[IAEP] [Sugar-devel] A security vs. functionality question

Michael Stone michael at laptop.org
Thu Aug 6 22:05:53 EDT 2009

Lucian, Ben:

Here are a bunch of reactions. Apologies for the delay. :)


Lucian Branescu wrote:
> A chroot because afaik rainbow doesn't really work outside the XO
> distro. My impression may be wrong, though.

Would you mind taking a look at 


for me and letting me know what questions you are left with?

Ben Schwartz wrote:
> Rainbow is not currently used much outside of the XO, but it should be,
> and it can be.  Michael Stone, who developed it, no longer works for OLPC,
> but he has continued to update it.  It can be packaged for any distro.
> There has been some bitrot; Sugar needs to be tweaked to regain
> compatibility. Someone will have to be bold enough to write the patches.

Sascha and I actually wrote the most important patches several months ago and
Tomeu merged them last weekend in response to #593. (Thanks, Tomeu and Sascha!)

(That being said, there's more fun to be had -- check out the "next steps"
Rainbow page!)

Lucian Branescu wrote:
> I had assumed everyone has root access, it is such a basic need for a
> machine you own.

The most notable existing Sugar users I know of who lack easy root access are
the kids using Sugar in Uruguay and Ethiopia. It's an unfortunate situation.

Ben Schwartz wrote:
> To educators:
> How concerned are you about a feature that allows one student to invite
> others to play on their computer?  Remote access is only granted if the
> user chooses to share a specific activity.  The effect is similar to
> letting someone walk over and type on your keyboard.

With current technology, it's a bit more like letting any stranger with a
nametag that reads "Jimmy" walk over and type on your keyboard when you
actually meant to invite your friend Jimmy over to help you. 

(Also, do note that your simile also describes the current security properties
of activity installation, web browsing, Adobe-Flash playing, and perhaps of
plugging in USB sticks -- that is: "non-existent".)

Ben Schwartz wrote:
> To engineers:
> Is sharing an activity a sufficient indication of intent from the user to
> execute a potentially dangerous action, such as sharing Terminal on a
> public collaboration server?  

Let's start with a more basic question: 

   what mental model(s) of software do we want to share with our learners?

Ben Schwartz wrote:
> An Activity can easily be stopped by a single click at any time.

Pff. On Sugar today, an activity can probably reformat your hard disk, reflash
your BIOS, or make toast on your IPv6-enabled toaster. (Such, by the way, is
the general state of desktop security.) Your only hope of stopping a malicious
activity is to cut the power.

Ben Schwartz wrote:
> One possibility that has occurred to me is to permit unsafe sharing only
> with users who have already been designated as Buddies.  Instead of "Share
> with My Neighborhood", the toolbar would only offer "Share with My Friends".

A good design exercise that I think might shed some light on your situation
would be to analyze your SharedTerm system, in both its current and in this
proposed form, in terms of Ka-Ping Yee's design principles for usable security:


(Also, do let me know if you would like to pursue this course -- I would enjoy
practicing with you.)
