Online threats and security

From OLPC
Revision as of 10:37, 1 August 2009 by FGrose (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

OLPC is aware of online threats for its child owners, and takes these matters seriously. There is no one magic solution to all these problems, and no system can ever be perfectly protected, so continued work will always be necessary. However, certain decisions at the root of the OLPC design make these dangers less than they would be with other computers. An XO laptop is naturally far safer for a child's use than a standard Windows machine with antivirus installed.

The threats can be divided into 3 basic categories: malicious programs or "malware" (viruses, trojans, worms, spyware, spambots, etc.); online child predators or other individual criminals; and online vices such as violent pornography. Still, it is important to remember that in the real world both threats and defenses, though they concentrate in one or the other of these areas, tend to overlap somewhat into the other two. This is good news, as it means that combining effective defenses has a multiplicative effect.

Malware protection, aka "Antivirus"

OLPC is based on a revolutionary security paradigm called Bitfrost. Unlike traditional antivirus, which scans the computer for an ever-growing list of known threats, Bitfrost relies on preventing any program at all from doing the harmful things a virus would do. Programs cannot access private data: the only files that they can "see" at all are their internal configuration files and files that the user has explicitly opened. (To accomplish this, the "open file" dialog, which can see all the users files, is managed by the OS, not by the application). Programs cannot start themselves without the user specifically deciding when that should happen. Programs can copy themselves, but they cannot give the breath of life to that copy, so it becomes merely a file on the disk. Programs which use the camera or microphone are prohibited from using the internet or mesh, unless specifically enabled to by the user. The result is that a "virus", even if one existed, could find very little damage to do.

As an additional privacy guard, a light turns on whenever the microphone or camera are enabled. This is governed by hardware, and cannot be disabled by any program, even the OS.

All of these revolutionary security measures are in addition to the proven security record of the underlying Linux OS, a record considerably better than that of any version of Windows and comparable to that of MacOS. The result is a platform which, even in the hands of a child, is probably more secure than anything other general-purpose computer not administered by a security expert.

Online predators and criminals

Although there is no doubt that this issue is often overblown in the media, it is something that OLPC takes seriously. There is no official OLPC position on this issue, but certain principles apply:

- The best protections will always be education and a trusting relationship with reliable adults.

- There are often trade offs between protection and freedom, and if the laptop is to be useful, freedom must have a higher overall priority, though there may be appropriate exceptions.

- A predator who is physically nearby, in the mesh, will be visible to all users, and there are various possibilities for detecting the activities of such a person. Anyone who continued such activity would probably be risking physical capture, which would have dangerous consequences for them anywhere in the world.

- As mentioned above, the strong malware security of the OLPC does grant some protection against these threats too.

- OLPC is interested in solutions to these problems. If you have any ideas, share them with us, or, better yet, help us to implement them!

Online vices (Pornography, hate sites)

The first large-scale in-country deployment of XO's is using Dansguardian to filter the web at the server. This is content-based, not blacklist-based, so it is a more secure solution than many filters. (see Ivan Krstic's blog for more details). However, it can not be ironclad, as some children will be able to access the Internet by attaching directly to a nearby private wireless router instead of the government-provided servers. It is also not available to purchasers of G1G1 machines in the first world.

Also, in general, most of the same principles apply as with online predators, above.

In 2009, Paraguay is using Squidguard, http://wiki.paraguayeduca.org/index.php/Squidguard.

Birmingham, Alabama uses OpenDNS, http://www.opendns.com/solutions/k12/. See XS_Installing_Software#Internet_Filtering for assistance on configuration.

Related Pages

See Safe XO use and What links here.

Useful Links