Google Chrome OS: Speculations Abound, What Do You Think?

I'm very curious to watch how the new Chrome OS will develop. I've been reading some of the buzz around it today and have even been reading some of the comments around it. I use Chrome (the web browser) every day; it's my main browser. As of this week I even got my wife to finally start using it after IE locked up her computer again and she decided it was the last time.

However, I doubt I will be ever using Chrome OS – or will I?

My prediction is that I am already using Chrome OS. If you follow the Chrome Dev Channel blog you've probably noticed that as the Google team is hard at work on v3 they are working on versions for Linux and Mac. They have been working on this since v2 was released back in May.

According to the Google blog Chrome OS will run on Linux and here are their stated goals:

  • run on both x86 as well as ARM chips
  • most of the user experience takes place on the web
  • Google Chrome running within a new windowing system on top of a Linux kernel
  • users don't have to deal with viruses, malware and security updates
  • data to be accessible to them wherever they are and not have to worry about losing their computer or forgetting to back up files
  • [users] don't want to spend hours configuring their computers to work with every new piece of hardware, or have to worry about constant software updates

These seemingly lofty goals are nothing new. For at least a year I've been hearing about software that allows you to bypass the OS and quickly boot straight to a “browser only mode”. Two examples are gOS and Presto. gOS is what I think Chrome OS will be like – the browser IS the OS. You boot directly into a web browser and your entire experience is inside the browser.

Applications

When Chrome was first released Google talked about how the browser was becoming (is?) its own platform for application development. They developed the Chrome JavaScript engine – V8 – to run JavaScript really fast to allow more to be done on the client. The idea is that if the JavaScript engine is “fast enough”, then it is adequate for most applications.

File Storage

Google Gears has been around for a while now and it means you don't need local storage, other than a local cache. Gears allows you to make cross-domain requests using a “cross-origin worker”. This would allow your files to be stored in the cloud by any service provider (Flickr, Picasa, Windows Live) and then you can use any web application (doesn't have to be the one provided by the aforementioned providers) to browse your photos as long as you grant it permission.

Video

The HTML 5 specification now makes video a first-class citizen of your web browser. Chrome supports playing video natively in the browser without needing a plug-in (pretty nice for Google since Chrome doesn't support plug-ins). Again, you store your videos in the cloud and watch them anywhere.

Security

At least for now Chrome is the most secure web browser available. The security (simplified) is two-tiered, the second tier being the sandbox. There are current exploits for Chrome, but those exploits land the attacker in the sandbox. This means that a hacker's exploit must additionally exploit the sandbox. So an attack needs both a bug in the browser's rendering engine (WebKit) and a bug in the sandbox. So far, this has not been done. Could it be done? In theory, but until that happens there are no exploits for Chrome. Because of this, if Chrome were your entire OS then (speaking of today) you're most likely secure.

Applications

As a programmer, would I ever use Chrome OS? Right now, no. Developers require an IDE and debugging tools, source control integration and other such tools. All this requires software running locally on my desktop, but will it always be that way? Maybe not, just consider the Mozilla Labs Bespin project. At the moment it's a far cry from Microsoft's Visual Studio IDE, but do most developers really need all the tools provided by Visual Studio? I know I probably don't use 10%. Statement completion, syntax highlighting and a compiler would be adequate. I'm not saying that's all I use, other features make me much more productive but I'm saying it's possible to provide many of the features in the cloud – even for an application developer.

For a graphics designer, you might think the browser might not be adequate either. But there are already services for the novice which allow you to edit photos, and with the addition of VML who's to say that we're so far from professional graphics programs hosted in the cloud either?

But for the average computer user, as time progresses people will object less to their files being located exclusively on the web. If Google can convince people that Google Docs has all the functionality they need along with other programs people use (photo/video editing) then it's very conceivable that Chrome OS (and other similar OSes) could be very successful.

Hardware Integration

So the only piece of this puzzle that isn't immediately apparent to me at this point is how they will integrate with hardware devices. Maybe because I'm a web programmer and not an OS programmer. Google will need to allow you to get images off your camera, videos off your camcorder. Or at least read from a card reader. Then you need to upload those files to your preferred cloud provider. You'll need to install devices like web cams and printers.

All this requires drivers and a way to access these devices. How do they plan on doing this without exposing vulnerabilities? Google has stated that if you want to develop applications for Chrome OS your platform is the web – HTML, JavaScript and any server side platform you choose. But the web is not currently allowed to access your devices (for good reason).

Conclusion

Chrome the web browser already does most of what Google has envisioned for their new OS. They just need to integrate it into a Linux distro (something they've already accomplished with Android) and provide an interface for managing/accessing hardware devices. I know that “just” is still a long stretch, but not that far away when you consider everything else they've already got done.

For now, I already have an operating system which loads in a matter of seconds - about 25, not much longer than it takes to fire up a web browser and load a web page. Windows 7 running on an SSD is pretty darn fast, I've written before about it. I've been running it for almost 2 months now and I still have free space on my drive and it's showing no signs of slowing down. So I've got no need for an OS that only will load 10-15 seconds faster, but who's to say.

Almost 10 years ago, I said “hell no” when Ray Ozzy was talking about storing all our files on the web. But now I use Dropbox and SkyDrive. I've also used Google Docs a bit as well – but I don't really create many docs or spreadsheets and for blogging Live Writer is better at keeping my formatting. So you could say I've bought into that philosophy over the years. And gradually I'm sure many others will too.

What do you think?

I really would like to know what you think. Am I dead wrong? Or dead on? How do you think they'll integrate hardware? Do you think we'll ever completely ditch the bloated operating systems of today?

Feedback

# 

Nice - I heard a story on NPR yesterday about this and had a few thoughts on it then, but after reading your review, I have even more.

So, first off - I don't know why Firefox isn't your favorite, default browser. Have you been feeling okay? ;) I just can't live without the numerous extensions that I have become accustomed to with Firefox, and since Chrome has no extensions (it does, contrary to your information, provide for plugins - that's how Flash works within Chrome, for example). Compared to IE, almost any browser is better - compared to Firefox, I don't know how Chrome comes out to be better, especially with Firefox's latest release (3.5) being so good. But, that's not that big of a deal.

So, a few random points:

With regards to storing files in the cloud: I like it and do it as well, but if I went hog-wild with it and started storing ALL of my files in the cloud, I would quickly run out of free space, and I don't know that I really want to pay for something like storage space unless it is comparable to my hardware solution - and even then, local storage doesn't have the speed constraints of the internet connection, nor the costs to connect. All of that has to be taken into consideration too. The convenience and security of keeping files locally is hard to match.

With regards to the Chrome OS hooking into hardware - you ask how that would be done. Here is how I see it happening: there are already digital cameras that can hook directly into your local network via wired or wireless connections. I suppose a separate device could be sold that would connect all of the hardware to your local network via a local web server, etc. and allow you to obtain their data in that way. So, your camera, via either its own capabilities or via an external device (i.e. not the Chrome OS device) would upload its data directly to Flickr or similar services. Something like that. It's late and I am not as lucid as I would like to be.

So, the biggie for me is this: Google's main goal is to show you advertising - right now, with Firefox and an extension, I don't have to see ads. I doubt Google's Chrome would allow you to block ads from Google websites, since that is their money maker. I am curious what they are planning on doing in that respect...who knows, maybe they are not expecting to make any money off of this thing. They just want to kill Microsoft.

Also, it's Ray Ozzie, not Ozzy - you are confusing Ray with Mr. Osbourne, perhaps? :P

Also, let me say this - I don't know squat about blogger.com's options, but commenting is an exercise in frustration because I am in this tiny little 300x200 pixel textarea and can't see the original post. There is a link "Show Original Post" which, upon clicking, shows the text of the original post, but it is all run-on with no paragraph breaks and shows up along the left side of the screen. I would rather have the comment text box be beneath the text of the actual post, like most blogs do. What is the deal with this, it is annoying at best! Get dasBlog hosted somewhere and get away from this crappy blog engine! 7/9/2009 9:37 PM | noreply@blogger.com (JasonBunting)

# 

Jason,

Why isn't firefox my default? Actually, it is. When I'm developing I use firefox because of the firebug plugin - chrome has some good tools, they are better than IE, but they still don't match firebug. Since Visual Studio opens your default browser, mine is set to firefox. But when I'm browsing the web, I use Chrome because for the time being it is more secure and I don't need any plugins for just browsing.

As for advertising, I don't support ad blockers. In the past I have been a stakeholder in web properties where ad revenue was very important to us and as a publisher I use ads to try and monetize my free contributions to the web. While I may not click on many ads, I support them because they help support free content. Most of the time I don't notice ads, and if a site has so many that it ruins the experience then I won't visit the site anymore. Without ads, more content on the web would require subscriptions - and I am one cheap guy.

I agree with you about storing files in the cloud. I'm all about ownership and control. Plus, I hate waiting for files to download/upload over the internet. But some people really don't mind and more power to them. And I can see google giving away either unlimited storage space or enough for most people. If it were supported by enough ad revenue I wouldn't put it past them.

You also mentioned security, that and privacy will need to be addressed such that people trust them. As of right now, I think it's headed that way, but there will always be those who will never give their trust, I'm in the middle, but I lean more towards mistrust for the time being.

I still don't get the hardware. And maybe it's because I'm thinking more about how they intend their OS to "just work" when it would seem they would need the support of hardware vendors for the drivers. If they are looking to keep things secure, all while opening up your hardware to the browser (maybe not to web sites, but if you open it to the browser some hacker is gonna find a way in) then it would seem to be that the hardware wouldn't necessarily "just work". But I admit to being pretty weak on my knowledge of the inner workings of driver communication.

As for Ray Ozzie, well that's what I get for not proofreading well enough :P. And you're right about blogger's comment sections, I guess I could host it somewhere and point my blogger domain at it. I should have thought about it when I started marketing my blog I should have my own domain name instead of using blogger.com. 7/10/2009 10:19 AM | noreply@blogger.com (Mark J. Miller)

# 

I concede that ads are a way of supporting things and perhaps I need to re-examine my stance on it in order to make sure I am not being hypocritical (you have to be vigilant against hypocrisy, it's an easy trap to fall into - at least for me).

Never thought much about how Chrome is more secure than Firefox - do you have examples? I am not aware of any problems, but I don't know everything either.

Sorry about bringing up your misspelling of Ray's last name - it's the editor in me. I just can't help it.

In my not-so-humble opinion, a blog isn't a blog unless it allows for comments; thus, the commenting capabilities of a given blogging engine are one of the most important features to evaluate when considering what to use for such. When commenting on as lengthy a post as this one, it is nice to review it while I am writing my comments, and this commenting facility gets one word from me: FAIL!

In other news, have you heard of Google Wave? I assume you have, since you seem to be a bit of a Google fanboy. ;)

J/K

Either way, check it out if you haven't heard of it already; it most likely factors in to their plans for world domination. Also, this month's issue of Wired has a great article talking about how the value of Google's search may be threatened by Facebook's leveraging of their social graph database. Interesting read, to say the least. If you can't obtain the article online, let me know and I will try to get it to you otherwise. It's worth considering. 7/14/2009 7:38 AM | noreply@blogger.com (JasonBunting)

# 

Oh, and you make a good point about using FF for development purposes - it's hard to beat (although Chrome also has a similar tool built-in (at least, mine does) that mimics a lot of Firebug's core functionality).

I allude to this often, but it is SO relevant:

"It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell

Perhaps you don't use Firefox for browsing because you are not aware of the cool extensions that make browsing in Firefox so much more enjoyable and *productive* than browsing in any other browser, including Chrome.

Someday, if you are interested, I can show you what I mean. I guess if I were enterprising enough, I would produce an entire blog series about it, huh? Yeah. That would be a good idea. :) 7/14/2009 7:43 AM | noreply@blogger.com (JasonBunting)

# 

AFAIK, Chrome's sandbox is the reason it is so secure. I looked at Mozilla's security page and of course they talk about how secure it is, but mainly I'm basing my evaluation of its security on the interview I referenced in this post about how Chrome was the only browser left uncracked.

[BEGIN QUOTE]
Google Chrome was the one target left standing. Surprised?

There are bugs in Chrome but they're very hard to exploit. I have a Chrome vulnerability right now but I don't know how to exploit it. It's really hard. They've got that sandbox model that's hard to get out of. With Chrome, it's a combination of things — you can't execute on the heap, the OS protections in Windows and the Sandbox.

I might have this bug and I might be able to get code execution. But now you're in a sandbox and you have no permissions to do anything. You need another bug to get out of the sandbox. Now you need two bugs and two exploits. That raises the bar.
[END QUOTE]

I'm not naive enough to believe it can't be hacked, but since it hasn't been yet it is currently less vulnerable than any other browser. I suppose there is some hypocrisy in that, since I won't buy the same argument from any mac fanboy out there. But I honestly believe that the architecture is also secure, not just "hasn't been hacked, yet".

I don't care if you point out spelling, don't worry about it.

As far as updating my blogging software, it's one part laziness, another part don't have the time. Between work, trying to post frequently and other projects I don't want to take the time right now. But your argument is solid, I just need to make time to do it.

I might be considered a Google fanboy, but I'm practical. For example, I'm setting up Chrome to use Bing as the default search engine. I want to give it a test drive and see how I like it. The reason I like most Google products is they are clean, and don't give me more than I need. I like "bare metal" stuff - not always. But I really don't like clutter, my office is a mess, you know that. But on my machine clutter bugs me.

That said, yes I watched a webcast on Google Wave. I'm mildly curious, but for now, I really don't see myself using it. Email, blogging and IM work fine for me at the moment. I'm on facebook, but just because it helped me find some friends. Social networking is one of those things that falls into the "clutter" category for me. Not that I'm entirely opposed to it, but I'm too busy for most of it. Wave is a collaboration tool, but that's more than I need and so I probably won't use it. But I like to keep up on stuff so I'll probably follow its progress.

I'm aware of Chrome's dev tools, but they just don't match Firebug's. I can't tell you how many times I've used the NET tab to debug communication problems.

As for FF extensions, I'd be willing to look, but I get around pretty well on the web as it is and I don't feel like I'm missing anything. The extensions are cool I'm sure, but I'd actually have to make an effort to download and install them. 7/14/2009 10:54 AM | noreply@blogger.com (Mark J. Miller)

# 

Interesting. I agree, that google hasn't proved yet that they have developed a "silver bullet" (to use the term from the article). But they say, "We urge caution against using any of Google's products if security is paramount," without addressing whether or not Chrome itself is secure. They never talked specifically about Chrome.

I didn't know anything about Google Gadgets before the article, but to read it I assumed gmalware was specific to Chrome. But Google Gadgets have nothing to do with Chrome other than they run on all web browsers.

So the article is making Chrome/Chrome OS sound like it will be unsecure when in reality the problem is that it doesn't matter which web browser you're using you're vulnerable to javascript malware.

I really think the article was poorly written, or at least it was a poor title, since it doesn't really question the security of what could Chrome OS be vulnerable to. Sounds like they just grabbed hold of the fact that Google claims you won't need anti-virus and decided to pound Google for it. But Macheads have been making the same claim for years and I don't see MSNBC jumping to save Mac users from themselves.

In the end, I think browsers could certainly use good anti-virus to help detect malicious scripts. Whether they implement it themselves or you need a 3rd party component doesn't matter to me. At the moment I use Avast! anti-virus which does a good job of catching evil scripts in web pages. But I think the browsers could do a better job of heuristics themselves since companies continue to ignore good security practices when developing their websites which leave us vulnerable regardless of our OS or web browser. I shiver when I think about all the poor coding practices out there allowing XSS and other similar problems which could be greatly reduced with minimal effort and a little self-discipline. 7/17/2009 7:43 AM | noreply@blogger.com (Mark J. Miller)

# 

I agree that the article was written poorly - however, I think the assumption, which they didn't document explicitly, though I don't think it is needed for those that know, is that Google Gears/Gadgets/whatever would be a key part of an OS based entirely on the idea of the browser being your main (only?) tool, and since those have been proven to have holes (regardless of the browser they are in) there is therefore a problem with the basic idea of a Chrome-based OS.

You said "Google Gadgets have nothing to do with Chrome other than they run on all web browsers," but that's just it - Chrome *is* a browser, and therefore susceptible to those problems, and if the OS features Chrome as the main means of interaction, there is immediately a potential problem.

Anyway, I wasn't touting the article as a Chrome-killer by any means, just thought it brought up some things to consider, notwithstanding the article being a good example of poorly-written copy. :) 7/17/2009 9:25 PM | noreply@blogger.com (JasonBunting)

# 

Yes, I agree - my problem isn't with the assertion that a browser based OS is insecure. I believe it is important to raise awareness. But rather my problem is with the implication that the browser software is the problem, when the actual problem is the World-Wide-Web and the technologies which make up the web platform. Because pointing the finger at Google Chrome and saying "not secure" is implying that if MS, Apple or Mozilla produced a browser based OS it would be secure. The article implies that Chrome itself is the problem, when that isn't the case. Chrome hasn't been cracked yet, and until it is (and it will be eventually) it is the most secure connection between your computer and the web.

Just to clarify (for anyone following this thread), my assertion to the secureness of Chrome is there are not attack vectors through Chrome which currently make me vulnerable to a worm, trojan or virus which can install itself anywhere onto my hard disk or into my executable memory. Which means any number of things but to list a few that concern me most: my computer cannot be hijacked as a bot on some bot network, it will not run any trojan to steal any personal information or keys from my local machine, and it will not get attacked by any worm to be used as an endpoint to infect any other machines.

Yes, I run on Windows, so there are other vectors thru which I can be vulnerable to any or all of the above mentioned attacks. But not through Chrome.

As for the attack vectors through the web such as Cross Site Scripting, Cross Domain Forgery, phishing, SQL Injection (not me directly but the sites I visit) and others I can't even protect myself entirely by disconnecting from the web and never using it again. Because in the case of SQL injection my information is out on servers on the web already and I am at the mercy of the security policies of all the websites I have visited in the past. For the others, I am still at their mercy because the web is only as secure as the web sites I visit - now is that the fault of the browser just because it is the vehicle thru which I use the web?

As for the first category of vulnerabilities, that is the responsibility of the browser to protect us (as well as for any other software written to be installed on my machine). The second category of vulnerabilities is the responsibility of web sites to protect. So I feel the article was flawed because it was blaming the second category of vulnerabilities on the web browser.

That said, if I ignore the second category of vulnerabilities I can only blame myself when I fall victim to any of them. People must be aware that just because Google says "you won't need anti-virus" doesn't mean they are safe from everything. Anti-virus on your machine can't protect you from the second category of vulnerabilities because much of that problem is beyond your control and in the hands of website publishers. 7/20/2009 9:15 AM | noreply@blogger.com (Mark J. Miller)


Copyright © Mark J. Miller