Chrome OS Doesn't Trust Apps Or Users

holy_calamity writes "Google's Chrome OS chiefs explain in Technology Review how most of the web-only OS's features flow from changing one core assumption of previous operating system designs. 'Operating systems today are centered on the idea that applications can be trusted to modify the system, and that users can be trusted to install applications that are trustworthy,' says Google VP Sundar Pichai. Chrome doesn't trust applications, or users — and neither can modify the system. Once users are banned from installing applications, or modifying the system, security, usability, and more are improved, the Googlers claim."

  • by DoofusOfDeath ( 636671 ) on Friday December 10, 2010 @03:28PM (#34516842)

    I trust me more than I trust Google.

  • by KingFrog ( 1888802 ) on Friday December 10, 2010 @03:28PM (#34516844)
    Really, not letting most users or applications modify the OS is a good thing. Microsoft (and others) have had a TERRIBLE model in permitting this. Third-party stuff has no business altering the foundation of the system's operation. Now, not letting an application that doesn't want to monkey with the OS get installed is probably going too far. I mean, who's gonna run an OS they can't put an app on? That's broken.
  • Indeed (Score:2, Insightful)

    by Dega704 ( 1454673 ) on Friday December 10, 2010 @03:31PM (#34516882)
    Great idea Mr. Jobs, I mean Schmidt. Sorry.
  • by lpaul55 ( 137990 ) on Friday December 10, 2010 @03:33PM (#34516920) Homepage Journal

    Companies don't trust their employees and Chrome is a sandbox within a sandbox. This is a good thing in the corporate world where centralized control is valuable.

    Chrome is a very thin client that really works.

  • Re:Wait, what? (Score:1, Insightful)

    by Americano ( 920576 ) on Friday December 10, 2010 @03:34PM (#34516944)

    No no no, this is Slashdot.

    When Steve Jobs says "HTML5 web apps are all you need," it's naked, leering, monopolistic evil.

    When Google VP Sundar Pichai says the same thing, it's for your own good, and the most sensible advance in computing since the GUI was invented.

  • Re:Wait, what? (Score:5, Insightful)

    by Microlith ( 54737 ) on Friday December 10, 2010 @03:37PM (#34516992)

    And I expect that to carry zero weight with 3rd party hardware vendors, who will undoubtedly lock the platforms down and, if they're like Motorola, they'll sign the kernel so you absolutely can't load other OSes.

  • Re:Wait, what? (Score:5, Insightful)

    by natehoy ( 1608657 ) on Friday December 10, 2010 @03:40PM (#34517046) Journal

    I was thinking the same thing. If iOS is a walled garden, this is a walled garden hermetically within a Plexiglas dome and a concrete floor and all the plants in sterilized pots.

    But that might not be a bad thing. For the "my phone/computer is an appliance" crowd, this might be perfect. No fiddling around trying to download plugins or extensions, no overhead of antivirus, and no difference between multiple machines, and most importantly almost no tech support required. If I break something like this, I go out and buy a new one, present one username and password to it, and it's exactly like my old one used to be.

    If you're selling an OS whose primary purpose is to surf da interwebz, it might not be a terribly bad idea to resurrect the concept of the "dumb terminal" in that context. I presume Google will push updates, so if they keep a current list of plugins and/or extensions that can be enabled/disabled by the user as desired, you have machines that are going to be really, really hard to compromise, and really, really easy to use. And really, really inexpensive.

    Well, except by Google, so you'd better trust Google a LOT under this model (much like you have to trust Apple a good deal under the iOS model). If you want your computer to do anything outside what Google had in mind, you're done. If Google gets hacked, your data gets hacked and you might never know about it. And, of course, you'll never be able to do anything without Google knowing about it.

  • Re:Wait, what? (Score:5, Insightful)

    by Americano ( 920576 ) on Friday December 10, 2010 @03:41PM (#34517066)

    The headline isn't really misleading, it's actually quite accurate - Chrome OS doesn't trust apps or users to be safe. That you can replace Chrome OS with something more trusting doesn't mean Chrome OS itself suddenly trusts those apps and users.

  • by fuzzyfuzzyfungus ( 1223518 ) on Friday December 10, 2010 @03:41PM (#34517068) Journal
    The difference (at least according to design docs, we'll see what happens on release when we come to that) is that ChromeOS devices give one the (advanced; but non-hack) option to tell the command and control system to shove it. Their shipping image, and the one you get if you restore, is built on a no trust model; but if you wish to put a different one on there (including a modified build of the open portions of ChromeOS) that is your call.

    With Apple, by contrast, their portables are their OS or nothing, barring hacks that depend on mistakes they did not intend to make, and do tend to correct over time. What you see is what you are stuck with.
  • by wiredog ( 43288 ) on Friday December 10, 2010 @03:44PM (#34517106) Journal

    So don't buy one...

  • Re:Wait, what? (Score:2, Insightful)

    by DrgnDancer ( 137700 ) on Friday December 10, 2010 @03:44PM (#34517112) Homepage

    After reading the article, I can't come to any other conclusion. This is *way* more closed than the iFamily stuff. It's on par with the attitude that Apple took with the initial release of the iPhone, before the App Store. Even then, Apple provided a fair number of local apps that you could use to perform a lot of basic PDA functions. This is literally a computer with one application installed. It has a web browser, that's it.

    This is... pretty yucky. I mean... I consider the iPhone's level of lock down to be acceptable on a phone or PDA, but somewhat limiting on a tablet (one reason I don't have an iPad yet). This is a full fledged laptop and it's even more locked down?

  • by Americano ( 920576 ) on Friday December 10, 2010 @03:45PM (#34517140)

    Google doesn't get advertising dollars from you running a local app and disconnecting from the network. They *do* get advertising dollars for every online app you regularly use because that's the only way for you to get anything done.

    I spend most of my work day with a couple browsers, a couple Putty sessions, Outlook, Excel, and a few other apps open. Imagine how many page impressions that would generate if every single one of those apps was based in "the cloud" and had a little section where Google could insert ads?

    Still wondering why this is being touted by Google as the most innovative and revolutionary feature ever in OS design?

  • Re:Wait, what? (Score:5, Insightful)

    by mlts ( 1038732 ) on Friday December 10, 2010 @03:48PM (#34517192)

    Reading the design docs, having an oem-unlock switch is a nice compromise between keeping Joe Sixpack from getting compromised by malware, then blaming it on Google/device maker's lack of security versus allowing a clued user to do what he or she wants.

    With this in mind, one thing that would be nice to have are offline apps. This way, a glitch in Internet connectivity would not mean a corrupted term paper.

    I just have one concern though -- the fact that everything you do is stored in the cloud. This means zero privacy. Even with the lack of privacy now, if an application started sifting through Word documents and uploading them to an ad agency, there would be Hell to pay. However, one can't have any assurance that someone isn't doing this when all the docs are stored remotely. There is a fundamental rule, "don't put anything on the Internet that you don't want everyone, including your worst enemy to know." So, trusting a cloud service with everything you do may have negative ramifications later on.

  • by Eil ( 82413 ) on Friday December 10, 2010 @03:49PM (#34517202) Homepage Journal

    The whole point of Chrome OS is to shift the application from running natively on the hardware to running in the cloud. You're thinking of the web browser as the application, Google is thinking of GMail as the application.

  • by ka9dgx ( 72702 ) on Friday December 10, 2010 @03:52PM (#34517250) Homepage Journal

    One should never trust an application, I'm in agreement on that.

    The user owns the machine, they should be trusted to decide what is done with it. If you think I'm wrong... let me explain...

    The reason we don't want to trust users is because they have a demonstrated history of bad choices, which result in a lot of work for the geeks who have to clean up the mess. We have a better track record, so we ass u me that it must be because we are smarter than they are. This is only true to a limited extent.

    The reason the user makes bad choices is because they are given the wrong choice to make. Instead of asking what extent of permission a program should be granted, the user is given an all or nothing choice. It's not possible for them to "try out" a program without risking everything. This is just plain nuts.

    Capability based security offers a way to express the wishes of the user in a manner which NEVER trusts an application... but rather places the responsibility for limiting system changes in the operating system, where it belongs.

    It is only when we finally get out of our smug self-congratulatory slumber that it's possible to consider that the typical user is not an idiot prone to randomly pressing OK.

    We need to offer sane choices, and a sane security model... Capability Based Security is the only way to go.

    Google... unfortunately, isn't any wiser and misses the boat here, but by a slightly smaller margin.
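
The contrast drawn in the comment above, between an all-or-nothing grant and handing a program only the authority it needs, sketched as an added example that is not part of the original thread. `DirCapability`, `untrusted_app` and `demo` are hypothetical names, and the sketch assumes the program can reach files only through the object it is handed; Python does not enforce that, a capability-based OS would.

```python
import os
import tempfile

class DirCapability:
    # Hypothetical handle: holding it is the only permission to one directory tree.
    def __init__(self, root, writable=False):
        self._root = os.path.realpath(root)
        self._writable = writable

    def _resolve(self, name):
        # Resolve symlinks and ".." first, then refuse anything outside the grant.
        path = os.path.realpath(os.path.join(self._root, name))
        if os.path.commonpath([self._root, path]) != self._root:
            raise PermissionError("outside granted directory: " + name)
        return path

    def read_text(self, name):
        with open(self._resolve(name), encoding="utf-8") as fh:
            return fh.read()

    def write_text(self, name, data):
        if not self._writable:
            raise PermissionError("capability is read-only")
        with open(self._resolve(name), "w", encoding="utf-8") as fh:
            fh.write(data)

    def read_only(self):
        # Attenuation: derive a weaker capability to hand to less trusted code.
        return DirCapability(self._root, writable=False)

def untrusted_app(cap):
    # Stands in for a program the user wants to "try out". It receives one
    # capability and records what each attempted action resulted in.
    attempts = {
        "read": lambda: cap.read_text("note.txt"),
        "write": lambda: cap.write_text("note.txt", "tampered"),
        "escape": lambda: cap.read_text("../home/secret.txt"),
    }
    report = {}
    for label, attempt in attempts.items():
        try:
            result = attempt()
            report[label] = "ok" if result is None else result
        except PermissionError:
            report[label] = "denied"
    return report

def demo():
    # Constructed sample layout: a private "home" and a "scratch" directory.
    with tempfile.TemporaryDirectory() as base:
        home = os.path.join(base, "home")
        scratch = os.path.join(base, "scratch")
        for directory in (home, scratch):
            os.makedirs(directory)
        with open(os.path.join(home, "secret.txt"), "w", encoding="utf-8") as fh:
            fh.write("private")
        owner = DirCapability(scratch, writable=True)
        owner.write_text("note.txt", "hello")
        # The user's choice is the scope of the grant, not "install or don't".
        report = untrusted_app(owner.read_only())
        report["note_after"] = owner.read_text("note.txt")
        return report

if __name__ == "__main__":
    print(demo())
```
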

  • Re:Wait, what? (Score:2, Insightful)

    by mlts ( 1038732 ) * on Friday December 10, 2010 @03:56PM (#34517284)

    I'm almost sure that will be the case. I can see third party ChromeOS device vendors not just kernel signing, efuses, or autoreinstalls, but doing one or more of the following:

    1: Keeping a manifest of all executables and having a process (kernel or user space) that kills with a -9 anything whose name, inode, and path isn't on the guest list.

    2: Throwing a hardware switch to brick the device (true bricking, as in blowing out sections of the BIOS chips) if the OS thinks it's tampered with.

    3: Autobanning people's Google accounts who have custom ROMs.

    4: Keeping a list of who is rooting the machines, then hitting them with DMCA/ACTA charges in large busts covered by the media done all on one day (think Operation Sun Devil). Of course, jailbreaking is legal for now, but ACTA is going to be the law of the land in most of the world soon.

    What I fear that may end up happening is that the only ChromeOS device that will allow custom OS modifications will be the reference ones that Google does, similar to how Google phones are the only unlocked Android devices (ADP1, ADP2, Nexus 1, Nexus 1S) available commercially.

  • Re:Wait, what? (Score:5, Insightful)

    by gstoddart ( 321705 ) on Friday December 10, 2010 @03:58PM (#34517310) Homepage

    Doesn't that make it even more closed than an iProduct?

    If I read the article correctly, a purely "the web browser is everything" simply won't be worth a damn if you have no network connection.

    It's also got no storage, so it's not like you could load it up with your MP3s or pictures.

    So, it's a dumb-terminal that requires me to have constant access to the internet, can't store files, can't have actual programs installed on it. I just can't see who is going to want this.

    Say what you will, but at least my iPad lets me install software, store my photos to browse, add eBooks, movies, and music ... and I can use it on an airplane.

  • Re:Wait, what? (Score:3, Insightful)

    by Americano ( 920576 ) on Friday December 10, 2010 @04:05PM (#34517420)

    Come back in an hour when all those posts have been modded down to -1, Flamebait, and look at the stuff that's been marked up.

    There are an awful lot of people here who are going through tortuous mental gymnastics to explain why Google locking down its OS so that the only thing you can do is run web apps is a good thing because you can wipe Chrome OS and install whatever else you want.

    By that logic, Windows is the best OS ever, because you can wipe your new system from Dell and install something that's completely different from Windows on it. If the best thing you can say about Chrome OS is "you can replace it with something better," then it's not very good, is it?

  • by TheEyes ( 1686556 ) on Friday December 10, 2010 @04:20PM (#34517562)

    It doesn't matter what levels of relative distrust I assign to Google or assign to you personally.

    Google can do a lot more damage to me than you can.

    Well, that rather depends on what volumes you assign to "you."

    Dozens of zombie botnets exist around the world, and consist of millions of compromised machines. All of these exist almost entirely because users are trusted to make the right decision with regard to program installation and access... and they're wrong often enough to get their machines infected.

    The fact is these days even relatively knowledgeable users can't be expected to be able to easily vet the source code of every program they use, even when the source is available. When was the last time one of you audited the code for the entirety of your Linux install--or even just the kernel?--plus your Firefox/Chromium browser and Open/Libre Office? Have you manually combed through all the Javascript from every webpage you've browsed today, to make sure there are no exploits hidden in the code? Are you sure you haven't given a virus a backdoor into your system?

    Maybe not trusting users by default is the right way to go. It's just an extension of the idea to not have everyone log in as Administrator/Superuser all the time, and instead differentiating between regular users and admins; you're just linking the Admin account to a physical switch on the hardware itself.

  • Re:Wait, what? (Score:5, Insightful)

    by Dishevel ( 1105119 ) on Friday December 10, 2010 @04:22PM (#34517588)

    3: Autobanning people's Google accounts who have custom ROMs.

    Exactly how do you think that Sony, Samsung, HTC, Sprint, Verizon or even the Evil AT&T will ban your Google account?

  • Re:Wait, what? (Score:5, Insightful)

    by yelvington ( 8169 ) on Friday December 10, 2010 @04:33PM (#34517716) Homepage

    So, it's a dumb-terminal that requires me to have constant access to the internet, can't store files, can't have actual programs installed on it.

    Please catch up. It is not what you think.

    It's not a dumb terminal, it doesn't require you to have constant access to the Internet (some apps require it, others don't), it can store data locally, and you can install programs. They're registered in the cloud, and if you log in and one is missing, it's quickly synchronized to the local device.

    http://www.w3.org/TR/html5/offline.html [w3.org]
    http://dev.w3.org/html5/webstorage/ [w3.org]
    http://www.html5rocks.com/tutorials/offline/storage/ [html5rocks.com]
    http://code.google.com/chrome/apps/ [google.com]

    Understanding the significance of ChromeOS requires that you abandon some old ways of thinking about how a computer should act. Yes, you're "losing" the desktop and the file folders. You're also losing slow boot times, viruses, the risk of losing your data in hard drive crashes or device theft, and the occasional maddening discovery that you left a critically important file on a hard drive at home|school|work.

    This may not be the device for you, but it may be the device for a lot of people. It's worth pointing out that over half a million people buy smartphones every day that also walk away from a mountain of desktop-computer annoyances.

  • by DrgnDancer ( 137700 ) on Friday December 10, 2010 @04:37PM (#34517786) Homepage

    And for those comparing this to Apple's lockdown, that's ridiculous - Apple actively tries to prevent you from jailbreaking, while anyone can mod the Chrome OS.

    Anyone can modify Linux, that doesn't mean that if you give me a Linux box with locked down guest account access, no alternate boot methods, and don't tell me the root password that I can modify this *particular* Linux installation. The fact that Chrome is Open Source won't help me install applications on my Chrome device. Unless I go out and install my own custom ChromeOS on the device, at which point why did I buy this thing? I could have just bought a conventional laptop and put Fedora on it.

  • by Sloppy ( 14984 ) on Friday December 10, 2010 @08:18PM (#34519948) Homepage Journal

    ..it better trust the machine's owner completely, or else these machines are just Trojan Horses. If the machine doesn't ultimately answer to you, then who does it answer to? Someone who isn't you, that's who.

  • Re:Wait, what? (Score:3, Insightful)

    by shish ( 588640 ) on Friday December 10, 2010 @09:56PM (#34520632) Homepage

    Then why does Google look the other way as manufacturers engage in blatant lockdown of this supposedly free and open code?

    What's the alternative? They give the manufacturers a long list of terms and conditions as to what they are and aren't allowed to do with this supposedly free and open code?

    This seems to be a pretty straightforward parallel to BSD freedom (the freedom to limit user's choices) vs GPL freedom (your choice is limited to giving users freedom)

  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Friday December 10, 2010 @11:50PM (#34521174)
    Comment removed based on user account deletion
  • Re:Wait, what? (Score:4, Insightful)

    by Anthony Mouse ( 1927662 ) on Saturday December 11, 2010 @02:38AM (#34521706)

    What I see happening is big corps like Google paying for GPL V2 versions of code to be continued and updated, which they will lock down via eFuses and other TiVo tricks thus screwing the original developers unless they hire them to work for the corp.

    There is basically no reason for a corporation to maintain a fork of GPL code all on their own. Half the point of using OSS is that you can make the changes you need and push them back into the tree without having to maintain your own version of everything in the world. If you're going to maintain it all yourself with no community involvement then you might as well just write the whole thing without using any GPL code. If that was Google's intent then why didn't they start with BSD and then never need to publish the source for their changes?

    Meanwhile the GPL V3 code will be less used or fragmented, since you'll be able to use the GPL V2 code in the GPL V3 branch but not the other way around

    So you're saying that because the GPL V3 version will have improvements made by certain corporations and the community instead of just the improvements made by those corporations, fewer people are going to use it?

    But if you think the headset makers and telecos are actually gonna embrace openness?

    Oh, they'll fight it. But right now they control the phones because they subsidize them and people buy their phones from the phone company to get the subsidy. What happens when the price comes down on phones to the point that they don't need a subsidy? They're going to turn away paying customers just because the customer bought their phone on Amazon without the lockdown package?

    They have seen the iPhone app store model and have $$$ dancing in their eyes, they sure as hell ain't gonna let you install or do anything they don't get a cut of, sorry.

    Someone was just telling me how the app store model doesn't make Apple very much money (they make much more by selling the device), and I'm not sure AT&T is making anything from it directly either. They certainly make more by selling ~$100/month service plans. Sure, AT&T likes that they can "discourage" apps that use cellular bandwidth to make VOIP calls instead of making AT&T voice calls, but all it takes is a wedge. One provider allowing open phones. Then it isn't a matter of losing a few bucks out of a $100/month wireless plan, it's a matter of losing the whole contract to the company that lets their customers save a few percent by using VOIP.
