Replying out-of-band not out of privacy, but to avoid spamming the list. When we reach agreement, some record should be left on list and/or wiki.<br><br>Issue 1: sometimes you don't want to encrypt the backup.<br><div>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>><br>> Great. The case I was asking was slightly different. My laptop is turned<br>
> off, my buddy wants to see the shared file for the first time, it happens to<br>> be on the server. It would be nice if the file was encrypted to a one-time<br>> key which is in turn encrypted to both mine and theirs, so they can get it.
<br>> Not a high priority.<br><br>Awh, I see now.<br><br>Generally speaking, the P_Ident service of Bitfrost says that, if it<br>is possible to encrypt a file securely (you trust the public key(s)<br>tied to the identity(ies) you wish to share with, you should encrypt.
<br>That is: if possible, encrypt the file. Now, if you are making<br>something open to anyone, or including untrusted peers, you are either<br>unable to encrypt, or we will be able to do some nice middle-ground<br>with a UI of yellow-light-esque "we sort of trust this person" if that
<br>makes sense. All that to say, yes, it will be a feature at some point.<br>Not necessarily at first ship, if only because of deadlines.</blockquote><div><br>We agree.<br><br></div>1a. Share UI - already agreed.<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
> > > And don't tell me there will be no such thing - how does a student hand<br>> in a paper and then receive the comments back? Not all collaboration is<br>> real-time.<br>> ><br>> > You are quite right, it is not. In the homework turn-in case I suspect
<br>> > the student would encrypt the file in question with the teacher's<br>> > public key and offer it to download. How the UI presents this is<br>> > another discussion ('pressing a Turn In Homework' key of some sort?).
<br>><br>> Well, in the UI paradigm, the simplest would be: share it from my journal,<br>> my teacher can see it now, and by default my teacher's copy is shared with<br>> me in return, so when they grade it I see their modifications as the latest
<br>> version.<br><br>Sure.</blockquote><div><br>Issue 2: preventing invisible snooping.<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
> Let me redo my scenario.<br>><br>> At first boot, I create a key. I split it in two parts. I leave one part on<br>> the school server, and distribute copies of the other half to 3 (or so)<br>> random peers. By default, nobody keeps a record of who has whose key. All of
<br>> this is done by system software, which is pretty darn secure - it is signed<br>> by OLPC and separate from all the country-specific preloads, so I don't see<br>> an easy way to get a keylogger in there. The school server does not tell me
<br>> who to share with, my laptop decides on its own. The school server itself<br>> does have a password.<br>><br>> Now, for me to do a recovery OR for someone to snoop my files, they need<br>> help from my school authorities and at least one of my friends. In order to
<br>> have a good chance of getting the right friend, they have to poll at least<br>> 1/3 of the peers (that is, 1/3 of those which my computer saw in its first<br>> few days of life - it should offload the first copy relatively quickly,
<br>> within 2 hours say, but should be in no great hurry to offload the other<br>> two). This is fundamentally more secure than trusting just the authorities.<br><br>This is a clearer scenario (either this or the original, I understand
<br>your intentions better).<br><br>With that in mind, sure, being able to make the weight of the abuse of<br>power a more socially obvious problem is A Good Thing(TM). I can say<br>that, given the hectic state of things, something like this wouldn't
<br>be able to make it into FRS, but I like your thought process here.<br><br>> > This system requires that your adolescent peers are not susceptible to<br>> > social engineering....<br>><br>> No, it requires that at least SOME of my peers have at least SOME chance of...
<br><br>Yes. But ...</blockquote><div><br>We're splitting hairs here.<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">> The game is to make the community aware of what
<br>> snooping is going on, which makes it at least potentially subject to<br>> community standards, WHATEVER they are. (The broadcast could just as well<br>> say "The local holy man wants to see X's files" as "X lost their laptop and
<br>> wants to recover their files to a new one". If at least one of the 3 peers<br>> says "yes, that's legitimate", the attempt is successful. But if the<br>> community then tells the server administrator "we'll have no more of that",
<br>> in the long term, the community standards of privacy are preserved.)<br>></blockquote><div><br>... <br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
> No, they are not asked to confirm that the snoop request is legitimate, only<br>> that it's plausibly so. Much lower barrier. Again, the game is to make<br>> snooping public, not to stop it.<br><br>You're drawing a pretty fine line trying to separate the two. The only
<br>reason they would think it is not "plausible" that John is asking for<br>a confirmation of himself (essentially) is if Jane (the person being<br>asked for confirmation) has some reason to explicitly doubt that John
<br>isn't asking. Either by asking him outright, knowing that he is not at<br>his computer, or similar absolute means. Otherwise, being asked to<br>confirm that she has John's key could be done by any number of people,
<br>and if her gauge is "it is plausible that he might be doing this" is a<br>vague guideline.</blockquote><div><br>Yes. So she essentially always says "yes". But next time she sees John, she (or someone else who happened to notice the unobtrusive announcement) says, "so how did you lose your laptop, tell me the story" and if he says "huh?" people start to suspect things.
<br><br>With a million laptops per country, there's a big difference between "they can get your data whenever they want to, and you'll never know" and "they can get your data 99.9% of whenever they want to, but even if they do, there's a 5% chance you'll find out".
<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">> > > Obviously, a committed big-brother could still twist two kids' arms and
<br>> convince the rest to ignore the message. But that doesn't scale well to<br>> stealing EVERYONE's data and mining it, which is the real threat.<br>> ><br>> > But they wouldn't need to get everyone. The handful of kids they
<br>> > choose to strong arm (or coerce or 'borrow' the laptops of, or analyze<br>> > while repairing, or, or, or...) would be--using your system--carrying<br>> > 1/2 of another person's key. Several halves, in fact. Get a large
<br>> > enough sample, then you are getting the private keys of children that<br>> > they didn't directly interact with. Would this be easy for a million<br>> > kids at once? Probably not. But at that point, you are also assuming a
<br>> > great number of things about your government, like that they didn't<br>> > install keyloggers on the XOs before shipping them out or during<br>> > repair.<br>><br>> Yes, true, a committed evildoer with the key-copies from 60% of the laptops
<br>> would be able to snoop on 1-((1-0.60)cubed) = 93.6% of the files on average.<br>> With 90%, they'd get 99.9%. Still, that is a lot of work to just get to<br>> EXACTLY where they would be from the start in your scenario. Also, remember
<br>> that if any kid puts a password on their laptop, the stolen-during-repair<br>> scenario should be preventable (assuming that there is a way to put it in<br>> unlocked "repair mode" which only protects the securest data like keys).
<br>><br>> Also, Bitfrost prevents keyloggers.<br><br>This should be clarified: Bitfrost *does not* stop keyloggers. And<br>this is important. Bitfrost *explicitly* makes it possible (though, it<br>is an abuse of the authority on the deepest level) for OLPC or the
<br>country to install software that can bypass security restrictions.<br>Keyloggers included. This can either work inside of Bitfrost or simply<br>ignore it entirely. Both the country and OLPC are able to sign binary<br>
patches that are installed on the machine. Kernel modules, X11, Sugar,<br>DBus, the firmware. You name it. Heck, they could even install a<br>hardware keylogger.<br><br>If they touch it, they own it. If they can install software on it,
<br>they own it. If they can convince you to install software on it, they<br>own it. [1] (Ironic that it is a microsoft site, I know)</blockquote><div><br>OK, granted. But here I live in Guatemala - a pretty run-of-the-mill 3rd world country. Not as well-run as Mexico (or another 20 like it) but much better-off than Haiti or most of Africa. Genocide in the living memory of many people I know, a government you can't trust, the policeman is NOT your friend, but no ongoing conflict. And I'm pretty sure that the government couldn't get it together enough to install special snooping software if they wanted, and 100% sure they couldn't do it without getting caught. And the more capacity to create such snoopers a country has, the more savvy its citizens are about catching it. Even in, say, Colombia, with plenty of motive and help from super CIA advisors, the chances of getting caught would be more than half. And so fine: they'd tough it out, say "the war on the narcos is more important than your privacy", and people might accept that. But at least they'd have the conversation.
<br><br>That "10 laws of security" site you pointed me to is essentially saying that one serious security flaw is enough to undermine all the rest. That's true collectively, too. Technical security can be undermined by human insecurity - and human security can be undermined by technical insecurity. You're essentially saying that the human failures mean it's not worth trying technically. I'm saying it's important to give security a chance - if you store the whole key on the same disk as the encrypted file, you're selling out the society without giving it a chance. Individual security will never be 100%, but collectively speaking incremental improvements can make night-and-day differences in "herd immunity".
<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">I think the realm we are getting into with this is missing the forest<br>through the trees. We are trying to find a way to make it difficult
<br>for The Man to get away with snooping. Yes, you said you didn't mean<br>to stop it, just to make it public, but the goal of making it public<br>is that the community will exercise social pressure to stop the spying
<br>(or to actively engage in communication outside the band of<br>compromise). The ends, I would argue, are the same. Either by<br>technical or social means, our discussion has been trying to<br>essentially stop a specific case of Bad Things from ever happening.
<br>This is entirely possible (ignoring the at gunpoint extreme cases),<br>but not without making the user take on an additional responsibility.</blockquote><div><br>A small one. Actually, 3 small ones. 1) The need to somehow get 1 out of 3 specific peers to respond "yes" in order to restore your data after your laptop is totalled, or you lose 1 person's data. (Remember, most people today don't even have good backups, and their laptops are far more breakable and stealable than these ones are). 2) There should be some finite chance that a given person would notice an illegitimate request - say, 1 in 100 - and then some finite chance that they'd raise a fuss about it - again, say 1%. 3) There should be some finite chance that a given person would notice BIOS or OS tampering on their laptop, say 1 in 10,000.
<br></div><br>...<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br><br>As mentioned above you are trusting that the users probed for<br>
information are aware enough to know that they are being probed and<br>not benignly misguided, outright tricked or otherwise worked around.<br>This is part of the limitation of not relying on the XO owner for a<br>token (password/passphrase, etc).
</blockquote><div><br>Most will not be aware. It only takes a few - and it only takes a possibility to make the snooper think twice.<br><br>3. Second level of backups - regional or peer-to-peer with the servers?<br></div>
<br>I think we're talking across each other. My point is: <br>A: a regional backup is only good for restoring the school server, because you can't rely on the local internet connection at the moment the kid wants their old data. There is no file that's you want to throw away locally that's still worth keeping regionally (after all, you have at least 3-5 gigs per kid at the local level, that's plenty.
<br>B: This process introduces a whole new level of risks of snooping.<br><br>Thinking about it more, I actually agree - a regional/countrywide backup center may be better than a peer-to-peer scheme, especially if they can deliver a replacement server already cloned from the backup and ready to boot. Yet it is really hard to introduce real security at this level. Even if the server data is encrypted to a password, many passwords will be weak, and many server admins will happily share them with the regional boss, so that's next-to-useless. And if it IS strong, there are a million ways to lose it or forget it, so it's more of a hassle.
<br><br>This only makes it all the more urgent to do the security right from step 1. I understand my scheme's not perfect, but it is much better than nothing. I think the extra hassles it introduces are minor, when you consider that without it the kids have NO SUBSTANTIAL PROTECTION WHATSOEVER versus snooping. Of course, the government is always the main risk - but even a hacker will find the keys if they're always under the same pot next to every door.
<br><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>--<br>Michael Burns * Intern<br> One Laptop Per Child<br></blockquote></div><br>
Cheers,<br>Jameson Quinn<br>