[OLPC Security] "Correlating bitfrost and threats"
Jameson "Chema" Quinn
jquinn at cs.oberlin.edu
Mon Jul 30 19:07:36 EDT 2007
> Are documents that are explicitly world-shared stored unencrypted? How
> > about narrower shares - there could be a complicated system of group keys
> > and session keys, though the benefit is limited.
> Sharing is a transitive thing that is focused on the act of sharing an
> activity, not the resulting file output. At the end of a shared session,
> each user (as I understand it, mind you that I am not hacking on Sugar so I
> might be missing a step) participating in the share will get an entry into
> their Journal(datastore). They will, then, have a local copy of the file. It
> is not akin to read/write permissions of a file on a traditional machine.
Sorry if I have the wrong jargon. I mean file sharing, not activity sharing.
And don't tell me there will be no such thing - how does a student hand in a
paper and then receive the comments back? Not all collaboration is
Why would you want your data stored regionally or globally, if you don't
> > trust your net access?
> Don't trust the network access because of a (1)Big Brother or because of
> (2) inconsistent access?
> (1) The data is encrypted. Now, there is more to this. Encrypting the data
> with the default caveat that you can restore backups later (child's XO gets
> vaporized, need another issued to you) means that whatever token (private
> key, the serial number of the XO, etc) used to encrypt/decrypt the data must
> also be available to some teacher/administrator/government official. It is
> not possible (though I am happy to hear otherwise) for us to allow for data
> restoration without also making it possible for mean people in power to
> snoop on us.
Not true. As I state in the talk page of the wikipage that started this
thread, I could give 4 pieces of key to other random laptops from the same
batch, of which any 2 pieces were sufficient. I could also choose to give
duplicates of those 4 pieces to up to four friends, but no laptop would
accept more than 8 keypieces, all for separate keys, for storage. No central
record would record who has whose key. When I had to restore, there would be
a broadcast message to the whole batch: "Somebody wants so-and-so's key."
This would be a low-priority but visible event to all users. The 4 laptops
which had my key would allow their users to either approve or disapprove,
and also tell the server who they were (so that I could track them down).
Obviously, a committed big-brother could still twist two kids' arms and
convince the rest to ignore the message. But that doesn't scale well to
stealing EVERYONE's data and mining it, which is the real threat.
This does mean that if, say, Google was used as a backup farm for the entire
> world of XOs, they could not decrypt or read the data.
> A part of Bitfrost says that a child can (if not initially at launch, in
> the near future) assign a password, backup their private key and tell it to
> not be backed up to the school server, or provide some other personal token
> that moves the responsibility onto their shoulders for being able to restore
> their data from a backup but also removes the ability for prying eyes at any
> level to step in.
And what, the server just deletes the key at that moment? And then
re-encrypts all the backed-up files and deletes the old copy? Hmmm...
If you want security for your key, you need to have it from day 1, you can't
patch it back up later.
Let me know if I am being unclear here. I am happy to try again for clarity.
> (2) We are using rsync, which will let you resume interrupted downloads.
> Create a low-priority background process to upload to the local school
> server, if the network goes down, just pick up where you left off later.
I'm not talking about backup, I mean restore. What good is a backup to me if
it will take me two weeks of dropped connections to get it back?
Or are you imagining the case where a school server is stomped? Since the
ratio is 1 server per 100 laptops, most locales will have two servers, and
network considerations mean that you want these physically separated anyway.
Even if not, I'd rather have my secondary backup be peer-to-peer with my
nearest neighbor, not in the Google Dimension. I'm personally less worried
about data continuity after large natural disaster than I am about big
I am happy for you to CC this back to Sugar, if you like.
> Michael Burns * Intern
> One Laptop Per Child
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Security