[OLPC Security] Application bundles and delegation
Simson Garfinkel
simsong at acm.org
Sat Feb 10 10:43:25 EST 2007
Hi, Xuan. Let me take a try at answering your questions:
> In "software installation" part,
> 1. > After installation, the per-program permission list is only
> > modifiable by the user through a graphical interface.
> This may cause problems when some program tricks the user into changing
> the permission list to access the other programs.
This is certainly possible. The alternative is to not allow users to
change permissions after a program is installed. Do you think that
this would be a better approach?
> 2. > As a final note, programs cryptographically signed by OLPC or the
> > individual countries may bypass the permission request limits, and request
> > any permissions they wish at installation time.
> This guarantees too much power and responsibility to OLPC, which I
> find unnecessary. The other programs just have their own rights to
> announce the access limits to their own files, which means all the
> programs are all fair, and when one program uses another program, it
> needs permission, just like the real user uses the programs. The
> user may have the right to execute all files, but some programs
> which are not supposed to be executed directly by the user can just
> put a "non-executable by John" sign on themselves.
I'm sorry; I do not understand the problem here. Could you give a
specific example?
>
> Another thing in the spec, the "first boot" part.
> 1. The identity information is centralized, and the server may
> cause insecurity, as there are always some ways to hack into it.
Yes, but what is the alternative?
> 2. With only the photo, SN and id, how can we find the thief or
> render the machine dysfunctional after a boy loses his laptop, who
> possibly has no idea whom to report to except telling his own
> friends?
The students who have the laptop are students, so they have teachers.
They need the laptop for school. They report the theft to their school.
>
> How about this? At the first time, the child inputs his name. Then
> every time the laptop is turned on ever since, it automatically uses
> the real name to log into the p2p net as long as there's another
> laptop in a range of, say, 1km. In this net, everyone else can see
> who's online, even if no one's on the Internet. Then the thief
> takes risks everywhere as long as there might be someone else using
> an XO in this range, because that one may know the name that logged
> in, and may know that he has lost his XO.
The goal of the anti-theft system is not to recover laptops. The goal
is to disable stolen laptops to act as a deterrent.
>
> I always believe in the power of people, especially lots of people
> who know each other. Also, I don't like the idea of supervisor of
> supervisor of supervisor, and so on. Instead, I'd like to be a
> supervisor and a supervisee at the same time, fairly.
I believe in the power of the people as well, but as the father of
two five-year-olds and a ten-year-old, I also realize the limits of
this power.