March 28, 2007
OLPC security guru fires back
Ivan Krstić, director of security architecture for the nonprofit One Laptop per Child program, wasn't too happy with my recent coverage of a panel he sat on at the ShmooCon hacker show on March 25.
Much like the jabs that researchers at the confab leveled at the security implications of the project's plan to distribute tens of millions of the laptop devices to impoverished children, he thought the tone of my reporting was far too alarmist.
At the show, Krstić presented a litany of security upgrades made to the latest iteration of the OLPC devices, offering a convincing argument that the computers would be significantly safer than previous models based on the alterations, and perhaps in some ways even better protected from attacks than more traditional mobile computers.
However, the point of the panel was to allow the security pundits to take some shots at the project after Krstić's speech, and fire away they did.
Researchers Sean Coyne, Jason Scott and Scott Roberts offered praise for OLPC's work, but theorized that the project's laptops could be attacked for purposes ranging from creating a massive botnet to trying to kidnap children carrying the devices.
Were the theories offered alarmist? Probably.
Were those ideas truly far-fetched? In some cases, maybe; overall, it didn't seem so.
Krstić clearly felt that the researchers' ideas, and my story, didn't give OLPC enough credit.
"I can't help but feel you're marginalizing the security work that's been done and emphasizing the doomsday scenarios that are pure, made up speculation -- without, at present, any technical credit to them whatsoever," Krstić said in an e-mail to InfoWorld.
Saying that the OLPC devices could be turned into a 10 million node botnet is no fairer than saying that Windows machines could be turned into an 800 million node botnet.
That's probably true, but the fact is we've been trying to alert the world to the massive problem of botnets running on millions of Windows devices for years.
The more impressive aspects of Krstić's diatribe (and his ShmooCon presentation) are actually some of the milestones that OLPC has achieved with its revamped security.
Beyond the praise that its Bitfrost security architecture (which Krstić wrote) and other improvements have drawn from security researchers and other experts, Krstić said that security software vendors have been blown away by the quality of the work.
"I spent several hours with the technical head of threat management at one of the largest security vendors in the industry discussing the system in great detail," Krstić wrote. "By the end of the night, he gave up trying to find a hole in the system."
The security architect said further that a group of Harvard computer science professors invited him to present the work at a seminar and did not offer any negative technical feedback on the upgrades.
Personally, I think it's great that OLPC has made such a huge effort to improve security of the devices, because I think they've got a great idea that will help a lot of poor kids around the globe improve their educations.
However, you have to agree with the security researchers that as with any sizeable deployment of new technology, there likely will be security problems.
But Krstić has apparently had enough of the theorizing.
"While I am far from proposing that the system is in any way perfect, the expert consensus is that it will provide much stronger security than normal desktops, and that the doomsday scenarios entertained at today's panel are a problem not specific to OLPC, but potentially brought forth by any sufficiently large computer deployment -- but in our case, made significantly harder for attackers by our dedication to security," he wrote.
"Furthermore, such potential problems are still pure speculation, and no technical mechanisms for their emergence have been proposed. In my mind, this hardly makes them any more noteworthy than the equally silly conspiracy theories floating around the OLPC project."
In my defense, all I can say is that I was at the ShmooCon event to cover the panel's conclusions, not to smear OLPC.
Krstić seems like a good guy who is merely frustrated with all the OLPC security doom-speak.
Only time will tell whether or not he is justified in feeling so slighted.
Posted by Matt Hines on March 28, 2007 12:20 PM