[Olpc-open] [possible improvement] built-in identity module

Bipin Gautam bipin.gautam at gmail.com
Wed Feb 7 15:44:26 EST 2007


>"Ongoing trends in law, policy, and technology threaten anonymity as
>never before, undermining our ability to speak and read freely online.
>

YOU MISUNDERSTOOD MY POINT.
Agreed! People must have the right to be anonymous, the right to privacy and
free speech. But too much on either side is always bad.

Freedom doesn't mean being able to kill someone and yet be anonymous.
Warrantless and full-scale eavesdropping, as the NSA did, is a threat to
anonymity & privacy. Being able to stay anonymous even when it's
legally and morally right is a threat to law enforcement.

With all the large-scale technological development we have had so far...
it had a balance between PERSONAL PRIVACY and the realization that you can
be traced back and proved responsible in a court of law if you do
something malicious. In my opinion, OLPC blurs this line of balance.

How much and what sort of LOGS does the XO (router part and the OS part) keep,
and for how long? (Accepting the fact that we have limited storage.)

To let you know I've gone through....

8.14. P_SANDBOX: program jails
8.19. P_THEFT: anti-theft protection
8.21 on P_SERVER_AUTH

But I still have a few questions. Firstly, accept these facts:
- The OS WILL HAVE privilege escalation vulnerabilities no matter how
good the present effort is.
- The software running on it (say, a browser) WILL have remotely
exploitable vulnerabilities.
- The OS will have to let users install new software and let custom-built
software act as clients/servers.
- The children using it WILL be lured into installing things that say
FUN, GAMES, JOKES, PUZZLES via email, chat rooms or any other means.

AGREED???

In that scenario the app might be sandboxed, but still someone might be
able to break the jail. The BOX may have an anti-theft protection and
authentication mechanism but yet CAN BE OWNED by others in complete
anonymity. If someone wants to do something malicious with it, they
need not OWN it physically.

In the case mentioned above, and as per my previous CONCERNS, how are
evidence/logs preserved in the XO to prove something was done by someone?
The XO might be good from a security standpoint... but from a
forensic/anti-forensic standpoint???

I have further questions regarding:
- Is the data that goes from one XO to another in the mesh network
encrypted, for, say, p2p, chat, private networks, etc.?
- I'd also like to know more about the possibilities of DNS/data poisoning
in the mesh network.
- What features of the laptop rely on Security through Obscurity?

...but I'm still not yet finished reading the document.

Later....... ;)

with regards,
-bipin

On 2/7/07, Bipin Gautam <bipin.gautam at gmail.com> wrote:
> On 2/7/07, xuan wu <wuxuan.ecios at gmail.com> wrote:
> > hi all.
> >  I wonder if the XO has any kind of identity module? Would it be more
> > acceptable to the government if every operation could be traced back to the
> > very person who uses the XO very easily, as the government's main
> > consideration is about the control and understanding of the people? As the
> > XO is for the children, it's better for them to learn to show as the real
> > "themselves" from childhood. So isn't it a good idea both for persuading
> > the government and for the children's benefit? The problem is, how much
> > does that module cost?
>
> exactly!!! OLPC might be a global phenomenon. with free internet
> access... children as users all around and mesh topology it's very hard
> to trace back if an OLPC falls into the wrong hands, a criminal's? (it obviously
> will).
>
> anonymous internet access, limited storage which can be completely
> cleaned in minutes and a new OS installed in no time. It could be the
> BIGGEST threat from a DIGITAL FORENSICS and security standpoint.
>
> This is what we have been discussing and will be working on here in NEPAL.
>
> some sort of unique identification mechanism should be in a ROM chip that
> can be verified from the network. but again some sort of solution could
> cost much...... creating cheap and tamper-proof hardware for that
> purpose would be an innovation on its own
>

