[OLPC Security] olpc security - wetware issues

alien alien at MIT.EDU
Thu Feb 8 01:01:16 EST 2007


Having perused the Bitfrost paper and followed OLPC activity for some
time, I'm concerned that some important security issues have been
either written off as "out of scope" or are simply not being
addressed. These issues include:

1) Child exploitation
2) Inappropriate web surfing/spam/etc
3) Security maintenance
4) Hacking ethics

Distributing laptops to children around the world without addressing
these issues as part of the security model would be simply
irresponsible. Taking these issues in order:

1) Child exploitation

According to the National Center for Missing and Exploited Children, 1
in 7 children receives a sexual solicitation online. Imagine what that
will become when you can identify a child's computer just by looking
for a specific customized OS.

Since these laptops have a unique OS and hardware, simply by targeting
a system with specific attributes, an attacker can be fairly confident
that the victim system will be owned and operated by an impoverished
child.  Imagine spyware targeted at this unique OS which collects
children's IM names, which are then sold to pedophiles around the
world...

This is in addition to traditional online exploitation techniques,
which may be even more effective given the children's poverty. (i.e. An
online "friend" from New York City buys a child a plane ticket? What
an opportunity!)

My understanding is that, unfortunately, OLPC does not currently
provide tools or guidance for monitoring and controlling a child's
online activity. A first step toward preventing child exploitation is
to educate the children and parents regarding online dangers, and
include software which allows parents to monitor and restrict IM/email
usage.


2) Inappropriate web surfing/spam/etc

In section 9.7.2 of the Bitfrost specification, Ivan Krstic wrote:

"Given that 'objectionable content' lacks any kind of technical
definition, and is instead a purely social construct, filtering such
content lies wholly outside of the scope of the security platform and
this document."

It is most certainly possible to include at least simple controls
which filter for specific keywords, allow blacklists/whitelists of web
sites, etc. This has already been implemented in the developed
world. Are poor parents in developing countries entitled to less
control over their children's web surfing habits than a suburban
mother?

It's all well and good to think that these kids will be surfing
Wikipedia and Open Courseware and talking to their friends the whole
time, but that is simply not what's going to happen. (Just wait until
the first kid says, "What's goatse?") The problem of spam of course
dramatically exacerbates this issue; children may be bombarded with
links to pornography.

Just because there is no world-wide agreed-upon standard for
inappropriate content does not mean that the issue can be ignored.  If
we have any respect for the adults in these faraway communities, we
should at least provide tools which allow parents and teachers to
locally monitor and control a child's web surfing.

It's true that parents in poor countries likely have little to no
experience with computer technology. However, rather than overlooking
them, the project should distribute materials which provide some
basic education, and include simple-to-use software tools which by
default will allow parents to monitor and control their children's web
surfing habits.

It's not a perfect system and it requires parent/teacher involvement,
but we owe it to the parents and their children to at least make this
possible.


3) Security maintenance

In section 0.4 of the Bitfrost specification, Ivan Krstic wrote:
"Whenever possible, the security on the machines must be behind the
scenes... the laptop should be both usable and secure
out-of-the-box..."

It's certainly the case that OS-level security needs to be
simplified. However, it's equally important to teach children the
fundamental components of "computer hygiene."  As many people have
said, security is a process. We can-- and should-- simplify
maintenance as much as possible, but ultimately every computer is a
system that will sooner or later require human attention in order to
continue functioning-- like automobiles, airplanes, and any other
machinery. To provide children with this powerful tool and fail to
teach them this fundamental lesson would be doing them a disservice.

Fortunately, OLPC has created a perfect opportunity to instill good
security "habits" in a generation of new users, and it should
capitalize on this.  For example, making log review trivial and
well-configured by default would be an excellent goal. (Unfortunately,
logging was not even mentioned in the Bitfrost security
specification.) To take this a step further, the computer could even
periodically remind its operator to "Check your logs!"  and guide them
through the process-- much like teaching a child to brush his or her
electronic teeth.

It's great that most configuration on the XO laptop is "behind the
scenes" so as not to overwhelm the user. However, certain elements of
the security maintenance should be obvious. When it's time for me to
change the oil in my car, an indicator light helps. When the brake
pads are due for changing, it's good that they squeak. The users of
these computers are children, but they won't be children forever. We
should teach them to take responsibility for their computer's health
and show them how to take care of their system. 

OLPC should include clear guidelines and educational software that
teaches children to responsibly maintain their computer. This would
improve system security, and also help OLPC achieve their educational
mission.

4) Hacking ethics

In section 0.2 of the Bitfrost specification, Ivan Krstic wrote:

"OLPC is, by design, striving to be an eminently malleable platform,
allowing the children to modify, customize, or "hack", their own
machines any way they see fit."

This is terrific. A computer is not simply a gateway to the online
world; it is also a powerful tool, and it's great to see that OLPC is
treating it as such.  However, as with automobiles, or any tool, these
laptops must be distributed with some form of training material--
whether educational software or stickers-- which teaches ethical
online behavior. Otherwise, we will breed a generation of
irresponsible network citizens, and the children will be a danger to
themselves, each other, and society.

Roof and tunnel hackers at MIT often print up an orange card which is
handy for opening doors. On this card are printed "hacking ethics."
That way, every time you use the card, you are reminded what
constitutes appropriate safe and non-destructive behavior. Along these
lines, OLPC could, for example, print computer ethics and safety
guidelines on the cover of the computers themselves, in addition to
including more detailed training software-- for the benefit of the
children, and everyone online.

- Conclusion

Attackers take the easy route, and these days the easy route involves
social engineering. This problem is magnified when the user is a
child. I'm glad to see that so much attention has been paid to the
technical details of security, but unless the user-level security
issues are addressed, this work will have been in vain.

The XO laptop needs to include easy-to-use software which will allow
parents and teachers to monitor and control their children's online
activity. Without this, children will get hurt. Children will die. It
happens all the time in the developed world, and unless these laptops
are distributed with some sort of parental controls and educational
material, many more children will be hurt unnecessarily. It is also
important for the safety of the internet community as a whole that
these children are introduced to basic security and ethical hacking
concepts.

I hope that OLPC carefully considers and addresses the social issues,
in particular child exploitation and content filtering. OLPC states
that "learning is our main goal"-- but /what/ a child learns is as
important as the learning process itself. Before giving these children
powerful tools, please make sure to include appropriate ethical and
safety guidelines, for both children and their parents. 

















