Archive for the ‘One Laptop Per Child’ Category

The OLPC’s Bitfrost security mechanism: my replies to criticism thereof

Saturday, April 12th, 2008

The OLPC’s security mechanism is called Bitfrost and was designed by Ivan Krstic. It is novel in two ways. First, the set of threats it is concerned with is tailored to the unusual mission of the OLPC. Second, the fundamental philosophy and mechanisms are different from what most of us are used to. Ivan gave a talk this week at ITA Software’s Technical Seminar series, explaining Bitfrost. You can read his paper about it here.

A paper castigating Bitfrost, called “Freezing More Than Bits: Chilling Effects of the OLPC XO Security Model”, was recently written by Meredith Patterson (U. Iowa) and Len Sassaman and David Chaum (both of KULeuven in Belgium).

I could not find Patterson at U. Iowa’s web site or anywhere else, but she turns out to be Sassaman’s wife. Len Sassaman is a grad student, “cypherpunk”, and privacy advocate. He was the security architect for Anonymizer and wrote the Mixmaster anonymous remailer. David Chaum is well-known as the inventor of crypto protocols for anonymous electronic cash, and currently heads the Punchscan project, an end-to-end auditable voting interface.

As you will see, their paper has a lot to say about anonymity and voting. At first, you might not think of these as topics germane to the OLPC, but the authors feel otherwise. This is their primary area of interest, and so they have brought to bear their own agenda on OLPC. You can decide the extent to which that’s appropriate.

Here are the points they seem to be making, as far as I understand, with my comments and replies in square brackets.

Bitfrost isn’t finished, but some OLPCs are in the field anyway. [True.]

Eventually, it will be necessary to have a finalized and detailed specification for Bitfrost that can be audited and tested. [Sure.]

Bitfrost has not been submitted to a recognized standards body. [First, so what? Second, it's clearly far too early to do that. The right time to standardize is after there has been a great deal of experience.]

The prototypes that they saw did not have the LEDs that show that the camera and microphone are on. [Current OLPCs do have this, but they didn't know whether it would happen or not.]

The stored digital identity includes the child’s name and photograph, so that you can authenticate whether a given person matches the digital identity. They “question the need for such invasive measures.” [But they don't go into more detail about what particular problem they are concerned with.]

“The data recovery process should be decoupled from the identity and authentication component.” [I was not able to follow their reasoning about why this is important.]

A sophisticated attacker could set up a bogus backup service if they can gain access to the key store. How would they do that? The paper cites “black-bag cryptanalysis” and “aluminum-briefcase cryptanalysis”. The former means burglary (the use of the word “cryptanalysis” is sardonic/ironic). The latter is a term that the authors made up themselves (one of them boasts of this in a blog entry) but apparently also means burglary. [Well, you have to pick and choose what attacks you want to protect against. What if someone goes to the real server and puts a gun to the head of the operator? You just can't protect against every conceivable possibility.]

P_IDENT says that all communications such as email and instant messaging are cryptographically signed. It’s not explained exactly how this works, so they speculate. They assert that signing implies non-repudiability of all signed messages [note: non-repudiation means that the receiver can prove that the sender really sent this message, and the sender can't deny it unless he claims that his own key has been compromised]. “Ergo, it is impossible for XO users to use any form of anonymous communication with confidence.” They’re saying that the signing is bad because you can’t turn it off, or you have to know to turn it off. So anyone who intercepts your messages knows who you are, so speaking out against your government or whistleblowing against a corporation could backfire on you. It’s also not good for doing secret ballots. [I guess this is all true, but if I sent an email right now, I would hardly depend on it to be untraceable to me, even without a digital signature. Perhaps anonymity should be added to the goals for Bitfrost, if they intend for it to be used in those ways. But it's really for childhood education, not voting. It's a lot of work to add on every requirement in the world and try to do them all. If we were designing a voting machine, security goals would be different. There may be very good reasons that anonymity was not added as a goal, too; I'd like to hear from OLPC about this.]

Because of the digital signing, a child's Internet access can be "cut off at the source", which would be traumatic. [Oh, come on!]

The point about “Imagined Communities”. [I don't know what they're talking about; evidently I'd have to read one of the citations.]

Most important, they do not provide any suggestions about what they’d do to mitigate what they consider to be problems. In my opinion, a criticism carries much less weight without specific counterproposals, since then you can evaluate the drawbacks and tradeoffs required by those counterproposals.

Now that Ivan Krstic has left OLPC, it is not clear to what extent Bitfrost’s implementation will be finished and polished. I heard one rumor on the net that OLPC plans to replace it with something else, but I have no idea whether that’s actually true. There are a lot of rumors going around about OLPC, and I’ll wait for positive confirmation before repeating any more of them.

Personal news, speaking of OLPC: Federal Express lost the OLPC that was originally sent to me (or it was stolen). It was basically impossible to get my money back from FedEx, since they required some paperwork from the shipper (Brightstar), who never answered my calls. I complained to OLPC, but for a while nothing happened. Meanwhile someone at ITA had bought one for his kid, who didn’t like it, so he sold his to me. Then, OLPC decided to simply send me another one! Good for them! I’m selling the second one to a friend.

So now I have my very own green-and-white ultra-cute laptop. I’ve upgraded it to the latest release and started to learn to use Sugar and the installed applications. Maybe someday I’ll punt Sugar and just use it as a Linux machine, but for now I want to try it out. The most important thing, as I knew it would be, is learning to touch-type on the little keyboard. But I can hunt-and-peck, more easily than I could on something like a Blackberry, so I can’t complain. I’m going to the European Common Lisp Meeting in Amsterdam next week, and I’ll bring it along and play with it more.

More about One Laptop Per Child and its XO Laptop

Saturday, December 15th, 2007

Dave Moon pointed me to this article, in which a BBC reporter brings an XO home from Nigeria and gives it to his nine-year-old son to try out. There’s also a 3:34 min video of the boy playing with the XO.

http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/1/hi/technology/7140443.stm

More stuff:

http://www.technorati.com/tag/One+Laptop+Per+Child

The rest of this blog posting consists of some more fun facts about the XO/OLPC, from an interview with Mary Lou Jepsen (the CTO) in ACM Queue Nov/Dec 2007 (very slightly edited by me):

Generators make really weird power. Sometimes the frequency is as low as 35 Hz, and the OLPC’s AC adapter has to do “really interesting” power conditioning. The laptop itself can take between negative 32 volts and 40 volts, and works well with anything from 11 to 18 volts. You can plug a car battery into it, or a solar cell, or a bicycle or wind powered generator. India has this cow-dung system that creates methane that drives a generator. Even that will work.

We run the mesh network at extremely low power: 400 milliwatts, compared with my ThinkPad laptop, which uses approximately 10 watts just to run Wi-Fi.

We had to fix a couple of bugs with the chipsets to make sure that they can talk to the flash memory, which operates at very high speed. We had to do wear leveling on the flash. Luckily we’ve got David Woodhouse, who wrote JFFS2 (Journaling Flash File System, Version 2), on the project.

We put memory directly into the display itself. That means the screen can stay on while the rest of the motherboard or the chipset is off. The way to get to low power — the big secret — is to turn off stuff that you’re not using. But nobody has ever made a laptop with a screen that self-refreshes.

We also put a tiny ARM core into our Wi-Fi chip. We used the Marvell chip because it’s the only Wi-Fi chip with a tiny ARM core in it, which means the Wi-Fi can also stay up and running while the CPU is off. [This is important because the machine is part of a mesh network. -- DLW]

We put the motherboard behind the screen so the kid can use the XO machine on his or her lap and it won’t get too hot like a normal laptop. These are the first truly laptop-use computers made in the last decade.

In Libya, it gets up to 57 degrees C [134 degrees F -- DLW] in the desert. But the safe (read: don’t explode) NiMH (nickel-metal hydride) batteries won’t recharge above 45 degrees C. That’s a real problem because many spots in Libya are off the grid. But the lithium ferro-phosphate batteries charge in heat up to 60 degrees C. The machine can handle many different battery chemistries, which was a real pain. We did that in the embedded controller.

Our battery has a five-year life. You can go to 2,000 charge/recharge cycles. The lithium ion battery in my ThinkPad is supposed to go for 500 charges, but in practice it’s more like 200. So, moving to lithium-ferro-phosphate is really cool because you don’t have to spend additional money on periodic battery replacement costs, regardless of the environment.

We do 15 times better than Energy Star compliance. Where a typical laptop has maybe a one-, two-, or three-year maximum lifetime in office workplaces, ours is double that at five years — and we do this in extreme environments to boot. Our machines are half the size and weight of a typical laptop, and our laptops are repairable by children and by locals. You can change out plastic parts quite easily, including the screens. Five-year-olds can change the screen on our laptops because it’s actually that easy.

Update on One Laptop Per Child and its XO laptop

Friday, December 7th, 2007

The first-ever real, non-pilot deployment site of OLPC XO laptops just happened in Uruguay. They sent Ivan Krstic, the security architect of the project, partially so that he could make sure that the security arrangements would be done properly and really work (to avoid theft, mainly). Read about some of the story and some technical details here.

For more news, posted frequently, look here and here.

There is an interesting “Sixty Minutes” segment here.

Another good site here.

For the amazing adventures of famous Lisp hacker Luke Gorrie, living in Kathmandu, writing all kinds of code using the FORTH interpreter in the XO’s firmware, look here and here.

Luke says: Forth on the XO is in the firmware instead of a BIOS. Its most basic task is to initialize the hardware and boot Linux, but it can do other things too: open a REPL, run hardware diagnostics (e.g. copy camera data into the frame buffer), join a wireless network and make HTTP requests, mount file systems and copy files, etc. A great little self-documenting extensible operating system in 500KB or so of object code :-) you should check out these links when you get your XO: here and here.

Why does this remind me of the FEP (front-end processor) in the Symbolics 3600, which could boot over the net, operate a hierarchical file system, and otherwise act like a dancing bear?

For Ivan Krstic’s fascinating talk at Google, which is what got me so excited about the XO, look here.

For a nice XO technical overview, see M. Tim Jones’s paper, here.

To learn about the nonprofit “powerful ideas education” Viewpoints Research Institute, run by Alan Kay, look here.

For Bill Clementson’s blog entry entitled “Why you should buy an OLPC XO Laptop”, look here.

The “Give One Get One” offer has been extended to the end of the year, so you can still buy one of your very own, or just donate to the project. Look here.

For PC Magazine’s review of the XO. This is before the war with Intel ended, so that little section at the end is obsolete. I think it has more than 6 to 12 months to get traction; people are so impatient! The note “sluggish flash performance” should not be taken too seriously; they were reviewing a beta version on which a lot of performance improvement work has since been done, and more is coming. Look here, and for wonderful Internet video, look here.

My friend Olin Sibert says: That’s the thing that makes me most dubious about the project: it’s revolutionary in so many areas, so they’re trusting an awful lot of things to work (and integrate) reliably without having much experience.

I ran this by Ivan Krstic, and he agrees completely. And adds “But there’s only one way to find out if it’ll work.” I applaud their bravery. It’s all quite a daunting undertaking.

In case you didn’t read all the comments to my last blog entry about the XO, here are some interesting points:

OLPC has given serious thought to the theft problem. One point they make is that if an adult has one, it’ll be pretty clear that it was stolen; but I don’t know whether or not that would be a strong deterrent in some of the cultures of the world. The main theft-prevention feature is that the user must get a wireless crypto-token periodically from the school server. The tokens are transmitted every day and expire after a month. No token, and the laptop stops working. In situations without appropriate networking, the tokens can come in via the USB ports. I presume that the XOs distributed here from Give One Get One won’t have this enabled. Look here.
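The token scheme described above, sketched as an added example that is not OLPC's code: the school server issues a lease bound to one laptop and valid for a month, and the laptop runs only while it holds a lease that verifies. The token layout, the 30-day lifetime, the function names and the use of an HMAC with a shared key (standing in for whatever signature scheme the real system uses, so the example needs only the standard library) are all assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta

LEASE_LIFETIME = timedelta(days=30)  # "expire after a month"; 30 days is an assumption


def _tag(key: bytes, body: bytes) -> bytes:
    # Authentication tag over the lease body (HMAC stand-in for a signature).
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")


def issue_lease(key: bytes, serial: str, now: datetime) -> bytes:
    """School-server side: a fresh lease for one laptop, reissued daily."""
    expires = int((now + LEASE_LIFETIME).timestamp())
    body = json.dumps({"serial": serial, "expires": expires},
                      sort_keys=True).encode("utf-8")
    return body + b"." + _tag(key, body)


def check_lease(key: bytes, serial: str, token: bytes, now: datetime) -> str:
    """Laptop side: return 'ok' or the reason the lease is rejected."""
    body, sep, tag = token.rpartition(b".")
    # Authenticate first, in constant time, before parsing anything.
    if not sep or not hmac.compare_digest(_tag(key, body), tag):
        return "bad-signature"
    try:
        claims = json.loads(body)
        lease_serial, expires = claims["serial"], int(claims["expires"])
    except (ValueError, KeyError, TypeError):
        return "malformed"
    if lease_serial != serial:   # a lease copied from another laptop
        return "wrong-laptop"
    # 'now' is the laptop's own clock, so a real design must also
    # resist the clock being set back.
    if now.timestamp() >= expires:
        return "expired"
    return "ok"


def laptop_may_run(key: bytes, serial: str, tokens, now: datetime) -> bool:
    """Fail closed: run only if some delivered lease (wireless or USB) is valid."""
    return any(check_lease(key, serial, t, now) == "ok" for t in tokens)
```

Because a lease is reissued every day but lasts a month, a laptop that misses the school server for a few weeks keeps working, while one that never returns stops once its last lease runs out.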

I hope it’ll be easy to get a Scheme and a Common Lisp running. After all, it’s just another Linux/x86 port. Most Common Lisp implementations already run on Linux/x86 (I don’t know the story with Scheme but presumably it’s similar). I wonder how easy/hard it would be to bring up a good Scheme learning environment like DrScheme. You need the X Window System but apparently it already has that. The issue may mostly be whether there is enough demand for the various Common Lisp implementors to direct their effort this way; those folks all have a lot of priorities.

Regarding the price of the XO: Jim Gettys says in his blog that they have always said “$100 in late 2008-2009, which seems to get lost in the press”. So that’s in line with the point I made in my earlier comment: the price will come down, as prices always do.

There is a review of the XO written by SG, a twelve-year-old who writes as well as anyone I’ve ever read (which is astonishing). The comments on the posting are also interesting. It is mainly about the improvements in the Beta 4 XO as compared to the Beta 2 XO, so it gives you some idea of how things have been changing. Look here.

For SG’s earlier review of the Beta 2, scroll down here.

My old friend Brian Silverman, whom I have not seen in years, has co-authored a paper that helps explain the kind of educational philosophy behind the OLPC project, although it is not specifically about OLPC. Look here.

There is something called Squeak eToys, described as follows: Based on LOGO, Parc’s Smalltalk, Hypercard, and starLOGO. It is a media-rich authoring environment with a simple, powerful scripted object model for many kinds of objects created by end-users that runs on many platforms, and it is free and open source. It includes 2D and 3D graphics, images, text, particles, presentations, web-pages, videos, sound and MIDI, etc. It includes the ability to share desktops with other Etoy users in real-time, so many forms of immersive mentoring and play can be done over the Internet. It is multilingual, runs on more than 20 platforms bit-identically, and has been successfully used in the USA, Europe, South America (Brazil, Colombia, Argentina), Asia (Japan, Korea, India, Nepal), and elsewhere.

There’s a general description of it here.

And there’s a paper from Viewpoints Research Institute, written by Alan Kay, here.

I had originally been under the impression that the OLPC would contain a complete Squeak, which is a modern (but not very fast) implementation of Smalltalk-80, but Henry Lieberman of the Media Lab says that it won’t. I think eToys is written in it. I wrote about it in one of the long comments on my previous blog entry about the XO. Look here.

I have lots of friends who have been pursuing Seymour Papert’s and Alan Kay’s ideas about education for decades. (See, e.g., Seymour’s “Mindstorms: Children, Computers, and Powerful Ideas”, especially the powerful ideas.) There have been many successful projects based on these ideas, such as the Lego Mindstorms Kit, but they have not quite yet taken the world by storm (so to speak). I’m very much hoping that the OLPC project will do that. I don’t know if Seymour and Alan are right, but it would be so great if they are.

XO: The Next Lisp Machine?

Tuesday, November 20th, 2007

I have ordered a Quanta XO-1 (One Laptop Per Child) on the Give One, Get One deal, where you pay $400 plus shipping and you get an XO and donate one to the project ($200 tax deduction). This is just so cool that I have to have one. And I need a lightweight box that can do email and browsing that I can carry around easily. There are other good options but the XO is so novel and interesting! It’s just 3+ lb and runs on 2-3 watts with an amazing lithium ferro-phosphate battery, and physically extremely durable, waterproof, and dirtproof, and a great (but small, 7.5 inch) screen. No disk nor CD/DVD, but you can add them externally. And if the OLPC project is a big success, this may be the platform of the next generation of hackers. They are aiming to bring the price down to $100.

http://wiki.laptop.org/go/Hardware_specification

After watching a talk given at Google by Ivan Krstic, I got more and more excited hearing about the hardware and the software. A lot (14, apparently) of hackers, at least some of whom are famous superhackers (e.g. Jim Gettys), were involved in putting together the software. They have thought of and taken care of a huge number of issues. Perhaps I’ll end up contributing open source code to the project someday, although at the moment I’m too busy for that to be feasible.

The Give One Get One deal is only available for another 7 days. It may be hard to get them after that since they are going to be sold only to schools and other educational institutions and governments and in the third world. So if you want one, don’t hesitate:

http://www.laptopgiving.org/en/index.php www.xogiving.org

The only thing I’m worried about is that David Pogue in the New York Times says that the XO’s keyboard is too small for an adult to touchtype on. I asked around, and Luke Gorrie (of SLIME fame) says that it’s frustrating at first but then he learned to touchtype on it at high speed. (I was going to walk over to the Media Lab and try one but I have no time in the next seven days and I’m just too convinced now.) And so many people seem to get along fine on much smaller keyboards, such as those on the Blackberry or smart phones (not touchtyping, obviously, but good enough for email when I’m on the road). So I’ll chance it. Other drawbacks: 2 minutes to boot (hey, Lisp machines booted slowly), and switching between apps is “poky”. (But the apps are fast.)

In a previous post, I mentioned capability architectures. The XO’s “Bitfrost” is not a capability system, but it does deal with the issue of mutually-suspicious protection domains. Given how many XO-1s there will be, if the project succeeds, it will be an obvious target for malware, and I think Bitfrost will be a big help there. Bitfrost works by dividing up protection domains at a coarse level, whereas I’m more interested in very-fine-level schemes. See:

http://en.wikipedia.org/wiki/Bitfrost

Great technical info in the video of the talk at Google by Ivan Krstic, who is the architect of Bitfrost but talks about all aspects of the system:

General info:

http://en.wikipedia.org/wiki/OLPC_XO-1

Main web site, but it seems to be down at the moment:

laptop.org

David Pogue’s review in The New York Times, both written and video. Pogue does lots of product reviews and I have a lot of confidence in his evaluations (and I love his books).

http://www.nytimes.com/2007/10/04/technology/circuits/04pogue.html?_r=1&oref=slogin

http://video.on.nytimes.com/?fr_story=6ffd976ed367bacae4171dd4999d36431c84b0f5

There’s plenty more if you Google for “OLPC”.

The XO does everything in Python. You can see all the code, with a single keystroke (that shows the code of what’s running) and even modify the code. In the video, the speaker (Ivan Krstic) is asked “Why not just use Lisp or Smalltalk?”, and the questioner cites Lisp machines! See, our influence is still there! He replies that doing everything in Python “comes close to the general Lisp machine idea” (of course he, too, knows what a Lisp machine is!). Answer: he protests that it’s a lot like a Lisp machine except that the language doesn’t go all the way down to the metal (it’s based on Linux). They are also shipping Squeak (a modern Smalltalk). They used Python because of the “size and momentum” of the community, and because he feels that Lisp has a steeper learning curve than Python does for kids. I won’t object to those reasons.

Hey, Python, Lisp, what’s the difference? :) So, strange as it is to say, maybe this is the new Lisp machine!