[OLPC Security] "Correlating bitfrost and threats"
Ivan Krstić
krstic at solarsail.hcs.harvard.edu
Tue Jul 31 13:50:18 EDT 2007
On Jul 30, 2007, at 2:01 AM, Jameson Chema Quinn wrote:
> A quick "yeah, we've seen it, looks mostly [good/bad/indifferent]"
> would be fine as a reply
The OLPC security working group, of which Marc is a member, discussed
this document in some detail at our March summit.
> The installation of applications under Bitfrost should be tweaked
> so that, in addition to asking the application for a list of
> requested endowments, the user is asked what kind of application is
> being installed ("category-based installation").
I rejected this because I don't want the user to _have_ to perform an
interaction at install-time by default. I'd like to add this feature
after we ship such that more experienced users can enable it to have
greater control over their system, but I will not make it mandatory.
> A computer-based training system that makes olpc owners resistant
> to nigerian hoaxes should be explicitly included in the security
> specification.
User training isn't part of system security and thus isn't covered by
Bitfrost, but I'm exploring several different approaches to providing
some kind of security training on the machine.
> The Bitfrost mechanism for updating firmware should be given a
> detailed end-to-end security review to ensure attackers cannot
> breach the system and render olpc computers unrecoverable.
This was already going to be done, and is currently in progress.
--
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | http://radian.org
More information about the Security
mailing list