

Chrome to be deployed by US State Department - 11031a
http://www.geek.com/articles/geek-pick/chrome-to-be-deployed-on-state-department-computers-worldwide-2012031/

======
niels_olson
Having read all the concerns on here, and having worked with field officers
from State, I think some folks have pointed out some great things to work on,
but State is still making the right decision. We can secure buildings
reasonably well, even in very dangerous parts of the world where we are the
prime targets by a factor of 10.

Securing the best vehicle for navigating the network has proven quite a bit
harder. Keep in mind, State is quite small compared to some other agencies,
and most people with secrets are pretty sharp, and they are working infinitely
more with information than with physical security.

Also, if we have stuff that obviously needs to be heavily secured, we use
other networks.

For the NIPRnet, firefox_vs_opera_vs_ie.jpg remains fairly relevant:
<http://imgur.com/SYgZ5>

~~~
jsight
I've worked at government agencies (recently) that banned all "third party
browsers". Compared to that kind of policy, I think choosing Chrome is
wonderful.

------
dpearson
While this is a great step forward, it could be rendered pointless if
auto-updating is disabled and updates are not pushed out quickly after going
through an approval process. Given how quickly Google pushes out major
updates, old versions of Chrome could simply be as prevalent as old versions
of IE, with little long term benefit.

~~~
homosaur
Great step forward for whom? Is it meaningful at all that the US State Dept is
letting people use Chrome now? Is this going to push adoption of modern
browsers in other circumstances? Remember, the State Dept has a massive group
of people that are working and monitoring social media and the like, so their
people were probably clamoring extra loud for this.

~~~
w1ntermute
> Remember, the State Dept has a massive group of people that are working and
> monitoring social media and the like, so their people were probably
> clamoring extra loud for this.

Every company probably has people clamoring for modern browsers. Don't sites
like Facebook and Gmail no longer function under older versions of IE? Those
versions are particularly prevalent at megacorps.

~~~
artursapek
Wait - these people aren't allowed to just install Chrome if they choose? (I'm
a student and have no idea what working at a big corp/for the government is
like)

~~~
trotsky
Nope - they don't have an administrator account and installing unsupported
software isn't allowed. You can't really manage or secure a sizable number of
seats without those rules.

~~~
artursapek
That makes sense. I wonder why this thread got downvoted.

------
dbarlett
Quite a change from three years ago, when State was stuck on IE6 and Secretary
Clinton didn't know what Firefox was.
[http://www.theregister.co.uk/2009/07/13/firefox_and_us_state...](http://www.theregister.co.uk/2009/07/13/firefox_and_us_state_department/)

~~~
chimeracoder
The last line of the article is priceless:

"No doubt, the State Department will officially adopt Facebook at about the
same time the revenue-challenged site follows Friendster into social
networking oblivion"

------
alan_cx
Just a simpleton point here:

I read a lot of stuff, every day, about how evil Google and its chromey thing
steal all our personal information and use it to advance their super villain
take over of the world.

So, um, why would anybody bothered by security want to use Google?

It's like "Q" department being supplied by Dr No.

~~~
richardw
Google with Evil turned up to 11 is trying to serve you more adverts. State is
more interested in the fact that Google is having to offer hackers _more_
money to hack Chrome in pwn2own. Last year they didn't even try.

[http://www.securitynewsdaily.com/496-hacking-contest-smashes...](http://www.securitynewsdaily.com/496-hacking-contest-smashes-safari-internet-explorer.html)

"Google’s Chrome Web browser managed to remain untouched. In fact, Computer
World reported that nobody even attempted to crack into Google Chrome,
despite the $20,000 Google offered to anyone who could successfully exploit
it."

------
TazeTSchnitzel
Suddenly there is a huge interest in Chrome NaCl vulnerabilities on Windows...

~~~
nkassis
And there wasn't interest with a 25+% install share on the web?

Not sure what you are trying to get at with your post? Are you implying that
NaCl is vulnerable because of its nature and now will be a major attack
vector?

But NaCl in my view can be made (or already is in my opinion) solid and with
more focus will become safer and coupled with fast updates, it should make it
a lot less of an issue as Flash or ActiveX vulnerabilities have been.

~~~
pyre
I think the point is that the State Department is a juicier (or at least more
high profile) target than 25% of people on the web.

~~~
spindritf
Is it though? 25% of people on the web has to include some pretty juicy
targets (like... Google itself, Chrome's probably pretty popular there).

------
Metapony
Now the State dept will get out of memory errors too!

~~~
jrockway
As an Emacs user, it makes me happy that some other piece of software finally
gets to be the butt of out-of-memory jokes. It only took 20 years.

------
robomartin
Bad idea: Chrome is dangerous for the uninformed!

It still has a pretty serious security hole: Passwords are visible in plain
text. A quick trip into "Personal Stuff" and "Manage saved passwords..." is
all you need in order to expose this info.

I ran a quick test. Without straining much, you can click the "show" button on
about 40 passwords in one minute. A quick Ctrl+P and the entire list is
printed in plain text! It probably wouldn't take much longer than that to
email it or transmit the plain text list via some other method.

If you have three to five minutes on someone's workstation you can walk away
with the login information for absolutely everything they've done through the
browser, banking, social, email, whatever.

What sucks is that people have been very vocal on the Chrome support forum
about this particular issue and, well, they've been summarily ignored.

Maybe I'm missing something fundamental here but I just can't understand why
Google would leave this huge gaping hole in there. It can't be that hard to at
least provide one more layer of security. You should not be able to see any
passwords without a master password.

I've looked at some of the arguments pointing out that this could provide a
false sense of security. My point (and that made by countless others) is very
simple: The way it works today a ten-year-old could steal all of your
passwords inside of five minutes without even having to work very hard. A
layer or two of security would make it so that a far more knowledgeable and
seriously involved process (or spying software) would have to be utilized to
steal your stuff. I vote for option #2.

I use Chrome as my primary browser, but I am not a civil servant at a
government office. I am keenly aware of the security hole.

That said, I don't recommend it to family and friends because a non-techie
will screw themselves in an instant with this browser. Imagine Uncle Pete
taking his laptop to be serviced and having all of his personal login data
fully exposed to the 17-year-old pimple-faced kid at the computer shop.
Terrible stuff.

Google: Please fix this before it becomes the source of embarrassment and huge
personal loss to lots of people.

~~~
spindritf
User access to user settings is not a "security hole". And I don't think there
is a way to protect your logged in, unattended session without demolishing
productivity. If you walk away from your computer, lock it. I would expect the
State Department to have some protections in place (proximity cards, mandated
timeout settings, etc) when actual privileged information is concerned and
being accessed.

Yes, it would probably be nice if Chrome had the kind of protection of
passwords database with a master password that Firefox does. But it still
isn't a "security hole".

~~~
silvestrov
There is: KeyChain on OS X does this correctly by encrypting the file and
asking for your account password when you want to view a saved password.

It might not be 100% hacker safe, but it is 100% employee safe at my
workplace, which makes a world of difference.

~~~
magicalist
I believe Chrome does use Keychain on OS X. The problem is people click the
"always allow" access button the first time Chrome tries to access an already
stored password, they enter their password, and then the user isn't prompted
anymore. Your passwords are safe and encrypted...Chrome can just display them
when it's open because it has access, as the user instructed.

------
dev1n
So is this Google inside the State Department, or the State Department inside
Google?

~~~
politician
I imagine that the answer is "less so than Microsoft is". What is with the
hellish trolling on this story? Did every shill for IE get some kind of bat
signal?

------
joejohnson
So, will Google have access to what State Dept officials browse and search?
How can this be legal?

