By Harry McCracken | Thursday, July 9, 2009 at 11:37 am
Among the things that Google says about its upcoming Chrome OS is that it’s going to shine from a security standpoint:
And as we did for the Google Chrome browser, we are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don’t have to deal with viruses, malware and security updates. It should just work.
IDG News Service’s Grant Gross talked to security guru Bruce Schneier, who isn’t just skeptical about Google’s promises–he’s downright insulting:
Bruce Schneier, the chief security technology officer at BT, scoffed at Google’s promise. “It’s an idiotic claim,” Schneier wrote in an e-mail. “It was mathematically proved decades ago that it is impossible — not an engineering impossibility, not technologically impossible, but the 2+2=3 kind of impossible — to create an operating system that is immune to viruses.”
Like much of what Google has said about Chrome OS so far, its claims about security are pretty darn vague, which leaves us on the outside who try to fact-check them at a disadvantage. It doesn’t say that the OS is virus- and malware-free–just that folks “won’t have to deal with” these threats. I “don’t have to deal with” viruses and malware on my Mac in the sense that I’ve never been infected. But that’s not the same thing as the OS being invulnerable. And while Google might be confident that it’s building something that won’t ever require Windows-style constant patching, I can’t quite believe it’s saying that there are no circumstances under which Chrome OS might need a security fix, period.
We still know very little about just how much of Chrome OS and users’ data will reside on the netbook, and how much will live remotely on Google’s servers. Maybe the local OS won’t do much more than boot the computer and provide drivers and a rendering engine. Maybe all user files will be stored in the cloud. If so, it’s possible that Chrome OS will be radically safer than traditional desktop OSes.
Even so, Schneier’s surely right that it’s impossible to write an OS that’s 100.000000% impervious to viruses. As long as computing involves the fallible devices known as human beings, there’s a chance that somebody will unwittingly allow a particularly piece of software onto the system.
Here’s a way of looking at it: In the post I quote at the top of this story, Google makes reference to the Chrome browser when touting the security of Chrome OS. Chrome the browser is indeed well-done from a security standpoint, but that doesn’t mean that Google hasn’t had to patch up holes. If Chrome-the-OS is as safe as the browser, it’ll be a point in its favor. But it won’t give users a license to fall asleep at the wheel.