[OLPC Security] Anti-theft and Anti-Sale ideas for Nepal
bipin.gautam at gmail.com
Mon Feb 19 10:33:31 EST 2007
On 2/19/07, Simson Garfinkel <simsong at acm.org> wrote:
> Thanks for explaining this. So your real issue is that there will be
> schools that do not have a school server.
> In a case such as this, the authentication server can easily be run
> on the teacher's laptop. I believe that the spec makes this clear. If
> it doesn't, it will.
> One serious risk that we wish to avoid is an attacker who steals all
> of the laptops that are destined for a school --- that is, they steal
> the shipment en route. The anti-theft system is specifically designed
> to address this risk.
> Peer-to-Peer systems have considerable complexity. I don't think that
> we need or want that complexity in the anti-theft system.
I believe the solution would only be as complex as the popular P2P
technology, which is mostly OSS projects, pretty stable and has
wide implementation already! OLPC just needs to add a little
automation over the existing code with minor modification. That's it.
I believe enforcing P_THIEF through P2P for validity would address the
problem and fix it technically in the OLPC developer room once and for
all. Remember, the basis of OLPC networking is the mesh network! So
acquiring a new cryptographic token and publishing it to other XOs in the
neighbourhood to enforce the P_THIEF mechanism will be very easy, as XOs
will automatically find new nodes in the MESH for routing anyway. So
if one laptop in the neighbourhood can get the token (say) through a
nearby village, all laptops will have the token immediately. This would
mean the use of fewer SERVER computers, and teachers will have to worry
less about the maintenance.
I believe enforcing the cryptographic token through the teacher's laptop
will be far more complex because:
- If the teacher's laptop is stolen, the IDs for all the students'
laptops should be renewed for the security of the children's laptops.
- If a laptop is stolen, the teacher will have to manually blacklist the
laptop. When power like that is given to a teacher, the human factor is
involved... and people always tend to misuse power. They could be
bribed and the teacher may NOT block the REPORTED-STOLEN laptop. So
it's better to only let very limited and strictly authorized people
have the right to enforce the mechanism.
- If a student has to migrate school it 'might' pose a problem.
- If new laptops arrive (say, for a new junior batch), the teacher
might have to UPDATE the signature in the laptops for the arrival of new XOs.
- The teacher's laptop can break, and to make and process a new shipment
might take weeks. Why have a single point of failure in the design that
can AFFECT the working of all other laptops, as the expiry time for
the P_THIEF mechanism might pass?
That is why I was stressing the above point about P2P. With P2P the
country can make this process transparent to the user through a
Simson, thank you for your suggestions and concerns. Let me know if
I'm unclear or wrong about a point.
Keep your better suggestions flowing as, like Nepal, many other
countries might not have adequate internet access to facilitate all but
still have to enforce the P_THIEF mechanism.
Off-topic: I was reading the Bitfrost specification discussion on the
wiki... The discussion says kernel/firmware modification or
installing a new OS would require a REQUEST for a unique developer key for
the specific laptop. Do note the fact that we are still unclear about the
process of acquiring a developer key and where the key should be entered
for authority before the XO allows a firmware upgrade or installing another
OS. Now consider this situation...
Suppose I request a developer key giving some cunning reasons (or
is it automated?). I wait 21 days for the key to arrive. Then I wipe
out the OS and have a firmware upgrade of the BIOS with the DEVELOPER-KEY.
Then I install a NEW OS and sell the laptop. In this case what is
stopping me from selling the laptop?
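The P2P token relay argued for above can be made concrete with a small model. This is an added example, not OLPC or Bitfrost code and not the poster's: it assumes a simplified anti-theft scheme in which the country's authority signs a per-serial lease with an expiry (Ed25519 here), every XO verifies leases with only the authority's public key, and nodes gossip the leases they hold to mesh neighbours. Node names, serials (XO-A, XO-B, XO-C), the 30-day lease and the fixed clock are constructed for the run; the "teacher key" is a hypothetical non-authority key standing in for the stolen-teacher-laptop case raised in the list.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Lease is the activation token an XO must hold: "Serial may keep running until
// Expires". Sig is made with the authority's private key, so any peer can relay a
// lease but nobody without that key can mint, extend or shorten one.
type Lease struct {
	Serial  string
	Expires int64 // unix seconds
	Sig     []byte
}

// leaseBytes is the canonical signed message: big-endian expiry, then serial.
func leaseBytes(serial string, expires int64) []byte {
	b := make([]byte, 8, 8+len(serial))
	binary.BigEndian.PutUint64(b, uint64(expires))
	return append(b, serial...)
}

// IssueLease is the one operation only the authority can perform.
func IssueLease(priv ed25519.PrivateKey, serial string, expires int64) Lease {
	return Lease{Serial: serial, Expires: expires, Sig: ed25519.Sign(priv, leaseBytes(serial, expires))}
}

// Node is one XO in the mesh. It keeps the newest verified lease seen per serial,
// including leases for other laptops, which it forwards to neighbours.
type Node struct {
	Authority ed25519.PublicKey
	Leases    map[string]Lease
}

func NewNode(authority ed25519.PublicKey) *Node {
	return &Node{Authority: authority, Leases: map[string]Lease{}}
}

// Accept stores a lease received from any peer only if it is unexpired at now,
// carries the authority's signature over exactly (Expires, Serial), and is newer
// than the lease already held for that serial (a replayed old lease cannot downgrade).
func (n *Node) Accept(l Lease, now int64) bool {
	if l.Expires <= now {
		return false
	}
	if !ed25519.Verify(n.Authority, leaseBytes(l.Serial, l.Expires), l.Sig) {
		return false
	}
	if cur, ok := n.Leases[l.Serial]; ok && cur.Expires >= l.Expires {
		return false
	}
	n.Leases[l.Serial] = l
	return true
}

// Gossip pushes every lease src holds to dst and reports how many dst accepted.
func Gossip(src, dst *Node, now int64) int {
	accepted := 0
	for _, l := range src.Leases {
		if dst.Accept(l, now) {
			accepted++
		}
	}
	return accepted
}

// Valid reports whether the laptop with this serial may keep running.
func (n *Node) Valid(serial string, now int64) bool {
	l, ok := n.Leases[serial]
	return ok && l.Expires > now
}

// Result collects the outcomes of the constructed scenario in Scenario.
type Result struct {
	CHasLease, ForgedRejected, TamperedRejected, ExpiredRejected, DowngradeRejected bool
}

// Scenario: only node A can reach the authority (the "nearby village" case); A gossips
// to B and B to C. B is then fed a lease forged with a teacher's (non-authority) key,
// a tampered lease, an expired one, and a genuine but older one. Clock is fixed.
func Scenario() (Result, error) {
	authPub, authPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	_, teacherPriv, err := ed25519.GenerateKey(rand.Reader) // hypothetical stolen teacher key
	if err != nil {
		return Result{}, err
	}
	const day, now int64 = 86400, 1_000_000
	a, b, c := NewNode(authPub), NewNode(authPub), NewNode(authPub)
	for _, sn := range []string{"XO-A", "XO-B", "XO-C"} { // constructed serials
		a.Accept(IssueLease(authPriv, sn, now+30*day), now)
	}
	Gossip(a, b, now)
	Gossip(b, c, now)
	var r Result
	r.CHasLease = c.Valid("XO-C", now)
	forged := Lease{"XO-B", now + 365*day, ed25519.Sign(teacherPriv, leaseBytes("XO-B", now+365*day))}
	r.ForgedRejected = !b.Accept(forged, now)
	tampered := b.Leases["XO-B"]
	tampered.Expires += day // signature no longer covers this expiry
	r.TamperedRejected = !b.Accept(tampered, now)
	r.ExpiredRejected = !b.Accept(IssueLease(authPriv, "XO-B", now-1), now)
	r.DowngradeRejected = !b.Accept(IssueLease(authPriv, "XO-B", now+day), now)
	return r, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The point the run makes: relaying through untrusted peers is safe because verification needs only the authority's public key, so a compromised teacher laptop or a mesh neighbour cannot mint or extend leases, and an old lease cannot be replayed to shorten a valid one. What the relay does not remove is the dependency on the signing key and on the lease expiry: a laptop that never receives a fresh lease before its expiry still stops, and blacklisting a reported-stolen serial would have to travel the same way as an authority-signed statement rather than a teacher's local decision.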