Comments on: Does Google's OS decrease or increase security risks?

Google's upcoming Chrome operating system could cut both ways when it comes to our risk of suffering Internet attacks.

[KonradK]

>If hackers were successful in launching an attack on Google,
> that would affect not only people's ability to use Google apps,
> but the integrity of their data

But how is that different from Windows? A security breach of Windows can also compromise the integrity of user's data.

[Bakkster]

Because a single hack on Google would be billions of user's remotely stored data. Otherwise, to steal the same number of people's data from a local windows HDD, you must hack each individual computer.

[Random_Walk]

"...you must hack each individual computer."

You may want to look up the word "botnet" ;)

While in principle you were moving in the right direction, in practice it is just as easy to suck down 100k individual Windows machines as it is to bust in and grab hold of 100k users' data ( and no, not "billions", since you'd need an OC-192 running to your house and your own personal server farm to get that much info in any sane amount of time).

[santuccie]

@Random_Walk:

XP machines, maybe. And even then, they'd have to have pretty poor security. A lot of AV vendors have integrated browser protection into their latest products, bridging the zero-day gap for average users. Sure, Conficker has infected somewhere in the neighborhood of 10 million machines, but compare that to 685 million. It's a minority, and a significant one given the number of XP-targeted attack variants belching out of the woodwork every day.

[jake3373]

If anyone here has ever gotten a virus, please reply.
I'm running Windows and I've never gotten one. Ever.

[santuccie]

@jake3373:

There are many types of infections, not just viruses. And viruses are far from being the most prevalent. I will say that I have not had a single infection of any kind (viruses, Trojans, exploits, spyware, adware, etc.) on any of my productive computers since mid October, 2006. The infections I have contracted since then have all been on virtual machines, and that's one of the purposes for which I use them.

At one time, I used IBM/ISS BlackICE as my main defense against Web-based threats. But I had an epiphany of sorts in the first months of 2007, when I tried disabling write-access to system32. Since then, the NT file system has been the only defense I've needed (along with Windows Firewall). And I don't just look at the news on my homepage and check my e-mail; I use autosurfs, manual surfs, and various intellectual resources all over the Web.

I won't say you're wrong, but have you ever been infected with a rootkit? And if not, what tools have you used to verify this? (Hint: Modern worms like Conficker do not slow down your computer; you can be infected and notice nothing. And most AV scanners won't be able to see a rootkit once it's installed and running on your machine.)

[Hunnter2k3]

This is why there HAS to be an Offline mode.

The Online mode should generally only be for syncing up data.
Obviously some things will not function offline, but for the most part, most things could run offline.

Gears Offline capabilities are pretty useful, so it isn't out of the realm of possibility.

[viper396]

An offline mode would then make it no different then running Windows or Linux or OSX. Damned if you do, damned if you don't.

[jake3373]

Ok, and what about Facebook? Twitter? AIM?

[monkeyfun14]

"Linux--which is the underpinning of Google Chrome--is not entirely exempt from malicious software but historically Linux machines are less likely to be infected. So it stands to reason that the more machines running non-Windows software, the safer we'll all be."

Giving a majority to Linux will sprout the same problems. There is no viruses that work for Vista without being authorized to run by UAC.

Most of these machines you are talking about are probably XP machines.

The problem has been fixed for the most part but any machine can be infected by malware.

Just put a idiot in front of it.

[Random_Walk]

"Giving a majority to Linux will sprout the same problems."

The majority of webservers run Apache on Linux, yet for some odd reason those 24/7/235 online servers don't seem to have a lot of malware floating around for them... methinks there's something wrong with your fanboy-addled logic.

"There is no viruses that work for Vista without being authorized to run by UAC."

Funny you should mention that, since someone already came up with a drop-stupid vbs script that pretty much disables UAC by emulating tabs and key presses... see for yourself:

http://www.withinwindows.com/2009/01/30/malware-can-turn-off-uac-in-windows-7-by-design-says-microsoft/

Dress it up as a "codec" and *poof* - what UAC?

[mbenedict]

@Penguinisto: Pity you know very little about security.

http://www.pcworld.com/article/141544/hack_attack_hits_10000_web_sites.html

"According to ScanSafe's data, approximately 10,000 sites hosted on Linux servers running Apache, the popular open-source Web server software, have been hacked."

[santuccie]

"The majority of webservers run Apache on Linux, yet for some odd reason those 24/7/235 online servers don't seem to have a lot of malware floating around for them... methinks there's something wrong with your fanboy-addled logic."
>>>>Really? Then how do criminal hackers get cross-site scripting attacks to work in the first place, and then plant drive-by downloads for Windows desktop users? Did you think the millions upon millions of Web sites hosting drive-by downloads are all running on Windows Server? Read it and weep:
http://www.computerworld.com/s/article/9057938/Mass_host_hack_bigger_than_first_thought_hits_10_000_sites
Methinks there's something VERY wrong with YOUR logic, befuddled by religious blind faith. Should you do your own homework every now and again, you might be a little less susceptible to these memes. How's that foot taste?

"Funny you should mention that, since someone already came up with a drop-stupid vbs script that pretty much disables UAC by emulating tabs and key presses... see for yourself:

"http://www.withinwindows.com/2009/01/30/malware-can-turn-off-uac-in-windows-7-by-design-says-microsoft/

"Dress it up as a "codec" and *poof* - what UAC?"
>>>>I know you were trying to address monkeyfun14's argument in context, but you do know better, as we've discussed UAC enough times. It's not UAC alone that prevents Vista and Windows 7 machines from being pwned remotely; UAC is more of a nudge for digital driver signing than an actual security barrier. Unlike Linux and Mac OS, there's much more to Windows security these days than a singular authentication mechanism, a single point of failure. Multiple barriers grind attacks to a halt. Can you show us an ItW drive-by download threatening anything post-XP? I'd like to see it.

[santuccie]

BTW...

"Dress it up as a "codec" and *poof*"
>>>>This kind of attack works on all platforms, and not just in theory. There are infected "codecs" for OS X and even Linux. Don't you know the difference between a Trojan horse and a drive-by download? You REALLY don't know what you're talking about.

[luckyXIII]

The Linux kernel itself enjoys relative security through obscurity, but it's misleading to suggest that it's inherently more secure than any other kernel. Beyond kernelspace, though, the issue is not so cut and dry because the myriad libraries and applications can have, and already have had, very serious vulnerabilities which expose unpatched systems to the same risks (such as pwnage) as any other OS. All you have to do is read through security advisories for any of the popular distros to see that security updates are frequent. Cross-platform browsers and e-mail clients seem to be among the most frequently updated packages.

Worse, the browser is now the primary vector of trouble. Your site even reported four years ago that browser-based attacks were already on the rise as virus attacks were waning.
http://news.cnet.com/Browser-based-attacks-increase-as-viruses-decrease/2100-7349_3-5747050.html

If Google succeeds, Linux machines -- servers and desktops -- could become more worthy targets than they currently are.

I think Josh Lowensohn's questions are much more germane than concerns about potential security risks. With all the Linux-advocate crackpots out there already spouting off about supposed backdoors for the NSA and CIA and MI5 to help Microsoft monitor DRM violators in Windows, will users really trust an operating system engineered by a company like Google if that OS is part of their efforts to collect and track user data and other metrics?

[hawkeyeaz1]

On the Chrome OS security issue, all they really need is the boot loader, Linux Kernel, an X server and Chrome, with a little bit of glue and an updater. They will include NaCl as well, . So securing that is painless compared to Windows or even a full blown Linux/Unix/BSD OS. The total footprint could be under 30Mb for the entire OS.

[srosenblatt]

Whatever the OS is, if it's entirely browser-based then it's possible that your local data could be even more vulnerable to XSS and other server-side Web site exploits. I think there's a lot of potential risk here, but it's unlikely that Google isn't thinking about that, either.

[jake3373]

If all my data is hosted on my computer, then I have to be careful and not get a virus. If all my data is hosted at Google, they're going to have to be careful and not get viruses.

[GEO2003]

I DON'T KNOW WHAT THE FUTURE WILL BRING - But we at this point are unable to tell how bad infections on Cloud Servers could be if a Web OS is implemented. Let's be logical about this. Right now 10 million computer are infected with bots, from this 10 million or more, undergroud hackers are making a ton of money selling private information. Are we to assume that because the Cloud OS is run by Google, that undergroud hackers won't find vectors to these servers, knowing that there would be countless amount of information that they can sell. I believe Cloud computing will have it's place, more of a colaborating center for certain projects, sharing info between family friends and co-workers.

I think however, that Google has put itself in a pickle. They think that keeping all information you search and use on the internet is free of PRIVACY, by keeping such information for years.

As more and more people realize and understand that they are given they privacy rights to Google and any other player that takes the possiton of Google, their whole Cloud computing and we (Google) will keep all your information for ever - ATTITUDE will fly out the window.

Corporations and Govenments that have sensitive data will never go for this kind of mentality.

I worked for a Import company of apparels, and when we started doing business with a new company we were told not to reveal any information of our current providers. The reasoning for this was that if the new company new, that they will alter their prices for our company. Reducing the competitive levels we would get. We are talking here about other companies names only, let's not get into the pricing information or quantities of purchase products.

If all these information is store in the Cloud and stolen, corporations all over the world would be affected.

Personally, I don't believe Google can provide a 100 percent Hacker Free Cloud Computing, not to mentioned the changes to Web standards that would have to take place for this to happen.

I do agree, however, that Web Standards should be change to keep us all safe without intruding in our Constitutional rights of Privacy.

[rootsmusic]

Larry, does Google Chrome (the browser on which their OS will be built) decrease or increase security risks?

[FF2009]

Ask yourself one question: Has Google ever been Hacked?

The answer is NO

so there you go..end of the story!

[clamenza]

That's really one of the dumbest post ever.

[innov8ion]

Two words. Google Gears.