One Laptop per Child security

Steven M. Bellovin smb at cs.columbia.edu
Wed Feb 7 21:26:41 EST 2007


On Wed, 7 Feb 2007 15:04:40 -0800
"Saqib Ali" <docbook.xml at gmail.com> wrote:

> And here is the wired coverage of the BitFrost platform:
> 
> http://www.wired.com/news/technology/0,72669-0.html?tw=wn_culture_1
> 
> From the article:
> But it should come as no surprise -- given how thoroughly the project
> has rewritten the conventions of what a laptop should be -- that the
> OLPC's security isn't built on firewalls and anti-virus software.
> 
> Instead, the XO will premiere a security system that takes a radical
> approach to computer protection. For starters, it does away with the
> ubiquitous security prompts so familiar to users of Windows and
> anti-virus software, said Ivan Krstic, a young security guru on break
> from Harvard, who's in charge of security for the XO.
> 
> "How can you expect a 6-year old to make a sensible decision when
> 40-year olds can't?" Krstic asked, in a session at the 2007 RSA
> Conference. Those boxes simply train users to check "yes," he argued.
> 
> Krstic's system, known as the BitFrost platform....Read more at:
> http://www.wired.com/news/technology/0,72669-0.html?tw=wn_culture_1
> 
We're digressing to general security topics here, but I'll take a
chance that our moderator will allow this through -- I do mention
"crypto"...

That firewalls should be omitted is no surprise.  A firewall is a
device for centralized policy enforcement; it's useful when policy to
the "outside" -- whatever that is -- is different than policy for the
"inside".  If you don't have a well-defined "inside" and "outside",
they're not very useful.  However, their primary benefit comes from
keeping the bad guys away from buggy code.  That problem, I predict,
will afflict this project as well -- just because a service uses
cryptographic authentication doesn't make it immune to bugs, including
bugs before the crypto authentication has succeeded.  Even if the
crypto authentication succeeds, all it means is that some process on
the other machine has access to the credentials; it says nothing about
whether or not the human in front of that machine wants to connect.

The AV decision is more problematic.  While a good security model can
prevent system files from being overwritten, most worms use purely
user-level abilities.  It would take a fairly radical OS design to
prevent a user-level worm from spreading.  (Thought experiment: explain
what OS facilities would have prevented the 1988 Internet worm from
succeeding. My conclusion, way back when, that nothing in, say, the
Orange Book would have stopped it was a major step in my evolution as a
security researcher.  It can be done, I suspect, but only by very
stringent restrictions on application privileges.  Have you designed
such restrictions?  Now assume it's a dual-mode worm, that attacks web
servers and web browsers.)



		--Steve Bellovin, http://www.cs.columbia.edu/~smb
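To make the point about bugs reachable "before the crypto authentication has succeeded" concrete, here is an added Python example; it is not code from the original message, from OLPC, or from Bitfrost. It builds a toy length-prefixed, HMAC-SHA256-authenticated request frame and handles it two ways: a naive handler that parses the payload and only then checks the tag, so any unauthenticated sender can drive the parser into an error path, and a hardened handler that bounds-checks the frame and verifies the tag over the raw bytes before a single byte reaches the parser. The key, the frame layout, the `user=...;ttl=...` record format, and the `MAX_PAYLOAD` bound are all constructed assumptions for the demonstration.

```python
"""Constructed demo: attacker-controlled bytes reaching a parser before
authentication, versus verifying the envelope first."""
import hashlib
import hmac
import struct

TAG_LEN = 32                    # HMAC-SHA256 digest length
KEY = b"constructed-demo-key"   # assumption: a pre-shared key, not from any real system
MAX_PAYLOAD = 4096              # assumption: the server's own payload size bound


def build_request(key: bytes, payload: bytes) -> bytes:
    """Frame: 4-byte big-endian length || payload || HMAC-SHA256(key, length || payload)."""
    body = struct.pack(">I", len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def parse_record(payload: bytes) -> dict:
    """Application-level parser for the constructed 'user=<name>;ttl=<int>' format."""
    fields = dict(item.split("=", 1) for item in payload.decode("utf-8").split(";"))
    return {"user": fields["user"], "ttl": int(fields["ttl"])}


def handle_naive(key: bytes, msg: bytes) -> tuple:
    """Parse first, verify later: every bug in parse_record is reachable without the key."""
    try:
        (n,) = struct.unpack(">I", msg[:4])
        record = parse_record(msg[4:4 + n])      # unauthenticated bytes hit the parser here
        tag = msg[4 + n:4 + n + TAG_LEN]
        expected = hmac.new(key, msg[:4 + n], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return ("rejected", "bad-mac")
        return ("accepted", record)
    except Exception as exc:                     # the parser failed before any auth check ran
        return ("crashed", type(exc).__name__)


def handle_hardened(key: bytes, msg: bytes) -> tuple:
    """Verify the envelope first; only authenticated bytes ever reach the parser."""
    if len(msg) < 4 + TAG_LEN:
        return ("rejected", "short")
    (n,) = struct.unpack(">I", msg[:4])
    if n > MAX_PAYLOAD or len(msg) != 4 + n + TAG_LEN:
        return ("rejected", "bad-length")        # declared length is checked before it is trusted
    body, tag = msg[:4 + n], msg[4 + n:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return ("rejected", "bad-mac")           # constant-time compare, then and only then parse
    try:
        return ("accepted", parse_record(body[4:]))
    except (ValueError, KeyError) as exc:        # UnicodeDecodeError is a ValueError
        return ("rejected", "malformed-" + type(exc).__name__)


# Constructed inputs: one honest request and two from a sender who does not hold the key.
GOOD = build_request(KEY, b"user=alice;ttl=30")
# Declared length 3, payload 'a=b' (no 'user' field), all-zero tag -> KeyError in the parser.
ATTACK_PARSER = struct.pack(">I", 3) + b"a=b" + b"\x00" * TAG_LEN
# Declared length 2, payload that is not valid UTF-8, all-zero tag -> UnicodeDecodeError.
ATTACK_UTF8 = struct.pack(">I", 2) + b"\xff\xfe" + b"\x00" * TAG_LEN
# Declared length far beyond the bound, which the hardened handler refuses before allocating.
ATTACK_LENGTH = struct.pack(">I", 2**31) + b"xx" + b"\x00" * TAG_LEN

if __name__ == "__main__":
    for name, msg in [("GOOD", GOOD), ("ATTACK_PARSER", ATTACK_PARSER),
                      ("ATTACK_UTF8", ATTACK_UTF8), ("ATTACK_LENGTH", ATTACK_LENGTH)]:
        print(name, "naive:", handle_naive(KEY, msg), "hardened:", handle_hardened(KEY, msg))
```

Note that the hardened handler still accepts `build_request(KEY, b"user=worm;ttl=1")` from any process that can read the key, which is the second point above: a successful MAC check proves possession of the credential, not that the person at the other machine intended the request.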

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
