I'm glad you asked. If we're moving toward building the browser as the application or as the operating system, I mean, look at Google Chrome. The browser has a task manager. It is an operating system for all intents and purposes. It's not things you're installing on your desktop anymore, it's things you visit in your browser. This whole idea of storing things in the cloud to protect data, you're essentially yielding control to the people who write these latest and greatest Web apps. And it's like OK, what do these people know about security? It's kind of the same way the mid-90s desktop developers got their butts kicked. The same way desktop developers didn't know security, we're finding out Web app developers don't know security very well. They're not getting the types of training they need. You say cross-site scripting to them and they think that's stealing a cookie or popping up a little message dialogue. And you have to look at them and say, "Why do you think that message dialogue is appearing?" It's because it's code execution, I executed arbitrary code on your box. That's about as bad as you can get. The difficult part is, security used to be something the IT guys dealt with. That's something my IT guy put a little box on the perimeter to take care
Ah, once upon a time when I was young and silly. I was a student at Georgia Tech and I learned about our campus Buzz Card system and I found some security flaws in it and kind of learned firsthand the difficulty one can have in trying to do the right thing and letting them know there are issues, and how to remediate and solve when you discover vulnerabilities. Actually, this is a problem in the Web application security space as well, because people can reverse engineer or decompile and find buffer overflows and how it processes and tracks changes of a Word doc. That stuff's processed on a desktop. For Web app security researchers, they have a really hard time. If I happen to inadvertently discover one of these things, how do I let them know? They own all the code. And by definition, you can't discover vulnerabilities on their apps without breaking the law.

What are your thoughts so far on Google Chrome and what you've seen?