[cap-talk] Correlating Bitfrost with Threats
Stiegler, Marc D
marc.d.stiegler at hp.com
Fri Mar 2 20:43:36 CST 2007
My last email was written quickly, and upon review, is written so poorly
that I am embarrassed.
Bitfrost as a whole works hard to trade off flexibility and security in
the context of very young users. It does surprisingly well. Saying that
Bitfrost prevents the student from being the owner is just wrong.
However, the antitheft system, which requires the great national
identity database in the sky, disturbs me deeply for several reasons,
only one of which is its hypothetical utility for tyrants. Much more
concerning from a practical perspective are the diverse risks with such
a rigidly centralized architecture:
-- The central service can apparently bring the whole nationwide mesh
down by failing to operate correctly. Visualize the headlines the first
time this happens.
-- The leasing system is surely going to create mysterious shutdowns of
computers, shutdowns that are so difficult to correct it will amaze the
onlookers: users may dream of the Windows box that can be brought back
to life merely by powering off and on. How much harm will this cause to
olpc's reputation? Supporting thugs is not even the most important
question here; it is the risk that olpc can be made a laughingstock.
-- And I am also confident (though I cannot prove, except with
historical anecdotes) that this system will work less well than a
localized system for preventing theft. If a child loses his laptop, if
the shutdown authority is hundreds of miles away, how many layers of
administrative bureaucracy will the villagers have to breach (or
worse, how many will they have to bribe) before the lease shutdown
system is activated? How many villagers will just throw up their hands
and say, good luck to the new user -- after all, the incentive to fight
a bureaucracy to shut down the missing computer is almost nonexistent.
Whether it is shut down or not, the villagers are never going to see it
again anyway; the only benefit goes to other people in other villages
who might not see their own laptops stolen. The system creates such a
large gulf between victim and correctional mechanism that it is hard to
imagine it working well.
Indeed I only thought through this last point clearly while writing this
email. I shall have to post it to the wiki :-)
> -----Original Message-----
> From: Stiegler, Marc D
> Sent: Friday, March 02, 2007 4:29 PM
> To: 'General discussions concerning capability systems.'
> Cc: ted at squeakland.org; McGeer, Patrick C
> Subject: RE: [cap-talk] Correlating Bitfrost with Threats
> > You have a number of concerns about features of Bitfrost that make
> > students insecure against their teachers and their governments.
> > The customers of Bitfrost are governments. The customer is always
> > right. When it is sold to individuals, then it should be secure
> > against governments.
> I used to work for a company that had what I believe to have
> been a better attitude toward this: "the customer may not
> always be right, but the customer is always The Customer".
> You always take him seriously, but you try to give him, not
> merely what he claims he wants, but something that makes sense.
> Well, the concept of "customer" is a little complicated here.
> The government is paying the bill. The student is in some
> sense the owner (a very weak sense given Bitfrost). Of
> course, there are governments and there are governments. Some
> governments attempt to ensure their citizens have rights.
> Some governments are thugs. Governments that attempt to
> protect the rights of the people can be distinguished easily,
> they will applaud an alternate architecture that eliminates
> central points of failure, and protects the citizens from
> future governments that may not be as virtuous as the current ones.
> OLPC has the power to decide, should we empower thugs. I
> confess, I made my choice over 20 years ago, when I worked
> for a company that wanted to put me to work on a project to
> build a national ID card system for the dictator of Egypt. I
> declined. Indeed, I declined rather, uh, ferociously, sending
> a memo to the CEO vigorously explaining why it was
> unacceptable for that company, with the code of business
> conduct that it held for itself, to engage in such activity.
> Having said all that, please note, I also pointed out other
> problems with the tyranny-friendly features, notably that,
> from a strictly software architectural standpoint, the
> centralized systems produce central points of failure. I also
> offered alternatives that met the stated goals as well or
> better. If the governments don't really want anti-theft, but
> really really demand a national ID system, let us force them
> to state so clearly. Just so we understand who we are
> talking to, and what evil we are bringing into the world. Let
> there be no pretending.