Even linux and BSD systems are vulnerable if malicious programs are given the necessary permissions to run. If a casual user hears something like, "This OS is immune to viruses", they're likely to be a lot less cautious about running programs that might auto load from websites. By now most Windows users know better than to click OK when a website wants to install something on your PC.
The leading causes of malware are single-user machines and point-and-click software installation from the web. To the extent that any OS allows these, it's susceptable.
Have any data to back that up? Because my impression is the opposite.
It is doubtless the case that Schneier is fielding constant phone calls from trade reporters asking for his opinions on the security news of the day. Taking those calls, and writing the op-ed-style pieces that generate them, is probably the bulk of his job description. And so it's to be expected that he's going to be asked questions about things like Chrome's "virus-proofness", and having given no thought to Chrome or its architecture, be at a loss for pithy commentary. Hence, "2+2=3". Thanks, Bruce.
But before you feel too much sympathy for him, remember that he always has the ability to tell the reporter, "sorry, I don't know enough to comment intelligently on this story".
The reporter would have cut that part out. It's not controversial enough. You could do the same thing with his blog post on homomorphic encryption if you took the phrases, "Gentry’s scheme is completely impractical," and "I think he’s being optimistic with even this most simple of examples," in isolation from "practicality be damned -- this is an amazing piece of work," and "I never expected to see one [a secure fully homomorphic cryptosystem]."
I don't understand this need to pull Schneier down. He's a smart guy, most of his writing is good, and he helped design a cipher that came pretty close to being selected for AES. Anyone who enters the media game is going to end up getting a bit caricatured.
I have been interviewed by reporters. And I have, in fact, made lots of mistakes with them. Security researchers are unnaturally attractive to trade reporters, and there's business value in cultivating contacts with them, and I've definitely let that process run too far in the past.
So, a mistake is a mistake. And thus, regarding your first graf, two responses:
(1) I stand by my original argument that Schneier doesn't appear to be close enough to Chrome OS security to comment on it, and his comments appear to misconstrue what Chrome OS is aiming for, and
(2) I stand by my original argument that this is an example of Schneier's business objective of inserting himself into every conversation about computer security again coming at a cost of his credibility.
Finally, you want to understand my need to pull Schneier down. I don't care if he's smart. I care that he's a guru. He's listened to uncritically by lay professionals, and his opinions about the problems they face are often not valuable. I'll add that Schneier's reputation in cryptography --- a field I am not a part of --- is not ironclad. If you want to stick up for a scientist, start with their citation record. Let us know what you find.
Listen, Bruce, they don't literally mean that their OS will be completely and 100% totally impervious to any sort of malware or virus attack of any kind ever to exist ever in the future ever ever ever to infinity times infinity.
They mean that their OS will be considerably more resistant to any sort of reasonable malware attack in the foreseeable future, and they're 100% correct.
Windows, even just because of its target market, will be the low hanging fruit for as long as I think anybody can foresee. Simply because of this, linux and bsd-kernel based operating systems that are using proper user isolation (meaning not running as the freaking root account by default) are going to be more secure than windows.
By the way, that's what Microsoft meant when they released Windows 98... and 98SE and ME, and 2000, and XP, and 2003, and Vista, and 2008, and 7.
Pointless claim. Just deliver and we'll see.
Good marketing. Tough to live down when you're first discovered to be "human" (developed by software engineers) - as it will be when Apple's first takes a major hit [which news suggests the iPhone may be vulnerable to].
I'm guessing since most applications on Chrome will be web-based, the vendor will worry about them. They will be able to more easily and quickly detect + destroy phishing schemes, viruses etc. Kind of like how Facebook has responded to malicious wall posts.
For me the bigger concern would be the loss of productivity due to downtime of web services, or loss of internet connectivity.
Good marketing. Tough to live down when you're first discovered to be "human" (developed by software engineers) - as it will be when Apple's first takes a major hit [which news suggests the iPhone may be vulnerable to].
