An alternative anti-theft mechanism for OLPC
A potential problem with the OLPC XO laptop is that it could be stolen. Various techniques are used to try to prevent this; for example, it is supposed to look unattractive to adults but attractive to children. There's also an optional DRM-like anti-theft mechanism. This requests (through the internet) permission to continue working every day. If the laptop has been reported as stolen, permission to continue functioning won't be granted by OLPC, and if the laptop doesn't get permission for a certain amount of time (say three weeks), it will disable itself.
This article will discuss some problems with that anti-theft mechanism and suggest a different strategy.
Neither the child who owns the laptop nor its parents can be expected to report theft, simply because they may not have the resources to contact the OLPC organization, so a teacher will have to do it. Even if the teacher can be trusted, this is a problem: stealing a single laptop and threatening the owner to make sure the theft won't be reported isn't worth the effort, but threatening the teacher and then stealing many laptops is.
Another problem: perhaps someone doesn't like what is taught in a certain school (evolution?), and wants to do some book burning. This is easy if the books are stored in laptops that will be disabled when some far away person can be led to believe they have been stolen.
The result is that whenever there are reports of many laptops being stolen, someone from OLPC will have to come to see what really happened. So what does a smart thief do? He will cause false reports until the OLPC organization gives up and stops visiting.
All these problems (we bet there are even more) are caused by the fact that this anti-theft mechanism is organized as a tree, with children/laptops at the leaves, teachers in the middle and OLPC at the root. If you attack a node higher in the tree (odd but true, computer scientists put the root at the top), all those below will be affected. If we want to avoid these issues, the laptop can only rely on itself and its peers to determine if it should refuse to work.
We will now describe an alternative anti-theft mechanism that is not tree-shaped and which relies only on the laptops. Note that this isn't a set of ideas that can be implemented separately; they are only effective when combined.
The laptop observes the user
The laptop tries to answer some questions about the user that could give a hint about the device being stolen or not. These could, for example, be:
- Does the main user (the person who uses the laptop most of the time) look different? The XO has a built-in camera, however face recognition may be difficult.
- Does the main user look like an adult? This may be easier than recognizing the face of a particular person, and doesn't require a learning phase. On the other hand, some children may be consistently mistaken for adults.
- Does the main user look much older than before?
- Did the input patterns from the main user change? E.g. much faster or slower typing, change from using mostly the keyboard to mostly the pointing device, a large change of the set of most often used words, change of most often used applications... Of course this should be measured over multiple days.
- Hasn't the laptop been switched on for a few days (perhaps waiting to be sold)?
- Etcetera.
The laptop asks other laptops it trusts for advice
Biometric and statistical data as described in the previous section aren't good enough for a laptop to decide to disable itself. Even if it does so only when several of the conditions are combined, the risk of mistakes is too high. We'll solve that problem by communicating with other laptops.
- The laptop maintains a list of "friend" laptops that are wirelessly communicated with often. "Seeing" them once a week should be enough.
- If one or two of those aren't seen for multiple weeks, they are replaced in the list by others.
- If most friends aren't seen for a long time, that is: they disappear within the same week and don't reappear for another, say, two weeks, disable the laptop until at least two friends are seen again within a week.
- If, after making the observations described in the previous section, the laptop believes it may have been stolen, it asks its friends if they also think they were stolen. If most were, the laptop disables itself. It does continue to answer requests for advice from other laptops.
Now, a stolen laptop can only work if it stays close to its friends. This is good: a child can ask the laptop of a friend where in the wireless mesh its own laptop is, send a few adults to retrieve it and then continue using it without needing to re-request permission.
With a few laptops it's even possible to pinpoint the stolen one by triangulation (using wireless signal strength). Triangulation is also useful for finding lost but not stolen laptops, and of course for a cooperative mapping application (which we believe the children would love).
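The friend-list rules of this section, together with the case raised in the FAQ below (several laptops stolen together), modelled in Python. This is an added example, not code from the article or from OLPC; the `Laptop` class, the week-based clock, the helper names and the `REPLACE_WEEKS` threshold are assumptions, while the other thresholds follow the numbers given in the text.

```python
from dataclasses import dataclass, field

ABSENT_WEEKS = 2   # "don't reappear for another, say, two weeks"
REPLACE_WEEKS = 3  # assumed reading of "not seen for multiple weeks"
QUORUM = 2         # "at least two friends are seen again within a week"


@dataclass
class Laptop:  # hypothetical model: all names here are assumptions
    name: str
    friends: dict = field(default_factory=dict)  # friend name -> week last seen
    suspects_theft: bool = False  # outcome of the local user observations
    disabled: bool = False

    def advice(self) -> bool:
        """Answer a friend's question; a disabled laptop still answers."""
        return self.suspects_theft

    def tick(self, week: int, in_range: list) -> bool:
        """Process one week of radio contact; return True if the laptop may run."""
        reachable = {p.name: p for p in in_range if p is not self}
        for name in self.friends:
            if name in reachable:
                self.friends[name] = week
        gone = {n: w for n, w in self.friends.items() if week - w >= ABSENT_WEEKS}
        if len(gone) > len(self.friends) / 2:
            # Most friends are missing: disable only if they vanished together.
            self.disabled |= len(set(gone.values())) == 1
        else:
            # Only a few drifted away: swap long-absent friends for new neighbours.
            stale = [n for n, w in gone.items() if week - w >= REPLACE_WEEKS]
            fresh = [n for n in reachable if n not in self.friends]
            for old, new in zip(stale, fresh):
                del self.friends[old]
                self.friends[new] = week
        seen_now = [n for n in self.friends if n in reachable]
        if self.disabled and len(seen_now) >= QUORUM:
            self.disabled = False
        if self.suspects_theft and seen_now:
            # Local suspicion alone is not enough: ask the friends in range.
            votes = [reachable[n].advice() for n in seen_now]
            if sum(votes) > len(votes) / 2:
                self.disabled = True
        return not self.disabled


def village(names, week=0):
    """Build laptops that all list each other as friends, last seen in `week`."""
    return {n: Laptop(n, {m: week for m in names if m != n}) for n in names}


def stolen_together(suspicious=True, weeks=4):
    """FAQ scenario: a, b and c are stolen together; returns who still runs."""
    gang = [lap for n, lap in village("abcde").items() if n in "abc"]
    for lap in gang:
        lap.suspects_theft = suspicious
    for week in range(1, weeks + 1):
        running = {lap.name: lap.tick(week, gang) for lap in gang}
    return running
```

Calling `stolen_together(suspicious=False)` shows why the friends list alone is not enough: the three laptops keep each other alive until the user observations raise suspicion and the peer vote confirms it.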
New problems
There are a few problems with our new strategy:
- If a child moves to a different village or neighborhood, the laptop will lose sight of its friends. Solution: the child gives the laptop back to the teacher and receives a new laptop at its destination.
- If a child graduates from school (or moves), its laptop cannot be given to another child. Solution: the person who delivers new laptops every year (and who should be trusted anyway) can reset the anti-theft mechanism.
FAQ
- Q: Why not use only the friends list? A: A thief could steal a few laptops from houses that are close to each other, and those laptops would continue seeing each other and therefore wouldn't disable themselves.
- Q: What about the child going on a vacation? A: The laptop will continue working for a large part of a long vacation, and re-enable itself when the child gets home.
- Q: What if the thief sells the laptop before it stops working? A: Note this problem already existed in the original anti-theft mechanism. A disabled laptop should display a message explaining why it's not working and asking to return it. A few laptops will be stolen and sold, but people will learn not to waste their money on them soon enough.
Thanks
Thanks to libervisco and dylunio for commenting on the draft. Answering your questions led to finding better solutions!
Also thanks to those who pointed out o2's promising (although a bit too ambitious) project for securing mobile phones and laptop-theft. Hopefully this becomes the future of portable gadget security. -- libervisco
© copyright 2007 Taco Buitenhuis for mobiliberty.com. This work is licensed under a Creative Commons Attribution-Share Alike 3.0 License.




FAQ addition:
Q: Isn't observing the user spying?
A: Not if the observations aren't sent to anyone. In my humble opinion, contacting an authority every day a laptop is used is closer to spying.
Q: What if a child wants to let its parents use the laptop for a while?
A: Because we're not trusting the biometrics and asking other laptops for their opinions, and only shut down if the friend laptops aren't seen for a long time, this will only be a problem when *most* children decide to let their parents use their laptops, all at the same time!
... said the guy whose mobile is always switched off
Hi,
You talk about how the laptop requests permission to work (which is true) and will shut down if it doesn't get it, and then in the next paragraph you talk about the problems of humans filing theft reports.
Why does a human need to file a theft report? The laptop will shut down after a few weeks of not receiving a new lease from the school server; there's no theft report involved in that, and certainly no OLPC inspections.
A theft report is optional if you want the laptop to shut down immediately rather than when the lease runs out.
- Chris.
Hi Chris,
You're right theft reports are optional. Not having the possibility of theft reports would close quite a can of worms, and it would be odd theft reports (especially lots of laptops) that would cause OLPC inspections.
This suggests that "get rid of theft reports" solves the problems. Not so.
If a theft isn't reported, one could in principle steal a laptop and let it continue functioning by taking it near the school every three weeks. One could even give it internet access through some other access point than the school, but maybe OLPC can detect it's connecting from the wrong place. On the other hand, it's possible some children who live far away from their schools will make legitimate use of an "unofficial" access point. Their laptops shouldn't be disabled.
It's possible a certain school won't have an internet connection for more than three weeks (or whatever period is chosen). To prevent the laptops from disabling themselves because of that, one would need to give the teacher some kind of password or device that resets the anti-theft mechanism. Both passwords and devices can be stolen... Let's try to fix that.
Maybe the passwords should be usable only one time? Then the problem reappears after six weeks. How about letting the teacher make a phone call to get the next password? ... but if you can make phone calls, you can have (slow) internet! Send the password by mail? Do we trust the mailman?
What about a secured device that can only be used by the teacher (for example it may contain a fingerprint reader)? Then what if the teacher gets replaced by another? And how difficult is it to modify the security mechanism of the unlocking device? Make the device password-protected? Oh wait... never mind.
Thank you,
TB
... said the guy whose mobile is always switched off
Very complex situation! It is due a deeper understanding/reading (by me) to get the whole thing. But just as a quick suggestion I could mention one possibility: make use of the ever-present - in poor countries - AM (amplitude modulated) radios operating on the 550 kHz to 1600 kHz band. To implement a micro receiver for AM/medium waves is trivial. Generally, the government has state radios that could broadcast (hidden in the radio modulation) codes that could turn on/off one specific OLPC.
Just my two cents.
I have some experience on long distance traveling in
Southeast Asia somewhere with trucks -> problem of
pirates, robbers, and the like. A few, hopefully useful,
analogies might be made.
** Truck's drivers don't travel at night in given areas,
they stop at restaurants they know--which means: they
don't drive beyond restaurant[i] past some time in the
afternoon/evening, when the next known restaurant[i+1]
on the street is too far.
Laptops for children do not work past some given time
at night (with exceptions--see next).
** Under circumstances, not as method and in a subset
of the above mentioned areas, drivers may take the
risk and drive at night in convoys of two (a bit
dangerous still), three, four trucks--every truck
driver knowing well most of the others (two drivers x
truck in general).
A similar model can be made to use at night the laptops
for the children, exceptionally.
** Too odd patterns. Debris (rocks, branches, etc.) are
put on the asphalt, so to force a truck (20-35 tonnes)
to slow down as needed, and let it begin zigzagging;
the truck passes under a selected tree, or under a not
too tall bridge; the robbers jump on the truck from
the branch of the chosen tree, or from the bridge;
cut the tarpaulin; if there is no metal net under the
tarpaulin, they start grabbing merchandise and throwing
it from the top on the side of the street (forest,
given spots), for maybe 5-10-15 kilometers, till a
complementary zigzagging is met, for leaving the victim
truck; a pick-up follows, minutes later, to collect the
items. The same can be achieved via plenty of others
means and tricks. And a partial solution is: convoys
again, plus frequent rotation, so to *protect* the last
truck in the convoy [you can typically see nothing, or
very little, of what happens on your truck behind];
A similar model can be made for the laptops of the
children: behaviors which deviate too much, and for
too long [hours], from some typical children use, need
peer's [laptop for children] validation/input.
** And so on.
Anyway, too banal anti-theft schemes would lead to denials
of service quite likely, deliberate and involuntary, till
the every given mechanism becomes disabled eventually. The
article intelligently underlines or hints at it. Single
point of failure are generally bad from the perspective of
*securing* something.
Beyond the fact that reporting thefts is definitively NOT
peanuts [and that for m reasons] in developing countries,
calling teachers at just every glitch, doesn't take the
problem of *corruption* under many forms (I could tell
enough *real-world* [developing country] examples),
which it exists at a _different_ level than in developed
countries, and be it only as a game of power to become
more influential fast and make a better *career* at
the school, into account; nor does it consider the
administrative burden (time, e.g.) and the ambient
situation.
The situation is not much circumventable at its roots, on
the other hand: if the anti-theft mechanism works well,
the *local* [to speak] mafia may *seize* [can be done in
different ways] the laptops anyway, and tout court--with
everyone knowing where the *stolen* laptops are--and ask
a ransom/toll for the laptops [I could make a couple
of examples of similar cases, will not of course]. The
teachers would at least not have to endure the pressure
directly.
Criminals "kidnapping" the laptops without planning to use them is a whole different kind of problem. I'm afraid there's no technical solution against that except for the following two:
- make the computers immobile (not laptops)
- make stolen laptops explode!
Neither option is a good idea. I guess you have found a problem that could make the whole project fail in countries with too much criminality.
... said the guy whose mobile is always switched off
> I'm afraid there's no technical solution against that
> except for the following two [etc.]
Disagree ... but perhaps you were merely kidding.
- just follow the standard trade off scheme in anti-theft,
make the project of robbing/recycling a given item
uninteresting, or look unfavorable. (Too much work,
resources, risks, etc. to invest for the effective value
of the merchandise.)
> said the guy whose mobile is always switched off
Why always switched off?
In our case--the laptops for the children--it should
even be possible to accomplish the above mentioned step
relatively transparently, from the perspective of the
users; and easily, in a sense and technically speaking,
given that the laptops are not generic ones.
Care should be used in letting know well, and in
instructing people around that the laptops are worthless
unless used--by children--as originally intended; in
making the laptops for the children well distinguishable
and recognizable from the other laptops; and in not
moving them in huge numbers at once.
Nothing impossible.
In most developing countries, children go to school for
half-day a day [for different reasons]; maybe from 08:00
to 13:00 one week, and from 13:00 to 17:30 the next one,
Saturdays inclusive. Hence they have enough remaining time
to stay together.
Moreover, just a university professor such as Niklaus
Wirth, from the Swiss Federal Polytechnic in Zurich, used
to assign (obligatory) exercises to his students that
complex and time consuming, so to force the students to
work and solve problems collectively--not individually. A
good principle.
If children from developing countries learn to do the
same early, it only comes as a plus, beyond getting the
laptops.
What I mean is that if criminals steal laptops with the intent of making schools pay for getting them back, it doesn't matter to those criminals if those laptops stop working after having been stolen. Only if the laptops are disabled permanently, so the school won't be interested in getting them back, that could matter to the criminals. On the other hand, laptops that can't be re-enabled after a theft are rather wasteful.
... said the guy whose mobile is always switched off
> What I mean is that if criminals steal laptops with the
> intent of
This is not easy to be done without getting some
complicity, cover up and sponsoring [money input, e.g.]
from *higher places*. It would not pass unnoticed at the
international level, with all its consequences. Too much
risk for ?!
Most importantly, it's hardly feasible once the
laptops--with no-nonsense alternative mechanism
enabled--are distributed to the children. Who would pay,
the schools, the parents of the children, ...?!
Political manipulation in the interest of some unpopular,
or in *difficulty*, administration [not necessarily
from the same given destination country], or even some
kind of *sabotage*, are another thing. And, actually, I
was thinking more at those, putting in difficulties and
setting under pressure selected groups and categories of
the population.
(The examples of the truck drivers [students] confronted
with the *pirates* [student's enemies] I have given,
should be interpreted more ... how to say?, abstractly,
algebraically.)
Here you can read a couple of [recent] high level
articles, selected more or less at random [I just have
finished reading them], but which illustrate--though off
topic per se--the implications and complexities of a
project such the laptops for the children well [think at
the *pirates*]:
** http://www.voltairenet.org/article145808.html
L'oligarchie venezuelienne tente de provoquer un crise
alimentaire, par Salim Lamrani
** http://globalresearch.ca/index.php?context=viewArticle&code=KEN20070307&...
Brazil's Ethanol Plan Breeds Rural Poverty,
Environmental Degradation
by Isabella Kenfield
And this is, just for comparison, an article on the
situation of a *developed country*
** www.globalresearch.ca/index.php?context=viewArticle&code=20070310&articl...
The Human Rights Record in the United States in 2006
China's report on Human Rights Violations in America
by China's State Council [March 13, 2007]
I slept with this problem and this is my dream :)
SXO - probably stolen laptop (Stolen XO)
NXO - laptops from old neighbourhood (Neighbourhood XO)
UXO - XO user
XO_ID - identification number of every XO
After 3 weeks out of known neighbourhood (long holidays?) send to old neighbourhood (NXO): Am_I_Stolen(SXO_ID, UXO_Name, UXO_Surname, UXO_Nick)
{
    if answers<5 then wait 1 day and ask again (7 times?, then go to eternal sleep)
    else
    {
        if Stolen > NotStolen then
        {
            I'll shoot my head
            Buum!
            Dead
        }
        else
        {
            I'm not stolen
            Start learning new neighbourhood
        }
    }
}
Am_I_Stolen(SXO_ID, UserName, UserSurname, UserNick)
{
    if my neighbourhood is OK then
    {
        ask my UXO: do you know: SXO_ID, UserName, UserSurname, UserNick?
        if YES then
        {
            if (SXO was stolen?)=true then
            {
                send to SXO: YES, YOU ARE STOLEN
            }
            else
            {
                send to SXO: NO, YOU ARE NOT STOLEN
            }
        }
        else
        {
            do nothing
        }
    }
    else
    {
        do nothing
    }
}
Of course it's only an idea.