[OLPC Security] "Correlating bitfrost and threats"
Jameson "Chema" Quinn
jquinn at cs.oberlin.edu
Mon Jul 30 02:01:27 EDT 2007
Many of you are probably aware of the document on the wiki, "Correlating
Bitfrost and Threats", attributed to Marc Stiegler.
http://wiki.laptop.org/go/Correlating_Bitfrost_and_Threats . Still, browsing
the archive for this mailing list, I do not see that this document has been
discussed. So I'm writing this message to make sure all of the list
subscribers have had a chance to read it. A quick "yeah, we've seen it,
looks mostly [good/bad/indifferent]" would be fine as a reply, but
substantive discussion should go on the talk page of that page, or be
integrated into a new version of the bitfrost spec.
Here's a copy of the executive summary:
Shortly after the page Threats and
referred to as "T&M") was posted on the OLPC wiki, the
Bitfrost <http://wiki.laptop.org/go/Bitfrost> specification for the OLPC
security architecture was published. Those two documents developed
independently. Unsurprisingly, they are only weakly correlated. This
document, written by the author of T&M, attempts to correlate the security
with the threat.
The conclusions are as follows: the Bitfrost architecture is both stronger
and easier to use than the traditional model of security. It exceeds in many
ways both the expectations and hopes of the author of T&M. However, Bitfrost
only weakly addresses the two threats considered, in T&M, to be the greatest
risks. These risks are the use of the Nigerian hoax for fraud, and the
transformation of olpc computers into spambots by use of email and chat
attachments. Key recommendations include:
- The installation of applications under Bitfrost should be tweaked so
that, in addition to asking the application for a list of requested
endowments, the user is asked what kind of application is being installed
("category-based installation"). The installation endowment becomes the
intersection of those endowments requested, and those endowments appropriate
for the application type.
- A computer-based training system that makes olpc owners resistant to
Nigerian hoaxes should be explicitly included in the security specification.
- The Bitfrost mechanism for updating firmware should be given a
detailed end-to-end security review to ensure attackers cannot breach the
system and render olpc computers unrecoverable.
- Resources for these additional development efforts can be acquired
by postponing development of the centralized "anti-theft" user
identification system and the centralized backup system until a later
- If olpc is unable to abandon these centralized systems,
decentralized architectures are proposed that achieve the same goals while
reducing single point of failure risk and privacy risk.
...end of quote
Personally, I think that point 4(a) is far more realistic than point 4.
Otherwise, I agree with the document. Either way, it deserves wider
discussion. Go comment on the talk page.