One Laptop per Child security

Nicolas Williams Nicolas.Williams at
Thu Feb 8 16:09:41 EST 2007

On Thu, Feb 08, 2007 at 12:23:40PM -0800, Ivan Krstić wrote:
> Hi Nico,
> Nicolas Williams wrote:
> > If this means pop-up dialogs for every little thing an application wants
> > to do then the result may well be further training users to click 'OK'.
> It really does help to read at least the introduction to the document in
> question before hitting 'reply' to an e-mail :)

The text you quote doesn't answer the question; the rest of the wiki
frontpage says little more.  It tends to make me think that if an
application wants to do something that I've not enabled it to do ahead
of time then it fails.  Failure is incovenient.  So as near as I can
tell from the text you quote BitFrost sets its convenience/security
parameters differently than other OSes, but there's nothing truly Earth
shatteringly new there.  Now, if it's a new OS presumably you start from
scratch in terms of applications, so you get to have usable profiles for
all of them initially, and maybe _that_ is what is truly new.

I'm imagining BitFrost as something like OpenBSD's systrace facility + a
small number of well-profiled apps.  If this is a good analogy, please
confirm it.  If it isn't and there is another similarly simple analogy,
then tell me what it is -- simple analogies, imprecise though they might
be, can help provide a good starting point to understand something new.

> > As for browsers, you'd have to make sure that every window/tab/frame is
> > treated as a separate application, and even then that probably wouldn't
> > be enough.  Remember, the browser is a sort of operating system itself
> > -- applying policy to it is akin to applying policy to the open-ended
> > set of applications that it runs.
> The browser is an environment, which makes it an edge case. Even so,
> Bitfrost provides guarantees on what happens if you take over the
> browser: it's very hard to violate the user's privacy, you can't harm
> the machine in any way, you can't get unauthorized access to the user's
> documents. From a systems security point of view, that's all I could
> hope for. Security within the browser cannot lie in the scope of the
> spec. (Not to say that I don't care about it, though -- I'm meeting with
> Mozilla's CSO later today to talk about what we can do to make the
> browsing experience more secure.)

In a world where web-based applications are all the applications you
need, this attitude towards the browser leaves BitFrost with a big hole
in it.

I think you have to think of each site as a separate application, and
profile that, if I understood BitFrost correctly.  And that seems


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list