| Comments (6) | SYSSEC
Gizmodo covers the fully buzzword compliant CherryPal PC. The general idea is that it's a lightweight home device that relies on "cloud computing" for its backend computational operations. Some surprising security claims are also being made. Here's what's on Gizmodo (in what looks like a press release):
CherryPal is the only company that provides a patent-pending combination of both hardware and software encryption, making it highly secure. The CherryPal also offers a patent-pending single software layer technology. This collapses the operating system and browser into one layer, where there had traditionally been three separate layers. It makes the computer exponentially faster and virtually eliminates any risk of bugs or viruses for the user.

There appear to be two claims here. First, they are using "a combination of both hardware and software encryption", which makes things really secure. Now, it's true that there are settings in which hardware encryption is more secure than software encryption, but it's hard to see why they apply here. The major advantage of hardware encryption is that you can build hardware which makes the keying material inaccessible even if you have control of the device. So, for instance, if your device is remotely compromised the attacker wouldn't be able to steal the keys. As I said, there are situations where this is important, but it's not clear that this one; if your machine is remotely compromised, you're probably going to want to completely wipe it, and it's not really that hard to replace the crypto keys as well. Moreover, it's not clear from this material that they even are using hardware-based key isolation.

The second claim is this thing about the "patent-pending single software layer". I'm not sure what this means either. I usually think of the operating system and browser as two layers, so I'm not sure what the third layer is. It sounds like the claim is that the browser is running directly on the metal, which isn't impossible, but it's pretty unclear what the advantage is. One of the major features of modern systems is precisely that they separate the OS from the applications; this allows the OS to enforce policies on the application, as well as to contain compromise of the application (though of course you still have to worry about privilege escalation attacks.) I'm not aware of any security theory that indicates that it's more secure to have only one software component. While we're on the topic, since this sort of monolithic design is the way that systems used to work, it's not clear what's patentable here. (A little searching didn't turn up the patents, but if someone points me to them, I'll take a look.)

Oh, this is good too:

CherryPal is also the first company since Apple Computers to use a Power Architecture-based processor in a personal computer by employing the Freescale MPC5121e mobileGT processor. This chip allows for built-in graphics and audio processing, all while consuming only 400 MHz of power.

400 MHz isn't really that usual a unit of power. Am I supposed to multiply by Planck's constant here?


Hmm. It appears that they have an OS and applications.

From their "Values" page.

"We built CherryPal using open-source software including the Firefox browser and a Linux OS."

From their "FAQ" page:

"The office productivity suite, iTunes, a media player and instant messenger are all stored on the CherryPal desktop device, as well as in the CherryPalCloud."


"The C100 runs an embedded customized version of the Debian Linux operating system, but the machine's makers say its main operating system is the Firefox Internet browser. 'The operating system is not exposed to the user. So the user experience is, you turn it on, fire it up and then you see the log-in screen, user ID and password. The next thing you see is the mandatory landing page -- the Firefox browser,' Seybold told TechNewsWorld."

That sounds like some serious security innovation they've got there.

So it's a set-top box without video?

Technically, if you multiply MHz by Planck's constant, you get energy, which still isn't power.

It looks like every article is more or less a rewrite of the press release, although The Register has done some digging. I'm at least as skeptical as they are: these guys can reportedly get iTunes to run (legally) on their Linux-based OS, but they can't work out any kind of pre-order system except Paypal.

Google hit #1 for "Parkside Ventures", their PoC for the Paypal charges forwards you to, which will happily redirect you to a trojan-serving site if your browser presents a google Referer:. (If it doesn't, you get a "Coming Soon" one-liner.) Classy.

hydra:~ adam$ units500 units, 54 prefixesYou have: 400 MHzYou want: wattsconformability error 4e+08 / sec 1 kg m^2 / sec^3

Ugh. "you may use HTML tags for style" is not quite correct, as <br/> tags are elided. Preview doesn't work, so I can't check formatting before committing -- I'd have to say your blog is one of the most powerful anti-movable-type advertisements available on the web.

Wordpress should hire you.

Leave a comment