Here are some of the security constraints for the $100 laptop being designed by the One Laptop per Child (OLPC) project. The laptop must not be plagued by the viruses, worms, and Trojan horses that are common on Windows, yet the children who use the laptop must be able to download and run software at will. The computer must not allow students to fake e-mail and instant messages to one another, but students must not be required to use passwords. Shipments of laptops must not be a target of theft even though they are being sent to countries where official corruption is endemic and more than half of the economy is illegal.

Is this possible? I think so. For the past few months I've been collaborating with Ivan Krstić on a workable security model that incorporates some of the latest ideas and research findings from the HCI-SEC community. Krstić released the security model at the RSA Data Security Conference on Tuesday. Ryan Singel wrote a nice article about the model yesterday, and you can view the entire security document online.

One of the guiding principles of the security model is that programs running on the user's computer should run with a restricted set of privileges--rather than with the privileges of the computer's user. For example, there is no reason why your copy of Solitaire should be able to browse through your tax records and send interesting tidbits to organized criminals in Russia. Today's generation of antivirus, antispyware programs work by having a list of all these bad programs and scanning for them. The OLPC approach is to simply deny your Solitare program from being able to access the network or browse your files. Why should it need those capabilities, anyway?

The so-called Bitfrost security model builds upon a lot of research ideas in virtual machines, declaratory installation bundles, and intentional computing. It gives users--many of whom will be children--the tools for the easy management of their own security.

I don't know if it will work, but it's the best thing going. And if Bitfrost does work, you can be sure that we'll see these same ideas showing up in many desktop and handheld environments.

The main thrust of the article is that Blink will be able to find and detect brand-new viruses by running suspect programs in a virtual machine and observing their behavior:

The Norman SandBox, Maiffret described, is a fast, stand-alone virtual machine, which tests the code of executables to see whether they'll do interesting things, such as changing the Windows System Registry startup keys, or some very interesting things, such as connect to an IRC chat server somewhere in Russia.

Rather than scan everything all the time, however, the new Blink will scan newly discovered executables, and may perhaps rescan them if, for instance, their patterns or file size appears to have changed. But if it's the same executable, by default, Blink will only scan it once.

Unfortunately, this approach is pretty easy for a would-be virus writer to avoid. For example, the "virus" could perform its malicious activity only if it receives user input (which it is unlikely to receive in a virtual machine but likely to receive if it pops up a window). Or the virus could check to see if it is running in a virtual machine using technology that is now readily available.

Of course, the real problem with this approach is that it's theoretically impossible to look at a program and figure out what it's going to do. This is just another recasting of Turing's famous "halting problem." Even running the program in a virtual machine won't tell you what it's going to do once you run it in the wild.

Last week I got a letter in the mail from the Mendoza College of Business at the University of Notre Dame. Apparently, the school had put information about me, including my social-security number (SSN) and demographic information, on the Internet. "We have no evidence to date that this information was used inappropriately," the school wrote, but I might want to take "prudent ... precautions" by periodically checking my credit report with the three major bureaus.

What's so infuriating about this is that I never had anything to do with the University of Notre Dame.

In 2001, I was thinking about going back to graduate school, so I took the GMAT, LSAT, and GRE exams. I checked off the boxes that said that my information could be forwarded to schools so that they could recruit me. A few schools contacted me, and that was that. Or so I thought. It seems that the Graduate Management Admissions Council didn't just provide my test scores and demographic information: it also provided my SSN.

But why did the Mendoza College of Business keep that information for six years? And how did it make it available on the Internet?

I called Notre Dame to find out what had happened and was told that a file of GMAT names, scores, SSNs, and other information had been inadvertently left on a computer that was decommissioned. At some later point in time this computer was turned back on and plugged into the Internet, and it made the files available through some kind of file-sharing program. Google picked up the files, indexed them, and added them to its archive. How was this discovered? Somebody did a Google search on his or her own name and found the jackpot of personal information.

The woman I spoke with from Notre Dame said that the school had looked at the log files on the computer, and there were no other signs of access other than by the one person who had accessed his or her files. I'm not sure that this makes sense because she said that there was also no evidence that Google had accessed the files, and clearly Google had. Besides, if the information was cached by Google, bad guys could have downloaded it directly from the cache and avoided leaving traces at Notre Dame.

I called a friend who works in the privacy industry. He said that the GMAT never should have distributed my SSN with this file--there was no reason to do so--and he added that it has since stopped the practice. He also said that universities like Notre Dame are responsible for the majority of the privacy breaches that have been disclosed to date. (That's true, but the flip side is that more names have been released by businesses because they tend to have bigger databases.)

Where does this leave me? More annoyed than anything else. The real problem isn't that personal information keeps getting leaked, but that personal information is so valuable. The reason SSNs can be used for identity theft is that banks and other financial institutions think that if you know somebody's SSN, then you must be that person. This has got to change.