"Chilling Effects" paper at USENIX

Charles Merriam charles.merriam at gmail.com
Wed Apr 9 05:12:05 EDT 2008


I'm a bit slow, being a "bugbear of very little brain".

I read the paper, and it seems to summarize as:
   1.  The BitFrost Specification is documentation, not detailed
implementation.  The author does not read code.
   2.  BitFrost does not promise anonymity.
   3.  BitFrost does not cover how to secure the Country Key Store.
   4.  If used as a specification, and all packets are signed and the
Country's Key Store is compromised, then bad things can happen.

It seems like OLPC F. should issue an immediate (preemptive) response saying:
   1.  BitFrost is an open-source implementation.  The "BitFrost
Specification" is a high level document and not an engineering
specification.  Engineers can read the implementation source code.
   2.  BitFrost does not promise anonymity to school children.  [If
factcheck says HTTP packets are not generally signed then add]
However, it does not enable the pervasive monitoring the author
suggests.
   3.  BitFrost does not specify general security measures for the
country wide servers.
   4.  It is unfortunate that a respected conference did not do a
better job at vetting this paper.

Below is my blow-by-blow.  If no one else writes a Wiki page on it by
next week, I may do it.

Charles Merriam.


Concerns seem to be:
2.2  - BitFrost has poor documentation and is not on standards track.
   Could someone let me know if *all* the BitFrost implementation is opensource?
2.3 - ECC Keypair does not specify keysize
   Anyone shed light on this?
2.3 - Long lived photograph/name/laptop pairing is made.
  Um, yes.  The author questions this linkage, but does not support
the reasoning for the question.
  Also, is this Photograph transmitted as the P in her tuple?  Or is P
a crypto P?
     If the photo is not transmitted, then her assertion of being
linkable falls down.  I hate it when reviewers let an article publish
without checking all the terms.
  The author incorrectly lumps this under "Compromising Privacy".
  The "Compromising Privacy" under Bitfrost 7.2, 8.16, 9.2 addresses
stealing documents from a user; anonymity is not part of the BitFrost
specification or goals.
   The author also starts a poor researcher's tool here:  "It's not
said why this happens, but if it is because of X then it is wrong".
2.4 - Keys/User
   This appears to summarize as "BitFrost doesn't tell you how to
protect your country's key store."
2.5
   Bitfrost does not specify anonymous communication.  If done like X,
you can't get anonymous communication.
2.6
   Is it true that "calling home" for an XO does not include the local
School Server?
   If it does include the local School Server, the author's assertion
of remote villages bricking until Internet Access is restored is
incorrect.
   Also points out that an authority could turn off a child's laptop
at will.  (part of the spec.)
2.7
   Spec doesn't cover some BIOS implementation details.
3.1
   The lack of anonymity makes this a bad tool for overthrowing corrupt regimes.
3.2
   If the author is correct about how packets are signed and an oppressive
government monitors all traffic and overtly punishes children for
saying anti-government things online, then it could hurt the child's
esteem.
   Again, would someone in the code answer if all HTTP packets are signed?
3.3
  If government monitors all communication, children may be surprised
that things said within their school are monitored.

4.0 Conclusions
  Finds BitFrost doesn't support anonymity, and believes it to be in the spec.
  Brings up that the spec addresses user space programs, not the
implementing operating system.
Footnotes, etc:
  Didn't check to see if shipping versions have an LED on the camera.