Linux and Open Source

Steven J. Vaughan-Nichols & Paula Rooney

Chrome OS will rise or fall on the safety dance

By | November 24, 2009, 6:37am PST

Summary: It’s not just about what Google’s programmers do in terms of security that will drive Chrome OS. Google needs application developers to accept its security development framework as well.

Google has the chance to make desktop Linux secure.

By starting with a blank sheet of paper, and lessons learned while developing its browser, Google wants to build a lightweight OS for netbooks that avoids the weekly “security update” hassles of its big-time rival.

This means the processes Google is addressing with Chrome — system hardening, process isolation, secure auto-update, verified boot, intuitive account management, defenses in depth, and devices secure by default — have to be more than buzzwords.

But there is something even more important Chrome OS has to do in terms of security. That is, it has to develop an ecosystem of applications around itself that are themselves secure.

This is something it has yet to do with the underlying browser (and Google is clear that the browser is the technology under its operating system). Most Chrome add-ons are Google-written. Compare it to what Firefox offers — there is no comparison.

Google has to find a way to reach out to the creators of add-ons and plug-ins, as well as applications, and not only get them supporting the OS but supporting it in the same secure way Google supports it.

This will not be easy.

An alternative is to focus on the Linux application space rather than the browser space, even though, as Google says, all Chrome OS applications will run from the browser.

In this case Google must convince Linux application developers to emulate its secure process, promising massive distribution for apps that may not now be ready for prime time.

So it’s not just about what Google’s programmers do in terms of security that will drive Chrome OS. Google needs application developers to accept its security development framework as well. That means doing the kind of marketing to developers (developers, developers, developers, developers) Microsoft has been doing for decades.

And it’s not just about doing the Ballmer dance. It’s about getting those developers to do the safety dance.


Dana Blankenhorn has been a business journalist for 30 years, a tech freelancer since 1983.

Disclosure

Dana Blankenhorn

Dana Blankenhorn has been a journalist, writer and part-time futurist for over 30 years.

At the present moment I run only a personal blog in addition to my ZDNet open source blog.

DanaBlankenhorn.Com has the subtitle The War Against Oil. In the past I have used it to write about political history, e-commerce, personal matters, some ideas related to open source, and The World of Always On, which is the idea of using sensors, motes and RFID to turn WiFi links into platforms for applications which live in the air.

My IRA account at Schwab holds a few tech shares, most notably some Intel and Applied Materials, but there are no open source companies in it. I don’t even own any CBS stock.

Biography

Dana Blankenhorn

Dana Blankenhorn has been a business journalist for nearly 25 years and has covered the online world professionally since 1985. He founded the Interactive Age Daily for CMP Media, and has written for the Chicago Tribune, Advertising Age's "NetMarketing" supplement, and dozens of other publications over the years.

46 Comments

Scare tactics against Chrome OS
linux_kernel Updated - 24th Nov 2009
I can see Microsoft really did the 'safety dance' with Windows it has been so successful...

Chrome_OS is an entirely different modular approach plus they are using Open_Source with NO limitation of how high they can reach.

I find it amazing anyone with a straight face say how great MS has done over the years.

Conficker $9 BILLION in damages last year!

The safety dance with Microsoft worked GREAT!
0 Votes
+ -
"Conficker $9 BILLION in damages last year!"
Ceridan Updated - 24th Nov 2009
That could have been avoided if everyone updated their OS...

Oh and ChromeOS is just a browser and a Kernel... nothing to see here.

PS: Mr Cultist, please recompile yourself with the "Intelligence" module enabled and integrated in your kernel and remove the faulty "Opaque Pink Googles" module.
0 Votes
+ -
So blame the end user, I thought it was the security that was so important?

More dribble from MS Drones.

P.S.
Blaming the end user for everything and not acknowledging the inherently INSECURE Windows OS as fault is YOUR fault.
0 Votes
+ -
and spreading malware and scareware. Do we need
more Linux than that?

How much do you think those sites are responsible
for in damages every second?
0 Votes
+ -
In which part of my response I said
Ceridan 24th Nov 2009
that Conficker affected Linux? Nowhere. I know that Conficker affected Windows through a flaw in the printer network interface.

However the flaw was fixed BEFORE Conficker was out.

In this case, the end-user is to blame because they did not download a patch to fix a security flaw. The end-user is not always to blame, but those pseudo-experts that disable Auto-update and then do not update their computers and then cry because they got infected by a worm exploiting a flaw fixed months ago...

PS: I have auto-update disabled but I do update my different Windows systems every second Tuesday of the month. I just want to be sure what enters my computers.
0 Votes
+ -
It's not the OS that people are worried about.
CPPDEV Updated - 24th Nov 2009
They're worried about monopolistic power wielded by Google...and how they manipulate your data, limit your computing choices, who they sell your data to.

Technically, Chrome OS and its browser are sweet. That's not the problem, however. Google is trying to lock you into Google: Chrome OS runs only what Google wants you to run.

This is a big deal. This is about who controls the future of computing itself: the little guy or a monopolistic "cloud computing" marketing corporate giant.
0 Votes
+ -
Bingo.
bmonsterman 24th Nov 2009
Well said. So many of these guys see Google as the giant dragon slayer. Google is just the next dragon.
0 Votes
+ -
It's part of the reason... [NT]
Ceridan 24th Nov 2009
0 Votes
+ -
Chrome OS is inherently insecure
jorjitop 24th Nov 2009
It is built by Google to serve Google's aims and needs. No need to worry about outside attacks. The spyware is built in.
0 Votes
+ -
Google as evil
DanaBlankenhorn 24th Nov 2009
When did this become conventional wisdom? It seems a switch was pulled at some point in the past so that now everything Google does is suspect, and the Red Queen is out screaming "off with its head" not to mention "sentence first, trial later."
0 Votes
+ -
Just learning from the past
yozzman 25th Nov 2009
We're just learning from the past, Dana. Blind trust led to IBM and then MS near monopolies going unchecked. Here, by being careful, we try to identify upfront what the potential risks are. And Google, with all its data gathering, seriously has more evil potential than IBM or MS ever had. Has it abused it yet? Not to my knowledge. Should we be wary? Definitely.
I'd like to see a lot of third-world pirates switch to Linux so they at least aren't acting as receptors for malware.

However like most consumers I don't think pirates will be excited about turning their computer into a browser.

0 Votes
+ -
"Chrome_OS is an entirely different modular
approach"

So modular it can only ever run one app - the
browser.

Well, geeze - any OS can run a browser. So I
guess every OS is modular.

"plus they are using Open_Source with NO
limitation of how high they can reach."

As opposed to Linux, which apparently limits
how high you can reach with open source -
somehow.

You imagine barriers for other OSes that simply
aren't there?

"I find it amazing anyone with a straight face
say how great MS has done over the years."

Microsoft has made incredible progress in
security with Vista and usability (and less
annoyance) with 7.

Continue to be amazed, as this is only the
beginning.

"Conficker $9 BILLION in damages last year!"

That would be about $1000 per computer infected
- I have my doubts about that figure. I'm
guessing you found the biggest number you could
possibly find and went with that.

Yeah, okay - Windows is a favorite target, and
yes, just like any other OS it has holes.

"The safety dance with Microsoft worked GREAT!"

It did for me, haven't got conficker or
anything else for a few years now.

IMHO if Windows had Linux's mostly techie users
and small market share, it too wouldn't have
any viruses.
Even die hard Windows fans have to love the more
rapid innovation, and the lower prices.

But, it looks like innovation on the security front
is going to really heat up, and MS will have to
respond. Google OS could be a great secure OS for
the masses in corporations that only need to access
corporate applications, email, browser, simple word
processing and spreadsheets, etc.
0 Votes
+ -
I agree about competition
DanaBlankenhorn 24th Nov 2009
I'm not one of those who insist that everything Microsoft does is evil, or that Windows is terrible. I think they have responded to competition as best they can. And I agree that Google has provided real competition.

I'm most interested in having a netbook OS that will boot up fast and not waste my time with constant updates each time I turn the thing on. And that will run common applications -- the ones I have all run under both Linux and Windows.
ChromeOS just isn't built around the needs of the typical mobile user.

They should have focused on local mini apps instead of web apps. Internet access isn't ubiquitous enough in the US, especially in rural areas.

Moblin at least tries to provide alternatives to what people are used to. ChromeOS just provides a browser.

Since Chrome OS is a badly crippled operating system that can't even run local applications, the Google Dumb Terminal should be easier to secure than a real computer running a fully functional operating system.
0 Votes
+ -
RE: Chrome OS will rise or fall on the safety dance
Loverock Davidson 24th Nov 2009
Chrome OS will fall flat. It's an idea that has already been invented by others, and poorly at that. The only way to make it secure is if Google decided to not use Linux.

Google wants to build a lightweight OS for netbooks that avoids the weekly “security update” hassles of its big-time rival.

So they used an OS that requires daily updates and recompilations. I don't know what they were thinking either.
0 Votes
+ -
... wrong
Ceridan 24th Nov 2009
"Chrome OS will fall flat. It's an idea that has already been invented by others, and poorly at that. The only way to make it secure is if Google decided to not use Linux."

Actually the Linux kernel is not the reason why ChromeOS will fail. The mere idea of a browser for an OS is idiotic at best.

Here, let's combine a software that runs code from a remote website and an OS and think it will be secure.

Oh and once again, since Chrome does not offer to turn off JavaScript, do you really think ChromeOS will NOT have remote execution flaws that may even go over the sandbox...
0 Votes
+ -
Do you spend a lot of time recompiling software?
B.O.F.H. Updated - 24th Nov 2009
I suspect that you have a lot of free time, given your posts and desire to build everything from source. If you have a real tech job, maybe you would have a better use of your time.

Flashbacks of Windows 98!
0 Votes
+ -
"badly crippled" or just locked-down?
dave@... 24th Nov 2009
The idea behind ChromeOS is to make a 100% network-centered operating system. It's not a terminal, it's an execution environment. It runs programs like a personal computer, but only those which come from the network. There simply is no concept of a "local" program at all.

I wouldn't call that crippled, I'd call that locked-down. The level of trust I need to run programs from a network are entirely different than the level of trust needed to run programs from a single piece of hardware. Of course the security models will be correspondingly different.
0 Votes
+ -
Yes, that's spot on....
CPPDEV Updated - 24th Nov 2009
And, therefore, this is the same battle I saw between the mainframe crowd and the PC crowd back in the seventies and eighties...except this time the warring parties aren't techies, they're CEOs.

Google is trying to monopolize the consumer computing space...so it can keep its stock price high by selling eyeballs to advertisers. Google is not really an IT firm at all; it's a marketing company. That's the key to understanding the Chrome OS...that's what it is for. Google is out-Microsofting Microsoft here...they're really being crafty!

Consumers get nothing from the Chrome OS that they can't get right now with any current OS. Businesses oughtn't to touch it with a ten-foot pole. Chrome OS is about the needs of Google and its shareholders, only.
0 Votes
+ -
Answer: Locked-in
honeymonster 24th Nov 2009
With Chrome OS you need to run Google's cloud
applications (and hand over your privacy) if
you want any functionality.

No OpenOffice or MS Office. Only Google Docs
with documents stored on Google's servers.

Servers where Google will traverse and index
your documents to find out what your interests
are, company you work for, your customers and
suppliers etc.

No local spreadsheet. Everything you calculate
you also accept is traversed by Google.

0 Votes
+ -
Chrome security model.....
Lester Young Updated - 24th Nov 2009
....is an all-in bet on the security of web apps and servers. Client side security simplified, web side security complexified. Not my gamble.
0 Votes
+ -
End users won't be swayed by the safety on offer, unless it proves to be monumentally poor. Realize the number of people in the world with virus-ridden PCs, and the fact that many users just don't give a four-letter-word when it comes to security.

If it proves insecure, it will fall. If it proves to be more secure, people will continue to use windows as that's what their hardware runs. If it proves to be more secure and they allow people to run it as a quick-boot alternative OS on their current hardware and the range of web apps available grows to the point at which it rivals desktop apps, I think it stands a chance.
0 Votes
+ -
True
Cylon Centurion 24th Nov 2009
People just don't care (Or don't know enough) about security.


Which is a shame, because knowledge is the battle.
0 Votes
+ -
I'll continue to say...
Ceridan 24th Nov 2009
that Chrome OS is a bad idea. The simple fact of running a browser as an OS that can execute code from a remote, not always trusted, source makes me cringe.
0 Votes
+ -
You should be scared
billwerth2@... 24th Nov 2009
Yes, you should be scared if you are running a browser under Windows and executing code from the network. That is the whole point of building the OS from scratch... Windows was never designed for this and no amount of patches will ever make it secure.
0 Votes
+ -
from scratch?
Ceridan Updated - 24th Nov 2009
Google is just building a custom distro of Linux (using the kernel) and putting its web browser on top...

It will STILL execute code from a remote, untrusty, source...

Then put in a hypothetical situation:
Buffer overflow flaw in the browser component of ChromeOS combined with a sandbox violation flaw combined with a process elevation flaw that would allow malicious code to run at the kernel level and then you get malware.

Most of the recent browser flaws (if not all) are attributed to JavaScript... as long as you can't prevent JavaScript from running amok you will have a potential security breach vector.

And that's just infection vectors. ChromeOS won't do a thing against social engineering attacks because it's almost impossible to prevent that from a software point of view (without a sophisticated AI).
0 Votes
+ -
Well not completely from scratch
billwerth2@... 24th Nov 2009
Just after I pressed send, I realized I didn't mean from scratch :)

So what if your netbook is compromised? This seems to be the big fear everyone is concerned with here. Then you reboot, it securely patches itself, or maybe not. Do you care that much? None of your actual data is stored on the netbook, it is all in the cloud.

It isn't like you have to reinstall the OS, and every app you own, and spend the next week getting your system back up and running, maybe losing all your digital snapshots in the process, because who really backs up as much as they should?
0 Votes
+ -
Really?
Ceridan Updated - 25th Nov 2009
The problem with your premise is simple: You forget that it's plausible to affect the kernel by using a chain of flaws. If the kernel is affected then your machine is no longer trustable.

Remember, if the kernel is compromised, no security measures are effective because the kernel controls how your computer works. It's the heart of the OS and there's nothing you can do to fix this except reinstall the OS.

As for data stored in the cloud... who in their right mind would use Google's services for personal data storage... Google's goal is to have access to your life to give you ads (oh, and ChromeOS might also be ad supported...)
0 Votes
+ -
Don't put it all on developers...
CPPDEV 24th Nov 2009
DB: "And it’s not just about doing the Ballmer dance. It’s about getting those developers to do the safety dance."
~~~~~~~~~~~~~~~~~~~~~~~

And, it's about getting those Google CEOs to do the safety dance...the real danger is Google selling your data on its cloud servers to advertisers, the NSA, the IRS,...

The real risk resides on the Google cloud, not on the client.
0 Votes
+ -
Rise no, fall on lack of users yes.
No_Ax_to_Grind 24th Nov 2009
Sorry but it doesn't appeal to anyone but geeks.
0 Votes
+ -
nt
0 Votes
+ -
I am sure the geeks at Google will be happy now.

btw, thank you for contributing your work (MS Office add-ons) to Office 2010 for free.
0 Votes
+ -
Hit with geeks?
wizard57m@... 24th Nov 2009
I'm not so sure it would even be a hit with geeks, who for the most part get sheer enjoyment out of tinkering with their hardware, fine-tuning whatever operating system they choose, picking applications they want to control and getting the most performance out of a given system configuration possible. Contrasted with the proposed Google OS w/Chrome browser "netbook" form factor, they might get an initial "Oooo, ahhh", but then it would most likely end up on a shelf somewhere, not doing anything, because any effort to boost performance, or change system configuration, different applications, etc. would result in the Chrome OS reloading itself from protected ROM, essentially wiping out whatever tinkering they just did.
0 Votes
+ -
I think
Cylon Centurion 24th Nov 2009
It will make a business companion. Nothing more.

I don't understand how anyone can *seriously* contend giving up desktop computing for this junk.
0 Votes
+ -
Chrome OS is doomed
LarryPTL 24th Nov 2009
It will not work with the general public. The people want convenience. Chrome is so secure that it is too inconvenient.

But for the safety conscious, it can be marketed as a specialty product. I could load it on an old computer (with an AMD K6-500, for example) and use it for secure web browsing of my bank and credit card accounts.
0 Votes
+ -
Google Brother is Watching You
CPPDEV 24th Nov 2009
And, they'll scan what you do, so "secure web browsing of my bank and credit card accounts" might not be as secure as you think. Google will track you and sell that data. It has to do that in order to survive, to keep its stock price high, to pacify its shareholders. Google is a lure to draw your eyeballs to advertisers, to suck in your data and hand it to advertisers,...Google is a marketing firm, not an IT firm.
0 Votes
+ -
Very true...
Kromaethius 24th Nov 2009
NT
0 Votes
+ -
No! This is not about the geeks!
CPPDEV Updated - 24th Nov 2009
Google doesn't waste its time: it's not out to just 'play around with Linux' for fun and to satisfy its technical curiosity. This has serious appeal to the end-user: it's simple, reliable and elegant. Don't underestimate the appeal of this to the masses: it's a game changer.

Which presents a problem: the Chrome OS is Google-centric...it's what Microsoft always wanted in their own OSes but the Feds and the Euros never let them have: this is like going back to the old TV days when all you had were three channels (CBS, NBC and ABC). Why does Google want that? That gives them lots of eyeballs and marketing data to SELL to advertisers; that rakes in $$$ and jacks up the stock price.

The key to understanding the Chrome OS: you can't run OpenOffice, you can't use the GIMP, you can't run Firefox, you can use Google Docs, you can use the Chrome browser,...see a pattern here?
When Chrome Dumb Terminal OS finally ships, people will realize it is even more limited than Linux was on netbooks, and it will quickly become yet another footnote in computer history, once again proving that to take on Windows, you need a real OS. LOL, not even Apple's OS can get more than 5% share. How pathetic.

So in 12-18 months when it becomes clear that Chrome OS is failing, I'll post a link to this thread and all the "smart" people that reply to this post saying how MS is "doomed" or whatever. It should be fun.

Let's watch...
0 Votes
+ -
Thanks for that...
DanaBlankenhorn 24th Nov 2009
Why don't you e-mail that to me as well? I think it would be worth a post on its own.
0 Votes
+ -
In a sense you are right
Cylon Centurion Updated - 24th Nov 2009
There are a number of applications for both Linux and Windows that have yet to have an online equivalent. Also, there are some applications that I can see never having an online partner.

I fail to understand why Google is making an OS for netbooks, that my cellphone can do on its own without breaking a sweat. It sounds as if all it will be capable of is editing business documents on the fly... Something I can do with my Windows/Linux based netbook already, without the need for an even more crippled OS.

That combined with the fact that Google is insisting that "all your data are belong to us", uptake will be slow if at all.


Sorry, Google, But online operating systems are Fail.
but there is no way they will get enough support in time for release.

Building a web version of itunes would take years and there isn't even one being planned.

What about Skype? Photo editing software?

A lot of the web apps that do exist don't offer equal quality to native apps. There's still a noticeable lag and they can only be used when online.

Some people will buy this for relatives who just want to get on the web safely but the vast majority won't be interested, even as a secondary computer.
