[OLPC Security] While we're on Cerebro, Telepathy, etc... Cerebro + bitfrost?
Bert Freudenberg
bert at freudenbergs.de
Wed Jun 11 05:08:43 EDT 2008
On 11.06.2008, at 03:37, Jameson Chema Quinn wrote:
> Thus, there would be three kinds of activities:
>
> those with full network access, able to talk to arbitrary IP
> addresses (Browse is inescapably in this category);
>
> those with some kind of "telepathy-only" access, which would only
> let them talk to IP addresses that correspond to a friend sharing
> the specific activity instance (Chat might fit here; certainly,
> Write would);
>
> and those with no network permissions.
>
> The telepathy-only, middle security level would allow the last two
> "good" use cases, while preventing the last two "bad" use cases. It
> could be implemented by sugar giving them some kind of key, valid
> only for that specific instance (and renewed when the instance is
> resumed) that they could use to "unlock" access to a given IP. I
> understand that the middle security level would not necessarily be
> perfect - a man-in-the-middle attack could well subvert any gains,
> and, especially in early versions, it would be hard to guarantee
> that any abstraction layer was 100% successful at keeping malformed
> requests from getting some illicit control over a lower layer - but
> it would drastically reduce the practicality of any large-scale
> snoop-net or bot-net for your average shareable activity. Assuming
> that the connection to friend X was compromised, an activity would
> still have to hope it was started with an instance that had been
> shared with friend X in order to leak any data.

Err, hasn't that been the plan all along? P_NETWORK is only given to
activities needing full network access. It is independent of sharing.
An activity wanting to share must use telepathy, period. Your "no
network permissions" case above does not exist separately; it is the
same as "telepathy-only".
- Bert -
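
A small Python model of the scheme discussed in this thread, added here as an illustration and not code from OLPC, Sugar or either poster: activities holding P_NETWORK may reach any address, and every other activity may only reach the IP of a friend sharing its specific instance, using a key that is renewed on resume. The `Broker` class, its method names and the HMAC-SHA256 construction are assumptions; the thread only says "some kind of key".

```python
import hashlib
import hmac
import secrets

P_NETWORK = "P_NETWORK"  # Bitfrost permission named in the thread


def make_tag(key, instance_id, ip):
    """Activity side: bind an unlock request to one instance and one IP."""
    msg = instance_id.encode() + b"\x00" + ip.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Broker:
    """Hypothetical stand-in for the Sugar-side component gating connections."""

    def __init__(self):
        self._keys = {}   # instance_id -> current per-instance key
        self._peers = {}  # instance_id -> IPs of friends sharing that instance

    def start_or_resume(self, instance_id):
        # A fresh key on every start/resume invalidates tags made earlier.
        self._keys[instance_id] = secrets.token_bytes(32)
        self._peers.setdefault(instance_id, set())
        return self._keys[instance_id]

    def friend_joined(self, instance_id, ip):
        self._peers.setdefault(instance_id, set()).add(ip)

    def friend_left(self, instance_id, ip):
        self._peers.get(instance_id, set()).discard(ip)

    def authorize(self, permissions, instance_id, ip, tag=b""):
        if P_NETWORK in permissions:
            return True   # full network access, independent of sharing
        key = self._keys.get(instance_id)
        if key is None or ip not in self._peers.get(instance_id, ()):
            return False  # destination is not a peer of this shared instance
        # Constant-time comparison of the presented tag with the expected one.
        return hmac.compare_digest(tag, make_tag(key, instance_id, ip))
```

In this model an activity without P_NETWORK that is not shared has an empty peer set, so it cannot reach any address.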