Security and the One Laptop Per Child sensibility

Simplified, postdesktop computing models stand to improve network security

If you're one of the many people itching to try out a certain funny-looking green portable computer, your moment is at hand. The One Laptop per Child project's OLPC XO device went on sale to the general public on Nov. 12 at 6 a.m. ET -- albeit only for those who want to make a "buy two, donate one" deal in the process and only for a couple of weeks. [The "Get 1, Give 1" offer concludes on Nov. 26. -- Eds.]

There has been a lot of buzz about the Cambridge, Mass.-based project, not just for the famed (and slightly inaccurate) claim of providing a $100 computer, but also for the notion that a clean and uncomplicated design promotes better usability and security controls. With limited but well-tested features, the device promises to provide a productive experience for its users -- but not an open-ended system Ted Stevens might liken to a big truck.

The OLPC device is not unique in its approach. Recent news indicated that smart phones are now outselling PCs in Japan for some of the same functions. Apple Inc.'s introduction of the tightly-controlled iPhone caused a stir, mostly because the interface for functions already available on other devices is notably simple and slick. India has over the past couple of years adopted minimalist electronic voting systems that bypass the comparative vulnerabilities and tabulation errors of voting systems based on general-purpose operating systems.

What's the trend in all of these? Simplify, simplify, simplify.

All that baggage

What's driving this? Everywhere we look, we see systems and platforms collapsing under their own weight. That's generally good news for security professionals because complexity is the enemy of security. Windows systems are an easy target for security criticism. Vista is the current poster child for overwrought and obese operating systems that give rise to functional and security vulnerabilities through sheer volume of code.

Metrics often trotted out by Macintosh fanboys and Linux nerdistas indicate that modern Windows machines are subject to far more vulnerabilities with the base operating system. But as much fun as it is to grind Microsoft Corp. apologists with those numbers, it's an academic distinction.

A truer measure of risk is the security of the system as it's commonly used. Comparative measures of risk between a domain-member Windows Server and Mac OS X Server should include the likes of Open Directory and Samba, and Microsoft corporate desktop images should be compared with Linux desktops running Open Office and other equivalent corporate applications.

When all the application and interconnectivity baggage is loaded, none of the major operating system competitors comes off looking particularly good or performing well. Sometimes, even the applications intended to keep things safe reduce performance to a crawl, or complex interface tools can confuse users in creative ways.

Drill bits and holes

Eventually, though, most computer users become less fascinated with the device and more with the work or play for which they bought it. The point of Ted Levitt's classic rant to his students at Harvard Business School was, "People don't want to buy a quarter-inch drill. They want a quarter-inch hole." Some interpretations go even further, positing that most people don't want to have to think about holes or nails, just the result that the hole or nail facilitates: perhaps a shelf or a hung picture.

But this is the opposite end of the pendulum's arc from obsession with a device, and it assumes a severe level of disinterest in how things work. Perhaps this is a safe assumption in service cultures, where ignorance of processes or skill is regarded as a mark of status, but not so in much of the Western world, or Home Depot would be out of business tomorrow.

Somewhere between these two extremes are reasonably intelligent consumers of computer devices who know a little bit about the things they want to accomplish. When looking for many computer-enabled services such as music, video, e-mail and messaging, gaming, and social media, these people tend to settle on a good tool that does one (or a very few) jobs well.

But this is not what contemporary personal computers and server systems have become. Like the venerable Shopsmith, they have become a versatile platform that can be extended and upgraded to perform virtually any task imaginable -- but few of them particularly well. At some point, the versatility of 10-in-one tools, six-passenger full-size pickup trucks, and "ultimate" operating systems becomes a liability in terms of usability and quality, not just security.

It's a bigger and longer-term version of the problem offices faced when WYSIWYG desktop word processing was introduced and packages with a few hundred typefaces became available. Invariably, some people used every typeface available, issuing office memos that resembled ransom notes or corporate publications that looked like they'd been typeset at clown school. Now the font problem has become an overwhelming number of application and configuration options at virtually every level of the computing experience. Significant portions of computer and consumer populations are growing up, becoming more interested in actual functions, getting a bit jaded or just plain losing interest in much of the whizbangery of do-it-all tools.

Back in the shop

Network architects, systems administrators and the like are getting a little tired of the noise as well, seeking simplicity in servers and network configurations. Often, this reflects a maturing attitude about the "crunchy outside, nougaty inside" network security model that security wonks have been ranting about for years. While not every organization is about to jump into the college network style of fanatical system-hardening and a healthy distrust of their own internal networks, there are few left who would argue against the reduction of services to the minimum necessary or firewall rules that permit only explicitly allowed communications.

It's not OK now, as it was a couple of years ago, to have dozens of services running on production servers. And more security assessors are rightfully flagging services on desktop computers as a risk -- not just for vulnerabilities in individual services, but for the aggregate risk.

For example, recent updates to the Payment Card Industry Data Security Standard require stringent protection of individual systems involved in cardholder data -- no more browsing exotic viral fauna available on MySpace using point-of-sale computers! They also strongly encourage single-purpose server systems and demand business-case documentation for excessive or what they call "risky" services allowed through firewalls.

Even further, many financial institutions still don't consider PCI an appropriate or sufficient measure of risk and prefer to do individual risk assessments using standards such as ISO 27001. In that standard, network isolation is only mentioned in one spot: "A.11.4.5 Groups of information services ... shall be segregated on networks." The trend is to spend much more time on the system-hardening side.

And interestingly, as more mobile devices are used for sensitive data, default treatment of network connectivity as untrusted opens the way for secure use of multimode and mesh networking such as that provided by the OLPC XO. It's not unthinkable that our little green friend might simplify entry into the realm of e-commerce for enterprising users -- more so than a cheap PC.

What's in store

PCs and giant operating systems won't go away anytime soon, but the trend is clear. Multiple communication modalities will persist, but increasingly they'll terminate in one place, likely in a device for one individual where voice, e-mail, instant messaging and various other message and alert services can be managed in a personal unified in-box.

Slightly larger multipurpose devices such as the OLPC XO will become more common, especially where simple hardened user systems are shared between individuals and user authentication remains important in the handling of sensitive data. We'll probably see a lot more events like last week, when the Nigerian government had to smack down a vendor who had apparently been encouraged by Microsoft (with a few hundred thousand dollars for "marketing") to wipe Linux off Intel Classmate computers and install XP, and more devices like the OLPC -- hardened and perhaps modifiable -- but easily restored or updated to a safe state.

Storage has become and will continue to be a major consumer problem, especially with the digital music collections of the average teenager running into the double-digit gigabytes and their parents snapping hundreds of 6-megapixel pictures on weekend outings. With simple network-attached storage devices such as those from ADS Technologies Inc. available for about $25, the next problems will be how to secure the gobs of data available on a home network and how to integrate with the security model of the handhelds and mesh-networked computers.

From the enterprise standpoint, IBM is leading the charge for virtualization when user and server processes become complex but the organization wants to keep the underlying systems relatively unmolested over time. Major challenges remain in terms of public user identity, organizational device management and other issues, but it's clear that where core computing functions and security are concerned, less really is more.

Jon Espenschied has been at play in the security industry for enough years to become enthusiastic, blasé, cynical, jaded, content and enthusiastic again. He manages information governance reform for a refugee aid organization and continues to have his advice ignored by CEOs, auditors and sysadmins alike.

Copyright © 2007 IDG Communications, Inc.
