The OLPC’s security mechanism is called Bitfrost and was designed by Ival Krstic. It is novel in two ways. First, the set of threats it is concerned with are tailored to the unusual mission of the OLPC. Second, the fundamental philosophy and mechanisms are different from what most of us are used to. Ivan gave a talk this week at ITA Software’s Technical Seminar series, explaining Bitfrost. You can read his paper about it here.
A paper castigating Bitfrost, called “Freezing More Than Bits: Chilling Effects of the OLPC XO Security Model”, was recently written by Meredith Patterson (U. Iowa) and Len Sassaman and David Chaum (both of KULeuven in Belgium).
I could not find Patterson at U. Iowa’s web site or anywhere else, but she turns out to be Sassaman’s wife. Len Sassaman is a grad student, “cypherpunk”, and privacy advocate. He was the security architect for Anonymizer and wrote the Mixmaster anonymous remailer. David Chaum is well-known as the inventor of cryto protocols for anonymous electronic cash, and currently heads the Punchscan project, an end-to-end auditable voting interface.
As you will see, their paper has a lot to say about anonymity and voting. At first, you might not think of these as topic germane to the OLPC, but the authors feel otherwise. This is their primary area of interest, and so they have brought to bear their own agenda on OLPC. You can decide the extent to which that’s appropriate.
Here are the points they seem to be making, as far as I understand, with my comments and replies in square brackets.
Bitfrost isn’t finished, but some OLPCs are in the field anyway. [True.]
Eventually, it will be necessary to have a finalized and detailed specification for Bifrost that can be audited and tested. [Sure.]
Bitfrost has not been submitted to a recognized standards body. [First, so what? Second, it's clearly far too early to do that. The right time to standardize is after there has been a great deal of experience.]
The prototypes that they saw did not have the LED’s that show that the camera and microphone are on. [Current OLPC's do have this, but they didn't know whether it would happen or not.]
The stored digital identity includes the child’s name and photograph, so that you can authenticate whether a given person matches the digital identity. They “question the need for such invasive measures.” [But they don't go into more detail about what particular problem they are concerned with.]
“The data recovery process should be decoupled from the identity and authentication component.” [I was not able to follow their reasoning about why this is important.]
A sophisticated attacker could set up a bogus backup service if they can gain access to the key store. How would they do that? The paper cites “black-bag cryptanalysis” and “aluminum-briefcase cryptanalysis”. The former means burglary (the use of the word “cryptanalysis” is sardonic/ironic). The latter is a term that the authors made up themselves (one of them boasts of this in a blog entry) but apparently also means burglary. [Well, you have to pick and choose what attacks you want to prevent against. What if someone goes to the real server and puts a gun to the head of the operator? You just can't protect against every conceivable possibility.]
P_IDENT says that all communications such as email and instant messaging are cryptographically signed. It’s not explained exactly how this works, so they speculate. They assert that signing implies non-repudiability of all signed messages [note: non-repudiation means that the receiver can prove that the sender really sent this message, and the sender can't deny it unless he claims that his own key has been compromised]. “Ergo, it is impossible for XO users to use any form of anonymous communication with confidence.” They’re saying that the signing is bad because you can’t turn it off, or you have to know to turn it off. So anyone who intercepts your messages knows who you are, so speaking out against your government or whistleblowing against a corporation could backfire on you. It’s also not good for doing secret ballots. [I guess this is all true, but if I sent an email right now, I would hardly depend on it to be untraceable to me, even without a digital signature. Perhaps anonymity should be added to the goals for Bitfrost, if they intend for it to be used in those ways. But it's really for childhood education, not voting. It's a lot of work to add on every requirement in the world and try to do them all. If we were designing a voting machine, security goals would be different. There may be very good reasons that anonymity was not added as a goal, too; I'd like to hear from OLPC about this.
Because of the digital signing, a child's Internet access can be "cut off at the source", which would be traumatic. [Oh, come on!]
The point about “Imagined Communities”. [I don't know what they're talking about; evidently I'd have to read one of the citations.]
Most important, they do not provide any suggestions about what they’d do to mitigate what they consider to be problems. In my opinion, a criticism carries much less weight without specific counterproposals, since then you can evaluate the drawbacks and tradeoffs required by those counterproposals.
Now that Ivan Krstic has left OLPC, it is not clear to what extent Bitfrost’s implementation will be finished and polished. I heard one rumor on the net that OLPC plans to replace it with something else, but I have no idea whether that’s actually true. There are a lot of rumors going around about OLPC, and I’ll wait for positive confirmation before repeating any more of them.
Personal news, speaking of OLPC: Federal Express lost the OLPC that was originally sent to me (or it was stolen). It was basically impossible to get my money back from FedEx, since they required some paperwork from the shipper (Brightstar), who never answered my calls. I complained to OLPC, but for a while nothing happened. Meanwhile someone at ITA had bought one for his kid, who didn’t like it, so he sold his to me. Then, OLPC decided to simply send me another one! Good for them! I’m selling the second one to a friend.
So now I have my very own green-and-white ultra-cute laptop. I’ve upgraded it to the latest release and started to learn to use Sugar and the installed applications. Maybe someday I’ll punt Sugar and just use it as a Linux machine, but for now I want to try it out. The most important thing, as I knew it would be, is learning to touch-type on the little keyboard. But I can hunt-and-peck, more easily than I could on something like a Blackberry, so I can’t complain. I’m going to the European Common Lisp Meeting in Amsterdam next week, and I’ll bring it along and play with it more.