Kaspersky promises the impossible: A fully secure OS

Eugene Kaspersky says his company is developing a bulletproof OS, but in the big picture, he's just selling snake oil

Page 2 of 2

Au contraire, Mr. Kaspersky. Plenty of people have tried and succeeded at making fairly secure operating systems. Many are in private use, often by the military and private companies. The fact that these platforms aren't widely used contributes to their relative security, sort of like how Macs were seemingly immune to malware for years, until the platform became popular enough for hackers to start targeting it. In the words of InfoWorld Security Adviser blogger Roger Grimes, "To make a private, dedicated OS that is more secure than a popular OS is not that hard."

More important is the fact that no software is supersecure. It is impossible to code without bugs. Daniel J. Bernstein, considered one of the most secure programmers in the world, has developed small applications, such as DJBDNS and QMAIL, and even they have been known to contain bugs.

Or as a more popular example, there's Apple. For years, the company clung to the notion that Mac OS was immune to malware. That's all changed, as the platform has risen from relative obscurity to broad adoption for home and business use.

But suppose for a moment that Kaspersky Labs somehow develops an entirely incorruptible, utterly bulletproof operating system. And suppose that Kaspersky -- as well as companies that adopt the OS -- manage to keep the code from falling into the hands of bad guys (bearing in mind that company secrets are often just one slip-up or bribe away from falling into the hands of the enemy), thus making it impossible to reverse-engineer the code and develop malware. That's an awful lot of supposing.

There are still other entry points for wreaking havocs on critical ICSes and SCADA systems. Part of Kaspersky's vision here is to run existing ICS and SCADA software atop this new OS. What's to prevent a savvy hacker from gaining access to a buggy application and, using stolen admin credentials, dumping sewage into the river or shutting down power grids or carrying out any other number of permissible tasks? Today, most exploits are already targeting applications and not the OS; it's been that way for a few years now. A more secure OS can only be helpful, but if you look at the risk, it's almost all application-side.

There's no denying we need to find ways to secure our nation's critical infrastructure systems. As it stands, ICSes and SCADA systems in use today weren't developed with the Internet in mind. They're vulnerable and need to be secured. A more secure underlying operating system might be a step in the right direction, though perhaps trying to push a single, universal, uber-secure OS for all things ICS and SCADA is an invitation for unwanted attention from malicious hackers. I'll say it again: Security comes with obscurity.

But focusing simply on the OS to solve this pressing problem without considering the big security picture, including the undeniably insecure nature of the Internet, end-user ignorance, and programmer laziness, is akin to whistling in the dark. Thus, pushing a single OS as the be-all, end-all solution is akin to selling snake oil.

This story, "Kaspersky promises the impossible: A fully secure OS," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

| 1 2 Page 2