[OLPC Networking] Firewalling...
Xavier Alvarez
xavi.alvarez at gmail.com
Sun Nov 5 09:40:27 EST 2006
On Saturday 04 November 2006 16:58, MBurns wrote:
MB> On 11/4/06, Xavier Alvarez <xavi.alvarez at gmail.com> wrote:
MB> >
MB> > But on the digital world, how can the teacher ensure that
MB> > the students are really not disturbed by outside sources?
MB> > (ie: IMing with the buddy on the next classroom).
MB> >
MB> Interesting question. Because of the mesh network,
MB> inherently, there is no real way to 'turn off'
MB> collaboration.
Collaboration needs connectivity... not the other way around ;)
MB> Indeed, I don't think you'd want to. This is
MB> not a technical issue, however, it is really a social one. If
MB> students are disruptive, teachers will have to deal with
MB> them just as they do with passing notes and whispering.
Although I agree it's a social issue, we can't deny that
technology here fosters new interactions which the teacher is
totally unaware of and can't really control (eg: the teen-only
ringtone that older people can't hear, so the kids send and
receive sms without the teacher's knowledge). Passing notes is
visible, whispering is audible, but an IM is neither... so
putting your naughty kids in different corners of the room
doesn't solve the problem... and the knee-jerk reaction could
well be to take away the laptops from the kids... something that
defeats the whole purpose of the OLPC... :(
...snip...
MB> But then, how this actually plays out in the schools will be
MB> interesting to see. Speculation on my part could be wildly
MB> off.
Mine too... :)
Kids are too darn smart (until we 'educate' them ;)
MB> > So, has anybody thought about this?
MB> >
MB> Maybe. But getting the conversation going in the public is a
MB> good thing regardless. :)
MB>
I think that the OLPC project should somehow address these issues
with a more built-in solution, rather than leave each classroom
to work one out (which I mentioned might defeat the purpose of the
OLPC by taking the kid's laptop away).
My idea was more like creating a sub-network of sorts. Assuming
that the teacher also gets a laptop, it could be configured to
work as an access-point/gateway/firewall and the kids simply
connect to it. Besides taking automatic attendance and other
administrative tasks, the teacher's laptop could be set up to
block all outside traffic, or create sub-subnets (MAC ids come to
mind) so that collaborating workgroups could be created but only
among themselves, while allowing even one-machine sub-nets (while
in an exam).
... my rambling on the modes was moved to the end ...
A (possibly good) side-effect of the 'modes' is that a student
laptop may be set up so that it *needs* to report to the teacher's
laptop every X amount of days (sickdays, weekends and holidays
need to be taken into consideration). Failing to 'report', the
laptop's connectivity decays rendering it useless unless it goes
to school... kind of 'pushing' the kids to go, but also if the
laptop is stolen it renders itself useless.
Although it'll be hackable, the issue here is creating and
enforcing the sense within the community that the laptop is
integrally connected to the school and that taking it (or the
kid) out of it, is useless...
Assuming that laptops will not enter the school in all grades at
the same time, you have to provide some kind of deterrent for the
bully to snatch a laptop and take it home or sell it. At least
initially. Afterwards, this security lock will probably go the
way of all security measures: rendered useless by hackers.
Hopefully by then, there'll be enough laptops within the
community so that nobody wants a stolen one... even a hacked one.
Comments? Is it feasible? Risks?
<rambling>
I'm well aware that this whole 'lock' issue could seem to be from
a paranoid, dictatorial, arbitrary teacher's point of view... I
assure you, it's not my case.
Let's suppose we have four connectivity modes: free, class,
workgroup, and exam.
- Free - obviously full-connectivity, no restrictions whatsoever.
- Class - can connect to the devices available in the sub-network.
- Workgroup - sub-network is smaller but still full connectivity.
- Exam - there's only one other 'visible' machine: the teacher's.
Note that I'm not talking about packet forwarding (which I assume
is being controlled at the hardware level and fully operational),
but opening and accepting connections and which programs can
actually do it. More like ZoneAlarm and similar 'firewalls'.
Also, it could be interesting to explore the idea that depending
on the mode, certain applications could be off-limits (iow, would
not open or not be able to connect).
Which applications? That could be configured by the teacher's
laptop. In the free-mode, no authorization is required. In both
the class and workgroup-mode, a simple log of running
applications and launching could be reported to the teacher's
laptop or stored locally (it would be up to the teacher to view
the logs). In the exam-mode, the most-restrictive mode, no
application could launch (or take focus) unless the teacher's
laptop authorizes it. After all, you don't want the kids to open
the calculator when the exam is on math... :P But you would
still like to have an open-book test (which could imply opening
local as well as remote documents) but with some level of control
(ie: you can't open the class' nerds notes on the subject ;)
Doubling this in-class security model as a theft-deterrent, a
laptop that doesn't report to the school/teacher will gradually
go from the free-mode to the exam-mode, and since no teacher
laptop is available, it can't launch any applications, rendering
it useless... outside of school.
</rambling>
--
XA
=========
Don't Panic! The Answer is 42
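
The four connectivity modes and the 'decay' proposed in the message above, modelled as a small policy check. This is an added example, not part of the original post and not OLPC code. The grace period and step length stand in for the post's "X amount of days"; those values, the function names, the MAC ids and the rule that the teacher's machine stays reachable in every mode are assumptions.

```python
from enum import IntEnum

class Mode(IntEnum):          # ordered from least to most restrictive
    FREE = 0
    CLASS = 1
    WORKGROUP = 2
    EXAM = 3

# Constructed sample data: documentation-range MAC ids, hypothetical groups.
TEACHER = "00:00:5e:00:53:01"
WORKGROUP_OF = {              # every key is a member of the class sub-network
    "00:00:5e:00:53:10": "A",
    "00:00:5e:00:53:11": "A",
    "00:00:5e:00:53:20": "B",
}

def may_connect(mode, local, peer):
    """Decide whether `local` may open or accept a connection with `peer`."""
    if mode == Mode.FREE or peer == TEACHER:
        return True           # assumption: the teacher is visible in every mode
    if mode == Mode.CLASS:
        return peer in WORKGROUP_OF
    if mode == Mode.WORKGROUP:
        group = WORKGROUP_OF.get(local)
        return group is not None and WORKGROUP_OF.get(peer) == group
    return False              # EXAM: only the teacher's machine is visible

def may_launch(mode, app, authorized, log):
    """`authorized` is the teacher's allow-list, or None if no teacher answers."""
    if mode == Mode.FREE:
        return True
    if mode in (Mode.CLASS, Mode.WORKGROUP):
        log.append(app)       # launches are only recorded for later review
        return True
    return authorized is not None and app in authorized

def decayed_mode(days_since_report, grace_days=7, step_days=3):
    """Tighten one mode per `step_days` once the grace period has passed."""
    if days_since_report <= grace_days:
        return Mode.FREE
    steps = 1 + (days_since_report - grace_days - 1) // step_days
    return Mode(min(steps, int(Mode.EXAM)))
```

A laptop that has not reported for long enough ends up in exam mode with no allow-list available, so `may_launch` refuses every application, which is the theft-deterrent behaviour the message describes.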