[OLPC Security] olpc security - wetware issues

Ivan Krstić krstic at solarsail.hcs.harvard.edu
Thu Feb 8 15:54:09 EST 2007


Hi Sherri,

thanks for your feedback. Comments inline.

alien wrote:
> Since these laptops have a unique OS and hardware, simply by targeting
> a system with specific attributes, an attacker can be fairly confident
> that the victim system will be owned and operated by an impoverished
> child.

It is at present not at all easy to identify an OLPC device. It gets
easier if you're on the same network with one, to be sure.

> My understanding is that, unfortunately, OLPC does not currently
> provide tools or guidance for monitoring and controlling a child's
> online activity. 

We want to grow a software ecosystem around our platform. Standard
market rules apply: if there is demand for this kind of software,
companies will start supplying it. There is no point in OLPC putting
resources into rolling our own, especially when there are companies with
deep expertise in the subject matter.

> It is most certainly possible to include at least simple controls
> which filter for specific keywords, allow blacklists/whitelists of web
> sites, etc. This has already been implemented in the developed
> world. Are poor parents in developing countries entitled to less
> control over their children's web surfing habits than a suburban
> mother?

Figuring out how much control they're entitled to is something that each
country has a strong opinion about, and they're usually different
opinions. The same supply/demand argument applies. I remind you that our
participant countries are the ones choosing which software to load on
their XO systems; they are free to include filtering and parental
controls as they see fit.

> Just because there is no world-wide agreed-upon standard for
> inappropriate content does not mean that the issue can be ignored.

Not doing it ourselves is clearly not the same as ignoring the issue.

> We can-- and should-- simplify
> maintenance as much as possible, but ultimately every computer is a
> system that will sooner or later require human attention in order to
> continue functioning

You seem to be confusing software and hardware. Decades of real-world
systems say that your statement, as applied to software, is wrong.

> To take this a step further, the computer could even
> periodically remind its operator to "Check your logs!"  and guide them
> through the process-- much like teaching a child to brush his or her
> electronic teeth.

I couldn't disagree more. That normal users would ever have to know what
logs are, let alone check them frequently, is nothing but a gross
failing of our field, and a failing that Bitfrost is partially trying to
remedy.

Cheers,

-- 
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | GPG: 0x147C722D

