FUD: Google ditched Windows for security reasonsby Steve Ragan - Jun 1 2010, 12:00
The Financial Times said in a report over the holiday weekend that Google will ditch Windows due to security concerns. The reaction by those in the security community is that the FT.com report is FUD, promoting catchy headlines for clicks.
The Financial Times reported that, “Google is phasing out the internal use of Microsoft’s ubiquitous Windows operating system because of security concerns, according to several Google employees.”
The report says that the switch started full swing in January, shortly after the Aurora incident, and that it could “effectively end the use of Windows at Google.” The alternative to Windows, according to two unnamed employees cited in the story, is either a computer running a variation of the Linux Kernel or one running OS X. If one were to request a Windows-based system, CIO level approval is needed.
“We're not doing any more Windows. It is a security effort,” one employee told the Financial Times. Another added that, “particularly since the China scare, a lot of people here are using Macs for security”
A Google spokesperson told The Tech Herald that, “We’re always working to improve the efficiency of our business, but we don't comment on specific operational matters.”
Google develops applications and tools for Windows systems, on both the desktop level and snap-in products like those for Outlook. That business aspect alone is enough to keep Windows running on their enterprise network. However, while the big ‘G’ may offer an option in operating system choice, a fact some Googlers have confirmed, it is highly unlikely that Google will ditch Windows completely.
However, limiting the access of Windows to certain parts of the network makes sense, if there is a viable way to do so affordably and without compromise to productivity and bottom line. At the same time, those reasons are also why mixed networks are almost impossible to find. You may see a developer running Ubuntu or Slackware, and a marketing master running OS X, but the rest of the network is Windows.
Another reason the Financial Times article is seen as a traffic-play-only item comes from the quote that employees were moving to Macintosh due to their security.
The Windows box hit in the Aurora attacks ran outdated software, and had an end user assigned with administrative rights who clicked on a malicious link during an IM session. How exactly is OS X or any flavor of the Linux Kernel more secure in this scenario?
Switching to Snow Leopard or Ubuntu from Windows would exclude attacks aiming at Internet Explorer sure, but they will not prevent social engineering attacks, nor would they stop attacks aimed at the system through third-party software.
If the attacker knows that the user is on OS X, how hard would it be for them to go after any of the software that Apple has not patched and gain additional user permissions or run code? There are plenty of flaws for OS X, and Apple has a history for issuing patches long after the vendor has pushed them to users on other platforms.
One serious example would be the DNS flaw from 2008. BIND was patched by ISC three months before Apple pushed it to users on OS X. Even then, the patch did not fix the problem. Yet, other systems using the patch form ISC were protected.
For that matter, would systems used at Google, running Ubuntu for example, have all the proper package updates? If not, they can be attacked too. As with OS X, if an attacker knows the victim, then developing attacks aimed at the third-party software isn’t out of reach. Neither is using simple social engineering.
If an Enterprise is using Windows, then it is worth the time and money spent to deploy hardened images and restrict user permissions. Updating to the newest Windows version, as mentioned in more than one article based on the Financial Times report, will only fix some of the problem. It does no good to deploy a new OS if it isn’t managed.
Again, it is possible that Google will push alternatives over Windows. Even still, Windows is the platform with the largest user base on the planet. Google still develops for that platform, and until that changes, they will need to let some of their 20,621 employees use it on a regular basis.
Switching out operating systems is not the answer, isolation is. If there is a resource that needs protected, then it should be isolated, while only allowing the most essential systems and users access to them. Google knows this, and they know that the ball was dropped during the whole Aurora incident.
So if the Financial Times story is legit, even though general consensus says otherwise, then Google is seriously overreacting. Otherwise, you can mark the Google ditching Windows story as click campaigning.
Tell us, if the story is true, is Google making the right call? Does it make sense to simply walk away from Windows in an Enterprise environment and replace it with something like OS X or any given flavor of Linux?
[This editorial is the opinion of Steve Ragan and not necessarily those of the staff on The Tech Herald or the Monsters and Critics (M&C) network. Comments can be left below or sent to firstname.lastname@example.org]