[OLPC Security] olpc security - wetware issues

[alien]

Hi Krstic,

>It is at present not at all easy to identify an OLPC device. It gets
>easier if you're on the same network with one, to be sure.

Write a piece of malware that grabs system info, and only executes if
particular OS characteristics are present. Distribute.

>> maintenence as much as possible, but ultimately every computer is a
>> system that will sooner or later require human attention in order to
>You seem to be confusing software and hardware. Decades of real-world
>systems say that your statement, as applied to software, is wrong.

Every OS vendor distributes patches. Many software vendors do, too
(aned many more should). Software, like hardware, is not static and
does need to be updated as flaws are discovered and as fundamental
needs and the environment changes.

>companies will start supplying it. There is no point in OLPC putting
>resources into rolling our own, especially when there are companies with
>deep expertise in the subject matter.
>...their XO systems; they are free to include filtering and parental
>controls as they see fit.

Is there appropriate software available? Are the decision-makers aware
of its existence, and it is recommended?

In the developed world, kids who are solicited online often become
real-life victims of their online "friends." There is no point in
distributing these laptops for educational purposes without some basic
safety mechanisms that will prevent their owners from becoming
victimized as well. A tool which enables parental monitoring/controls
is a fundamental program and should be distributed by default with
each laptop. This is not "extra," and to fail to include it will
result in deaths. Really.

OLPC has said that it is "not at heart a technology program." If that
is the case, I expect it will do the socially responsible thing, and
ensure that this software is available and strongly recommended from
the very beginning, if not installed by default.

>I couldn't disagree more. That normal users would ever have to know what
>logs are, let alone check them frequently, is nothing but a gross
>failing of our field, and a failing that Bitfrost is partially trying to
>remedy.

Don't you want to know when someone has been in your house? You can't
rely on machines to take care of everything, especially when the
machine may be compromised. Occasional log review is the safety net,
the opportunity for a human to notice that he or she may have been
burglarized, or that something else is not functioning proprerly. This
should be massively simplified, of course. It could be accomplished
simply by touching a button on a screen, and presented in a very
simple manner. It is one of those fundamental safety checks that
children should learn about, and once they know it exists, they'll
probably be curious anyway.

You've gone to the trouble of having a "View Source" button on the
keyboard, to allow for transparency of code. Doesn't it make sense to
also have some "View System Activity" button, to allow for
transparency of OS functioning?

>Not doing it ourselves is clearly not the same as ignoring the issue.

OK, if you haven't been ignorning this issue, then please tell me what
you have done or discussed with other companies/government to address
it.

Thanks,

alien





=?UTF-8?B?SXZhbiBLcnN0acSH?= writes:
>Hi Sherri,
>
>thanks for your feedback. Comments inline.
>
>alien wrote:
>> Since these laptops have a unique OS and hardware, simply by targeting
>> a system with specific attributes, an attacker can be fairly confident
>> that the victim system will be owned and operated by an impoverished
>> child.
>
>It is at present not at all easy to identify an OLPC device. It gets
>easier if you're on the same network with one, to be sure.
>
>> My understanding is that, unfortunately, OLPC does not currently
>> provide tools or guidance for monitoring and controlling a child's
>> online activity. 
>
>We want to grow a software ecosystem around our platform. Standard
>market rules apply: if there is demand for this kind of software,
>companies will start supplying it. There is no point in OLPC putting
>resources into rolling our own, especially when there are companies with
>deep expertise in the subject matter.
>
>> It is most certainly possible to include at least simple controls
>> which filter for specific keywords, allow blacklists/whitelists of web
>> sites, etc. This has already been implemented in the developed
>> world. Are poor parents in developing countries entitled to less
>> control over their children's web surfing habits than a suburban
>> mother?
>
>Figuring out how much control they're entitled to is something that each
>country has a strong opinion about, and they're usually different
>opinions. The same supply/demand argument applies. I remind you that our
>participant countries are the ones choosing which software to load on
>their XO systems; they are free to include filtering and parental
>controls as they see fit.
>
>> Just because there is no world-wide agreed-upon standard for
>> inappropriate content does not mean that the issue can be ignored.
>
>Not doing it ourselves is clearly not the same as ignoring the issue.
>
>> We can-- and should-- simplify
>> maintenence as much as possible, but ultimately every computer is a
>> system that will sooner or later require human attention in order to
>> continue functioning
>
>You seem to be confusing software and hardware. Decades of real-world
>systems say that your statement, as applied to software, is wrong.
>
>> To take this a step further, the computer could even
>> periodically remind its operator to "Check your logs!"  and guide them
>> through the process-- much like teaching a child to brush his or her
>> electronic teeth.
>
>I couldn't disagree more. That normal users would ever have to know what
>logs are, let alone check them frequently, is nothing but a gross
>failing of our field, and a failing that Bitfrost is partially trying to
>remedy.
>
>Cheers,
>
>-- 
>Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | GPG: 0x147C722D