I warn you right now my tone might be harsher than I’d prefer here. I tried to tone it down (even waiting several hours after writing this to post it) but the whole thing really annoyed me. So I apologize in advance for the incivility.
That said this Forbes article is misleading or just plain wrong in just about every paragraph. Here are a few examples of what I mean…
Chromebooks are built to run nothing but a browser–unless they’re jailbroken, no executable files can be installed, neither antivirus software, nor the malicious software it’s meant to protect against. And if that web-only strategy catches on–still a big if, admittedly–it could spell real trouble for the antivirus companies like McAfee, Symantec, Kaspersky and Trend Micro.
This really isn’t true. There’s a whole SDK dedicated to writing native applications. I think Google has done everything they can to secure those apps with their double sandbox design. But to say “no executable files can be installed” is inaccurate.
Charlie Miller, a researcher for Independent Security Evaluators who has made a career out of disproving Apple’s security claims, has owned a Chromebook since February, when the machines were sent as freebies to winners of the Pwn2Own hacking competition in Vancouver. He hasn’t dug deeply into the device’s security, but he says the Web-only security model works in theory. While a hacker might exploit bugs in the Chrome browser to run code on a user’s machine, that exploit would only allow the attacker for a single session, and would disappear the moment the browser closed. “The way you stay persistent [as a hacker] is by installing software,” says Miller. “This is designed not to allow any persistence. You turn it off and on and you’re good to go.”
This is Stage One thinking at its worst. Yes, a hacker could only gain access to the Chromebook for one session. But the whole point of “hacking” (as defined in this context) is to access or cause damage to the user’s data. So gaining access to the Chromebook for more than one session is irrelevant. A virus targeting a Chromebook would be looking to harvest credentials from the user and then access their files off Google’s cloud.
So, in theory, all a malignant program would have to do is redirect the browser to a page that makes it appear the user has been logged out. The user enters their credentials and the harvesting program can do whatever damage it wants to the files in the cloud. In that way it actually presents more of a security threat because you can’t stop it by turning off your own computer (as you could with a traditional virus).
The Chromebook contributes to that larger post-PC problem McAfee and its ilk, [Perimeter E-Security’s Andrew Jaquith] argues. Jaquith points to data from Gartner Research that predicts sales of 1.4 billion post-PC devices (a category that he construes as including the Chromebook) by 2015 compared with 540 million traditional PCs. “Very few of these will need AV. That’s terrible news for security vendors because three-quarters of the market for their traditional products is about to go away,” says Jaquith. “That’s what happens when you build security in, instead of relying on the market to bolt it on. It’s great for customers, and terrible for the security aftermarket.”
Two things here. First the article quotes a security person whose company is shifting their focus to these post PC Devices (see here). That’s smart of his company but it gives him a bias. Because his company directly competes with McAfee and their focus on post-PC devices is a strategic advantage. So drawing focus to them makes his company look better over their competitors.
(I’ve already posted on how Analysts are almost always wrong with these types of numbers so I’ll just direct you to that post in regards to the Gartner claim)
The second thing is the claim that post-PC devices won’t require any security software. That really isn’t provable. Apple has had few to no security breaches because they lock down things so extensively. But we don’t know how many Android breaches are out there because people can side-load applications. Meaning there might be programs compromising Android phones right now that Google isn’t aware of. Google has had security breaches in its own Marketplace so I think it’s safe to assume there are malignant side-loaded apps out there.
In the end we really don’t know what the need for Anti Virus software will be in a post-PC era (not that we are anywhere close to being in a post-PC era). Which is why this article annoyed me so much. It is far too early to be writing off security for these post-PC devices. Telling people they “shouldn’t worry about it” is downright irresponsible and could be disastrous in the future.