Speed, simplicity and security are the key aspects of Google Chrome OS. We’re designing the OS to be fast and lightweight, to start-up and get you onto the web in a few seconds. The user interface is minimal to stay out of your way, and most of the user experience takes place on the web. And as we did for the Google Chrome browser, we are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don’t have to deal with viruses, malware and security updates. It should just work.

It’s an interesting and somewhat bold statement.

Trusting The Grid

I’m personally not into pushing computing too much onto the web, and suspect that while general consumers don’t mind it, most who work in technology, share my distrust. The internet is rather resilient, but it’s hardly flawless. Very few ISP’s guarantee uptime for anyone but corporate customers who pay dearly for that guarantee. Sure offline support is on the way thanks to HTML5 and Google Gears, but it’s not a true substitute for local data and applications as online applications generally feel crippled when they are offline.

Cloud Computing is also at its infancy and not showing the uptime most expect. Even Google can’t seem to keep Gmail up enough to keep complaints to a minimum. If anyone has the capacity to do so it’s them. I think that’s more a sign of the state of technology than a reflection of Google. Some may note search has higher reliability, but search is a different beast. Search is a lookup against generic data. You can bounce users to different clusters with nobody knowing anything. Gmail replicates your data in multiple places, but not every server in every data center they own. That’s why most outages effect a percentage of users.

I’m even more skeptical of the security of online applications. Besides the obvious question of who can access your data on any given website, do they even need to notify you of a breach? Are warrants needed for law enforcement to browse around? Who really owns it? What happens if the website’s operator goes out of business, are they required to give you a chance to get your data out? Can they sell it to someone else? There doesn’t seem to be any real consensus as most countries laws don’t really account for digital property and electronic privacy. We’re still years away from knowing how rights in the physical world extend into the digital age, if at all.

As I’ve discussed before that controlling your own data is still important.

Security

Regarding the claims of minimizing security risks. One thing folks like Bruce Schneier (Wikipedia bio) keep saying like a broken record is that attacks will always improve, and there is no such thing as perfect security. I know I’m the minority for believing the pro’s rather than the marketing. Just take a look at the work of Marc Weber Tobias if you believe security can be perfect (long article + videos, but well worth it).

Sure desktops are prone to viruses, malware, etc. However you can drastically reduce your risk by simply running an AntiVirus and using a modern browser. You can further reduce your risk by keeping backups which are dead simple to do with modern OS’s or with one of the many backup utilities out there. If you have a Mac with 10.5 you already have Time Machine, just need to plug-in an external hard drive. Despite scary stories, there are actually pretty few instances of data being stolen from a personal computer by someone who didn’t have direct access to it (such as an ex, or a coworker).

Previous attempts

This isn’t a new concept. Most recently Palm’s webOS is based on essentially the same concept, except webOS is targeting handhelds. In fact webOS runs WebKit as well. Don’t be surprised if Palm tries to retool webOS a little bit and bring back the Palm Foleo idea. I should note webOS seems to be well liked by users.

Some will also note that before Apple released its native SDK it was trying to do the same thing with the iPhone, though Apple never quite integrated WebKit’s UI into the OS instead preferring to just launch Safari.

There’s also the CrunchPad an interesting but yet to be released product Michael Arrington is behind.

There have also been several attempts at running a browser-based desktop environment, which effectively turns your computer and browser into a terminal. This concept never really caught on due to performance and limitations in what the technology could do.

Android

Even Google acknowledges that this overlaps on Android a little bit. Personally I think this is a little bit of a blow to Android. If I can use web technologies and target desktops, Netbooks and all modern smart phones, why would I really want to bother with Android’s sandboxed environment? If it’s good enough for a Netbook experience, I would suspect it’s good enough for a phone experience, which has always been even more scaled down. This doesn’t make Android irrelevant, but it means anything that runs on Android will likely run on Palm’s webOS or Apple’s iPhone OS.

The perks

There are some perks to Google’s Chrome OS regardless of its actual success in the market. First of all anything that drives innovation (as this will) is a win. Secondly Google’s announcement now is because it needs to start working in a more public way with the open source community. Even if Chrome OS goes nowhere, the benefits of Google’s engineers contributing enhancements and fixes to open source projects will live on.

Lastly, Google Chrome OS is putting a lot of faith in HTML5, and that’s seemingly good for everyone who wants to see the internet evolve and mature.

Conclusion

I’m skeptical of putting everything in the cloud. Security breaches are inevitable and building larger honeypots just makes it more tempting. While Google is a reputable and stable company, there are companies out there who don’t really care about safeguarding data and may disappear tomorrow without any notice taking your data with it. This is why I still prefer to control my own data. That requires a little more than what this OS is likely going to deliver.

That said, I’m hopeful that the Google’s push to make the web the ultimate SDK will pay off and benefit everyone. Google’s contributions to open source will also benefit everyone using it directly or indirectly.

I suspect it will have a tough time competing, especially if Apple releases a Netbook or Tablet utilizing what they’ve learned from the MacBook Air and iPhone. Apple is rumored to have a tablet in the works, though that rumor has surfaced several times over the past 8 or 9 years.

1. Use SSL When Available – Many sites offer SSL interfaces to make them more secure. Sometimes it’s used by default, sometimes it’s not. You can often test yourself by just changing the http:// in the url to https:. For example, you can do this for virtually all Google services including, Google Docs, Gmail, Google Calendar, etc. For Gmail there’s even an option to force SSL. If you still haven’t enabled this, do so now. Many non-Google products offer this too, for example Meebo.
2. Be Cautious Of Open Networks – Just because you see a WiFi hotspot doesn’t mean it’s safe. It’s trivial for someone to sit in a coffee shop with a laptop and pretend to be free internet access. Once someone connects they can essentially snoop on all that persons traffic. Connect only to networks you know and only use services over a VPN or HTTPS so that your traffic isn’t in plain text. To be extra cautious limit the amount of high risk activities you do on these networks (do your banking from home).
3. Don’t Connect To The Internet Directly – Even if you have only one computer, it’s still advisable to have an access point between you and your internet connection. Virtually all access points today provide decent firewall protection that will shield you from any of the horrors that exist on the internet. Any NAT device will provide a degree of protection (though NAT isn’t a firewall replacement). Access points can often be found for under $50 making this a very sound investment. Yes there are software firewalls, but they have downsides. The minimum is a hardware device between your computer and your broadband modem
4. Use Encryption For Your Home WiFi – If you have a home wireless network, make sure you have encryption enabled and use it. Ideally you should be using WPA2/AES since it’s the most secure at this point, though anything is better than nothing. While sites you browse over HTTPS are encrypted, you still want the entire tunnel encrypted. This does hurt performance slightly but most modern hardware (even the cheap stuff) is more than capable of handling this. Odds are you run an 802.11g network and your wireless is way faster than your broadband anyway. If you don’t have this enabled or don’t know how, check the manual, the manufacturer’s website or call tech support for help. You should be doing this.
5. Don’t Trust IM or Email For Confidential Information – IM and Email aren’t very secure mechanisms for sending information. They should never be trusted for things like sending credit cards, social security numbers, medical information, etc. If you ever see a merchant using IM to process a credit card (so they only need 1 terminal rather than one per location), pay cash or walk away. Sadly it happens. It’s perfectly fine for chatting with your friends, but not good for secure information. It’s possible to encrypt email with PGP or GPG, and IM’s with OTR or an encryption certificate but they require both parties to utilize them and are somewhat technical in nature and therefore few actually use them.
6. Only Download From Trusted Sources – Download only from trusted places. Download software only from the developer’s website, not just any place that has it. Look for software at places like Tucows, FileForum, download.com (operated by my employer) and other well trusted download locations. There’s a lot of hoax sites out there trying to distribute malware (malicious software). Also be suspicious of anyone offering commercial software for free.
7. Keep your AntiVirus Up To Date – Just installing AntiVirus software isn’t enough. The program is useless unless you keep the virus definitions (the files which tell the software what is a virus and what isn’t) up to date. All modern AntiVirus software does this automatically for the duration of the subscription. When your subscription expires either upgrade to a new version or renew the subscription. There are enough free AntiVirus solutions out there for Windows to make it inexcusable to not have protection. For paid AntiVirus, Norton AntiVirus 2009 is pretty good (I use it and reviewed it myself). So is Kaspersky. Avast and AVG would be my personal recommendations for free.
8. Use AntiSpyware – AntiVirus products go a long way, but you’re much better off if you use an AntiSpyware product as well. Many of them are free downloads, just make sure you get them from reputable places. I’d recommend Spybot S&D, AdAware and Windows Defender. Make sure to run the updater within the product at least once a week, and scan on occasion (weekly, biweekly, whatever). Mac users don’t really need to do anything here as Spyware isn’t much of an issue thus far.
9. Be Aware Of Phishing – Never open links in email unless you’re sure of its origin. If your bank wants you to login and do something, visit the banks website by going to the site yourself rather than clicking on a suspicious link. No business will ask you to verify your password. Microsoft has some more tips.
10. Use A Secure Browser – Firefox 3, IE 7+, Safari 3.2 all offer Phishing protection. This isn’t perfect (nothing really is), but it can greatly reduce your chances of being a victim of a phishing attack. Enough browsers support protection that you shouldn’t be browsing without it. Firefox 3 also includes malware protection. I have a Firefox bias though that doesn’t mean you can ignore this. Use a modern browser with phishing protection.
11. Secure Your Computer – If you have a laptop you should have a password when logging in. If you don’t, correct this. It’s easy to do on Windows or Mac OS X. This will at least stop dumb thieves, which are fairly numerous. Even if your laptop never leaves your home this is still a good idea. It’s not impossible for the cable guy, phone guy, refrigerator repair man, etc. to try and steal something like a laptop. This is such a small step that can save you some trouble later on.
12. Secure Your Cell Phone – It’s not going overboard to secure your cell phone. If you’re like a growing number of people, your cell phone is a much more complicated device than it was just a few years ago. It can contain a lot of data including phone numbers, your calendar, photos, browsing history, email, even financial data. Just this week someone sued because they lost their cell phone, which happened to contain nude pictures that they claim were leaked online. Most phones include the ability to add some form of a password or passcode. The iPhone even has an option to wipe data after a certain number of unsuccessful attempts. Securing this compact hard drive isn’t a bad idea.
13. Don’t Put Things Online You May Regret – People who do this admittedly deserve what they get. Posting information regarding your personal lows may work out to your advantage in the future. Already 1 in 10 college admissions officers check social networking profiles according to Kaplan. When I graduated college in 2006 I could tell who actually looked at my job application by looking at the log files for this blog. All but one or two potential employers went to Google to screen me. In more than one case I actually used tail -f and watched them (live!) browsing this blog from their corporate network while they screened me over the phone. Only one actually brought it up in an interview (and he said he was impressed by depth of my technical posts). That was way back in 2006. Employers and colleges are much more savvy now. I get emails from headhunters constantly because of this blog. Because of this I know it’s not scaremongering. People out there really do use the Internet to screen strangers. This is standard practice, especially if you’re under 30 (and more likely to have some digital trace online) or if you apply for a tech/internet job.
14. Backup – Backing up is important. Get an external hard drive and backup all data you care about on a routine basis. I’d suggest at least once a week. I’d also suggest having some sort of off-site backup for things you wouldn’t want to loose in the event of a fire or natural disaster (email, financial records, etc.). You could use online services like Amazon’s S3, though make sure to use encryption, or the offline method of saving them to a disk and putting that disk either at a parents home, safe deposit box, etc. Just make sure that disk is either encrypted or in a secure location where it won’t fall into the wrong hands. A fireproof safe is another way to go though you’ll want to make sure you use a UL Class 125 safe rated for at least 1hr. They can withstand fire and keep the internal climate at no more than 125°F and 80% humidity, suitable for magnetic media. If it’s not UL tested make sure it’s suitable for the media you are trying to store for at least 1hr, preferably more.

I think many who has spent some time on the project found that recent TechCrunch post was more an effort to scaremonger and generate buzz, than anything else. I guess one could argue “there’s no such thing as bad publicity”. Just my personal $0.02.

I’ll put a few noteworthy chunks of that thread in this blog post for those who don’t have too much time to read, and leave anyone interested to read the entire thread. All of this has been published out in the open on dev.planning today.

From Mitchell Baker, Chairman of the Mozilla Foundation:

…
Some people have jumped to the conclusion that this means Mozilla would adulterate our core values and the primacy of user control. They assert, or assume, or worry that thinking about data means somehow that Mozilla will simply join the existing model of gathering and commercializing personal data.

This is us not the case.
…

From Mike Beltzner, “phenomenologist” (I’m pretty sure he made up his own title, but he can get away with that):

…
- no, there is no secret data project.
- no, there is no secret plan to snoop or collect user data
- no, we are not already secretly collecting data
- yes, we are trying to figure out how we can accumulate better data about how users are using their browsers, and what they’re trying to accomplish; as with everything we do, this starts with public discussion to make sure we do it right in terms of respecting user privacy and our own community ideals – that’s what Lilly was saying.
- yes, any such program would be opt-in, not opt-out
…

Mozilla Corporation CEO John Lilly blogged about the topic recently as well.

Considering the past efforts to keep user data private, you’d have to wonder when your talking about one of the only websites on the internet to hold public discussions before using Omniture for analytics. (I should mention there’s an opt-out page for that). Not to mention a rather lengthy post from Mitchell about the topic.

So go ahead and download Firefox 3.0 and future releases knowing that nobody really cares if you like to watch videos of gorilla’s doing it. Err… did I say that?

If any data collection is done on users browsing the web. I propose it be done like this, so at least it’s comical to use for research purposes.