November 30th, 2007

Bug

Please read the spec and the discussion first, thanks. Was: Re: [OLPC Security] A mom's worries

Hi,

Please read the spec, the wiki discussion page, and the previous posts to this list before trying to discuss perceived flaws in the system that is being built. http://wiki.laptop.org/go/BitFrost , http://wiki.laptop.org/go/Talk:Bitfrost , and http://lists.laptop.org/pipermail/security/, respectively.

Discussions of weaknesses in standard Linux or UNIX systems are not necessarily applicable to the OLPC Bitfrost platform. Also, the spec is not fully implemented in the software, but the spec makes pretty clear what features are intended.

An example:

But any infected activity gets access to system resources in the same way as the "host" user. Last time I checked, rainbow/service.py didn't do anything special to try and really hunt-down any background processes created by an activity, so to say that the spam-bot (or any other unintended malware-type-thing) dies when the activity gets cleaned up is horribly misleading.


Since, as you acknowledge earlier, each Activity is started in its own UID, then it is trivial to make sure that all processes started by that user and all of their children die when the Activity is terminated, eg `slay 1003`. So, pointing out that 'weakness' is not particularly helpful, but submitting a patch that adds that command to activity tear-down might be.

Similarly, discussion of spamming is hopefully mitigated by the default network rate limiting and cpu usage limiting of the platform. If you see weaknesses in this plan that are not already discussed, please share. Or submit patches :)

Thanks,
Adric Net

Yes, again. *sigh*
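What a uid-based teardown like the `slay 1003` mentioned in the mail actually has to do, as an added example: this is not Rainbow code, not from the original post, and does not claim to match how Rainbow's own cleanup is or was written. It assumes a Linux /proc, that the activity's processes keep the real uid they were started with (an unprivileged process cannot change it, but a setuid helper could), and that the caller is either that uid or has permission to signal it. The point it illustrates is the one the quoted objection raises: a backgrounded, double-forked child has no parent link back to the activity any more, so walking the process tree misses it, but walking /proc by uid does not.

```python
"""Kill every process owned by one uid, the way a sandbox that runs each
activity as its own uid could do at activity exit.

Added example for this post; it is not OLPC/Rainbow code.  Linux only
(it reads /proc directly).  Killing another uid's processes needs root
or CAP_KILL; killing your own uid's needs nothing special.
"""
import os
import signal
import subprocess
import time


def parse_status(status_text):
    """Parse the 'Uid:' and 'State:' lines of a /proc/<pid>/status blob.
    Uid has four fields (real, effective, saved, filesystem); we key on
    the real uid, which an unprivileged process cannot change.  Returns
    (uid, state_letter), with None for anything not found."""
    uid = state = None
    for line in status_text.splitlines():
        if line.startswith(b"Uid:"):
            uid = int(line.split()[1])
        elif line.startswith(b"State:"):
            state = line.split()[1].decode()
    return uid, state


def uid_processes(uid, exclude=frozenset(), proc_root="/proc"):
    """Live (non-zombie) pids whose real uid is `uid`, minus `exclude`.
    Zombies are skipped: they can neither run nor fork, and only their
    parent reaping them makes them disappear."""
    pids = set()
    for entry in os.listdir(proc_root):
        if not entry.isdigit() or int(entry) in exclude:
            continue
        try:
            with open(f"{proc_root}/{entry}/status", "rb") as fh:
                pid_uid, state = parse_status(fh.read())
        except OSError:  # raced with process exit, or not readable
            continue
        if pid_uid == uid and state != "Z":
            pids.add(int(entry))
    return pids


def signal_pids(pids, sig):
    """Send `sig` to each pid; processes that already exited are ignored.
    Returns how many signals were actually delivered."""
    delivered = 0
    for pid in pids:
        try:
            os.kill(pid, sig)
            delivered += 1
        except ProcessLookupError:
            pass
    return delivered


def slay_uid(uid, exclude=frozenset(), rounds=20, pause=0.05):
    """Kill every process owned by `uid`, including daemonised children
    that have reparented away from the activity.  Never signals the
    caller itself.  Returns the number of distinct pids signalled.

    Freezing with SIGSTOP before SIGKILL matters: a process that keeps
    forking (a fork bomb, or a daemon that respawns workers) could
    otherwise create children faster than one enumerate-and-kill pass
    removes them.  Stopped processes cannot fork, so after a STOP sweep
    the population is bounded and the KILL sweep drains it; the loop
    catches anything that forked between enumeration and STOP."""
    exclude = frozenset(exclude) | {os.getpid()}
    killed = set()
    for _ in range(rounds):
        live = uid_processes(uid, exclude)
        if not live:
            break
        signal_pids(live, signal.SIGSTOP)
        signal_pids(live, signal.SIGKILL)
        killed |= live
        time.sleep(pause)
    return len(killed)


def demo():
    """Constructed scenario: a shell double-forks a `sleep`, then exits,
    so the sleep has no parent link to us (the kind of background process
    the quoted objection is about).  Show it is found by uid and killed.
    The redirects stop the orphan from holding our stdout pipe open."""
    me = os.getuid()
    out = subprocess.run(
        ["sh", "-c", "sleep 60 >/dev/null 2>&1 & echo $!"],
        capture_output=True, check=True)
    orphan = int(out.stdout.split()[0])
    seen_before = orphan in uid_processes(me)
    # Spare everything of ours that is not the orphan, so the demo is safe
    # to run from an interactive session or a test runner.
    others = uid_processes(me) - {orphan}
    killed = slay_uid(me, exclude=others)
    return {"orphan_seen": seen_before, "killed": killed,
            "orphan_gone": orphan not in uid_processes(me)}


if __name__ == "__main__":
    print(demo())
```

Two caveats a real teardown needs on top of this: the uid must not be handed to a new activity until the sweep has finished (otherwise the new activity's processes are killed, or the old ones survive under a uid the sweep no longer owns), and anything the activity started through a setuid helper is outside the sweep because its real uid is no longer the activity's.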

  • Current Music
    Dethklok
  • Tags
    Books

Rainbow interactions with Activity processes, rate limiting specs

Hi,

Thanks for correcting me and some clarification, and many thanks for bringing us back on topic. :)
And the rest is inline...


On Nov 30, 2007, at 1:24 AM, Michael Stone wrote:

Specifically, it's fairly clear from the needs of software like Browse
and Etoys that 'activity instances' are not in one-to-one correspondence
with processes or even process-groups. This means that you may not know
which uid to kill off in order to close a given activity instance and
that one uid may be hosting several unrelated activities.


Hmm, I'm not entirely sure I follow you here... If you could sketch out an
activity instance, please, so that I (we) see the bigger picture than the processes?
Or is there wiki on that already that I missed?


All of these kinds of communication create unknown levels of risk of
cross-instance contamination. The ones involving the datastore may
persist across reboots. Finally, each suggests the possibility of
running privilege-escalation attacks against system and session
components that I am hard-pressed to mitigate on any reasonable
timeframe.


Okay, now that I understand. And we have a lot of executable code/content
that we want them to share cross-Activity and even across the mesh. This is
going to be a vector.


To come to Marcus' defense here, he's one of the people who has
contributed most directly to implementing Bitfrost by code review, patch
submission, and regular testing to ensure that the code continues to run
under emulation.


Awesome!

Depends on whether you're able to specify workable limits and on the
rate at which exploits are developed for the activities that are endowed
with network access. (or for the underlying system as a whole).


And this is something still under development and scrutiny. We (I) should probably start testing this (on closed networks, at first) to see how bad things are in the current builds. I know that this stuff has limited implementation so far, eg /etc/rainbow?

Here's a potential weakness that concerns me: how rapidly can we
actually deploy a security patch to, say, avahi or the presence service?


This is a major concern, and one that may be out of spec because of the distribution methods. To my understanding once the XOs go out, laptop.org may never hear from them again, in many non-edge cases. Of course the sponsoring government and classrooms will be encouraged to distribute patches to all of their XOs, but ... *gulp*

When if ever are y'all on IRC? :)

Thanks,
Adric Net

Woot! Someone with a clue has called me down and gotten discussion moving forward again! Success? Later, 0830: Although I do seem to have derailed some of the noise back onto the topic (yay), I may have accidentally pissed off some of the real hackers (f---) at the same time, so I apologized in this post, and more directly in person to another in email.
olpc g1g1 fdd

Comment on olpcnews.com thread

The Browser Activity (a thin python wrap of xul-runner, btw), like many other aspects of the Sugar software is under rapid development, and features come (and go, and come back :). I'm not sure which build you tested, but there have been bookmarks in the Browser activity for awhile. You click the star and the bookmarks appear in a shelf, pic: http://adric.net/img/olpc-bookmark-star.png . Browse home is here: http://wiki.laptop.org/go/Browse .

By way of discouraging the political flare up that prompted this news post, I would like to point out that g1g1 is an anomaly and not the stated mission or purpose of OLPC. OLPC works with governments and schools to arrange for mass distribution of XOs and support hardware. Customization is expected at the government and classroom level. To wit, they did not design these wonderful devices or their software to be sold to end users, but are giving us an opportunity to donate and get one to help jump start the project.

That said if you do have technical questions, please check the wiki, drop by the irc channel or the mailing lists, or post on this site, and someone will try and help.

On this thread of FUD and ignorance: http://www.olpcnews.com/internet/access/moms_worries_child_olpc_internet.html
  • Current Music
    NPR - Morning Edition
  • Tags
    bolts, writing, nuts

Censorship is destructive

Data < Information < Knowledge < Wisdom

Censorship and dishonesty both serve the same goal of corrupting and disrupting the flow of data, without which we do not get new information, cannot form new knowledge, and will move no closer to wisdom.

Life is a series of choices, made with the data, information, knowledge, and wisdom available at the time. Don't you want (your children) to have the most and best of these available for every decision?

Data is raw, unfiltered, disorganized. Information is filtered, organized. Knowledge is tested, disprovable. And wisdom? Wisdom is the result of the choices you already made and the consequences thereof.

This post brought to you by seething anger at a few so-called parents on the Internets. I really hate people sometimes. See links in previous few posts for ample upsetting material. Comments welcome.
Books

Carl Sagan's ghost disapproves.

Some notes from my place in my reading of the pro-science propaganda masterpiece, The Demon Haunted World*:

  • Bah. The ghost of Carl Sagan commands me to be a science teacher.
  • and then blames me for letting SciTrek close. Argh. Apparently they have one in Ithaca, NY, his home town.
  • Continuing his criticism of how I spend my free time and money, Sagan's shade wields Frederick Douglass to chide me about not teaching adult literacy classes.

Later Sagan criticizes** many other things (sooner, too) specifically the quality of the material on television, with the damning remark: "I haven't even seen a show on how television works, on television."

* A thoughtful birthday gift from kittyglitter which in no way diminishes the impact of the more provocative Zorba the Greek given me by luvadove and of course cosmiclola and I swap bags of books every year, and sotto_voce bought me the only book I ever asked her to, which I of course have not read ... see how this goes nowhere fast?

** Stupid Yankee dictionary wants me to spell words with zeds and not esses, how vulgar.