Re: [Sugar-devel] Clocks on XOs
El Wed, 07-07-2010 a las 01:58 -0400, Kevin Mark escribió: On Tue, Jul 06, 2010 at 05:03:02PM -0400, Bernie Innocenti wrote: PS: I just found yet another laptop which won't activate because the clock was set to 15 July 2000 (not 2010!). Do you see many of these? just a query as I dont know the details of activation: if the rtc is off by a year or more (10 year?) the laptop will not activte using the required activation lease key? so the rtc must be up-to-date to use an activation lease key? Yes, because the leases have an expiration date. (BTW: you dropped my name off the cc list in your reply. This is why I did not notice your question sooner) -- // Bernie Innocenti - http://codewiz.org/ \X/ Sugar Labs - http://sugarlabs.org/ ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: [Sugar-devel] Clocks on XOs
On Tue, Jul 6, 2010 at 10:14 PM, Bernie Innocenti ber...@codewiz.org wrote: And that there are efforts to solve that in the future. Oh, I was unaware of this. Who is working on it, and what's the exact plan? http://dev.laptop.org/ticket/9564 Now, folks, please be careful here with all the exaggeration and drama. This list is full of people who don't understand humour or exaggeration. And who don't necesarily understand that security is never absolute, never perfect. Our antitheft scheme doesn't work in a vacuum -- it only works as a social device, to strongly discourage theft and grey-market sales. Tradeoffs is what it's all about. cheers, m -- martin.langh...@gmail.com mar...@laptop.org -- School Server Architect - ask interesting questions - don't get distracted with shiny stuff - working code first - http://wiki.laptop.org/go/User:Martinlanghoff ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: [Sugar-devel] Clocks on XOs
On Tue, Jul 06, 2010 at 05:03:02PM -0400, Bernie Innocenti wrote: PS: I just found yet another laptop which won't activate because the clock was set to 15 July 2000 (not 2010!). Do you see many of these? just a query as I dont know the details of activation: if the rtc is off by a year or more (10 year?) the laptop will not activte using the required activation lease key? so the rtc must be up-to-date to use an activation lease key? -- | .''`. == Debian GNU/Linux ==.| http://kevix.myopenid.com..| | : :' : The Universal OS| mysite.verizon.net/kevin.mark/.| | `. `' http://www.debian.org/.| http://counter.li.org [#238656]| |___`-Unless I ask to be CCd,.assume I am subscribed._| ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: [Sugar-devel] Clocks on XOs
On Tue, Jul 06, 2010 at 04:36:55PM -0600, Daniel Drake wrote: PS: I just found yet another laptop which won't activate because the clock was set to 15 July 2000 (not 2010!). Do you see many of these? This was probably a human error in the Fix_clock repair process that happened on that laptop. from my understanding of the 'fix clock'/rtc issue, the clock would go back to about 1970? and not something as recent as 2000. -- | .''`. == Debian GNU/Linux ==.| http://kevix.myopenid.com..| | : :' : The Universal OS| mysite.verizon.net/kevin.mark/.| | `. `' http://www.debian.org/.| http://counter.li.org [#238656]| |___`-Unless I ask to be CCd,.assume I am subscribed._| ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: [Sugar-devel] Clocks on XOs
On Sat, Jul 3, 2010 at 9:54 AM, Bernie Innocenti ber...@codewiz.org wrote: NetworkManager used to call ntpdate when it setup a connection. Was that an OLPC addition? Yes, although it's now present in litl's software builds as well. We figured out that the ntp package has never been present on the XO images. It was ntpdate, which was smaller than the whole ntp package. There's no way to practical way to implement effective anti-theft without taking away root from the user. And once we take away root access, we've also taken away olpc's principle #1: child ownership. See my recent message on this topic. Apart from the hardware fix (which avoids RTC dependency altogether), it is also possible to separate most of root's authority from the RTC priviledge. Installing software, for example, requires root access to the filesystem, but not access to the RTC. What are the school servers doing to keep their clocks reasonable? They're using ntp, with the Fedora pool of ntp servers. You should probably apply for your own pool: http://www.pool.ntp.org/en/vendors.html#open-source It's pretty painless, and makes you a better netizen. Why aren't we using ntp? ntp is probably overkill for XOs. Besides, who would want to give up that much ram? On top of that, ntpd doesn't get along with power saving mode. That's why you use ntpdate. --scott -- ( http://cscott.net/ ) ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: [Sugar-devel] Clocks on XOs
On Mon, 2010-07-05 at 08:22 -0600, Daniel Drake wrote: On 3 July 2010 16:52, Bernie Innocenti ber...@codewiz.org wrote: I checked: olpc-update-query only sets the clock if it's off by more than 24hours, so it cannot serve as a replacement for ntpdate. What's the requirement for super-accurate clocks on the XO? It doesn't have to be super-accurate, just good enough to show a clock with a meaningful time. Laptops with anti-theft enabled can get the time from the OATS server when it's off by more than 24 hours. Unlocked laptops don't have a way to synchronize the time at all. All we need to fix it is a trivial shell script. Why not do it? NOTE: whoever is interested in supporting configurations that take away root access from users will probably want to remove this functionality as well. Very sad :-( -- // Bernie Innocenti - http://codewiz.org/ \X/ Sugar Labs - http://sugarlabs.org/ ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: [Sugar-devel] Clocks on XOs
On 6 July 2010 10:10, Bernie Innocenti ber...@codewiz.org wrote: Laptops with anti-theft enabled can get the time from the OATS server when it's off by more than 24 hours. Unlocked laptops don't have a way to synchronize the time at all. All we need to fix it is a trivial shell script. Why not do it? I think it's fine that individual deployments can do it. But it shouldn't be done globally because it weakens the security system. A globally acceptable solution could be to decrease the safety guard on the olpc-update-query check so that it corrects the time if it is (e.g.) more than 1 hour out. Daniel ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: [Sugar-devel] Clocks on XOs
On Tue, 2010-07-06 at 11:21 -0600, Daniel Drake wrote: I think it's fine that individual deployments can do it. But it shouldn't be done globally because it weakens the security system. Which security system, the theft deterrence? Well, granting root access from the console already weakens it to the point of being useless. Who would bother to setup a fake DHCP, DNS and NTP server when it takes 20 seconds to crack it from the console? :-) Where you thinking of a different scenario? A globally acceptable solution could be to decrease the safety guard on the olpc-update-query check so that it corrects the time if it is (e.g.) more than 1 hour out. This isn't globally acceptable: many (most?) laptops run without a OATS server, so their clock would remain wrong forever. PS: I just found yet another laptop which won't activate because the clock was set to 15 July 2000 (not 2010!). Do you see many of these? -- // Bernie Innocenti - http://codewiz.org/ \X/ Sugar Labs - http://sugarlabs.org/ ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: [Sugar-devel] Clocks on XOs
On Sat, Jul 3, 2010 at 9:54 AM, Bernie Innocenti ber...@codewiz.org wrote: Likely so, but the software should be able to compensate for it. After discussing it on IRC, it seems that olpc-update-query should automatically update the clock from the OATS server. Do _not_ rely on this for accurate clock setting. It only kicks in if - the clock is really off - the XS has delegated OATS keys NetworkManager used to call ntpdate when it setup a connection. Was that an OLPC addition? We figured out that the ntp package has never been present on the XO images. Um? I thought it was there -- perhaps in much older builds? ... There's no way to practical way to implement effective anti-theft without taking away root from the user. And once we take away root access, we've also taken away olpc's principle #1: child ownership. Not true on several levels. We can control the clock in OFW for the case where the time is reset to the past. Not implemented (yet) but planned. cheers, m -- martin.langh...@gmail.com mar...@laptop.org -- School Server Architect - ask interesting questions - don't get distracted with shiny stuff - working code first - http://wiki.laptop.org/go/User:Martinlanghoff ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: [Sugar-devel] Clocks on XOs
On 6 July 2010 15:03, Bernie Innocenti ber...@codewiz.org wrote: Well, granting root access from the console already weakens it to the point of being useless. Who would bother to setup a fake DHCP, DNS and NTP server when it takes 20 seconds to crack it from the console? :-) Right. So with that logic, lets just throw out the whole security system. Ignoring the fact that some deployments ship without root access. And that there are efforts to solve that in the future. Having ntp sync like this weakens the security system because it means that when you fix one problem (of easy root access, for example), you still have other ones that make your system easily defeatable. Instead, if you choose not to add more holes, once you fix the existing ones then you have a fully secure system. This isn't globally acceptable: many (most?) laptops run without a OATS server, so their clock would remain wrong forever. This picture is rapidly changing. PS: I just found yet another laptop which won't activate because the clock was set to 15 July 2000 (not 2010!). Do you see many of these? This was probably a human error in the Fix_clock repair process that happened on that laptop. Daniel ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: [Sugar-devel] Clocks on XOs
On Tue, 2010-07-06 at 16:36 -0600, Daniel Drake wrote: On 6 July 2010 15:03, Bernie Innocenti ber...@codewiz.org wrote: Well, granting root access from the console already weakens it to the point of being useless. Who would bother to setup a fake DHCP, DNS and NTP server when it takes 20 seconds to crack it from the console? :-) Right. So with that logic, lets just throw out the whole security system. Ignoring the fact that some deployments ship without root access. Is the practice of completely locking-down the laptops something we'd even want to encourage? Assuming we don't, why should we cripple time-syncing for everyone just to simplify an unsupported customization? And that there are efforts to solve that in the future. Oh, I was unaware of this. Who is working on it, and what's the exact plan? Having ntp sync like this weakens the security system because it means that when you fix one problem (of easy root access, for example), you still have other ones that make your system easily defeatable. Instead, if you choose not to add more holes, once you fix the existing ones then you have a fully secure system. Easy root access is not a security bug, it's a feature that OLPC deliberately chose to give to all users. I even submitted a mingetty patch adding --loginpause which we use to drop into the root console. Why? Because, without root access, children would own the XO the same way consumers own the iPhone and the TiVo. They could crash the physical thing on the floor and burn it, but not flip one bit without government's authorization. I may sound a bit melodramatic, but a project of this kind wouldn't have inspired me to volunteer even for one day. Moralities apart, I guess anyone would agree on the purely technical statement that we can't make OATS work effectively without also taking away root privileges (or the best parts of it). Any half-hearted compromise is likely to be as ineffective as it is annoying. This isn't globally acceptable: many (most?) laptops run without a OATS server, so their clock would remain wrong forever. This picture is rapidly changing. I thought the default was changed one year ago from locked to unlocked. I would be surprised if many deployments had the technical skills to deal comfortably with the complexity of the activation system, when it is very challenging even for us. We probably disagree here, but I think that in most cases OATS costs more to maintain than its actual economical benefit. Admittedly, it works very well at addressing a problem of fear that may play a big role in influencing decision makers. Come on, we all secretly know this and play dumb :-) -- // Bernie Innocenti - http://codewiz.org/ \X/ Sugar Labs - http://sugarlabs.org/ ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: [Sugar-devel] Clocks on XOs
On 3 July 2010 16:52, Bernie Innocenti ber...@codewiz.org wrote: I checked: olpc-update-query only sets the clock if it's off by more than 24hours, so it cannot serve as a replacement for ntpdate. What's the requirement for super-accurate clocks on the XO? Daniel ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: [Sugar-devel] Clocks on XOs
On Fri, Jul 02, 2010 at 08:15:38PM -0700, Hal Murray wrote: Was: Subject: =?ISO-8859-1?Q?Caacup=E9?= war bullettin -- day 1 ber...@codewiz.org said: * Date not being updated One laptop booted with clock set to the Epoch. Is that one of the old XOs that had troubles with the tiny battery feeding the TOY/RTC clock when the main battery and wall power are both disconnected? I forget the details, but I think there was a problem with the battery holder. the 'd6 bricking' has 2 common symptoms: the laptop boots with a dark screen and the mic light flashes and never goes further or the laptop boots with a message about an invalid date and goes no further. That is for non-lease-bound XOs. The lease complicates this as because when you have to re-image the laptop, you need to get a lease file onto the laptop to activate the laptop. See: http://wiki.laptop.org/go/Fix_Clock (let me know if you want to add a spanish translation) cheers, Kev -- | .''`. == Debian GNU/Linux ==.| http://kevix.myopenid.com..| | : :' : The Universal OS| mysite.verizon.net/kevin.mark/.| | `. `' http://www.debian.org/.| http://counter.li.org [#238656]| |___`-Unless I ask to be CCd,.assume I am subscribed._| ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: [Sugar-devel] Clocks on XOs
El Fri, 02-07-2010 a las 20:15 -0700, Hal Murray escribió: Is that one of the old XOs that had troubles with the tiny battery feeding the TOY/RTC clock when the main battery and wall power are both disconnected? I forget the details, but I think there was a problem with the battery holder. Likely so, but the software should be able to compensate for it. After discussing it on IRC, it seems that olpc-update-query should automatically update the clock from the OATS server. NetworkManager used to call ntpdate when it setup a connection. Was that an OLPC addition? We figured out that the ntp package has never been present on the XO images. I think this area gets tangled up with security and lease checking. Do we want/need two separate modes, one for the secure case and another for developers without a school server? Maybe. We discussed the security implications of using unauthenticated ntp on XOs with anti-theft enabled yesterday on IRC. The concern is that a clever thief could setup a LAN with DHCP, DNS and NTP to set a date in te past and thus subvert the leases expiration scheme. However, with root access on the laptop, one does not need to bother so much: they could simply change the time from the console or, better, in /etc/rc.local. There's no way to practical way to implement effective anti-theft without taking away root from the user. And once we take away root access, we've also taken away olpc's principle #1: child ownership. What are the school servers doing to keep their clocks reasonable? They're using ntp, with the Fedora pool of ntp servers. Why aren't we using ntp? ntp is probably overkill for XOs. Besides, who would want to give up that much ram? On top of that, ntpd doesn't get along with power saving mode. Wow, 2MB of RSS! I had no idea ntp was such a hog. Aside from quirks like this one, is time on the XO normally good enough? I would have to check... -- // Bernie Innocenti - http://codewiz.org/ \X/ Sugar Labs - http://sugarlabs.org/ ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
Re: [Sugar-devel] Clocks on XOs
El Sat, 03-07-2010 a las 09:54 -0400, Bernie Innocenti escribió: Likely so, but the software should be able to compensate for it. After discussing it on IRC, it seems that olpc-update-query should automatically update the clock from the OATS server. I checked: olpc-update-query only sets the clock if it's off by more than 24hours, so it cannot serve as a replacement for ntpdate. Besides, I can't find where NetworkManager would be running ntpdate... The most logical place would be /etc/NetworkManager/dispatcher.d, but there's nothing. The ntp packate drops a script in /etc/dhcp/dhclient.d, but it seems to kick into action only if the dhcp server provides an ntp server option. My conclusion: currently there's no straight-forward way to set the clock on the XO (even when we don't care about the time hijacking scenario). -- // Bernie Innocenti - http://codewiz.org/ \X/ Sugar Labs - http://sugarlabs.org/ ___ Devel mailing list Devel@lists.laptop.org http://lists.laptop.org/listinfo/devel
