Secure Software Is Static Software
But let's say that Google achieves the near-impossible, what no one else has done, and makes a perfectly secure OS. One of the key challenges for any software title is that as it becomes more popular, it must become more functional. Security alone does not make a product popular. Otherwise, software such as OpenBSD or anything written by Dr. D. J. Bernstein would have a much higher install base. These products are well-regarded for being extremely -- though not perfectly -- secure. Perhaps these products haven't gained broader acceptance because -- I 'm waiting for the flame mail -- they don't offer the functionality and experience that most users really want.
If a company fails to add functionality and features to its wares, its competitors will grab its customers.
However, adding new functionality and new features requires new code, which in turns increases complexity and the chances for security bugs.
For example, Adobe Acrobat was relatively secure when it simply read PDF text documents. To attract more customers and remain competitive, Adobe added a bunch of new features, such as the ability to run JavaScript and participate in encryption. By no small coincidence, Adobe Acrobat now has lots of security patches. You can say the same of any popular app.
Further, even if Google somehow manages to crank out a perfectly secure OS, it will still need to rely upon other organizations' software to work. That, in turn, will almost certainly create chinks in the OS's armor. For example, almost every Internet product relies on DNS, which has proved extremely hackable. Hack that, and you hack everything that relies on it, including otherwise secure browsers and OSes.
Beyond relying on DNS, how will the Google OS and browser render documents and content such as PDFs, Macromedia Flash files, iTunes music, and all other code and content that makes up the rich Internet experience? Google developers will have a hard time delivering all that functionality themselves. They would have to perfectly code every (or at least the most popular) content-type rendering engines. More than likely, Google will allow other vendors' products to interact with their products, and that brings up dozens of security issues in a given month.
I'm even ignoring for the moment the reports that the Google OS will be a Linux variant. Linux itself has many kernel bugs a year. Google Chrome, the browser, relies upon other components (such as Web Toolkit) with have their own vulnerabilities.
There are other hard questions: How will people be able to save content between sessions or send each other files? How will Google be able to perfectly distinguish between malicious and legitimate file attachments when no other company has been able to do it?
Ad Choices