
One Laptop Per Child Security Spec Released

ScuttleMonkey posted more than 7 years ago | from the no-school-like-the-old-school dept.

Security 253

juwiley writes "The One Laptop Per Child project has released information about its advanced security platform called Bitfrost. Could children with a $100 laptop end up with a better security infrastructure than executives using $5000 laptops powered by Vista? 'What's deeply troubling — almost unbelievable — about [Unix style permissions] is that they've remained virtually the only real control mechanism that a user has over her personal documents today...In 1971, this might have been acceptable...We have set out to create a system that is both drastically more secure and provides drastically more usable security than any mainstream system currently on the market.'"


fp (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17927226)

fp

times change (0, Offtopic)

ReidMaynard (161608) | more than 7 years ago | (#17927716)

People used to leave keys in their car all the time in the olden days.

But what about DCOM in my ActiveX? (4, Funny)

filesiteguy (695431) | more than 7 years ago | (#17927264)

If my OLPC applications are completely isolated, how am I going to implement this new idea I have for cross-application communication based on shared pipes among apps.

I'm thinking it would work well to implement such a feature so that the writing widget can talk to the chat widget and the spreadsheet widget. I was planning on calling it, Dynamic Communication Over Methods, or DCOM for short.

Now I'm bummed!

Re:But what about DCOM in my ActiveX? (2, Funny)

Original Replica (908688) | more than 7 years ago | (#17927870)

Please call it: Dynamic Methods Communication Application

One Treacherous computer per Child (0, Troll)

Marcion (876801) | more than 7 years ago | (#17928308)

Don't get me wrong I think the project is the best thing since Tim Berners Lee invented the WWW, however:

"The sole purpose of these keys will be to verify the integrity of bundled software and content."

Sounds a bit like DRM? What if the child gets bored and decides to install another Linux distribution?

"If the lease expires, the XO's internet connectivity is turned off, and shortly thereafter the whole computer becomes a brick."

Er nice...

It's worse than that, it prevents app partitioning (5, Insightful)

Morgaine (4316) | more than 7 years ago | (#17928452)

>> how am I going to implement this new idea I have for cross-application communication based on shared pipes among apps.

Actually, it's even worse than your funny (but accurate) comment suggests:

In the Unix model, applications are often built out of multiple cooperating processes, each of which is isolated into its own address space, with strong barriers between processes enforced by the MMU hardware. This makes each separate part more robust, more comprehensible, and more secure.

In contrast, when Bitfrost throws away the ability of programs to talk to other programs, it is intrinsically encouraging a monolithic approach to program design, which is a huge step backwards both for security and for complexity management.

Bitfrost is right to deny free access by programs to a user's filestore objects as an important part of its new security framework, but if the price for that is to disallow strong application factoring and partitioning into separate but communicating processes then the cure may be worse than the disease.

It's just the usual Trusted Computing fallacy (2, Insightful)

patchvonbraun (837509) | more than 7 years ago | (#17928482)

One could reasonably posit that at some point, you're going to want to use the OLPC to teach children computer programming.

That means that in order to execute any such programs on their OLPC, those programs are going to need to be "signed" by an "authority" before they can be executed. That gets old fairly quickly, so an alternative obvious policy is that any program that was compiled on *this* OLPC is "safe" for this OLPC. Right.

The problem with Trusted Computing world views is that computers are simply *appliances*, with some 3rd party in control of what this "appliance" can do. The end result is that rather than having a *truly* computer-literate population, we instead perpetuate the elite software priesthood. Imagine a world where only the "priesthood" are granted programming licenses, with technology like Trusted Computing (and this OLPC stuff) used to "enforce" such licensing schemes.

There are lots and lots and lots of situations where non-programmers have reasonable need to write programs from time to time. Think scientists writing simulations, engineers, artists, etc, etc. The minute you actually grant your "appliance" Turing Completeness, you've lost its Trusted Computing properties.

I see this as an unresolvable dichotomy.

So everything is in a jail(8)... (1, Flamebait)

dextromulous (627459) | more than 7 years ago | (#17927268)

I don't know if this is a good idea or an awesome idea.

jail is a hack (2, Informative)

DrSkwid (118965) | more than 7 years ago | (#17927378)

http://plan9.bell-labs.com/magic/man2html/2/fork [bell-labs.com]

RFCNAMEG If set, the new process starts with a clean name space. A new name space must be built from a mount of an open file descriptor.

Re:So everything is in a jail(8)... (1)

TheSHAD0W (258774) | more than 7 years ago | (#17927682)

Whichever it is, it's definitely DRASTIC.

chmod, chown, etc.? (1)

xxxJonBoyxxx (565205) | more than 7 years ago | (#17927288)

What's deeply troubling -- almost unbelievable -- about [Unix style permissions] is that they've remained virtually the only real control mechanism that a user has over her personal documents today

I wonder if the author's used chmod, chown, etc.? What's the essential difference between Unix style permissions and other permission systems?

there's a drawback to his system: It limits interactions between applications.

It would be nice if we knew if this means copy/paste is broken. (I'm thinking not, but I've been wrong before.)

Re:chmod, chown, etc.? (1)

abigor (540274) | more than 7 years ago | (#17927674)

"What's the essential difference between Unix style permissions and other permission systems?"

ACLs.

No, that's not it. (1)

xxxJonBoyxxx (565205) | more than 7 years ago | (#17927766)

No, that's not it. ACLs aren't unique to Unix.
http://en.wikipedia.org/wiki/Access_control_list [wikipedia.org]

Anyone else?

It isn't about ACLs. (4, Interesting)

jhantin (252660) | more than 7 years ago | (#17928146)

It's the sandboxing. A program run by a given user doesn't automatically get the user's full permissions -- it only gets a small subset. For example, it can't open files from the user's home directory other than by calling a trusted system File Open dialog, which allows the user to select the file and returns an open file handle to the application (or in OLPC's case hardlinks the file into the chroot jail).

In terms of research projects, see the secure scripting language E [erights.org] and the proof of concept CapDesk [combex.com] .

Interestingly, in the commercial world it only seems to turn up in safe bytecode runtimes -- there's very little out there for native code. For an example of something similar in concept look at JNLP [sun.com] or ClickOnce [microsoft.com] deployers.
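The "trusted File Open dialog returns an open file handle" pattern described in the comment above (a powerbox, in the E/CapDesk vocabulary) can be shown concretely with Unix descriptor passing over a socketpair. This is an added example, not OLPC or Bitfrost code: the broker stands in for the trusted chooser, a forked child stands in for the isolated application, the names `broker_open`, `sandboxed_app` and `run_demo` are invented here, and the file content is constructed. The child's real confinement (chroot, dropped uid) is assumed rather than implemented; what the code demonstrates is that the child never learns a path and needs no ambient authority to read the file it was handed, which is exactly the property the sandbox relies on.

```python
import hashlib
import os
import socket
import tempfile


def broker_open(user_choice: str) -> int:
    """Trusted side: the user picked a file in the chooser. Open it here and
    return only a read-only descriptor. The path itself never crosses the
    boundary, so the application cannot reuse it to open anything else."""
    return os.open(user_choice, os.O_RDONLY | os.O_CLOEXEC)


def send_fd(sock: socket.socket, fd: int) -> None:
    """Pass a descriptor over a Unix socket (SCM_RIGHTS ancillary data)."""
    socket.send_fds(sock, [b"FD"], [fd])


def recv_fd(sock: socket.socket) -> int:
    _data, fds, _flags, _addr = socket.recv_fds(sock, 16, 1)
    return fds[0]


def sandboxed_app(sock: socket.socket) -> None:
    """Runs in the child. It holds no path and (in a real deployment) sits in
    a chroot; the received descriptor is its only capability to the file."""
    fd = recv_fd(sock)
    with os.fdopen(fd, "rb") as f:
        data = f.read()
    # Report back something the broker can check without re-reading the file.
    sock.sendall(hashlib.sha256(data).hexdigest().encode())
    sock.close()


def run_demo(content: bytes = b"constructed sample document\n") -> tuple:
    """Create a constructed file, fork the 'application', hand it the open fd
    through the broker, and return (what the child hashed, expected hash)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(content)
        path = tmp.name
    try:
        broker_end, app_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        pid = os.fork()
        if pid == 0:
            # Child: drop the broker's end so only the app's end remains.
            broker_end.close()
            try:
                sandboxed_app(app_end)
            finally:
                os._exit(0)
        app_end.close()
        fd = broker_open(path)
        send_fd(broker_end, fd)
        os.close(fd)  # broker drops its copy; the in-flight descriptor keeps the file open
        broker_end.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = broker_end.recv(4096)
            if not chunk:
                break
            reply += chunk
        broker_end.close()
        os.waitpid(pid, 0)
        return reply.decode(), hashlib.sha256(content).hexdigest()
    finally:
        os.unlink(path)
```

The broker is the only party that ever sees a pathname; if the application is compromised, its attack surface for the user's documents is limited to descriptors the user has explicitly handed over through the chooser, which is what makes the chooser a usable replacement for per-file permission bits.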

Re:chmod, chown, etc.? (1, Informative)

AuMatar (183847) | more than 7 years ago | (#17927804)

An ACL is a group of people allowed to use a file. It's a different way of implementing the same thing; you can convert an ACL to a Unix group by creating a group and adding everyone you would add to the ACL to the group. It's just changing where the overhead is: per-file overhead of an ACL and the high overhead of ACL checking on access, or a high number of groups in the OS, overhead to the user of group creation, and low run-time overhead of checking group membership.

Re:chmod, chown, etc.? (0)

Anonymous Coward | more than 7 years ago | (#17927898)

Your definition of ACL is a little weak and misses the true capabilities that a rich ACL system provides. ...or said another way you could map Unix file permissions into file related ACLs but you cannot always map ACLs into Unix permissions.

Re:chmod, chown, etc.? (0)

Anonymous Coward | more than 7 years ago | (#17927936)

Mind you, you can't always. For example, in Unix you can't give one group of people read access to a file and another group write access.

Re:chmod, chown, etc.? (1)

AuMatar (183847) | more than 7 years ago | (#17928010)

You could with a trivial tweak to the Unix model. I'm surprised someone hasn't done that to Linux yet.

Re:chmod, chown, etc.? (3, Interesting)

cduffy (652) | more than 7 years ago | (#17928126)

Once you do that, it isn't the traditional Unix model anymore -- it's something more like POSIX ACLs, which Linux *does* support, and which *does* provide the ability to give one group write while another has read.

I think the traditional UNIX model is too simple to call bolting on a List of names and permissions used for Access Control (in place of the user/group/mask approach) a "trivial tweak".

Re:chmod, chown, etc.? (5, Insightful)

pla (258480) | more than 7 years ago | (#17927814)

I wonder if the author's used chmod, chown, etc.? What's the essential difference between Unix style permissions and other permission systems?

Well, Windows uses the ACL system of permissions it stole from VMS. It actually does provide more control (that you don't need 99.9% of the time), such as multiple groups having different levels of permissions.

Increasingly complex file-level security does come with one major drawback, however... I can look at a file under Linux and instantly tell (possibly with a quick check of the members of a single group) who has what access to it. Under Windows, good luck with that. XP actually has an advanced security tab, "Effective Permissions", solely for the purpose of testing what access a given user has to a file or directory. Short of that tool, some of the more complex possible configurations (which don't take any sort of unrealistically contrived setups to get, such as a combination of local and domain groups having both inherited and locally set permissions) would leave you feeling very uncomfortable guessing who has access to a given file. And of course, that tab only lets you check one user or group at a time, so it proves utterly useless in answering the simple question "Who can overwrite this file".

In fairness, you could write a script to test every user and group against a given set of files and directories and generate a report off the output, but seriously, would anyone really consider that "better" than "0750, yup, that looks good"?

Windows ACL permissions are nice (2, Insightful)

Colin Smith (2679) | more than 7 years ago | (#17927976)

Pity they're so badly set by default. Unix could do with allowing groups within groups. It would allow admins to add group permissions to a resource and then add user groups to the resource group. It's sort of possible using NIS, but then you're stuck with NIS. The simplicity of Unix permissions is handy, but you can have that same simplicity using Windows just by managing the ACLs properly.

Still, the fact that Unix permissions are still around, being used and adequate for most people is a testament to the concept.

Re:chmod, chown, etc.? (1)

value_added (719364) | more than 7 years ago | (#17928278)

Well, Windows uses the ACL system of permissions ... does provide more control (that you don't need 99.9% of the time)

I'd add that "not needed" is often synonymous with "never used".

Increasingly complex file-level security does come with one major drawback, however... I can look at a file under Linux and instantly tell (possibly with a quick check of the members of a single group) who has what access to it.

That's the key. Unix file permissions are straightforward, standard, and in your face at all times. Granted, Windows has a philosophy of dumbing things down, or obscuring things to give the user an appearance of simplicity, but past that, ACLs aren't very manageable by users or administrators without undue effort, time, and knowledge. Put another way, the Windows Explorer interface (or any registry tool) doesn't display permission information (requiring the use of tools like xcacls, etc., or rummaging through numerous dialog boxes, instead), and even if it could, few could make sense of it, let alone put it to good use.

Re:chmod, chown, etc.? (1)

oggiejnr (999258) | more than 7 years ago | (#17928450)

On a Windows XP Pro machine, the Explorer properties dialog will display all of the permissions providing Simple File Sharing is turned off

Re:chmod, chown, etc.? (0)

Anonymous Coward | more than 7 years ago | (#17928536)

Riiight.

Security setups are only as complicated as you make them. So I doubt you'll run into such cases very often (unless you're using deny permissions which makes everything more complicated).

Last week I saw a very simple and realistic setup on a directory tree. Developers can read and write (two). Users (the two people who can program the machine accessed with this system) can read and execute the code. Nobody else can touch it. How do you handle that with just an owner-group-all system?

I can right away tell who can write. Just look through the permission list and see that developers_XYZ are the only ones with write access, and get the list of users from that group.
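The two questions the thread keeps circling, "who can overwrite this file" (pla, above) and "developers rw, users rx, nobody else" (the scenario in the post just above), are both answered by running the POSIX.1e ACL access algorithm over a list of principals. The following is an added example, not code from any of the posters or from Linux: it models the acl(5) evaluation order (owner, named user, owning group and named groups under the mask, other) in plain Python so that it can be run without a filesystem that supports ACLs. The principals, the `project_acl` scenario and the `classic_mode` comparison are constructed here for illustration; the mask semantics follow the POSIX.1e draft that Linux implements.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, FrozenSet, List, Optional

R, W, X = 4, 2, 1  # permission bits, same encoding as the chmod digits


@dataclass(frozen=True)
class Principal:
    name: str
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Acl:
    """A POSIX.1e-style ACL: the three classic entries plus optional named
    users, named groups, and a mask that caps every entry except owner and other."""
    owner: str
    group: str
    user_obj: int
    group_obj: int
    other: int
    users: Dict[str, int] = field(default_factory=dict)
    groups: Dict[str, int] = field(default_factory=dict)
    mask: Optional[int] = None


def classic_mode(owner: str, group: str, mode: int) -> Acl:
    """Plain Unix mode bits expressed as a minimal ACL (no mask, no named entries)."""
    return Acl(owner, group, (mode >> 6) & 7, (mode >> 3) & 7, mode & 7)


def with_mask(acl: Acl, mask: int) -> Acl:
    return replace(acl, mask=mask)


def check(acl: Acl, who: Principal, want: int) -> bool:
    """acl(5) access check: the first matching class decides, except that every
    matching group entry is tried before the request is refused. Note that a
    principal who matches a group entry never falls through to 'other'."""
    cap = acl.mask if acl.mask is not None else (R | W | X)
    if who.name == acl.owner:
        return (want & acl.user_obj) == want
    if who.name in acl.users:
        return (want & acl.users[who.name] & cap) == want
    group_matched = False
    candidates = [(acl.group, acl.group_obj)] + list(acl.groups.items())
    for name, perm in candidates:
        if name in who.groups:
            group_matched = True
            if (want & perm & cap) == want:
                return True
    if group_matched:
        return False
    return (want & acl.other) == want


def who_can(acl: Acl, people: List[Principal], want: int) -> List[str]:
    """Answer 'who can do X to this file' by evaluating every known principal."""
    return sorted(p.name for p in people if check(acl, p, want))


# Constructed sample principals for the directory-tree scenario.
PEOPLE = [
    Principal("carol", frozenset({"admins"})),      # owns the tree
    Principal("alice", frozenset({"developers"})),
    Principal("bob", frozenset({"users"})),
    Principal("mallory", frozenset()),
]


def project_acl() -> Acl:
    """developers: rw, users: rx, nobody else; the owner keeps rwx."""
    return Acl(owner="carol", group="developers", user_obj=R | W | X,
               group_obj=R | W, other=0, groups={"users": R | X}, mask=R | W | X)
```

With only owner/group/other bits the same tree cannot be expressed: mode 0770 shuts the users group out entirely, and 0775 lets everyone read. The mask is the part that trips people up in practice: `with_mask(project_acl(), R)` silently drops alice's write and bob's execute even though their entries still say otherwise, which is why `getfacl` prints an `#effective:` column.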

Re:chmod, chown, etc.? (1)

dbIII (701233) | more than 7 years ago | (#17928062)

What's the essential difference between Unix style permissions and other permission systems?

There are people that propose shortcuts so users don't have to use chmod or chown in any form and can arbitrarily create new de facto groups. Some of these people have some good ideas, others consider the group controls too restrictive and requiring specific people to set things up and others just don't understand the concept of allowing groups of users to access files at all. Large organisations often need tight restrictions but have time constraints on anyone who has the permission to set up groups and medium sized ones can have security policies lax enough to have financial database admin passwords written on bits of paper attached to monitors so they don't get this user/group/all permissions thing.

There's also stuff like preventing access to directories after 5PM which I see mainly as a reason to phone sysadmins at 3AM just waiting to happen. Personally I haven't yet hit a situation where I need more than the unix permissions and really see security problems with the concept of an inexperienced temp employee creating and dissolving de facto groups but other situations have other problems.

Re:chmod, chown, etc.? (1)

Goaway (82658) | more than 7 years ago | (#17928128)

I wonder if the author's used chmod, chown, etc.?

Obviously not. You are so much smarter than them.

Yes, better security... (5, Funny)

TinBromide (921574) | more than 7 years ago | (#17927320)

So, I bet that my cell phone has better security than a $5000 vista laptop, but you can do stuff on that laptop that you can't on my phone. (not sure what, but I'm sure there's something porn related)

Re:Yes, better security... (0, Redundant)

Nazlfrag (1035012) | more than 7 years ago | (#17927884)

To be fair, you can get porn on your mobile too, it just looks a lot like the porn you used to get on your C=64.

Re:Yes, better security... (0)

Anonymous Coward | more than 7 years ago | (#17928380)

au contraire, I'm not familiar with $5k laptops, but even free cellphones vibrate.

Re:Yes, better security... (2, Insightful)

supabeast! (84658) | more than 7 years ago | (#17928406)

On top of the functionality issue, there's also the time and skill of the users to consider. People who can afford high-end laptops can usually deal with reformatting the hard disk and grabbing documents from a network share, the last thing poor children need to do is stop their lives to reformat their laptops.

Drastic? (3, Insightful)

geomon (78680) | more than 7 years ago | (#17927322)

"drastically more secure and provides drastically more usable security"

Drastic?

I'd be willing to work toward "acceptable" or "workable".

The problem with "drastic" is that it often envisions high frontier technologies when all that is needed is a really well thought out plan.

If the UNIX system worked well for nearly 40 years, and was fairly simple to implement, then another 40 years *might* be had with something equally simple.

Re:Drastic? (2, Insightful)

kabocox (199019) | more than 7 years ago | (#17927550)

The problem with "drastic" is that it often envisions high frontier technologies when all that is needed is a really well thought out plan.

If the UNIX system worked well for nearly 40 years, and was fairly simple to implement, then another 40 years *might* be had with something equally simple.

Nah, we'd need something drastic to fix what we currently have. Linux/Unix wouldn't help if it became dominant and users gave out root passwords to every program that asked nicely for them. I've just read the intro, and this sounds like it would be awesome if it works. I'm taking a wait-and-see outlook for the entire project. When the project gets to the point where slashdot could buy 1 million of these and all slashdotters bought several $100 laptops for each family member then we'd find out the limits of this system. I'd like to see if my mom could play her AOL flash games on this thing without tons of spyware getting installed in the process. Until this system is rolled out and being used, we just don't know if it is better, worse, or about the same as our current security models. I'd wait 4-5 years after it's been rolled out to a few million kids to see if hackers have owned the entire system or if it runs as they said it should. The hackers could always break into the system the way that a legitimate program from the cert. authority would. What happens when poorly written AOL flash games or spyware is certified from the government purchaser or a hacker uses the gov. cert. keys to run on those computers?

Re:Drastic? (1)

Tom (822) | more than 7 years ago | (#17927762)

Until this system is rolled out and being used, we just don't know if it is better, worse, or about the same as our current security models

No, but heuristics tell us that it's worse. Every new security system is worse, because it doesn't yet have the flaws found. Crypto people (who do a similar job to security people, but more professional in almost all cases) consider every new crypto broken until it has sustained some scrutiny from experts and is still standing.

I am a strong supporter of taking the same approach with new security systems: Consider them insecure until the worst bugs have been ironed out.

Re:Drastic? (1)

monkeydo (173558) | more than 7 years ago | (#17927856)

Yes, it is less secure if "secure"=="verifiably secure". But that's not really a practical way of talking about security. On the day that you decide that the system is verifiably secure, it isn't really any more secure than it was when you started. However, your insurance costs should be lower.

Re:Drastic? (3, Insightful)

Harmonious Botch (921977) | more than 7 years ago | (#17927598)

I'll offer my 'well thought out plan': Real security only happens when there is a button ( with a missile-launch-type cover ) on the side of my computer, so that some tracks of disk and some banks of memory cannot be written to unless that button is pushed.

Re:Drastic? (3, Funny)

AuMatar (183847) | more than 7 years ago | (#17927832)

There already is, minus the cover. Its marked "Power". You can add the cover via a case mod.

Re:Drastic? (3, Insightful)

4e617474 (945414) | more than 7 years ago | (#17927940)

I just had to su change the permissions on a config file so I could change the settings on vegastrike to steer with the mouse. With your model (yes, I detected the humor) developers would design around the "they can just hit the button" principle, even when they are writing things to "just work" remotely. Security will happen when people learn:

  1. This is a computer. You need to know how it works and what you're doing as you use it. Alternatively, you can wash dishes for a living and go outside and play when nothing is on TV.
  2. Some people are your friends and give you a bunch of stuff for nothing. Some people are not your friends, but pretend to be.
  3. Even your friends do not need to borrow your identity.

They better get it right the first time (1)

NosTROLLdamus (979044) | more than 7 years ago | (#17927324)

They better get it right the first time because they might not have such an easy time rolling out those patches.

$5000 laptop? Pulleeze!! (0, Offtopic)

Anonymous Coward | more than 7 years ago | (#17927328)

Could children with a $100 laptop end up with a better security infrastructure than executives using $5000 laptops powered by Vista?

What executive, or any human being do you know is using a $5000 laptop? Even the most hardcore geeks I know spend only up to about $2k for the best laptops.

Sounds like more slashdot FUD to me. It's amazing that even though slashbots rail against FUD when Microsoft does it, they exaggerate and lie with the best of them.

This example on the front page is more evidence of that.

Re:$5000 laptop? Pulleeze!! (1)

p0tat03 (985078) | more than 7 years ago | (#17927450)

With all that proprietary software people love using, and the high cost of maintaining a corporate IT infrastructure, the cost-of-ownership for a single corporate laptop well exceeds $5000. It may in fact exceed $10K over its lifetime, especially if security is poor and requires constant IT intervention both in patching and rescuing/replacing dead machines.

The summary surely exaggerated, but if you think about it, companies are (in the end) paying very exorbitant prices for laptops, and most of that is for the guarantee that it will always work, or if not, the turnaround time for repair/replacement is short. I know IBM in the old days developed a lot of backend tools for ThinkPads to allow total replacement of a broken laptop with a new one - data intact and all, within hours. That costs money.

Re:$5000 laptop? Pulleeze!! (5, Informative)

Whiney Mac Fanboy (963289) | more than 7 years ago | (#17927454)

What executive, or any human being do you know is using a $5000 laptop? Even the most hardcore geeks I know spend only up to about $2k for the best laptops.

Hardcore geek != executive.

You've obviously never met an executive, they don't have the slightest problem splashing out (from the company account) well upwards of $5000. They think they're worth it.

Re:$5000 laptop? Pulleeze!! (0)

Anonymous Coward | more than 7 years ago | (#17928008)

You've obviously never met an executive, they don't have the slightest problem splashing out (from the company account) well upwards of $5000. They think they're worth it.

Umm, it's obvious you have no idea what you are talking about. At my company, one of the largest in the world, executives are like all other employees and their computers are given and supported by the IT dept. I've seen this firsthand. Your "company account" in your scenario is fiction. If your scenario actually happened, they would be out the door pretty fast.

Please get a clue before you talk out of your ass like that. It's embarrassing how clueless you are about the real world.

Re:$5000 laptop? Pulleeze!! (1)

Whiney Mac Fanboy (963289) | more than 7 years ago | (#17928144)

At my company, one the largest in the world, executives are like all other employees and their computers are given and supported by the IT dept.

You're basing your view of executives from one anecdotal experience in one company - and accusing me of being "clueless about the real world"?

When you've worked at a few more companies, you'll understand that executives in different companies have different behaviour!

In your company, they sound reasonable - but you point out that you work for "one of the largest" companies in the world.

In other companies (especially medium sized ones), executives have more power, more spending discretion and less restraint. Abuse of these powers is not uncommon.

Re:$5000 laptop? Pulleeze!! (1)

failedlogic (627314) | more than 7 years ago | (#17928104)

Hi, this is your boss. It's nice to know one person acknowledges this. My current laptop is too cheap. It's not worth as much as I know I am worth. I need a laptop with (I think my interns call it "Bling" nowadays): 24K Gold outside and diamond encrusted keyboard keys. I have a meeting with CHAOS tomorrow and I need to impress (those groups striving for world domination, sheesh! a tough bunch). Oh did I mention? ... the supplier closes in 10 minutes. Have a flight at 06:00 tomorrow. Need it on my desk by 05:00. I just lost $100k typing this. My time is valuable. Hurry!

At the moment (2, Funny)

Peter Bonte (919202) | more than 7 years ago | (#17927360)

At the moment every other OS has better security than Windows, what's new?

Re:At the moment (1)

physicsboy500 (645835) | more than 7 years ago | (#17927708)

At the moment every other OS has better security than Windows, what's new?

That's true... even the brand new Linux "Backdoor" distro has better security!

Re:At the moment (0)

Anonymous Coward | more than 7 years ago | (#17928298)

At the moment, most children's rooms have better security than windows - sure there may be no locks on the doors, but at least kids have the knowledge to close the doors when they want privacy! Windows may not exactly be the great advocate of open source - but let's just say all the Windows are open - and in the source community we see that as indirectly supporting us! (by building such a shitty alternative to OS).

Maybe the industry would improve things? (1)

gavink42 (1000674) | more than 7 years ago | (#17927372)

It would be nice (but completely unexpected) if the industry followed suit and built on some of those concepts. Perhaps the result would be improved security for everyone!

I'd rather hope not... they'll use it for DRM. (1)

gd23ka (324741) | more than 7 years ago | (#17927626)

See subject line. They're hell-bent on locking you out of your
machine, the latest Vista antics are just the start, wait til
they become enforced in silicone.

Re:I'd rather hope not... they'll use it for DRM. (2, Informative)

Anonymous Coward | more than 7 years ago | (#17928006)

Silicone is for tits. Silicon is for computers.

Re:I'd rather hope not... they'll use it for DRM. (0)

Anonymous Coward | more than 7 years ago | (#17928500)

Wait until they rights manage your tits then.

Getting barbaric on their @$$es (1)

eviloverlordx (99809) | more than 7 years ago | (#17927374)

So, if someone tries to break the security, does Heimtdallr come out and kick their butts?

Origin/rationale for name (5, Interesting)

dewarrn1 (985887) | more than 7 years ago | (#17928538)

From the spec [laptop.org] linked from the article, section 11:

In Norse mythology, Bifrost is the bridge which keeps mortals, inhabitants of the realm of Midgard, from venturing into Asgard, the realm of the gods. In effect, Bifrost is a powerful security system designed to keep out unwanted intruders.

This is not why the OLPC security platform's name is a play on the name of the mythical bridge, however. What's particularly interesting about Bifrost is a story that 12th century Icelandic historian and poet Snorri Sturluson tells in the first part of his poetics manual called the Prose Edda. Here is the relevant excerpt from the 1916 translation by Arthur Gilchrist Brodeur:

Then said Gangleri: "What is the way to heaven from earth?"

Then Harr answered, and laughed aloud: "Now, that is not wisely asked; has it not been told thee, that the gods made a bridge from earth, to heaven, called Bifrost? Thou must have seen it; it may be that ye call it rainbow.' It is of three colors, and very strong, and made with cunning and with more magic art than other works of craftsmanship. But strong as it is, yet must it be broken, when the sons of Muspell shall go forth harrying and ride it, and swim their horses over great rivers; thus they shall proceed."

Then said Gangleri: "To my thinking the gods did not build the bridge honestly, seeing that it could be broken, and they able to make it as they would."

Then Harr replied: "The gods are not deserving of reproof because of this work of skill: a good bridge is Bifrost, but nothing in this world is of such nature that it may be relied on when the sons of Muspell go a-harrying."

This story is quite remarkable, as it amounts to a 13th century recognition of the idea that there's no such thing as a perfect security system.

Promising if they manage to follow through (2, Insightful)

Lifyre (960576) | more than 7 years ago | (#17927388)

This would indeed be a nice step forward in security if they manage to complete all their principles and goals. It would be nice to have a system that I can hand out to users (or family members) that is basically secure out of the box but with a little reading and changing of settings I can obtain full control over. The idea that it would be open is certainly a nice boost to credibility and would, if successful, push all security forward and not just their own.

Should have been in the summary: (0)

Anonymous Coward | more than 7 years ago | (#17927414)

The two links given in the summary give an overview of the goals of the security system; the actual details are at http://dev.laptop.org/git.do?p=security;a=blob;hb=HEAD;f=bitfrost.txt [laptop.org]

Re:Should have been in the summary: (1)

ThosLives (686517) | more than 7 years ago | (#17927602)

Reading through the details is still a bit discouraging. They seem to still give programs the ability to specify and manage privilege.

I would rather have a system that indicated to the person installing something what types of resources an application might use, and then the person explicitly making or not making connections. For instance, in the example of solitaire used in the link above, the installer should have a picture of the application, and maybe pictures of "the network", a pen (to represent the ability to write files) that then points to certain locations, and a...i don't know what icon would represent "read"...that you'd then link to various readable resources; perhaps a lightswitch to show which other programs a program might execute....

I don't care what a program wants to access, I would want the ability to control all of it. Even things like the scheduler....I hate it when programs just start running in the background without me telling them to run (most installers are notorious for not telling you what things they install beside the main application itself).

And, by the way, if the ideas I've proposed above haven't been proposed before, I now declare them in the public domain for free use.

Re:Should have been in the summary: (0)

Anonymous Coward | more than 7 years ago | (#17928032)

wow, thanks dude! you are so generous!

Re:Should have been in the summary: (1)

Edward Kmett (123105) | more than 7 years ago | (#17928296)

The problem is that offering total control out of the box goes against one of their design concerns. You can't rely on a little kid to respond intelligently to a dialog box asking for explicit permission management when they can't yet read.

You would prefer total control over initial application permissions. There doesn't appear to be anything fundamental preventing an advanced user from enabling that sort of thing in a security GUI so that every time a package is installed they get prompted, its just not a viable default.

Sand dunes (3, Insightful)

Space cowboy (13680) | more than 7 years ago | (#17927426)

The idea of putting every application into a virtual machine is a good one, but the truism is that security *is* a process, not a checkbox on a feature-list. There is (and always will be) an inverse relationship between security and usability - the more of one, the less of the other. Compartmentalising the applications in such a draconian fashion would appear to be heavily leaning towards the security side, and not the usability side of the argument.

The article talks about the picture-viewer not being able to access the web. What if I *want* the picture-viewer to access the web ?

I think I take issue with 99% of applications not needing interaction. If that's true (and I doubt it to be honest), I think that's a failing of software today, not a goal to be strived for. Most of the apps I use daily require web/internet access. I think that's only going to increase over time.

Simon

Re:Sand dunes (1)

dave562 (969951) | more than 7 years ago | (#17927514)

Compartmentalising the applications in such a draconian fashion would appear to be heavily leaning towards the security side, and not the usability side of the argument. The article talks about the picture-viewer not being able to access the web. What if I *want* the picture-viewer to access the web ?

Given that the laptops are being given to children who will probably be doing research, it seems like they might run into problems when the kids want to "quote" from a website by "copying and pasting" from the browser app into the word processing application.

Re:Sand dunes (1)

Qzukk (229616) | more than 7 years ago | (#17927740)

I think I take issue with 99% of applications not needing interaction.

So you absolutely need Word to mail merge with your IM clients, which are stored in your thunderbird contact list? Does your FTP client use an excel spreadsheet to keep track of your favorite warez sites and passwords?

I can think up dozens more cases where interaction could be used but I suspect that having excel browse the web for pr0n and forward random pictures to your buddy list is not high up on the list of things it needs.

Re:Sand dunes (1)

jonbryce (703250) | more than 7 years ago | (#17927866)

I do however have excel browse the web for today's stock prices, and push the values into an access database containing my financial information. This is of course what Bill Gates had in mind when he introduced this functionality. The difficult bit is letting me do this without it also doing what you describe above.

Re:Sand dunes (1)

complete loony (663508) | more than 7 years ago | (#17927868)

What we're talking about here is a stable distribution. Where the OS requirements and features of each application is already well known. Limiting these applications so the OS only allows them to do what they should be doing makes perfect sense. That way, if there is some kind of exploitable code, no further damage can be done.

Re:Sand dunes (1, Informative)

Anonymous Coward | more than 7 years ago | (#17927954)

Well, if you read the spec, and the picture viewer is a benign program, then you can grant the picture viewer web access permissions. It can request this access right at install time.

Of course, if the picture viewer has no ability to access the web (has no web features say) then it doesn't request that feature from the OS at install time, and thereafter if it is ever compromised (e.g., buffer overrun in the JPEG decoder), it still cannot access the web.

I think this forces developers to think about interprogram interaction and design good protocols for it instead of just ad hoc flinging data around.

Re:Sand dunes (0)

Anonymous Coward | more than 7 years ago | (#17928088)

The idea of putting every application into a virtual machine is a good one

Every app is essentially in its own VM. They all run within a private address space. System calls to the OS let it talk outside of that address space. You'd need the exact same mechanisms to poke holes in your proposed per-app VM to access shared network, disk, or other resources.

The question that you should be asking is how do those holes get opened, what scope do they have, and how do you revoke them later. The current OS sandbox/VM model is essentially all-or-nothing.

see http://www.ischool.berkeley.edu/~ping/sid/design.html

Re:Sand dunes (4, Informative)

Edward Kmett (123105) | more than 7 years ago | (#17928212)

Read more closely.

The document said that it was not possible for the application to request P_DOCUMENT_RO access and network access simultaneously during installation.

But it also said that it was perfectly OK for a user to go in and explicitly grant P_NET access via the GUI to an application with P_DOCUMENT_RO access, thereby giving you an application that is able to read your images and mass upload them to teh interweb, but only to those users who know enough to explicitly use the security interface.

Also the OLPC or local government could issue a signed XO package that offered that functionality to younger children.

Internet, huh? (0)

Anonymous Coward | more than 7 years ago | (#17927436)

So, this company is going to provide a bunch of children in developing companies with laptops that need to be connected to the internet on a weekly basis to authenticate its cryptography in order to keep working. I know the article says they have long range wifi but I'm sure Brazil has quite a hell of a lot of land that you can't get internet access from. Oh, and talk about a tempting target for hackers. If I manage to take down your authentication site then I get to nuke how many thousands of computers?

Even XP will let you use the OS if you don't authenticate, you just aren't privy to updates.

More Power to Em (2, Insightful)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17927472)

This really is a good idea and hopefully others will follow suit. Applications simply are not all trustworthy and the assumption that they are is a huge failing of most modern OS's. I hope they get this right. There are a lot of pieces here no one has perfected. They need restrictions, proper services between applications and to them, granular levels of trust, or ACL profiles, means of easily and accurately assigning those trust levels, and a well crafted UI for programs that want to override their trust level. Best of luck to them.

Re:More Power to Em (3, Informative)

Tom (822) | more than 7 years ago | (#17927692)

RTFA. This only protects "against" benign software. Intentionally malicious software has a few hurdles to jump over, but at least the app permission part requires the cooperation of the software in question. In other words: It protects against misbehaving or misappropriated software only.

Plus it's only a matter of time before the first solitaire clone ships with a "request everything available (and not conflicting with their simple limits model)" setting, because the app dev was too lazy to tie things down.

If you want a glance at that, install SELinux in non-enforcing mode and look at the log. You'll be surprised what kinds of system calls and file accesses your simple applications make that they don't really need. Much of that is just routine init stuff from some library they use, and most fails silently and with no trouble if they can't get that port or file lock they request, but still...

Umm, how's this gonna work? (1)

kjkeefe (581605) | more than 7 years ago | (#17927474)

We have set out to create a system that is both drastically more secure and provides drastically more usable security than any mainstream system currently on the market.'

More secure? Kind of... More usable? Ummm, no... From TFA it seems that they are securing apps by running each application in a separate VM sandbox. However, that's going to destroy usability because none of the apps will be able to talk to one another. Which sounds to me like TFA is just not digging in deep enough to what is really going on. Otherwise, they are going to be creating A LOT more work than they really need to...

Also, with such a hugely fundamental change to how applications function in the OS, what current software is going to work with it?

Re:Umm, how's this gonna work? (1)

Wesley Felter (138342) | more than 7 years ago | (#17928194)

The OLPC project gave up on existing software years ago. All OLPC applications must be written (or ported) specifically for OLPC.

Re:Umm, how's this gonna work? (1)

Zerathdune (912589) | more than 7 years ago | (#17928466)

Also, with such a hugely fundamental change to how applications function in the OS, what current software is going to work with it?

Good question:

The laptops are also possibly the first time that a mainstream computing product has been willing to give up compatibility with legacy programs in order to achieve strong security.

Say It Ain't So (0)

humphrm (18130) | more than 7 years ago | (#17927520)

Unix security and file permissions aren't enough??? Say it ain't so, Joe!

Next we'll have dogs and cats living together.

Even worse (1, Interesting)

imipak (254310) | more than 7 years ago | (#17927532)

Even the crappy POSIX-compliant NT ACL model is far superior to the standard unix WRX model. No, before you start, as it happens I loathe Microsoft in particular (and proprietary vendors in general) and use Free software wherever possible even when it's technically inferior -- as is the case with filesystem permissions, where Linux has been behind Windows since NT 3.51, 1993 IIRC. Yes I know about the various security add-ons and kernel mods, grsec, SELinux, blah blah. Doesn't change a thing.

Netware was also better in this respect whilst it was still in mainstream use, despite being more of a runtime system than a real OS.

Re:Even worse (1)

vadim_t (324782) | more than 7 years ago | (#17927744)

So I don't understand, what's the problem?

If you want something better than what Windows has, use SELinux. Of course, it's quite headache inducing, but it's definitely far more advanced than ACLs.

If that's too complicated, use ACLs, that's in the kernel as well.

And there are always the standard UNIX permissions to fall back on, which aren't all that bad, by the way. Yes, the ACL model is more complete, but the old UNIX permissions are more straightforward. The nice thing of RWX is that you can condense the permissions in a few characters (or digits).

AFAIK, on Windows there's no way to do something like "ls -l" and see all the permissions info on every file in the directory at once, as the ACLs can be arbitrarily long. ACLs are great in their functionality, but a pain in that you can't easily know your security settings.

For example, is it possible, in a standard Windows installation, with nothing extra added, to find out whether all the files in one directory have the same permissions and find few ones that have the wrong ones? In Linux, it's ridiculously easy, "ls -l | sort". In Windows I have no clue how to do that without getting RSI.

Re:Even worse (2, Insightful)

imemyself (757318) | more than 7 years ago | (#17928132)

One of the problems that I have had with Unix permissions is that - irregardless of ACL's - RWX is not enough for file servers. Being able to choose more specifically what a user can do (for example, Windows supports things like create files, create folders, take ownership, change permissions, etc). The biggest problem I have is that there is no way to change ownership of files if you're not root. Same thing with changing permissions, if you're not the owner. There are also some instances where I do not want the owner to be able to change permissions. Windows and Netware/OES make it relatively easy to specify more granular permissions. While some of this may be possible on Linux, I doubt it would be as easy or quick to use as it would be on Windows/Novell.

Now, I admit that it can be a pain to do stuff from the command line on Windows, however, that hopefully will get a bit better with PowerShell.

Now SELinux might change some of that, but from my very limited experiences, it is (or at least was a year and a half ago) a PITA to deal with. That being said, I'm sure it's improved since I've tried it. However, isn't it more for limiting what a program can do (who it can talk to, network access, etc), than file permissions?

Re:Even worse (1)

djcapelis (587616) | more than 7 years ago | (#17928360)

Okay, first off:

> (for example, Windows supports things like create files, create folders, take ownership, change permissions, etc).

All of these except take ownership can be done with the standard RWX system. For multiple users changing permissions or multiple owners, read man setfacl. Take ownership can be implemented via CAP_FOWNER, or, for some types of setup, SUID or SGID... which, by the way, is not something windows allows. Windows also doesn't have symlinks, hardlinks or extended attributes such as chattr +a, chattr +i, or really any of them. (Hardlinks by the way, make the standard unix permissions system much more useful, but given that most people come over from windows and never really became at all familiar with the concept of hard links, using them is far out of their reach.)

Just because you don't know how to do this doesn't mean the capabilities to do so aren't built into the system in a well-documented and robust fashion. (Try the man pages for documentation, this is all there.)

> I doubt it would be as easy or quick to use as it would be on Windows/Novell.

Given that you haven't mastered RWX or hardlinks, I'd say this is little more than speculation. For me, the unix system is vastly easier to use as I can set it on ranges of files from my shell with a few keystrokes and windows I'd have to essentially navigate a series of really rather annoying brain-deadening dialogs. (Although to be fair, the windows command line ACL tools (yes, I know how to use them) aren't actually that bad but I'm guessing you don't know how to use those either...)

I think the one thing we can both agree on is SELinux is not the right solution for much of anything.

Re:Even worse (0)

Anonymous Coward | more than 7 years ago | (#17928188)

AFAIK, on Windows there's no way to do something like "ls -l" and see all the permissions info on every file in the directory at once, as the ACLs can be arbitrarily long. ACLs are great in their functionality, but a pain in that you can't easily know your security settings.

cacls *.*

The output isn't quite as concise as 'ls -l', but the info is there.

Re:Even worse (2, Informative)

patchvonbraun (837509) | more than 7 years ago | (#17928116)

Linux has had IRIX-style ACLs and POSIX ACLs for quite a long time: the "chacl" and "setfacl" commands. This has been in all the popular distributions of Linux since forever. Unix permissions started out with just the RWX model, but ACLs were added a *long* time ago to mainstream Unixen, and Linux followed shortly after. The problem with ACL systems is that they're generally too complicated to manage by mere mortals, and they're a pain to maintain. That's true whether you're talking Winderz, Unix, Linux, Multics, whatever.

Further, the "sandboxing" model is nothing new. SELinux has facilities for doing this--quite ornate facilities, in fact. Formulating appropriate "sandboxing" policy for every application is even more of a pain than ACLs. In fact, there's still a whole lot of "grad school fever" about automated methods for determining "correct" policy for systems like SELinux, both based on a formal description of programs' behaviour, and runtime analysis. It ain't easy.

SELinux has been standard in Linux kernels for about 1 (or is it two?) years. Many of the distributions, including Fedora, include the high-level support tools for SELinux.

Parent Comment is GOOD (1)

ratboy666 (104074) | more than 7 years ago | (#17928420)

Sorry, I don't have mod points.

But, yes, I find ACLs *very* hard to manage. In general, RWX is easy to work with -- may need to create extra groups, but I can follow, document, and understand.

One Desktop per Village would be a better start (0, Offtopic)

ConfusedSelfHating (1000521) | more than 7 years ago | (#17927572)

I think it would be a lot easier to have a goal of putting one handcrankable desktop in every village. You could make something heavy, durable and difficult to steal. You may be able to set up a low bandwidth wireless connection so that isolated villages could communicate with the outside world (I'm thinking a low frequency radio signal with a lot of range, but low bandwidth). The BBC/UN/etc could broadcast news and other information on radio frequencies usually reserved for AM/FM radio. We are in such an information glut that we often forget that 2400 baud modems were useful in their day. We expect video, but text can still be very useful. The information technology needs of a Third World village are pretty limited and this would satisfy them. It would be very inexpensive and require little expertise to setup. If it failed, the consequences would be minimal. If it succeeded, then more elaborate steps could be taken.

The problem with the One Child Per Laptop is that it is too ambitious. The United States was quite capable of delivering one laptop per person trapped in New Orleans during Hurricane Katrina. Would that have solved their problem? No and that's in one of the most advanced countries in the world. If you give a laptop to a kid in Haiti/Nigeria/Afghanistan, they are going to get it stolen. And that's just for the raw material of the laptop. Have you seen pictures of Chinese workers stripping old computers for their component materials? And there are countries a lot poorer than China. The idea of setting up reliable public wireless networks in the Third World is absurd. Talking someone with a non-technical university degree through a wireless setup for their house can be quite frustrating. And we're supposed to believe that public wireless networks can be setup in the poorest cities in the world without a glitch? And for little money at that.

Why would we be concerned about security anyway? Wow, a poor kid just had his computer hacked and his homework was stolen. Does anyone think that any hacker would bother? It's much more likely that these laptops will be stolen and used for illegal purposes afterward. Unless they have terrible security, it won't be an issue.

Re:One Desktop per Village would be a better start (5, Insightful)

Goaway (82658) | more than 7 years ago | (#17928224)

I can't help but notice that the people working on this "too ambitious" project are actually out there doing it, while you are... posting on Slashdot?

Re:One Desktop per Village would be a better start (1)

SocialWorm (316263) | more than 7 years ago | (#17928340)

It's much more likely that these laptops will be stolen and used for illegal purposes afterward. Unless they have terrible security, it won't be an issue.

They've thought of this. These machines are essentially paperweights once they leave the factory until a student receives them. Regarding theft after that point, the full document says:

997 We do not expect the machines will be an appealing target for part resale. Save
998 for the custom display, all valuable parts of the XO laptops are soldered onto
999 the motherboard.

Also note the nearby information on the optional 'anti-theft daemon' which will shut down a laptop after some time if it's stolen.

Re:One Desktop per Village would be a better start (3, Insightful)

dbIII (701233) | more than 7 years ago | (#17928386)

Forget about the theft angle - the surprisingly large rate of mobile phone adoption in the third world shows valuable bits of easily stolen electronics are not all going to suddenly get sold back to westerners. These things are infrastructure and I see them as comparable to the Australian School of the Air run by radio to remote areas since the 1920s. The concept of the possibilities of such a thing is explored in fiction in "The Diamond Age" - connected to the net these things are books with a lot of answers.

very sceptical (5, Insightful)

Tom (822) | more than 7 years ago | (#17927580)

Security is a lot like crypto: Designing your own system is a recipe for disaster. Security is hard, and aside from the conceptual stages, small failures in implementation can destroy the best concept.

So anyone coming up with a "new and improved" security concept is selling an untested solution. Because security is always tested in the field, never (at least never properly) in the lab.

And yes, Unix permissions are primitive. But they work, they are reliable and we know their shortcomings and limitations.

Mod Parent Up (1)

Enderandrew (866215) | more than 7 years ago | (#17927760)

Ain't this the truth.

The one major difference to MS "trusted" computing (5, Insightful)

gd23ka (324741) | more than 7 years ago | (#17927596)

"No lockdown. Though in their default settings, the laptop's security systems may impose various prohibitions on the user's actions, there must exist a way for these security systems to be disabled. When that is the case, the machine will grant the user complete control."

That is one of the key differences between Bitfrost and Microsoft "trusted computing" schemes: you as owner of the box can get around it.

YAY for Free Software (1)

ZachPruckowski (918562) | more than 7 years ago | (#17927616)

If it's good, then I'll probably see it in my Kubuntu in about a year and half (8.10 Irrepressible Iguana). See, this is what I like about free software. Borrow the good ideas from each other.

Re:YAY for Free Software (0)

Anonymous Coward | more than 7 years ago | (#17928432)

You really need to submit that name.

I am still laughing.

OLPC's Wiki page (0)

Anonymous Coward | more than 7 years ago | (#17927630)

(damn Slashdot, just copy linked pages like this one!)

Bitfrost is the OLPC security platform. A non-technical introduction to the security problems we're attempting to solve, and our goals and principles in doing so, follow on this page. They're taken from the complete Bitfrost specification, which we invite you to peruse and discuss on the public OLPC security mailing list.

Introduction and summary

In 1971, AT&T programmers Ken Thompson and Dennis Ritchie released the first version of UNIX. The operating system, which started in 1969 as an unpaid project called UNICS, got a name change and some official funding by Bell Labs when the programmers offered to add text processing support. Many of the big design ideas behind UNIX persist to this day: popular server operating systems like Linux, FreeBSD, and a host of others all share much of the basic UNIX design.

The 1971 version of UNIX supported the following security permissions on user files:

  • non-owner can change file (write)
  • non-owner can read file
  • owner can change file (write)
  • owner can read file
  • file can be executed
  • file is set-uid

These permissions should look familiar, because they are very close to the same security permissions a user can set for her files today, in her operating system of choice. What's deeply troubling -- almost unbelievable -- about these permissions is that they've remained virtually the only real control mechanism that a user has over her personal documents today: a user can choose to protect her files from other people on the system, but has no control whatsoever over what her own programs are able to do with her files.

In 1971, this might have been acceptable: it was 20 years before the advent of the Web, and the threat model for most computer users was entirely different than the one that applies today. But how, then, is it a surprise that we can't stop viruses and malware now, when our defenses have remained largely unchanged from thirty-five years ago?

The crux of the problem lies in the assumption that any program executing on a system on the user's behalf should have the exact same abilities and permissions as any other program executing on behalf of the same user. 1971 was seven years before the first ever international packet-switched network came into existence. And the first wide-area network using TCP/IP, the communication suite used by the modern Internet, wasn't created until 1983, twelve years after Thompson and Ritchie designed the file permissions we're discussing. The bottom line is that in 1971, there was almost no conceivable way a program could "come to exist" on a computer except if the account owner -- the user -- physically transported it to a machine (for instance, on punched tape), or entered it there manually. And so the "all or nothing" security approach, where executing programs have full control over their owner's account, made quite a lot of sense: any code the user executed, she ipso facto trusted for all practical purposes.

Fast forward to today, and the situation couldn't be more different: the starkest contrast is perhaps the Web, where a user's web browser executes untrusted scripting code on just about every web page she visits! Browsers are growing increasingly complex sandboxing systems that try to restrict the abilities of such web scripts, but even the latest browser versions are still fixing bugs in their scripting engine implementations. And don't forget e-mail: anyone can send a user an executable program, and for many years the users' instinctive reaction was to open the attachment and run the program. Untrusted code is everywhere, and the only defense seems to be tedious user training and anti-virus software -- the latter assuming it's fully updated, and assuming the anti-virus makers have had time to deconstruct each latest virus and construct a defense for it.

Most technologies and approaches that constitute the Bitfrost platform do not represent original research: they have been known in the security literature for years, some of them have been deployed in the field, and others are being tested in the lab. What makes the OLPC XO laptops notable, however, is that they represent the first time that all these security measures have been carefully put together on a system slated to be introduced to tens or hundreds of millions of users. The laptops are also possibly the first time that a mainstream computing product has been willing to give up compatibility with legacy programs in order to achieve strong security. As an example, you'll find that talk about anti-virus and anti-spyware technology is conspicuously absent from the Bitfrost specification, because the security platform on the XO laptops largely renders these issues moot.

We have set out to create a system that is both drastically more secure and provides drastically more usable security than any mainstream system currently on the market. One result of the dedication to usability is that there is only one protection provided by the Bitfrost platform that requires user response, and even then, it's a simple 'yes or no' question understandable even by young children. The remainder of the security is provided behind the scenes. But pushing the envelope on both security and usability is a tall order, and it's important to note that we have neither tried to create, nor do we believe we have created, a "perfectly secure" system. Notions of perfect security in the real world are foolish, and we distance ourselves up front from any such claims.

The Bitfrost approach

Principles

  • Open design

The laptop's security must not depend upon a secret design implemented in hardware or software.

  • No lockdown

Though in their default settings, the laptop's security systems may impose various prohibitions on the user's actions, there must exist a way for these security systems to be disabled. When that is the case, the machine will grant the user complete control.

  • No reading required

Security cannot depend upon the user's ability to read a message from the computer and act in an informed and sensible manner. While disabling a particular security mechanism may require reading, a machine must be secure out of the factory if given to a user who cannot yet read.

  • Unobtrusive security

Whenever possible, the security on the machines must be behind the scenes, making its presence known only through subtle visual or audio cues, and never getting in the user's way. Whenever in conflict with slight user convenience, strong unobtrusive security is to take precedence, though utmost care must be taken to ensure such allowances do not seriously or conspicuously reduce the usability of the machines. As an example, if a program is found attempting to violate a security setting, the user will not be prompted to permit the action; the action will simply be denied. If the user wishes to grant permission for such an action, she can do so through the graphical security center interface.

Goals

  • No user passwords

With users as young as 5 years old, the security of the laptop cannot depend on the user's ability to remember a password. Users cannot be expected to choose passwords when they first receive computers.

  • No unencrypted authentication

Authentication of laptops or users will not depend upon identifiers that are sent unencrypted over the network. This means no cleartext passwords of any kind will be used in any OLPC protocol and Ethernet MAC addresses will never be used for authentication.

  • Out-of-the-box security

The laptop should be both usable and secure out-of-the-box, without the need to download security updates when at all possible.

  • Limited institutional PKI

The laptop will be supplied with public keys from OLPC and the country or regional authority (e.g. the ministry or department of education), but these keys will not be used to validate the identity of laptop users. The sole purpose of these keys will be to verify the integrity of bundled software and content. Users will be identified through an organically-grown PKI without a certified chain of trust -- in other words, our approach to PKI is KCM, or key continuity management.

  • No permanent data loss

Information on the laptop will be replicated to some centralized storage place so that the student can recover it in the event that the laptop is lost, stolen or destroyed.

If this subject matter interests you, please read the complete Bitfrost specification, join the OLPC security mailing list, share your thoughts, and join the discussion.

Retrieved from "http://wiki.laptop.org/go/Bitfrost"
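Two behaviours the thread keeps circling back to are the install-time rule Edward Kmett summarises above (a bundle may not request P_DOCUMENT_RO and P_NET together, though a user can add P_NET later through the security center) and the "Unobtrusive security" principle in the wiki excerpt (a violating action is simply denied, never prompted for). The following Python model is an added illustration written for this page, not OLPC's Bitfrost code; the manifest shape, the `Activity` class and the audit log are constructed for the example.

```python
"""Illustrative model of the Bitfrost permission rules discussed above.

Not OLPC's code. It models three behaviours the thread describes:
  1. a bundle may not request P_DOCUMENT_RO together with P_NET at install time;
  2. a user can later grant P_NET explicitly through the security center GUI;
  3. a denied action is silently refused and logged, never prompted for.
The manifest format, Activity class and audit log are constructed here.
"""
from dataclasses import dataclass, field

# Permission names as quoted in the thread; the pair below is the one the
# spec is said to forbid in a single install-time request.
P_NET = "P_NET"
P_DOCUMENT_RO = "P_DOCUMENT_RO"
INSTALL_CONFLICTS = {frozenset({P_DOCUMENT_RO, P_NET})}


class InstallRejected(Exception):
    """Raised when a bundle's requested permissions violate an install rule."""


@dataclass
class Activity:
    name: str
    granted: set = field(default_factory=set)
    audit: list = field(default_factory=list)  # constructed log of denials


def install(name: str, requested: set) -> Activity:
    """Install a bundle, refusing conflicting install-time requests outright."""
    for conflict in INSTALL_CONFLICTS:
        if conflict <= requested:
            raise InstallRejected(
                f"{name}: may not request {' and '.join(sorted(conflict))} "
                "together at install time")
    return Activity(name=name, granted=set(requested))


def user_grant(activity: Activity, permission: str) -> None:
    """Explicit grant from the security center; this path bypasses the install rule."""
    activity.granted.add(permission)


def check(activity: Activity, permission: str) -> bool:
    """Runtime check: deny silently and log it, never prompt the user."""
    if permission in activity.granted:
        return True
    activity.audit.append(f"denied {permission} to {activity.name}")
    return False


def demo() -> dict:
    """Walk through the picture-viewer scenario from the thread."""
    # A benign picture viewer that only needs to read documents.
    viewer = install("picture-viewer", {P_DOCUMENT_RO})
    denied_before = check(viewer, P_NET)  # denied and logged, no dialog
    # The same viewer asking for both at install time is rejected.
    try:
        install("greedy-viewer", {P_DOCUMENT_RO, P_NET})
        rejected = False
    except InstallRejected:
        rejected = True
    # An informed user can still combine them afterwards via the GUI.
    user_grant(viewer, P_NET)
    allowed_after = check(viewer, P_NET)
    return {
        "denied_before": denied_before,
        "rejected": rejected,
        "allowed_after": allowed_after,
        "audit": list(viewer.audit),
    }


if __name__ == "__main__":
    print(demo())
```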

A Stink-Rose by any other name... (3, Interesting)

SilentMobius (10171) | more than 7 years ago | (#17927788)

From TFA
"Beyond cyberthreats, the XO laptop will have an anti-theft system designed to render stolen laptops useless. Each XO is assigned a "lease," secured by cryptography, that allows it to operate for a limited period of time. The laptop connects to the internet daily and checks in with a country-specific server to see if it's been reported stolen. If not, the lease is extended another few weeks."

Congratulations, you have destroyed this project's credibility, desirability and much of the good will that the open source community was providing.

I wonder if this would rule out any interaction with the GPL v3?

I know several businesses & governments (1)

Colin Smith (2679) | more than 7 years ago | (#17928044)

Who would love this feature.


Re:A Stink-Rose by any other name... (1)

mypalmike (454265) | more than 7 years ago | (#17928098)

Even better is the next sentence:

"If the lease expires, the XO's internet connectivity is turned off, and shortly thereafter the whole computer becomes a brick."

Broken by design.

People pay $5,000 for laptops? (0)

Colin Smith (2679) | more than 7 years ago | (#17927844)

What do they imagine they're getting for that? Yeah yeah, I know, it's the status symbol of being able to blow $5,000 on a bit of $600 hardware.


Re:People pay $5,000 for laptops? (1)

Mr2001 (90979) | more than 7 years ago | (#17928094)

Yeah, it's crazy - for that much, you could almost get two 17" MacBook Pros!

It's not hard to do this. Just not compatible. (4, Insightful)

Animats (122034) | more than 7 years ago | (#17927900)

It's not hard to do this. Several groups had systems this tight working back in the 1980s. For that matter, Multics had it right in the late 1960s. Linux has it now, in NSA SELinux.

It breaks existing applications, of course. The OLPC people have a huge advantage - they don't care about existing applications. They can say to application developers, "these are the security constraints - design to them." That's a huge win.

Somebody should have done this by now for phones and palmtops, but, unfortunately, those things started out so underpowered they barely had an operating system. So they have their own legacy problems.

A couple of silly questions here... (0)

Anonymous Coward | more than 7 years ago | (#17927986)

Who are Pentagram? Why is the XO logo written as the jolly roger sign? Silly, I know, but still pretty fucking weird.

Takes Big Brother to the next level (2, Interesting)

Anonymous Coward | more than 7 years ago | (#17928182)

"Manufacturing data includes two unique identifiers: SN, the serial number, and U#, the randomly-generated UUID."

"On first boot, a program is run that asks the child for their name, takes their picture, and in the background generates an ECC key pair. The key pair is initially not protected by a passphrase, and is then used to sign the child's name and picture. This information and the signature are the child's 'digital identity'. The laptop transmits the (SN, UUID, digital identity) tuple to the activation server. The mapping between a laptop and the user's identity is maintained by the country or regional authority for anti-theft purposes, but never reaches OLPC."

Remember kids, file sharing is illegal and there is a database full of mugshots for the RIAA to find you.

Two Cents (3, Insightful)

kahrytan (913147) | more than 7 years ago | (#17928300)


I've got two things to say.

1. Bring these security additions to public linux distributions.

2. Would you (and the rest of /.ers) be willing to purchase 1 of these laptops for $200? I say $200 so the extra $100 goes toward a laptop for a child in third world country.