Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Security and the $100 Laptop

Posted by timothy on Thu Oct 12, 2006 01:07 PM
from the what-about-the-single-girl dept.
Security Education Portables Hardware
gondaba writes "The One Laptop Per Child project is actively recruiting hackers to help crack the security model of the $100 laptop to avoid the obvious risks associated with what will effectively be the largest computing monoculture in history. From the article: 'The key design goal, Krstic explained, is to avoid irreversible damage to the machines. The laptops will force applications to run in a "walled garden" that isolates files from certain sensitive locations like the kernel. "If we discover vulnerabilities, the security model must hold up enough that even a machine that is unpatched won't be easily exploitable. This gives us a bit of diversity to avoid the monoculture trap," he added.'"
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Security and the $100 Laptop 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.
  • Well, other than to build a zombie network I guess- but I can't imagine anybody being interested in some Libyan child's schoolwork.

  • Even bigger story in there... (Score:3, Funny)

    by Penguinisto (415985) on Thursday October 12 2006, @01:11PM (#16411359) Journal
    If they pull off 100 million laptops, Microsoft can no longer claim dominance in the desktop...

    Good Lord! The chairs are a'gonna fly in Redmond once this gets out!

    (props for the security testing, though :) )

    /P

    • If they pull off 100 million laptops, Microsoft can no longer claim dominance in the desktop...


      sure they can. Just not on the laptop.

      Though certainly a hundred million low-end Linux machines in use might change a lot in the marketplace, both as a source and a market for new software.
        • Not the best market when the people involved have no money.


          The people involved don't mostly have no money. They certainly will tend to have very little money by Western standards, but then (especially if its not retail boxes), software often has a very low marginal cost to deliver, so there may still be value in reaching such a market.
          • Particularly in a decade or so when all of those now-empowered youths learn enough English to take in http://www.paulgraham.com/ [paulgraham.com]
            Suddenly, Western civilization is flattened by a limitless swarm of Lisp-powered shopping carts.
            Not even OPEC will survive OLPC.
            Fear.
        • >> "Not the best market when the people involved have no money. However, I don't doubt that the OSS community might reap some benefit from it."

          Exactly. I compare this to the Soviet Russia where they didn't have the supercomputing power of the USA, but with a pencil and advanced mathematics used their brain power to develop the principles of stealth, and a few other fringe technologies.

          With 100 million laptops out there, chances are someone with one of these laptops is going to develop somethi

    • Could actually be a problem (Score:5, Interesting)

      by Sycraft-fu (314770) on Thursday October 12 2006, @01:20PM (#16411473)
      Not for MS but for MS's competitors. Can't really claim MS is a monopoly anymore if there's 100 million systems running a non-MS OS. That means that they are free to do as they please, for the most part, when it comes to locking people out of their OS. Most anti-competitiveness statues only affect monopolies. Companies that face competition are generally allowed to be as anti-competitive as they like.
      • Good point - this opens up a lot of dynamics.

        OTOH, Most OLPC units will likely be going to developing nations, which means that as far as US and EU jurisdiction is concerned, MSFT may still have to behave itself (well, relatively so).

        They may also be cozy in the knowledge that in the money end of the market (or, the parts of the market where the majority of money can be made), they'll likely remain and retain dominance for awhile longer.

        Long-term? Once/If said developing nations get along far enough t

      • "Not for MS but for MS's competitors. Can't really claim MS is a monopoly anymore if there's 100 million systems running a non-MS OS."

        A monopoly is defined based on a per country basis not a global basis. AT&T was a monopoly only in the US, Standard Oil was a monopoly only in the US.

        LetterRip

      • Not for MS but for MS's competitors. Can't really claim MS is a monopoly anymore if there's 100 million systems running a non-MS OS.

        100 million machines in developing countries running a non-MS OS won't, in and of themselves, change anything about whether or not Microsoft has a monopoly on some market in interstate commerce in the US. Likewise, I'd image they won't directly affect whether it has a monopoly under the terms relevant in EU law, either.

        OTOH, it make Microsoft safer from anti-trust actions in Th

      • You're saying it's actually in MS's competitors' interest to have MS stay a monopoly?

        That's it. I'm moving to a psychiatric ward.

        • Re: (Score:3, Insightful)

          by kthejoker (931838)
          That depends on how you define competitors.

          If you mean competitors among OSes (ie Apple and Red Hat), then no, it's not.

          But their competitors in other fields - antivirus (McAffee, Symantec, Norton), accounting (Quicken), PDF and presentation tools (Adobe) - greatly benefit from the limitations placed on Windows by antitrust settlements. Since Microsoft can't use their OS monopoly to further other monopolies, they have to compete on a much more level playing field with others to sell their software. So to th
    • (props for the security testing, though :) )

      Sure, but they're going about it all wrong. Everyone knows that the way you ensure secure computers is to make a proprietary OS and don't tell anyone where your buffer overflows are.

  • Biggest Monoculture (Score:4, Informative)

    by Doc Ruby (173196) on Thursday October 12 2006, @01:14PM (#16411405) Homepage Journal
    The many millions of SymbianOS [wikipedia.org] mobile "phones" is the largest computing monoculture in the world. Much more essential for the world's daily operation than these cool kids' PCs, and tied directly to the wallets, by the minute, of most people with any money.
    • That was my first thought: this OLPC is going to be bigger than Windows or cell phones? Pretty major hubris for an outfit that hasn't even started shipping in quantity yet!
    • I believe TRON [wikipedia.org] has been in millions of machines longer than Symbian. It most likely runs more devices as the project specifically targets more kinds of devices.
      • TRON (all the various flavours) are specifications, not implementations, and they're not followed consistently. It's hard enough writing apps for specific fooTRON devices, let alone an exploit that would effect more than a small subset of them.

    • Re: (Score:3, Informative)

      by Bender0x7D1 (536254)
      You missed the point that it is identical software AND hardware.

      Sure, there are more installs of Windows XP, but they aren't all running on the exact same hardware. Same goes for SymbianOS.

      Also, these laptop don't assume that someone is attached to a high-speed network where they can download patches every few weeks. If someone hacks your phone, or a vulnerability in Windows is found, they push a patch out - OLPC wants these to be secure from day 1. (Or at least as secure as possible.)

  • Hack the proprietary binary only WiFi firmware! (Score:2, Insightful)

    by Anonymous Coward
    Theo start your hex-editor and show them that it is no good idea to include
    closed components.
    • That was my first thought. If you want the system to be secure, step #1 is to ensure that there is no proprietary binary-only firmware that you can't check for bugs and that people can't fix and redistribute themselves.

      • Re: (Score:2, Informative)

        by EPAstor (933084)
        This issue is being worked on. As I understand it, the closed wireless firmware is planned to be completely replaced in the next revision of the laptop.

  • virtualize the applications (Score:4, Interesting)

    by xzvf (924443) on Thursday October 12 2006, @01:20PM (#16411483)
    Run each application in it's own virtual machine. Xen has a low enough overhead and is clean code. Browser compromised - reload from know good source.

    • Re: (Score:2, Insightful)

      by swarsron (612788)
      To do this you would need a shitload of RAM. I somehow doubt that that's an option for a machine ~100$

    • Run each application in it's own virtual machine. Xen has a low enough overhead and is clean code.

      I think the CPU and RAM requirements for running more than one or two programs at once would really add up on such a meager system. A jail that basically uses an ACL to separate the program, ala FreeBSD or SE Linux would have a similar amount of benefit, using fewer resources.

    • Re:virtualize the applications (Score:5, Insightful)

      by RAMMS+EIN (578166) on Thursday October 12 2006, @01:43PM (#16411821) Homepage Journal
      How are virtual machines going to help here? What protection do virtual machines grant that the operating itself doesn't grant? What undesireable restrictions do virtual machines impose? If you work around these restrictions, will the system be more or less secure than without virtual machines? If you don't work around these restrictions, will the system be usable?

      As far as I'm concerned, running applications should already be separated from one another. This leaves interaction through the file system and IPC (inter-process communication).

      Virtual machines take away the interaction through the filesystem, as well as local IPC. The latter doesn't actually necessarily make the system more secure, as it makes it more difficult to tell if IPC is safe (on the virtual network) or open to attacks (on the real network). At any rate, IPC will be less efficient, because you lose shared memory IPC.

      By taking away common filesystem access and complicating IPC, applications become less usable. How do you get the file Alice sent you by email to your word processor? How do you copy-paste from one application to another? How do you do process management, when the process management tools are made for a single machine, but you have everything runnig under virtual machines?

      Once you work around these restrictions, what will you be left with? Are you going to re-introduce common filesystem access and create a drag-and-drop interface that works accross virtual machines? When you've done so, won't you have a system that has pretty much the same capabilities as one that isn't based on loads of virtual machines, except that your system is much more complex? Won't that complexity introduce new bugs and vulnerabilities? Will the system not be too slow to be usable?

      • How are virtual machines going to help here? What protection do virtual machines grant that the operating itself doesn't grant?

        Most operating systems, including most Linux systems do not have strict access controls on an application level. Using a VM is one way to use existing tools to add much of that functionality to an OS not designed for it. I actually think VMs are going to be used more for this purpose in the future, since it also mitigates some of the cross-platform issues.

        The problem can also be

    • because two vectors are better than one !

  • Coming up next... (Score:3, Funny)

    by Funkcikle (630170) on Thursday October 12 2006, @01:23PM (#16411515)
    After they solve this dimension of the security issue, they can deal with a slightly more important one - securing the laptops against theft.

    DEAREST SIR MY NAME IS BARRISTER MUMBAGWE SMYTHE AND I WRITE TO YOU IN GRAVE NEED FOR ASSIST. RECENTLY MY GOVERNMENT UNCLE DIED AND LEFT ME MANY MILLION LAPTOP WHICH MUST BE EXITED FROM COUNTRY.

    I predict more dead third world children! Oh yes. Still, it makes a nice change from diamonds/oil/etc....instead there shall be many a colourful laptop for sale on eBay, due to demand created by Linux fetishists.

    If only they had used OS X - then there would be no desire for such hideous laptops by those OS fans. Sniffle.
  • Sounds like that need Novell's AppAmor software. It is an application-level firewall. You could take firefox and make a firewall around it so it can't do anything that you don't want it to (remote code execution, blah blah). Interestingly as well, you can wrap up apache with it to prevent web server hacks and whatnot. Not sure if you can put it around the kernel to prevent rootkits from installing, but if you cover your points of entrance (browser, e-mail, file sharing, etc) you should be pretty well co

  • Very simple to figure out how to hack these machines. Put Joe User on the system and in five minutes, I guarantee you the home page will be set to a pr0n site and the next thing you know, all his bases are belong to us.

  • 100 million laptops discovering goatse at the same time...
  • ``The One Laptop Per Child project is actively recruiting hackers to help crack the security model of the $100 laptop''

    Isn't the consensus among the security community that such ideas are mostly theater, and it's much more effective to actually employ hackers to _create_ the security?
  • They should use SELinux extensions. Have targeted policies for the web browser and email client at a minimum.

    Virutal machines will not work, the system is too underpowered for it.

  • Your overconfidence is your weakness (Score:4, Funny)

    by Rogerborg (306625) on Thursday October 12 2006, @02:11PM (#16412185) Homepage
    > "The machine, he said, will feature a completely secure BIOS solution that allows fully automatic upgrades without user intervention and fully protects against phishing and automated worm attacks."

    Also, it whitens your teeth while you sleep, and autodials Alyson Hannigan whenever she's feeling lonely and horny. All for $100!

  • Recruiting Hackers (Score:3, Insightful)

    by trongey (21550) on Thursday October 12 2006, @02:27PM (#16412437) Homepage
    Taken in context I would presume that they're referring to hackers in the negative sense. This is not a group that's known for being champions of safe computing.

    So let's see:
    1) l33t h4xx04z finds a nifty security hole.
    2) l33t h4xx04z determines that he could use this hole to create 100 million zombies.
    3) Decision - a) report the hole so that it can be fixed OR b) start working on exploit to create 100 million marketable zombies
    4) PROFIT.

    • Why not just do what corporate America does and lock the machines down administratively and then make all of the applications web based?

      Because a lot of them won't have Web access a significant portion of the time.

    • You digitally sign the update and the client machine checks the signature against an authority. So it adds an extra check - they'd have to compromise the update server and an authority too. Nothings foolproof and it just hs to be cracked once for total failure (as the crack can be easily disseminated over fast mediums such as the Internet). But two (or three, etc.) independent layers of security is pretty good protection.

    • Re: (Score:3, Informative)

      by geekoid (135745)
      no.

      Giving people tools so they can help themselves is the best thing you can do. This, like all comuters, is just a tool.
      Making someone dependent on hand outs is not the solution.

    • Re:Step in the Wrong Direction? (Score:4, Insightful)

      by 99BottlesOfBeerInMyF (813746) on Thursday October 12 2006, @03:04PM (#16412955)

      I don't mean to be a Johnny-Come-Lately, but isn't there other ways to improve a civilization/country/etc without computers?

      Sure there are. But just because there are other ways does not make this method any less beneficial.

      Why is that when Linux is mentioned, it's like being touched by the Hand of God (or Allah for that matter) ?

      Most things we can give or subsidize the cost of for developing nations have negative consequences. Giving them food, destroys the local market and kills their agricultural sector. Giving them GM crops that grow faster and better makes them dependent upon the companies who own the patent on that crop and who can later demand fees for its use. Giving them cheap Windows based PCs, may help in the short term, but it makes them dependent upon IP from an abusive foreign monopoly in the long term.

      Linux is a win-win situation because by nature it ships with all the blueprints and tools needed with the only strings being used to stop it from being exploited in ways that hurt the end user. It gives them access to technology and information and provides a secure foundation for them to build upon without undercutting any local development. Rather, it encourages local development.

      Imagine if instead of shipping food to African nations at below the market value, we shipped them a complete chain of tools and machinery needed to build from the ground up the entire industrial foundation for agricultural equipment and fertilizers. Basically, we gave them the whole setup of factories and education and patents we have. Then they would not be dependent upon us and could grow their own food the same way we do.

      To do that would be prohibitively expensive for agriculture, but for software development, Linux is that complete chain, with no strings attached. That is why it is so well regarded by those interested in helping developing nations.

    • Re: (Score:3, Informative)

      by Monsuco (998964)

      When the parts for laptops get cheap enough that someone could manufacture a $100 laptop, *then the market will be flooded with $100 laptops*. There are a dearth of hardware manufacturers out there already competing to make the cheapest laptop they can.

      It is cheap by leaving out stuff like a hard drive, and instead has 512 MB of flash (though I think some models might have 1GB). It will lack a CD drive. It will have a very slow 366 Mhz AMD Geode processor, so that it can run without fans and wont use much

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.