Google's OS security claims called 'idiotic'

Security experts disagree on whether the Google OS can live up to the company's promises

Google, while announcing its new Chrome operating system late Tuesday, said users would no longer have to worry about viruses, malware and security updates, but security experts disagreed on whether Google can deliver on those promises.

Google said in a blog post that it was "going back to the basics and completely redesigning the underlying security architecture of the OS so that users don't have to deal with viruses, malware and security updates." An operating system should "just work," the company said.

Bruce Schneier, the chief security technology officer at BT, scoffed at Google's promise.

"It's an idiotic claim," Schneier wrote in an e-mail. "It was mathematically proved decades ago that it is impossible -- not an engineering impossibility, not technologically impossible, but the 2+2=3 kind of impossible -- to create an operating system that is immune to viruses."

Redesigning an operating system from scratch, "[taking] security into account all the way up and down," could make for a more secure OS than ones that have been developed so far, Schneier said. But that's different from Google's promise that users won't have to deal with viruses or malware, he added.

Other security experts suggested that it's possible for Google to at least make a more secure and user-friendly operating system.

"Operating system vendors can do a much better job of hiding security from the users -- taking care of changes without forcing outages and reboots and managing the security of all the other applications installed on top of the OS," said Alan Paller, research director at the SANS Institute, a cybersecurity training organization.

"Google is all about the user experience, so perhaps they learned from the mistakes of the earlier, less-user-friendly OS providers."

Brian Chess, cofounder and chief security officer at cybersecurity vendor Fortify Software, said he's optimistic that Google seems to be making security a priority as it develops the Chrome OS.

"With the caveat that nothing out there is going to be 100 percent secure, and new systems ... are going to have more problems than code that's been battle-tested for a long time, I think the Google guys are right," Chess said.

"They could make a system that is significantly better from a security standpoint than the systems most people use today."

Google has a chance to start over from a user expectation point of view, Chess said. The company has several research projects focused on cybersecurity, he noted.

Google could, for example, make top security a default setting in the OS, instead of requiring users to change their setting to make their OS more secure, he said.

And Google could build in safeguards that stop users from downloading a virus when they click on a link in an e-mail, he added.

"From a security standpoint, this is a great day," Chess said. "The question is, is the system going to be able to do a reasonable job of defending itself even in the face of a certain amount of user error? I think they've got a pretty good shot at it."

Join the CSO newsletter!

Error: Please check your email address.

Tags LinuxChrome OSGooglesecurityvirusoperating systemsbruce schneiermalwareGoogle Chrome OS

More about BT AustralasiaGoogleSANS Institute

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Grant Gross

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place