Google's OS Security Claims Called 'idiotic'
Google, while announcing its new Chrome operating system late Tuesday, said users would no longer have to worry about viruses, malware and security updates, but security experts disagreed on whether Google can deliver on those promises.
Google said in a blog post that it was "going back to the basics and completely redesigning the underlying security architecture of the OS so that users don't have to deal with viruses, malware and security updates." An operating system should "just work," the company said.
Bruce Schneier, the chief security technology officer at BT, scoffed at Google's promise. "It's an idiotic claim," Schneier wrote in an e-mail. "It was mathematically proved decades ago that it is impossible -- not an engineering impossibility, not technologically impossible, but the 2+2=3 kind of impossible -- to create an operating system that is immune to viruses."
Redesigning an operating system from scratch, "[taking] security into account all the way up and down," could make for a more secure OS than ones that have been developed so far, Schneier said. But that's different from Google's promise that users won't have to deal with viruses or malware, he added.
Other security experts suggested that it's possible for Google to at least make a more secure and user-friendly operating system.
"Operating system vendors can do a much better job of hiding security from the users -- taking care of changes without forcing outages and reboots and managing the security of all the other applications installed on top of the OS," said Alan Paller, research director at the SANS Institute, a cybersecurity training organization. "Google is all about the user experience, so perhaps they learned from the mistakes of the earlier, less-user-friendly OS providers."
Brian Chess, cofounder and chief security officer at cybersecurity vendor Fortify Software, said he's optimistic that Google seems to be making security a priority as it develops the Chrome OS.
"With the caveat that nothing out there is going to be 100 percent secure, and new systems ... are going to have more problems than code that's been battle-tested for a long time, I think the Google guys are right," Chess said. "They could make a system that is significantly better from a security standpoint than the systems most people use today."
Google has a chance to start over from a user expectation point of view, Chess said. The company has several research projects focused on cybersecurity, he noted.
Google could, for example, make top security a default setting in the OS, instead of requiring users to change their setting to make their OS more secure, he said. And Google could build in safeguards that stop users from downloading a virus when they click on a link in an e-mail, he added.
"From a security standpoint, this is a great day," Chess said. "The question is, is the system going to be able to do a reasonable job of defending itself even in the face of a certain amount of user error? I think they've got a pretty good shot at it."