Talk:Security: Difference between revisions

From OLPC
(Move those threads to the bottom.)
 
(10 intermediate revisions by 4 users not shown)
Line 1: Line 1:
== Encryption ==

Do you plan to encrypt the whole memory or does this cost too much power?

:Encrypting all files on the filesystem is definitely going to cost many CPU cycles, as well as power. Most children will not have anything sensitive enough to need ubiquitous encryption, anyway. --[[User:SamatJain|SamatJain]] 15:48, 25 July 2006 (EDT)

== signed code ==

Executing only signed code doesn't do any good unless the signed code is bullet proof. That seems highly unlikely.

I'm certain that at some point a critical mass will be reached where there are enough machines in use that there will be a general meltdown of the integrity of the system due to virus/trojan distribution. Given the slowness of these machines it will in effect render them useless.

Solving this problem requires solving problems that haven't been solved anywhere else yet. That would be a wonderful thing, but that task is perhaps 10 or 100 times bigger than the entire project of creating the OLPC hardware and software. It is in effect the tail wagging the dog.

--[[User:Sjhalasz|Sjhalasz]] 00:35, 19 August 2006 (EDT)

== OS security ==

I think you have to consider having the kernel and configuration in ROM and allowing the machine to run only in user mode. This prevents OS updates but might provide a good level of security.

== browser only ==

Probably the laptop should be a browser-only machine with all software in ROM. The only use of writeable memory should be caching, including caching of active browser software. There isn't anything of interest to children that can't be implemented in the browser and it's a technology that is reasonably well vetted. It also simplifies the interface. If you're going to also implement a browser, you should implement only the browser and simplify things. The browser cache cleans itself up and so users don't need to worry so much about cleaning up writeable memory. The browser should be modified, though, to only load from a server gateway that supplies signed content. This is especially important given that physical networking will be so open. Note that browser content and software can be used offline when not connected. Some can even be in ROM to start with. --[[User:Sjhalasz|Sjhalasz]] 02:04, 11 September 2006 (EDT)

== USB? ==

The machine should not have USB ports! If children have anything to connect to the machine, they're not really poor. USB consumes power and is a serious security problem. --[[User:Sjhalasz|Sjhalasz]] 02:12, 11 September 2006 (EDT)

== Threats and Mitigation ==

A discussion of specific OLPC threats, and mitigation proposals, can be found at [[Threats and Mitigation]]

Marc Stiegler

== Opinion on 'Zero Time' ==

IMHO, the endusers should have to spend '''zero''' time worrying about security.
IMHO, the endusers should have to spend '''zero''' time worrying about security.
The laptops have to be as trustworthy as a book.
The laptops have to be as trustworthy as a book.
Line 4: Line 40:
--[[User:BobBagwill|BobBagwill]] 09:20, 13 April 2006 (EDT)
--[[User:BobBagwill|BobBagwill]] 09:20, 13 April 2006 (EDT)


Just as you have to keep a book in your physical possession to guarantee it does not get written on, soiled, or destroyed, physical possession of the laptop will always allow malicious individuals to defeat its security. So ''trustworthy as a book'' and ''secure as a book'' are excellent goal statements but they do not equate to ''zero time worrying about security''.
:Just as you have to keep a book in your physical possession to guarantee it does not get written on, soiled, or destroyed, physical possession of the laptop will always allow malicious individuals to defeat its security. So ''trustworthy as a book'' and ''secure as a book'' are excellent goal statements but they do not equate to ''zero time worrying about security''.


--The Guy who used Negroponte's Q&A session to push Domestic Adoption
:--The Guy who used Negroponte's Q&A session to push Domestic Adoption


I disagree. If the OS is digitally signed, you can guarantee it hasn't been tampered with. If the laptop will only download/store/boot/execute signed images, updates will be trustworthy too. That leaves user data.
::I disagree. If the OS is digitally signed, you can guarantee it hasn't been tampered with. If the laptop will only download/store/boot/execute signed images, updates will be trustworthy too. That leaves user data.
Assuming the only authentication will be a password or challenge/response, the laptop will be vulnerable to shoulder-surfing. If the laptops backed up to a central server, you could always restore to a previous state.
::Assuming the only authentication will be a password or challenge/response, the laptop will be vulnerable to shoulder-surfing. If the laptops backed up to a central server, you could always restore to a previous state.


--[[User:BobBagwill|BobBagwill]]
::--[[User:BobBagwill|BobBagwill]]


''The more networked a computer gets, the more chances exist that a remote exploit will appear.'' Please make a list on the Wiki of any network-accessible services the OLPC will have, as they need to be scrutinised.
:::''The more networked a computer gets, the more chances exist that a remote exploit will appear.'' Please make a list on the Wiki of any network-accessible services the OLPC will have, as they need to be scrutinised.


--[[User:Simosx|SimosX]]
:::--[[User:Simosx|SimosX]]


== Physical security enhancements ==


Some security features that commercial laptops lack that I would like are:
Some security features that commercial laptops lack that I would like are:
Line 28: Line 65:
--
--
[[User:BobBagwill|BobBagwill]] 20:54, 5 June 2006 (EDT)
[[User:BobBagwill|BobBagwill]] 20:54, 5 June 2006 (EDT)

== Encryption ==

Do you plan to encrypt the whole memory or does this cost too much power?

:Encrypting all files on the filesystem is definitely going to cost many CPU cycles, as well as power. Most children will not have anything sensitive enough to need ubiquitous encryption, anyway. --[[User:SamatJain|SamatJain]] 15:48, 25 July 2006 (EDT)

Latest revision as of 10:21, 20 March 2008

Encryption

Do you plan to encrypt the whole memory or does this cost too much power?

Encrypting all files on the filesystem is definitely going to cost many CPU cycles, as well as power. Most children will not have anything sensitive enough to need ubiquitous encryption, anyway. --SamatJain 15:48, 25 July 2006 (EDT)

signed code

Executing only signed code doesn't do any good unless the signed code is bulletproof. That seems highly unlikely.

I'm certain that at some point a critical mass will be reached where there are enough machines in use that there will be a general meltdown of the integrity of the system due to virus/trojan distribution. Given the slowness of these machines it will in effect render them useless.

Solving this problem requires solving problems that haven't been solved anywhere else yet. That would be a wonderful thing, but that task is perhaps 10 or 100 times bigger than the entire project of creating the OLPC hardware and software. It is in effect the tail wagging the dog.

--Sjhalasz 00:35, 19 August 2006 (EDT)

OS security

I think you have to consider having the kernel and configuration in ROM and allowing the machine to run only in user mode. This prevents OS updates but might provide a good level of security.

browser only

Probably the laptop should be a browser-only machine with all software in ROM. The only use of writeable memory should be caching, including caching of active browser software. There isn't anything of interest to children that can't be implemented in the browser and it's a technology that is reasonably well vetted. It also simplifies the interface. If you're going to also implement a browser, you should implement only the browser and simplify things. The browser cache cleans itself up and so users don't need to worry so much about cleaning up writeable memory. The browser should be modified, though, to only load from a server gateway that supplies signed content. This is especially important given that physical networking will be so open. Note that browser content and software can be used offline when not connected. Some can even be in ROM to start with. --Sjhalasz 02:04, 11 September 2006 (EDT)

USB?

The machine should not have USB ports! If children have anything to connect to the machine, they're not really poor. USB consumes power and is a serious security problem. --Sjhalasz 02:12, 11 September 2006 (EDT)

Threats and Mitigation

A discussion of specific OLPC threats, and mitigation proposals, can be found at Threats and Mitigation

Marc Stiegler

Opinion on 'Zero Time'

IMHO, the end users should have to spend zero time worrying about security. The laptops have to be as trustworthy as a book.

--BobBagwill 09:20, 13 April 2006 (EDT)

Just as you have to keep a book in your physical possession to guarantee it does not get written on, soiled, or destroyed, physical possession of the laptop will always allow malicious individuals to defeat its security. So trustworthy as a book and secure as a book are excellent goal statements but they do not equate to zero time worrying about security.
--The Guy who used Negroponte's Q&A session to push Domestic Adoption

I disagree. If the OS is digitally signed, you can guarantee it hasn't been tampered with. If the laptop will only download/store/boot/execute signed images, updates will be trustworthy too. That leaves user data.
Assuming the only authentication will be a password or challenge/response, the laptop will be vulnerable to shoulder-surfing. If the laptops backed up to a central server, you could always restore to a previous state.
--BobBagwill

The more networked a computer gets, the more chances exist that a remote exploit will appear. Please make a list on the Wiki of any network-accessible services the OLPC will have, as they need to be scrutinised.
--SimosX

Physical security enhancements

Some security features that commercial laptops lack that I would like are:

  1. a reinforced grommet through the laptop in the center hinge area that would let you secure it to a flat surface
  2. a reinforced eyelet for a cable lock
  3. a standard threaded tripod socket

That would let you

  • attach it to a wall
  • easily secure them for a lab or cafe
  • mount them on a swing arm or tilted table

-- BobBagwill 20:54, 5 June 2006 (EDT)