Domain: trustedcomputinggroup.org
Stories and comments across the archive that link to trustedcomputinggroup.org.
Comments · 158
-
Re:Self encrypting hard drives are WORSE!
http://www.trustedcomputinggro...
Real SED drives implement this standard, which includes the disk changing the key - it's how Instant Secure Erase works, among other things (old key is thrown out, new key is generated by the hard drive). If the WD product really behaves as described in that link, then I'd agree - that implementation of the controller is flawed (and also, not TCG/Opal compliant, I'd wager). More than likely, the drive inside the enclosure implements the standards correctly (or nearly so), and the problems are in the USB controller side of things. SED drives are not very user-friendly, and WD was probably trying to mask that.
-
Re:Security by Obscurity
I'm glad someone made a point about security by obscurity.
The OPAL 2 spec. does mention guarding firmware updates in section 5, but it does not appear to be compulsory (and no one I'm aware of from the HD industry has said anything yet...).
-
Re:We need hardware write-protect for firmware
A: Use an OS that cordons off any possibility of accessing the HD or other firmwares to begin with. The Xen hypervisor prides itself on being more secure than most, and it's only about 1MB in size. Using that small and hardened attack surface as the gatekeeper to all hardware functions (including NIC and graphics), and as the means of silo-ing one's computing life into work, personal, misc online, etc., it's perhaps the best defence out there for PCs. The Qubes GUI even lets you sequester USB controllers inside specific VMs and as such it's a line of defence against badUSB. To top it off, it gives you facilities like splitGPG, isolated TorVM, and a means of sanitizing pdfs.
Even if you only use it to separate "online" from "offline" stuff (or even if you only use it as an untrusted "online" system), Qubes will protect the core system such as BIOS and other firmware.
FWIW & BTW, I've read parts of the OPAL 2 spec. for hard drives that states a drive manufacturer should make functions like firmware update conditional on successful authentication (no firmware update without the correct password). But it isn't clear to me whether OEMs are complying with what appears to be a recommendation.
OTOH, you could get a high-security flash drive (the kind with signed updates or read-only firmware) then put your Qubes boot partition on that and enable the Anti-Evil-Maid feature. I think Kanguru and IronKey are two such drive vendors.
-
Re:Primary sources?
Oh, while I'm rambling (no sleep last night, nothing but amphetamines (100% legal, doctor's orders!) between me and empty):
What about touching on a case study of an interesting group of people who, rather nobly, decided to jump on top of emerging technology, give the trajectory of 'the future' a good hard shove, all very inspiring (and often backed by nontrivial talent); but whose outcome is the sort of brutal ironic defeat that you usually associate with particularly mean-spirited Greek Mythology.
Remember the 'cypherpunk'? The bold, anti-authoritarian, vision of how the implications of number theory, the structures of math itself, would usher in a new era of strong crypto, surveillance-resistance, anonymity, all sorts of cool stuff, getting classified as a munition by The Man (who couldn't stop you, because your 'weapon' was a concise chunk of pure math, impossible to block), really very inspiring.
Well. Funny story. Y'know what else you can do with strong crypto? Locked down bootloaders. 'Trusted Computing'. DRM. 'Secure Remote Attestation'. Powerful, elegant, 'tivoization' of basically every aspect of what used to be the general-purpose computer, the network it connected to, and the parts it was made of. Game. Fucking. Over. This particular coin had two faces (Just like 'Janus' the development codename for WMDRM...), and I think we can all agree which face landed up. I know of no more brutal irony than this in the recent history of computing. Fantastic lesson if you want to teach the kiddies about 'how students can influence change', though...
-
Re:How is TPM a security risk?
Well, for starters one of the BSI's requests was "the device owner must have a way of disabling the TPM"
The standard states that "The platform manufacturer decides if it is possible to disable use of the TPM."
That alone is reason enough to be wary.
-
Re:You still have to show me how to get my keys
Oops, I meant to include the following link in my other post:
Here's the latest TPM Main Specification Level 2 Version 1.2 from the Trusted Computing Group
I dunno if you actually want to dig through that, it's pretty dense techno-jargon specifications for the microchip. I just wanted to include it as an official source for the specification-quotes in my post, and to generally back up my other claims and explanations.
-
-
Re:Why?
I'll be quoting from this, the latest version from the Trusted Computing Group: TPM Main Specification Level 2 Version 1.2, Revision 116 Part 2 - Structures of the TPM
I'll paste quotes here in italics, key points in bold, and non-italics comments from myself in between.
An Endorsement Key (EK) has two parts, the public part and the private part. The private part is the part in control, the public part allows anyone to verify signatures. The PrivEK is the highest level master key of a TPM. Its primary function is to sign messages sent out of the TPM to other people over the internet. PrivEKs are forbidden to ever exist outside a TPM. Anyone receiving a proper PrivEK-signed message therefore knows that the message could only have been generated inside a TPM, secure under the controls and limitations of the TPM, and secure against tampering by anyone (including the owner).
Note that the PrivEK gets signed by a manufacturer key, securely identifying it as a genuine PrivEK securely locked inside a TPM. The manufacturer key is itself signed by the Trusted Computing Group's master key, authenticating the manufacturer key as a valid key belonging to a valid and compliant manufacturer. If the Trusted Computing Group ever revokes a manufacturer's key then all TPMs made by that manufacturer are no longer Trusted... for practical purposes those chips can be considered "dead". If some manufacturer's chips are found to be insecure the Trusted Computing Group can "close the security hole" by effectively killing all of those chips in one shot. And this is exactly how the Trusted Computing Group prohibits any manufacturer from making a non-compliant chip that allowed the owner to obtain control of his system.
5. Endorsement Key Creation
Start of informative comment
The TPM contains a 2048-bit RSA key pair called the endorsement key (EK). The public portion of the key is the PUBEK and the private portion the PRIVEK. Due to the nature of this key pair, both the PUBEK and the PRIVEK have privacy and security concerns.
The TPM has the EK generated before the end customer receives the platform. The Trusted Platform Module Entity (TPME) that causes EK generation is also the entity that will create and sign the EK credential attesting to the validity of the TPM and the EK. The TPME is typically the TPM manufacturer.
So the chip's top key, the PrivEK, is inside the chip before the customer buys the computer or other device. This is generally done by the manufacturer.
You can skip/skim over this next section, I'm just including it to preserve continuity in copy/pasting from the source document.
The TPM can generate the EK internally using the TPM_CreateEndorsementKey or by using an outside key generator. The EK needs to indicate the genealogy of the EK generation. Subsequent attempts to either generate an EK or insert an EK must fail.
If the data structure TPM_ENDORSEMENT_CREDENTIAL is stored on a platform after an Owner has taken ownership of that platform, it SHALL exist only in storage to which access is controlled and is available to authorized entities.
End of informative comment
1. The EK MUST be a 2048-bit RSA key
a. The public portion of the key is the PUBEK
b. The private portion of the key is the PRIVEK
Here's where we start getting to the critical point you wanted, whether the owner is allowed to get his key:
c. The PRIVEK SHALL exist only in a TPM-shielded location.
2. Access to the PRIVEK and PUBEK MUST only be via TPM protected capabilities
a. The protected capabilities MUST require TPM Owner authentication or operator physical presence
3. The generation of the EK may use a process external to the TPM and TPM_CreateEndorsementKeyPair
a. The external generation MUST res
-
Re:Why?
Specifically, it is designed to be SECURE AGAINST THE OWNER. The Trusted Platform Module Technical Specification explicitly refers to the owner of the chip as an attack-threat which the chip MUST be secure against.
Citation needed
;) I'm sure you're misinterpreting some physical tamper-resistance line.
Unfortunately, being sure is all too often completely unrelated with being right.
It's in some text explaining design intent, explaining why they require certain internal data be handled in a particular way. They specifically state they are doing it this way to prohibit a "rogue Owner" from being able to register an Identity with more than one Privacy Certificate Authority.
TCPA_Main_TCG_Architecture_v1_1b.pdf
According to internal document page numbering it's on page 267, but the PDF viewer software calls it page 277. The exact sentence is:
This feature prevents a rogue Owner from assembling identity_binding data structures outside the TPM and hence obtaining attestation to the same TPM identity from multiple Privacy CAs.
They explicitly named the Owner as the primary focus of their threat model. They explicitly took steps to secure the chip against an owner attempting to manage his privacy identities. And they did it because the underlying "security threat" was that an Owner could attempt to use the duplicate anonymous identity to gain local control to modify a "security property" that was demanded by someone else via Remote Attestation of the first anonymous identity. And in this case a "security property" being demanded by someone else via anonymous remote attestation is basically a generalized way of saying a DRM-style-enforcement-commitment, and using a duplicate anonymous identity to modify that "security" setting basically means being able to break/escape the DRM.
Remember - they explicitly stated the security threat here was the OWNER. Furthermore note that these are anonymous identities used for remote attestation.... this has nothing to do with securely checking the state of the system for yourself. This is securing the state of the computer against the owner for the benefit of a remote party - specifically a remote party whom the owner doesn't trust - someone to whom the owner specifically wants to remain anonymous. That pretty much means some random corporation or random website he doesn't want tracking him, and which wants something like DRM enforcement in place on his computer. And again, this is all in the context of them declaring the OWNER to be the threat they are securing against.
I don't doubt you've looked at it. But clearly you've looked at it from the perspective of how you think it impinges on your liberty
I've considered it from all angles. I would fully support a similar chip which was designed as a legitimate pro-owner security system. However that's not this chip.
rather than from the perspective of a security engineer trying to achieve simple properties such as executing code that isn't manipulated by an attacker.
I fully understand that issue, and that can easily be achieved with a legitimate security system, one securing the system for the owner rather than securing it against the owner, one where the owner has the final say in control and security settings.
(Note that an owner "opt-in" for something like a DRM scheme is an owner having an initial say on security settings, but the owner having the final say on security settings means he has full control to modify the security settings later.)
Let's play this game. I'll propose an alternative system, one where the owner can have that final say if he wants it, thereby having the power to avoid or solve 100% of the objections to the system, and you go ahe
-
Re:TPM often left off (but can work FOR you).
But *no* consumer board I'm aware of ships with the *chip.*
Then you obviously haven't been paying attention. Almost all laptops are now shipping with TPMs, and they are increasingly being shipped in desktops. When I was shopping for a PC last year I spotted TPM listed in several system specification lists from different major PC vendors.
According to the Trusted Computing Group more than a half billion PCs have already shipped with the Trusted Platform Module. Computer Weekly puts it at over 600 million PCs.
And according to ZDNET, "In January 2015, TPM 2.0 will be required on all certified Windows devices".
And according to Microsoft News Center, and I quote:
The Trusted Platform Module is a hardware security device or chip that's a great tool for the enterprise, but until now has been an optional piece of technology for consumer devices. TPM provides a number of crypto functions, including securely storing keys and performing cryptographic measurements. We're working to require TPM 2.0 on all devices by January 2015
So the answer to the question, I think, remains "All of them."
You were trying to say that "all" personal computers were TPM-free, but it turns out that "All of them" is what they plan to try and force on us starting less than a year and a half from now. And as noted, over a half billion already shipped.
-
-
Here It Comes...
They've been working themselves up to this for a while now, and it appears that the lead-in propaganda campaign has heated up. I can't believe that I haven't seen another post discussing this yet. It fits perfectly with TFA/TFS. Two words.
Here is a paper by Ross Anderson on some of what implementing Trusted Computing will mean.
This had better be nipped before implementation or there won't be another chance. The internet is a tool with more than one use, just as with nearly any tool. While the internet has tremendous power to empower, inform, and enrich, it also has tremendous power to monitor, control, and suppress if Trusted Computing is allowed to be implemented.
Strat
-
Re:How this works
According to the article, it uses this "Opal" storage spec. (didn't find it on wikipedia..)
Below from: http://www.trustedcomputinggroup.org/resources/storage_application_note_encrypting_drives_compliant_with_opal_ssc
Storage Application Note: Encrypting Drives Compliant with Opal SSC
This document provides examples of the communication between a host and a storage device implementing the TCG Storage Security Subsystem Class: Opal SSC and the TCG Storage Architecture Core Specification.
Examples are provided for the following scenarios:
* Discovering whether a storage device supports Opal SSC
* Taking ownership of the storage device
* Activating the Locking SP
* Changing the Admin1 PIN in the Locking SP and adding users
* Configuring Locking Objects (LBA ranges)
* Unlocking ranges
* Erasing a range
* Enabling the MBR shadow
* Un-shadowing the MBR
* Reverting the TPer
* Reverting the Locking SP
* Using the DataStore table
For further reading, here's what looks like the spec:
http://www.trustedcomputinggroup.org/files/static_page_files/9FE14508-1D09-3519-AD7D21A695E9B8EE/Opal_SSC_1.00_rev3.00-Final.pdf
-
Re:OpenID?
Yesterday's story Senate Panel Approves Cybersecurity Bill would give the president an emergency 'kill switch' over the Internet, but added some restrictions to the bill. The president may no longer simply assert that the threat remains indefinitely, he must now seek Congressional approval after 120 days.
There is an important connection between these two stories. The "Trusted Identities in Cyberspace" system includes something called Trusted Network Connect. Technical PDF on Trusted Network Connect. Once the Trusted Identities in Cyberspace system is in place (let's call it ten years as a nice round number) Trusted Network Connect is designed to selectively ban noncompliant computers from getting internet access. In the event of a "cyber attack" or internet virus the U.S. government would have the power to shut down any or all internet connections for 120 days, and then ask Congress to extend it indefinitely. The Trusted Network Connect feature means that this shutdown can, and would, be limited to locking out computers that are not secured by the Trusted Identities system. Any computer that lacked a Trusted Platform Module would be unable to connect to the internet. The effect would be a global internet lockout against noncompliant computers. Anyone who declined to "voluntarily" opt-in to the Global Trusted Identities system would be denied internet access. Any nation that declined to comply would be locked out of the internet.
If the Trusted Identities system goes forward it is only a question of how many years it will take before noncompliant computers can and will be denied access to the Global Trusted Internet.
-
-
Physical access
You don't stand a chance. The kids have physical access and you need to be able to run mainstream software. That means any knowledgeable kid can get administrative access in a heartbeat. Then 11+ year olds will tell each other how. You are done. As for remote monitor, they are on their home routers. The phone / cable company firewall is not going to accept a TCP/IP connection you establish which means you can't do it.
The first thing you need to do is get realistic expectations or start constructing a much more secure system, which is not going to be a MacBook; you are talking encrypted drives, TPM chips, access keys on some pager which need to be plugged in for the system to work.... trusted computing group website.
Schools aren't going to pay for that sort of stuff. What you do is you set expectations reasonably, lock the system down badly, filter the minimum and have an easy way to re-image and that's it.
-
Re:Won't ever happen
The grant is from the NSF, not the DoD which implies it is more scientific in nature.
Chuckle. I wish.
The friking NSF has been pouring tens of millions if not hundreds of millions of dollars into research grants on Trusted Computing and related stuff to lock down.... oops I mean to secure... computers and the internet.
Here, take a look. That is a "Trusted Computing" search of currently active NSF research grants. I count over $36 million right there alone. Not to mention that it's likely some relevant projects slipped past that simple search, and not to mention the fact that NSF computer-related grants have been primarily directed to Trusted Computing for quite some years now.
Hell, if you do a search of NSF funding (not merely computer related funding but a search of ALL NSF funding) you get 152 documents found in 578 documents searched. That is more than 26% of ALL searched documents hitting on Trusted Computing. It seems that Trusted Computing is likely the #1 "science research" item on the NSF agenda.
Between the government initiative to secure the National Information Infrastructure against Terrorist Cyber Attack, and the influence of corporate interests, the NSF and other government agencies have become pipelines for pouring grotesque sums of money into developing and pushing Trusted Computing.
The things going on towards Trusted Computing stuff can sound like a bad conspiracy theory, but there is really nothing secret or theoretical about it. It's all publicly admitted. There are more than a hundred companies publicly members of the Trusted Computing group - pretty well every computer-related company you can name. The CPU manufacturers (Intel AMD Motorola), the BIOS makers (phoenix AMI), all the major players (Microsoft IBM Sun HP), motherboard makers, the major PC brands, the wireless and networking companies, harddrive makers, virtually every significant company in the computer industry.
And the public NSF grants for it, linked above. And the public Homeland Security effort and money for "securing" the internet, and other US government agencies, and policy initiatives suggesting a requirement for all government computer purchases to be Trusted Computing compliant - and get this - I've seen these initiatives literally STATE one of the purposes of the requirement being to bootstrap the market for such computers - explicitly STATING the purpose of huge government purchases of Trusted Computers being to establish a large and secure market demand for them so that computer companies can/will invest in mass producing Trusted Computers, in order to establish the supply of Trusted compliant computers to the general public market. I think the military did in fact adopt a policy requiring their purchases to be Trusted Compliant, but I'd have to double check on that. Ahh, I just googled, yes I was right. U.S. Army requires trusted computing.
The European Union is perhaps even more gung-ho on it than the US. They have been having all sorts of EU conferences on creating a new Information Society and securing the internet to enable that new Information Society. A google on EU "Information Society" "trusted computing" gets 18,800 hits. 23,400 hits if you search for EU "information society" DRM. There are countless published documents from these EU Information Society projects stating and detailing their desire and efforts to lock down computers and lock down the internet, for law enforcement reasons and copyright/commerce reasons a
-
Re:Slippery slope
I'll do you one better. Read about the Trusted Platform Module (TPM) that comes standard in motherboards. This chip is what would allow a 'trusted' operating system to retain control over a machine that you 'own'. Check out the specs here, here's a brief list of some of the commands that this chip supports.
- TPM_TakeOwnership - Sets the actual owner of the TPM, used by an OS upon installation.
- TPM_OwnerClear, TPM_ForceClear - Here's a relief! The physical owner of the computer can override the chip if needed...
- TPM_DisableOwnerClear, TPM_DisableForceClear - Disables the override commands, locking the TPM to the current owner. Incidentally, only the current owner can issue the disable commands.
-
Re:Interesting
If my bank asked me to go to "other bank" in order to pay money into my account at my bank and said "You'll be able to confirm that it really is other bank because they'll have paperwork signed by us to prove it" then yes, I would trust my bank.
I recently got redirected to this site when buying a rail ticket from http://www.nationalexpresseastcoast.com/
https://www.securesuite.co.uk/rbs/tdsecure/opt_in.jsp?
I was using a natwest debit card (who happen to be owned by RBS).
The site didn't work properly (I just got a blank page) but it was supposed to be asking me for various letters from a password for my card for the "verified by visa" scheme.
Was it a scam site that didn't work or was it the real site that didn't work? Can you tell from the certificate?
Or should it have directed me to
https://secure1.securesite.co.uk/
instead? (I've removed all the get parameters that were on the original URL)
What about if I'd ended up at:
https://sourceforge.net/
or
https://www.trustedcomputinggroup.org/?
How can I tell which one of those I should be trusting with my credit card details and which I should be afraid of?
Tim.
-
Re:Fire up the soldering irons...
i.e. each chip has its own key which the user can't get to, which is verified by a certificate chain (ala SSL).
if the software can't verify the chain, it will refuse. It should be obvious that this can't work. Changing the software will still work around this. Please go and read the specs if you really want to understand the idea. I did.
-
Re:Atari founder cries wolf about piracy-ending ch
It has been around much longer. It started with the Trusted Computing Platform Alliance, which was founded somewhere between 2001 and 2002 (in the Wikipedia article, there's unfortunately not much information about its history). The organization is now called Trusted Computing Group (of course, with an SSL encrypted homepage! ;-) ).
The FSF and EFF have been upset about this for a long time, and for a good reason. The initial design of Windows Vista would have included a "trusted kernel" which would've allowed only trusted applications and documents. Luckily, they could not enforce the original design.
-
Here's where the technological shackles come in..
The parents are correct, there's no way that Microsoft would be stupid enough to design an open and modular OS because competitors would rip them apart. MS may be lacking in many areas, but predatory business practices is not one of them. I'm betting that Windows 7 will re-introduce us all to one of our old friends. Remember way back when, when people were ranting and raving about trusted computing and something called the Trusted Platform Module? After all the fuss died down, plans continued as before and as a result the majority of the people reading this post have a TPM installed into their motherboard. It's a truly fascinating device (I've read an implementer's guide, it does a LOT. Go here and download the latest 'Commands' doc. Just take a look at the descriptions and capabilities of the TPM's API. It's chilling.), and there have yet to be any products that really hinge on the TPM. With Windows 7, "With Trusted Computing technology for an even greater level of security and reliability!", here's how MS can block out third party modules, even if they published the API in the Wall Street Journal:
- Installation of Windows 7: the OS communicates with the TPM and 'takes ownership' of the TPM. (The tech docs can't spell it out any clearer: the programmer controls the computer, not the user.) When taking ownership of the TPM, Windows provides the public key of Microsoft to the TPM.
- Booting the computer: During installation, Windows installs a hash of the bootloader code and the OS code into the TPM. The bootloader performs a sanity check using the TPM to ensure that it has not been compromised. The bootloader then verifies the OS against the TPM and only loads 'genuine' copies of Windows. Note that the definition of genuine is entirely up to MS; at any time the TPM can be instructed, only by its owner, to invalidate any credentials. It's perfectly possible, and in fact designed into the specs, for the TPM owner to completely disable TPM protected software at any time. Irreversibly, because the binaries are encrypted and require the TPM's cooperation to run.
- Updating Windows: Before updating, the OS instructs the TPM to provide a guarantee that it is a genuine TPM (using information manufactured into the chip), and the TPM signs MS's public key. This cryptographically proves that the computer has a TPM and that Microsoft owns the TPM. Microsoft then transmits the update to the computer, encrypting it with the TPM's key to prevent the native code from being revealed to the user or installed on a non-authenticated machine.
- Installing a module: Similar to updating, but more insidious. The user purchases a certificate to run a module, then the module is securely transferred to the machine. The certificate is stored by the TPM itself to prevent it from being read from disk or RAM by a third party. This is done for all the TPM's information. The module is then installed if and only if it is authenticated by Microsoft. This may seem to have some flaws, but that's taken care of with the following...
- Running a binary executable: The OS can require that every single binary be signed by a person who is authenticated by the owner. The TPM verifies this, and then either provides the OS with the decrypted binary or a failure notice. 'Configuration states' are a key principle here; at any time the state of the system (all programs that are running) can be saved into the TPM. This can be used for example by Windows update. The updater saves a configuration where only the core OS and the updater are running, and then can ensure that it will not update if not in this configuration. This keeps any on-the-fly memory editors out.
-
Re:Trusted Computing
Probably the same way these guys did.
Seriously, this sounds very much like Trusted Computing, only making it mandatory (heh, good luck with that, Mr. Sherman). Install a Fritz chip in every computer and make all content slowly slide toward only being usable through the TC subsystem. Extend that to players and formats, and you've got your monopoly, especially when the operating system itself can only be used on a certified system and starts only running certified applications.
The TCPA FAQ gives an insightful perspective on it, what they want you to think it can do, and what it will probably actually be used for.
-
Re:Reminds us of ATARI Falcon, NeXTstations
If this Cell inclusion could become a trend, it could lead to a lot of interesting applications.
Yeah. Interesting applications indeed.
"Cell Broadband Engine Support for Privacy Security and Digital Rights Management"
Note that that is an official IBM published technical paper on the Cell and that that is IBM's own title.
And even with that link, someone ALWAYS manages to come along and call it a tinfoil hat fantasia when I state that the Cell CPU has been explicitly designed with DRM support in the hardware. Every cell chip has one or more DRM enforcement crypto keys locked in the chip. I would gladly go into technical detail on this DRM system (I am a bit of an expert on the TPM technical specs), but apparently the only way to OBTAIN the full details on the cell system is by first signing a legal Non Disclosure contract before they'll let you see the full specs. That is the reason I had to say "one or more DRM enforcement crypto keys locked in the chip", the publicly available technical papers do explicitly state there is such a key locked in the chip and give some of the info on how it is used, but many important details are lacking. The Cell hardware is explicitly designed for some sort of Trusted Computing architecture, but too many details are missing to state exactly how the Cell system parallels or differs from the Trusted Computing Group's form of Trusted Computing.
P.S.
If anyone is aware of any available good detailed technical specifications on the Cell "security" hardware design, I would much appreciate any links you can offer to such a specification. I've seen this and other similar information, but I'm looking for something more technical and more resembling this TPM specification.
P.P.S.
If anyone has detailed knowledge on this design, please write something up on it in Cell_microprocessor. I raised this issue MORE THAN A YEAR AGO on the talk page, with the usual replies about "fantasia" and how hardware designed for DRM enforcement "is not Digital Rights Management, per se" and that "Using the term, DRM, would probably be unnecessarily inflammatory" (that last one is particularly amusing considering that IBM itself is the one being "unnecessarily inflammatory" in describing its own product!).
I haven't actually written anything into the Wikipedia article on the Cell yet because I still only have a half-assed technical understanding on the design, and maybe I'm too much of a perfectionist but I don't want to write something wildly vague and I don't want to write something that may be explicitly or implicitly inaccurate on the technical design and capabilities of the system.
- -
Re:invasive and non-invasive postings
we have already won on FAXs and on Caller-ID. Next will be eMails and executable codes. NO SIGNATURE? NO EXECUTE.
Please tell me you are not referring to the concept commonly referred to as Trusted Computing, currently spearheaded by The Trusted Computing Group. For a list of members go here.
It's terribly ironic that for an article focusing on privacy rights you mention 'winning' and Trusted Computing in the same paragraph as Trusted Computing would enable companies/governments/organizations to systematically, universally, and without user interaction, perform such tasks as:
- Digital rights management
- Prevent users from being able to modify software
- Remove control over or access to data from users
- Strip away anonymity
- Leave backdoors into computer systems
- Remote 'bricking' of computer
- Forced upgrade/downgrade of system
What makes Trusted Computing so dangerous is that this is enforced at the hardware layer (usually in the CPU). This isn't a software implementation that will inevitably be hacked within a short period of time. This is the hardware of your own computer obeying 3rd party instructions before it obeys your instructions. Granted this requires the hardware is in your computer. But if widespread enough, people not running on hardware that is "Trusted" could be isolated and any communication from it to a "Trusted" system blocked. People would effectively be forced to "upgrade" to the "Trusted" platform in order to interact with the rest of the industry/country/world/etc (forgive the use of quotes here, but in Trusted Computing words like upgrade, trust, and threat are often misleading).
BTW, if you weren't referring to the concept of Trusted Computing, then please just ignore my rant. Hopefully, though, someone finds some of this information enlightening and/or checks out some of those sources. -
Open vs Closed Trusted Computing
Unfortunately there are several DIFFERENT, INCOMPATIBLE concepts being bandied about under the name Trusted Computing. This new "Trusted Computing Project" took on that name seemingly without being aware that there was substantial work already under way on a different concept with the same name.
Perhaps to try to remedy the confusion, we can distinguish between TC as proposed by the Trusted Computing Group and other forms of TC. The TCG is an industry consortium with Microsoft, Intel, HP etc., dating back several years, originally called TCPA. Their proposal has always been controversial but IMO misunderstood.
TCG's flavor of TC is fundamentally open. I would call it Open Trusted Computing, OTC. It does not lock down your computer or try to prevent anything from running. It most emphatically does NOT "only run signed code" despite what has been falsely claimed for years. What it does do is allow the computer to provide trustworthy, reliable reports about the software that is running. These reports (called "attestations") might indicate a hash of the software, or perhaps a key that signed the software, or perhaps other properties or characteristics of the software, such as that it is sandboxed. All these details are left up to the OS, and that part of the technology is still in development.
Open Trusted Computing runs any software you like, but gives the software the ability to make these attestations that are cryptographically signed by a hardware-protected key and which cannot be forged. Bogus software can't masquerade as something other than it is. Virus-infected software can't claim to be clean. Hacked software can't claim to be the original. You have trustworthy identification of software and/or its properties. This allows you to do many things that readers might consider either good or bad. You could vote online and the vote server could make sure your voting client wasn't infected. You can play online games and make sure the peers are not running cheat programs. And yes, the iTunes Music Store could make sure it was only downloading to a legitimate iTunes client that would follow the DRM rules. It's good and bad, but the point is that it is open and you can still use your computer for whatever you want.
This is in contrast to some other projects which may or may not call themselves TC but which are focused on locking down the computer and limiting what you can run. The most familiar example is cell phones. They're actually computers but you generally can't run whatever you want. The iPhone is the most recent controversial example. Now they are going to relax the rules but apparently it will still only run signed software. This new "Trusted Computing Project" is the same idea, it will limit what software can run. Rumors claim that the next version of Apple's OS X will also have some features along these lines, that code which is not signed may have to run in sandboxes and have restrictions.
This general approach I would call Closed Trusted Computing, CTC. It has many problematic aspects, most generally that the manufacturer and not the user decides which software to trust. Your system comes with a list of built-in keys that limit what software can be installed and run with full privileges. At best you can install more software but it is not a first-class citizen of your computer and runs with limitations. Closed Trusted Computing takes decisions out of your hands.
But Open Trusted Computing as defined by the TCG is different. It lets you run any software you want and makes all of its functionality equally available to anyone. P2P software, open-source software, anything can take full advantage of its functionality. You could even have a fully open-source DRM implementation that used OTC technology: DRM code that you could even compile and build yourself and use to download high-value content. You would not be able to steal content downloaded by software you had built yourself. And you could be sure there were no back doors, -
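The attestation flow described in the comment above (hash the software, fold the hash into a hardware-held register, sign the result), as an added example that is not part of the original comment or any TCG code. `ToyTPM`, the component names and the HMAC key are assumptions constructed for illustration; the HMAC is a stand-in for the asymmetric, hardware-protected attestation key, and `check_signature` stands in for verification with its public half.

```python
import hashlib
import hmac
import os

PCR_SIZE = 20  # SHA-1 digest length, the PCR width in TPM 1.2


def measure(code: bytes) -> bytes:
    """Measurement of a component: the hash of its bytes."""
    return hashlib.sha1(code).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR extend: new = SHA1(old || digest). Order-sensitive and one-way."""
    return hashlib.sha1(pcr + digest).digest()


class ToyTPM:
    """Hypothetical model: one PCR, an event log, and a key that never leaves."""

    def __init__(self):
        self._key = os.urandom(32)   # assumption: stand-in for the attestation key
        self.pcr = bytes(PCR_SIZE)   # PCRs start at all zeroes after reset
        self.event_log = []          # kept by software, NOT protected

    def load(self, name: str, code: bytes) -> None:
        # Nothing is blocked here: any code runs, it is only measured first.
        digest = measure(code)
        self.pcr = extend(self.pcr, digest)
        self.event_log.append((name, digest))

    def quote(self, nonce: bytes):
        """Signed report of the current PCR value, bound to the verifier's nonce."""
        sig = hmac.new(self._key, self.pcr + nonce, hashlib.sha256).digest()
        return self.pcr, sig

    def check_signature(self, pcr: bytes, nonce: bytes, sig: bytes) -> bool:
        expected = hmac.new(self._key, pcr + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def replay(event_log) -> bytes:
    """Recompute the PCR a log claims to describe."""
    pcr = bytes(PCR_SIZE)
    for _name, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr


def verify_quote(check_sig, nonce, pcr, sig, event_log, known_good) -> str:
    if not check_sig(pcr, nonce, sig):
        return "bad-signature"            # forged or replayed quote
    if replay(event_log) != pcr:
        return "log-mismatch"             # log does not explain the signed PCR
    bad = [n for n, d in event_log if known_good.get(n) != d]
    return "untrusted:" + ",".join(bad) if bad else "trusted"


def boot(components) -> ToyTPM:
    tpm = ToyTPM()
    for name, code in components:
        tpm.load(name, code)
    return tpm


def demo() -> dict:
    # Constructed sample "software images".
    clean = [("bootloader", b"constructed bootloader"),
             ("kernel", b"constructed kernel"),
             ("client", b"constructed client v1")]
    patched = clean[:2] + [("client", b"constructed client v1 + patch")]
    known_good = {name: measure(code) for name, code in clean}
    results = {}

    tpm = boot(clean)
    nonce = os.urandom(16)
    pcr, sig = tpm.quote(nonce)
    results["clean"] = verify_quote(
        tpm.check_signature, nonce, pcr, sig, tpm.event_log, known_good)

    # A quote captured earlier does not answer a fresh challenge.
    results["replayed"] = verify_quote(
        tpm.check_signature, os.urandom(16), pcr, sig, tpm.event_log, known_good)

    tpm2 = boot(patched)   # the patched client still runs
    pcr2, sig2 = tpm2.quote(nonce)
    results["modified"] = verify_quote(
        tpm2.check_signature, nonce, pcr2, sig2, tpm2.event_log, known_good)

    # Patched software presenting the original digests in its log.
    forged_log = list(known_good.items())
    results["forged_log"] = verify_quote(
        tpm2.check_signature, nonce, pcr2, sig2, forged_log, known_good)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:11s} {verdict}")
```
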
Re:If the owner controlls all the keys, its fine
Trusted Computing is only bad if the owner of the hardware does not have control over the software on the machine, the hardware keys etc.
The only problem is that the whole point of Trusted Computing is to keep the keys used to attest to the state of the PCR completely unavailable to the user. Read the spec: https://www.trustedcomputinggroup.org/specs/TPM/ -
Re:v1.2 of the Trusted Platform Module
So having a TPM in my box magically means my vendor wants to eat me, and I'm a stooge for wanting the virtually undefeatable security it would offer should I use it properly.
Even if an attacker physically stole my TPM-enabled computer and applied NSA-level secret awesome techniques to it, they could not get the keys I stored with the TPM. Which is the entire POINT of the module according to the spec.
No matter how many times I tell this to my friends who have the deep, unwavering belief that TPM = evil, their eyes glaze over and they change the subject. It REALLY irritates me, in case that wasn't bloody obvious.
-:sigma.SB
-
much...
...more interesting than a link to a marketing blurb would be a link to the TPM specifications. Actually, I do trust a platform - until it's "tpm-enabled".
-
Re:It's those pesky users that are the problem.
All of this is technically possible now via the full utilization of TPM.
Sure you would be able to run a compiler and debugger in your own virtual machine, but all the "trusted" operating system and media player/viewer code would be required to run in the hypervisor... And you would need an appropriate certificate and vetting in order to be one of the inner circle of the hypervisor programmers.
All of this creates a platform where you cannot trust your computer because you do not know if your unscrupulous multinational corporate competitor has a hypervisor certificate that is reading your product designs...
Of course it will be presented as an "optional" feature for you.... If you want to connect to the internet or watch a movie or listen to music, you must be in "trusted" mode.
--jeffk++
-
Re:Old and busted: Bill Gates New hotness: Steve J
One company is buckling to industry pressure and including DRM, the other has a fricking Trusted Platform Module in every new computer it makes. The double standard is infuriating.
TPM isn't restricted to the Apple line, so there's no double standard. A quote from https://www.trustedcomputinggroup.org/faq/TPMFAQ/:
Are systems with TPMs available?
Desktop, notebook and tablet PCs with TPMs are available from Dell, Fujitsu, HP, Intel, Lenovo, Toshiba and others.
More here and here. In fact, it's becoming more difficult to find a manufacturer that *doesn't* implement a TPM.
Besides, it's not the addition of a chip on the motherboard that's the problem, rather how and where it's used. As far as I'm aware, it's currently unused on Apple hardware; Microsoft however require it for BitLocker in Vista.
-
Re:Not really cracked, more like circumvented
You need a private key (or whatever bit of proprietary information -- I'm not an expert on this stuff), and you can't get one unless you're a member of the Trusted Computing Group. And even if you were a member, they wouldn't let you do something contrary to their goal, which this most emphatically would be.
-
Re:TPM encryption
Secure storage that a USB key that is not kept with the PC cannot.
But that USB key must be kept somewhere, and unless you have a safe to keep it in, it's never going to be very secure.
TPMs, in your scenario, do nothing beyond lock data to a machine... not something that is valuable to 99.99999% of the population
Nonsense. It's extremely useful to lots of the population. Not really home users, but businesses have *lots* of uses for it. I design and build high-security applications for a living, primarily around smart cards and PCI-based crypto coprocessors, and TPMs provide a solution to dozens of otherwise insoluble (actually, too-expensive-to-solve) problems.
And yes... you do need to be running locked down signed software in order to ensure that TPM stored keys are safe. You were just flat out lying about that.
I really shouldn't even respond to a statement like this, especially from an AC, but you're dead wrong. What I described is exactly how TPMs work, and there are already a couple of projects to build high-security Linux systems that make use of a TPM in this way. Signing of software is irrelevant. I'm not sure what you mean by "locked down" software. In order to get useful security out of a TPM you do have to ensure that your software is sufficiently secure that an unauthorized person can't use your TPM when the machine is booted into the correct configuration. That sort of locking down is necessary, and very hard to achieve.
If you want to understand, in great detail, exactly what TPMs do, the specs are online. If signed, "locked down" software is really required, by all means point out the section of the spec that describes it.
-
TRUSTED COMPUTING HARDDRIVE
The product mentioned in TFA is all about controlling your computer and your data and keeping unauthorised people from abusing it. What kind of crack is the parent smoking?!
The "crack" he is smoking is that he appears to be well informed on the subject, and was almost certainly aware of certain information and facts that did not appear in the TFA.
TFA is essentially a corporate press release, and of course they don't discuss DRM, and they spin the hell out of it to advertise it as a Good Thing for you. A perceptive reader could have picked up on that fact when the article said:
"Seagate said it has already implemented the technology into one of its drives for laptops and another for digital video recorders. "
Yes... digital video recorders... because of course customers like you and I have been in desperate need of strong cryptographic locking to protect our recording of American Idol when someone steals the harddrive out of our DVR while leaving the DVR unit itself behind.
This Seagate DriveTrust system is in fact designed for DRM and it is in fact designed as a component of Trusted Computing, to secure computers against their owners.
Just because a product/technology (and the story about it) does not mention DRM or Trusted Computing does not mean that it is not actually a Trusted Computing DRM system. Companies know that people do not like or want DRM, and that they do not like or want Trusted Computing, and that their products will receive hatred and very bad press from some people if they know about that, so they bury the DRM / Trusted Computing aspect and hype the hell out of the supposedly pro-consumer angles and they abuse the hell out of the word "security". They use the word "security" in a sense that actually means securing the product against the owner, and rely on the fact that people assume that the word "security" is a positive thing for their benefit.
Every two weeks or so, I spot exactly this situation with some product or technology story running on Slashdot. A story on something that covertly incorporates Trusted Computing, and the story completely misses that aspect. In fact I last caught this just 10 days ago in the Networking For Overconvenience story. The story made it sound like it was about fairly boring ordinary pro-consumer networking for home appliances. But as I posted here, I located the technical PDF on it specifying the security chip and the encryption to be secure against the owner.
The anti-consumer anti-owner Trusted Computing is proceeding full speed ahead. The primary plan to successfully deploy Trusted Computing is to do it by stealth to avoid criticism, backlash, and consumer rejection. Countless products and projects are going Trusted Computing based, and burying that fact in obscure technical specification documents and without using the words "Trusted Computing".
It's not paranoia or a tinfoil hat conspiracy theory when there is an industry consortium involving hundreds of companies OPENLY dedicated to it. It's not paranoia or a tinfoil hat conspiracy theory when the technical specification documents for various products and projects include it. It's not paranoia or a tinfoil hat conspiracy theory when Intel and AMD and the new Cell Processor all publicly document the fact that they are introducing CPU support for it. It's not paranoia or a tinfoil hat conspiracy theory when IBM runs -
Re:well...
So let me get this straight. What you are basically saying is "Don't judge them by what they do, judge them by what they say!".
Not in the slightest. I know what they have done, and I know that it sucks, and I make it clear that I think it sucks, but I don't assume that it's a guarantee that they're going to exploit it in the way other companies will in the future. Apple could just as well have made their own chip for this purpose and no one would be the wiser. (This is an argument that could swing both ways, yes, but I think it was because they needed a good dongle, and this saved time and cost.)
Why is Microsoft (to take the most prominent actor in all this) doing this? Because one of the few legitimate excuses for the TPM initiative - and the one Microsoft pimps, naturally - is to restrain access to sensitive corporate data. (Nothing that couldn't be done in software with a number of other techniques, though, but they wouldn't tell you that.) Microsoft is already big in business and they want to anchor their position even more with this technology.
Then consider Apple. Not historically great within corporations but looking to expand, sure. The trouble is, they already launched their solution to the same problem. (Their solution is called FileVault and hardwires an encrypted disk image within the actual home folder to mount as the home folder.) What excuse would Apple use to promote the "trusted computing" features (note: the actual features, not the mere presence of the TPM chip) if they were to implement them? What upside would there be to customers? And perhaps the most important question: when this technology strikes on the Windows side of things, why wouldn't Apple want to say "come here, we don't serve their kind" and make it another argument for their platform?
I don't think it'd make business sense to implement "trusted computing" features for Apple, and I certainly don't think it'd make business sense for them not to exploit the fact that they don't have it when it starts appearing as a fixture in the pedestrian PC a few years into the future. I don't deem it completely impossible for Apple to sneak in "trusted computing" into the Mac platform, but I do think it's very unlikely (especially when taking into account the image Apple wants their computers to project), and I don't think you'll be worse off on a platform that has the chip but doesn't use it than you'd be on a platform that's planning to integrate the chip and use it but hasn't gotten around to it yet.
One last thing: Apple is not in the list of members or adopters on the Trusted Computing Group's web site, even though they carry the chip. I take this to be in favor of my "it's just a dongle" theory.
-
Re:Suuuure
As far as the principles of cryptography are concerned, it is. You apparently don't understand this.
Dude, it's not. I already explained this in other comments, but I'll repeat here:
- a message is compromised when an attacker can perceive it with eyes, ears, or analog recording devices.
- media is only compromised when an attacker can access original, digital, undegraded source material.
You have to present an unencrypted version of the content to the user.
Only in analog form. There is no requirement that you present an unencrypted digital version of the content to the user. Analog content is already degraded.
On a more practical note, it is already possible to simulate the operation of a TPM chip.
Yes, but your simulated TPM chip will not have the private keys that your real TPM has. It is possible to put infrastructure in place that certifies that a TPM's public key corresponds to a hardware-based, "trusted" TPM. The Trusted Computing Architectural Overview defines a series of credentials which cryptographically certify things about a TPM or a computing platform. TPM-enabled software could be written that does not trust a TPM (and its key) until it sees a signed credential that the TPM is conformant and based in hardware.
Also, TPM is not the only means for doing this: the private keys can be embedded into the display hardware itself, so that no component of the computer itself ever sees unencrypted content.
It has never been about creating an impenetrable fortress that you cannot in theory get around beyond using brute-force methods. Because this is impossible, and the theory says so. Ignore me if you want, but it's true.
It is possible to create systems where no part of the system but some silicon in your display device ever sees unencrypted digital data. You have no effective rebuttal to this. -
current TPM implementation on all Apples
leaves much room for speculation as to the true 'security' of this system.
While it's all well and good to discuss system security from the standpoint of the software, it is a moot point in light of an insecure hardware implementation.
'I don't want to get on a rant here but...'
The Trusted Computing Group (the industry group responsible for TPM (previously known as Palladium, TCPA etc.)) has posted their best practices and principles for the use of TPM.
You will note (if you bother to read these) that the aims of the TCG are to:
i. preserving privacy, backward compatibility, and owner control
ii. promoting ease-of-use
iii. designing the technology so that it is interoperable
iv. ensuring that the user's data, while secure and protected, remains portable and accessible as needed in alternative modalities
Is it me, or is it curious that Apple is not a member of the TCG, nor have they implemented the TPM Control panel that is requisite with its implementation? There is NO end-user control or validation of the settings of the TPM. Therefore, no-one, save your remote Cupertino overlords will know who it's set up to trust! How cool is that?
Given the properties of transitive trust relationships, I'm sure you ALL want to trust Apple, and hell, while you're at it, ANYONE they trust (No Such Agency comes to mind here) How cool is that?
At least with all of the Windows based offerings, as flawed as their software implementation is, they give you the OWNER of the PC hardware the respect of letting you see how it's set up. That makes me feel a damn sight more secure than what Apple is currently foisting on an unsuspecting public.
With an Apple computer it turns out you're not BUYING a PC, but RENTING an EXPERIENCE. Because with the TPM shipping enabled, it's definitely remotely owned. -
Re:Need to hold ISP's responsible
Bad idea. If you hold ISPs responsible, they will have no choice but to interfere with what you do with your computer. They won't let you connect to the net unless you are running Windows build #XXXX with firewall Y and antivirus Z. This can easily be done with Trusted Computing and Trusted Network Connect.
Both of these technologies are great for corporate networks, but I hope you can see where this leads if they become mandatory on your personal machine.
AC
-
Re:Missed the Memo
"It is an interoperability hell from a competition perspective and an interoperability paradise from a platform perspective. Happiness in proprietary slavery?"
"Hypocrite much? Microsoft pushes Trusted Computing on you, is threatening to lock users out of hardware space altogether, and you're going to talk to us about Open Standards and Proprietary Slavery?"
You sir are the hypocrite. Apple's Intel Macs already contain a Trusted Platform Module chip, currently used by Apple to make sure that OSX doesn't run on a non-Apple Intel system.
-
According to lenovo, trusted computing is future
These people are on the active promoters list on the official website of the trusted computing initiative.
I can tell you one thing about their future, it won't involve my dollars. -
McLuhan says...
The medium IS the message...
The message is buy a macintosh...
The only TPM equipped machine that is shipping with the TPM ENABLED by default, completely contrary to the specification. For those of you that can read a chip spec please feel free to go to TCG and read up on the chip and what it does. Enlightenment is a fine thing. One of the most interesting things to note is that in all specs the DEFAULT setting recommended is disabled. By shipping the TPM enabled, it implies remote ownership. This means, although you have a macintosh in your possession, you don't actually 'own' it, Apple does. But we all trust Apple with all of our data, don't we?
Interesting that there's a 'perfect storm' with a media confluence supporting the uptake of Apple equipment, yet the equipment is not HIPAA nor PIPEDA compliant, in that there has been a complete lack of disclosure of the presence of the chip. Check their system specs to find out.
Isn't it more interesting to note that Microsoft is unable for the first time in more than a decade to release an OS?
Transitive trust for everyone! -
unless of course there's collusion, which there is.
in which case if you don't buy the restricted hardware, then you don't buy at all.. thank you trusted computing group.. (or whatever it is name you are this week to try to avoid people calling a spade a spade by warning about the draconian DRM you're pushing)
-
Next Generation Security
Hi all,
TCG/TCPM stuff, though not completely finished (the DAA mechanism that was introduced in v1.2 is a good example of how the TCG adapted to outside criticisms, and they're starting to work on v1.3) and surely not understood (the word "trust" is a huge factor in that), is having the same effect as PKI a few years back. Except that nowadays times of ignorance and fear (in particular of the big companies behind the TCG) multiply this effect by thousands. "Trust" is more and more acting like the point of concentration of the security problems, its complexity being coupled with new emerging (and very innovative) threats.
First think of the TPM as a chip that provides standard cryptographic functions (RSA, SHA-1, HMAC, AES), so instead of doing it in software anyone will be able to use hardware implementations. Furthermore there are facilities for key creation and management. With the special focus on this "security chip" (such chips already existed in various forms), the designers hope to improve drastically the level of security of modern computer science (95% of emails are spam, botnets of millions of computers, hackers make huge money out of their job, ransomware, etc. etc.).
Obviously this TECHNOLOGY (and please always keep this in mind: it's a tool, it is to be used by other applications, most importantly OSs, to improve security; apart from secure boot, that is not compulsory at the moment, there's no obligation to use the TPM even if it's here) is not perfect, it will evolve. It will have to CONVINCE, to get TRUST. As I'm saying to most of my Trusted Computing colleagues, I think that challenges set by the opponents of TCG are actually a means to improve the security of this technology (but beware of popularity-seeking criticisms, not all the criticisms are well-founded).
Read the FAQ:
https://www.trustedcomputinggroup.org/faq/TPMFAQ/
-
Re:Why not use their own weapon?
If you don't know what the fuck you're talking about, then don't post at all! Obviously, you've never heard of the "Trusted" Platform Module, which implements the DRM in hardware where the private key can't be recovered by doing anything short of disassembling and analysing the chip itself.
In other words, even if your proposal made sense, it would still play right into their hands!
-
Re:Stupid
-
Re:TPM
Woh! Who put a third image on that page.
I'm now convinced. It's this:
https://www.trustedcomputinggroup.org/news/press/member_releases/2005/Infineon_Release_053105.pdf
"""
Infineon Announces Trusted Platform Module to Enhance PC Security;
Technical details on Infineon's TPM (SLB 9635 TT 1.2).
"""
Which is the serial number in that lower photo.
I said I could easily be persuaded, didn't I? :-)
-
Re:How about a noose instead?
I'm a firm anti-copyright believer, I see no reason for copyright anymore now that information is so readily available (high supply, low demand, zero price). DRM is merely an attempt at the media distribution cartels to try to stranglehold the market of the various media.
I don't know about being "anti-copyright". Copyright in small doses is useful for encouraging the creation of new works (just as it was intended to be). The problem is that, like most things, we seem to have headed down the road of "if a little is good... a lot must be even better."
Besides that, DRM is nothing to do with copyright. Copyright is a smoke-screen... DRM is about control. To enforce DRM, you must control what applications can run. You must control, centrally, the development and deployment of all digital devices. It's madness... unless, of course, you happen to be one of the companies that will hold the keys and control development. For anyone else, it's Big Brother time... because as we should all know by now... DRM isn't just about music and video. It's about digital information -- from word processing documents, to emails, to spreadsheets, to applications themselves.
-
StarForce will be obsolete soon
StarForce encrypts the executables, so for it to run you need their special driver (causing system crashes, etc.) Once TPM chips are in our new motherboards companies don't have to worry about the side effects of invasive copy protection, it will be incorporated seamlessly into our new hardware. Problems Solved! http://trustedcomputinggroup.org/
-
false
You know, IBM *does* like TPM