[Server-devel] [Sugar-devel] Schoolserver security

Anna aschoolf at gmail.com
Tue Jul 6 16:56:01 EDT 2010 

On Tue, Jul 6, 2010 at 12:09 PM, Martin Langhoff
<martin.langhoff at gmail.com>wrote:

> On Sat, Jul 3, 2010 at 8:09 AM, Bernie Innocenti <bernie at codewiz.org>
> wrote:
> > El Thu, 01-07-2010 a las 20:55 -0600, Daniel Drake escribió:
> >> Child connects to a network, perhaps just to go online outside of
> >> school. The network has an XS. The laptop registers. The journal is
> >> backed up to the server.
> >
> > Ok, this is a serious security issue.
>
> Ho hum. Remove the "serious" and I'll agree. Low pri at the moment.
>

I definitely agree, while possible in theory, this is not really plausible.
A malicious person would have to set up and configure an XS, complete with
networking, then get the whole contraption in range of children so they can
register?  Unlikely scenario for multiple reasons:

1.  Setting up an XS is beyond the skills of the vast majority of people,
even the most committed weirdoes
2.  The XS and its AP would have to be within physical proximity of target
children.  Unless you live next door to a school or playground populated
with XO users, you're going to call attention to yourself if you set up a
generator in the school parking lot and plug up a bunch of equipment.
3.  The XOs will not only have not registered to a legitimate XS, but the
children will go on to register to a "rogue" XS?  In my experience, most
(though not all) children don't select the "Register this XO" option unless
explicitly told to.

I addressed a similar issue in concerns about the XS and the school
networks.  While technically a creep could sit in the parking lot with an XO
or Sugar emulator, connect to the school's wifi and the XS jabber server and
chat with kids, really the bigger issue is that there's a creep loitering
around a school.  There are already mechanisms in place (school security and
police officers) to deter that.

Just because something is "technically" possible, doesn't mean it's even
close to likely.  It's possible kids might get struck by lightning, but we
still let them go outside.

Anna Schoolfield
Birmingham
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.laptop.org/pipermail/server-devel/attachments/20100706/27202268/attachment.htm

More information about the Server-devel mailing list