[OLPC Security] Periodic identity updates

Karl O. Pinc kop at meme.com
Wed Feb 21 01:16:38 EST 2007


On 02/20/2007 03:16:03 PM, Matt Anderson wrote:
> On Mon, Feb 19, 2007 at 08:32:34PM +0000, Karl O. Pinc wrote:
> > On 02/18/2007 04:03:40 PM, Karl O. Pinc wrote:
> > >On 02/18/2007 03:18:50 PM, Karl O. Pinc wrote:
> > >> The concept is to annually update the child's identity;
> > >> the identity established in Bitfrost section 4.
> >
> > I think the right name for this would be P_PROVENANCE.
> >
> > Its purpose is twofold.  First, as an anti-theft/sale measure it
> > augments P_THEFT by making clearer the provenance
> > of the XO should it be transferred
<snip>

> > Second, it allows the
> > on-line image of the owner to develop in
> > correspondence with the owner's self-image.

> To me this second point is the strongest.

I think so too.  But I also wanted a response to the threat of
somebody, child, parent, teacher, government functionary,
simply transferring ownership of the XO to another child.
After all, because the child has no password to authenticate
herself to the XO this could be easily done without disabling
P_THEFT or otherwise bypassing _any_ Bitfrost protections,
so long as the XO was not reported stolen.  I can imagine
many circumstances, some legitimate, where an XO is transferred
from one child to another and the transfer/sale/theft goes unreported.
A password is no real protection either.  Because children
are so dependent they could be easily persuaded, willingly
or unwillingly, to give up their password.  (Don't
quote me but wasn't there a study where over 50% of
adults were persuaded to reveal their passwords
in exchange for 1 candy bar?)

Suppose a child gives her XO to a sibling, or to a
bully.  Suppose a school administrator declares
that all graduating students leave their XO's behind.
What if the village leaders decide some child should
or shouldn't have an XO.  Suppose a child dies.  I don't
know how much control OLPC has or wants to have over
what transfers are permissible and what aren't,
or what procedures must be followed when an XO is
transferred from child to child.  (Reset to first boot state, etc.)
I don't know what control governments have or want to have
either.  In any case there will be circumstances
where transfer of ownership occurs without "official" approval.
P_PROVENANCE would not prevent this, but it would at least
make clear what was going on to anybody who's looking.
The presumption is that this would then
make it possible to uncover systemic violations.
Whether it is possible to actually do anything
once a violation is discovered is probably more
a social question than a technical one but if
you don't know what's going on then you've
no hope of doing anything about it.

> I think you've covered a lot of cases in your proposal as well.

Thanks for the reply.  I'm happy to know that my
thoughts have reached somebody.

I think the major drawbacks of P_PROVENANCE are technical issues
I can't really speak to.  Things like whatever extra
CPU, time, and power would be required, or whatever
memory would be required to implement the policy or
store the identity series.  The work required
to produce a bug-free implementation.  Security is a trade-off
and I've no notion how to weight the advantages
and disadvantages of this suggestion.  Should
OLPC seriously consider this suggestion I'd
love to hear the trade offs discussed.


Karl <kop at meme.com>
Free Software:  "You don't pay back, you pay forward."
                  -- Robert A. Heinlein
