- From: Alex Russell <slightlyoff@google.com>
- Date: Tue, 29 Jul 2014 21:14:21 -0700
- To: Noah Mendelsohn <nrm@arcanedomain.com>
- Cc: Larry Masinter <masinter@adobe.com>, Marc Fawzi <marc.fawzi@gmail.com>, Marcos Caceres <w3c@marcosc.com>, "www-tag@w3.org List" <www-tag@w3.org>
- Message-ID: <CANr5HFUOPs=vJOoWbHXR6m0R=ebDbtmUYt9wKVG3ynpq2+9=Dg@mail.gmail.com>
On Tue, Jul 29, 2014 at 6:58 PM, Noah Mendelsohn <nrm@arcanedomain.com> wrote: > > On 7/29/2014 8:57 PM, Alex Russell wrote: > > Today, we know that TCO on a non-auto-updating windows computer managed by >> a central administrator is many times that of an equivalently spec'd >> auto-updating ChromeOS device. >> > > ...and you've demonstrated that what percentage of that claimed TCO saving > is due to auto-update? Well, it's hard to separate the long-term impact of verified boot from auto-update from agressive sandboxing. What we do know is that even well-designed sandboxes develop holes. We've seen this over time, and our biggest mitigation for that is ensuring that we can get patches out faster than the bad guys can pwn boxes and repair owned boxes automatically. We're not running randomized trials on users about this -- it would be unethical to deprive them of sandboxing or auto-update now that we know how effective they are -- but there are natural comparison points. OSes with slowly-updating software (which is the natural consequence of adding friction to updates, updates which users -- even admins -- are rarely in a position to reason about) are owned more frequently, incur higher operating costs in the form of mitigating software (bit9, AV, firewalls, etc.), even when running auto-updating software like Chrome. I don't think we've published comparative numbers on this point, however. > Could it also be due to the fact that the architectures of the systems are > tremendously different, They're really not. ChromeOS is Linux-derived. > the levels of functions provided by the systems are tremendously > different, Onus is on you to quantify this...and for us (the W3C and browser vendors) to shrink any capability gap to zero (excepting insecurities, of course). > the level of end user configurability e.g. for unusual attached devices as > much different, etc. > Chrome Apps and FirefoxOS apps allow programmatic connection to serial ports, USB, and many other sorts of "unusual attached devices". No, we're not in a world of downloading the drivers to the latest soundblaster card, but then most systems from most manufacturers are integrated to at least that point today. > I think you're over-simplifying the argument as least as much as you > suggest Larry is. I still say it's a tradeoff: auto-updates done right on > certain systems are likely to improve security. I've also seen updates that > compromised security, and in an auto-update environment you're delegating > the responsibility for ensuring that such updates aren't activated. I > really think this is a complex tradeoff: yes, there can be significant > advantages in security and for other reasons when auto-update is done; is > there any contradiction in also saying that there can be significant > disadvantages. No, but I didn't claim that there weren't both theoretical and practical disadvantages. Only that they're vastly outweighed by the advantages. > I still think it's a tradeoff and that the cost/benefit depends on the > system, who's creating the updates, what the threats are, etc., etc., etc. > Noah >
Received on Wednesday, 30 July 2014 04:15:18 UTC