Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Kaspersky promises the impossible: A fully secure OS

Ted Samson | Oct. 18, 2012
Eugene Kaspersky says his company is developing a bulletproof OS, but in the big picture, he's just selling snake oil

First, Kaspersky made a somewhat broad and misleading assertion. He told Threatpost that "no one else ever tried to make a secure operating system. This may sound weird because of the many efforts Microsoft, Apple, and the open source community have made to make their platforms as secure as possible."

Au contraire, Mr. Kaspersky. Plenty of people have tried and succeeded at making fairly secure operating systems. Many are in private use, often by the military and private companies. The fact that these platforms aren't widely used contributes to their relative security, sort of like how Macs were seemingly immune to malware for years, until the platform became popular enough for hackers to start targeting it. In the words of InfoWorld Security Adviser blogger Roger Grimes, "To make a private, dedicated OS that is more secure than a popular OS is not that hard."

More important is the fact that no software is supersecure. It is impossible to code without bugs. Daniel J. Bernstein, considered one of the most secure programmers in the world, has developed small applications, such as DJBDNS and QMAIL, and even they have been known to contain bugs.

Or as a more popular example, there's Apple. For years, the company clung to the notion that Mac OS was immune to malware. That's all changed, as the platform has risen from relative obscurity to broad adoption for home and business use.

But suppose for a moment that Kaspersky Labs somehow develops an entirely incorruptible, utterly bulletproof operating system. And suppose that Kaspersky -- as well as companies that adopt the OS -- manage to keep the code from falling into the hands of bad guys (bearing in mind that company secrets are often just one slip-up or bribe away from falling into the hands of the enemy), thus making it impossible to reverse-engineer the code and develop malware. That's an awful lot of supposing.

There are still other entry points for wreaking havocs on critical ICSes and SCADA systems. Part of Kaspersky's vision here is to run existing ICS and SCADA software atop this new OS. What's to prevent a savvy hacker from gaining access to a buggy application and, using stolen admin credentials, dumping sewage into the river or shutting down power grids or carrying out any other number of permissible tasks? Today, most exploits are already targeting applications and not the OS; it's been that way for a few years now. A more secure OS can only be helpful, but if you look at the risk, it's almost all application-side.

 

Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.