I'm enjoying this lively debate - views from both sides are interesting.
That is all.
You say you don't like 3rd party applications that have security issues. That is a good attitude to have. None of us like them. However, we also have demands on us for functionality. So, we install Java. We install Flash Player. We install iTunes for our iPads. If you eliminate 3rd party programs with security holes, you eliminate a heck of a lot of the purpose that computers have. If I did that, I'd be sacked for not allowing people to actually do their jobs - teach.
We mitigate the security issues by having security policies. We implement things like firewalls and anti-virus. We put ACLs in on our switches to prevent propagation of malware. We keep software as up to date as possible (which some companies make difficult by releasing updates on a nearly daily basis!) We also have backups to recover from problems if and when they occur.
I'd be careful if I were you, you are basically saying that Google are committing illegal acts with no evidence. That in itself is actually a crime in every country I know of.
Quote:
And you don't think that Google, with its huge server farms, and whose entire business is based on user data, is doing anything but what's in its terms and conditions?
I'm going to side with @CyberNerd here - you are engaging in a massive FUD campaign here, with basically no evidence to support your views.
You ignore the fact that the companies you are supporting (Microsoft, for example), engage in the exact same behaviour.
You also state that you have all external email providers blocked because someone might send something out. That doesn't stop people distributing your data. Do you also have all memory sticks blocked? Have you got all machines locked so no-one can install any software? Do you have security checks to prevent people bringing cameras in so they can't photograph things on screens? Can people not print? All of these things can do the exact same thing - your technical measure will do absolutely nothing to prevent what is a people problem. Going back to my security policy point - this is one we include in it. Rules that disallow data to be removed from the site in an unencrypted form etc, which is backed up with training and a disciplinary procedure to support it.
Hey everyone, let's all go around and uninstall antivirus and anti malware and any other security software on all our users' desktops, and while we're at it, let's take down the firewall as well. We'll worry about the damage after it's occurred...wait, that doesn't sound right.....
Your comments re: Chrome just continue to paint you as a fanboy....and I loathe fanboys
But then you're back to reactive again talking about backups in case it all goes horribly wrong....
So I'll say what I said a dozen messages ago or so, why install a product with a demonstrated and known high number of security issues in the first place? Wouldn't that be the best answer to both my proactive, and your reactive styles of admin?
I won't be changing my name and fleeing to a country with no extradition with the US anytime soon.
I'm glad to hear you at least have a policy to require data leaving the site to be encrypted. It's just a shame you're willing to open up the possibility of it leaking via insecure software, via the internet, which is a much more likely path in this day and age.
Really am over this thread. Whoever ventures in here and agrees with the title "Chrome will bring about the ICT revolution in schools" is entering a fool's paradise.
Vulnerability Reward Program and Mozilla's Bug Bounty Program could partly explain why their numbers are so high? People are more likely to report vulnerabilities (or sell them on the black market) if there is a cash incentive. Microsoft doesn't have an equivalent program.
Since this thread is mainly about devices that run Chrome OS, it's probably worth pointing out that Chrome OS had just 30 vulnerabilities during the same period (2011-2012).
Source: Secunia Vulnerability Review 2013
Quote:
The following table lists the programs in the Top-50 software portfolio together with the type of program (MS: Microsoft, TP: third-party), market share as of December 2012 and the number of vulnerabilities (CVEs) affecting the program in 2011 and 2012.
The ranking and market share is derived from anonymous scans of the Secunia PSI in December 2012. Note that the sum of the vulnerabilities in this table does not reflect the total number of vulnerabilities in the portfolio as many products share vulnerabilities.
For example Adobe Flash Player (#5), Adobe Reader (#8), and Adobe AIR (#20) share code components and thereby also share numerous vulnerabilities. For each program the unique number of CVEs of this given program in the given year is listed.
I assume that Chrome OS runs the Chrome browser...so that's 30 + 291 = 321
How does that refute my argument? One would think it only serves to strengthen it.
Again, as I posted earlier, for me it's about mitigating security vulnerabilities, and I argued that when you install software (Chrome) that has far far more vulnerabilities than the equivalent software already present in the OS, you're going against best security practice. To further push the point I offered to let people add up the underlying OS vulnerabilities along with the IE ones and suggest that it came close to the number in Chrome.
Honestly, I am truly leaving this thread and unsubscribing from the thread to stop the email updates for good as this is just like shooting fish in a barrel. People keep making my point for me.
That does depend on how they have implemented it, Chrome is Google's second attempt to make their own OS and running it without a virtualisation container has to make it more than a little of a mess, just like Java. All of these browsers are little mini Caesars trying to eat their hosts and become an OS in their own right, ChromeOS, Firefox for mobile. By trying to make a document format into a programming language they have attempted to switch the power base. It's funny because in their quest they have always gone with the universality of access and now there are all of these sites that 'only' work on Chrome or Firefox. They are worming their way in with the exact same practices that everyone got pissed at Windows for but surprisingly are all for this new order of the same thing perpetrated less efficiently by their favorite companies.
What you fail to take into account however, is the type of vulnerability. You are just looking at the numbers, which doesn't paint the whole picture.
As you can see from the stats below, the majority of Chrome vulnerabilities are classed as denial of service, whereas most of the vulnerabilities for Firefox, Internet Explorer and Opera are code execution. I would think the latter is worse, wouldn't you?
Interestingly, while Google resists state requests for information where unenforceable, and even pulled out of China to protect its users against government intrusion into private and personal information, Microsoft seems to be giving away personal information to governments when asked in most cases - and not just the US government, after all they want to sell Windows and Bing in Sudan, China, and other locations. This article says Microsoft provided personal information on 80% of government requests worldwide.
Microsoft discloses requests from law enforcement agencies worldwide - Business - The Boston Globe
The privacy issue is a current FUD push by Microsoft to try to stifle Google's rapid ascendancy in education.
Student Privacy Should Not Be for Sale - Microsoft on the Issues - Site Home - TechNet Blogs
However it is complete and total hypocrisy. Unlike Google which does not sell private, personal or other data onto others, that is exactly what the Gates Foundation is doing with student personal data it has collected - in partnership with Rupert Murdoch, that other paragon of virtue when it comes to privacy issues.
K-12 student database jazzes tech startups, spooks parents | Reuters
All of these companies are driven by profit and so they can be trusted... to do whatever makes them the most money in the long run. This includes breaking the law if the penalties are not steep enough to make it not worthwhile.
To be transparent we are looking at using 365 once it is upgraded to migrate a lot of our public calendars and SharePoint stuff for homework. Staff email and core documents are still staying local though in a coexistence role. The stuff that does not really matter will be clouded but stuff that really does will be staying where we can keep an eye on them and a stack of firewalls and intrusion detection gear in between them and the internet.
Personally and professionally I still would not trust Google as far as I can throw them, unimportant data or not.
I'm not going to go through that long post of nonsense that @stylemessiah posted, as it was nearly entirely pointless as it ignored a huge amount of info and focussed purely on perpetuating some idea that someone is a fanboy for using a piece of technology or not. Instead I'll focus on a few points.
Chrome offers a better experience on the Web. It has better standards compliance, better performance, better stability, better resource usage, a better UI etc... So there's your reason to use it.
The idea that security is either a proactive or reactive thing is nonsense - it is both. But eliminating products purely because you see numbers of security holes as being a massive problem is idiotic to say the least. What's that old saying 'lies, damn lies and statistics'. A lack of vulnerability reports for Internet Explorer does not mean they aren't there. As someone has mentioned, look at the vulnerability types too. Also, have a look at zero day exploits and their frequency in Windows + IE and compare with Chrome or Chrome OS. The prior has a *lot* more. Also take into consideration that Microsoft have a policy of not reporting about vulnerabilities unless they are releasing a patch to fix them. Chrome and others announce vulnerabilities before patching. So, how many are MS sitting on while they fix? Lack of statistics is not proof of their non-existence.
No, I'm not a fanboy - I'm doing my job. My job is to provide a network with which teachers can do their job easily and effectively. That job is teaching. If I remove Java, they lose access to a number of pieces of software which they use to teach with. If I remove Flash, we lose access to masses of sites. If I remove Chrome, they end up with a lower quality experience of the web. If I spend my entire time focussing on security, rather than balancing security against practicality, then I will be sacked, plain and simple. My employer wants a facilitator, not an obstacle.
I don't know what kind of world you live in where everything is logged if it is printed, but our MIS systems in the UK don't do that. We don't block USB sticks, we don't prevent staff from installing software on their computers either. Again, this is a balancing act of security vs functionality. Locking things down would definitely increase security, but it would also mean the school would need to hire more IT staff to be checking software that teachers want/need to teach with. It'd mean staff not being able to take their laptops home and use their home internet or printers. It'd be obstructing them in their execution of their jobs. It just isn't going to happen. A massive number of schools operate in this way.
I'm going to go out of my way here and judge that you have a different job to many of us - your job appears to be one of technical control only. One of ensuring PCs turn on, and that data is secure according to a predefined definition of secure. My job is to facilitate teaching and learning through technology.
Microsoft claims that the Aurora malware attacks against Google, for example, would have been prevented by EMET, even though the flaw exploited in those attacks was not patched at the time. (Source)
The data suggests that system administrators can significantly reduce their attack surface now by upgrading to the latest versions of their operating system and application software or by deploying EMET, or both. (Source)
EMET is a tool designed by the Microsoft team to specifically look for those mitigation techniques used such as a heap-spray and ROP to bypass popular mechanisms such as Address Space Randomization Layout (ASLR) or Data Execution Prevention (DEP). Firing up the tool, we choose to enable different exploit protection mechanisms such as enforcing hardware-based DEP, ensuring Safe Structure Handling, Detecting Heap-Sprays, … In this case, we are going to protect the Internet Explorer 8 web browser attacked in CVE-2012-4792.
Repeating the exploit with EMET 3.5 running, we see an interesting notification before Internet Explorer gracefully terminates. EMET detects the heap-spray and terminates. (Source)
Chrome is similar, but the difference is that it offers Native Client (which will become Portable Native Client this summer) for running C, C++, and C# code compiled into machine code locally. Unlike Native Client or Netscape Plug-ins which is just a way of running local apps in Netscape, the Portable Native Client technology is open and fully portable between any device regardless of CPU architecture, which is important for unifying the PC and non PC clients. The CPU independence will potentially make it a W3C standard candidate, unlike Netscape plug-ins but there is a lot of resistance to additions to the HTML standards by vested interests who keep blocking them, which is why video and audio standardization in HTML5 took so long. It is likely that Portable Native client will be a similar case with regard to HTML5 adoption for the same reason. Nevertheless with the addition of PNaCl and Google's spec for packaged offline apps, Chrome browser is a full OS in itself, capable of doing anything and everything that Windows can do.
The big difference between Chrome and Netscape browsers is that where Netscape's plug-in environment was an OS in a browser which allowed local apps to be run on any OS supported by Netscape browsers, Chrome allows those apps to be fully portable via the cloud, and between different CPU architectures - even in the case of locally running code or offline apps. Where local data or code is required to be stored on the local device, it is stored in the cloud and cached locally, so that it is portable across the cloud.
HTML5 is another big difference. Your comment about a document format was true of earlier versions of HTML, but not for HTML5 which is an asynchronous display format, not a static document format. It works exactly like your Windows desktop windowing environment, where individual elements in a window can be updated and can generate keyboard and mouse events, just like on Windows apps. Again, an HTML5 window can do anything and everything a Windows application can do and just as efficiently. The main difference is that Chrome web apps sync everything to the cloud automatically and only cache locally. It is not like the old HTML markup language at all where you have to refresh the whole page to update any changed part of it. Basically HTML5 is like a universal, standardised windowing system that runs on every device conceivable. It will lead to a very rapid proliferation of web apps once it is formally ratified in 2014, although most of the pieces are in place now.
I agree with you about not being able to protect against the host OS's vulnerabilities, which is why it is probably better to use a Chromebook to run Chrome on, and if you need Windows at all, to virtualise it on a Windows terminal server and access it via a Chromebook. Indeed if you want the highest level of security with Windows desktop use, that is achieved by putting Windows on a Terminal server, blocking off all access to it other than https via Ericom Access Now, and not allowing download of files from it other than in a tightly restricted manner. Once files are downloaded to a PC or laptop, it is very difficult to secure them. Not allowing it off your server and requiring users to log in and use the https interface to run apps and other desktop tasks on the secure server, and using a secure web client like a Chromebook which doesn't store data locally (except encrypted local temporary caches if not disabled), is the most secure way to do Windows computing.