Chrome OS Remains Undefeated At Pwnium 3
hypnosec writes "Google has announced that its Chrome OS has managed to remain undefeated during the Pwnium 3 event that was held alongside Pwn2Own. Announced by Google on January 28, 2013, the Pwnium 3 event carried prize money of $3.14 million. Researchers were asked to carry out attacks against a base Samsung Series 5 Chromebook running the latest stable version of Chrome OS. It turns out security researchers were not able to come up with winning exploits even after the competition's deadline was extended. The Google Chrome Team has revealed that partial exploit entries have been filled in, but no other details have been released."
OS that doesn't do anything isn't cracked.. (Score:2, Insightful)
The OS doesn't really do anything. It's a glorified web browser.
I'd be more impressed with OpenBSD not being hacked, and even that is essentially just an init process and sshd.
Don't overvalue this (Score:4, Insightful)
It only means that Chrome OS is not too badly engineered. As Chrome OS is pretty new, the number of people that had an in-depth look will be smaller. As it is quite a bit different from other OSes and offers a lot less functionality on the application side, other approaches may be required to crack it.
One could object that the kernel is still Linux. True, but the Linux kernel is one tough nut to crack. Even local exploits are in the vast majority not kernel-based, but some application messing up. If they are kernel-based, it is typically a specific driver. I do not remember any remote exploits for the kernel at all in the last few years, except one in an exotic network protocol, and Chrome OS has no reason to enable anything in that class.
So while this is a good initial result, do not overvalue it. It is possible that Chrome OS gets broken in the next few years when people get more experience with it. Due to its limited functionality, it is also possible that it will remain very hard to break into or that nobody manages it. Personally, I would welcome a mainstream secure browsing solution establishing itself, but remember that you cannot do most things with Chrome OS that you can do with other OSes.
Re:OS that doesn't do anything isn't cracked.. (Score:5, Insightful)
You say that like it's a bad thing. A glorified web browser with incredible security is exactly what a good amount of people should be using. Hell, I know someone who would get along fine if their computer did nothing but Facebook, let alone the rest of the web.
I find it hard to believe (though it's getting easier) that even geeks who have trouble seeing the world outside their little techy bubble can complain about this. I've seen the idea of an internet "driver's license" come up on these boards but then something that protects people from themselves is shit all over. Well done.
Re:OS that doesn't do anything isn't cracked.. (Score:5, Insightful)
Considering how fast the various web browsers fall, it *is* impressive. Chrome OS machines are wonderful for giving to clueless relatives who just browse the web.
Re:OS that doesn't do anything isn't cracked.. (Score:2, Insightful)
Maybe because some of us are still proponents of 'computers', not content-sipping machines. Awareness of computing means more than getting work done or being entertained, it also involves some learning about the nature of how we do these things can and should change over time. Combined with ideas of open access this is an important issue; we should all at least be aware of our ability to govern our processing needs, whether we enjoy the idea or not.
Re:OS that doesn't do anything isn't cracked.. (Score:5, Insightful)
I think what's important to note is that "nobody" uses ChromeOS. This means "nobody" researches bugs for it very hard (even though it's relatively well secured, actually).
All that to say, "nobody pwned Haiku either"
Re:OS that doesn't do anything isn't cracked.. (Score:5, Insightful)
Prehacked (Score:4, Insightful)
Chrome OS is prehacked. It comes installed with a trojan/bot which collects all your information and sends it to Google.
Re:OS that doesn't do anything isn't cracked.. (Score:4, Insightful)
The problem is 'computers' are far too complex devices for the average end user; it is irresponsible to let most people connect such a complex device to a public resource when they have no idea how it works.
Content-sipping machines managed by a third party are what the average user should have; 'computers' should be reserved for geeks who understand how to use them.
Re:OS that doesn't do anything isn't cracked.. (Score:4, Insightful)
No. Should they understand that giving a program administrative access means you're giving it full control of all your private information? Yes.
No. That's like saying that anyone who needs to drive a car needs to understand how the choke works. The choke. Remember that? Back in the 1980s and earlier when you learned to drive, you had to learn to use it to start your car when the engine was cold. It altered the fuel/air mix by means of a valve in the carburettor. Everyone had to know what you needed to do with the choke, but only a minority knew what it was doing inside the engine. It became automated and then obsoleted when fuel injection replaced carburettors. In the modern car, the computer (engine management system) performs the same action of making a richer air/fuel mix when the engine is cold. And very few people realise that's happening.
That's the proper use of a computer in a consumer product. To reduce the amount of detail the user has to know about.
Consumers should not be expected to know about types of users. Ideally they shouldn't need to know the concept of user accounts at all. The computer should just know who's operating them, and what they should have access to in the same way that a human clerk would. For the moment that may require credentials (bank card/username and pin/password) but biometrics that are more secure than that are probably not so far away.