Google’s defenestration – Security ≠ OS

I need to put a few things on the table before fully expressing my opinion on this story. I don’t like Windows. I don’t use Facebook. My heart and preferences lean towards Linux and other Unix variants (Yes, OS X too). Last but not least, I am a big security geek, which is likely no secret to my readers.

Defenestration art exhibit, San Fran courtesy of wallyg's Flickr photostream

Yesterday the Financial Times broke a story about Google pushing Microsoft Windows out the window. On the surface it sounds like a revelation that a company as large as Google could go window(s)less. One of the headlines from ZDNet reads, “Google dumps Windows; Is Microsoft’s OS headed down a troubled path?” In a word? No.

That is not to say Microsoft’s strategy, nor its stranglehold on corporate desktops, is permanent, but few companies the size of Google, or for that matter few companies of any size, could eliminate or even dramatically reduce their dependence on the software from Redmond. Microsoft has fostered a delicate balance to lock us into their wares, and used their “embrace and extend” mantra to create even web applications that only work in their ecosystem.

Google employees who were willing to speak to the press about the move emphasized that it’s all about security. The “China” attack and ensuing analysis of what was at fault influenced the company’s decision to discourage Windows use. While plausible on the surface, there must be more at stake than that.

I like Google, and I hope that their strategy doesn’t equate security with the operating system they use. The attacks against Google in January were presented to the public as an Advanced Persistent Threat (APT). If this is true, will moving to Unix and Linux help fight these targeted attacks? If your operating system includes common tools useful to hackers like nmap, tcpdump, bash, perl, and php, it makes it more difficult to detect the presence of an attacker than with an operating system for which these tools are non-native.

Despite having a lot of friends in the media, I think the hype over this decision is more about marketing and PR than about defending against the red Chinese menace. Google is choosing an option that provides far less sophisticated tools, management, and detection capabilities than the much-maligned Windows platform.

This also may be a bit more of Google “dogfooding.” Microsoft has been an archrival, but more importantly Google will be heavily promoting their Android OS for phones and tablets, and the upcoming Chrome OS, both based on Linux.

Avoiding the massive hassles of managing a Windows environment will surely change the threat landscape for Google. It seems to be a trade-off between everyday threats and malware, which consume untold hours of patching, remediation and management, and the “APT.” If Google’s concerns truly lie with APT, they are simply trading one devil for another.

But regardless of my professional reaction, the engineer in me says, “Good luck, Google! Viva la open source.”

Creative commons image courtesy of wallyg’s Flickr photostream.