[OLPC Security] "Correlating bitfrost and threats"

[MBurns]

Comments in-line

On 7/31/07, Jameson Chema Quinn <jquinn at cs.oberlin.edu> wrote:
>
> You're drawing a pretty fine line trying to separate the two. The only
> > reason they would think it is not "plausible" that John is asking for
> > a confirmation of himself (essentially) is if Jane (the person being
> > asked for confirmation) has some reason to explicitly doubt that John
> > isn't asking. Either by asking him outright, knowing that he is not at
> > his computer, or similar absolute means. Otherwise, being asked to
> > confirm that she has John's key could be done by any number of people,
> > and if her gauge is "it is plausible that he might be doing this" is a
> > vague guideline.
>
>
> Yes. So she essentially always says "yes". But next time she sees John,
> she (or someone else who happened to notice the unobtrusive announcement)
> says, "so how did you lose your laptop, tell me the story" and if he says
> "huh?" people start to suspect things.
>

The problem comes down to that by splitting up your key (either in a simple
half-n-half system, or a more rigid/proper 'secret sharing' (see below)
system, is that either way, the N peers that you split up your private key
have the potential to get at your private documents. Relying on some type of
hardware-level (UUID, or similar) component alongside the private key should
be able to get around this. Moving to a new laptop would require the social
process (asking a teacher to update the mapping of student->laptop pairing
previously talked about). Combining these two steps should create a secure
scheme that relies on your peers and your teachers to not conspire against
you but that keeps either individual party from being able to snoop on you
without raising big red 'what the hell are you doing' flags.

With a million laptops per country, there's a big difference between "they
> can get your data whenever they want to, and you'll never know" and "they
> can get your data 99.9% of whenever they want to, but even if they do,
> there's a 5% chance you'll find out".
>

As mentioned, this is not a gen-1 feature, but a secret sharing scheme [1]
like this is pretty reasonable. Note that we can have an 'N-friends I
trust', or even simply 'N-peers I know', and have it reliably safe to
distribute my private key amongst them. Wikipedia has a great article about
this, in fact. This allows for a secure means of key distribution, but also
allows for

[1] http://en.wikipedia.org/wiki/Secret_splitting

> > > Obviously, a committed big-brother could still twist two kids' arms
> > and
> > > convince the rest to ignore the message. But that doesn't scale well
> > to
> > > stealing EVERYONE's data and mining it, which is the real threat.
> > > >
> > > > But they wouldn't need to get everyone. The handful of kids they
> > > > choose to strong arm (or coerce or 'borrow' the laptops of, or
> > analyze
> > > > while repairing, or, or, or...) would be--using your
> > system--carrying
> > > > 1/2 of another person's key. Several halves, in fact. Get a large
> > > > enough sample, then you are getting the private keys of children
> > that
> > > > they didn't directly interact with. Would this be easy for a million
> > > > kids at once? Probably not. But at that point, you are also assuming
> > a
> > > > great number of things about your government, like that they didn't
> > > > install keyloggers on the XOs before shipping them out or during
> > > > repair.
> > >
> > > Yes, true, a committed evildoer with the key-copies from 60% of the
> > laptops
> > > would be able to snoop on 1-((1-0.60)cubed) = 93.6% of the files on
> > average.
> > > With 90%, they'd get 99.9%. Still, that is a lot of work to just get
> > to
> > > EXACTLY where they would be from the start in your scenario. Also,
> > remember
> > > that if any kid puts a password on their laptop, the
> > stolen-during-repair
> > > scenario should be preventable (assuming that there is a way to put it
> > in
> > > unlocked "repair mode" which only protects the securest data like
> > keys).
> > >
> > > Also, Bitfrost prevents keyloggers.
> >
> > This should be clarified: Bitfrost *does not* stop keyloggers. And
> > this is important. Bitfrost *explicitly* makes it possible (though, it
> > is an abuse of the authority on the deepest level) for OLPC or the
> > country to install software that can bypass security restrictions.
> > Keyloggers included. This can either work inside of Bitfrost or simply
> > ignore it entirely. Both the country and OLPC are able to sign binary
> > patches that are installed on the machine. Kernel modules, X11, Sugar,
> > DBus, the firmware. You name it. Heck, they could even install a
> > hardware keylogger.
> >
> > If they touch it, they own it. If they can install software on it,
> > they own it. If they can convince you to install software on it, they
> > own it. [1] (Ironic that it is a microsoft site, I know)
>
>
> OK, granted. But here I live in Guatemala - a pretty run-of-the-mill 3rd
> world country. Not as well-run as Mexico (or another 20 like it) but much
> better-off than Haiti or most of Africa. Genocide in the living memory of
> many people I know, a government you can't trust, the policeman is NOT your
> friend, but no ongoing conflict. And I'm pretty sure that the government
> couldn't get it together enough to install special snooping software if they
> wanted, and 100% sure they couldn't do it without getting caught. And the
> more capacity to create such snoopers a country has, the more savvy its
> citizens are about catching it. Even in, say, Colombia, with plenty of
> motive and help from super CIA advisors, the chances of getting caught would
> be more than half. And so fine: they'd tough it out, say "the war on the
> narcos is more important than your privacy", and people might accept that.
> But at least they'd have the conversation.
>

Agreed

As mentioned above you are trusting that the users probed for
> > information are aware enough to know that they are being probed and
> > not benignly misguided, outright tricked or otherwise worked around.
> > This is part of the limitation of not relying on the XO owner for a
> > token (password/passphrase, etc).
>
>
> Most will not be aware. It only takes a few - and it only takes a
> possibility to make the snooper think twice.
>
> 3. Second level of backups - regional or peer-to-peer with the servers?
>
> I think we're talking across each other. My point is:
> A: a regional backup is only good for restoring the school server, because
> you can't rely on the local internet connection at the moment the kid wants
> their old data. There is no file that's you want to throw away locally
> that's still worth keeping regionally (after all, you have at least 3-5 gigs
> per kid at the local level, that's plenty.
>

Agreed. Regional/Global backup is really about ensuring that we can restore
a given school server. I don't see the school server realistically ever
running out of space for a comprehensive storing of each child's data. If it
does, access to the R/G backup is available, and the liklihood that you (1)
need such a document that is sufficiently old (2) your school server is
maxed on storage and does not have it locally stored and (3) your satellite
is down is an exceptionally uncommon niche case.

Sorry for the delayed reply. Cheers!

-- 
Michael Burns * Intern
One Laptop Per Child
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.laptop.org/pipermail/security/attachments/20070802/d948e6f5/attachment.htm