Bitfrost is the proposed security specification for the OLPC laptop. It does not cover every aspect of the platform; for example, it does not address OLPC boot patches, which will likely "be enabled by default" according to author Ivan Krstić, who claims that "by default, whenever the laptop connects to the Internet, it will ask the school's server if there are patches or updates available. This will be in place even if you're not in contact with the school server, you can ask the OLPC server to push down the update" over mesh networks "all managed by schoolteachers and kids with no computer experience". He describes Bitfrost's goals:
- No user passwords
"With users as young as five years old, the security of the laptop cannot depend on the user's ability to remember a password. Users cannot be expected to choose passwords when they first receive computers."
- No unencrypted authentication
"Authentication of laptops or users will not depend upon identifiers that are sent unencrypted over the network. This means no cleartext passwords of any kind will be used in any OLPC protocol and Ethernet MAC addresses will never be used for authentication."
- Out-of-the-box security
"The laptop should be both usable and secure out-of-the-box, without the need to download security updates when at all possible."
- Limited institutional PKI
"The laptop will be supplied with public keys from OLPC and the country or regional authority (e.g. the ministry or department of education), but these keys will not be used to validate the identity of laptop users. The sole purpose of these keys will be to verify the integrity of bundled software and content. Users will be identified through an organically-grown PKI without a certified chain of trust — in other words, our approach to PKI is KCM, or key continuity management."
- No permanent data loss
"Information on the laptop will be replicated to some centralized storage place so that the student can recover it in the event that the laptop is lost, stolen or destroyed." Data backups retain all versions.
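The "organically-grown PKI" described under the PKI goal is key continuity management: a peer's key is remembered the first time it is seen and every later contact is checked against that record, so an unexpected key change is flagged rather than silently trusted. The following is an added illustration of that general mechanism, not OLPC or Bitfrost code; the laptop serials, key bytes and the `KeyContinuityStore` API are constructed for the example.

```python
"""Toy key-continuity-management (KCM) store.

Added illustration of the "organically-grown PKI" idea quoted above; it is
not OLPC/Bitfrost code, and the identities and keys below are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    FIRST_SEEN = "first-seen"   # no prior record: remember the key (trust on first use)
    MATCH = "match"             # same key as before: continuity holds
    MISMATCH = "mismatch"       # different key: possible impersonation, needs review


def fingerprint(public_key: bytes) -> str:
    """Stable identifier for a key; comparing fingerprints avoids storing full keys."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class KeyContinuityStore:
    """Maps a peer identity (e.g. a laptop serial) to the key fingerprint first seen for it."""
    known: dict = field(default_factory=dict)

    def check(self, identity: str, public_key: bytes) -> Verdict:
        fp = fingerprint(public_key)
        previous = self.known.get(identity)
        if previous is None:
            self.known[identity] = fp
            return Verdict.FIRST_SEEN
        if previous == fp:
            return Verdict.MATCH
        # Deliberately do NOT overwrite the record: a silent replace would
        # defeat continuity. The caller decides how to handle the mismatch.
        return Verdict.MISMATCH

    def rekey(self, identity: str, public_key: bytes) -> None:
        """Explicit key change approved out of band (e.g. a laptop re-issued to a student)."""
        self.known[identity] = fingerprint(public_key)


def demo() -> list:
    """Run a constructed sequence of contacts and return the verdicts in order."""
    store = KeyContinuityStore()
    # Constructed sample keys: placeholder bytes standing in for real public keys.
    key_a = b"-----constructed public key of laptop SN-0001-----"
    key_b = b"-----constructed public key of laptop SN-0002-----"
    key_x = b"-----constructed key presented by an impostor-----"
    return [
        store.check("SN-0001", key_a),   # first contact: recorded
        store.check("SN-0002", key_b),   # first contact: recorded
        store.check("SN-0001", key_a),   # same key again: continuity holds
        store.check("SN-0001", key_x),   # different key for a known identity: flagged
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.value)
```

The important design point is in `check`: a mismatch is reported, never auto-accepted, and a key is only replaced through the explicit `rekey` path, which is where an out-of-band decision (a school administrator confirming a re-issued laptop, for instance) would be enforced.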
"The machine will also feature an anti-theft kill switch that gives school administrators the ability to permanently disable lost laptops. Krstić said the OLPC received "very strong requests from certain countries" for a powerful anti-theft mechanism, leading to the decision to add a call-home feature that pings an anti-theft server for authentication."
"The security process actually starts at the time the machine is manufactured, Krstić said, pointing out that a randomly generated serial and UUID number is fitted into each laptop at the manufacturing plant. A brand new OLPC machine is largely non-functional unless it is activated with the key and UUID number."
"This helps to deal with a potential weakness in the distribution component, when millions of machines are shipped internationally. The OLPC will generate and deliver the [software] keys on a [hardware] USB key to the schools and, once an OLPC server is installed, the keys for specific laptops can be turned on to bring the machine to life."
"The spec assumes the machines will be potential targets for many of the threats on mainstream computers — from data theft to viruses and malware to botnets — and Krstić said the threat model calls for the machine to be resilient even if an attacker is successful."