Speaking at the AusCERT conference on Monday, Ivan Krstic, director of security architecture for the One Laptop per Child project, says the computing industry relies on “utterly obsolete concepts and assumptions” and has “massively failed when it comes to desktop security”.

The way modern desktop security works is by relying on the user to make informed and sensible choices on things they don’t understand.

The early personal firewall software was a classic example:

A dialogue would pop up and say ‘Hi, we’ve intercepted this packet with this TCP sequence number and these flags set, and SYN and FIN are both on, and here are the destination ports and the source ports and here is a hex dump of the packet. Allow or deny? What do you think?’. Who is that protecting? It’s protecting me, but I don’t need that kind of protection in the first place.

The Apple Blog was sarcastic when they reported Krstic’s speech — I suspect because arrogant OS X users think security issues don’t apply to them — so I posted a response…

Despite your sarcasm, when you ask…

So does that mean ‘there is nothing in place to say that’ OS X’s Chess game cannot format my hard drive or turn over control of my Mac to third parties?

… yes, you’re right on the money. Krstic is absolutely correct. This is exactly the “trust model” of every desktop operating system currently in use.

Software like Minesweeper in Windows, Chess in OS X or whatever — everything from Adobe Photoshop and Microsoft Office to that cute little widget you just downloaded from… who? — are supplied as pre-compiled binary programs. Unless you reverse-engineer them and do a complete audit, you have no way of knowing for sure what they do. Not 100%.

Even then you have to be really good at software auditing to know you’re not overlooking some trick. And you have to audit every software library they call. And, if you want to be completely sure, audit the microcode on the processor chip while you’re at it.

When you run any software, you’re trusting the author to do only what they claim they will do.

There is no global auditing program to ensure software does what it says and only what it says. In any event, how can you know whether the file you just downloaded is the same one that was audited?

And, despite the “I’m more secure than you” arrogance shown by so many OS X users, there’s nothing about OS X that makes it any different to Windows in this regard: run a program, and it runs with the same privileges as you have.

At this point open-source advocates will say that they have the source code so they’re OK — but honestly, when was the last time you read through the source code before compiling and running a program?

5 Random Semi-Related Posts

• Links for 26 June 2008 through 29 June 2008 (1 comments)
• The Internet, 1994 (0 comments)
• Ah, security through sincerity, gotta love it! (0 comments)
• The Chaser’s APEC charges dropped (0 comments)
• Why The Chaser’s charges were dropped (7 comments)

5 Random Semi-Related Posts

• Photos courtesy of a Nokia N80 (4 comments)
• Newtown Sunset, one month ago (0 comments)
• What comms? Part 2: Which phone? (2 comments)
• Pub plant at dusk (2 comments)
• At Town Hall station? You breathe this! (5 comments)

The full report on this prank shows how the store management couldn’t cope — they didn’t like it, and people get nervous when confronted with something “different”.

It’s also interesting reading the comments on Bruce Schneier’s write-up of this event, where so many commenters fail to see the difference between a “threat to the store” and a “threat to the perceived authority of the store managers”.

5 Random Semi-Related Posts

• Freakonomics interviews Bruce Schneier (0 comments)
• Who do you trust? Everyone! (4 comments)
• Apple becomes biggest music retailer in US (0 comments)
• Shirtless? Can’t buy a shirt, sorry (2 comments)
• Is Big Brother a Big Deal? (0 comments)