[OLPC Security] A mom's worries

Albert Cahalan acahalan at gmail.com
Wed Nov 28 22:27:08 EST 2007 

On Nov 28, 2007 3:47 PM, alien <alien at mit.edu> wrote:

>> hard to believe based on your experience with Microsoft Windows, but
>
> I'm a security professional specializing in Unix/Linux security.
> Linux isn't magic. There are plenty of issues with it.

First of all, me too. In fact, if you truly understand the
technical details of how security exploits operate, I can get
you a fun job. Send a resume.

Second of all, this isn't normal Unix/Linux security here.
You gave no suggestion that you understood this, and still
haven't. The XO security is essentially a capability-based
system.

If you mean to point out the possibility of theoretical holes
caused by bugs, please realize that not all of your audience
has the technical background to properly assess such risks.
It needs to be made absolutely clear that the XO is not just
another Windows or MacOS. Stuff is seriously more secure.

Saying "plenty of issues" without anything to back it up
is FUD. Please don't do that.

>> Viruses will be contained, and thus quite harmless.
>
> Wow, looks like the antivirus industry is out of business.

Shouldn't they be? They sell snake oil for defective products.

> For the past year, OLPC developers have been brushing aside issues
> surrounding viruses, spyware and user/parent awareness of security by
> suggesting that the XO model and code are invulnerable. This is
> completely unrealistic.

Given the extensive work that has gone into that security model,
it is not at all right to claim that issues have been brushed aside.

>> You can just ask to see what is on the laptop.
>
> I would like to see a built-in, very easy-to-use interface where parents
> can browse logs of web site surfing, email use and IM conversations.

Creepy! Would you have more or less trust of your parents if they
were silently spying on you? Is it perfectly OK to erode that trust?
Might a child be safer if they feel that they can trust their parents
more than some friendly pervert?

Note: I'm a parent too. I have 6 kids.

> You can't just wave your hand at a problem and make it go away. I know
> the folks over at OLPC have been working very hard on the security
> specifications of this system. But there is no perfect security. Viruses
> and malicious software that compromise the XO will emerge. We need to be
> prepared to handle that.

The last-resort solution is a refresh of the operating system.
You boot from cryptographicly signed media, verified by the
firmware, and any problems go away. The firmware is protected
and filesystem-aware, so you can reliably do this without even
losing the child's data.

More information about the Security mailing list