Mr Krstic criticised software vendors' efforts to secure their products at the opening session of the annual AusCERT computer security conference on the Gold Coast yesterday, where he was keynote speaker. The 21-year-old has taken leave from his undergraduate studies at Harvard to head security for One Laptop Per Child, a program founded by Nicholas Negroponte of the renowned Media Lab at MIT in Boston.

Mr Krstic says the computing industry relies on utterly obsolete concepts and assumptions that first surfaced in the early 1970s. "The way modern desktop security works is by relying on the user to make informed and sensible choices on things they don't understand," Mr Krstic told conference delegates. He said the idea that software executed by a computer user should operate with the same level of privilege that the user has - an approach that has been ingrained in operating system architecture since 1971 - was proof the approach is deeply flawed.

"There's a bunch of programs that ship with the default install of all major operating systems, including Linux and Mac OS and Windows, that can do things like format your hard drive, erase all your documents, corrupt them randomly, send them to Russia (or) pretend to be you," he said. "The program is Minesweeper. There is absolutely nothing in place that would make it so that Minesweeper cannot do any of (those) things . . . That tells me that something is pretty badly broken."

Operating system interfaces were also a problem, Mr Krstic said. Computer users were constantly bombarded with complicated dialogue and decision boxes they had no hope of understanding. "Why do we have these idiotic dialogues that aren't protecting anyone?" he said. Mr Krstic cited early consumer experiences with personal firewall products as an example of the problems created when users have the power to change things they don't understand. "A dialogue would pop up and say 'Hi, we've intercepted this packet with this TCP sequence number and these flags set, and SYN and FIN are both on, and here are the destination ports and the source ports and here is a hex dump of the packet. Allow or deny? What do you think?'. Who is that protecting? It's protecting me, but I don't need that kind of protection in the first place."

During an interview after his keynote speech, Mr Krstic said that security was a high priority. It would be "absolutely tragic if the project failed because all the machines locked up or stopped working because the security was compromised. That's probably the No. 1 nightmare scenario that I can come up with," he said.

Mr Krstic will use several approaches to secure the OLPC laptop, but says his approach will not be revolutionary, merely a mix of proven ideas. "We're trying to take a bunch of technologies that we've known about . . . and combine them in a meaningful way to provide a lot of the security guarantees that we're after," he said. "It hasn't been about trying to invent brand-new things, nearly as much as it's been trying to look at the past and pick out some of the good solutions that have been out there but not used and put them together in the right way." The project will begin distributing the laptops, which currently cost $US175 ($A213) to produce, in September. The project anticipates 2 to 5 million children will be using the laptops by the end of the year.

To hear Patrick Gray's interview with Ivan Krstic, download his podcast from http://ITRadio.com.au/security. Patrick Gray's accommodation at the conference was provided by AusCERT.