At the AusCERT 2007 conference in Queensland last week, keynote speaker Ivan Krstić, who is the director of security architecture for the One Laptop Per Child (OLPC) project, told attendees that desktop security was fundamentally broken. We asked several security experts who attended the conference if they agreed and how the problem could be fixed.
Krstić's conundrum, as he explained to ZDNet Australia shortly after his presentation, was that the industry's approach to desktop security has been to shift responsibility for security matters onto the end user.
"We need to understand that users are not people who have degrees in computer science and a deep understanding of computer security -- they are people who are trying to get their job done.
"Weaseling off responsibility for security to users might make sense for some vendors to do in terms of legally protecting themselves, but it's not actually helping the end users," he said.
Krstić advocates that the desktop should resolve more security matters automatically -- and not rely on input from a user that has as much potential to compromise a system as protect it.
The 'dialogue box', used by operating systems and security software vendors to warn or protect users when they are about to make a crucial decision, is the "scourge of desktop security", he said.
"If you go to a Web site whose security certificate is for any reason not checking out, you get a dialogue box that you [require] strong Internet security [skills] to decipher," he said. "For anyone else, they get to do a random guess between yes, no and cancel. That's no way to protect anyone," he added.
Tech-philosopher and hacker guru Richard Thieme said that Krstić was absolutely right: "He said things that everybody here knows are true, but we're trying to patch it and catch up with it".
James Turner, industry analyst at IBRS, said users should not be in complete control when it comes to important security measures. In his "dim, dark past" as a systems administrator, he took particular issue with Microsoft's operating systems allowing the local user to have administrative rights on their own laptop.
"It was suicide for the organisation," he said. "And the people who were writing malware out there took massive advantage of that over the last few years."
Bradley Anstis, director of research and development for security vendor Marshal, said Krstić's theory was a thought-provoking one, and one that he and the vendor's engineering team will take into consideration as they "start to write the applications of tomorrow".
Other participants at the conference were more critical, claiming that Krstić was taking into account neither the human desire for choice nor the gains recent operating systems have made in solving the issue.
"What bothers me the most is that he's leaving user choice out of the decision," said IBM chief security engineer, Anthony Nadalin. "I just don't think the policy decision should be made by the process itself. I still believe that the human needs some level of interaction."
"I agree that interaction has to be very minimal and very basic so people can understand it. But people have to have a choice," he said.
Alagu Periyannan, CTO of BlueCoat, said that the problem with older operating systems is that user privileges have automatically translated to the application the user is running, regardless of the type of application or how it was installed.
"You can start seeing in the newer versions of desktop Linux, or even Mac OS and Vista, they've started to separate that out," he said. "If applications are starting to do certain things, the user is prompted as to whether they want the system to do this."
Andy Solterbeck, vice president of enterprise security at SafeNet, agreed: "Windows Vista has had a significant improvement in the underlying security architecture," he said.
Better interface required
All of the attendees agreed the way security choices are presented to users is too complex.
"Most people are lay users -- you can't be prompting them to change file permission, they aren't going to know what that is," said BlueCoat's Periyannan. "The art really is in making that really simple. It's about giving them the right security aspects but not nagging the user with questions he's never going to be able to answer."
IBM's Nadalin said: "You have to have a metaphor presenting things to the user ... Today that metaphor is not very friendly and that's what has to change in the industry. We have to have better ways, better icons."
Nadalin believes the industry should agree on some basic symbols and modes of communication that users can learn and rely on, in the same way the world has (almost) universal codes for traffic signals.
"We've gone along and decided what street signs mean right across the world. Why can't we do the same things for privacy aspects or release of information?
"We have these universal icons that mean certain things. We could have a caution sign -- people understand caution -- we could have another particular icon [refer to] privacy. I think there's a way to get around [Krstić's] particular set of concerns," said Nadalin.