It's like we're taking away pens and pencils, since they can be used to mess up books, instead of teaching more people how to write.
Contrast this with the early days of UNIX where every system came with its source code, plus compiler and assembler, so it was very easy for users to become developers. Even DOS and 32-bit versions of Windows came with (not sure if they removed it now, but it's there in XP at least) a rather primitive but still "empowering" debugger, DEBUG, where you could write short programs in assembly language. I remember PC magazines came with listings of these programs --- they weren't particularly complex (usually a few hundred bytes at most), but they did something useful and also made way for the more inquisitive users (like me) to wonder what all the instructions actually do, and what happens if you change them, and that's what can really motivate people to go from being just users to learning about programming and how computers work.
Now, you have to be really motivated to jump through all the hoops in place to make it much harder for anyone to just write some short and useful piece of code and share it in a form that everyone else can use. Even browsers are becoming like this. It's sad that the IMHO bureaucratic measures like code signing, overly protective OS policies, and near-paranoid antivirus/security software just get in the way of this process. They say it's all "for your protection", but if you think about it, one of the most secure places to live is in a prison. Is that really what society should be heading towards?
"Freedom is not worth having if it does not include the freedom to make mistakes."
Smartphones, Consoles, Smart TVs, Tablets - locked by default.
Yes, the "Year Of The Linux Desktop" joke is as funny as ever, but I definitely foresee a split in computing into passive consumers with no idea how things work and hackers who need full access to the things they own and want to experiment, learn and create.
I can still push apps to our customers on Windows and Mac desktops like I could in 1993.
Google on the other hand are pushing for everything being behind a web portal under strict control. All devices they promote ship apps which integrate with that ecosystem as lightweight app front ends and nothing else. Doing stuff whilst not connected to Google is becoming increasingly difficult. The rate of change is also pretty extreme, meaning that you have to work damn hard to keep up with things.
Linux (and FreeBSD possibly!) will never hit the desktop hard but we're not short of learning solutions whilst I can type csc at any Windows command prompt and python at any OSX terminal and get somewhere. ChromeOS - not such a good picture.
> we’re enforcing the following changes starting in Chrome 33 Beta and stable channels for Windows
> Users can only install extensions hosted in the Chrome Web store, except for installs via enterprise policy or developer mode
This only affects Windows. Users who want to install extensions can still do so but the process has been made a little bit more explicit (i.e. do it via developer mode).
It sounds like this step was done to protect naive users who are not aware they are downloading malicious extensions.
Please point out if I am wrong in my assumptions.
Sounds a bit BS to me. In what reasonable threat model can the attacker run arbitrary code on the user's system, but need a Chrome extension to do nasty things? The attacker could just replace the Chrome binary altogether, for instance.
I understand that there can be conceivable security benefits as a result of this change, but I think the real motivation is control, not security.
Watch for their next step - getting rid of all Adblockers in the store. This has nothing to do with security, or rather very little to do with it. The real agenda is something entirely different (not letting the user install whatever extensions he wants: Adblock, TPB unblockers, Hulu/Netflix unblockers, YouTube downloaders, and so on). MPAA didn't get on W3C's board for nothing, after all.
I've warned before this would happen, when MPAA joined the W3C. They're going to demand more features be removed from the browsers that they think "facilitate piracy", and Google is totally going to go along with it, because many of the requests benefit them, too, especially if they get something in return for that from the big studios and so on. Some just benefit them directly (removing Adblock).
If Google removes ad blockers it will be because Google's revenue is based on ads, not because the MPAA or the W3C told them to.
But if a virus can get a perfectly valid program, with every reason to already be on the system, to do something that program already has permission to do... then it can circumvent the OS's strictures against running novel-and-unknown scripts and binaries.
I think it is obvious what their real motivation is.
What if the virus just installs the binary somewhere else, then updates the shortcut? There are hundreds of possible ways, it just seems futile to plug a particular leak.
It is the current solution. Unzip, go to extensions, enable developer mode, load extension. Which IMHO is much more dangerous than downloading a crx.
Even I still get confused sometimes, as a Chrome-app developer, when I move a project folder and Chrome suddenly can't find my extension. It goes against how we think of "deploying to test" in any other development workflow.
Thanks to the toolbar-installing software on Windows it gives a legitimate reason to Google to close the system down a bit more.
Note that they're only doing this for Windows. As someone who occasionally is roped in to providing tech support for a sibling who keeps installing malware - someone who is going to fall for those repackaged versions of VLC, or one of those 'your computer has viruses, click here to install Super Security 3000' or whatever* - I can tell you that malware for Chrome along the lines of browser toolbars and ad injectors is real and out there in the wild and being installed automatically by these kinds of things.
The computer has Norton Internet Security, of course. Which does sweet FA as far as I can tell.
* Note to self: Install AdBlock on that computer.
When/If this affects me, it will be an entertaining challenge to create a crack which disables the "allowed to install?" instruction. Seems quite simple.
I'm switching back to Firefox and will make a conscious decision to start deleting all my Google data. The tin foil conspiracy theorists were right all along it seems, I'll do my best to support companies that fight for my privacy and are open source.
Firefox, I'm sorry I ever left you - happy to be back.
I know you're in a different state of mind atm, but you will be back to Chrome within a couple weeks.
At this point I cannot in good faith support a company such as Google.
For several months now I have been torn between Chrome and Firefox, not able to decide which I like better, switching back and forth depending on mood. Well, I guess this settles it. I was already using Firefox on my Android exclusively, because it's the only mobile browser that has extensions, whereas Google decided that extensions are a nuisance on Android and even if they don't admit it, they probably hate the idea of AdBlock making it to Android.
Chrome has had a positive effect on the marketplace, but now the negative effects are starting to show up. Adobe for instance decided to drop the support they had for Flash on Linux and only support Chrome, so at present and going forward, if you want the latest Flash on Linux, you've got to use Chrome. My answer was just to disable it of course.
But do we really want a monoculture? Haven't we had enough with IExplorer 5/6? Are we really that dumb?
Either way, at the very least Chrome fans should start using Chromium, because the Chrome binary is not open-source and if you use it, you won't realize the true difference/cost between it and the competition. For example the PDF reader bundled in Chrome is something proprietary, whereas Mozilla bundled a PDF reader that's open-source, built in JavaScript and that also works in Chromium - you see, whenever Mozilla does something, it usually benefits everybody.
I'm not sure what this means. This is the way it has always worked in Android.
In order to install apps from third-party sources, you have to enable developer mode. It's easy to do (just check a box in the right place), and is a reasonable precaution, IMO. Most of the malware that is available for Android comes from third-party sources.
I use both Chrome and Firefox interchangeably anyway so not using Chrome won't be a hardship.
If this makes you mad, vote with your feet. Firefox is a great browser.
I believe this policy shall reduce such abuse.
I guess there is a warning that shows up, but people will just ignore it (and once you've clicked through the UAC prompt the installer can do anything anyway, like hide the warning). And there is also the enterprise mode, can't the malicious installer just use that?
and the ones not found suspicious by Google's safe scan.[1] I remember once Chrome not letting me download a new version of Light Table because it was found suspicious. Actually it will let you download it but will delete it as soon as it is done downloading.
[1]http://www.nbcnews.com/id/46330156/ns/technology_and_science...
...because Google hate user customisability.
(disclaimer: I don't have any customers and I don't produce any Chrome extensions - just engaging in speculation)
Or did I just miss something easy - like turning a flag on somewhere? There are a few critical extensions, like YouTube Center (and a couple I've written myself) that aren't on the store.