[Olpc-open] Freezing More Than Bits: Chilling Effects of the OLPC XO Security Model

Daniel Weinreb dlw at alum.mit.edu
Sat Apr 12 09:47:17 EDT 2008


M. Charbax,

Here are the points they seem to be making in the Patterson
paper that criticizes Bitfrost, as I read it:

Bitfrost isn't finished, but some OLPCs are in the field anyway.
[True.]

Eventually, it will be necessary to have a finalized and detailed
specification for Bitfrost that can be audited and tested. [Sure.]

The prototypes that they saw did not have the LEDs that show
that the camera and microphone are on.  [Current OLPCs
do have this, but they didn't know whether it would happen
or not.]

The stored digital identity includes the child's name and photograph,
so that you can authenticate whether a given person matches the
digital identity.  They "question the need for such invasive
measures."  [But they don't go into more detail about what the problem
is.]

"The data recovery process should be decoupled from the identity
and authentication component."  [I was not able to follow their
reasoning about why this is important.]

A sophisticated attacker could set up a bogus backup service
if they can gain access to the key store.  How would they do that?
The paper cites "black-bag cryptanalysis" and "aluminum-briefcase
cryptanalysis".  The former means burglary (the use of the word
"cryptanalysis" is sardonic/ironic).  The latter is a term that the
authors made up themselves (one of them boasts of this in
a blog entry) but apparently also means burglary. [Well, you
have to pick and choose what attacks you want to prevent
against.  What if someone goes to the real server and puts
a gun to the head of the operator?  You just can't protect
against every conceivable possibility.]

P_IDENT says that all communications such as email and
instant messaging are cryptographically signed.  It's not explained exactly
how this works, so they speculate.  They assert that signing
implies non-repudiability of all signed messages [non-repudiation
means that the receiver can prove that the sender really sent
this message, and the sender can't deny it unless he claims
that his own key has been compromised].  "Ergo, it is
impossible for XO users to use any form of anonymous
communication with confidence." They're saying that
the signing is bad because you can't turn it off, or you have
to know to turn it off.  So anyone who intercepts your messages
knows who you are, so speaking out against your government
or whistleblowing against a corporation could backfire on you.
It's also not good for doing secret ballots. [I guess this is all
true, but if I sent an email right now, I would hardly depend
on it to be untraceable to me, even without a digital signature.
Perhaps anonymity should be added to the goals for Bitfrost,
if they intend for it to be used in those ways.  But it's really
for childhood education, not voting. It's a lot of work to add on every
requirement in the world and try to do them all.  If we were
designing a voting machine, security goals would be different.
There may be very good reasons that anonymity was not added
as a goal, too; I'd like to hear from OLPC about this.]

Because of the digital signing, a child's Internet access can
be "cut off at the source", which would be traumatic.  [Oh,
come on!]

"Imagined Communities".  [I don't know what they're talking
about; evidently I'd have to read one of the citations.]

If Ivan says that it is factually inaccurate, then it probably is.
I don't know what he is specifically referring to.  One thing
he's referring to is the paper's claim that Ivan's paper was
not peer reviewed.  In fact, it was, and then it was
accepted at a high-prestige ACM conference.

-- Dan Weinreb
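
The signing-implies-attribution point above, as an added example that is not part of this thread or of Bitfrost's own code: a constructed directory of public keys stands in for the stored digital identities, and an observer holding that directory can tie any signed message to exactly one sender, while an unsigned or tampered message yields nothing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Directory stands in for the stored identities: child's name -> public key.
// Constructed for this example; not Bitfrost's real key store.
type Directory map[string]ed25519.PublicKey

// Message is what travels over the network: the body and, when P_IDENT-style
// signing is on, a signature over it. Sig == nil models an unsigned message.
type Message struct {
	Body []byte
	Sig  []byte
}

// NewIdentity registers a fresh public key under name and returns the private key.
func NewIdentity(dir Directory, name string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dir[name] = pub
	return priv
}

// Sign produces a signed message; anyone holding the public key can verify it.
func Sign(priv ed25519.PrivateKey, body string) Message {
	return Message{Body: []byte(body), Sig: ed25519.Sign(priv, []byte(body))}
}

// Attribute is the interceptor's view: given the directory, a valid signature
// ties the message to one identity (non-repudiation). Unsigned or tampered
// messages cannot be attributed this way.
func Attribute(dir Directory, m Message) (string, bool) {
	if m.Sig == nil {
		return "", false
	}
	for name, pub := range dir {
		if ed25519.Verify(pub, m.Body, m.Sig) {
			return name, true
		}
	}
	return "", false
}

func main() {
	dir := Directory{}
	alice := NewIdentity(dir, "alice")
	NewIdentity(dir, "bob")
	fmt.Println(Attribute(dir, Sign(alice, "hello")))          // alice true
	fmt.Println(Attribute(dir, Message{Body: []byte("hello")})) // "" false
}
```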
Charbax wrote:
> Ivan Kristic seems to have replied in the lwn.net thread:
>
>     (...) it's factually inaccurate and thus
>     easily debunked. As for the Patterson paper, I'll be posting my thoughts over the next few
>     days, but generally find it uninteresting and academically sloppy flamebait.
>
>
> I'm not an expert in Bitfrost at all, but in the event of a natural 
> catastrophe, I think the Bitfrost keys can be updated using one $5 USB 
> stick and distributing the keys to all the other laptops using Mesh 
> networking.
>
> Criticizing Libya, Nigeria and Thailand for being anti free-speech is 
> irrelevant. Just because China has some human rights abuse problems, 
> and the Chinese firewall, blogger and yahoo mail dissidents in jail, 
> does that mean that the 200 million Chinese people who have access to 
> the Internet is a bad thing? That's just wrong. OLPC is a trojan horse 
> to bring knowledge and democracy to those countries. It doesn't really 
> matter what curriculum the governments are going to pre-load on the 
> laptops, or if they are going to try and filter the Internet access, 
> people always figure out how to use the Internet for what they want. And 
> if a government wants to mass-disable laptops using Bitfrost, just 
> get any amount of activating keys smuggled into the country using a 
> $5 USB key and those laptops are reactivated.
>
> On Fri, Apr 11, 2008 at 1:54 PM, Stephane Bortzmeyer 
> <stephane at bortzmeyer.org> wrote:
>
>     I did not read the paper yet, but it seems interesting:
>
>     The paper:
>     <http://www.cosic.esat.kuleuven.be/publications/article-1042.pdf>
>
>     A summary: In this paper, we discuss Bitfrost, the security model
>     developed by the One Laptop Per Child project for its XO laptop
>     computers. Bitfrost implements a number of security measures intended
>     primarily to deter theft and malware, but which also introduce severe
>     threats to data security and individual privacy. We describe several
>     of the technical provisions in Bitfrost, outline the risks they
>     enable, and consider their legal ramifications and the psychological
>     impact posed for children and society.
>
>     Some rebuttals: <http://lwn.net/Articles/277165/>
>     _______________________________________________
>     Olpc-open mailing list
>     Olpc-open at lists.laptop.org
>     http://lists.laptop.org/listinfo/olpc-open
>
>
>
>
> -- 
> Charbax,
> Nicolas Charbonnier