Schneier on Security
A blog covering security and security technology.
February 14, 2007
"One Laptop per Child" Security System
It's called "Bitfrost," and it's interesting:
We have set out to create a system that is both drastically more secure and provides drastically more usable security than any mainstream system currently on the market. One result of the dedication to usability is that there is only one protection provided by the Bitfrost platform that requires user response, and even then, it's a simple 'yes or no' question understandable even by young children. The remainder of the security is provided behind the scenes. But pushing the envelope on both security and usability is a tall order, and it's important to note that we have neither tried to create, nor do we believe we have created, a "perfectly secure" system. Notions of perfect security in the real world are foolish, and we distance ourselves up front from any such claims.
Read the design principles and design goals. And there's an article on the Wired website, and there's a Slashdot thread.
What they propose to do is radical, and different -- just like the whole One Laptop Per Child program. Definitely worth paying attention to, and supporting if possible.
Posted on February 14, 2007 at 7:04 AM
The Bitfrost concept is radically different from the "security model" promoted by Microsoft for years, the famous one we all know as "believe all by default, then kill processor power with cleaning / detection utilities."
I hope that proprietary software will never be usable on these laptops, so children may learn via better solutions than MS products and associates.
Ivan Krstić, the designer of BitFrost, had interesting email exchanges with the members of the Cryptography mailing list last week. The archived discussion (thread) is available @ http://www.xml-dev.com/lurker/message/...
Lots of good discussion and informative replies from Ivan.
Can't believe you think this is "good", it seems like a third rate dream of an out of work programmer.
And why is this security for children? The whole thing smacks of some UNO-infected brain... or maybe someone trying to submit an SBIR grant for "no child left behind -- without a laptop".
You can't design tomorrow's security with yesterday's technology, in this case yesteryear's.
Bruce, you have to point out the gem in the heap of shxx... I fail to see it.
There is also a discussion including Ivan Krstić on the cap-talk mailing list:
This is good because the "mental shift" that Mr. Krstić started with -- moving from "security by not running bad code" to "security *while* running bad code" is one of the important points of divergence between capability access control theory and mainstream access control theory for the last 30 years.
(Mr. Krstić explicitly credits many of the early capability systems for inspiring his work.)
"You can't design tomorrow's security with yesterday's technology, in this case yesteryear's."
Good point, but our major security problems have nothing to do with technology; they're all about applying technology. I think a fresh approach with existing technology on a completely new platform will result in some surprises.
I think the bigger security issue with these laptops is preventing their parents from selling them on eBay for a quick buck.
I had read the Bitfrost spec, and I was... intrigued... by the fact that any program signed by either OLPC or a governmental body (presumably of the same country the laptop was sold to?) can bypass every protection. Scary.
Now, maybe it was a condition imposed by the countries so they would consider bulk buying, but it sounds too much like a good idea killed by a simple change.
Also, the "school servers" are an obvious point of attack, since subverting one pretty much automatically pwns all laptops it keeps under its wing, so to speak. Are these servers normal PCs? I didn't see anything about these in the spec (though I didn't look at other documents), but there was this statement that they were aware of this and considered it a reasonable tradeoff. Hmmm...
Kind of related to the previous point anyway. A good idea that's got such a back door you wouldn't be able to miss it if you wanted to.
The idea's interesting anyway.
Also, about the reliance on the LEDs for mic/cam: I was wondering if it'd be possible to enable the cam for just one frame every few seconds or so - would the LED have time to "pop on", or would it effectively stay off due to the very short amount of time it was powered on?
Coupled with the "govt can do anything" bypassing scheme, I found this scary.
Though with a dev key, you can rewrite this part of the kernel and/or BIOS. Probably.
Much easier for the govt to keep track of who has a dev key than tens of millions of laptops anyway.
"Information on the laptop will be replicated to some centralized storage place so that the student can recover it in the event that the laptop is lost, stolen or destroyed."
Generally, a nice idea - automated backups. However, the overall design (no passwords, etc.) seems to imply that this information will all be stored in the clear. That means the centralized repository can be regularly scanned by any party with access. Thus, this might not be the best "secure email" platform.
Maybe if they added functionality to allow for encrypted directories (or "drives", à la TrueCrypt), and ensured that the swap partition was always scrambled with a boot-specific randomized key...
I haven't delved into the full spec of the project, so maybe they don't intend to provide this type of data-security. But it seems like they're putting a lot of thought into security in general, to miss this issue.
Of course, maybe their main security concern is that they not be responsible for unleashing hundreds of millions of 'bots on an unsuspecting world. Certainly a valid concern, when the operators are going to be inexperienced and naive children as young as five years old.
"remote control"'s comment is right. The existence of mic and cam in these devices combined with the fact that the owner of the device doesn't have the full control of the machine sound very dangerous.
As I read the article, the machine needs user confirmation EACH time the camera is turned on. So you can't automate repeated snapshots.
@remote_control & aca,
IIRC, OLPC turns on an LED whenever the MIC (and camera?) is activated. By intentional design, this cannot be defeated by software. (Sorry I don't have a reference handy atm.)
From the Bitfrost specification:
> We acknowledge also a panel of reviewers that prefer to stay anonymous, who
> provided insightful comments and feedback on previous drafts of this
I take it then, Bruce, from your lack of disclaimer, that you weren't one of the reviewers.
This project is just another lead balloon.
The business plan of the entire thing is depressingly familiar:
1. Provide governments with another touchy-feely reason to tax their people.
2. Convince bureaucrats to part with some of the loot.
4. Profit. Er, Peace on Earth. Er... Whatever.
"I take it then, Bruce, from your lack of disclaimer, that you weren't one of the reviewers."
I was not.
It's okay; there are lots of smart security people out there.
I wonder whether I just can't read: how on earth does the XO identify the user on startup? Biometrics by the photo? Or something else - what, since no passwords are required? They surely can't assume that the laptop is under lock and key while not in use.
The specification lays out nicely all the nitty-gritty details of how the system can authenticate itself to the outside. I ask you: how do you know that the user running the system that's doing the authentication is authorized to do so?
"IIRC, OLPC turns on an LED whenever the MIC (and camera?) is activated. By intentional design, this cannot be defeated by software."
Yes. That's covered in the Bitfrost spec. It *also* needs confirmation to turn it on each time, and the confirmation is only good for a limited time, and software is only allowed to even ask if at install time it was granted that privilege.
Crypto-signed software may be able to override the software protections if it has a signature saying it can - and the local government can crypto-sign the software to do that - but the LED is supposed to be done in hardware and so the local government would have to make actual hardware modifications in order to be able to turn the laptops into secret listening devices.
As far as the camera / mic go, I've never liked the idea of having one that didn't also have a physical switch that would disable them. It can be that simple.
@Bruce Schneier: "It's okay; there are lots of smart security people out there."
There seem to be at least as many really stupid "security people" out there as well - let's hope they choose wisely ...
Some of the negativity against BitFrost here seems to miss the point. The security system is intended for young children, between the ages of 5 and 10. This security is specifically designed for their needs, not for someone storing tax data.
The authors specifically point out in the specs that the flash does not encrypt, or use any protection to guarantee the authentication of the user. They plan on adding an option for password protection and file-by-file encryption, possibly for the second generation. But most of the users have little need for heroic measures; they mostly need to avoid a worm dumping all the family photos, or their neighbor hacking into their machine and stealing their homework. And anyway, many users won't be able to use any significant password --- they're five or six years old, for God's sake.
If the machine itself is physically compromised by the kid next door, the solution is going to have to be the same for every generation; hit him in the back when he's not looking, and taunt him while he's on the ground crying.
Good security is customized to the needs of the client, not some mythical perfection. The complaints sound to me like a company that decides to protect everything by randomly generated 30 character passwords, fobs and biometrics; then the employees tie the fobs to computers and put the password on a sticky note next to the fob.
Seems like Bitfrost is going to make use of many of the possible features of SELinux. But they aren't talking about that aspect of it.
I think the most heartening thing is that the "One laptop per child" program, which could so easily have degenerated into a mushy "we're doing good in the world, don't bother us with negative stuff..." mess, is taking the issues of usability, security, backups etc. far more seriously than most commercial OS vendors, and, in the process, coming up with what look like good, workable, well thought out solutions.
What's more, they are doing it at the right time, at the beginning of the project, before there are thousands of installed apps.
Most of the MS security problems stem from the lack of security in the original DCOM APIs. While ActiveX and .NET now have excellent security features, it's turned off by default to allow the thousands of legacy applications to run.
The capabilities aspect of it is very similar to process protection in Symbian OS.
You have to remember what the goal of Bitfrost is. It is definitely not an aim to protect your bank account data or income figures. It is mainly against viruses, trojans, spyware etc.
" IIRC, OLPC turns on an LED whenever the MIC (and camera?) is activated. By intentional design, this cannot be defeated by software."
Yes, I did not miss that, and my point was building onto this, actually. I will reiterate:
1 - The user prompt, AFAICT, is *not* performed if the software that tries to enable the mic and/or cam is signed by a "trusted" party (e.g., government).
2 - The LED comes on whenever these are on, leading the spec to say that, therefore, the potential for abuse is low (as the user would presumably notice the LEDs being on and smell a rat).
3 - I will discount all the possibilities that one will not always be sitting with the laptop where one can see the LEDs easily.
4 - My point was the following: I wonder if software signed by the government (which therefore was able to request the permission to use the cam at install time without the user having a say - I am unsure if the user can *remove* that permission without the software being able to forbid such a removal) may turn on the camera (without a user prompt, since it is signed by a "trusted" party) for a very short amount of time (e.g., snapping just one frame) and turn it off again, such that the LED will come on, but for so short a time that unless you are peering it in the eye, you won't notice.
Essentially, my point was about hardware hysteresis. Would an LED actually visibly light up if it was powered for 1/60th of a second, say?
It probably wouldn't work for audio, but for video it would be very much enough for eavesdropping.
If you are worried then email the olpc people and tell them to implement a combined lens cover and physical switch which turns off the camera and microphone. Its use will be totally intuitive (if you can't see the camera lens then it's not working) and all the worries about abuse will be over since no software can turn something on which doesn't have any power due to an interrupted power supply.
My impression from the docs is that the kids will have full control over their system permissions, if they can figure them out -- they'll be able to even rewrite the BIOS.
The government exemption is for permissions. They can set the camera permission on, without requiring any user intervention at installation; they can even set conflicting permissions at installation which would usually require user intervention.
But the camera permission itself requires user intervention every time the camera is activated. Of course, since the govt code can start with all permissions activated, it could do rewriting of the permission system itself -- but that's not limited to the camera.
I don't see a way around that, for an actually functioning program. The administrators of the system are going to need root access on every machine, given that the users are 5-10 years old. If the kids want strong privacy, they're going to have to be smart enough to take it -- it definitely seems built for that.
Children need clean water not computers.
> Essentially, my point was about hardware hysteresis. Would an LED actually visibly light up if it was powered for 1/60th of a second, say?
The technical answer is that it would be too dim to notice, except perhaps at night or in a darkened room, and possibly only via peripheral vision. I'm figuring one shot per sec, so the LED is operating with a 1/60 duty cycle.
However, there may be hardware driving the LED that stretches pulses, to intentionally make it visible regardless of duty cycle.
I haven't seen any circuit schematics, so I'm reserving judgement on whether an observer could actually see the LED illuminate under such circumstances.
Even low-cost LEDs are more than fast enough to switch at such rates. And in peripheral vision, many people can see "flickering" that doesn't appear when looking directly at a light.
If it were an incandescent light, 1/60 sec would be invisible, except maybe to a long-IR camera.
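The two threads above (the install-time grant, the per-activation prompt that stays valid only for a limited time, the signed-bypass path for "trusted" signers, and the question of whether a hardware LED stays visible after a 1/60 s capture) can be put into one small model. The following is an added example, not code from the OLPC project or from any commenter; the 30-second prompt validity, the signer names, the program names and the optional LED pulse-stretch hold time are constructed assumptions, chosen only to make the policy's behaviour observable.

```python
"""Toy model of a Bitfrost-style camera permission policy (constructed example).

Assumed, not from the spec: PROMPT_VALIDITY_S, the signer names, and the
optional LED pulse stretcher (led_min_hold_s) that the last comment speculates
about. The model shows why that stretcher matters for a one-frame capture.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

FRAME_S = 1 / 60.0                      # one frame exposure, as in the comment
PROMPT_VALIDITY_S = 30.0                # assumption: a user 'yes' stays good this long
TRUSTED_SIGNERS = frozenset({"olpc", "government"})  # signers that skip the prompt


@dataclass
class Program:
    name: str
    signer: Optional[str] = None        # None = unsigned third-party code
    camera_capability: bool = False     # granted (or not) at install time


@dataclass
class Laptop:
    led_min_hold_s: float = 0.0         # 0.0 = LED lit only while camera is powered
    now: float = 0.0                    # simulated clock, seconds
    consent_until: dict = field(default_factory=dict)   # program name -> expiry
    led_off_at: float = 0.0
    prompts: int = 0                    # how many times the user was asked

    def install(self, prog: Program, requests_camera: bool,
                user_says_yes: bool = False) -> bool:
        """Install-time grant: trusted signers get the capability without a question."""
        if prog.signer in TRUSTED_SIGNERS:
            prog.camera_capability = requests_camera
        else:
            prog.camera_capability = requests_camera and user_says_yes
        return prog.camera_capability

    def capture_frame(self, prog: Program, user_answer: Optional[bool] = None,
                      exposure_s: float = FRAME_S) -> Tuple[bool, str]:
        """Try to take one frame. Returns (captured, reason)."""
        if not prog.camera_capability:
            return False, "no camera capability"      # may not even ask
        if prog.signer not in TRUSTED_SIGNERS:
            if self.consent_until.get(prog.name, -1.0) <= self.now:
                self.prompts += 1                     # yes/no prompt shown
                if not user_answer:
                    return False, "denied at prompt"
                self.consent_until[prog.name] = self.now + PROMPT_VALIDITY_S
        # The LED is driven by hardware whenever the camera is powered; a pulse
        # stretcher (if present) keeps it lit for at least led_min_hold_s.
        self.led_off_at = max(self.led_off_at,
                              self.now + max(exposure_s, self.led_min_hold_s))
        return True, "captured"

    def led_lit_for(self) -> float:
        """Seconds the LED will still be visibly lit from the current instant."""
        return max(0.0, self.led_off_at - self.now)


def scenario(led_min_hold_s: float = 0.0) -> dict:
    """Walk through the policy with one unsigned and one government-signed program."""
    lap = Laptop(led_min_hold_s=led_min_hold_s)
    paint = Program("paint")                                   # unsigned, asks user
    lap.install(paint, requests_camera=True, user_says_yes=True)
    census = Program("census", signer="government")            # signed, no question
    lap.install(census, requests_camera=True)

    r = {}
    r["unsigned_no_answer"] = lap.capture_frame(paint)[0]                   # False
    r["unsigned_after_yes"] = lap.capture_frame(paint, user_answer=True)[0]  # True
    r["unsigned_within_window"] = lap.capture_frame(paint)[0]               # True
    lap.now += PROMPT_VALIDITY_S                                            # consent expires
    r["unsigned_after_expiry"] = lap.capture_frame(paint)[0]                # False
    r["signed_no_prompt"] = lap.capture_frame(census)[0]                    # True
    r["prompts"] = lap.prompts                                              # 3
    r["led_lit_s"] = lap.led_lit_for()   # 1/60 without stretcher, hold time with it
    return r


if __name__ == "__main__":
    print(scenario(0.0))
    print(scenario(0.5))
```

Running `scenario(0.0)` shows the policy as the comments describe it: the unsigned program is refused until the user answers yes, then captures freely inside the 30-second window, and is prompted again after it expires, while the signed program captures without any prompt. The `led_lit_s` value is the interesting part: with no pulse stretcher a one-frame capture lights the LED for only 1/60 s, whereas `scenario(0.5)` holds it for half a second, which is the kind of hardware mitigation the last comment reserves judgement on.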
"Children need clean water not computers."
Clean water is a short-term essential need.
Education is a long-term essential need.
We've tried meeting the short-term needs for decades now.
Let's try meeting the long-term needs.
Anon: in the limit this would give us snazzy computer stuff and no kids to use it.
Sorry, not convinced. Dare I say: a geeky idea - with merit, of course - that will end up enriching industries and politicians while children's real needs for health care and schooling go on being neglected.
Clearly no one went to Africa and asked parents which they'd prefer for their kids.
And, yes, we could do both. But let's get the priorities straight and not get lost in fascination with our own technical ingenuity.
fusion, have *you* gone to the places this laptop will be deployed and figured out what people need? Or are you just armchair-theorizing? Do you think people shouldn't learn to read, or how to grow crops, just because water is a more urgent need than either of these?
Anonymous has it exactly right. People have more than one need. We can give people clean water and they'll drink for a day; we can teach them how to get clean water and they'll have it for the rest of their lives; we can give them the tools to learn and distribute that learning and if things go well, they and their descendants and everyone they know will have clean water.
I've worked with a different (unrelated to the OLPC guys) organization, helping to put in wireless networking in a rural third-world community. The organization has been working with the community for decades: water, schools, electricity, sponsoring people to learn medicine. And now it was time to improve communications, so we started working with wifi. The internet may be mostly a play-toy to you, but it can be much more than that. If you're a farmer, it can bring weather information and help you find markets for your goods. If you're sick, it can help you find how to heal yourself. If you have any problem, it lets you draw on the accumulated experience of the rest of the planet.
Speaking from a third world perspective... a BIG part of what is bad about the third world is not lack of resources, but corruption. As far as I know, the only effective way to fight corruption that has deep roots in a society is from the bottom up, through education, teaching how to think and making decisions, and this project has the potential of actually improving education (in the broad sense). It's a great project.
In addition to the other responses, the other comment that I've heard from people who have actually done fieldwork in the places where OLPCs are being planned is that whilst watching the western news gives you the impression that everywhere is either doing very well or facing starvation, there are actually a _lot_ of places in Africa and the far east where immediate needs like food and water are met by local crops, etc, but there's not remotely the kind of school structure to provide children with textbooks even when they're at school, let alone take-home for further study. (I.e., people aren't in immediate life-threatening physical deprivation but don't have a chance of progression beyond that on their own.) I don't know about you, but I doubt I'd have learned to read or write competently if I hadn't actually had virtually any stuff to read. My understanding is that part of the aim is to make economic savings by moving most physical textbooks to electronic books.
Sorry, fusion, but Dave and the others are on track from my perspective and experiences in some of the likely OLPC intended countries (such as Mali, Congo, Senegal and Mongolia).
True, all are countries needing to have basic health needs, etc. met to varying degrees, but they are also countries where young people are just as smart and eager to learn and apply the benefits of technology (even to play computer games as my sons, who actually were born, if not raised by the average standards, in some of these countries).
Can you imagine what it might be like for someone, kid or otherwise, to have eventually access to books from libraries of the world via a laptop when it was often difficult for them to just have access to a textbook of their own...not having to copy a summary of one written on a blackboard by their teacher.
The OLPC generation in these countries may help more than others to move their countries notably forward, perhaps demanding a bit more for their lives and communicating a bit better with their governments.
I find it curious that Bruce Schneier is readily supporting a security model that relies on ethics of third world governments.
In what way does this model rely on "ethics of third world countries"?
My comment aimed to bring the relative priorities involved to the surface.
The point is not that computer/ communications facilities would not be beneficial.
February 20, 2007, 1230 PT
Diarrhoeal cases [so far] today: 5,700,000
Diarrhoeal deaths [so far] today: 2,500
2.2 million children will die from diarrhoea and related diseases this year.
80% of them in the first two years of their life;
42,000 a week,
6,000 a day,
four every minute,
one every fourteen seconds.
Water Supply and Sanitation Collaborative Council by
IRC International Water and Sanitation Centre
Rehydration Project, a private, non-profit, non-sectarian, international development group.
Also see UNESCO
Would not anyone - forced to choose - trade a laptop for clean water?
Water supply itself is a complex societal/ technological subject, no less so than education/computer/ communications. Why is it that we seem to be prone to immerse ourselves in the one and ignore the other?
@Sleepy Russian, according to the linked story, government certified programs will run with higher privileges than other programs (by default). Government issued spyware, anyone? I can imagine many interested in whether these computers will be used to access opposition web sites or perhaps other information dangerous to minds of the civilians. As the system is required by design to periodically synch with the government issued "central server", program downloading and data uploading should be easy to accomplish.
Also, it is not clear to me whether the governments can disable third party software entirely? If they can, they are in total control of the information flow.
Thanks all. Really good site.
BTW, here's an interesting site/product that looks like it will do *something* similar.
When your gadget is stolen, you login to the GadgetTheft web site and turn on tracking for that device (you can set up several devices in one account). The next time your gadget is plugged in, GadgetTheft will attempt to recover the computer's IP address, location, Windows username, and computer name, among a few other tidbits. This information won't necessarily be enough to hunt down your iPod, but it's worth a try (people sometimes use surprisingly identifying usernames). GadgetTheft currently only works on Windows computers and requires the thief to fall for an autorun trick that asks users to install a USB driver whenever the USB device is plugged in. Technically, then, GadgetTheft can be considered spyware - though it's a spyware designed to actually work for you, in this case.
What do you think?
Clean water? Is that what you need this month?
OK, then let's ask some of the school kids to do class projects making reports on how well diggers and well cleaners do their work.
1. More folks can learn how to get clean water.
2. Kids can learn how to make good reports.
3. Kids can help their communities improve.
4. Everybody can be empowered to help.
5. More folks will be ready to tackle next month's problems.
I was just mesmerized by the monumental naivete and hubris of the remote BIOS update security concept put forward by the OLPC crew.
CRAK Software broke the Quicken and Quickbooks password protection within a few nanoseconds in spite of its 3DES password protection scheme.
Oh they didn't break 3DES...didn't have to...
They just found the one bit in the code that Intuit used to specify whether or not the password presented by the user was good or was bad. They made any password always look good! They changed one bit!
So like breaking into a bank having a 100 ton steel vault front door the bad guys got in by breaking the glass on the sliding glass door in the back.
And so will some hacker who manages to set the write enable bit without permission...
Sigh...will they ever learn...
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.