[OLPC Security] Periodic identity updates

Karl O. Pinc kop at meme.com
Wed Feb 21 12:54:32 EST 2007


On 02/21/2007 05:38:39 AM, Simson Garfinkel wrote:
> Hi, Karl. I'm very confused by the message that you had posted:
> 
>> I think so too.  But I also wanted a response to the threat of
>> somebody, child, parent, teacher, government functionary,
>> simply transferring ownership of the XO to another child.
> 
> My understanding is that it is the governments that are OLPC's  
> customers, and not the 5-to-16-year-old-children. If the customer  
> decides that it's going to transfer ownership of an XO to another  
> child, that's going to happen.  The XO is going to be reflashed and  
> given to someone else.

Ok, the national government is the customer.  There's going to
be transfers of ownership that occur without approval of the
national government.

Offtopic: I'm not trying to question your assessment of who
the customer is, Bitfrost being my only contact with
an official OLPC information source.
But if the national government is your customer then I don't
really understand the developer key concept -- which puts
control of the XO wholly in the hands of the child.  I would think
that most governments would be most comfortable if the
government retained control of the XOs, in which case
the developer key is an unnecessary security risk.
As you point out, the government can always reflash the XO.
My working assumption was that the child is the customer.

> Perhaps the problem is that I'm really not sure what your role is in  
> OLPC.  My role is that of a hired consultant who is helping Ivan work  
> on the security specification. My goal is to make sure that the  
> threats that we have identified are reasonable, and that we have  
> reasonable responses to these threats.
> 
> What is your role in this project and what is your goal? Are you  
> pursuing an ideological agenda for some theoretical role of computers  
> in our society, or are you actually working to improve this  
> particular security model for this particular project?

I have no role in the OLPC whatsoever.  OLPC called for open
comment on Bitfrost.  I read the spec and believe I've identified
two areas that I think could be improved upon.  An element of Bitfrost,  
the disjunction between digital and self-image, where the security
design is to the detriment of user satisfaction.  And an omission
in the threat model; familial, local or regional, but
not national or international sanctioned laptop ownership
transferal in the later years of the XO's lifetime.

I wrote because I saw an approach I thought might address these
issues.  Those with roles in the OLPC are certainly free to
decide the issues need not, can not, or should not be addressed.

Having written initially and gotten no feedback I kept writing
partially because my thoughts developed and partially because
I had no assurance that I was not being misunderstood.
At this point I'm confident I've been heard and understood
and see no need for further comment.

I would hope that because the OLPC project is using FOSS software
as its base that the project would leverage the community
and welcome 3rd party comment, contribution, and code.
In other words, I would hope that the OLPC project is a
FOSS project.  Media reports lead me to believe that it
is, as does the hackable XO design goal.

Assuming OLPC is FOSS, that means both interaction with
folks like myself and acceptance of outside code and ideas.
As contributions are accepted the project founders may
find development to be more rapid in unexpected areas,
changes that drift the project in unanticipated directions.
This drift in response to community input, and the
time it takes to engage in dialog, is the price you
pay for community involvement.
Naturally, project leaders must maintain the project's focus,
but if the project leaders do not engage in dialog with
the community or a history of ignoring community
contributions develops the project may find itself
relegated to the periphery and progress less
rapidly than it otherwise could.  For historical examples
of the development of rifts between project leaders and
the community see XFree86/x.org, Mambo/Joomla!,
Compiere/Adempiere and many others.

All of which leads up to some advice: Chill out.
I write this with no disrespect.  And I in no way
want to imply that OLPC, the Bitfrost team, or you
are less than enthusiastic about suggestions
for improvement, public examination of
Bitfrost, or are otherwise unwilling to
accept public participation.  I am a little put
off by the heretofore lack of dialog and by the
tone of your reply, and think it's important to let
you know how you are received by the public.
If the Bitfrost team is uninterested in my thoughts
in this area, and there are many reasons why they might be,
then just say so and we can all get on with doing
something else.  It'd be enough to say: "We don't
wish to address your concerns."  (Another traditional
answer is: "Ok, go write the code.")   I did put some
effort into my communications and feel that, although
politeness is not required, some sort of reply in acknowledgment
would be polite.  In turn, I apologize for being rude
by giving you the above unsolicited advice.
But hey, it's important to me to feel I can speak
informally and in an offhand manner.  It's just no
fun being wound tight.

Perhaps I'm overly sensitive.  If so I apologize again.

So, I guess the answer to your question is that my role
is to have fun!  Which is different from wasting
time and does not imply the absence of production.
Making things is fun.  If you don't want to have fun
with me then I'll go play somewhere else.  Otherwise
I'd like to have fun together and hope we can
do that.

No worries,

Karl <kop at meme.com>
Free Software:  "You don't pay back, you pay forward."
                  -- Robert A. Heinlein


