I agree completely. I feel the trend of excessive "security" and hiding things from the user "because it will confuse them", removing options because they "might cause irritation", "could be insecure if misused", etc. has gone too far. Modern devices are so locked-down and "polished" to the point that it makes it much harder for users to discover how they work, should they choose to, and takes away a lot of the incentive of doing so.
Contrast this with the early days of UNIX where every system came with its source code, plus compiler and assembler, so it was very easy for users to become developers. Even DOS and 32-bit versions of Windows came with (not sure if they removed it now, but it's there in XP at least) a rather primitive but still "empowering" debugger, DEBUG, where you could write short programs in assembly language. I remember PC magazines came with listings of these programs --- they weren't particularly complex, (usually a few hundred bytes at most), but they did something useful and also make way for the more inquisitive users (like me) to wonder what all the instructions actually do, and what happens if you change them, and that's what can really motivate people from becoming just users to learning about programming and how computers work.
Now, you have to be really motivated to jump through all the hoops in place to make it much harder for anyone to just write some short and useful piece of code and share it in a form that everyone else can use. Even browsers are becoming like this. It's sad that the IMHO bureaucratic measures like code signing, overly protective OS policies, and near-paranoid antivirus/security software just get in the way of this process. They say it's all "for your protection", but if you think about it, one of the most secure places to live is in a prison. Is that really what society should be heading towards?
"Freedom is not worth having if it does not include the freedom to make mistakes."
Heading towards - we are already there. The majority of devices sold on the market last year are locked and rootless. Only the PC is still holding the line but giving slowly.
Smartphones, Consoles, Smart TVs, Tablets - locked by default.
Google, Apple and MS, sure, but that's just Linux's gain.
Yes, the "Year Of The Linux Desktop" joke is as funny as ever, but I definitely foresee a split in computing into passive consumers with no idea how things work and hackers who need full access to the things they own and want to experiment, learn and create.
I'm not sure Apple and Microsoft fit that bill yet. They divide their empires into three separate concerns: walled garden consumer devices (phones, tablets), open enterprise/desktop and media. It's pretty easy to get into the internals of OSX and Windows still. In fact it's been made easier over the years.
I can still push apps to our customers on Windows and Mac desktops like I could in 1993.
Google on the other hand are pushing for everything being behind a web portal under strict control. All devices they promote ship apps which integrate with that ecosystem as lightweight app front ends and nothing else. Doing stuff whilst not connected to google is becoming increasingly difficult. The rate of change is also pretty extreme meaning that you have to work damn hard to keep up with things.
Linux (and FreeBSD possibly!) will never hit the desktop hard but we're not short of learning solutions whilst I can type csc at any windows command prompt and python at any OSX terminal and get somewhere. ChromeOS - not such a good picture.
> I can still push apps to our customers on Windows and Mac desktops like I could in 1993.
Well, on OS X, you'd better have a $99/year developer program account or you cannot sign software. For most users it's a hassle to either disable Gatekeeper or to discover Ctrl/right-click to circumvent it.
Of course, signing software is good. But I'd rather like to accept/verify a key on a vendor-basis and have that used to validate updates. E.g. APT with GPG signing does this pretty well and makes installing signed software via e.g. Ubuntu's PPAs pretty nice.
> Linux (and FreeBSD possibly!) will never hit the desktop hard
I agree. And this is why it is important that organisations such as Mozilla and CyanogenMod exist and are well-funded. As long as they keep up with their counterparts, people and vendors will have a choice.
The signing missing isn't a major effort. You can turn it off easily with spctl via ssh or allow an app for example. Same with windows domains if you have configured a root CA for your organisation. Even metro apps can be side loaded/self signed on Windows enterprise edition.
> I can still push apps to our customers on Windows and Mac desktops like I could in 1993.
That's true for now, but the trend is clear - OS X doesn't want to open apps downloaded from the Internet without the binary being signed by a registered developer. You can work around that, but I had to Google it (and I was trying to install YourKit Profiler - an otherwise very legit app from a well known and respected company). Microsoft only allows apps installed from their store on Windows RT. We are not talking about Windows Phone btw - Windows RT is Windows for ARM devices. Windows 8 has the same policy as OS X, both moved to the app store model, both now give warnings when installing from third-party sources.
BTW, Android is allowing app installs from third party sources. It always did. Not sure how long will that last, but iOS and Windows Phone 7 are completely locked down in that regard.
It's about time we stop thinking of these companies as being our friends. They aren't. They are partners at most and the free market doesn't work well if customers aren't prepared to vote with their wallet.
That's just logical. Windows uses loose code signing. SmartScreen is the same sort of thing but you have to buy a more expensive code signing cert from VeriSign etc. You can self sign or run a CA on windows domains, even for metro apps on enterprise edition (and RT).
OSX is easy enough to control via spctl as well. You can use this or pay $99. Several things I downloaded, including Logic Pro from Apple didn't come with a certificate. It's not a big deal.
Most of what you say is paranoia. Signing is overall a damn good thing.
Android is. If you flick a switch. Same with OSX and Windows. WP even allows you to install unsigned apps if you register it as a dev handset. Same with iOS.
This is mainly about protecting both the end user from malware and protecting the app sellers' revenue stream.
ChromeOS is a browser based OS, so I would guess you could use JavaScript to do a lot of things you would do in C# or Python on your old PCs.
Also, ChromeOS has a developer mode and you can always install a chroot Linux along side ChromeOS. In essence you can do pretty much everything if you are a programmer and you spend a few minutes searching online.
For the average user (read non programmer), less options is always better.
Well, most chromebooks are hackable to the point of installing a full Linux system on them to replace Chrome OS, at which point they just become a cheap laptop with a convoluted initial OS install process.
I'm ok with this as long as there is always an alternative to retreat to if we need to. Even if it means throwing all my consumer electronics in the street.
The real analogy is that we're taking away pencils because writing in the wrong book can cause you to lose all your money and cause months of problems. And these books are disguised as your own diary, cookbooks, maps and the TV guide.
No, it's like taking away books because you can give yourself a papercut, or pencils because you can stab yourself with one - if you use common sense, you won't.
As someone who has worked in the mobile pc support industry, what HN users would call "common sense" isn't really that common. I don't think developers and power users truly understand how common the huge gap is between them and non-technical users. I've given sessions on things as simple as mouse movement and basic GUI file management with drag and drop is a challenge.
Don't get me wrong, I absolutely do not support "walled gardens" that are now becoming common and I don't think they are the solution to this problem. Power should always be left in the hands of the user, the solution is education. This is of course a social issue and one of gigantic scale. There are so many strong political hurdles to overcome that I'm not surprised that the industry has taken the approach it currently has.
> Power should always be left in the hands of the user, the solution is education.
100% agreement. Of course, in some ways the industry doesn't want users to be educated, since then they would be hard to get to be under their control.
Not sure if everyone is reading the entire article. Here are two relevant points.
> we’re enforcing the following changes starting in Chrome 33 Beta and stable channels for Windows
> Users can only install extensions hosted in the Chrome Web store, except for installs via enterprise policy or developer mode
This only affects Windows. Users who want to install extensions can still do so but the process has been made a little bit more explicit (i.e. do it via developer mode).
It sounds like this step was done to protect naive users who are not aware they are downloading malicious extensions.
> Why couldn’t this problem be solved by having a setting/option to load extensions that are not hosted in the Chrome Web Store? Unlike modern mobile operating systems, Windows does not sandbox applications. Hence we wouldn’t be able to differentiate between a user opting in to this setting versus a malicious native app overriding the user’s setting.
Sounds a bit BS to me. In what reasonable threat model the attacker can run arbitrary code on the user's system, but will need a Chrome extension to do nasty things? The attacker could just replace the Chrome binary altogether, for instance.
I understand that there can be conceivable security benefits as a result of this change, but I think the real motivation is control, not security.
Because it is BS. The drag and drop "security feature" for external extensions was more than enough to protect against the vast majority of "evil extensions" (which I believe was a small amount to begin with, and Google never even bothered to show us any numbers behind these "scary external extensions that are totally going to destroy the world if we don't do this", before they even implemented the drag and drop restriction).
Watch for their next step - getting rid of all Adblockers in the store. This has nothing to do with security, or rather very little to do with it. The real agenda is something entirely different (not letting the user to install whatever extensions he wants: Adblock, TPB unblockers, Hulu/Netflix unblockers, Youtube downloaders, and so on). MPAA didn't get on W3C's board for nothing, after all.
I've warned before this would happen, when MPAA joined the W3C. They're going to demand more features be removed from the browsers that they think "facilitate piracy", and Google is totally going to go along with it, because many of the requests benefit them, too, especially if they get something in return from that from the big studios and so on. Some just benefit them directly (removing Adblock).
W3C doesn't dictate what features browsers have or do not have, they're concerned with web standards. The MPAA joined to make sure DRM showed up in HTML5, not to tell Google to take out ad blockers.
If Google removes ad blockers it will be because Google's revenue is based on ads, not because the MPAA or the W3C told them to.
This is defense-in-depth. Sometimes, the goal is to get a chrome extension installed. (One that, for example, creates pop-up advertisements at random intervals to generate grey-market PPM revenue for the extension author.) Windows (and it's inevitably Windows) knows enough to realize "hey, this Chrome isn't the Chrome that was here yesterday." Signed binaries and SmartScreen work together well enough that even when Chrome is installed to a user-writable directory, it'll get punted if a virus actually changes it.
But if a virus can get a perfectly valid program, with every reason to already be on the system, to do something that program already has permission to do... then it can circumvent the OS's strictures against running novel-and-unknown scripts and binaries.
Yeah, I'm sure you can construct very specific scenarios in which it would be a roadbump; I don't deny that (in your scenario, for example, you can just replace Chrome with the latest dev channel binary instead of a random patched binary.) I remain unconvinced about it as a "reasonable" threat model. Having native app access is a much greater security risk in and of itself. I wouldn't begin to worry about invalid browser extensions if I knew I have a rogue binary running.
I think it is obvious what their real motivation is.
> Windows (and it's inevitably Windows) knows enough to realize "hey, this Chrome isn't the Chrome that was here yesterday." Signed binaries and SmartScreen work together well enough that even when Chrome is installed to a user-writable directory, it'll get punted if a virus actually changes it.
What if the virus just installs the binary somewhere else, then updates the shortcut? There are hundreds of possible ways, it just seems futile to plug a particular leak.
One of the main selling points of Chrome apps was a belief that they are safer than native apps. But on a lot of computers now the vast majority of sensitive information is held in browser sessions, not in the My Documents folder. Running code in a sand-boxed browser session with full permissions could be far more profitable for an attacker than running arbitrary code on the OS. The only way to maintain security is to control access to the particular ecosystem within which data exists (in the way Facebook does). At the moment Google are trying to control an ecosystem that includes everything the user does, which is impossible to secure in its entirety.
It's a lot more of a hassle, though, to ask users to keep an extracted directory sitting around which Chrome basically symbolically links to, than to just download a .crx, drop it on the extensions window, and then delete that .crx.
Even I still get confused sometimes, as a chrome-app developer, when I move a project folder and Chrome suddenly can't find my extension. It goes against how we think of "deploying to test" in any other development workflow.
You don't necessarily have to be a Chrome extension to do that if you can run a native app. You could read Chrome address space as a debugger, for instance.
There are extensions that are legitimate but can't be installed from Google's Play store because it breaks policy. For example YouTube options (https://spoi.com/software/yto/), or the LastPass binary extension (might be wrong on that one).
Thanks to the toolbar-installing software on windows it gives a legitimate reason to Google to close the system down a bit more.
I'm not saying it's great news, but I really can see where they're coming from for this.
Note that they're only doing this for Windows. As someone who occasionally is roped in to providing tech support for a sibling who keeps installing malware - someone who is going to fall for those repackaged versions of VLC, or one of those 'your computer has viruses, click here to install Super Security 3000' or whatever* - I can tell you that malware for Chrome along the lines of browser toolbars and ad injectors are real and out there in the wild and being installed automatically by these kinds of things.
The computer has Norton Internet Security, of course. Which does sweet FA as far as I can tell.
If you want to keep any extensions that you didn't install from Web Store, use the dev channel[1] of Chrome and they will work just fine. I use an extension and they warned me one month back to either install their Web Store version with fewer functionality or move to dev channel.
Why don't they simply give me a config flag to change the behaviour? I understand what they are trying to do but it annoys me to have to use non-stable releases just so that I can use a couple of useful extensions not available from the store.
Didn't you get the memo? Choice and customisability is decadent and goes against the wishes of Big Google. Why would you even need to customise a telesc^H^H^H^H^H^H Chrome Install anyway? Big Google knows best.
I'm curious. Which useful extensions are you talking about and why are they not listed in webstore? The one extension that I mentioned has two versions. The non-webstore version doesn't abide to Google's T&C [lets you download Youtube videos].
Some devs don't bother to put their extensions in the store, for instance this extension to play music files embedded in image files on 4chan: http://dnsev.github.io/4cs/
Nothing that OllyDBG and a free weekend cannot fix ;)
When/If this affects me, it will be an entertaining challenge to create a crack which disables the "allowed to install?" instruction. Seems quite simple.
Yep, this is the last straw for me. The final drop of water that overflowed the cup.
I'm switching back to Firefox and will make a conscious decision to start deleting all my Google data. The tin foil conspiracy theorists were right all along it seems, I'll do my best to support companies that fight for my privacy and are open source.
Firefox, I'm sorry I ever left you - happy to be back.
You'll be back man. Trust me. I've tried numerous times to go back to FF, but you enjoy the speed + ridiculous amount of available popular snooping extensions more than anything.
I know you're in a different state of mind atm, but you will be back to Chrome within a couple weeks.
I switched back to Firefox because Chrome started feeling slow, and Firefox feels now as fast as Chrome used to. Plus in Firefox I get to use extensions (I know there are some for Chrome, but I could never find ones as good as the ones I've always used on Firefox, for example, It's All Text or pentadactyl). I bet at some point in the future Chrome might get faster than Firefox again, if so, maybe I'll switch back. If you tried Firefox recently and think Chrome is faster, then keep using it, but if you have an old impression of Firefox, give it a shot again.
Coming back to Firefox from Chromium was a wonderful experience for me. The majority of extensions I used on Chromium were inferior to their Firefox counterparts, due largely to limitations of the extension API. Aside from that, load speeds are fine, the devtools are phenomenal, and everything is great. I actually enjoy using my browser.
At some point Chromium is going to get forked by someone in a similar way to how Firefox emerged from Mozilla because Google's actions around it are simply too isolationist.
I'm a little disappointed with Google. I understand the rationale behind this decision, however instead of improving their browser's permissions system, instead of doing a better job reviewing all those crappy extensions that turn to malware overnight (e.g. Window Resizer - and btw, Mozilla is doing a much better job), instead of all of that, they decide to drop the ability to install extensions from third-party source. I predict a similar change will also come for Android. Because grandmas need protection of course.
For several months now I have been torn between Chrome and Firefox, not able to decide which I like better, switching back and forth depending on mood. Well, I guess this settles it. I was already using Firefox on my Android exclusively, because it's the only mobile browser that has extensions, whereas Google decided that extensions are a nuisance on Android and even if they don't admit it, they probably hate the idea of AdBlock making it to Android.
Chrome has had a positive effect on the marketplace, but now the negative effects are starting to show up. Adobe for instance decided to drop the support they had for Flash on Linux and only support Chrome, so at present and going forward, if you want the latest Flash on Linux, you've got to use Chrome. My answer was just to disable it of course.
But do we really want a monoculture? Haven't we had enough with IExplorer 5/6? Are we really that dumb?
Either way, at the very least Chrome fans should start using Chromium, because the Chrome binary is not open-source and if you use it, you won't realize the true difference/cost between it and the competition. For example the PDF reader bundled in Chrome is something proprietary, whereas Mozilla bundled a PDF reader that's open-source, built in Javascript and that also works in Chromium - you see, whenever Mozilla does something, it usually benefits everybody.
> I predict a similar change will also come for Android. Because grandmas need protection of course.
I'm not sure what this means. This is the way it has always worked in Android.
In order to install apps from third-party sources, you have to enable developer mode. It's easy to do (just check a box in the right place), and is a reasonable precaution, IMO. Most of the malware that is available for Android comes from third-party sources.
I don't really understand the righteous indignation. The only way you can presently install a Chrome extension outside of the web store is by going to chrome://extensions in your browser, then dragging and dropping a crx file (packaged extension) onto this page. Chrome will stop allowing this. Why is that a big deal?
If this makes you mad, vote with your feet. Firefox is a great browser.
There are a lot of windows application bundling malicious chrome extensions, Firefox and IE plugins with the windows installer. They are installed automatically with explicit permissions from users. Moreover, if you remove the adware from chrome extension settings, it gets installed again automatically upon your next reboot.
Does anyone know how this is supposed to protect users against AdWare and other bad extensions? I mean these are installed along other applications with a setup program anyway. Can't the installer just activate developer mode?
I guess there is a warning that shows up, but people will just ignore it (and once you've clicked through the UAC prompt the installer can do anything anyway, like hide the warning). And there is also the enterprise mode, can't the malicious installer just use that?
Note that downloading of executables via Chrome is mostly already restricted to those from Microsoft- or Apple-approved publishers, because of SmartScreen/Gatekeeper. (And Linux has a culture of looking for things in package management before hunting down an executable on the web, so you basically get the same effect there through convention.)
>Microsoft- or Apple-approved publishers, because of SmartScreen/Gatekeeper.
and the ones not found suspicious by Google's safe scan.[1] I remember once Chrome not letting me download a new version of Light table because it was found suspicious. Actually it will let you download it but will delete it as soon as it is done downloading.
I doubt this is the reason. The reason is that less-educated users are being tricked into installing extensions they don't want and that make using their computer miserable for them. Meanwhile, anyone that wants to write their own extension need only click a checkbox.
But how does this protect against bad extensions? I mean they are installed along other programs as AdWare anyway, can't they just install themselves in developer or enterprise mode?
I assume this interacts with Windows in some way to make that more difficult, but I don't use Windows much so I don't know. According to the docs, the change doesn't apply to Linux or OS X.
I don't know. If you actually care you can probably ask on the mailing list; it is an open-source project after all.
(This week I read about attacks convincing users to open the dev console and paste Javascript code in there. Users will do anything as long as it harms their account or their computer, it seems.)
But if I have customers, and either don't want to or can't use the Play store, then I have to ask them to do that too, and most of them won't, so I am effectively walled off from any sales.
(disclaimer: I don't have any customers and I don't produce any Chrome extensions - just engaging in speculation)
Please correct me if I'm wrong, but is the only way to work around this to unpack the extension and use the developer mode?
Or did I just miss something easy - like turning a flag on somewhere? There are a few critical extensions, like youtube center (and a couple I've written myself) that aren't on the store.
It's like we're taking away pens and pencils, since they can be used to mess up books, instead of teaching more people how to write.