[OLPC-devel] Secure BIOS on the OLPC

Drew Van Zandt drew.vanzandt at gmail.com
Tue Aug 29 07:44:28 EDT 2006


Not to sound paranoid (though I suspect I am in this case) but what if
rather than a key compromise it's a crypto compromise - someone finds a way
to determine the public key from the private key, or finds a vulnerability
in the cryptosystem?  Link of interest (old):
http://pauillac.inria.fr/~doligez/ssl/  (40b session key only, but still...
new things come around the bend pretty often.)

Now a group pools computing power (or quantum computing becomes reality),
breaks three (or even two) keys, and you're vulnerable to automated
product-wide devestation.

Holding down a button doesn't protect against phishing... but phishing
doesn't get all machines overnight, and holding the button down again *may*
be enough to let you load a good BIOS again.  (Or not, in which case the
only reload vector I can think of would be JTAG or whatever the direct
programming method is.)

Is there any compelling reason not to use both the buttonpress and
signatures?  Belt, suspenders, as my dad used to say.

--DTVZ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.laptop.org/pipermail/devel/attachments/20060829/d5d92625/attachment.html>


More information about the Devel mailing list