[OLPC Security] Comments on the security properties of Scott's lease-delegation scheme

Michael Stone michael at laptop.org
Wed Jul 9 15:40:25 EDT 2008 

On Wed, Jul 09, 2008 at 02:09:32PM -0400, Benjamin M. Schwartz wrote:
> I find this e-mail is vague to the point of incomprehensibility.
>
> Michael Stone wrote:
> | 1. If the attacker wishes to resell "working" laptops (rather than, say,
> | components), then deploying this scheme may force attackers to
> | circumvent theft-deterrence protections more quickly.
>
> Vague.  What do attackers have to do more quickly?  Clearly reprogamming
> the SPI flash can be done even after all the timeouts expire, so you must
> be thinking of something else.

Replacing the SPI flash is a means of circumventing the theft-deterrence
protections. My claim is that the point of the scheme is to force
attackers who wish to resell laptops running something like our software
to employ such a circumvention.

> | 2. As more trust is placed in local infrastructure, it becomes easier to
> | circumvent theft-deterrence protections.
>
> In places without an internet uplink, there is presently no
> theft-deterrence protection to circumvent.  This would introduce some.

False. Leases can be delivered by any means capable of conveying bits;
in particular USB courier.

> Schools with internet access need not alter their operations at all.

Perhaps. In the presence of delgation, can attacks on a school server at
one school lower the cost of stealing laptops from another source?

> | 3. The major security effects derive from rearranging and hopefully
> | reducing the support costs of the theft-deterrence system (e.g. by
> | exchanging the cost of providing connectivity to the OLPC GTDS for the
> | cost of maintaining public key infrastructure) rather than as a result
> | of any technical improvement in the security afforded by the design or
> | the software.
>
> I would say that the main security effects derive from introducing theft
> deterrents in places without internet access.  Currently, there is no
> technical deterrent to theft in these schools.

As described above, regular internet access is not necessary for
deploying passive-kill. It is necessary for deploying active-kill. It
permits you to issue leases with shorter lifetimes which, it is argued,
will raise the cost of selling stolen laptops (and hence deter laptop
theft.)

> Calling this an exchange of connectivity for PKI is bizarre.  There is
> only an "exchange" if schools that would have had internet access will be
> denied it as a result of this infrastructure.  From my contact with
> deployment teams, that seems tremendously unlikely.

I believe that would be an exchange of benefits. I was talking about
simple change in the nature of the kind (and hopefully scale) of costs
that must be paid off in order deploy a theft deterrence system with
short leases.

Michael

More information about the Security mailing list