A lot of people like to say that history repeats itself. People will make the same mistakes, for the same reasons, over and over again. That’s pretty much one of the fundamental laws of the human race. That’s essentially one of the rules by which we’ve operated for..well, centuries. Now, a lot of you are probably wondering where I’m going with this – what the hell some pseudo-philosophical nonsense has to do with Chrome, or even technology.
I’m getting to that.
Security and the Mac
Back in 2000-2006, the Mac platform was picking up speed. The way Apple marketed the Mac, it seemed new. It was unique. It was a hot, hip alternative to Windows. They were pretty confident in their new operating system, and anyone who watched TV would be virtually inundated with lauding the superiority of Macs over PCs. One of the often touted reasons? The Mac was supposedly a virus free platform (ironically enough; the very year that ad aired was when the first Mac OS X-specific Trojan was discovered). Now, for a time, Apple’s claims about the security of their system seem legit. Instances of malicious software on the Mac were rare, if not completely unheard of.
That would soon change.
As a result of its supposed immunity (and to be fair, the Mac platform was immune to traditional Windows viruses), most Macs generally didn’t contain security software. The problem with that, of course, was that when a Mac was hit by a virus, it was hit hard. See, once the crusty little virus-forging trolls realized that more and more people were using Macs, they began designing viruses for Macs. And once they did that, well…the holes in Apple’s security became blindingly obvious, and the once ‘secure’ Mac OS was left at the mercy of malware. All it took was the right virus.
Enter Mac Defender. Last month this new piece of malware caught the Mac platform completely off guard. It’s become a complete epidemic, apparently infecting somewhere between 60,000 and 120,000 systems. The worst part, though? It wasn’t the virus. It was Apple’s handling of the event. Apple flatly denied there was a problem- even going so far as to order their representatives not to assist customers with malware removal. They’ve since released a security update to rectify the problem with Mac Defender, but the whole snafu has opened the eyes of a lot of people- Macs aren’t safe from malicious software, not like Apple would have once liked their customers to believe. The foolish assumption that their system was immune, and their ham-handed attempts to perpetuate the image even in the face of overwhelming evidence to the contrary…well, it did a lot more harm than good to Apple’s rep.
Again, you’re probably wondering what this all has to do with Google- with Chrome.
Chrome’s Unique Security
Chrome is completely unlike any operating system we’ve seen to date, I’ll give it that. The fact that it operates entirely on the cloud- in a “sandboxed environment” as Google has been so fond of saying- gives it a massive leg up on every traditional operating system on the market as far as virus protection goes. Since every single application on Chrome’s OS runs in its own personal ‘sandbox’, infected applications can’t interact with other apps. Basically, every single program on Chrome runs in its own personal quarantine zone. What’s more, since all personal files and data are stored on a remote server, infected files can’t really do much. What’s more, in the nearly impossible event that a Chromebook should come down with a nasty case of malware, damage control is much more effective- since all your personal data is saved from the ravages of the viral infection. Of course, the likelihood of a Mac-I mean, a Chromebook – coming down with a virus is, well…nonexistent, right?
That’s the story Google’s been perpetuating, anyway. Rik Ferguson, director of security research at Trend Micro, isn’t buying it. He made a rather poignant post on his blog giving his take on the whole thing. ”While I applaud the impressive advances in security that are apparent in Chrome OS,” Ferguson says, “to a certain extent we are seeing marketing history repeat itself. How often did the mantra that Mac OS was immune to malware need to be repeated until the vast majority of users believed it and continue to do so, even after Apple went as far as incorporating rudimentary AV software into Mac OS?” He ultimately concludes that the belief Google is perpetuating about their operating system is foolish, to say the least. I’m inclined to agree- after all, it was basically assumptions of invulnerability that sunk the Titanic.
Okay, yeah, probably not a very good analogy. Let’s move on.
Holes in Chrome’s Security
Well, first and foremost, let’s take another look at sandboxing. What Google has said to the public rather insistently implies that operating on the Chrome platform means you’re operating in a completely sterile environment- any malicious infections will be isolated, confined to their own little bubbles, and unable to cause any real damage. Ferguson definitely didn’t neglect putting in his two cents about that little point in his blog post, either: ”Of course the sandboxing technology is designed to ensure that even a bad native app can’t misbehave. Well, exploits that break out of sandboxing have already been demonstrated for Internet Explorer, for Java, for Google Android and of course for the Chrome browser (to name but a few).”
So sandboxing prevents infected apps from interacting with other apps. Except when they can. That’s not all Ferguson has to say, either (he’s sort of ripping Google a new one here, isn’t he? But hey- they need to have their eyes opened just a touch.) Long story short, Google seems to be forgetting one very, very important aspect of spyware and malware- if a piece of malware exists, that means it was developed by someone. But not just anyone. These criminals are likely intelligent, resourceful, and cunning. Google’s Chromebooks have changed the game, so they’ll change their approach. Ferguson says it better than I could:
“In regards the notion of the operating system always reverting to a known good state at reboot and the security afforded by encrypted data being stored in Google’s cloud, well surely that’s just moving the goalposts for the bad guys. For much of today’s malware, one of the primary goals is persistence. This will be much more difficult (see how I hesitate to say impossible) in the Chrome environment, so the motivation will shift. If I can infect you for one session and steal your keys, well then I’ll get what I can while I’m in there and then continue accessing your stuff in the cloud, after all I’ve got your keys now, I don’t need your PC anymore. The beauty of that for criminals is that the victim may be even more unaware than they are now that they have been compromised.”
So, wait. Let me see if I’ve got this straight – not only is Chrome not one hundred percent secure against intrusion, but the way the system’s built could actually serve to aid cyber crime? That’s not exactly a comforting thought, is it?
Chrome’s security is above and beyond anything we’ve seen yet- but it’s not invincible. What’s more, there are sacrifices that need to be made to attain such a level of security- users aren’t going to be able to opt out of automatic updates, and there are going to be severe limitations on what desktop applications can be installed on the Chromebook. And even with all of this, even with Chrome’s Cloud platform and sandboxed applications and verified boot- it’s not indestructible. It’s still vulnerable to attack; we just don’t really know the avenue through which this attack might originate. Either way, Google’s perpetuating perhaps a rather dangerous mindset. When one thinks they’re invulnerable, one tends to take some rather dangerous- and foolish- risks.
Ultimately, Google risks going down the same road as Apple does with their marketing. Yes, their Chrome operating system is secure- perhaps one of the most secure operating systems to date. Even so, it’s not one hundred percent secure. No operating system is. Chrome has some weaknesses somewhere. But Google probably knows that, because if they don’t- well, I’m sure you all know what could happen.
How do you feel about Chrome’s security?