February 25, 2024

Archives for August 2007

OLPC Review Followup

Last week’s review of the One Laptop Per Child (OLPC) machine by twelve-year-old “SG” was one of our most-commented-upon posts ever. Today I want to follow up on a few items.

First, the machine I got for SG was the B2 (Beta 2) version of the OLPC system, which is not the latest. Folks from the OLPC project suggest that some of the problems SG found are fixed in the latest version. They have graciously offered to send an up to date OLPC machine for SG to review. SG has agreed to try out the new machine and review it here on Freedom to Tinker.

Second, I was intrigued by the back-and-forth in the comments over SG’s gender. I had originally planned to give SG a pseudonym that revealed SG’s gender, but a colleague suggested that I switch to a gender-neutral pseudonym. Most commenters didn’t seem to assume one gender or the other. A few assumed that SG is a boy, which generated some pushback from others who found that assumption sexist. My favorite comment in this series was from “Chris,” who wrote:

Why are you assuming the review was written by a boy?
At 12 we’re only two years from 8th grade level, the rumored grail (or natural default) of our national publications. SG, you’re clearly capable of writing for most any publication in this country, you go girl! (even if you are a boy)

Third, readers seem to be as impressed as I was by the quality of SG’s writing. Some found it hard to believe that a twelve-year-old could have written the post. But it was indeed SG’s work. I am assured that SG’s parents did not edit the post but only suggested in general terms the addition of a paragraph about what SG did with the machine. I suggested only one minor edit to preserve SG’s anonymity. Otherwise what you read is what SG wrote.

Though sentences like “My expectations for this computer were, I must admit, not very high.” seem unusual for a twelve-year-old, others show a kid’s point of view. One example: “Every time you hit a key, it provides a certain amount of satisfaction of how squishy and effortless it is. I just can’t get over that keyboard.”

SG is welcome to guest blog here in the future. Kids can do a lot, if we let them.

One Laptop Per Child, Reviewed by 12-Year-Old

[I recently got my hands on one of the One Laptop Per Child machines. I found the perfect person to review the machine. Today’s guest blogger, SG, is twelve years old and is the child of a close friend. I lent the laptop to SG and asked SG to write a review, which appears here just as SG wrote it, without any editing. –Ed]

I’ve spent all of my life around computers and laptops. I’m only 12 years old though, so I’m not about to go off and start programming a computer to do my homework for me or anything. My parents use computers a lot, so I know about HTML and mother boards and stuff, but still I’m not exactly what you would call an expert. I just use the computer for essays, surfing the web, etc.

Over the last few days, I spent a lot of time on this laptop. I went on the program for typing documents, took silly pictures with the camera, went on the web, played the matching game, recorded my voice on the music-making application, and longed for someone to join me on the laptop-to-laptop messaging system. Here is what I discovered about the OLPC laptops:

My expectations for this computer were, I must admit, not very high. But it completely took me by surprise. It was cleverly designed, imaginative, straightforward, easy to understand (I was given no instructions on how to use it. It was just, “Here. Figure it out yourself.”), useful and simple, entertaining, dependable, really a “stick to the basics” kind of computer. It’s the perfect laptop for the job. Great for first time users, it sets the mood by offering a bunch of entertaining and easy games and a camera. It also has an application that allows you to type things. The space is a little limited, but the actual thing was great. It doesn’t have one of those impossible-to-read fonts but it was still nice. When the so-so connection allows you to get on, the internet is one of the best features of the whole computer. With a clever and space-saving toolbar, it is compact, well designed, accessible, and fast.

But, unfortunately, the internet is the only fast element of the computer. My main problem with this laptop is how very slow it is. It’s true that I am used to faster computers, but that’s not the problem. It’s just really slow. I had to wait two minutes to get onto one application. That’s just a little longer than I can accept. Also, it got slower and slower and slower the longer I went without rebooting it. I had to reboot it all the time. We’re talking once every two or three hours of use! And one of the most frustrating things about the system was that it gave no warning when it was out of power (as it was often because it lost charge very quickly) but just shut down. It doesn’t matter if you’re working on your autobiography and you had gotten all the way to the day before yesterday and forgotten to save it, it just shuts off and devours the whole thing.

This laptop is definitely designed for harsh conditions. Covered in a green and white hard plastic casing, it is designed not to break if dropped. It has a very nice handle for easy transportation and two antennas in plastic that can be easily put up. Once you open it, you see the screen (pretty high resolution) and my favorite part of the computer: the keyboard. It’s green rubber so that dust and water won’t get in under the keys, and this makes the keyboard an awesome thing to type on. Every time you hit a key, it provides a certain amount of satisfaction of how squishy and effortless it is. I just can’t get over that keyboard. There is also a button that changes the brightness of the screen. The other cool thing is that the screen is on a swiveling base, so you can turn it backwards then close it. This makes the laptop into just a screen with a handle.

All in all, this laptop is great for its price, its job, and its value. It is almost perfect. Just speed it up, give it a little more battery charge hold, and you have yourself the perfect laptop. I’m sure kids around the world will really love, enjoy, and cherish these laptops. They will be so useful. This program is truly amazing.

Sony-BMG Sues Maker of Bad DRM

Major record company Sony-BMG has sued the company that made some of the dangerous DRM (anti-copying) software that shipped on Sony-BMG compact discs back in 2005, according to an Antony Bruno story in Billboard.

Longtime Freedom to Tinker readers will remember that back in 2005 Sony-BMG shipped CDs that opened security holes and invaded privacy when inserted into Windows PCs. The CDs contained anti-copying software from two companies, SunnComm and First4Internet. The companies’ attempts to fix the problems only made things worse. Sony-BMG ultimately had to recall some of the discs, and faced civil suits and government investigations that were ultimately settled. The whole episode must have cost Sony-BMG many millions of dollars. (Alex Halderman and I wrote an academic paper about it.)

One of the most interesting questions about this debacle is who deserved the blame. SunnComm and First4Internet made the dangerous products, but Sony-BMG licensed them and distributed them to the public. It’s tempting to blame the vendors, but the fact that Sony-BMG shipped two separate dangerous products has to be part of the calculus too. There’s plenty of blame to go around.

As it turned out, Sony-BMG took most of the public heat and shouldered most of the financial responsibility. That was pretty much inevitable considering that Sony-BMG had the deepest pockets, was the entity that consumers knew, and had by far the most valuable brand name. The lawsuit looks like an attempt by Sony-BMG to recoup some of its losses.

The suit will frustrate SunnComm’s latest attempt to run from its past. SunnComm had renamed itself as Amergence Group and was trying to build a new corporate image as some kind of venture capitalist or start-up incubator. (This isn’t the first swerve in SunnComm’s direction – the company started out as a booking agency for Elvis impersonators. No, I’m not making that up.) The suit and subsequent publicity won’t help the company’s image any.

The suit itself will be interesting, if it goes ahead. We have long wondered exactly what Sony knew and when, as well as how the decision to deploy the dangerous technology was made. Discovery in the lawsuit will drag all of that out, though it will probably stay behind closed doors unless the case makes it to court. Sadly for the curious public, a settlement seems likely. SunnComm/Amergence almost certainly lacks the funds to fight this suit, or to pay the $12 million Sony-BMG is asking for.

On the emotions you feel when you do a security review

[I’m happy to introduce Dan Wallach, who will be blogging here from time to time. Dan is an Associate Professor of Computer Science at Rice University. He’s a leading security expert who has done great work on several topics, including e-voting. – Ed]

I was one of the co-authors of the Hart InterCivic source code report, as part of California’s “top to bottom” analysis of its voting systems. As many Freedom to Tinker readers now know, we found problems. Lots of problems. I’ve done this sort of thing before, as have many others, and I realized that there’s a somewhat odd emotion that we all feel when we do it. You’re happy because you found how to break something, but you’re sad that the system is so poorly engineered. It’s a great accomplishment that we were able to discover so much, but it’s terrible that widely used systems have such easily exploitable vulnerabilities. What word can describe that good/bad emotion?

About a year ago, I started asking everybody I knew, speakers of any language, if their language had a word to describe that emotion. Somebody, somewhere, must have such a word. There are lots of close-but-no-cigar choices, such as:

Schadenfreude (German) – the pleasure you feel at somebody else’s pain (common example: laughing at Hollywood celebrities arrested for drunk driving)

Bathos (Greek) – mixing serious issues with humor (a common literary device)

Neither quite capture it. Finally, in a discussion with my colleague, Moshe Vardi, we came up with a Yiddish coinage that seems to do the trick: oy gevaldik.

Origin? Oy vey is a standard Yiddish expression of woe (similar to “oh boy”). Oy gevalt is a stronger version of the same expression (similar to “oh expletive” for milder expletives). Curiously, the Yiddish word for beautiful is gevaldik, which sounds similar to gevalt. Put it together, and you get oy gevaldik. Oh, beautiful. And that’s what security reviews are all about.

More California E-Voting Reports Released; More Bad News

Yesterday the California Secretary of State released the reports of three source code study teams that analyzed the source code of e-voting systems from Diebold, Hart InterCivic, and Sequoia.

All three reports found many serious vulnerabilities. It seems likely that computer viruses could be constructed that could infect any of the three systems, spread between voting machines, and steal votes on the infected machines. All three systems use central tabulators (machines at election headquarters that accumulate ballots and report election results) that can be penetrated without great effort.

It’s hard to convey the magnitude of the problems in a short blog post. You really have read through the reports – the shortest one is 78 pages – to appreciate the sheer volume and diversity of severe vulnerabilities.

It is interesting (at least to me as a computer security guy) to see how often the three companies made similar mistakes. They misuse cryptography in the same ways: using fixed unchangeable keys, using ciphers in ECB mode, using a cyclic redundancy code for data integrity, and so on. Their central tabulators use poorly protected database software. Their code suffers from buffer overflows, integer overflow errors, and format string vulnerabilities. They store votes in a way that compromises the secret ballot.

Some of these are problems that the vendors claimed to have fixed years ago. For example, Diebold claimed (p. 11) in 2003 that its use of hard-coded passwords was “resolved in subsequent versions of the software”. Yet the current version still uses at least two hard-coded passwords – one is “diebold” (report, p. 46) and another is the eight-byte sequence 1,2,3,4,5,6,7,8 (report, p. 45).

Similarly, Diebold in 2003 ridiculed (p. 6) the idea that their software could suffer from buffer overflows: “Unlike a Web server or other Internet enabled applications, the code is not vulnerable to most ‘buffer overflow attacks’ to which the authors [Kohno et al.] refer. This form of attack is almost entirely inapplicable to our application. In the limited number of cases in which it would apply, we have taken the steps necessary to ensure correctness.” Yet the California source code study found several buffer overflow vulnerabilities in Diebold’s systems (e.g., issues 5.1.6, 5.2.3 (“multiple buffer overflows”), and 5.2.18 in the report).

As far as I can tell, major news outlets haven’t taken much notice of these reports. That in itself may be the most eloquent commentary on the state of e-voting: reports of huge security holes in e-voting systems are barely even newsworthy any more.