<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Dear John and all,<br>
<pre wrap="">I will share some personal points of view in relation to the security
issue in Peru. I have worked with computers since 1979 and I have traded and
repaired more than 20,000 computers since those early years. I can say that
I know this field very deeply, first hand.

<i><font color="#000099">"On the other hand, I was told at lunch today by members of the Peru
deployment that software activation is a critical and necessary feature."
</font></i>
Is software activation critical?
If the XOs are deployed in the poorest towns then there is little possibility
of theft and robbery. In those small villages (with 100 families approximately)
all of them know each other: you cannot enter or leave the village without
being noticed (or allowed). Those towns are at 3,500 to 5,000 meters altitude
and there are around 5,000 of them in Peru. No young gangs there.
If the XOs are deployed in bigger cities (that is the case for most of the XOs in
Peru from the information that we have got) then there is a theoretical risk.

<i><font color="#000099">"In previous deployments of computers, Peru saw a high theft rate in the
delivery process."
</font></i>
Previous deployments... if you mean "the Huascaran project" then we (the
public opinion, the media) don't have a clue about this. That delivery
is an old fact, whose accuracy is very hard to track (but not impossible).
If you mean "XOs previous deployment" then it is the same: we, the public
opinion and the media, and the Congress... we don't know a bit about
that fact. In this case there would be high responsibilities for many
people involved in the deployment. And I am 99.99% sure that the robbery
did not happen without the participation of at least one person who
knows inner things about the deployment (that is a common issue, ask
any policeman in your country where he would search).
If the robbery happened as part of a bigger robbery then it was
an accident not related to some "bad guys" wanting to get some
XOs, it was a "general" robbery.

<font color="#000099"><i>"The activation process allows them to tell potential
thieves and potential purchasers of hot systems that the laptops will be
useless bricks."
</i></font>
No way. It is just another wall to climb. You know Russians? Well...
we have some Peruvian groups that are as skillful as the Russians are. I don't say
that with pride, I am just letting you know what happens here. There are
Colombian experts who come to Peru to clone every bit of any digital
system that you can imagine: credit cards, bank codes, computer security
systems. It is, as you know, a matter of time, interest and resources.

<font color="#000099"><i>"Here in the US, the cost of disassembling, switching SPI flash chips,
and reassembling approaches $60 - $70 dollars (I asked several small job
shops for quotes.)"
</i></font>
Well... some guys here will be more than happy to ask just $10 for doing
the same job (again my words come without any pride in them).

I think that the critical things for Peru are:
a) Guarantee that the XOs will be the property of the children.
b) Guarantee that there will be REAL content (not the kind that exists today, with just one author (not very well known) with more than 30 dark publications).
c) Guarantee that the XOs will be a COMMUNICATION system with the world (not only a communication tool between a very poor group of children that will "construct" their solutions based on their limited experiences without taking into account what the human race has developed over centuries).

I ask your pardon for these very biased points of view.

With the best regards,
Javier Rodriguez
Lima, Peru
</pre>
<br>
<br>
John Watlington wrote:
<blockquote cite="mid:3FDA579E-563E-460B-B102-BC3C668B6700@laptop.org"
type="cite">
<pre wrap="">On Apr 24, 2008, at 7:52 PM, Carl-Daniel Hailfinger wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On 24.04.2008 20:32, C. Scott Ananian wrote:
</pre>
<blockquote type="cite">
<pre wrap="">11. Bitfrost: initial activation security.
...
For completeness, I will note that although passive and active kill
theft-deterrence systems have been implemented on Sugar/GNU/Linux,
only initial activation security has been deployed in the field.
Passive and active kill systems entail large support costs which OLPC
has chosen to date not to incur.
</pre>
</blockquote>
<pre wrap="">AFAIK the hardware side of P_THEFT alias theft protection alias
activation security/kill functionality has not been implemented,
rendering all software efforts moot.
</pre>
</blockquote>
<pre wrap=""><!---->
In my opinion, shared by other engineers at Quanta, the proposed
"hardware side" of P_THEFT would not have slowed you down much.
Dremel-ing off the epoxy wouldn't take long. The effect it WOULD have
is to add at least an hour (if not 24) of latency to the manufacturing
process, and to decrease the manufacturing yield, both of which would
have increased the price. I discussed this with numerous people at
Quanta.
On the other hand, I was told at lunch today by members of the Peru
deployment that software activation is a critical and necessary feature.
In previous deployments of computers, Peru saw a high theft rate in the
delivery process. The activation process allows them to tell potential
thieves and potential purchasers of hot systems that the laptops will be
useless bricks.
Have we made it impossible to steal and activate a laptop ? NO.
Have we made it much harder ? Yes.
</pre>
<blockquote type="cite">
<pre wrap="">Unless the manufacturing details have changed since my last inquiry, I
can unlock ~4 XO machines per hour WITHOUT having a developer key. The
only thing I need are some really affordable tools. If someone else
disassembles the machines for me, I think unlocking 10 machines per hour
is well within the doable range.
</pre>
</blockquote>
<pre wrap=""><!---->
Here in the US, the cost of disassembling, switching SPI flash chips,
and reassembling approaches $60 - $70 dollars (I asked several small job
shops for quotes.)
</pre>
<blockquote type="cite">
<pre wrap="">For the record: I will not take orders for mass-unlocking unless
ownership is proven.
</pre>
</blockquote>
<pre wrap=""><!---->
Thanks.
wad
</pre>
</blockquote>
<br>
</body>
</html>