User: Password:
|
|
Subscribe / Log in / New account

Bitfrost: the OLPC security model

Bitfrost: the OLPC security model

Posted Feb 8, 2007 7:38 UTC (Thu) by bronson (subscriber, #4806)
In reply to: Bitfrost: the OLPC security model by dlang
Parent article: Bitfrost: the OLPC security model

But the OLPC is one of the most free computer projects ever undertaken. What if the GPLv3 can't be used for its low-level (read: important) parts? Isn't that a pretty bad sign?

This appears to be one situation where DRM can actually be a good thing. Like a knife or a car or a programming language, it's all just technology. People will use it for good and they will use it for bad.

That's why the FSF's "DRM is EVIL!!" stance is so foreign to me. It's like calling gunpowder evil.


(Log in to post comments)

Bitfrost: the OLPC security model

Posted Feb 8, 2007 12:47 UTC (Thu) by drag (subscriber, #31333) [Link]

With my infinate ignorance it seems here that the difference is allowing the owner/handler of the device greater control over it versus attempting to remove control from a owner and give it to a third party.

I wouldn't nessicarially call it 'DRM'. It certainly uses features that mirror what is used in DRM, but it's goal/purpose is different. Similarly how I wouldn't consider a signature on a E-mail DRM.

The only problem I see is that it's probably going to make the system much harder to hack around with versus if it was more PC-like. To bad there isn't a positive way to identify users and key the machine to them, like through voice recognition or fingerprint or something like that. I don't suppose something like that is reasonable for a machine like this.

Bitfrost: the OLPC security model

Posted Feb 8, 2007 14:28 UTC (Thu) by NAR (subscriber, #1313) [Link]

It certainly uses features that mirror what is used in DRM, but it's goal/purpose is different.

This feature is basically "the hardware doesn't run the code if it's not signed". Which is good, when it disables working around the anti-theft code in the OLPC, but which is bad, when disables creating graphics card drivers that dump their output into a file (to copy a DVD, etc.).

Bye,NAR

Bitfrost: the OLPC security model

Posted Feb 8, 2007 18:26 UTC (Thu) by bronson (subscriber, #4806) [Link]

The OLPC uses a private key to restrict the rights of the computer's owner. How can you not call this DRM?? It's exactly the same thing!

I'm not exactly clear on just who will own these devices: the student, the student's parents, the school, or the state? If the state keeps ownership of all the computers for itself, and just loans them to kids for a year at a time, would the GPLv3 still force the release of the private keys?

Would the answer change if they loaned them to random kids for an hour at a time rather than one kid for a year at a time?

Bitfrost: the OLPC security model

Posted Feb 8, 2007 19:29 UTC (Thu) by cjb (guest, #40354) [Link]

The OLPC uses a private key to restrict the rights of the computer's owner. How can you not call this DRM?? It's exactly the same thing!
It is DRM. However, GPLv3 doesn't say no-one can implement DRM, it says that if you implement DRM you must also make the key available so that the computer's owner has the freedom to turn off the DRM if they want to. That's what OLPC is doing, so it's all good.
I'm not exactly clear on just who will own these devices
I think the plan is that the devices are for the children to keep, even after they finish school.

Bitfrost: the OLPC security model

Posted Feb 8, 2007 20:18 UTC (Thu) by bronson (subscriber, #4806) [Link]

I'm not sure I buy that. If OLPC gets to do this, couldn't Tivo do the same thing?

Why doesn't Tivo set up a restricted developer program? The customers who really want can jump through hoops could get themselves a developer's key. Like OLPC, developers keys will be quite hard to come by. The vast majority of people won't know, won't bother, or won't qualify.

Is Tivoization possible under the GPLv3 after all?

Bitfrost: the OLPC security model

Posted Feb 8, 2007 20:50 UTC (Thu) by drag (subscriber, #31333) [Link]

And they wouldn't care either. Most people who own TiVOs don't care, and if I owned a TiVO I probably wouldn't care much either.

As long as they make the 'developer keys' (or equivelent) aviable to end users then that's all that matters. If they make significant barriers to this then that could be construed as a violation, but it's not like they have to make it easy for you either.

I'd say it would be reasonable to require you to call Tivo and provide some sort of proof (say a UUID number on the bottom of the case) that the device belongs to you and then they'll mail you a key on a cdrom or whatever for 5 bucks or whatever reasonable to cover their costs.

There is no reason why they would have to provide keys to all Tivos, just the ones you own.

And the reason I originally said it's not 'DRM' is because DRM is designed to restrict a person's rights in regards to copyrighted material. If this is DRM, then setting file permissions on your home folder is DRM also. Implimenting filesystem encryption is DRM also, then.

If you want to make the definition so broad to encompas everything then I suppose you can call any sort of security measure DRM if you want to.

Bitfrost: the OLPC security model

Posted Feb 8, 2007 23:04 UTC (Thu) by bronson (subscriber, #4806) [Link]

And the reason I originally said it's not 'DRM' is because DRM is designed to restrict a person's rights in regards to copyrighted material.
Exactly like the OLPC BIOS.
If this is DRM, then setting file permissions on your home folder is DRM also. Implimenting filesystem encryption is DRM also, then.
Neither of those scenarios involve an upstream party using private keys (or other technology) to inhibit your enjoyment of a product that you rightfully own. I don't see how they could be considered DRM.

Bitfrost: the OLPC security model

Posted Feb 9, 2007 7:22 UTC (Fri) by man_ls (guest, #15091) [Link]

Exactly like the OLPC BIOS.
Not really. The OLPC doesn't prevent access to copyrighted material; it shuts down the machine and turns it into a brick. Not even close.
Neither of those scenarios involve an upstream party using private keys (or other technology) to inhibit your enjoyment of a product that you rightfully own. I don't see how they could be considered DRM.
I don't see how you can call Bitfrost "DRM" when there is no copyrighted material and no digital "rights" to manage. DRM is not "using private keys to inhibit enjoyment of products", it involves limiting access to certain files. Drag's example (setting permissions on a directory) is actually closer to DRM than OLPC's Bitfrost, IMHO.

Bitfrost: the OLPC security model

Posted Feb 10, 2007 8:01 UTC (Sat) by bronson (subscriber, #4806) [Link]

DRM can be used with anything, not just copyrighted content (according to http://www.defectivebydesign.org/en/about anyway). When the OLPC turns into a brick, isn't that awfully similar to a DVD refusing to decript its content or a Vista computer refusing to run an executable? Sure seems it to me.

And both DRM and Bitfrost are very dissimilar to chmod a-rw ~/. Directory permissions don't involve a 3rd party, DRM and Bitfrost do, chmod a+rw ~/* undoes the damage; DRM and Bitfrost don't have any such exit, etc. Shall I continue?

I guess we'll just have to agree to disagree on this one.

DRM vs TM

Posted Feb 10, 2007 10:21 UTC (Sat) by man_ls (guest, #15091) [Link]

As the linked page takes pains to explain, DRM can be based (on computers) upon "Trusted Computing", which Stallman mimics as "Treacherous Computing". You are saying that DRM can be used for anything (and is indeed used on the OLPC), when in fact it is TM that you are speaking about. It seems like a pedantic point, but it is important for the discussion not to mix these concepts IMHO.

TM can be a chip used by the kernel with cryptographic keys under the control of the owner, in which case it can be a good thing. The keys can also be under the control of a third party, which is a disaster. In the case of the OLPC it can turn into a brick. As it is a government-sponsored program anyway, I guess they have thought about it: if it gets disabled by mistake, you can always take it to a hypothetic repair service. I personally don't like the idea, and think it is a weak point in the whole scheme, but inexplicably nobody asked me before implementing it ;)

DRM, as one of its main peddlers has just said, is always a bad idea. Notice that, in the case of a DVD player you don't even need TM, as it is a closed platform anyway; in this case the device can simply have its keys revoked and it will refuse to play protected content, which is different than turning into a brick. When it is a computer in disguise you need complicated schemes such as TM to make the device obey its true master, the manufacturer.

DRM vs TM

Posted Feb 10, 2007 20:03 UTC (Sat) by bronson (subscriber, #4806) [Link]

TC is now such a broad concept that it's nearly useless. The wikipedia page does make it sound like both Bitfrost and drectory permissions would fall under the TC umbrella. But so would AppArmor. And hardware virtualization extensions. That doesn't mean they have anything in common with each other.

We can at least agree that FairPlay, CSS, and Microsoft's incompatible flavor du jour are examples of DRM, yes? defectivebydesign says that Tivoization is a form of DRM. And Hasp HL claims to be DRM. Bitfrost's ultimate behavior is basically the same as these technologies and has only the most superficial resemblance to directory permissions. That's why I really don't think it's a stretch to consider it DRM.

Maybe you could point me to an authoritative definition of DRM? The definition at the top of the Wikipedia entry clearly includes Bitfrost but, alas, I'd hardly call it authoritative.

Perhaps the media is subverting the meaning of DRM like it did with hacker? At this point, though, I'm afraid the cat's pretty far out of the bag.

DRM vs TM

Posted Feb 10, 2007 20:27 UTC (Sat) by bronson (subscriber, #4806) [Link]

...*not a stretch* to call [Bitfrost] DRM. Gah.

DRM vs TM

Posted Feb 10, 2007 23:01 UTC (Sat) by man_ls (guest, #15091) [Link]

I would say that Trusted Computing is a well defined concept, or at least it was until vendors started marketing it. OTOH DRM was always snake oil, and still is today. Maybe that is why authoritative definitions are hard to find. Look at this one (in PDF):
Digital Rights Management (DRM) is a system to protect high-value digital assets and control the distribution and usage of those digital assets.
It comes from an academic paper, but the "high value" part is not very objective: DRM can also be used for low-value garbage.

As to the examples you cite: Tivoization is a form of DRM only because it is used to protect digital content (digitized TV in this case). The article in Dr Dobb's Journal talks about protection of content and restriction of document distribution.

Even if the press and the general public misuse the term, that is IMHO no excuse for spreading bad usage. DRM protects content by whatever means, even if it's just a remotely controlled daemon setting directory permissions. After all, Adobe's protected PDF's rely on something like a bit set on a file.

Bitfrost: the OLPC security model

Posted Feb 8, 2007 20:51 UTC (Thu) by cjb (guest, #40354) [Link]

I'm not sure I buy that. If OLPC gets to do this, couldn't Tivo do the same thing?
Remove their restrictions by bundling an offer to supply a developer key that gives you complete access to the machine if you want it? Sure, they could, and they'd be GPLv3-compliant by my interpretation if they did.

They presumably won't, because they don't want you to be able to (for example) use a public source of TV listings and stop paying them for monthly service.

The vast majority of people won't know, won't bother, or won't qualify.
No, if you've bought the device, it would be a breach of GPLv3 to not give you the key on request. A "restricted" developer program wouldn't suffice. (But no-one's suggesting the OLPC program will be restricted.)

Bitfrost: the OLPC security model

Posted Feb 8, 2007 22:52 UTC (Thu) by bronson (subscriber, #4806) [Link]

Of course the OLPC program is restricted.

From the article: "in general, the children will not have that functionality available to them."

From our editor's comment: "There is a delay built into the developer key mechanism; if the laptop is reported stolen during the wait, no key is issued."

This makes total sense. If there really were no restrictions, there would be no point to making the keys private in the first place. The thieves would just request the keys after they'd stolen the laptops.

I've read the v3 draft a few times. You'll notice that 6.3b doesn't specify any durations. How long could Tivo delay issuing a key before It's in violation? A few months? A year? And could Tivo pull the old tape trick used by a number of BSDs in the early 90s? (charging $400 for a $30 tape claiming "it's a reasonable cost of physically performing this conveying of source. Go ahead, take us to court -- it'll cost you a lot more than $400!")

From reading the license, it seems to me like they could.

Bitfrost: the OLPC security model

Posted Feb 8, 2007 23:56 UTC (Thu) by cjb (guest, #40354) [Link]

From the article: "in general, the children will not have that functionality available to them."
This doesn't mean that developer keys will be refused to some children, it means that before the child asks for the key, the (BIOS-writing) functionality won't work.
I've read the v3 draft a few times. You'll notice that 6.3b doesn't specify any durations.
The Bitfrost spec (section 8.19) says that the delay between asking for and receiving the key will be fourteen days. That seems entirely consistent with the delay one would expect from replying to a written offer of source code under the GPL that we've been using for the last twenty years.

I'm only really interested in talking about this to the extent of showing that the scheme is entirely in accord with GPLv3 and the spirit of the GPL. If your problem is that the GPL isn't free enough for you, you need to find some other people to talk to. :)

Bitfrost: the OLPC security model

Posted Feb 9, 2007 2:34 UTC (Fri) by bronson (subscriber, #4806) [Link]

I'm genuinely interested. I still don't understand how the GPLv3 can allow the OLPC to use DRM and at the same time prevent Tivo from abusing it. That's why I was asking about known modes of GPL abuse from the past. There will always be people who want to skirt the rules.

I *like* the GPLv2, and presumably I'll like the v3 when it ships. Ideally I'd like v3 to be able to be the go-to license for most projects. Other than the DRM language, which I'm unsure about, it looks like v3 could be that license.

Of course, I'm happy to let our discussion rest here and leave any further fine slicing to future litigators. :)

Bitfrost: the OLPC security model

Posted Feb 9, 2007 2:49 UTC (Fri) by cjb (guest, #40354) [Link]

I'm genuinely interested. I still don't understand how the GPLv3 can allow the OLPC to use DRM and at the same time prevent Tivo from abusing it.
So, my understanding is that the GPLv3's answer to DRM is to say "Sure, you can build DRM -- after all, you wouldn't have freedom if you couldn't -- but you must give the person who you distribute the code to the freedom to remove the DRM if they wish". That's what Bitfrost tries to do.

How do you think TiVo would claim to be following that, yet abusing it? The methods you mentioned (waiting too long, or charging too much) just aren't ones that we've seen people abuse over the last twenty years; I can't think of a single memorable example of either, so it certainly hasn't been common. If they *do* provide the source+key that gives you full control of the system in a timely manner, then it's Free Software.

Bitfrost: the OLPC security model

Posted Feb 9, 2007 11:56 UTC (Fri) by NAR (subscriber, #1313) [Link]

you must give the person who you distribute the code to the freedom to remove the DRM if they wish

I think I get it - the code is distributed to the child, but not to the thief, so the thief can't ask for the key. However, an other thing occured to me. As far as I know, the children can't sell or give away their laptops, i.e. can't distribute it (I could be wrong here). Can they distribute the software (including the OpenBIOS) on the laptop? GPL (even v2) gives them the right, but will the software work on any other laptop (even if they distribute the key, which is part of the software under GPLv3)?

Bye,NAR

Bitfrost: the OLPC security model

Posted Feb 8, 2007 21:04 UTC (Thu) by cjb (guest, #40354) [Link]

By the way, feel free to read the GPLv3 (draft) itself. It makes it clear that the key needed to change the Program is part of the Corresponding Source, and that it is valid to supply an offer to provide the Corresponding Source on request, rather than directly bundling the Corresponding Source with the Program itself.

http://gplv3.fsf.org/gpl-draft-2006-07-27.html

Bitfrost: the OLPC security model

Posted Feb 8, 2007 22:24 UTC (Thu) by dlang (subscriber, #313) [Link]

I think lots of people agree that it's a bad sign, everyone is split between

1. it's a bad sign for the GPLv3

and

2. it's a bad sign for the OPLC project

by the way, to throw a little gasoline around here, who is the 'owner' of these things, the govenments who pay for them, or the child who takes it home each night?

if it's defined as being the govenments who pay for them then all these requirements are within the limits of the GPLv3 as the owner of the devices has all the nessasary keys.

Bitfrost: the OLPC security model

Posted Feb 11, 2007 17:49 UTC (Sun) by JohnNilsson (guest, #41242) [Link]

Does the GPL really care about "owners"? It only mention "users". I would think even a theif would qualify as a "user".


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds