Computer malware is a big problem for society. When this is discussed in relation to children and the Internet (or politicians or parents), the advice has always been: updates, AV software, and firewalls for the computer, and rules, restrictions, and filters for the children, with a special emphasis on installing more software and updating more often. Illustrations of this attitude can be found in:
- Child Safety Online - Prevention Guidelines
- Cyber Security Tip ST05-002: Keeping Children Safe Online
- Computer Security for Children
But, is user education working? Obviously, primary school children (and older) cannot be made responsible for installing and managing security updates, AV software, and firewalls. In this view, getting millions of children in developing countries on-line on laptops they have to use unsupervised at home seems to be nothing short of a crime against humanity. Yet, is it really impossible to create a computer environment that can not only be used safely by children, but also managed safely by children?
All this security advice is very sensible given the current ICT landscape. But it can also be seen as blaming the victim by the commercial software industry. This is doubly insulting because most security problems, e.g., the mere existence of computer viruses, are the result of the (very) bad coding practices and short-sighted design decisions of commercial software companies. As a result, the entire AV industry catering to end-users is widely mistrusted; its very existence has been seen as a stopgap for irresponsible coding practices.
So it was a pleasant surprise to see the OLPC security model, Bitfrost.
Bitfrost was a design that started with a "the user cannot do wrong" approach to security. It showed how you could actually build a user-friendly computer that gave children full control over their laptop and, at the same time, made the laptop as secure as any security professional's private laptop could ever be. Here is a summary of the principles and goals of the Bitfrost design from the wikipage.
Bitfrost Principles:
- Open design: The laptop's security must not depend upon a secret design implemented in hardware or software
- No lockdown: Though in their default settings, the laptop's security systems may impose various prohibitions on the user's actions, there must exist a way for these security systems to be disabled
- No reading required: Security cannot depend upon the user's ability to read a message from the computer and act in an informed and sensible manner
- Unobtrusive security: Whenever possible, the security on the machines must be behind the scenes, making its presence known only through subtle visual or audio cues, and never getting in the user's way
Bitfrost Goals:
- No user passwords: With users as young as 5 years old, the security of the laptop cannot depend on the user's ability to remember a password.
- No unencrypted authentication: Authentication of laptops or users will not depend upon identifiers that are sent unencrypted over the network
- Out-of-the-box security: The laptop should be both usable and secure out-of-the-box, without the need to download security updates when at all possible
- Limited institutional PKI: The laptop will be supplied with public keys from OLPC and the country or regional authority (e.g. the ministry or department of education), but these keys will not be used to validate the identity of laptop users
- No permanent data loss: Information on the laptop will be replicated to some centralized storage place so that the student can recover it in the event that the laptop is lost, stolen or destroyed.
These are all rather common-sense starting points for any security system. And anyone who has experienced the trials and tribulations of securing an off-the-shelf computer system will immediately ask why this is not implemented in all computer systems sold. This is not the place to go down that road. Suffice it to say that the Bitfrost principles and goals are all feasible with today's technology.
The implementation details might seem rather arcane, but they follow logically from the above lists. The Bitfrost document is a good read for anyone who wants to get a feeling how computer security should be done. Below there are some other links for further reading on this subject.
Further Reading:
- The Next 50 Years of Computer Security: An Interview with Alan Cox
- Aligning Security and Usability
- Reusability of Functionality-Based Application Confinement Policy Abstractions
- Bitfrost: The One Laptop per Child Security Model
- Understanding Android Security
Ivan Krstić must be commended for creating a design that includes most of the state-of-the-art security knowledge but is still feasible on a small device. The security models for Apple's iPod and Google's Android and Chrome OS follow a similar design (Ivan Krstić currently works for Apple), but Bitfrost is even less forgiving to security breaches.
I think that Bitfrost will be one of the lasting legacies of the OLPC, as evidence that you can design a computer platform from the ground up that is both secure out of the box and can be used and managed with ease, even by a child. There is no excuse anymore not to produce usable and secure software stacks.
This post is part of the ongoing series, "What Have We Learned From OLPC?"
http://www.cosic.esat.kuleuven.be/publications/article-1042.pdf
Thanks for the Bitfrost link Irv, but you might also explain what's there (a review of Bitfrost from April 2008) and the ensuing rebuttal found here: http://lwn.net/Articles/277165/
I don't think the few comments (some in favor, some against) amount to a "rebuttal".
In fact, Krstic himself participates and promises to address some of the more serious questions, but I don't know if he actually did it.
It should be noted that this document only criticizes the anti-theft and user identification aspects of BitFrost, not the anti-malware features, which I think are really awesome. The authors seem unhappy that BitFrost is expressly not designed to protect user privacy or anonymity.
But I still think BitFrost makes a ton of sense in an educational environment, and OLPC's goal is naturally to educate children, not hide a machine's identity on the network or ensure communication cannot be traced back to the sending individual. And although default communication policies might not offer anonymity, that doesn't mean the machine is incapable of anonymous communication.
Thanks Irvin, that is a nice paper. On the whole it seems to strengthen my belief in Bitfrost. Did you actually study it, e.g., in comparison to other on-line systems for children?
I have just glanced over the paper and will certainly look at it more closely. This is indeed interesting because it goes beyond the initial aims of Bitfrost.
Recently, there was a security paper on the Android platform. The Google Android implements some of the same design ideas as Bitfrost. The comparison is very informative. In general, both the Android framework and the security analysis of it do support the Bitfrost policies.
"Google Android: A State-of-the-Art Review of Security Mechanisms"
http://arxiv.org/abs/0912.5101
Now some first impressions on the paper "Freezing More Than Bits: Chilling Effects of the OLPC XO Security Model"
First, I agree with the comments on
http://lwn.net/Articles/277165/
The authors clearly have not taken the effort of asking how Bitfrost policies have been, or will be, implemented. For instance, there is a subsection, 2.7, on the ability for children to reflash their firmware for access to the OS. There is a very ominous tone here, but nothing but "we did not bother to ask what is done" substance.
Another point is the threat model:
"In this paper, we have examined several pieces of the Bitfrost security policy, and conclude that it suffers from an inappropriate threat model..."
Sorry, but threat models are always incomplete. And I do not see what security would be left after the "inappropriate" part were to be removed.
The point is that a threat model is based on the premise that you can actually PREDICT all uses and all threats. Who wants to claim that? Anyhow, those working on Bitfrost will be happy to incorporate new threat models.
For more on threat models:
http://alt.pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsThreatModeling.html
"...and an incomplete solution to the threats it outlines."
All security models are trade-offs. If a better trade-off can be made, great. Bitfrost ALLOWS you to make these trade-offs. Unlike certain other OSs.
The article seems to spend a lot of text on problems with children's on-line privacy and data security. I find this rather curious.
Do the authors actually advocate that children's (5-12yo!) activities on the XO must be kept secret from their parents and teachers?
Personally, I am all for more privacy for children. But I do not see the OLPC or DoEducation explaining to teachers and parents that they should not be able to know what the children are doing on-line.
Again, using the underlying ideas of Bitfrost, it is rather easy to see how this could be amended.
I am sure those developing serious security policies for children's computers will learn from this paper (I certainly will). To me, the weak points of Bitfrost found in this study only strengthen my conviction that Bitfrost was done pretty much right from the start.
The point is still that Bitfrost makes protecting the XO against malware a child's work.
Winter
Rainbow ( http://wiki.laptop.org/go/Rainbow ) is the implementation of that spec.
Rainbow is now packaged and available in Debian, Fedora, and Gentoo (I think), so it's just a matter of desktop environments beginning to make use of it.
http://cups.cs.cmu.edu/soups/2007/proceedings/p132_krstic.pdf
Based on this one paper, I am extremely impressed with BitFrost. I mean, it's incredibly rare to see a design that takes security so seriously that it affects how they attach components to the motherboard.
IMO, the most exciting part of BitFrost is the per-application fine-grained permissions, and the way applications are isolated from each other with virtual file systems. This can stop all sorts of malware dead in its tracks. It goes far beyond the standard security of Linux, and comparing Windows XP security to BitFrost would be something like comparing a public street to a maximum-security prison.
I love how BitFrost can do things like restricting apps to 5 MB of disk space and background applications to use 10% of the CPU. Not to mention security that makes remote-installing keyloggers next to impossible, or the little LEDs that make it impossible to eavesdrop on the webcam and microphone without tipping off the user.
As a Windows user I'm pretty jealous. Imagine how zippy we could make our PCs if we could place restrictions like that on our applications. Microsoft's (understandable) obsession with backward compatibility means they could never put security features like these in Windows, but I hope someday the Linux community will work together to make these kinds of features standard.
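As an added illustration (this is not code from OLPC, Rainbow, or this post), here is a small Python launcher that approximates two of the ideas in the comment above: each "activity" runs as a separate process in its own private scratch directory, and the 5 MB disk figure is enforced with a POSIX resource limit so that an over-quota write is refused by the kernel. The names `run_confined`, `activity_script` and `_apply_limits` are mine. Two caveats a practitioner should keep in mind: `RLIMIT_FSIZE` caps the size of each file the child writes, not its total disk usage (a real per-application quota needs filesystem quotas or a dedicated mount), and a CPU share like the 10% figure is not expressible with rlimits at all; `RLIMIT_CPU` is a seconds budget, and a share needs cgroups.

```python
# Added illustration, not OLPC/Rainbow code. Assumes a POSIX host (Linux/macOS)
# with CPython available to run the child "activity".
import os
import resource
import shutil
import subprocess
import sys
import tempfile

DISK_QUOTA_BYTES = 5 * 1024 * 1024  # the 5 MB figure quoted in the comment above


def _apply_limits(quota_bytes):
    """Runs in the child between fork() and exec(): no single file it writes may
    grow past quota_bytes. A write at or beyond the cap fails with EFBIG
    (CPython ignores SIGXFSZ, so the child sees an OSError instead of dying)."""
    resource.setrlimit(resource.RLIMIT_FSIZE, (quota_bytes, quota_bytes))


def run_confined(script, quota_bytes=DISK_QUOTA_BYTES):
    """Run `script` (Python source text) as a separate process in a fresh,
    private working directory under the disk quota. Returns the exit status,
    the largest file the child managed to create, and its stderr."""
    workdir = tempfile.mkdtemp(prefix="activity-")
    try:
        proc = subprocess.run(
            [sys.executable, "-c", script],
            cwd=workdir,
            preexec_fn=lambda: _apply_limits(quota_bytes),
            capture_output=True,
            text=True,
        )
        sizes = [os.path.getsize(os.path.join(workdir, name))
                 for name in os.listdir(workdir)]
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return {
        "returncode": proc.returncode,
        "largest_file": max(sizes, default=0),
        "stderr": proc.stderr,
    }


def activity_script(megabytes):
    """Constructed sample activity: append `megabytes` MB to one file, 1 MB per
    write(2) call, so the exact point where the quota bites is visible."""
    return (
        "import os\n"
        "fd = os.open('output.bin', os.O_WRONLY | os.O_CREAT, 0o600)\n"
        "for _ in range(%d):\n"
        "    os.write(fd, b'x' * (1024 * 1024))\n"
        "os.close(fd)\n" % megabytes
    )


def demo():
    """A well-behaved activity (1 MB) and a greedy one (6 MB) under a 5 MB cap."""
    return run_confined(activity_script(1)), run_confined(activity_script(6))


if __name__ == "__main__":
    ok, greedy = demo()
    print("well-behaved: exit", ok["returncode"], "wrote", ok["largest_file"], "bytes")
    print("greedy:       exit", greedy["returncode"], "wrote", greedy["largest_file"], "bytes")
    print("greedy stderr:", greedy["stderr"].strip().splitlines()[-1])
```

The greedy activity gets exactly 5 MB onto disk, then its sixth write is refused and the process exits non-zero with "File too large"; nothing the child does can raise the limit, because a process may only lower its own hard rlimit. The same pattern (set limits in `preexec_fn`, run in a private directory) extends to `RLIMIT_NOFILE` or `RLIMIT_NPROC` for other per-activity caps.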
"Imagine how zippy we could make our PCs if we could place restrictions like that on our applications. Microsoft's (understandable) obsession with backward compatibility means they could never put security features like these in Windows"
While Microsoft never will, there is a commercial 3rd party application that provides something approaching the Bitfrost model, WinJail (http://www.winquota.com/wj/index.html). While I've never used it (and probably never will), it certainly sounds like it could be useful for running repeatedly vulnerable programs that are likely to be exploited, e.g. Adobe Reader or Internet Explorer.
Personally, I think giving a kid such an open laptop and then saying, “oh, and by the way, everything you do can be traced” is pretty stifling, almost cruel. Teaches a bit of a wrong lesson, in my opinion.
Note that to give real on-line anonymity to children, their computers would have to connect to the Tor network. This is something neither the OLPC nor Bitfrost can manage. And I can understand that the OLPC does not feel it should set up their own anonymous router network.
Now your comment:
@bali:
"Personally, I think giving a kid such an open laptop and then saying, “oh, and by the way, everything you do can be traced” is pretty stifling, almost cruel. Teaches a bit of a wrong lesson, in my opinion."
First, it gives and does not take. The children get new possibilities they did not yet have. Nothing is taken away (personal diaries etc).
Second, I do not know whether you have children, but all parents I know want to be able to ensure the safety (in all senses) of their children.
The flip side of anonymity are peer-mobbing, stalking, and anonymous threats. If you offer children anonymity, you also have to think about protecting them.
Third, you will not be able to sell an educational information system to primary school children that allows perfect anonymity to children. The Departments of Education in most countries will require to be able to survey what is done with and on their systems.
And then we did not even talk about governments that actively fight their own subjects.
Winter
I'm with Winter 100%. Great points. It offers CYA with protections against malware.
So now I have my very own green-and-white ultra-cute laptop. I’ve upgraded it to the latest release and started to learn to use Sugar and the installed applications. Maybe someday I’ll punt Sugar and just use it as a Linux machine, but for now I want to try it out. The most important thing, as I knew it would be, is learning to touch-type on the little keyboard. But I can hunt-and-peck, more easily than I could on something like a Blackberry, so I can’t complain.