Michael R. Farnum

Hitting the Security Nerve

OLPC Security Fears

An article at The Guardian discusses the security fears surrounding the One Laptop Per Child (OLPC) project going on across the world. If you have not heard about OLPC, it is basically a mission to get computers in the hands of kids in developing nations so they can have opportunities that they would not otherwise have. And I, for one, am totally for this.

However, there are issues that need to be addressed. I blogged about this over a year ago, and there were some comments on what security measures were getting thought through and put in place (probably mostly outdated by now). But my main concern with the project was the mesh that will be created by default with these machines. After some investigation, I found this article on the OLPC wiki. A direct quote says, "The current implementation of the mesh in OLPC does not provide mechanisms to control access to the network nor to ensure confidentiality." So this has not been addressed according to the wiki. This kinda scares me.

You can search the wiki for security topics and find all kinds of information, and there are probably topics that I have not seen that will help alleviate some fears. But this machine is rolling and it ain't gonna stop. I am sincerely all for this project as far as its desire to help underprivileged children in developing nations. But I also sincerely hope this does not become a huge problem that criminals start exploiting. These kids need help. They DON'T need to become members of botnets.

What People Are Saying

You don't know...

Well, you're certainly spreading the FUD, aren't you.

Encryption means higher power consumption.

You ever heard of ssh?

most people use unencrypted wireless points?

it's not windows!!!!

Why put extra barriers in a learning environment?

okay, security is important, but tcp was invented
for the sharing of data? not the lock down of
corporate bank sites.

SSL? You even heard of this?

So, I'd rather have 4 hours more battery life
in a remote location than be safe in the knowledge
someone's not intercepted photos of me via the mesh!

Stop spreading the FUD.

More concerns

Read this post from my friend Martin McKeay here at CW back in March '07. Interesting read from a first-hand experience with Ivan Krstic.

Michael R. Farnum

Better to be despised for too anxious apprehensions than ruined by too confident a security.
Edmund Burke (1729 - 1797)

do you really know technology at all?

bot-net? really? 'mesh' is more accurately known as 802.11s. now how exactly are you going to connect to this supposed botnet without an 802.11s NIC? and how is this supposed botnet going to get out to cause harm.. 3rd world schools don't exactly have a backbone connection on the internet.. and since the 'mesh' of computers would be connected over a single slow connection, damage would be extremely minimal.. this is all from an infrastructure point of view only

the XO has security measures built in to be able to stop hacking at the machine level as well. why don't you actually look into the wiki over at laptop.org before you spout your opinion.. i think you will find your bot-net scenario is pretty far fetched.. about as far fetched as a wii botnet.. which is much greater in number, as well as a much better connection to the internet

Mesh botnet

anon,

"do you really know technology at all?"

Well, I have to ask you the same question. It matters not if you have an 802.11s NIC if there is an Internet gateway that the laptops use for connection to the Internet. That's like saying that you have to connect directly to every computer with a crossover cable to install a bot...

And I agree that the Internet connections are likely slow in that part of the world. Heck, I would question whether some have any connection at all. But is that going to stay the same forever? Isn't the point of this type of project to grow technology in developing nations?

And why are you so sensitive? I am not slamming the project. I just think the concerns need to be voiced. I know I am not the only one who has thought about this. Obviously the article I linked shows that others have the same concerns.

And I have read through some of the wiki. Have I plowed through every doc? No. Maybe you have, and I am glad for you. But I look for one example and I find a security concern immediately. Literally in a matter of a couple of minutes. That brings up a red flag for me.

And whenever someone says something like, "the XO has security measures built in to be able to stop hacking at the machine level as well", I immediately think that there have been a lot of people who have said the same thing about a lot of products. Nothing is absolute. See my signature for a quote from a famous man to see what I am talking about.

Michael R. Farnum

Better to be despised for too anxious apprehensions than ruined by too confident a security.
Edmund Burke (1729 - 1797)

OLPC security

Hi Michael,

OLPC takes security extremely seriously, and has done precedent-setting security work for the XO laptops. The right document to read is the specification for our security system, Bitfrost:

http://wiki.laptop.org/go/OLPC_Bitfrost

If you're looking for a quick read, consult sections 1, 8 and 10 of that document.

You might also find it interesting to read my slides and watch the short video from the AusCERT 2007 conference where I elaborate on OLPC security (and the state of security in general). Both the slides and video are linked from http://radian.org/talks .

Cheers,
Ivan.

Honored

Mr. Krstić,

Thank you for commenting. I appreciate it very much. I will take a look at the resources you are suggesting and will come back and comment on my impressions.

I also want to express my sincere appreciation for your maturity on the subject. I have read many articles that call into question OLPC in some way or fashion, and I fail to understand the visceral reaction to criticism. I assume the project is viewed by some people as unassailable because of its political nature, but if these types of things become out of bounds for questions, then security has a huge problem.

Michael R. Farnum

Better to be despised for too anxious apprehensions than ruined by too confident a security.
Edmund Burke (1729 - 1797)