2006. The infections I have contracted since then have all been on virtual machines, and that's one of the purposes for which I use them.
At one time, I used IBM/ISS BlackICE as my main defense against Web-based threats. But I had an epiphany of sorts in the first months of 2007, when I tried disabling write-access to system32. Since then, the NT file system has been the only defense I've needed (along with Windows Firewall). And I don't just look at the news on my homepage and check my e-mail; I use autosurfs, manual surfs, and various intellectual resources all over the Web.
I won't say you're wrong, but have you ever been infected with a rootkit? And if not, what tools have you used to verify this? (Hint: Modern worms like Conficker do not slow down your computer; you can be infected and notice nothing. And most AV scanners won't be able to see a rootkit once it's installed and running on your machine.)
The Online mode should generally only be for syncing up data.
Obviously some things will not function offline, but for the most part, most things could run offline.
Gears Offline capabilities are pretty useful, so it isn't out of the realm of possibility.
Giving a majority to Linux will sprout the same problems. There is no viruses that work for Vista without being authorized to run by UAC.
Most of these machines you are talking about are probably XP machines.
The problem has been fixed for the most part but any machine can be infected by malware.
Just put a idiot in front of it.
The majority of webservers run Apache on Linux, yet for some odd reason those 24/7/235 online servers don't seem to have a lot of malware floating around for them... methinks there's something wrong with your fanboy-addled logic.
"There is no viruses that work for Vista without being authorized to run by UAC."
Funny you should mention that, since someone already came up with a drop-stupid vbs script that pretty much disables UAC by emulating tabs and key presses... see for yourself:
http://www.withinwindows.com/2009/01/30/malware-can-turn-off-uac-in-windows-7-by-design-says-microsoft/
Dress it up as a "codec" and *poof* - what UAC?
http://www.pcworld.com/article/141544/hack_attack_hits_10000_web_sites.html
"According to ScanSafe's data, approximately 10,000 sites hosted on Linux servers running Apache, the popular open-source Web server software, have been hacked."
>>>>Really? Then how do criminal hackers get cross-site scripting attacks to work in the first place, and then plant drive-by downloads for Windows desktop users? Did you think the millions upon millions of Web sites hosting drive-by downloads are all running on Windows Server? Read it and weep:
http://www.computerworld.com/s/article/9057938/Mass_host_hack_bigger_than_first_thought_hits_10_000_sites
Methinks there's something VERY wrong with YOUR logic, befuddled by religious blind faith. Should you do your own homework every now and again, you might be a little less susceptible to these memes. How's that foot taste?
"Funny you should mention that, since someone already came up with a drop-stupid vbs script that pretty much disables UAC by emulating tabs and key presses... see for yourself:
"http://www.withinwindows.com/2009/01/30/malware-can-turn-off-uac-in-windows-7-by-design-says-microsoft/
"Dress it up as a "codec" and *poof* - what UAC?"
>>>>I know you were trying to address monkeyfun14's argument in context, but you do know better, as we've discussed UAC enough times. It's not UAC alone that prevents Vista and Windows 7 machines from being pwned remotely; UAC is more of a nudge for digital driver signing than an actual security barrier. Unlike Linux and Mac OS, there's much more to Windows security these days than a singular authentication mechanism, a single point of failure. Multiple barriers grind attacks to a halt. Can you show us an ItW drive-by download threatening anything post-XP? I'd like to see it.
"Dress it up as a "codec" and *poof*"
>>>>This kind of attack works on all platforms, and not just in theory. There are infected "codecs" for OS X and even Linux. Don't you know the difference between a Trojan horse and a drive-by download? You REALLY don't know what you're talking about.
Worse, the browser is now the primary vector of trouble. Your site even reported four years ago that browser-based attacks were already on the rise as virus attacks were waning.
http://news.cnet.com/Browser-based-attacks-increase-as-viruses-decrease/2100-7349_3-5747050.html
If Google succeeds, Linux machines -- servers and desktops -- could become more worthy targets than they currently are.
I think Josh Lowensohn's questions are much more germane than concerns about potential security risks. With all the Linux-advocate crackpots out there already spouting off about supposed backdoors for the NSA and CIA and MI5 to help Microsoft monitor DRM violators in Windows, will users really trust an operating system engineered by a company like Google if that OS is part of their efforts to collect and track user data and other metrics?
I think however, that Google has put itself in a pickle. They think that keeping all information you search and use on the internet is free of PRIVACY, by keeping such information for years.
As more and more people realize and understand that they are given they privacy rights to Google and any other player that takes the possiton of Google, their whole Cloud computing and we (Google) will keep all your information for ever - ATTITUDE will fly out the window.
Corporations and Govenments that have sensitive data will never go for this kind of mentality.
I worked for a Import company of apparels, and when we started doing business with a new company we were told not to reveal any information of our current providers. The reasoning for this was that if the new company new, that they will alter their prices for our company. Reducing the competitive levels we would get. We are talking here about other companies names only, let's not get into the pricing information or quantities of purchase products.
If all these information is store in the Cloud and stolen, corporations all over the world would be affected.
Personally, I don't believe Google can provide a 100 percent Hacker Free Cloud Computing, not to mentioned the changes to Web standards that would have to take place for this to happen.
I do agree, however, that Web Standards should be change to keep us all safe without intruding in our Constitutional rights of Privacy.
The answer is NO
so there you go..end of the story!
- by innov8ion July 11, 2009 7:54 AM PDT
- Two words. Google Gears.
- Reply to this comment
-
(23 Comments)