Jobs (was Re: Chilling Effects paper at USENIX UPSEC)
On Fri, Apr 11, 2008 at 6:16 AM, C. Scott Ananian [EMAIL PROTECTED] wrote: ...OLPC is hiring again, which means that hopefully soon we will only be underappreciated, not quite so much overworked. We're more than doubling our devel team, hiring QA folk (finally!), and I'm excited. If y'all have high quality candidates, send them our way! --scott -- ( http://cscott.net/ ) I see five jobs listed at http://laptop.org/en/jobs.shtml. It sounds like you have heard of others. Any chance of a Doc Lead to organize hardware and software manuals, training materials, and textbooks? or some paid Volunteer Coordinators? -- Edward Cherlin End Poverty at a Profit by teaching children business http://www.EarthTreasury.org/ The best way to predict the future is to invent it.--Alan Kay ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: Jobs (was Re: Chilling Effects paper at USENIX UPSEC)
Weren't you just posting bitter rantings how OLPC was all lost yesterday? On Sat, Apr 12, 2008 at 1:20 AM, Edward Cherlin [EMAIL PROTECTED] wrote: On Fri, Apr 11, 2008 at 6:16 AM, C. Scott Ananian [EMAIL PROTECTED] wrote: ...OLPC is hiring again, which means that hopefully soon we will only be underappreciated, not quite so much overworked. We're more than doubling our devel team, hiring QA folk (finally!), and I'm excited. If y'all have high quality candidates, send them our way! --scott -- ( http://cscott.net/ ) I see five jobs listed at http://laptop.org/en/jobs.shtml. It sounds like you have heard of others. Any chance of a Doc Lead to organize hardware and software manuals, training materials, and textbooks? or some paid Volunteer Coordinators? -- Edward Cherlin End Poverty at a Profit by teaching children business http://www.EarthTreasury.org/ The best way to predict the future is to invent it.--Alan Kay ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: Jobs (was Re: Chilling Effects paper at USENIX UPSEC)
Sorry, that was meant to be a reply not reply to all. mea culpa On Sat, Apr 12, 2008 at 6:47 AM, Charles Merriam [EMAIL PROTECTED] wrote: Weren't you just posting bitter rantings how OLPC was all lost yesterday? On Sat, Apr 12, 2008 at 1:20 AM, Edward Cherlin [EMAIL PROTECTED] wrote: On Fri, Apr 11, 2008 at 6:16 AM, C. Scott Ananian [EMAIL PROTECTED] wrote: ...OLPC is hiring again, which means that hopefully soon we will only be underappreciated, not quite so much overworked. We're more than doubling our devel team, hiring QA folk (finally!), and I'm excited. If y'all have high quality candidates, send them our way! --scott -- ( http://cscott.net/ ) I see five jobs listed at http://laptop.org/en/jobs.shtml. It sounds like you have heard of others. Any chance of a Doc Lead to organize hardware and software manuals, training materials, and textbooks? or some paid Volunteer Coordinators? -- Edward Cherlin End Poverty at a Profit by teaching children business http://www.EarthTreasury.org/ The best way to predict the future is to invent it.--Alan Kay ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: Chilling Effects paper at USENIX UPSEC
On Thu, Apr 10, 2008 at 3:08 AM, John Gilmore [EMAIL PROTECTED] wrote: 4. It is unfortunate that a respected conference did not do a better job at vetting this paper. I don't know who wrote the response that you are replying to, John, but I for one welcome both the paper and broader discussion of our security plans implementations in general. We can't be so sensitive about things! I have given generously of my time to OLPC by following the project for some three years now; testing B1, B2, B4, and MP machines; supporting G1G1 users; recruiting and paying others to contribute; researching SD card protocols; contributing to discussions by email, phone, and IM; and filing dozens of bug reports. OLPC has seldom graciously addressed my concerns on fundamental design issues, such as BitFrost, activation, developer keys, GPL compliance, game keys, or anything else. When I wasn't ignored, I was criticized for attacking OLPC, or for failing to write up my concerns as a properly tested source code patch. It has been hard -- indeed, impossible -- for me to gin up the requisite perseverence to actually implement anything for OLPC, except small patches to SimCity. (Making those patches turned up numerous bugs, which I reported, which are still largely being ignored.) First: Thank you! It's hard to say what OLPC feels about things, but I for one certainly appreciate all you've done for the project. (If you get a chance, could you post a pointer to the bugs you referenced? Or should I just search trac for [EMAIL PROTECTED] It's true that SimCity is not high on our priority list right now, but I know that our trac triage has not lacking recently and your bugs tend to deserve close attention.) The BitFrost spec was so clearly a personal hobbyhorse of Ivan that questioning its basic assumptions was heresy, grudgingly tolerated due to my reputation, but otherwise ignored. I decided very early on that it wasn't worth wasting my time and making people mad by criticizing BitFrost in detail, partly because I expected it to fall flat on its face. The parts that were worth focusing on were the pervasive DRM (maybe now that Ivan's gone, I can go back to using the right name for crypto that disables the owner's control). And I was ignored and vilified on *that* until I escalated the DRM issue to Richard Stallman over OLPC's ongoing non-compliance with GPLv3 (and also pointed out non-compliance with GPLv2, which is ongoing). Mako's been your liason on these issues -- I didn't know that we were still deficient. Please follow up, either to me or to Mako. OLPC staff are overworked and underappreciated. Working in the glare of publicity has not made their jobs easier. But giving OLPC an opportunity to address your concerns is pretty much a null concept. OLPC barely has the opportunity to address its own opportunities. This is true, but OLPC is hiring again, which means that hopefully soon we will only be underappreciated, not quite so much overworked. We're more than doubling our devel team, hiring QA folk (finally!), and I'm excited. If y'all have high quality candidates, send them our way! --scott -- ( http://cscott.net/ ) ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: Chilling Effects paper at USENIX UPSEC
4. It is unfortunate that a respected conference did not do a better job at vetting this paper. The conference is a small USENIX workshop (Usability, Psychology and Security). USENIX workshops generally involve fewer than 100 participants, more timely work, and less pre-publication peer review. BitFrost (and criticism of the design, the spec, and the implementation of BitFrost) are directly on-point for this workshop. The paper appears in a short papers session, along with papers on RFID and authentication via electronic pets. 1. The BitFrost Specification is documentation, not detailed implementation. The author does not read code. Indeed, the paper would've been better if they had also been able to review the implementation, but based on the paper deadline and what they had available (a prototype XO from B3 or earlier), most of BitFrost was not implemented in what they had access to. 2. BitFrost does not promise anonymity to school children. This is a valid criticism of a social scheme such as give one laptop to every child, and as pointed out by the authors, a scheme being rolled out in some very violent, repressive countries like Nigeria. It would have been nice if the criticisms had been delivered directly to OLPC, instead of broadcast in a public forum, ... Almost every OLPC forum, including olpc-security, is a public forum. If the enemies of OLPC aren't reading its open mailing lists, they aren't very competent enemies. It's actually more likely that they would notice OLPC criticisms in OLPC forums, rather than at a small USENIX workshop. Indeed, it's the discussion of the paper here that has probably tipped off OLPC's enemies. Shh!!! I believe that the prevailing ethos in the white hat security community is to report newly-discovered vulnerabilities first to the company in question, thus giving them some amount of time to develop a patch before the public announcement. The authors didn't identify any buffer overflows or similar issues. The things they identified were wrong at the fundamental design level, and are not trivially patchable. Luckily, some of them were design goals that never got implemented, like signing everything with the child's private key. Thus, many of the BitFrost mistakes which they point out, are not actual problems in the current shipping XO. The authors appear to be academics, however, so they would get little credit for having contributed to OLPC security by privately contacting OLPC and giving us an opportunity to address their concerns. Ahem. I have given generously of my time to OLPC by following the project for some three years now; testing B1, B2, B4, and MP machines; supporting G1G1 users; recruiting and paying others to contribute; researching SD card protocols; contributing to discussions by email, phone, and IM; and filing dozens of bug reports. OLPC has seldom graciously addressed my concerns on fundamental design issues, such as BitFrost, activation, developer keys, GPL compliance, game keys, or anything else. When I wasn't ignored, I was criticized for attacking OLPC, or for failing to write up my concerns as a properly tested source code patch. It has been hard -- indeed, impossible -- for me to gin up the requisite perseverence to actually implement anything for OLPC, except small patches to SimCity. (Making those patches turned up numerous bugs, which I reported, which are still largely being ignored.) The BitFrost spec was so clearly a personal hobbyhorse of Ivan that questioning its basic assumptions was heresy, grudgingly tolerated due to my reputation, but otherwise ignored. I decided very early on that it wasn't worth wasting my time and making people mad by criticizing BitFrost in detail, partly because I expected it to fall flat on its face. The parts that were worth focusing on were the pervasive DRM (maybe now that Ivan's gone, I can go back to using the right name for crypto that disables the owner's control). And I was ignored and vilified on *that* until I escalated the DRM issue to Richard Stallman over OLPC's ongoing non-compliance with GPLv3 (and also pointed out non-compliance with GPLv2, which is ongoing). OLPC staff are overworked and underappreciated. Working in the glare of publicity has not made their jobs easier. But giving OLPC an opportunity to address your concerns is pretty much a null concept. OLPC barely has the opportunity to address its own opportunities. John ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: Chilling Effects paper at USENIX UPSEC
The most represive school systems we have been talking to have been the ones in the U.S.They even claim that they have a legal obligation to break internet access on the laptop everywhere but the school, to ensure compliance with the law. I personally configured the server to not log IP addresses on HTTP requests, but that will only be used in developing countries. You can bet that most school systems running their own cache/filter/proxy WILL log this info. Forget BitFrost, these kids are being betrayed by basic networking mechanisms (such as persistent MAC and IP addresses.) wad 2. BitFrost does not promise anonymity to school children. This is a valid criticism of a social scheme such as give one laptop to every child, and as pointed out by the authors, a scheme being rolled out in some very violent, repressive countries like Nigeria. It would have been nice if the criticisms had been delivered directly to OLPC, instead of broadcast in a public forum, ... Almost every OLPC forum, including olpc-security, is a public forum. If the enemies of OLPC aren't reading its open mailing lists, they aren't very competent enemies. It's actually more likely that they would notice OLPC criticisms in OLPC forums, rather than at a small USENIX workshop. Indeed, it's the discussion of the paper here that has probably tipped off OLPC's enemies. Shh!!! I believe that the prevailing ethos in the white hat security community is to report newly-discovered vulnerabilities first to the company in question, thus giving them some amount of time to develop a patch before the public announcement. The authors didn't identify any buffer overflows or similar issues. The things they identified were wrong at the fundamental design level, and are not trivially patchable. Luckily, some of them were design goals that never got implemented, like signing everything with the child's private key. Thus, many of the BitFrost mistakes which they point out, are not actual problems in the current shipping XO. The authors appear to be academics, however, so they would get little credit for having contributed to OLPC security by privately contacting OLPC and giving us an opportunity to address their concerns. Ahem. I have given generously of my time to OLPC by following the project for some three years now; testing B1, B2, B4, and MP machines; supporting G1G1 users; recruiting and paying others to contribute; researching SD card protocols; contributing to discussions by email, phone, and IM; and filing dozens of bug reports. OLPC has seldom graciously addressed my concerns on fundamental design issues, such as BitFrost, activation, developer keys, GPL compliance, game keys, or anything else. When I wasn't ignored, I was criticized for attacking OLPC, or for failing to write up my concerns as a properly tested source code patch. It has been hard -- indeed, impossible -- for me to gin up the requisite perseverence to actually implement anything for OLPC, except small patches to SimCity. (Making those patches turned up numerous bugs, which I reported, which are still largely being ignored.) The BitFrost spec was so clearly a personal hobbyhorse of Ivan that questioning its basic assumptions was heresy, grudgingly tolerated due to my reputation, but otherwise ignored. I decided very early on that it wasn't worth wasting my time and making people mad by criticizing BitFrost in detail, partly because I expected it to fall flat on its face. The parts that were worth focusing on were the pervasive DRM (maybe now that Ivan's gone, I can go back to using the right name for crypto that disables the owner's control). And I was ignored and vilified on *that* until I escalated the DRM issue to Richard Stallman over OLPC's ongoing non-compliance with GPLv3 (and also pointed out non-compliance with GPLv2, which is ongoing). OLPC staff are overworked and underappreciated. Working in the glare of publicity has not made their jobs easier. But giving OLPC an opportunity to address your concerns is pretty much a null concept. OLPC barely has the opportunity to address its own opportunities. John ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
