M. Charbax,

Here are the points they seem to be making in the Patterson paper that criticizes Bitfrost, as I read it:

Bitfrost isn't finished, but some OLPCs are in the field anyway. [True.] Eventually, it will be necessary to have a finalized and detailed specification for Bitfrost that can be audited and tested. [Sure.]

The prototypes that they saw did not have the LEDs that show that the camera and microphone are on. [Current OLPCs do have this, but they didn't know whether it would happen or not.]

The stored digital identity includes the child's name and photograph, so that you can authenticate whether a given person matches the digital identity. They "question the need for such invasive measures." [But they don't go into more detail about what the problem is.]

"The data recovery process should be decoupled from the identity and authentication component." [I was not able to follow their reasoning about why this is important.]

A sophisticated attacker could set up a bogus backup service if they can gain access to the key store. How would they do that? The paper cites "black-bag cryptanalysis" and "aluminum-briefcase cryptanalysis". The former means burglary (the use of the word "cryptanalysis" is sardonic/ironic). The latter is a term that the authors made up themselves (one of them boasts of this in a blog entry) but apparently also means burglary. [Well, you have to pick and choose what attacks you want to prevent against. What if someone goes to the real server and puts a gun to the head of the operator? You just can't protect against every conceivable possibility.]

P_IDENT says that all communications such as email and instant messaging are cryptographically signed. It's not explained exactly how this works, so they speculate. They assert that signing implies non-repudiability of all signed messages [non-repudiation means that the receiver can prove that the sender really sent this message, and the sender can't deny it unless he claims that his own key has been compromised]. "Ergo, it is impossible for XO users to use any form of anonymous communication with confidence."
They're saying that the signing is bad because you can't turn it off, or you have to know to turn it off. So anyone who intercepts your messages knows who you are, so speaking out against your government or whistleblowing against a corporation could backfire on you. It's also not good for doing secret ballots. [I guess this is all true, but if I sent an email right now, I would hardly depend on it to be untraceable to me, even without a digital signature. Perhaps anonymity should be added to the goals for Bitfrost, if they intend for it to be used in those ways. But it's really for childhood education, not voting. It's a lot of work to add on every requirement in the world and try to do them all. If we were designing a voting machine, security goals would be different. There may be very good reasons that anonymity was not added as a goal, too; I'd like to hear from OLPC about this.]

Because of the digital signing, a child's Internet access can be "cut off at the source", which would be traumatic. [Oh, come on!]

"Imagined Communities". [I don't know what they're talking about; evidently I'd have to read one of the citations.]

If Ivan says that it is factually inaccurate, then it probably is. I don't know what he is specifically referring to. One thing he's referring to is the paper's claim that Ivan's paper was not peer reviewed. In fact, it was, and then it was accepted at a high-prestige ACM conference.

-- Dan Weinreb

Charbax wrote:
> Ivan Kristic seems to have replied in the lwn.net <http://lwn.net> thread:
>
> (...) it's factually inaccurate and thus easily debunked. As for the
> Patterson paper, I'll be posting my thoughts over the next few days,
> but generally find it uninteresting and academically sloppy flamebait.
>
> I'm not an expert in Bitfrost at all, but in the event of a natural
> catastrophe, I think the Bitfrost keys can be updated using one $5 USB
> stick and distributing the keys to all the other laptops using Mesh
> networking.
>
> Criticizing Libya, Nigeria and Thailand for being anti free-speech is
> irrelevant. Just because China has some human rights abuse problems,
> and the Chinese firewall, blogger and yahoo mail dissidents in jail,
> does that mean that the 200 million Chinese people who have access to
> the Internet is a bad thing? That's just wrong. OLPC is a trojan horse
> to bring knowledge and democracy to those countries. It doesn't really
> matter what curriculum the governments are going to pre-load on the
> laptops, or if they are going to try and filter the Internet access,
> people always figure out to use the Internet for what they want. And
> if a government wants to mass-disable laptops using Bitfrost, just
> get any amount of activating keys smuggled into the country using a
> $5 USB key and those laptops are reactivated.
>
> On Fri, Apr 11, 2008 at 1:54 PM, Stephane Bortzmeyer
> <[EMAIL PROTECTED]> wrote:
>
> I did not read the paper yet, but it seems interesting:
>
> The paper:
> <http://www.cosic.esat.kuleuven.be/publications/article-1042.pdf>
>
> A summary: In this paper, we discuss Bitfrost, the security model
> developed by the One Laptop Per Child project for its XO laptop
> computers. Bitfrost implements a number of security measures intended
> primarily to deter theft and malware, but which also introduce severe
> threats to data security and individual privacy. We describe several
> of the technical provisions in Bitfrost, outline the risks they
> enable, and consider their legal ramifications and the psychological
> impact posed for children and society.
>
> Some rebuttals: <http://lwn.net/Articles/277165/>
> _______________________________________________
> Olpc-open mailing list
> [email protected]
> http://lists.laptop.org/listinfo/olpc-open
>
> --
> Charbax,
> Nicolas Charbonnier

