“Google Chrome OS is designed around the concept of “expendable” terminals that you can lose, drop or simply throw away without fear of losing your data, which is safely stored into the cloud. [However, one] thing is certain, with all your data being available into the cloud, in one place, available 24/7 through a fast internet link, this will be a goldmine for cybercriminals. All that is necessary here is to get hold of the authentication tokens required to access the cloud account.”
Chromebook: A New Class of Risks
2011-05-16 9:40 am WereCatf
Chrome isn’t impervious to security issues either. There just was recently a working proof-of-concept that bypassed all of Chrome’s built-in security features and ASLR and DEP. As such it’s still possible to infect a Chromebook, at least until it is rebooted if the malware payload is only resident in memory. As such getting the credentials is still quite easy. Google should go for two-factor authentication, not just username/password.
2011-05-16 10:04 am dvhh
In my opinion, even if the browser security is compromised, Chromebooks are running a restricted number of processes, that should be (hopefully) easier to control. Note that it doesn’t prevent from rewriting executing code (covered by NX flag and address space randomization).
Of course we are not in an ideal world, and security probably has been overlooked.
However, I feel more concerned about using an OS that is not self contained for development.
2011-05-16 12:08 pm Soulbender
If you’re talking about the exploit by that French “security company” who refuses to show any proof of their claim nor has any plans to tell Google what it is, instead selling their exploit to the highest bidder, well that is a bunch of horsecrap.
That’s not saying Chrome won’t have issues but this is probably not it.
2011-05-16 12:36 pm Lennie
It was hardly in Chrome, it was actually in Flash. But because of the way Flash is built they had to wrap it in a ‘weaker sandbox’ than their normal sandbox.
Also this was on Windows, not sure what effect it would have had on Linux.
2011-05-16 3:06 pm Praxis
That exploit was Windows only, Chromebooks are Linux-based at heart. That particular exploit is not in play here, others could show up in the future though.
2011-05-16 12:02 pm Soulbender
That is – as long as you trust the “do no evil” corporation behind the cloud storage.
Anyone who trusts that is incredibly gullible.
2011-05-16 12:14 pm flanque
Evil is but a point of view.
I’d be far more worried about where my data is. Are the servers in China in a floodplain? What about if there’s an internet outage of some type and I can’t access any of my files?
2011-05-16 12:15 pm flanque
Stick with Windows – it was designed to be offline. 😉
2011-05-16 1:51 pm Vanders
I’d be far more worried about where my data is. Are the servers in China in a floodplain?
Any reputable cloud provider will tell you exactly where their data centres are located and allow you to choose which one(s) you wish to store your data in.
2011-05-16 3:14 pm shotsman
How long before the location of these data centres becomes a matter of national security? They are after all pretty obvious targets for the ‘bad guys’.
I know one DC that is totally below ground. The only thing above ground is a small building which houses the lift shaft and a car park for 5-6 vehicles. Try blowing that one up….
The Cloud — great for document collaboration and sharing, free software like Google Docs, no worries for me about backups, and other advantages.
But also The Cloud — who knows where your data is stored or who can see it? Security and backups may be well handled or not… it’s no longer in your power to control them. And as far as using Google for the Cloud… their entire business plan is based on using other peoples’ data (OPD).
The Cloud is great for many informal uses. But the companies and individuals who naively use it without probing — deeply — about specifics are taking big chances.
My slogan for the Cloud — caveat emptor!
Going after Amazon, IBM, Microsoft and VMware. And Chromebooks will play a major part. Google just has to convince people that this is a good way to go. The only thing that bothers me is that I haven’t seen anything like Windows Azure Appliance announced by Google.
I’ve been watching Google I/O 2011 videos for a few days straight and I like what I am seeing. HTML5 is cool stuff. For once, HTML is really impressive. I realize that we’re in the very early stages of an HTML5 web but the potential is real.
PS: While watching the videos, I kept thinking Minecraft rendered in HTML5.
Getting those “security tokens” will be a bit harder. Spyware should be out, though the platform has not yet been grilled – exploits might still be possible somehow, but the intent of the platform is to eliminate these risks.
You still have the same ‘social engineering’, phishing and man-in-the-middle attack problem, and the impact is much higher, but compared to the current spyware/trojan situation, I don’t think it’s that bad. That is – as long as you trust the “do no evil” corporation behind the cloud storage.