30 November 2009

Fix bricked XOs automatically

I've been getting increasing numbers of requests from donors in the first OLPC Give 1 Get 1, many of whom are just getting around to opening their XOs, to have their laptops repaired. As is now widely known, due to a manufacturing glitch the first few batches of OLPC XO-1s that were shipped to consumers had a faulty motherboard battery holder. This alone wouldn't be a problem, if only two other things hadn't happened at the same time:

  • The XO-1s were shipped with Open Firmware's security enabled. This caused them to have the same anti-theft protection as laptops deployed in the third world, without any of the benefits of a remote killswitch or tracking

  • The XO-1s had a version of OFW which would fail to boot when the clock was below a certain value


The above two issues, combined with the manufacturing fault, were a recipe for disaster. Owners who discovered this in the first 30 days were able to get an RMA and a working laptop, but OLPC lacked the resources to support those outside of this minimal warranty. I've been running an OLPC repair center, OLPC DC Repair, (charging only minimal fees for labor and shipping) since mid-2008, and have handled dozens of these "unbricking" problems.

The procedure for repairing the above is straightforward and well documented. However, it can be tedious, especially for those who are unfamiliar with the tools involved. Since I needed the programming practice anyway, I decided to write a rudimentary Python script to automate the process.


Thus enters d6.py. d6.py makes it (hopefully) amazingly simple to unbrick your XO, so that you can get up and running as soon as possible. You can clone the git repo, or download it directly (permalink). To download and run in a single command:
python -c "import urllib2; exec urllib2.urlopen('http://dev.laptop.org/git/activities/olpc-contrib/tree/d6.py').read()"

Plug in your OLPC Serial Adapter (or one of the compatible alternatives), and run the script as a user which has access to /dev/ttyUSB0 (or as root, not recommended) or change the path inside the script to something suitable to your system. This script is in the alpha state, is poorly documented, and may not handle all edge cases (read: other people's systems) well. I'm not responsible if it kills your cat, lights your XO on fire, or makes your wife leave you, but hopefully it'll be of some use. Expect a GUI shortly.

Limitations:

  • Does not handle all error conditions

  • No command line params

  • Hard-coded path to serial adapter


The code therefore does not run on platforms other than Linux. You might also encounter problems on a system with brltty installed; removing it should fix the conflict.

Feedback is more than welcome in the comments.

03 July 2009

NComputing and Sugar

Apologies for not posting recently, but I've been really busy with various events and tasks for the summer. I just got back from NECC09, where ISTE had been nice enough to give Sugar and other FLOSS projects their own presentation room, gratis.

While assisting with the various presentations at the Open Source Center and staffing the Sugar/OLPC booth, I ran into some of the folks from NComputing. Their corporation has some goals similar to those of OLPC, as both involve low-cost computing for the third world and elsewhere. Providing multi-seat technology, which is similar to thin clients without the lag and network overhead, they enable multiple displays and mice to function off a single computer. Since they support both Ubuntu and SuSE Linux with their (admittedly closed) hardware, I decided to investigate their technology as a means of enhancing deployment of Sugar.

The method to activate the NComputing software (requires registration to download) is not obvious; one must navigate to the console, select "Serial Numbers" from the side menu, and then right click the empty license list and choose "Manage". Many users would not be able to do so without the manual; maybe it would be easier to prompt for a license key in the debconf install process?

Unfortunately, I wasn't able to test their software with Sugar; the most recent version of Ubuntu they support is 8.04, and I can't even insmod their kernel module on 9.04.

aside: meant to put this out an age ago, just got around to hitting "publish" today. (2009-08-16)


14 May 2009

Personal Security: the Secret Question and Answer

In this session, we'll explore some parts of infosec which should be taught in primary school.

We're all too smart to use the same password on multiple sites, right?

While most people, myself included, cannot say "yes" to that question (at least not for everything), that alone is not enough. This is because no matter how secure your password is, be it 20 letters long with various dingbats and unusual characters, there is a weak link in this system. Or rather, two:

Your email is an obvious vulnerability: if someone was able to gain access to that, it would be trivial to reset your password for Facebook, YouTube, Meebo, etc.

What if you have a strong email password, you ask? In that case, we get on to the heart of the matter (which is also the most relevant to all those social networking users out there): secret questions.

Secret Q&As (SQAs) were initially a good idea: provide an alternative in case one has lost access to one's email, or never set one in the first place (as with Gmail or Yahoo). They present an interesting problem, however: while the average netizen is unlikely to know the mother's maiden name of dogggzlover98382374@hotmail.com, if even your name can be figured out from your email address (or the attacker knows you personally), it is trivial to use sites such as Facebook and MySpace to find the answers to SQAs. A rather public example of this vulnerability was the break-in to Sarah Palin's email account last summer: all of the information needed could be found in public records.

An example of a possible attack against Facebook in particular:

  • Gain access to someone's profile, either by friend-requesting them outright or by masquerading as someone they know (and don't already despise).

  • Look for an email address on the profile or in wall posts.

  • Visit their email provider and reset their email password via the information in their profile.

  • Now reset their Facebook password. This will send an email to their address, which you already have access to.


This works against any site that uses an email loop, even one well designed to avoid common SQAs. Social networking sites, however, are particularly vulnerable because of the wealth of personal information one shares freely on them.

The problem is compounded by the fact that SQAs, being part of your personal history rather than anything transactional, are almost always the same between sites: one site's leaked answer unlocks the rest. So, if you're truly concerned about your information security: use something random for your SQAs and store them in a safe place.
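The advice above, random SQA answers kept somewhere safe, as an added example that is not part of the original post: it contrasts the guessing space of a profile-derived answer with a CSPRNG-generated one, gives each site its own answer to the same question, and writes the result to an owner-only file. The answer-space sizes in GUESSABLE_SPACES are assumed, illustrative figures.

```python
import json
import math
import os
import secrets
import stat
import string

# Constructed, illustrative sizes of the answer spaces an attacker who has read
# your profile would have to search; they are assumptions, not measured figures.
GUESSABLE_SPACES = {
    "mother's maiden name": 5000,   # common surnames in one country
    "first pet's name": 2000,
    "city of birth": 1000,
    "favourite colour": 20,
}

ALPHABET = string.ascii_letters + string.digits  # typeable into any web form

def entropy_bits(space_size: int) -> float:
    """Bits of guessing work when every value in the space is equally likely."""
    return math.log2(space_size)

def random_answer(length: int = 16) -> str:
    """A random answer drawn with a CSPRNG (secrets, never the random module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def random_answer_bits(length: int = 16) -> float:
    """Entropy of random_answer(length): length * log2(|ALPHABET|)."""
    return length * math.log2(len(ALPHABET))

def enrol_sqas(site: str, questions, vault: dict, length: int = 16) -> dict:
    """Record a fresh random answer per (site, question). The same question on two
    sites gets unrelated answers, so one site's leaked SQA is useless elsewhere."""
    entry = vault.setdefault(site, {})
    for question in questions:
        entry[question] = random_answer(length)
    return vault

def save_vault(vault: dict, path: str) -> int:
    """Write the vault as JSON readable only by its owner (POSIX mode 0600) and
    return the resulting file mode. A real password manager is the better home."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(vault, fh, indent=2)
    return stat.S_IMODE(os.stat(path).st_mode)
```

A 16-character answer from this alphabet carries about 95 bits, against roughly 12 bits for a maiden name drawn from a few thousand surnames.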