Domain: trustedcomputinggroup.org
Stories and comments across the archive that link to trustedcomputinggroup.org.
Comments · 158
-
drm ignorance
The ignorance of the DRM really scares me. It makes clear that the silent tactic of introducing so-called trusted computing step by step actually works. I really would like to love Apple and get one of the MacBook Pros, but no way I spend money on this. People, take care, but maybe it's too late already. What do you need to wake up? How about a 'trusted' hard disk? https://www.trustedcomputinggroup.org/groups/storage/Storage_Use_Case_Whitepaper_v07.pdf -
Re:I truly hate this crap, the companies will pay!
DRM is useless without Trusted Computing - but of course, this is why MS, Apple, Intel, AMD, IBM, Sun, HP, Infineon etc. are grouping together for this.
"And here the problem arises. With Trusted Computing, the control is taken away from the user and placed in the hands of the company that produced the hardware." - no, you see no one can take away your right to build your own software. I contribute to Free Source for example. All that trusted computing does is allow the OS to protect memory, protect hd space, protect network connectivity, printer connectivity, monitor, usb devices, basically all input and output devices. But the hardware work is minimal, it exchanges the keys with the OS and continues from there. The hardware manufacturers are not stupid to lock themselves into a specific proprietary OS, especially now, with IBM and Novell pushing GNU/Linux, with Google running on GNU/Linux. No, the job of the hardware manufacturers would be to ensure that the OS has full control over all resource permissions. That's it.
"And as I've also pointed out, just because a person illegally downloads files, doesn't make him less likely to purchase content." - and as a content provider I am telling you that this does not actually matter. From my personal point of view this is a matter of principle. I don't want my content to be 'shared' so I will welcome the DRM on the most used home OS that there is. -
Interesting question, wrong point:
You don't want to use products from any vendors who support the "Trusted Computing Initiative"? Then you're going to be in a world of hurt. Here are just some of their members (listed on the Trusted Computing Group's home page here: http://www.trustedcomputinggroup.org/about/members/):
CPU vendors: AMD, Intel
BIOS vendors: American Megatrends, Inc. (AMI), Phoenix (who bought Award a few years ago)
Hard drive vendors: Fujitsu, Hitachi, Maxtor, Seagate, Western Digital
Flash drive vendors: Lexar, M-Systems
Chipset and graphics vendors: ATI, Nvidia, Intel
Network card vendors: Broadcom, National Semiconductor, Marvell Semiconductor, Inc.
So you think you can build a system without parts from any of those vendors? It may be more difficult to avoid "Trusted Computing" than you think.
The answer is simple: at the moment one starts to sell only TCPA-enabled or, worse, TCPA-mandatory products, you dump them -- if enough people do this, we will have sunk TCPA by beating it where it hurts: $$$. If all of them go that direction, start building stuff from old stuff. We already have enough hardware for many of our processing needs, and we can always combine our garbage in interesting/creative new ways. Don't buy a new HDTV, and if you have enough leverage on your friends/family, don't let them buy it if it's TCPA-like controlled. Tell them it has the mark of the devil from Revelations if you need to (because, you know, in the broad sense it does).
I have today a Western Digital 120G drive. It has many of my TV shows recorded on it, and if TCPA is mandatory in the next 500G drive, guess what -- I'll shop around for 5 to 20 more 120G drives and a RAID controller. -
Who will supply your components?
You don't want to use products from any vendors who support the "Trusted Computing Initiative"? Then you're going to be in a world of hurt. Here are just some of their members (listed on the Trusted Computing Group's home page here: http://www.trustedcomputinggroup.org/about/members/):
CPU vendors: AMD, Intel
BIOS vendors: American Megatrends, Inc. (AMI), Phoenix (who bought Award a few years ago)
Hard drive vendors: Fujitsu, Hitachi, Maxtor, Seagate, Western Digital
Flash drive vendors: Lexar, M-Systems
Chipset and graphics vendors: ATI, Nvidia, Intel
Network card vendors: Broadcom, National Semiconductor, Marvell Semiconductor, Inc.
So you think you can build a system without parts from any of those vendors? It may be more difficult to avoid "Trusted Computing" than you think. -
Re:You're on it baby..
Perhaps a software solution like TOR or Freenet could help you sleep better at night?
Nope.
Are you familiar with Trusted Network Connect?
It is a new specification from the Trusted Computing Group to control and restrict network connections, and to control and restrict the networked computer.
"The TNC architecture enables network operators to enforce policies regarding endpoint integrity at or after network connection."
Of course the Trusted Computing Group is advertising it as a good thing, and is advertising it as protecting against viruses and network attacks, etc. However it is an incredibly powerful system to impose general restrictions and controls. Aside from being able to impose a global DRM system, it has the power to restrict and control and ultimately defeat TOR and Freenet and any other networked program you care to name.
Microsoft has already issued a press release that they are implementing this system.
The US President's Cyber Security advisor gave the keynote speech at the Washington D.C. Global Tech Summit and the main thrust of his speech was to call on ISPs to plan on implementing exactly this sort of system. He called on them to implement such a system to fight viruses and to secure the "National Information Infrastructure" against Terrorist Attack. He called on them to make it a mandatory part of the Terms Of Service for internet access. And the Global Tech Summit audience applauded his speech.
The EU and the UN have been running a large number of international workgroups on DRM and on establishing a new "Information Society". An Information Society which is to include exactly this sort of network control and DRM enforcement system. The EU and UN have been running many workgroups to work out a new system of Internet Governance to set up and manage this new Information Society. And in case you hadn't noticed, the EU and UN have been pushing pretty hard lately to remove control of the internet from the US and to place that control in the hands of a new UN Internet Governance organisation.
Intel, AMD, and IBM are all building new CPUs with this new Trusted Computing control and enforcement system built in. And it appears that by the end of *THIS YEAR* all new PCs will come standard with this Trusted Computing DRM enforcement chip welded to the motherboard, if not built into the CPU itself. The hardware specification for Windows Vista requires this enforcement chip on the motherboard for full and correct Windows operation. And no PC manufacturer and no PC retailer can possibly survive selling new PCs that are not Certified Windows Compatible and which cannot properly run the latest version of Windows. They cannot realistically survive selling hardware where Windows spits out error messages stating that you have incompatible hardware, error messages saying that the full featured graphics interface and the new hi-res graphics do not work because you have incompatible hardware.
Five, seven, ten years down the road the internet absolutely can be developed in a direction to defeat TOR and Freenet. And there are several hundred powerful corporations, and many governments and international organisations that see that as a GOOD direction to go, and which are actively and forcefully pushing to establish such a network.
And the way to establish such a network would be to establish an international body for Internet Governance (the world would obviously never accept such a system imposed by the US), and for that international standards body to establish international agreement on new internet standards similar to or including Trusted Network Connect, and to establish such a system along the internet backbones, and from there to push it to the ISPs, and from there to have ISPs impose Trusted Network Connect on all connections. It would then be impossible to connect to the internet unless you are using the mandatory enforcement hardware and software. -
Re:Also, this proves once and for all...
People keep repeating this and yes it's true you can emulate everything real easy, except for one tiny itsy-bitsy little thing -- The private key inside the chip. Remote attestation has been pretty much given a solid design. Platform Configuration Registers (PCRs), Attestation Identity Keys (AIKs), Endorsement Certs, RSA, SHA-1 are all part of the formula.
Secure Platform Attestation with TPMs
One frequent system attack involves making unauthorized changes to a platform's configuration. This allows misuse of the device and its contents as well as access to the networks to which the device is connected. In devices that use TPM chips, platform integrity is protected by secure storage of the platform configuration values and by secure reporting of the values. This enables attestation of the device by verifying that its configuration is intact. The mechanism is based on the chain of trust used in creating the hash values of the pre-boot information of the platform. It is common industry practice to check the integrity of a platform by comparing configuration settings when a platform is rebooted against the settings when it was set up. A "hash" algorithm is used to calculate a value from information stored in the Platform Configuration Registers (PCRs) when the platform is set up. When the platform is re-booted, a new hash value is calculated and compared against the original. If the values match, the computer or cell phone or other platform starts up and login proceeds. In unprotected systems, PCRs are accessible and the hash values are stored in system memory that is subject to compromise. In TPM-capable platforms, the hash value is calculated using the SHA-1 algorithm, access to the PCRs requires trusted authorization, and the hash values are stored within the TPMs in secure, non-volatile memory. These values are used to create Attestation Identity Keys (AIKs) that cannot be used unless a hash value is the same at the time of use as when the AIK was created. This makes it possible to determine if trusted-state configuration parameters are corrupted. If they are corrupted, use of the device may be denied.
TPM-Protected digital signatures: Protect the private signature keys. Keys are stored inside the TPM and are not exposed in system memory during signing operations.
A true Random Number Generator (RNG) is used to create RSA key pairs internal to the TPM. The TPM chip's RNG generates the seed numbers for the cryptographic processor's encryption, decryption, and key generation functions. Performing the RSA calculations in the TPM instead of in the general system processor improves both system and encryption performance. The TPM generates, stores, and manages cryptographic keys in hardware, which "hardens" applications that originally relied on software-only encryption algorithms.
The main thing to get out of all that is that you never get the private keys.. Ever....
And the hash values can only be reset by rebooting.
The process of acquiring AIKs:
1. Owner bundles into an ID (request: New ID PubKey, Endorsement Cert, Platform Cert, Conformance Cert)
2. Owner sends ID request to TTP
3. TTP verifies Certificates
4. TTP signs ID
5. Signed ID sent to TPM
AIKs are created using Certificates (also called Credentials) available within the TPM. AIKs do not have any direct association with the EK or the credentials. AIKs are always bound to the platform and can be used to provide attestation to the platform's identification and configuration. It is important to note that the service provider (or challenger) trusts the Trusted Third Party (TTP) to do its due diligence before issuing AIKs to a platform. -
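The quoted whitepaper text describes PCRs as extend-only hash registers that are compared against values recorded at setup. The following is an added example, written for this page and not taken from the thread, the TCG specifications or any TPM vendor's code: a software simulation of the PCR extend operation and of the checks a challenger performs on an attestation report. The 24-register layout, the two-stage boot, the firmware images and the event-log shape are constructed for illustration; SHA-1 is used because that is the digest the quoted text names for TPM 1.2. Signature verification of the quote with the AIK is left out, so the simulation shows why the event log alone is untrusted and why the register value cannot be rolled back in software, but not how the private key stays inside the chip.

```python
# Added example (not from the original thread or the TCG whitepaper): a software
# simulation of TPM 1.2 style PCR extend and of the verifier-side checks that
# remote attestation performs. Register count, component names and images are
# constructed for illustration.
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

NUM_PCRS = 24
PCR_INIT = bytes(20)          # a SHA-1 PCR is all zeros after a platform reset


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def extend(pcr_value: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = SHA1(old || measurement).

    The old value is folded in rather than overwritten, so software can only
    add measurements; it cannot put a register back to an earlier value.
    The only way to clear a PCR is a platform reset (reboot)."""
    return sha1(pcr_value + measurement)


@dataclass
class SimulatedTPM:
    """Minimal stand-in for the PCR bank plus the measurement (event) log."""
    pcrs: Dict[int, bytes] = field(
        default_factory=lambda: {i: PCR_INIT for i in range(NUM_PCRS)})
    event_log: List[Tuple[int, str, bytes]] = field(default_factory=list)

    def measure(self, index: int, component: str, image: bytes) -> bytes:
        digest = sha1(image)
        self.pcrs[index] = extend(self.pcrs[index], digest)
        self.event_log.append((index, component, digest))
        return self.pcrs[index]

    def reboot(self) -> None:
        self.pcrs = {i: PCR_INIT for i in range(NUM_PCRS)}
        self.event_log = []


def replay_log(event_log: List[Tuple[int, str, bytes]]) -> Dict[int, bytes]:
    """Verifier side: recompute PCR values from the reported event log alone."""
    pcrs: Dict[int, bytes] = {}
    for index, _component, digest in event_log:
        pcrs[index] = extend(pcrs.get(index, PCR_INIT), digest)
    return pcrs


def verify_attestation(reported_pcrs: Dict[int, bytes],
                       event_log: List[Tuple[int, str, bytes]],
                       golden: Dict[int, bytes]) -> Tuple[bool, List[str]]:
    """Two checks a challenger makes on a quote:
    1. the event log replays to the PCR values the TPM reported (the log is
       untrusted; the PCR values are what the signed quote vouches for);
    2. the PCR values equal the known-good configuration recorded at setup.
    Quote signature verification is out of scope for this simulation."""
    problems: List[str] = []
    replayed = replay_log(event_log)
    for index, expected in golden.items():
        reported = reported_pcrs.get(index)
        if replayed.get(index) != reported:
            problems.append(f"PCR{index}: event log does not replay to reported value")
        if reported != expected:
            problems.append(f"PCR{index}: differs from known-good configuration")
    return (not problems, problems)


def boot(tpm: SimulatedTPM, bios: bytes, loader: bytes) -> None:
    """Constructed two-stage boot: firmware into PCR0, boot loader into PCR4."""
    tpm.measure(0, "BIOS", bios)
    tpm.measure(4, "boot loader", loader)


GOOD_BIOS = b"constructed BIOS image v1"
GOOD_LOADER = b"constructed boot loader v1"


def demo() -> Dict[str, bool]:
    tpm = SimulatedTPM()
    boot(tpm, GOOD_BIOS, GOOD_LOADER)
    golden = {0: tpm.pcrs[0], 4: tpm.pcrs[4]}      # recorded at platform setup
    results: Dict[str, bool] = {}

    # 1. Clean boot: the log replays and the registers match the golden values.
    results["clean boot"] = verify_attestation(dict(tpm.pcrs), list(tpm.event_log), golden)[0]

    # 2. Extend-only: an extra measurement after boot cannot be undone in software.
    tpm.measure(4, "unexpected module", b"constructed late-loaded code")
    results["extra measurement"] = verify_attestation(dict(tpm.pcrs), list(tpm.event_log), golden)[0]

    # 3. Reboot with a modified loader: PCR4 no longer matches the golden value.
    tpm.reboot()
    boot(tpm, GOOD_BIOS, b"constructed boot loader, modified")
    results["modified loader"] = verify_attestation(dict(tpm.pcrs), list(tpm.event_log), golden)[0]

    # 4. Same tampered boot, but the log is edited to claim the good loader:
    #    the replayed value no longer reaches the reported PCR, so it is caught.
    forged_log = [(0, "BIOS", sha1(GOOD_BIOS)), (4, "boot loader", sha1(GOOD_LOADER))]
    results["forged log"] = verify_attestation(dict(tpm.pcrs), forged_log, golden)[0]
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} -> {'attested' if ok else 'rejected'}")
```

Only the first case is accepted. Cases 2 and 3 show that neither a post-boot change nor a reboot into different code can reproduce the golden register values, and case 4 shows why the challenger replays the log instead of trusting it: the register value the TPM reports is the anchor, and a log that disagrees with it is rejected even though the log on its own looks clean.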
Re:no it doesn't...
You are hallucinating.
1. Business purchasers are consumers. Deal with it. IBM has millions of TPM systems deployed with software that actually makes use of the TPM module. Using your definition, educational institutions and the publishing industry are also not "mainstream consumers." Frankly, you're also ignoring the large numbers of individuals that buy IBM laptops because they're high quality and nigh indestructible.
2. The number of Windows based systems with installed TPM modules dwarfs anything that Apple has shipped in the last few months, even if you exclude IBM. Dell sells them. Fujitsu sells them (E8000, S7000, P1500, ST50XX, B6000, T4000). Here's a whole list of manufacturers that have shipped TPM modules in Windows based machines.
3. Really, knock off the drugs. Intel invented USB. Intel pushed USB. Intel rammed USB down every whitebox manufacturer's throat well before Apple introduced its USB keyboards and mouse with those candy colored iMacs in January 2002. I have Microsoft USB keyboards that are older than that. Roundup of USB optical mice from August 2000.
Now that I've addressed the specific points therein, I'd appreciate external references to things that give sales numbers, introduction dates, and other points that prove that Apple got either of those technologies on the market before Windows PC suppliers. Otherwise, have a nice day, and seek counseling. -
Re:Also, this proves once and for all...
*Sigh*
Someday, TPM may be *required* to boot mainstream commercial operating systems, like Windows and Mac OS X, and be *required* to use mainstream consumer services, like, say, online video and music stores, and so on.
I'm not making any judgments about whether this is good or bad; just stating something that will likely happen.
So, if you want to go out and build a non-TPM PC and use a TPM-free OS on it, great. More power to you. But the commercial-quality products and the desirable consumer services (like movie downloads and mechanisms for mitigating or eliminating threats) will probably start requiring trusted computing. And most ordinary human beings will be using systems so-equipped.
TPM isn't any more or less inherently evil than any other technology. Yes, it is an element of control. And we've always had elements of control in societies based on rule of law and respect for property. There is always an authority in the form of the state that makes decisions about what is right and wrong, appropriate or no. Some may not appreciate or accept the balance, and that is their choice. Fundamentally, you can choose to ignore or circumvent such restrictions, or choose to avail yourself of products and technologies that aren't encumbered in this way.
The fact of the matter is that Apple has no interest in preventing the booting of alternate OSes on Intel-based Macs, and this proves that the current Intel-based Macs have no such restriction. You can argue that this could change in the future, but it could ALWAYS change in the future, with or without "TPM" proper. Some technology or mechanism could ALWAYS prevent or disallow something on some future iteration of machine. (If you think Apple could do that with the current machines, you'd be wrong, and lack a basic understanding of how a TPM implementation works. Read up at https://www.trustedcomputinggroup.org/) -
Re:I can't wait until you guys realize
The trusted computing group is a group of the big and heavy hitters in the industry, they have collaborated on this technology, and have made it quite robust in functionality.
A primary function of the tpm is the setup of a transitive trust mechanism, whereby in an enterprise a central policy mechanism can be setup and enforced, signing all computer operations and file system objects. This functionality also provides for remote auditing and administration.
Please see my unaccepted post
It's true that the era of trusted platforms is quickly coming upon us. After much controversy the Trusted Computing Group has posted its specifications for the whole world to review. Many of our industry's analysts, artists, and commentators have both supported and denounced the technology in equal measure.
After a complete review of the literature, it is my understanding that many excellent uses are proposed for the technology. As a network integrator and consulting system administrator I'm particularly excited about the remote management capabilities that the specification calls for, and the ability to lock the hardware, software and ensure that documents created in a business stay in the business without the appropriate trust level. The transitive trust nature of the TPM will allow me to set up group policies and enforce them in ways I've never experienced. Truly industrial grade tech.
As a slashdot reader, concerned with my privacy, I was pleased to note that the specification repeatedly called for privacy protection settings, including allowing the owner full control of the module. This is particularly good for home users who may not need these features enabled, particularly the remote auditing and administration functionality. In truth, the specification is quite balanced.
My question to slashdot readers is in light of this very balanced specification, which protects all stakeholders. Is it okay that Apple is currently implementing TPM in their new iMacs and Macbooks, and not documenting it in their system specifications? Furthermore, is it also okay that they've failed to provide home users with the appropriate tools to monitor the trust mechanism and disable the module if it's not necessary?
Okay, that's two questions, but 'the third time's the charm': Is it okay that the specification describes remote auditing and administration capabilities, and I can't even see if that's enabled?
-
I can't wait until you guys realize
That there's a TPM chip installed shipping enabled, with no end-user controls to verify the trust settings match the security context in which it's installed. Like my maxed out iMac Core Duo... Privacy Commissioner in T-10 days... still no response from Apple Privacy... Check the documentation http://www.trustedcomputinggroup.org/specs/bestpractices/ You'll see what I mean... Caveat Emptor. -
Re:Well, duh
Maybe you should ask the members of the Trusted Computing Group.
-
Re:FUD and beware of UFOs
While it's true that the Trusted Computing Group (TCG) have completely documented their standard, you will also find that they recommend for the TPM to be an owner controllable device, which the current implementation does not provide. While I can agree that there are many useful benefits available through the proposed architecture, and in completely transparent implementations there can be huge wins in safety, security and the protections of all stakeholders rights.
Furthermore, Apple is not listed in membership of the Trusted Computing Group at the moment https://www.trustedcomputinggroup.org/about/members/ what does this mean? Is there some subdivision of Apple that is a member so it's okay? As they aren't members, are they obliged to follow the standards? It is also interesting to note that while the source for 10.4.4 for PPC is available, the source for Intel iMacs is not.
As you are coming to see, there are a few gaps in the docs here. This is precedent setting for a major vendor who by now should all know to have their work well documented before release day. Apple isn't new. If their implementation isn't any different from the standards proposed and maintained by the TCG perhaps they should become members and/or properly document their TPM module and provide customer access as recommended in the spec. This is even more important in light of the contentious nature of this product.
I look forward to your continued thoughts on the matter, but hope that you might refrain from derogatory comment in future.
Please don't get me wrong, this is not a crusade to burn Apple, it's about understanding technology, rtfm, and why isn't this documented?
-
to further illustrate
a little digging finds treasures... https://www.trustedcomputinggroup.org/groups/tpm/TPM_1_2_Changes_final.pdf this means in short that the efi has been signed by apple and the only one that they will allow (currently) to boot their hardware. perhaps they need to get their legal team working on a disclaimer of liability for unsupported platforms and loosen their shorts a bit? I can't foresee anyone actually suing apple because windows crashes! that would be akin to suing ford because your chrysler spontaneously combusted. easy steve et al., we like the work, let's keep it going :D c. -Disclaimer: the statements made here are entirely suppositional based on personal experiences with corporate mentality, similarities to any real product incidents are entirely coincidental and statements made herein do not represent an endorsement or criticism of any persons, products or companies. comments distributed under creative commons license dot the i's and cross the tees -
Re:It's all about the DRM.
Treacherous Computing is explicitly designed to be secure against YOU, the user. YOU WILL NOT HAVE THE MASTER KEY, because it defeats the entire reason for the system's existence!
Well, I don't know what you're talking about with "treacherous computing" then. The Trusted Computing chip (TPM) that's already on every IBM laptop made recently (and probably many other systems besides) implements standards from the Trusted Computing Group. They aren't making DRM, and state specifically that the owner controls the trust relationship. But maybe that's not the trusted computing you were thinking of.
Was TCG formed to specify Digital Rights Management (DRM) technologies?
TCG specifications do not provide all the necessary technical elements required for DRM. It is conceivable that developers could build their own DRM solutions that would operate on systems with Trusted Platform Modules, but TCG specifications alone are not DRM solutions.
You might fear that Vista will take advantage of this somehow to implement some malicious DRM scheme, but Vista is hardly a mystery these days, and runs fine on existing boxes with no TPM chip. There's no known requirement for Trusted Computing to use Vista. It's just FUD.
Again, embedded devices, especially game consoles, are a different world, and have all sorts of protective measures, but that has nothing to do with Vista. -
Re:a shot in the foot
The problem is that Microsoft has the PC market by the stranglehold. You can't buy a new PC from Dell or HP without paying Microsoft. Most users still don't want to install Linux on their machines (and there is a lack of companies selling Linux or BSD machines ready to use out of the box), and we can forget about Apple releasing OS X for vanilla PCs (which will improve the OS situation on vanilla PCs, but may hurt the sales of Apple PCs).
And even if you make it past the operating system hurdle, remember that Microsoft has a stronghold on applications (through software developers only releasing applications for Windows), document formats and the Internet. Wine, OpenOffice, and (insert your favorite alternate browser here) are still not perfect. Finally, remember DRM. Vista has a lot of DRM (first, not being able to use certain monitors; next, not being able to install certain drivers), and even Apple is using DRM (but it is only to prevent OS X from being installed on vanilla x86s; the DRM isn't used for other things). All of the major processor companies now are part of the Trusted Computing Group. Intel and IBM have already come out with processors and motherboards with DRM chips, and AMD, Sun, ARM, and even Motorola/Freescale are also on the list. You can get the whole list here. Where are you going to buy your processors now when all of the processor manufacturers produce "trusted chips"? Finally, most of the media formats encountered when buying media online have DRM, which sucks for Linux and BSD users who don't have a player to play those files on. (They can create one, but then they'll have to deal with RIAA/MPAA/Apple/Google/Microsoft/etc. lawyers due to the DMCA; even though you don't intend on infringing copyrights (you just want to play your iTunes music on your Linux box), you broke the encryption method, so a few years of Bubba for you....) Imagine if every file made by every application (even documents) had DRM? Then Linux and BSD users will be breaking the law just to read their own documents.
So, no, Microsoft isn't dying. In fact, legal Linux and BSD might die if certain steps aren't taken now. The next few years are crucial in getting open source on the desktop if we don't want to deal with trusted computing and all of that crap.
-
Re:meh...
AFAIK, Transmeta was the first x86 processor maker to support Trusted Computing, so it's a bad choice:
http://en.wikipedia.org/wiki/Trusted_Platform_Module
According to an unofficial member list, VIA is a member of the Trusted Computing Group.
http://www.againsttcpa.com/tcpa-members.html
According to the official list, it's not, so I'm a bit unsure about VIA.
https://www.trustedcomputinggroup.org/about/members/
Regards,
Dennis B. Schramm -
Re:meh...
They both support Trusted Computing which makes me wish there was another option out there.
I don't see MOS Technology on the list...
Here's the CPU for you! -
Re:Microsoft's involvement
Actually, I have read a lot of the facts--and opinions on what TPM can/will do. Here's a couple of links, if you care to look further at both sides of the question:
FAQ and Stallman's view at News Forge, and EFF and finally the Trusted home page here. So I have informed myself a little. Actually, the most recent MS EULA I had to read suggests that MS and 3rd parties they trust have the right to add and delete programs and files to my computer. Presumably, only for my benefit. Uh huh. The TPM chip takes this to the hardware level and is the real foundation of "Trusted Computing" or as some see it, "Treacherous Computing." Believe what you want to believe.
Like AC pointed out--and BTW, thanks AC, for standing up for my post, I've never been rated a troll before (that I'm aware of) & I'm chalking it up as another experience--ultimately if the TC roadmap is followed, it may be impossible to connect to the internet without a fully TC-compliant box. It may be impossible to share files--and I'm not talking about trivial rubbish like music or video, but important files like text documents, spreadsheets and other data--unless they were produced by a TC box and are opened on a TC box. If that's OK by you, then so be it--for you.
I'm not interested. I have been off & on the net for ten years, in fact I only got a confuser at home 10yrs ago, which isn't much over >50yrs. I can live without the net or a computer at home. Why would I want to use a computer that considers ME the enemy? Why would I even have such a device in my house??! I don't fear it, because TC has nothing to offer me or threaten me with:
He is the master who has power over things which others wish to have or to avoid, the power to take these things away or bestow them: the power to inflict or to withhold. Whoever then wishes to be free, let him neither wish to have anything nor wish to avoid anything which depends on others. Who does not observe this rule, he must be a slave.--Epictetus
Your mileage may vary. -
Logical reason for this
You see, people are catching on to big brother spying on them, and if they were to see 'intel inside', which could be short for 'intelligence inside', they might not buy the machine. So, when the new TPM machines start coming out, the buyers won't be scared away, and they will end up buying a machine that you can't trust.
-
Re: Err....
I don't believe this.
Could you be a little more specific? I can provide links to back up almost everything in there. I'll document the major points of background for you and the other guy who asked.
Let's start with This FAQ at Microsoft.com: [note: Microsoft will obviously put best possible spin on things and they will completely neglect the very very ugly issues]
Q: What is the Next-Generation Secure Computing Base?
A: The Next-Generation Secure Computing Base (NGSCB) is new security technology for the Microsoft® Windows® platform. It will be included as part of an upcoming version of the Microsoft Windows operating system, code-named "Longhorn." [note: the official name for the new Windows release is now Vista] NGSCB employs a unique hardware and software design to enable new kinds of secure computing capabilities to provide enhanced data protection, privacy and system integrity.
NGSCB will transform the PC into a platform that can perform trusted operations spanning multiple computers under a trust policy that can be dynamically created and whose integrity anyone can authenticate. [note: this means people over the internet can authenticate and approve or reject the software you are running on your computer]
The technology being developed as part of NGSCB includes new software that will work on a new breed of PC hardware. This new architecture will provide unprecedented capabilities for enabling secure processing on the Microsoft Windows PC platform. [note: "secure" specifically means secure against the owner]
-
Q: What is the "SSC" component of NGSCB?
A: "SSC" refers to the Security Support Component, a new PC hardware component that will be introduced as part of the NGSCB architecture. The SSC is a hardware module that can perform certain cryptographic operations and securely store cryptographic keys that are used by the nexus and nexus computing agents (NCAs) to provide sealed storage and attestation functions. [note: "sealed storage" means that YOU cannot read your own files except with the Trust chip's permission and only with the approved software for it - in other words it is a hardware DRMed file. "attestation" means to send a spy report over the internet telling people exactly what hardware you have and exactly what software you are running - and you are denied any control over the contents of this spy report] At a minimum, the SSC provides RSA public-key operations (encryption, decryption, digital signature generation and verification), Advanced Encryption Standard (AES) encryption and decryption, and Secure Hash Algorithm 1 (SHA-1) hash computation. The SSC also contains at least one RSA private key and an AES symmetric key, both of which are private to the SSC and are never exported from the chip. [note: the fact that these master keys are "never exported from the chip" means that YOU the OWNER are FORBIDDEN to know your own keys, because if you knew them you would be able to unlock your DRM files and you could control or modify the "attestation" spy reports you send to other computers on the internet]
Q: What is the "TPM"? Is that the same as the SSC?
A: The term "SSC" is generally interchangeable with "TPM" or trusted platform module. The TPM is a secure computing hardware module specified by the Trusted Computing Group, an industry consortium made up of Advanced Micro Devices Inc. (AMD), HP, IBM Corp., Intel Corp., Microsoft and many other companies working together to promote open industry-standard specifications for trusted computing hardware building blocks. The upcoming version of the TPM (version 1.2) is expected to serve as the SSC in the NGSCB architecture.
And here's the Trusted Computing Group's home page and here's their Trusted Network Connect -
Re:Grip on the filesharing world?
https://www.trustedcomputinggroup.org/home
Yeah, sure dude. -
Microsoft?
They're a founding member of the Trusted Computing Group. You better believe they have a vested interest in the technology.
-
Have you read the TCG specs?
Since every "secure" internet transaction would involve a transfer of a TPM number, wouldn't it be easy to figure out anyone else's TPM (if you can't figure out what it is, it's useless). And once you do that, won't it be easy to tell your computer to send out a different TPM (say the one you stole from someone else) instead of yours.
That's a replay attack. The Trusted Computing TPM specification surely includes countermeasures against replay attacks.
-
Re:Real Identity?
Yeah, that just isn't going to happen, RTFS. The TPM ID is essentially the endorsement key, a private RSA key baked into the device. Without hardware analysis, you are not getting it out of the TPM.
-
Anti-malware, patches, bandwidth caps, etc.
They know my name, address, phone number, IP number, username, and password. What more is TPM going to give them?
A specification called "Trusted Network Connect" has been published on the TrustedComputingGroup.org web site. (Brief yourself using this FAQ (PDF)). Implementations of TNC collect "endpoint configuration information", allowing the owner of a network to deny a computer access to the network unless it meets the following requirements:
- it has a TPM that is turned on,
- it is running an operating system version that has been approved by the network owner and not modified, and
- it is running a dialer program that has been approved by the network owner and not modified.
Dialer programs under TNC are charged with enforcing the integrity of the runtime environment on the computer being connected to the network. The integrity checks will often include the following features:
- scanning for viruses, worms, spyware, and spam zombies;
- verifying that the latest operating system patches and device drivers have been installed;
- scanning for popular file sharing software and scanning for all-rights-reserved works in shared folders;
- blocking access to resources deemed illegal by a government agency or by an entertainment industry trade association;
- enforcing quality of service guidelines such as bandwidth caps and low priority for traffic other than web browsing and receiving e-mail;
- blocking those incoming and outgoing ports dictated by the network owner;
- blocking programs other than those approved by the network owner from accessing the Internet; and
- other features that network owners would find useful.
TNC may initially sound benign or even desirable when the network owner is an employer. But imagine when the network is that of a residential Internet service provider, and customers have to pay extra per month to get some of the QOS changed or to unblock specific ports. Once almost all computers have a working TPM (possibly by 2015), both the local cable company and the local telephone company are likely to see TNC as a cash cow for their Internet access customers, and they're likely to deny you an IP address unless your machine is "trusted". Those 2 percent or fewer customers using a computer without a TPM would just be considered collateral damage who can just go back to dial-up.
-
If you have no sources, then look here
And your infallible source for this information is... a Slashdot comment.
It's not my only source, just one that's useful for introducing the ramifications of the concepts introduced in the Trusted Network Connect FAQ (PDF).
-
Old News
Old News. TPM has been around for a few years.
The site is https://www.trustedcomputinggroup.org/home
For a discussion of some concerns check out EFF at http://www.eff.org/deeplinks/archives/003804.php
I had an opportunity recently to ask questions of a Microsoft officer who works on strategy and works in Europe. When I described many of the unpleasant aspects of TPM and the like, he said that European privacy laws would prevent the adoption of such policies. I found that to be an interesting viewpoint. -
Old News
But good to see the mainstream press catching up to it. This chip is part of a larger effort by major software developers and hardware manufacturers to mostly stop piracy in all forms and control what you can do with your computer and when.
Read the TCPA FAQ, and take a look at Against TCPA, an anti-TCPA site if you're interested. For an alternate perspective, you can also view the official Trusted Computing Group site.
Personally, I hate it, I don't think it will succeed, and I will *never* buy a computer with such a module installed. -
Re:1984?
He would learn about trusted computing and the trend towards pervasive computing, make the connection, and regret he hadn't patented Big Brother.
BTW, some say TCPA was indeed a factor in the Apple switch to Intel. -
Re:Read the Fine Summary
TPM protections = OSX locked to Apple hardware
Anyone who has any illusions about cracking this scheme might be in for a surprise. After thoroughly reading the TPM spec, I think that if the OS is looking for TPM_Owner = Apple's Value and doesn't find it, it ain't gonna run.
Changing TPM_Owner isn't exactly trivial, as you have to set the value during manufacturing.
-
How to "trust" the computer
The problem, of course, is how to decide whether someone is "secure" or not without running a scan on that computer.
Easy. Just make the computer run a scan on itself (using an approved dialer program) and then prove, using Trusted Computing techniques, that it ran the scan that it says it ran. These PDFs explain the process.
-
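The sealed-storage and attestation functions described in the quoted FAQ further up, and the "scan yourself, then prove it" flow in the comment just above, as an added example that is not part of any comment on this page nor any TCG or Microsoft code: a constructed Python model of TPM 1.2-style PCR extension, sealing data to PCR values, and a nonce-bound quote checked by a network-side verifier. Assumptions: HMAC with a shared key stands in for the RSA AIK signature, a SHA-256 XOR stream stands in for AES, and the PCR numbers and measurements are made up.

```python
import hashlib
import hmac
import secrets
from functools import reduce

ZERO_PCR = b"\x00" * 20  # TPM 1.2 PCRs: 20-byte SHA-1 registers, zero after reset

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def expected_pcr(measurements) -> bytes:
    # TPM_Extend folding as a verifier recomputes it: PCR = SHA1(PCR || SHA1(m)).
    return reduce(lambda pcr, m: sha1(pcr + sha1(m)), measurements, ZERO_PCR)

def toy_cipher(key: bytes, data: bytes) -> bytes:
    # XOR against SHA-256(key): stands in for the TPM's AES, so at most 32 bytes.
    return bytes(a ^ b for a, b in zip(data, hashlib.sha256(key).digest()))

class ToyTPM:
    """Constructed TPM stand-in: SRK and AIK never leave the object; HMAC stands in for RSA."""
    def __init__(self):
        self._srk = secrets.token_bytes(32)  # storage root key, internal only
        self._aik = secrets.token_bytes(32)  # attestation identity key, internal only
        self.pcrs = [ZERO_PCR] * 24          # reset to zero on every boot; keys persist

    def extend(self, index: int, measurement: bytes):
        self.pcrs[index] = sha1(self.pcrs[index] + sha1(measurement))

    def _composite(self, indices) -> bytes:
        return sha1(b"".join(self.pcrs[i] for i in indices))

    def _seal_key(self, indices) -> bytes:
        # Depends on the SRK and the *current* PCRs: another platform state, another key.
        return hmac.new(self._srk, self._composite(indices), hashlib.sha256).digest()

    def seal(self, data: bytes, indices) -> dict:
        key = self._seal_key(indices)
        ct = toy_cipher(key, data)
        return {"indices": list(indices), "ct": ct, "tag": hmac.new(key, ct, hashlib.sha256).digest()}

    def unseal(self, blob: dict):
        key = self._seal_key(blob["indices"])
        tag = hmac.new(key, blob["ct"], hashlib.sha256).digest()
        return toy_cipher(key, blob["ct"]) if hmac.compare_digest(tag, blob["tag"]) else None

    def quote(self, indices, nonce: bytes) -> dict:
        # TPM_Quote: sign the selected PCRs together with the verifier's nonce.
        sig = hmac.new(self._aik, self._composite(indices) + nonce, hashlib.sha256).digest()
        return {"indices": list(indices), "pcrs": [self.pcrs[i] for i in indices], "nonce": nonce, "sig": sig}

class Verifier:
    """Network-side policy: fresh nonce, valid quote, PCRs equal to golden values."""
    def __init__(self, aik: bytes, golden: dict):
        self.aik, self.golden, self.outstanding = aik, golden, set()  # real verifiers hold only the AIK public key

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(20)
        self.outstanding.add(nonce)
        return nonce

    def check(self, q: dict) -> str:
        if q["nonce"] not in self.outstanding:
            return "replayed-or-unknown-nonce"  # each nonce is accepted exactly once
        self.outstanding.discard(q["nonce"])
        signed = sha1(b"".join(q["pcrs"])) + q["nonce"]
        if not hmac.compare_digest(hmac.new(self.aik, signed, hashlib.sha256).digest(), q["sig"]):
            return "bad-signature"
        for i, value in zip(q["indices"], q["pcrs"]):
            if self.golden.get(i) != value:
                return f"pcr{i}-mismatch"
        return "ok"

APPROVED_OS = b"constructed: approved OS image v1"  # constructed measurements, not from any spec or product
APPROVED_SCANNER = b"constructed: approved dialer/scanner v1"
MODIFIED_SCANNER = b"constructed: locally patched dialer/scanner"

def boot(tpm: ToyTPM, os_image: bytes, scanner: bytes):
    tpm.pcrs = [ZERO_PCR] * 24  # reboot clears the PCRs, keys persist
    tpm.extend(4, os_image)     # OS measured into PCR 4 (constructed assignment)
    tpm.extend(8, scanner)      # dialer/scanner measured into PCR 8 (constructed assignment)

def run_demo() -> dict:
    tpm = ToyTPM()
    golden = {4: expected_pcr([APPROVED_OS]), 8: expected_pcr([APPROVED_SCANNER])}
    verifier = Verifier(tpm._aik, golden)  # shared HMAC key: the RSA simplification noted above
    boot(tpm, APPROVED_OS, APPROVED_SCANNER)
    blob = tpm.seal(b"network credential", [4, 8])
    good = tpm.quote([4, 8], verifier.challenge())
    results = {"approved": verifier.check(good),
               "replay": verifier.check(good),  # the same quote presented a second time
               "unseal_approved": tpm.unseal(blob)}
    boot(tpm, APPROVED_OS, MODIFIED_SCANNER)  # PCR 8 now differs from the golden value
    results["modified"] = verifier.check(tpm.quote([4, 8], verifier.challenge()))
    results["unseal_modified"] = tpm.unseal(blob)
    return results
```

The demo shows the two properties the comments argue about: a quote can only satisfy the verifier once per nonce (the replay countermeasure), and data sealed under one software state is unreadable once a measured component changes.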
Re:Surest Way To Stifle Innovation
Trusted Platform Module.
That's a specific specification. From the articles, I got the impression that he was referring to the generic term for technology protection measures. Otherwise he wouldn't have been using the plural form. -
and FIMA is investigating FIMA!
Come on people, I expected more from the
/. crowd
https://www.trustedcomputinggroup.org/home
now do we really believe that one of the creators of such restrictions really has our best interest?
as Judge Judy would say "bap bap.. don't piss on my shoes and tell me it is raining!"
I have had access to all my movies and songs throughout the home for years; it is called MP3 and XVID! Do I really need MS and INTEL changing my network so that I can no longer access my files?
PLEASE!!!!! YOUR REVOLUTION IS DE EVOLUTION of the worst kind! THANKS BUT NO THANKS I'd rather put my balls in a vat of acid! -
Strange connections... where's this leading?
Question: What's strange is their involvement in the Overheard a series of websites. What's interesting is that the TCG has ownership of Veritas. Answer: The company that did a test on MS Server 2003 and found it to be 300% faster than other OS's. They were Veritest, who have actually merged with Symantec, and who could forget the 1999 partnership between Microsoft and Symantec?
-
Re:news for fanboy.
M$... M$... M$... M$... M$... M$... M$... M$... M$... M$... M$... M$...
Wow, can I be cool like you and use 'M$' to prove to myself that I'm 'in the know' and effortlessly reinforce my vacuous arguments?
Here's a short list of dead competitors
With the exception of Digital Research all of those have committed corporate suicide. Where have you been living all these years?
Palladium/NGDRM
Take a look at who's behind the trusted computing initiative. Maybe you'll stop claiming this is a Microsoft-only evil plan (not that I'm disputing its evilness though).
Oh, I'm sorry. Did I say 'Microsoft' back there? I meant 'M$'.
-
Re:Real security has to be build into the foundati
Why do most corporate computer users have permissions on their computer to download and execute arbitrary programs?
-
Fishy? No, deceptive and devious!
The same system that protects spyware from accessing your data files might also stop you from copying audio and video files. The same system that ensures that all the patches you download are legitimate might also prevent you from, well, doing pretty much anything.
At least someone that is talking to a larger group of those not-in-the-know gets it.
The only reason I can think of for all this Machiavellian maneuvering is that the TCG board of directors is making sure that the document doesn't apply to Vista. If the document isn't published until after Vista is released, then obviously it doesn't apply.
If only that were the case! Unfortunately it's something that's calculated, malicious, and devious.
From Best Practices Principles Document:
preserving privacy, backward compatibility, and owner control
This will accomplish NOTHING but promote an environment where people will continue to become accustomed to DRM being on their computers. It's not going to stop worms, spyware, viruses, and the like - they are going to continue to plague people's computers - it's all part of the desensitizing of DRM. Get people pissed off enough about spyware, etc, and they will be happy to accept DRM.
It's really sad that most people still don't know what spyware is or how to defeat it. When they do hear of it they see this "DRM" stuff in the future that will eliminate it. Instead of taking the 5 minutes daily to do routine maintenance that will keep their computers and themselves happy, they instead opt for having someone else do all the work for them at the loss of everything that was once great about computers. -
Re:Now that Apple has joined the Intel bandwagon .
Really? "The Trusted Computer Alliance" doesn't exist anymore. They disbanded.
Fine. Replace "TCPA" ("Trusted Computing Platform Alliance", not "Trusted Computer Alliance") with "TCG", for "Trusted Computing Group".
Then go look at the TCG's member list. Note the appearance of "AMD" and "IBM" on the list. Then please explain to the audience how saying ""The Trusted Computer Alliance" doesn't exist anymore. They disbanded." somehow renders the replies to Mr. "go AMD!" invalid. (Perhaps AMD won't have any chips that support DRM, and perhaps IBM wouldn't have added DRM to chips for Apple, but it's not as if AMD and IBM are brave members of the Rebel Alliance against Trusted Computing.)
-
Re:Good
Is Intel Good(tm) now?
No.
The new line of chips are LaGrande Compliant. LaGrande is Intel's CPU embedded implementation of the Trusted Computing Group's Trusted Platform Module.
So what does that mean?
All of the new CPUs have ID numbers again. Remember the Pentium 3 ID numbers that created so much outrage and backlash? Well, they are back with a vengeance.
The new CPUs will hold crypto keys, and they are specifically designed to keep the keys (and encrypted files) secure against the owner. They are specifically boobytrapped to self destruct if you try to read out your own keys. IBM is currently using a separate non-CPU Trusted Computing chip and they explicitly advertise the self destruct aspect in their Man in Black Thinkpad TV commercial.
It can also act as a little spy inside your computer - this is called Remote Attestation - a spy that watches all of the software you run and sends a spy report to other people over the internet. You are denied any control over this spy report. The only control you have is to turn this system off completely, and if you turn it off then you get locked out of your own files and it is impossible to run or install Trust-using software. In five to ten years, under Trusted Network Connect, you can even be denied an internet connection unless you activate the system and send this spy report and you have an approved unmodified operating system and approved unmodified software.
It is basically a DRM enforcer CPU, but far far worse.
- -
Re:I Object!
You're a raving loony. "They" are out to get you. Go find a bunker somewhere, and leave us in peace, ok?
I really don't get where you're coming from. The 'trusted computing' storm has been on the horizon for years.
For an official description, why don't you read the Trusted Computing FAQ? The first paragraph of the second section, entitled "The Trusted Platform Module (TPM) and Implementation" has pertinent information.
For a description from the outside, try this link. Just the first paragraph under the first question is sufficient. Note also the date on the FAQ. It was written two years ago, when the Trusted Computing group was formed. These issues have been known for years, and have been discussed publicly many times.
If you are not aware of the music and movie industries' desires to distribute their collective assets using technologies that prevent unlicensed use, mention the words 'CDs', 'movies', and 'copy protection' to anyone on the street, and ask them how they are connected. For bonus points, you could find someone to point you to information about the RIAA's and MPAA's views on people sharing copyrighted works over the internet.
So... to bring this to a close, you could, perhaps, read the articles about trusted computing, or at the very least the paragraph in each which I mentioned specifically. After that, you could consider the opinions of powerful industry groups concerning the need for DRM-like technology to protect their assets. Finally, you could put two and two together. Maybe then you could stop bothering someone who actually reads things. I found the articles by typing 'trusted computing' into google. You could have tried it, too, but instead you trolled. Goodbye. -
Re:Digital Restrictions Management
Longhorn to Require Monitor-Based DRM
Aero Glass experience in Longhorn will be available only if the related hardware capabilities are present on the PC system supported by a signed driver based on the Longhorn Display Driver Model.
If you are not using a Microsoft approved and signed driver to fully lock down and enforce the DRM system then Longhorn/Vista LOCKS YOU OUT OF THE FULL GRAPHICS INTERFACE MODE. You get dumped back to the minimal desktop interface mode and I'm pretty sure the entire "security system" gets locked out as well. In other words you get dumped back to the minimal desktop interface mode AND any software using the Wonderful new security system gets locked out. Half the software on your computer may drop dead.
But don't worry, it's all optional and all opt-in. Of course if you do not opt-in then don't expect anything to actually work anymore. Oh, and it's not Microsoft's fault. It's the software authors and the media file publishers and the websites that choose to use Microsoft's new Security System and it is THEY who decide that the software and media files and websites will refuse to work unless you opt-in to full lockdown mode.
Oh, and then there's Microsoft's Network Access Protection Architectures, specifically compatible with the Trusted Computing Group's Trusted Network Connect. Sure it will be a couple of years before this might become a significant issue, but if and when it is deployed... well it wouldn't be Microsoft doing anything to you... it would be your ISP choosing to use Microsoft's NAP system and your ISP choosing to refuse you an internet connection unless you are running a properly locked down system with an approved operating system and with all of the latest patches and with an approved and mandatory Firewall and with an approved and mandatory VirusScanner. You see your ISP just wants to protect you against viruses and worms and to protect their network.
In fact the term they use for this sort of policy is that they are checking the "health" of your computer before allowing you network access. They need the security system to be active to do the "health check", and of course only a fully locked down computer is "healthy".
But it's OK. The DRM system... correction the security system... it's all optional and opt-in. And if you don't opt-in and all of your software refuses to run and you are locked out all of the new filetypes and your ISP refuses to give you a network connection, well that's OK. That was your choice. Opting-in is purely optional. Microsoft isn't trying to force anything on to anyone.
- -
Re:I just don't understand
I don't understand what all of the excitement surrounding these rumors of Apple including DRM technology on the Macintels is about.
It's about access to networks that use Trusted Network Connect. It's about continued access to the Internet once major ISPs require Trusted Network Connect by 2015.
-
IBM <3 DRM
The switch from IBM to Intel has nothing to do with speed, heat, or anything else anyone has suspected. It's control.
IBM were founding members of TCG and the first to sell TPM-restricted PCs. Do you really think Apple had to go to Intel to get Fritzed? -
Re:Cue CmdrTaco's OpenBoot Troll
It's ironic that the Trusted Computing web site uses such an untrustworthy httpd as Apache:
HTTP/1.1 301 Moved Permanently
Date: Wed, 27 Jul 2005 08:26:37 GMT
Server: Apache
Location: https://www.trustedcomputinggroup.org/home
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
I guess that the TC folks can't even trust themselves!