On 09.07.2008 21:40, Michael Stone wrote:
> On Wed, Jul 09, 2008 at 02:09:32PM -0400, Benjamin M. Schwartz wrote:
>
>> I find this e-mail is vague to the point of incomprehensibility.
>>
>> Michael Stone wrote:
>> | 1. If the attacker wishes to resell "working" laptops (rather than, say,
>> | components), then deploying this scheme may force attackers to
>> | circumvent theft-deterrence protections more quickly.
>>
>> Vague. What do attackers have to do more quickly? Clearly reprogramming
>> the SPI flash can be done even after all the timeouts expire, so you must
>> be thinking of something else.
>>
>
> Replacing the SPI flash is a means of circumventing the theft-deterrence
> protections. My claim is that the point of the scheme is to force
> attackers who wish to resell laptops running something like our software
> to employ such a circumvention.
>
[...]
>
>> | 3. The major security effects derive from rearranging and hopefully
>> | reducing the support costs of the theft-deterrence system (e.g. by
>> | exchanging the cost of providing connectivity to the OLPC GTDS for the
>> | cost of maintaining public key infrastructure) rather than as a result
>> | of any technical improvement in the security afforded by the design or
>> | the software.
>>
>> I would say that the main security effects derive from introducing theft
>> deterrents in places without internet access. Currently, there is no
>> technical deterrent to theft in these schools.
>>

So you both are saying that right now theft deterrence
- can be circumvented easily even without hardware modifications and
- does not even exist in some places.

Ouch. That's not security, it's a disaster. I really hope this is not
the case.

Regards,
Carl-Daniel

-- 
http://www.hailfinger.org/

