Friday, July 10, 2009

Virus free OSes and Google Chrome OS

It's been buzzing all around about Google Chrome OS. Google announced they would create a new Linux-based OS called Google Chrome OS and they said "[they would make it] so that users don't have to deal with viruses, malware and security updates".

A lot of articles have reacted to the news, and to the claim. Bruce Schneier was quoted saying that it was an idiotic claim to pretend it would be a virus free OS. And he explained later that it was an answer on the phone, to a journalist, and that he hadn't read the news in the original text by then.

Indeed, Google didn't claim they would produce a virus free OS, and they did well. If I am not mistaken, it is always possible to create a virus on a Turing machine or equivalent. And, as Schneier quotes from Fred Cohen (1986), it's never possible to create a perfect antivirus program.

Google's claim is much more subtle and quite interesting. They said that the user would not have to deal with viruses, malware and security updates. And that seems quite possible to me, or at least quite feasible to improve on, compared to the current situation.
In my imagination, Google wants to silently push all that's needed from the web directly onto their OS. OS patches, antivirus definition files, and why not also manual patches when needed?

Take the example of the handling of spam by Gmail. They have a set of rules, which they can modify very quickly, and even modify "by hand" for a singular point. In comparison, at the workstation level:
  • in a typical open source environment, you would need an update command. Even if that's quick, that would require something like:
    # apt-get update; apt-get install last-spam-filter
  • in a typical closed source environment, it would require an update by hand.

Here, the rules, updates, patches, and even new versions of the soft immediately come through the browser. Even if the system makes no breakthrough in terms of fundamental security, you will get an excellent increase in overall security from the regular update of software. No more unpatched OS, unpatched browser, unpatched AV...

So far as I can tell, that would save companies big heaps of money on exploitation.

PS: That uncovers a lot of questions for me, such as: How will MS react? Why didn't MS try to do the same? How can competitors get a foot into the same market? Won't Google become a new empire of evil? Will Google's business survive to DoS attacks? How can any evil competitor prevent Google from getting into that market? How will the Google Chrome OS get onto the PCs in the first place, will it be shipped with PCs, or will users need to install it? Where do you set the limit between what Google remotely do and what they don't do? How will governments react? What about privacy of information? What about national spying issues?

3 comments:

  1. I think the user will only have to approve the installation and the browser (Chrome or a plugin for Firefox or IE) will backup the user data+profile, install the OS and restore the profile.

    The governments will oppose the new OS (at least due to Microsoft lobbying) and the privacy will not be an issue. I trust Google with my information more than I trust Microsoft. And Linux (even without Google's security hardening) is superior to any Windows version security-wise.

    As a side note: you have a free square in your free software stack. I wonder if Perl deserves a place there ;-)

    ReplyDelete
  2. Thanks for your comment!

    I think your scenario is most likely what's going to happen. However, the border-effects will be of great interest, like:
    - Governments surprisingly adopting the OS?
    - Reactions to the first occurrence of a big leakage on Google's part?
    - Remaining systems that will not be portable to the new OS? (I am thinking of Citrix applications for some reason.)
    - Governments' initiatives to eavesdrop on Google?

    Thanks for noticing the free software stack (a first). It's currently composed only of software with which I have worked a lot, which is not the case of Perl. Hopefully I will be able to add Perl some time next year :-)

    ReplyDelete
  3. I don't think the governments will adopt the OS, because there are too many people unable to use anything but Windows. Also, because it's new and because it will serve their fear of change, they will react worse to a Google leakage than they ever reacted to a Microsoft leakage. And, if Google is motivated, there will be a Linux client for Citrix, too :D

    ReplyDelete

I can read French, English, German and Romanian, please feel free to write in whichever language you prefer.