[OLPC Security] olpc security - wetware issues

Ivan Krstić krstic at solarsail.hcs.harvard.edu
Thu Feb 8 21:40:06 EST 2007


alien wrote:
> Write a piece of malware that grabs system info, and only executes if
> particular OS characteristics are present. Distribute.

Okay, and what does the malware do? You mentioned malware that collects
the kids' IM names, which is a non-starter with Bitfrost.

> Is there appropriate software available? Are the decision-makers aware
> of its existence, and it is recommended?

The software will be available. We will stay out of policy matters.

> A tool which enables parental monitoring/controls
> is a fundamental program and should be distributed by default with
> each laptop. This is not "extra," and to fail to include it will
> result in deaths. Really.

Parental monitoring and controls make a bevy of assumptions that do not
hold in many of the places where we're deploying laptops. Instead of
trying to do a one-size-fits-all "solution" which ends up fitting no
one, we're letting countries decide on policy, just as they decide on
all the software that ships on their laptops.

> You've gone to the trouble of having a "View Source" button on the
> keyboard, to allow for transparency of code. Doesn't it make sense to
> also have some "View System Activity" button, to allow for
> transparency of OS functioning?

Viewing system activity and short-term log files will be made easy for
interested kids, but not something we go out of our way to portray as a
required activity, particularly one with some kind of necessary
frequency. You were advocating a "view logs as you brush your teeth"
approach, which I find unreasonable and will not support.

> OK, if you haven't been ignoring this issue, then please tell me what
> you have done or discussed with other companies/government to address
> it.

I am making sure that there is high-quality software out there that can
address some of these needs and integrate with our platform, but we're
not going to be the ones writing it.

Someone thoughtfully mailed me off-list to point out that I was sounding
too harsh. I'm not trying to sound harsh or be confrontational, and I'm
thankful for the time you're taking to offer your comments. I do feel
very strongly about OLPC staying out of certain kinds of policy
decisions, however, and about certain kinds of security simply being out
of the scope of the _system_ security spec.

Cheers,

-- 
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | GPG: 0x147C722D

