IT industry has failed in desktop security

Summary: The director of security architecture for the One Laptop per Child project and AusCERT 2007 keynote speaker has blasted desktop computer security -- including that of Windows, Linux and Mac -- because it is based on a 35-year-old premise where software can run with the same privilege as a user.

The AusCERT 2007 conference kicked off this morning with a keynote speaker who blasted desktop computer security -- including that of Windows, Linux and Mac -- because it is based on a 35-year-old premise where software can run with the same privilege as a user.

Ivan Krstić, director of security architecture for the One Laptop per Child project, told delegates that the IT industry has failed when it comes to desktop security.

"The number one broken assumption of desktop security ... is this very simple premise that all executing software should execute with the full permission that its user possesses.

"There are a bunch of programs that ship with all major operating systems -- including Linux, Mac OS and Windows -- that can format your hard drive, spy on your computer, spy on you with your microphone and camera and turn over control of your computer to third parties," said Krstić.

One example of such a program, said Krstić, is Minesweeper -- a game that has shipped with virtually all versions of Microsoft Windows.

"This is no exaggeration. There is nothing in place to say that Minesweeper cannot do these things. That tells me something is pretty badly broken," he said.

Krstić explained that programs such as Minesweeper have the ability to affect other programs because of a premise that dates back to 1971, when the first version of Unix was released by Ken Thompson and Dennis Ritchie, and loading code onto a computer was no trivial matter.

"[In 1971] the only way that code could get from one place to another was with punch-cards or tapes. You carried it physically, put it on the machine and then ran it. If you did that then you should take responsibility for whatever that program does to your computer.

"Thirty-five years later we are using the same fundamental premise of security," said Krstić, who reminded the delegates that modern computers "run un-trusted code every time they visit a Web site".


About

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK. Munir was recognised as Austr...
