Forgot your password?
typodupeerror

Security and the $100 Laptop 144

Posted by timothy
from the what-about-the-single-girl dept.
gondaba writes "The One Laptop Per Child project is actively recruiting hackers to help crack the security model of the $100 laptop to avoid the obvious risks associated with what will effectively be the largest computing monoculture in history. From the article: 'The key design goal, Krstic explained, is to avoid irreversible damage to the machines. The laptops will force applications to run in a "walled garden" that isolates files from certain sensitive locations like the kernel. "If we discover vulnerabilities, the security model must hold up enough that even a machine that is unpatched won't be easily exploitable. This gives us a bit of diversity to avoid the monoculture trap," he added.'"
This discussion has been archived. No new comments can be posted.

Security and the $100 Laptop

Comments Filter:
  • Well, other than to build a zombie network I guess- but I can't imagine anybody being interested in some Libyan child's schoolwork.
  • Onepage 'Printable' (Score:1, Informative)

    by Anonymous Coward
  • by Penguinisto (415985) on Thursday October 12, 2006 @02:11PM (#16411359) Journal
    If they pull off 100 million laptops, Microsoft can no longer claim dominance in the desktop...

    Good Lord! The chairs are a'gonna fly in Redmond once this gets out!

    (props for the security testing, though :) )

    /P

    • ...but y'all know what I mean.

      /P

    • If they pull off 100 million laptops, Microsoft can no longer claim dominance in the desktop...


      sure they can. Just not on the laptop.

      Though certainly a hundred million low-end Linux machines in use might change a lot in the marketplace, both as a source and a market for new software.
      • by le0p (932717) *
        Not the best market when the people involved have no money. However, I don't doubt that the OSS community might reap some benefit from it.
        • Not the best market when the people involved have no money.


          The people involved don't mostly have no money. They certainly will tend to have very little money by Western standards, but then (especially if its not retail boxes), software often has a very low marginal cost to deliver, so there may still be value in reaching such a market.
          • Particularly in a decade or so when all of those now-empowered youths learn enough English to take in http://www.paulgraham.com/ [paulgraham.com]
            Suddenly, Western civilization is flattened by a limitless swarm of Lisp-powered shopping carts.
            Not even OPEC will survive OLPC.
            Fear.
        • by russ1337 (938915)
          >> "Not the best market when the people involved have no money. However, I don't doubt that the OSS community might reap some benefit from it."

          Exactly. I compare this to the Soviet Russia where they didn't have the supercomputing power of the USA, but with a pencil and advanced mathematics used their brain power to develop the principles of stealth, and a few other fringe technologies.

          With 100 million laptops out there, chances are someone with one of these laptops is going to develop somethi
    • by Sycraft-fu (314770) on Thursday October 12, 2006 @02:20PM (#16411473)
      Not for MS but for MS's competitors. Can't really claim MS is a monopoly anymore if there's 100 million systems running a non-MS OS. That means that they are free to do as they please, for the most part, when it comes to locking people out of their OS. Most anti-competitiveness statues only affect monopolies. Companies that face competition are generally allowed to be as anti-competitive as they like.
      • Good point - this opens up a lot of dynamics.

        OTOH, Most OLPC units will likely be going to developing nations, which means that as far as US and EU jurisdiction is concerned, MSFT may still have to behave itself (well, relatively so).

        They may also be cozy in the knowledge that in the money end of the market (or, the parts of the market where the majority of money can be made), they'll likely remain and retain dominance for awhile longer.

        Long-term? Once/If said developing nations get along far enough t

      • by LetterRip (30937)
        "Not for MS but for MS's competitors. Can't really claim MS is a monopoly anymore if there's 100 million systems running a non-MS OS."

        A monopoly is defined based on a per country basis not a global basis. AT&T was a monopoly only in the US, Standard Oil was a monopoly only in the US.

        LetterRip
      • Not for MS but for MS's competitors. Can't really claim MS is a monopoly anymore if there's 100 million systems running a non-MS OS.

        100 million machines in developing countries running a non-MS OS won't, in and of themselves, change anything about whether or not Microsoft has a monopoly on some market in interstate commerce in the US. Likewise, I'd image they won't directly affect whether it has a monopoly under the terms relevant in EU law, either.

        OTOH, it make Microsoft safer from anti-trust actions in Th

      • by RAMMS+EIN (578166)
        You're saying it's actually in MS's competitors' interest to have MS stay a monopoly?

        That's it. I'm moving to a psychiatric ward.
        • Re: (Score:3, Insightful)

          by kthejoker (931838)
          That depends on how you define competitors.

          If you mean competitors among OSes (ie Apple and Red Hat), then no, it's not.

          But their competitors in other fields - antivirus (McAffee, Symantec, Norton), accounting (Quicken), PDF and presentation tools (Adobe) - greatly benefit from the limitations placed on Windows by antitrust settlements. Since Microsoft can't use their OS monopoly to further other monopolies, they have to compete on a much more level playing field with others to sell their software. So to th
          • But their competitors in other fields - antivirus (McAffee, Symantec, Norton), accounting (Quicken), PDF and presentation tools (Adobe) - greatly benefit from the limitations placed on Windows by antitrust settlements.

            Only because Microsoft actually is a monopoly in certain existing fields (primarily, the desktop OS market.)

            Since Microsoft can't use their OS monopoly to further other monopolies, they have to compete on a much more level playing field with others to sell their software. So to those companie

      • by evilviper (135110)
        Can't really claim MS is a monopoly anymore if there's 100 million systems running a non-MS OS.

        What OS I use on my cell phone doesn't change the fact that Microsoft has a monopoly on desktop PCs.

        These laptops are PDAs by any measure, and are only competing with WinCE (not Windows) where Microsoft doesn't have a monopoly.
      • Can't really claim MS is a monopoly anymore if there's 100 million systems running a non-MS OS.

        Why not? Monopolies are defined by markets, not products. Mac OS X, for example, is not in the same market as Windows because Apple does not sell it to computer manufacturers, like Sony or Dell who are the main customers for Microsoft. The fact that the largest "competitor" is a nonprofit scheme that bypasses the traditional markets and is produced collaboratively by those who would normally buy such a computer

    • Re: (Score:3, Funny)

      by muellerr1 (868578)
      (props for the security testing, though :) )

      Sure, but they're going about it all wrong. Everyone knows that the way you ensure secure computers is to make a proprietary OS and don't tell anyone where your buffer overflows are.
    • ... has never lived in the third world. The $100 laptop is an attempt to fit a geek-driven square peg into a round hole. I'm a geek, but I also lived in rural Africa for 30 years and can speak two African languages (bit rusty now having been away for a few years). The geek in me would like to be able to apply my geek-knowledge in a way that can help, but in reality appropriate technology is far better suited to these situations.

      How exactly is a $100 PC going to improve the lives of third-worlder? Most third

      • "How exactly is a $100 PC going to improve the lives of third-worlder?"

        While I agree that there are lots of things that $100US can be spent on, consider:

        • a laptop donated (as opposed to individually bought, as I assume you're assuming) can hold numerous school textbooks. That alone increases its value immeasurably (and precludes most of the need for pencils, paper, etc) Saves money on having to buy multiple textbooks at the same time.
        • said laptop can also contain basic curricula that a nearby (and litera
        • by NtroP (649992)
          I was raised in a 3rd-world country, in the middle of (what Americans would call) a jungle. One use I haven't heard of before, but can see as a practical use for this is lighting. Yeah, it sounds stupid, but a "wind-up" device that cast even modest light into a darkened hut is a real boon. I don't know how bright the screens are, but I'd imagine, with a white background the laptop could provide a decent amount of illumination.
          • Seems like, if that's going to be one of the major uses of these laptops -- and in some ways I could see how lighting would be way more useful than a computer, to people living in an environment like that -- maybe we could save a lot of money by making a wind-up luminescent panel, like those quarter-watt green-glow nightlights that you can buy.

            I sure hope that the OLPC people did research into their target market and didn't just begin with the assumption that "every child wants/needs/could use a laptop," be
  • by celardore (844933) *
    The first line of the article is "If the plan is perfectly executed".

    That's quite a big IF. Out of the millions of plans ever executed, how many are done perfectly? I hope they're not basing everything with the hope that it will go perfectly.
  • Biggest Monoculture (Score:4, Informative)

    by Doc Ruby (173196) on Thursday October 12, 2006 @02:14PM (#16411405) Homepage Journal
    The many millions of SymbianOS [wikipedia.org] mobile "phones" is the largest computing monoculture in the world. Much more essential for the world's daily operation than these cool kids' PCs, and tied directly to the wallets, by the minute, of most people with any money.
    • That was my first thought: this OLPC is going to be bigger than Windows or cell phones? Pretty major hubris for an outfit that hasn't even started shipping in quantity yet!
    • I believe TRON [wikipedia.org] has been in millions of machines longer than Symbian. It most likely runs more devices as the project specifically targets more kinds of devices.
      • by Rogerborg (306625)
        TRON (all the various flavours) are specifications, not implementations, and they're not followed consistently. It's hard enough writing apps for specific fooTRON devices, let alone an exploit that would effect more than a small subset of them.
      • by British (51765)
        I believe TRON [wikipedia.org] has been in millions of machines longer than Symbian.

        Does it come on a frisbee? Are there problems from attacks on the MCP?
    • Re: (Score:3, Informative)

      by Bender0x7D1 (536254)
      You missed the point that it is identical software AND hardware.

      Sure, there are more installs of Windows XP, but they aren't all running on the exact same hardware. Same goes for SymbianOS.

      Also, these laptop don't assume that someone is attached to a high-speed network where they can download patches every few weeks. If someone hacks your phone, or a vulnerability in Windows is found, they push a patch out - OLPC wants these to be secure from day 1. (Or at least as secure as possible.)
      • by Doc Ruby (173196)
        I don't think HW differences matter much in the vulnerability of the Windows monoculture, excluding the tiny percentage of Windows running on non-Intel chips. Viruses aren't specific to the HW, they depend on the SW. The same is probably true of the Symbian phones.

        The disconnectedness from a "high speed network" also protects these OLPCs from infection as much as from patches, so that's probably a breakeven.

        But I didn't argue whether the OLPC monoculture is less vulnerable than the Symbian monoculture. Just
  • by Anonymous Coward
    Theo start your hex-editor and show them that it is no good idea to include
    closed components.
    • That was my first thought. If you want the system to be secure, step #1 is to ensure that there is no proprietary binary-only firmware that you can't check for bugs and that people can't fix and redistribute themselves.
      • Re: (Score:2, Informative)

        by EPAstor (933084)
        This issue is being worked on. As I understand it, the closed wireless firmware is planned to be completely replaced in the next revision of the laptop.
      • by LWATCDR (28044)
        Execpt that I doubt you can find any PC or server on the planet with all open firmware.
        If they use a single FPGA that isn't open sourced or a the processor uses microcode it has closed source firmware... Which means all of them.
    • by LWATCDR (28044)
      Actually it shouldn't be a problem. To hack the firmware blob on the drive you must have root. If you have root then game over anyway. Even if they did hack the binary on the drive there is a good chance that it might not load. I am guessing Mavell signs the blob. The FOSS driver should check the blob before it loads it. If you hack the firmware while it is running on the adaptor then the exploit will only last until the good firmware blog is reloaded for the drive. It would be a transitory hack at best. If
  • If they're going to find and fix exploits with the OS on these machines, then I hope they share this with the rest of the open source community, considering that these machines are running Linux.
  • by xzvf (924443) on Thursday October 12, 2006 @02:20PM (#16411483)
    Run each application in it's own virtual machine. Xen has a low enough overhead and is clean code. Browser compromised - reload from know good source.
    • Re: (Score:2, Insightful)

      by swarsron (612788)
      To do this you would need a shitload of RAM. I somehow doubt that that's an option for a machine ~100$
    • You could also boot the OS from a read only partition, like it was booting off of a live CD, and have a read/write partition for data and temp files. If something happened, an option at bootup could be for a clean bootup, bypassing any changes made to the OS that were stored in the second partition. Of course, patching and upgrading on a read only system would get a little tricky...but you guys should be able to come up with some solution to that.

      Transporter_ii
    • Run each application in it's own virtual machine. Xen has a low enough overhead and is clean code.

      I think the CPU and RAM requirements for running more than one or two programs at once would really add up on such a meager system. A jail that basically uses an ACL to separate the program, ala FreeBSD or SE Linux would have a similar amount of benefit, using fewer resources.

    • by NSIM (953498)
      Run each application in it's own virtual machine. Xen has a low enough overhead and is clean code. Browser compromised - reload from know good source.
      Are you fscking crazy, the whole design of the OLPC is about using the bare minimum to get the job done, very low-end CPU, tiny amount of memory, minimal storage etc And you want to load this thing up with a boatload of VM images that suck CPU, memory etc!
    • by RAMMS+EIN (578166) on Thursday October 12, 2006 @02:43PM (#16411821) Homepage Journal
      How are virtual machines going to help here? What protection do virtual machines grant that the operating itself doesn't grant? What undesireable restrictions do virtual machines impose? If you work around these restrictions, will the system be more or less secure than without virtual machines? If you don't work around these restrictions, will the system be usable?

      As far as I'm concerned, running applications should already be separated from one another. This leaves interaction through the file system and IPC (inter-process communication).

      Virtual machines take away the interaction through the filesystem, as well as local IPC. The latter doesn't actually necessarily make the system more secure, as it makes it more difficult to tell if IPC is safe (on the virtual network) or open to attacks (on the real network). At any rate, IPC will be less efficient, because you lose shared memory IPC.

      By taking away common filesystem access and complicating IPC, applications become less usable. How do you get the file Alice sent you by email to your word processor? How do you copy-paste from one application to another? How do you do process management, when the process management tools are made for a single machine, but you have everything runnig under virtual machines?

      Once you work around these restrictions, what will you be left with? Are you going to re-introduce common filesystem access and create a drag-and-drop interface that works accross virtual machines? When you've done so, won't you have a system that has pretty much the same capabilities as one that isn't based on loads of virtual machines, except that your system is much more complex? Won't that complexity introduce new bugs and vulnerabilities? Will the system not be too slow to be usable?
      • Re: (Score:3, Insightful)

        How are virtual machines going to help here? What protection do virtual machines grant that the operating itself doesn't grant?

        Most operating systems, including most Linux systems do not have strict access controls on an application level. Using a VM is one way to use existing tools to add much of that functionality to an OS not designed for it. I actually think VMs are going to be used more for this purpose in the future, since it also mitigates some of the cross-platform issues.

        The problem can also be

    • by DrSkwid (118965)
      because two vectors are better than one !
  • by Funkcikle (630170) on Thursday October 12, 2006 @02:23PM (#16411515)
    After they solve this dimension of the security issue, they can deal with a slightly more important one - securing the laptops against theft.

    DEAREST SIR MY NAME IS BARRISTER MUMBAGWE SMYTHE AND I WRITE TO YOU IN GRAVE NEED FOR ASSIST. RECENTLY MY GOVERNMENT UNCLE DIED AND LEFT ME MANY MILLION LAPTOP WHICH MUST BE EXITED FROM COUNTRY.

    I predict more dead third world children! Oh yes. Still, it makes a nice change from diamonds/oil/etc....instead there shall be many a colourful laptop for sale on eBay, due to demand created by Linux fetishists.

    If only they had used OS X - then there would be no desire for such hideous laptops by those OS fans. Sniffle.
  • Why not just do what corporate America does and lock the machines down administratively and then make all of the applications web based? Google just paired documents and spreadsheets in a browser. Keep nothing on the machine except a browser and gimp for those aspiring designers :)

    Sure, the ingenious kid will swap out the hard drive or hack root/registry/whatever, but that's pretty much expected. If they're worried about hardware hacking, just include those recalled Sony batteries and put in a secret hea
    • Why not just do what corporate America does and lock the machines down administratively and then make all of the applications web based?

      Because a lot of them won't have Web access a significant portion of the time.

  • It has "a completely secure BIOS solution that allows fully automatic upgrades without user intervention"...

    Does anyone else see the potential to change the routing table of the ISP, to a private network that updates the "completely secure bios" to something else?

    Hack from the outside in...
    • You digitally sign the update and the client machine checks the signature against an authority. So it adds an extra check - they'd have to compromise the update server and an authority too. Nothings foolproof and it just hs to be cracked once for total failure (as the crack can be easily disseminated over fast mediums such as the Internet). But two (or three, etc.) independent layers of security is pretty good protection.
  • Sounds like that need Novell's AppAmor software. It is an application-level firewall. You could take firefox and make a firewall around it so it can't do anything that you don't want it to (remote code execution, blah blah). Interestingly as well, you can wrap up apache with it to prevent web server hacks and whatnot. Not sure if you can put it around the kernel to prevent rootkits from installing, but if you cover your points of entrance (browser, e-mail, file sharing, etc) you should be pretty well co
  • Very simple to figure out how to hack these machines. Put Joe User on the system and in five minutes, I guarantee you the home page will be set to a pr0n site and the next thing you know, all his bases are belong to us.

  • by Anonymous Coward
    I agree that security is important. That part makes sense. But the line about " the largest computing monoculture in history". Wow. Drink that coolaid! Leave it to the boys at MIT.
  • by jo42 (227475)
    100 million laptops discovering goatse at the same time...
  • ``The One Laptop Per Child project is actively recruiting hackers to help crack the security model of the $100 laptop''

    Isn't the consensus among the security community that such ideas are mostly theater, and it's much more effective to actually employ hackers to _create_ the security?
    • You might have to actually pay security experts. Inviting crackers to attack systems is much cheaper, even though they will mostly be incompetent.
    • by xappax (876447)
      You've gotta do both. Get a skilled group of security-minded developers to design the code, and then get a seperate group of wily hackers to try to poke holes in it.
  • They should use SELinux extensions. Have targeted policies for the web browser and email client at a minimum.

    Virutal machines will not work, the system is too underpowered for it.
  • by Rogerborg (306625) on Thursday October 12, 2006 @03:11PM (#16412185) Homepage
    > "The machine, he said, will feature a completely secure BIOS solution that allows fully automatic upgrades without user intervention and fully protects against phishing and automated worm attacks."

    Also, it whitens your teeth while you sleep, and autodials Alyson Hannigan whenever she's feeling lonely and horny. All for $100!

  • I don't mean to be a Johnny-Come-Lately, but isn't there other ways to improve a civilization/country/etc without computers? Why is that when Linux is mentioned, it's like being touched by the Hand of God (or Allah for that matter) ?
    • Re: (Score:3, Informative)

      by geekoid (135745)
      no.

      Giving people tools so they can help themselves is the best thing you can do. This, like all comuters, is just a tool.
      Making someone dependent on hand outs is not the solution.

    • by 99BottlesOfBeerInMyF (813746) on Thursday October 12, 2006 @04:04PM (#16412955)

      I don't mean to be a Johnny-Come-Lately, but isn't there other ways to improve a civilization/country/etc without computers?

      Sure there are. But just because there are other ways does not make this method any less beneficial.

      Why is that when Linux is mentioned, it's like being touched by the Hand of God (or Allah for that matter) ?

      Most things we can give or subsidize the cost of for developing nations have negative consequences. Giving them food, destroys the local market and kills their agricultural sector. Giving them GM crops that grow faster and better makes them dependent upon the companies who own the patent on that crop and who can later demand fees for its use. Giving them cheap Windows based PCs, may help in the short term, but it makes them dependent upon IP from an abusive foreign monopoly in the long term.

      Linux is a win-win situation because by nature it ships with all the blueprints and tools needed with the only strings being used to stop it from being exploited in ways that hurt the end user. It gives them access to technology and information and provides a secure foundation for them to build upon without undercutting any local development. Rather, it encourages local development.

      Imagine if instead of shipping food to African nations at below the market value, we shipped them a complete chain of tools and machinery needed to build from the ground up the entire industrial foundation for agricultural equipment and fertilizers. Basically, we gave them the whole setup of factories and education and patents we have. Then they would not be dependent upon us and could grow their own food the same way we do.

      To do that would be prohibitively expensive for agriculture, but for software development, Linux is that complete chain, with no strings attached. That is why it is so well regarded by those interested in helping developing nations.

  • Just key thread the crank.
  • Can someone insightful please explain timothy's choice of dept for this summary. No idea what he meant.
  • "...what will effectively be the largest computing monoculture in history..."

    Okay, this is a really silly statement to make. It's like how Microsoft likes to say how Vista will be the most secure operating system it's ever released.

    YOU CAN'T MAKE STATEMENTS LIKE THIS AHEAD OF TIME! You have no idea what will happen in the future. As Steve Gibson likes to point out, Microsoft said (prior to launch) that XP would be the most secure version of Windows ever released - and look how THAT went.

    For all we know, the
  • Recruiting Hackers (Score:3, Insightful)

    by trongey (21550) on Thursday October 12, 2006 @03:27PM (#16412437) Homepage
    Taken in context I would presume that they're referring to hackers in the negative sense. This is not a group that's known for being champions of safe computing.

    So let's see:
    1) l33t h4xx04z finds a nifty security hole.
    2) l33t h4xx04z determines that he could use this hole to create 100 million zombies.
    3) Decision - a) report the hole so that it can be fixed OR b) start working on exploit to create 100 million marketable zombies
    4) PROFIT.
    • by geekoid (135745)
      1)150 hackers find hole.
      2)149 report it.
      3)no profit :(
  • by Anonymous Coward
    1f j00 seND mEh 4 k0upLE, 1'LL 7rY H4cK1N' 7HeM.

    N0, i 4I'n7 N0 d4mN scRIP7 KI77Y EI7HEr - I'M 4 L337 h4x0r

    8I9 D09

    COTDC Member #78215

    W0Rd 70 j00R M0m

"But this one goes to eleven." -- Nigel Tufnel

Working...