Bruce Schneier, chief technologist at BT, has scoffed at Google's claims about its new OS, just announced yesterday. According to the Google blog post, Chrome OS represents a complete redesign of the underlying security architecture of the OS "so that users don't have to deal with viruses, malware, and security updates." A bold statement to say the least...and apparently one Schneier doesn't think too much of. "It's an idiotic claim," he says.Noted security guru
In a Yahoo News story, it's reported that Schneier isn't completely buying Google's promises. "It was mathematically proved decades ago that it is impossible -- not an engineering impossibility, not technologically impossible, but the 2+2=3 kind of impossible -- to create an operating system that is immune to viruses."
That seems to us like he's picking on the semantics of Google's statement just a bit. Google says that users "won't have to deal with viruses," and Schneier is noting that it's simply not possible to create an OS that can't be taken down by malware. While that may be the case, it's likely that Chrome OS is going to be arguably more secure than the other consumer operating systems currently in use today. In fact, we didn't take Google's statement to mean that Chrome OS couldn't get a virus EVER; we just figured they meant it was a lot harder to get one on their new OS - didn't you?
Even Schneier himself admits that an OS redesign which takes security into account "all the way up and down" could make for a more secure OS than the ones available today. However, that's different than saying that users won't have to deal with malware, he added.
Carl Leonard, security research manager of Websense EMEA, also shares Schneier's beliefs. "All software is susceptible to issues - it just depends on how much effort the malware author wants to go to and how much profit can be made," he said. "Already we have seen vulnerabilities and issues with the Chrome browser, and Google even ran a contest in which two well-known security researchers found 12 exploitable security flaws in the company's Native Client system."
OK, we get it: Chrome OS can get malware...technically speaking. But won't it get less of it?
Forrester Research analyst Andrew Jaquith, on the other hand, has more positive things to say about Google's new OS. He notes that the company has made strong security strides through its Native Client code technology and Chrome web browser, which includes features such as "sandboxing" which could help contain malware. "If [Google] brings that kind of thinking to the operating system and looks at it from a clean sheet of paper, they should be able to introduce some significant improvements," he said.
Do you think the security community is making a mountain out of a molehill when it comes to Google's security claims? Or do you think they were right to point out that no OS is invulnerable to attack?