[OLPC Security] "Correlating bitfrost and threats"
krstic at solarsail.hcs.harvard.edu
Tue Jul 31 13:50:18 EDT 2007
On Jul 30, 2007, at 2:01 AM, Jameson Chema Quinn wrote:
> A quick "yeah, we've seen it, looks mostly [good/bad/indifferent]"
> would be fine as a reply
The OLPC security working group, of which Marc is a member, discussed
this document in some detail at our March summit.
> The installation of applications under Bitfrost should be tweaked
> so that, in addition to asking the application for a list of
> requested endowments, the user is asked what kind of application is
> being installed ("category-based installation").
I rejected this because I don't want the user to _have_ to perform an
interaction at install-time by default. I'd like to add this feature
after we ship such that more experienced users can enable it to have
greater control over their system, but I will not make it mandatory.
> A computer-based training system that makes olpc owners resistant
> to nigerian hoaxes should be explicitly included in the security
User training isn't part of system security and thus isn't covered by
Bitfrost, but I'm exploring several different approaches to providing
some kind of security training on the machine.
> The Bitfrost mechanism for updating firmware should be given a
> detailed end-to-end security review to ensure attackers cannot
> breach the system and render olpc computers unrecoverable.
This was already going to be done, and is currently in progress.
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | http://radian.org
More information about the Security