Why Vista missed a trick
Don't give away your brand
A project that aims to provide laptops for poor children could teach Microsoft a thing or two about security and design.
You may well have come across Microsoft's "Secure by design, secure by default and secure in deployment" mantra and are wondering when some "trustworthy computing" will be delivered. Well, by now, you may even be aware that a new system is out, which might actually deliver on some of these promises.
In fact, it's probably the first new platform we've seen in a long time. From a security perspective, the lack of innovation is startling. When you take a system from the 1980s, designed before networks really existed, and link it to a vast, high-speed 21st-century network, it's hardly surprising that most of the time is spent patching to avoid incidents or responding to those you couldn't prevent.
The multi-user systems of the 1970s pioneered the development of the security models we have around today. Of course, Microsoft and Apple haven't stood still, but even with recent improvements, security has failed to counter the threats of the networked environment and provide systems that are both secure and usable. Until now.
Of course, I'm not talking about Windows Vista, but the One Laptop per Child (OLPC) project (www.laptop.org). This aims to create a low-cost, portable computing environment for the educational needs of children in developing countries. There are a number of things that make this project interesting from a security perspective. First, it's the first PC in which the software and hardware have been designed together since the Apple Mac in the early 1980s.
Second, and perhaps most importantly, the design is entirely open. The specifications and source code for all components are publicly available. Today, no one would consider deploying a cryptographic algorithm that hadn't been made publicly available and subjected to intense peer review. The OLPC project extends this principle of openness to the entire system to enable any security weaknesses to be found before systems are deployed, and to really create a trustworthy environment.
Microsoft is also missing something quite important in its secure by design, default and deployment goals. This is the idea of "security and usability". Traditionally, these two don't go together. Even though Vista might have all the security features, if they get in the way, people will turn them off or bypass them. The increasing trend in security attacks is to exploit the user's weaknesses to compromise the system.
One of the leaders in the emerging field of HCI-SEC - human computer interaction married to the goal of security - is Simson Garfinkel. His most recent book, Security and Usability, is worth a read by any systems designer. Garfinkel has contributed to the security design of the OLPC. The platform, called Bitfrost, contains a number of interesting ideas - such as "no user passwords" and "no permanent data loss", along with less radical ideas such as "out-of-the-box security". The specification even extends to the manufacturing process and delivery chain, so that when the system arrives, there can be confidence that it has not been interfered with along the way.
Windows Vista does, of course, represent a significant milestone. It is the first product of Microsoft's Secure Development Lifecycle project. Unlike the OLPC project, the designs aren't open. We've only got sketchy marketing information, limited documentation for developers and the occasional snippet of something on one of Microsoft's blogs. So until significant deployment, or the first zero-day vulnerability with significant impact, it's going to be hard to judge the effectiveness of the system. If Vista does live up to the claims, the real weaknesses will be in the tension between "security" and "usability". Cynics have suggested that a lot of the security in Vista is about protecting the data of third parties from the user of the computer - whether it's a DVD, an MP3, an eBook or just a collection of photographs. This is a worry, as it would be a deliberate case of security decreasing usability.
- Ian Castle, CISSP, is a senior consultant at ECSC and heads the internet defence division.