Talk:Bitfrost: Difference between revisions

From OLPC
Revision as of 19:32, 9 March 2007

Correlating Bitfrost and Threats

A new page, Correlating Bitfrost and Threats, has been added that correlates the Bitfrost spec with the Threats and Mitigation page, which was published prior to publication of the spec.

Typos

  1. I can't edit the page, but the "No permanent data loss" box has a typo: in the event that
    Fixed

He / She / S/He

Discussion has been moved to Gender and OLPC.

Unix permissions

The author describes some version of typical Unix permissions and the security model behind it and then complains that with this model "we can't stop viruses and malware" and that "anyone can send a user an executable program, and for many years the users' instinctive reaction was to open the attachment and run the program." The reality is quite different. I have used Unix systems for 15+ years. My machines have never been eaten by a virus and I have never run a program directly from an attachment. The only problem with e-mail viruses is that they add to spam, but it is very easy to filter viruses anyway.

If you start your design of a new security model with such false assumptions, your results may still be right at the end, or may not.

I'm not the author, but I think the new security model is a pretty good idea. Sure, you or I may not have gotten viruses, but nearly every inexperienced computer user I know has gotten one. You are lucky that you know not to open attachments and that Unix is not a high target for virus writers -- because there are not many Unix machines, and most of their owners know better than to open attachments or run strange programs. But the OLPC changes this: it will bring online a huge population of inexperienced computer users. It will be a magnet for botnets and mischief-makers. It deserves a well-thought-out security system.
The benefit of the Unix permission system is that a user can only screw up their own files, not the files of other users or the operating system itself. As beneficial as this is, it is hardly a consolation to the user who has just lost all their files because they ran a program a "friend" sent them. Your solution is to advise the user never to run programs from other people, but this approach simply does not work, as we have seen with Windows. And, besides, one of the goals of OLPC is to allow its users to make new programs and share them with each other.
It sounds like the Bitfrost approach is to create a file system sandbox for each application so that it can't interfere with other applications. This seems entirely reasonable to me. After all, it's what Java, .NET, and Flash do to allow the user to run unsafe applets. Python, the main OLPC development system, doesn't have this kind of sandbox (yet), so it's a good thing if the underlying operating system can provide it. —Leejc 19:49, 7 February 2007 (EST)

One Brick per child?

"The sole purpose of these keys will be to verify the integrity of bundled software and content" - what if, five years down the line, the child has got bored of Squeak etc. and decides to install a different Linux distro? Will the DRM brick the laptop?

Should not be a problem. The brick function looks like it is part of the XO's Linux operating system. If you replace the OS you remove the brick function. Note that you would need a developer's key to replace the OS. -- tef 14:30, 8 February 2007 (EST)

Legitimizing "Big Brother" and DRM

We all know that DRM is the enemy of open source projects, and is in fact tagged with "Defective by design". Why are you taking away the kid's control over their laptop on SECURITY concerns? You should know by now, if hackers want to use it, they will. Remember Windows Genuine Advantage? Hackers cracked it too. All it did was hurt the end user.

I implore you (laptop.org) not to make the same mistake that Microsoft did. As much as I am hyped about your creation, I cannot help but feel dread as this proposed "security" idea steals control from the child, who is learning about computers through interacting with it, and gives it to an arbitrary authority who may misuse their power at any time. - Teenage system admin for Los Gatos High School.

We all know what now? I thought the enemy of Open Source was Closed Source. DRM is not mentioned in the article, and it also does not have to be closed source.
Did you actually read the security specification? Nowhere does it discuss taking kid's control away, or DRM systems. --Jacobolus 12:19, 9 February 2007 (EST)
The theft protection servers activated by some countries means that a government administration could actually lock the machines off (theoretically if a machine was reported stolen, but also theoretically if an administration decided the machines were being used by an insurgency). That's part of the bitfrost security specification. It could be considered sort of DRMish. Given the complex issues facing the project, I don't think it's so bad. --Jeff 8:20, 16 Feb 2007 (EST)
What about a case where (due to financial, government policy, etc. reasons) a government ends their OLPC project and shuts down authentication services (the server as well as the USB dongle distribution system) - is there a way to centrally bless all the laptops to continue working or give them a functionally infinite lease (provided that they can re-authenticate before the shutdown)? I'm reminded of Circuit City's problem with the DIVX pay-per-use DVD disks (news.com.com) -- Griffjon 12:28, 22 February 2007 (EST)
Should easily be handled by the same procedures as when the country's central XO organization sends out a USB-stick to the schools to extend the lease (if the school's internet access is down, if not just send the keys out over the internet). Wouldn't be hard to set the lease time to "forever". -- OskarLissheim-Boethius 21:52, 3 March 2007 (CET)
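A toy model of the lease handling discussed in this thread (a lease that expires, is renewed by re-authenticating before the server goes away, and can be set to "forever"), added here as an illustration; it is not OLPC's lease format or code. It assumes a JSON lease body authenticated with an HMAC key standing in for the country/school server's signing key, a laptop serial as the lease subject, and the string "forever" as the no-expiry sentinel.

```python
"""Constructed model of an activation-lease check. Not OLPC's real format."""
import hashlib
import hmac
import json

FOREVER = "forever"  # assumed sentinel for a lease with no expiry


def _digest(key: bytes, body: dict) -> str:
    # Canonical JSON so the laptop and the server hash the same bytes.
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_lease(key: bytes, serial: str, expires, issued: int) -> dict:
    """Server side: issue a lease for one laptop. 'expires' is a Unix time
    or FOREVER. Whoever holds 'key' controls whether laptops keep running,
    which is the master-key concern raised elsewhere on this page."""
    body = {"serial": serial, "expires": expires, "issued": issued}
    return {"body": body, "sig": _digest(key, body)}


def lease_valid(key: bytes, lease: dict, serial: str, now: int) -> bool:
    """Laptop side: accept only an untampered lease for this serial that
    has not yet expired (or never expires)."""
    body = lease.get("body", {})
    sig = lease.get("sig", "")
    if not hmac.compare_digest(_digest(key, body), sig):
        return False  # forged or edited lease (e.g. expiry changed by hand)
    if body.get("serial") != serial:
        return False  # lease copied from a different laptop
    expires = body.get("expires")
    if expires == FOREVER:
        return True
    return isinstance(expires, int) and now < expires


def extend_lease(key: bytes, old: dict, serial: str, now: int, new_expires):
    """Renewal (via the internet or a USB stick from the central body):
    only a laptop holding a currently valid lease can be re-blessed, so the
    'set it to forever before shutting the server down' step must happen
    while the old lease is still live."""
    if not lease_valid(key, old, serial, now):
        return None
    return sign_lease(key, serial, new_expires, now)
```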

centralized storage

" Information on the laptop will be replicated to some centralized storage" OLPC is targeted at not so rich kids, do they all have internet access or are authors going to give blank cd/dvd and some stamps to send all those data from laptop to "some centralized storage"?

You don't need internet access to reach the school server, the wireless mesh will do just fine. And if that is not available (distances, obstacles, etc) you can see Motoman or UUCP for alternatives and Internet for the general outlook.
BTW, you would also need to ship some USB CD/DVD burners with the laptops... not just the stamps and blank media... --Xavi 13:52, 8 February 2007 (EST)

Open design

"The laptop's security must not depend upon a secret design implemented in hardware or software." Well, like Theo de Raadt pointed out in an open letter, the documentation of the Marvell chip is not publicly available. This is in contradiction to "must not depend on a secret design implemented in hardware and software". What is more secret? Documentation that's just available or documentation that's available under NDAs? For anyone interested, this is a link to Theo's mail archive about this issue: http://www.theos.com/deraadt/jg

If you want to argue about open design, do it on one of the hardware discussion pages. --69.136.111.100 14:11, 16 February 2007 (EST)

security that doesn't depend on passwords

the only simple secure option is voice authentication. someone from OLPC contact me - lkcl@lkcl.net - for details: i have a friend who has implemented a secure voice-authentication system. that actually works. it's being used in banks. 99.5% reliable. 100% accurate.

Security Should be Right-Sized!!!

Assume officials are self-serving, and governments will use any central repository to coerce the users. Because of this, activation, theft protection and user control must be fully decentralized at the 'school level'.

There can be no means for a government or master key holder to exert control. This control, for example, could simply be threats of shutting down the OLPC population used by an ethnic group unless that group submits to a demand, such as placing one of its leaders into government custody.

I think the complexity of the BitFrost security model is a bit heavy. Let's not apply western complexity appropriate for western security risks and sensitivities to what ostensibly is a small child's educational tool. There is no sensitive data of consequence, and once denied the mesh, terrorists or other kids won't want it. The V-tech 'laptops' found at Walmart don't have much of a security model, yet its model is adequate to the social needs.

Why does the user even have to identify himself to the computer? Windows95 was good enough and demanded no login.

Why is theft protection so important? This assumes that unknown machines can't participate in any school mesh, so they become quite useless. If the machine reappears on the original mesh where it was lost, the administrator could disable it until its user is identified.