The iPod has caused a bit of a revolution in the music industry. By making the iPod incredibly user-friendly and providing affordable content, Apple has put more than 28 million iPods in the hands of consumers all over the world (with 10 million more expected to be sold before Christmas 2005). Consumers now expect that they can access legal music on demand for a dollar a song rather than having to go to the store to buy a CD for $15. And with the iPod you can listen to your massive music collection at home, in your iPod-enabled car, at the office, and at friends' parties. No more messing around with CD binders or a laptop full of music.
None of this is a surprise. We're all familiar with the iPod and its impact on society. It has become a household name. But from a security perspective, the iPod hasn't created the same ripple. Why should it? After all, it's simply a consumer electronic device.
Or is it?
Gartner issued a report in 2004 on how an iPod can be used to remove data from a corporate network. The iPod does double duty as a USB mass storage device and can serve the same role as a USB pen drive, but looks much more stealthy. Many people discounted Gartner's report, however, because USB storage tokens come in all shapes and sizes and it seems silly to single out the iPod for this purpose.
The big impact that the iPod will have on computer security is still in the future. Apple probably didn't intend it, but the iPod will likely prove to be an important stepping stone into solving a problem that has faced computer scientists for more than 30 years.
Controlling access to data and resources is essentially the foundation of computer security. Many methods and mechanisms can be used to accomplish this type of access control, but historically they're generally software-only solutions. Further, most access control mechanisms are vulnerable to software bugs and implementation errors that can lead to data compromise. Also, these access control mechanisms must trust the environment or host on which they're running, in order to control access to data. If the host itself is compromised, the access control provided by the software is generally completely violated.
In 1971, Butler Lampson authored a paper titled "Protection," in which he puts forth the idea of multiple domains of information running a on a single host. The general idea is that each domain would execute independently and with potentially different rights existing for programs in each domain. Lampson's ideas became a sort of Holy Grail for computer scientists—provable separation of data and processing running on the same host.
Lampson's vision has many implications. For many years, the U.S. Department of Defense has pursued multi-level security (MLS) systems, in which data from different classification levels could be examined and processed on one system. In current systems, data from multiple classification levels must run on different computers because existing security mechanisms are not strong enough to keep data separate. For content providers such as record companies, Lampson's idea will allow them to ensure that their content is accessed only in a manner of which they approve. For instance, a system that has these domains implemented could enforce that MP3 files be read only by trusted and authorized programs.
The problem with reaching Lampson's vision is that it's nearly impossible to achieve complete control of data with a software-only solution. Complex software is difficult to create in a 100% secure manner; therefore, the access control mechanisms are not fully trustworthy. Also, the access control mechanisms themselves are complicated and require interaction with the user, the data "owner," management entities, etc.... It may look simple on paper, but Lampson's vision has been elusive for more than three decades.