[olpc-help] Various thoughts

Michael Stone michael at laptop.org
Sun Mar 30 10:11:23 EDT 2008


Andrew,

Thanks very much for the first round of answers to my questions. Please
don't take it amiss that I've replied with more questions probing at
your assumptions; I ask simply because it's necessary to do so in order
to understand your goals and your concerns both precisely and accurately
enough to be able to fully assist you.

Michael



On Sun, Mar 30, 2008 at 12:26:36AM -0400, Andrew wrote:

> The mesh network's collaborative potential is VERY promising as well -
> it could take us to realms of more effective pedagogy, if applied
> smartly (and that's a big IF)

What failure mode do you anticipate here that leads you to put such a
large disclaimer on your statement?

> >What are you trying to protect by setting a password?
> 
> Well, first, it seems highly unconventional to have linux systems with
> null root passwords. It was my own first (and perhaps knee-jerk)
> reaction to raise a concern about what appeared to me to be a "security
> hole" here.

Without having previously stated a threat model, it seems difficult to
judge the security merits of any design decisions. The threat model we
ascribe to our users is presently best described in the Bitfrost
specification:
  
  http://dev.laptop.org/git?p=security;a=blob;f=bitfrost.txt
  
(along with a status report at http://wiki.laptop.org/go/Bitfrost)

You should contemplate this model and let us know whether and how it
differs from your own security goals and from the security goals that
you presently ascribe to your eventual users. (After all, what good are
security "conventions" designed for environments (e.g. physically secure
multi-user servers) that are wholly different from the realities faced
by our users (i.e. where physical and mental coercion are for many,
sadly, daily routines)?)

> I understand that ssh-ing has been disabled for both users "root" and
> "olpc".  

Inbound ssh attempts for these users are disabled until passwords are
set (or until SSH public keys are authorized). Outbound SSH traffic is
unrestricted.

> But couldn't there be unwanted intrusions still? Statistically
> speaking, given the number of units in circulation, there will be
> several linux-savvy adults with access to a school-program XO, and, of
> those, perhaps a few might be compelled to make unwanted
> modifications. (I am just theorizing.)

Are you primarily concerned with linux-savvy adults with unrestricted
physical access [disassembly allowed], brief periods of restricted
physical access [no time for disassembly; USB keys & terminal access
only], or with remote access to the machines? If remote, are you
thinking about online, synchronous attacks (e.g. SSH exploits), network
mischief, trojans, or non-technical attacks that overwhelm the child's
judgement? Perhaps the answer is "all of the above"?

> And what about the possibility that the child inadvertently hoses the
> system, deleting system-critical files, or deleting good data (as
> root)?

First, delete the "writable" copy of the OS inside /versions/run. If the
system is still inconsistent after boot, then reflash via USB key.

If prioritised, this system could become even more straightforward; we
have good designs for how the stronger P_SF_CORE and P_SF_RUN Bitfrost
protections should operate that have not been realized, basically,
because the present arrangements have been good enough.

> >Who is supposed to know the password?
> 
> I suppose, any of the adults involved in the process, who are willing
> to do maintenance/updates should be able to have root access (after
> being trained, of course).

Why would you suppose that adults will be available who will be as
willing or as able to perform maintenance and updates as the people
who are most knowledgeable about the system and who have the most to
gain from improving it: its direct users, the children?

> What if we wanted to allow the XO-owning children to access the
> internet via ANY public access point - that would mean we could not
> implement dansguardian or the like. 

Why do you speak of "allowing XO-owning children to ... [outside of
school]"? I can understand your desire to take a conservative stance
toward their education for the period of each day in which the school
system stands "in loco parentis"; however, after hours, if the children
in question are truly the owners of the laptops you are considering
purchasing on their behalf, then what, other than direct parental
intervention, could possibly prevent them from accessing the internet
via any public access point they like?

> Nor would we be able to filter internet content on the child's local
> system (if they had root access they could remove any local filtering).

In present versions of the firmware, anyone can remove such filtering
without root access simply by reflashing with a publicly available build
that does not implement such filtering.

> Believe me, once they realize their content is being filtered, a lot
> of them WILL begin to explore ways to defeat the filter, and many of
> those will quickly understand the meaning and (high) value of being
> root.

Can I correctly translate your statement as "children like to climb
walls to show that they can and they like to open doors to discover
what's hidden behind them. We're afraid of the consequences of these
tendencies as they apply to the doors and walls we are building in order
to fetter their minds in the name of safety."?

> (Can you not see angry parents contacting the administration about
> their children loading inappropriate content onto the XO's?)

I suspect that you will receive some angry calls (and given that this is
America, perhaps even legal threats) regardless of whether appreciable
numbers of children study content that someone deems to be inappropriate
for them. Is this not a rather mundane, predictable consequence of
empowering children whose parents believe they have an absolute right to
dictate what their children will learn?

In my mind, better questions include: how much risk are you able to
undertake, can you apply social measures to reduce the risk you must
undertake, and finally, can you construct a plan for improving the
education you provide in a fashion consistent with the previous two
questions? (An interesting meta-question: which of these three questions
is the most difficult to answer confidently and how can you firm up your
answer?)

> >When do you want to set the passwords? (or reset them?)
> 
> Prior to handing them out to the pupils, I suppose.

We can return to this question when I (and others) better understand
both your security goals and the security goals you ascribe to the
people receiving laptops.

> >Please explain why (a unique password for each unit) would be your
> >ideal situation.
> 
> Security. Supposing, somehow, a pupil learns the root password for his
> or someone else's XO.  If every XO has the same root password, the
> entire batch is instantly compromised.

By what exact means do you anticipate one pupil's possession of
credentials adequate to gain root access turning into "instant
compromise" of the entire batch? Why are you more concerned about these
credentials being in the hands of a pupil than in someone else's hands?
