


http://www.guardian.co.uk/technology/2008/feb/07/olpc.security



By Pete Warren

The Guardian

February 7 2008



What if the plans to spread low-cost One Laptop Per Child (OLPC) and

Intel Classmate computers to the developing world work? What if in a few

years there are hundreds of millions of them out there? Many might

applaud. But among computer security experts, there's growing concern

that those schemes could inadvertently lead to a huge increase in

computer crime.



Initiatives such as the OLPC and the Classmate are intended to help

bridge the digital divide. But security experts warn that there could be

an unforeseen negative effect.



"There is the possibility of creating the largest botnet in the world,"

says Yuval Ben-Itzhak of Finjan, a computer security company. This view

is borne out by a recent report by F-Secure identifying Africa as one of

the emerging cybercrime threats.





Phenomenal takeup



"Within the past few years, internet take-up in emerging markets has

been phenomenal," says Mikko Hypponen, chief research officer at

F-Secure. "The trend is expected to continue and spread into areas such

as Africa, India and central America. People are developing

sophisticated computer skills. But," he adds, "they have limited

opportunities to profit from them legally. There will be a delay before

legal systems catch up with developments in the IT sector. Computer

criminals may also be able to escape the law more easily in countries

which are undergoing serious political and security problems."



The case of Onel de Guzman, the student who wrote the 2000 Love Bug

virus and who escaped prosecution because the Philippines, his home, had

no offence with which to prosecute him, is a case in point. But Ivan

Krstic, OLPC's director of security hardware, points to the choice of

Linux as the operating system for the computers. "You cannot have one

program loading from the internet that can then go to your [email]

address book and then send out a spam message to everyone," Krstic

explains. "The program can only work in its own area and has no

functionality beyond that.



"For anything to be able to achieve that overall control, the attack

would have to be written to the system kernel, and those are the hardest

attacks to launch. Those vulnerabilities do exist, but they are patched

very quickly. It would be difficult to get them to run bots." However,

there is an option to run Windows XP on the machine - which means,

concedes Krstic, "they can be attacked. All of the connotations of

Windows security apply."



The Windows-based Intel Classmate also includes a nod at security.

Countries buying it can opt for antivirus software, included for a

higher price, but must negotiate that with AV companies themselves; and

a hardware setting disables the laptop if it is not connected to an

antivirus monitoring network for a certain period of time. This is to

safeguard the machine from becoming part of a botnet, which can disable

antivirus checking.



The bigger problem in the long term may be the developing world's choice

of operating system. "Most of the machines we are shipping have Windows

on them. That's the operating system most countries want," says Intel.

It adds that teachers will receive training from Intel to monitor the

network and will be able to see if changes have been made to the

machines: "Some schools using the computers will have a teacher who is

responsible for security on their networks, others will have an IT

person." As a last resort the Classmate, like the OLPC XO, can be wiped

clean and restored to its factory settings.



But while Windows has its problems, Linux may not offer much better

protection, says Guillaume Lovet, a botnet expert for Fortinet. "The

first botnets were Stacheldraht, Trinoo and TFN, and were built in

Linux," says Lovet. He also dismisses claims that the low bandwidth and

internet use in parts of the developing world - the World Economic

Forum's 2007 Africa Competitiveness Report estimated that African

internet use was just 3.4% of the world total - would act as a brake on

the development of botnets.



"It doesn't take any bandwidth to control or make a botnet," Lovet says.

"Aggregated bandwidth is what is important, and that would still be

massive. You could still build a huge cyber-weapon with only a thousand

of these machines."



For the botnet herders - the people who create and control botnets -

there would also be kudos in staking a claim in a new area. "We have

seen botnets involved in landgrab exercises in the past," says Greg Day,

a security analyst for McAfee.



Just as alarming for Mark Sunner, chief technology officer of

Messagelabs, which monitors email traffic on behalf of the government,

is that the machines could be used as a recruiting ground for criminals.





Herd goats, or bots?



"You can imagine a whole swathe of internet boiler-rooms being created

among people who can make more money from internet crime than herding

goats," says Sunner, who points to the fact that Africa already has the

highly technologically literate Nigerian 419 group, one of the oldest

cyber-crime organisations.



The latter are very dangerous, says a former head of the UK's now

disbanded West African Organised Crime Unit. "They are organised like a

business. They are already building most of the bogus bank sites on the

web. If you ship computers to Nigeria then a lot of them will inevitably

make their way to 419. I mentioned this to someone who is still

monitoring 419 and they said 'you might as well shut down the internet

and go back to pen and ink'."



Sunner, meanwhile, notes the dangers that the machines represent to

Africa's own emerging internet infrastructure. "There are a lot of

viruses already heading for Africa and China and the consequences of

spam can be terrible if you do not have much bandwidth," he says.



Both Intel and OLPC point out that the laptops will often only have

intermittent connectivity. That might lower the risk of getting infected

- or the chances of getting security upgrades.



But the bleak picture may be avoidable, says Rolf Roessing, a security

expert for KPMG. "If we are to bring IT to Africa then it will not work

unless we bring security with it. Computer security in the west grew

because of a loss of innocence and there are still weaknesses in the

developed world because of a lack of awareness. If you bring IT to

developing countries then you have to develop awareness, too."





The rush for the developing market



The OLPC XO is a toughened, stripped-down laptop weighing 1.3kg that

uses a 433MHz AMD chip, 2GB flash drive and mesh Wi-Fi to create a local

area network. The Linux-based OLPC, which is about to be tested by

Microsoft for use with XP, can connect to the internet and has three USB

ports.



Intel's Classmate is built with a 900MHz Celeron M chip which can run

Windows XP or Linux, uses Wi-Fi and has a 2GB Flash drive for the

Windows variant and a 1GB Flash drive for the Linux version. The 1.4kg

Classmate comes with two USB ports and costs between 115 and 150.



The Asus Eee PC range is less rugged. There are four 7in models weighing

920g and sporting an Intel Celeron processor. Their Flash drives range

from 2GB to 8GB, with between 512MB and 1GB of RAM. They have three

high-speed USB 2.0 ports and Wi-Fi. All run Linux and can run Windows

XP, and cost around 200.



Acer, Gigabyte, Lenovo and Everex have all announced low-cost laptops

that can compete in this area.




