AMI Guy Talks About TCPA, Palladium, and Other BIOS Issues

We ran the "Call for questions" Monday, January 13, under the headline, Discuss BIOS and Palladium Issues With an AMIBIOS Rep. Note that Brian Richardson, AMI sales engineer, is a real engineer, not just a salesperson, and is also a staunch Slashdot reader who knows we have low tolerance for PR whitewashes around here. Brian's answers are real, not laundered, and he responded not only to the 10 questions we sent him but also to some he felt deserved answers even though they weren't moderated all the way up. Please note that in much of this interview he is speaking as "Brian Richardson, individual," and that his opinions do not necessarily reflect those of AMI's management. With that said, be prepared to learn a lot about the BIOS business, and how TCPA and Palladium relate (and don't relate) to it.

Preface:

I thought it might be handy for the audience to know who's handling their questions ...

My name is Brian Richardson. I work for American Megatrends, Inc . (AMI). AMI is a privately held company located in Norcross, GA (just north of Atlanta). We employ approximately 400 people worldwide (about 200 in the United States).

I am a "BIOS Sales Engineer", responsible for handling technical issues related to selling and marketing the AMIBIOS8 , our latest BIOS code revision. This includes writing whitepapers, demonstrating products, answering technical sales questions, speaking at industry conferences and handling requests from the press that may require more than a passing knowledge of technology (like this one).

I started at AMI in 1996. I've been in this job for two years. Before that I wrote BIOS code for our notebook team and helped design our Software Quality Automated Testing (SQuAT) system. I also maintain several company intranets and our Bugzilla server, used for tracking bugs during BIOS development.

In spare time, I serve on the board of directors of Tech Corps Georgia. I also managed the Hardware section of linux.com (old articles are archived at linux.omnipotent.net).

This interview covers BIOS in general, but the questions have a heavy slant towards TCPA & Palladium. I'm sure I won't address everybody's TCPA related questions here. AMI has a "TCPA and AMIBIOS8" whitepaper at our website which discusses AMI's implementation. There are also links to other information on TCPA.

To answer some of the more unusual questions that didn't make it into the Top 10:

• You use XOR to clear a register instead of a simple MOV instruction because of the instruction size (XOR uses a two byte opcode, MOV uses three bytes). The savings in space really adds up after a while.

• We haven't finished 1394 boot yet, but we do have USB & USB 2.0 boot support

• I don't know, I've never met Satan ... but I have been to WinHEC

Now on to the questions ...

1) On the Exclusionary Uses of TCPA

by the-banker

Is it (will it be) possible to use TCPA to effectively lock-out certain operating evironments from various services (software, media, etc) solely because the operating environment is not backed by a company, and has no mechanism for paying certification fees and licenses? Specifically, could TCPA be used against free OS's like Free/Open/netBSD and Linux to prevent those users from accessing the same content users of commercial OS's can?

Let me start out by reminding the audience I am not a security expert. I have been reading specs like a madman the past week, expecting such a question from the /. audience. I'm also not a professional TCPAadvocate ... my understanding of TCPA is in relation to what AMIBIOS must do to enable the TPM(a hardware component required by the spec). I'm going to refer toTCPA specifications & FAQ a lot, so verifying my answers will be an exercise left to the reader.

Your question brings up a lot of common issues people seem have with TCPA:

1. What does TCPA do?

2. What does AMIBIOS have to do with TCPA?

3. What is the licensing structure?

4. Can open-source software make use of TCPA?

5. Does this have anything to do with Digital Rights Management (DRM)?

Let's see if Brian can hash his way through these items in some sort of order ...

a) What does TCPA do? TCPA is an industry specification that defines mechanisms for "trusted" client/server interaction ("trust" and "security" are two different things).

TCPA works in a very similar fashion as other key-based security mechanisms (SSH, PGP, SSL). Transmissions are secured by hashing against a key. Keys tend to be very long (128 bits or more), so it is difficult for "bad people" to guess your key. In many mechanisms, the key also serves to identify the user (proof that they are who they say they are). This key is often contained in a file or some sort of removable media, like a smart card.

TCPA adds a few elements to this security scheme:

1. More keys and longer keys (some keys are 160 bits, most are 2048 bits)

2. A crypto-processor to speed key computations

3. Secure key storage on the system mainboard

4. Establish platform "trust". The two excerpts below are taken from the TCPA FAQ:
   12. What do you mean by trust?
   The ability to feel confident that the software environment in a platform is operating as expected. This is done by reliably measuring and reliably reporting (using aliasing) information about the platform.
   
   Another such benefit is improved control of access to data. Previously such access has depended upon authorization or authentication. Now such access can also be linked to the state of the software in the platform. This enables the denial of access to data if rogue software, such as a virus, is introduced into a platform, because such introduction necessarily changes the software state of the platform.

The crypto-processor and key storage are provided by the Trusted Platform Module (TPM). A TCPA enabled system will have a TPM on the motherboard. This TPM can be disabled, as per TCPA specification, if the user wants to opt-out.

One concern is that TCPA is equivalent to a unique identifier on your computer, which causes a large number of privacy concerns. There's a large section of the FAQ (Item #13) that covers this topic:

The solutions support privacy principles in a number of ways:

1. The owner controls personalization.

2. The owner and user control the trust relationship.

3. Provides private object storage and digital signature capability.

4. Private personalization information is never exposed.

5. User keys are encrypted prior to transmission.

6. Supports multiple certificate authorities giving the user choice.

It is also important to know what the solutions are not:

1. They are not global identifiers.

2. They are not personalized before user interaction.

3. They are not fixed functions - it can be disabled permanently.

4. They are not controlled by others (only the owner controls).

b) What does AMIBIOS have to do with TCPA? The TPM requires initialization during BIOS POST. This allows what they refer to as "metrics" to be stored that help establish that the BIOS & OS can be trusted (i.e. haven't been h4x0r3d). Our "TCPA & AMIBIOS8" whitepaper has more information.

c) What is the licensing structure? There isn't one. From the TCPA FAQ:

10. What are the licensing and/or royalty arrangements for the technologies outlined by the TCPA specification?

The TCPA spec is currently set up as a "just-publish" IP model.

d) Can open-source software make use of TCPA? Yes. From the TPM FAQ:

18. Does the TCPA support open source systems?

Yes. The ability to use the TPM functionality is available to all developers of software. An open source project could determine to use TPM functionally today. The concepts of measurement, protected storage and attestation of measurements are fundamental concepts that hold true for any type of OS or application. The platforms that support TCPA today are not limited to only one OS and if open source developers provided applications that used the TPM functionality they would find support.

Remember ... SSH, GPG and SSL aren't any less secure because they're open-source. The whole point of key-based security is that you can't see the data without the key, even if you know the decryption mechanism.

e) TCPA & DRM? This question wasn't directly asked, but it's on everybody's mind ...

TCPA has been connected to proposed legislation that would require "content protection" on most digital media devices (including PCs).

While somebody could write a DRM application using the TPM, they could also write one without it. Non-DRM applications can be developed under TCPA. The example I thought of is an improved VPN for companies that are super-paranoid about their data (think about it ... 2048 bit keys, no hash load on the system CPU, ability to tie accessibility to a unique platform).

Adding TCPA & a TPM to a system doesn't automatically add DRM to a platform. Some application has to tie the TPM to the "media" being "protected". Merely adding TCPA to AMIBIOS doesn't constitute DRM:

Captain: What happen?
Mechanic: Somebody set up us the DRM.
Cats: How are you gentlemen !! All your BIOS are belong to us.

2) Advantage

by TedCheshireAcad

What is the advantage to me, a Linux using consumer, to buying your product over those of your competitors?

First, the short answer: a proven and stable product based on nearly two decades in the PC industry, with support for the latest technology.

Now, the long answer: Let me give a little background on how BIOS gets onto your average motherboard. I know that's not what you asked, but it will explain product design and benefits to the end user.

AMI markets AMIBIOS directly to the motherboard manufacturer, who we see as the actual "BIOS customer". So many of our features are oriented to motherboard manufacturers or BIOS developer. The end result of using our codebase is to produce a stable BIOS for the motherboard manufacturer's customer (that's you, the end user).

You can break these down three major areas:

1. Code structure (ease of development, tools, source management, etc.)

2. Technology support (OS, chipsets, processors, peripherals, etc.)

3. Support after the sale

a) The "BIOS core" is a different code component from silicon support code. The same applies to our technology support modules (ACPI,USB, TCPA, ASF, SMBIOS, APM, etc.). This allows board developers to pick just the code they need for their system. An embedded Linux board for an industrial controller has different BIOS requirements than the typical "white box" motherboard (OS compatibility, supported hardware, power management, etc.).

AMI also developed a custom GUI to make BIOS development easier (Visual eBIOS, or VeB). Believe it or not, most BIOS development happens at the DOS prompt in x86 assembly code. We found it harder to get new engineers comfortable with DOS-based development (DOS is 22 years old, so is the average college graduate). VeB also incorporates source control, so engineers manage the code from the same place they edit the code.

b) Technology support is pretty broad. We have to work on new chipsets, technologies and devices while keeping backwards compatibility for older hardware we'd rather forget about. This involves a lot of work with hardware vendors (Intel, AMD, ServerWorks, nVIDIA, etc.), software companies (Microsoft, RedHat, etc.) and technical specification groups (there's one for most every acronym out there). As you might imagine, there's a lot of testing to make sure all these things play well together.

Technology support also applies to features that don't have cool three letter acronyms. One example of this is "Fast POST" (POST is Power On Self Test, BIOS execution from power-on to OS bootloader). There was customer demand to boot the PC faster. This pressure came from Microsoft for a better overall user experience (yes, the obvious joke is "boot speed doesn't matter when you don't have to reboot so often" ... but I'm taking the high road). So now Fast POST is standard in AMIBIOS8.

c) "Service after the sale" sounds like something you hear in a men's clothing store, but it applies to BIOS as well. Customers expect bugs to be fixed, new features to be added, and a voice on the phone when they can't quite figure out which bit goes where. Some customers develop using our source code (as a licensee), while others use our engineers to create their BIOS (as contractors).

That might have been more of a sales pitch than you were expecting (sorry). There's more product information at the AMIBIOS website.

3) Performance hit

by oliverthered

I assume that data pathways will be signable or encrypted in some way. What performance hit will the [operating system] take when using trusted system? e.g. How much extra data is added to form a signature, what methods are used for signing. and how will this benefit the end-user?

A: I assume this is in reference to TCPA, so I'll use what I know of that spec to answer the question.

Everybody who's used SSH or SCP has experienced computation overhead from data encryption. That's the main reason TCPA has the Trusted Platform Module (TPM). Along with storing keys, it had a dedicated crypto-processor to handle random number generation, hashing and digital signatures. Due to the size of a security key, these hash computations add overhead (overhead == delay).

In TCPA, the hash/generation stuff is offloaded to the TPM. Since this dedicated processor does the work, the main system processor doesn't have to. The TPM is also a function specific processor, meaning it's optimized for security tasks (translation: faster than your general purpose x86 CPU). This is a good thing, since most of the TPM keys are 2048 bits.

If you look at Transmeta's recent security press release, you see the same functionality. Although this story was reported as Transmeta releasing DRM, they are actually providing an integrated crypto-processor in the TM5800. This function-specific processor is accessible through an extension to the x86 instruction set (similar to MMX or 3DNow!). The difference between this & the TPM is how you access the functions.

Sidenote: does any open-source developer want to check if these extensions could be used to improve SSH, SCP or GPG performance?

The signing methods and potential benefits are outlined in the TCPA specification and FAQ.

4) Why are BIOSes closed source?

by mcelrath

Having recently had a lot of trouble with my laptop's BIOS, on an issue that I could most certainly fix if I had access to the code... I started wondering what benefit AMI and other vendors have by keeping BIOS code secret? I can think of none whatsoever.

An open-source TCPA BIOS might go a long way to alleviating the fears of the open source community, since we could see exactly what it is you're forcing on us. And hey, no doubt you'd get a few bug-fixing patches in return for your efforts.

So, is an open-source BIOS a possibility? (TCPA or otherwise)

Just to get this out of the way:

1. AMI isn't forcing anybody to take any product offering, TCPA or otherwise.

2. TCPA doesn't block open-source (see #18 in the TPM FAQ @ trustedpc.org).

3. The TPM Memory Present (MP) driver BIOS uses during POST isn't open-source (it's provided by the TPM manufacturer).

This was the focus of a linux.com article several years back. There's plenty of advantages to open-source, but there are two main reasons for closed source BIOS: Legal Restrictions & Economics.

The creation of an open-source BIOS isn't limited by the BIOS itself, but by the information required to create the BIOS. Let me take a second and explain how the BIOS works at a programming level. This may seem like a tangent, but it helps explain issues faced by open-source BIOS developers (just think of it as Good Eats for BIOS).

There's three major components of any BIOS:

1. Core Routines

2. Silicon Support Routines

3. Board Specific Routines

The core can be equated to the kernel of an operating system, except that it comprises a larger percentage of the codebase (both in functionality and actual code size). This is everything that's generic from one BIOS to the next.

Silicon Support applies to the chips on the board initialized by the BIOS (processor, northbridge, southbridge, I/O, flash). BIOS core routines will call silicon routines when hardware configuration is required. These routines are created according to an API, so swapping any of these code modules doesn't affect the structure of the core.

Board Specific Routines represent the motherboard manufacturer's configuration. If you look at motherboards from two manufacturers that use the exact same silicon components, you might expect the BIOS from one board to work on the other ... but you'd be wrong. The small hardware changes that differentiate Board Vendor A from Board Vendor B have a large impact on the BIOS. PCI Interrupt routing, chipset General Purpose I/O pins and other parts of vendor's "secret sauce" go into this BIOS layer.

"Fine," you say, "but what does this have to do with open-source BIOS?"

I'm sure you've noticed that there's a BIOS ready for a chipset the day it is announced. AMI and other BIOS companies don't just come along the day of the silicon release and slap a BIOS together. We work hand-in-hand with the chipset vendor for months before the release. They send us an alpha board, we boot it ... they send us a beta board, we add more features ... they send us final silicon, we validate it.

Now remember that this hardware isn't public when AMI gets it. AMI has to sign a has to sign a Non-Disclosure Agreement (NDA) to get a development board or advance specifications, which means we can't tell anybody what we know about the product. Vendor-supplied reference code (memory detection, bridge configuration, etc.) is also covered under NDA. AMI also signs NDAs to cover the motherboard manufacturer's confidential information.

So the BIOS that ends up on those motherboards is constructed using information we can't release to any party not covered by NDA. You might be able to understand how this doesn't fit into to the open-source model.

So an open-source BIOS developer has a big dilemma ... they need access to information, but legally can't include it in open-source code. Many chipset vendors provide information after their chipset is released, but not many board vendors hand out schematics. Reverse engineering might reveal this information, but some items controlled by the BIOS can damage the system if not set properly (data corruption, overheating, smoke, flame, etc.) ... so random bit flipping may not be the answer. And nobody wants to get into the legal issues of using disassembled code in place of reverse engineering.

I think the closing statement from the linux.com LinuxBIOS article still applies ... "The real question isn't if an open source BIOS will ever work on a handful of platforms, but if it will ever become viable for mass market across many platforms."

There's another issue that comes into keeping AMIBIOS source code closed (or for that matter anycommercial source code). This has to do with economics.

This is where I change hats from "AMI company representative" to "average techno-Joe". The next few paragraphs are my feelings, not necessarily those of my employer or anybody else on the planet.

I personally like the idea of open-source, and I use a lot of open-source programs at home and work (Mozilla, OpenOffice, RedHat, Mandrake, ClarkConnect, PostNuke, perl, php, Bugzilla). But I also buy and use regular closed-source programs (my DV editing and VCD/DVD authoring tools). The choice isn't whether or not the source is accessible, but if the tool fits my needs.

In either case, those programs are the product of somebody's time (in most cases, a large group of bodies). They're a conglomeration of people's ideas, a manifestation of their talents, and monetary investment (open-source isn't free to develop, somebody bought that computer hardware). Those people, and whatever company funded their efforts, have the choice to distribute their product anyway they choose.

If a company wants to go open-source, then they can't make money selling source or seat licenses. RedHat doesn't make money selling code, they make money selling a code package and support for that package. My company doesn't operate that way ... in the realm of BIOS, money is made licensing source and selling per-board licenses. That's the way every BIOS vendor makes money.

That doesn't mean there's no open-source within AMI (perl/php/PostNuke/apache intranets, Bugzilla bug tracking, ucLinux on our MegaRAC G2 management card). But the choice to go open-source is done product by product, company by company.

In an industry driven by innovation, many companies feel they loose competitive advantage by opening their source ... if everybody has access to their ideas, then why buy their product over another? That mentality may not fit well with open-source, but these inexpensive computers we currently enjoy are the product of market forces. If there was no profit in computing, would Intel and AMD even exist?

Thus ends my personal views ... back to the actual interview ...

5) Technical Explanation of BIOS Settings

by doppleganger871

I have been doing research on BIOS settings for many years, and I have found good articles on what the settings do, and how to tweak them for the best performance/stability mix. But, I would like to know if the BIOS manufacturer itself would be able to provide an in-depth manual of all the BIOS settings, and what exactly they do. All the manuals that come with motherboards are very short on explanations, and I would like to see someone within the company actually explain to us hardware enthusiasts the down 'n dirty, nitty gritty, dirt under the rug, needle in a haystack type of information that we could use to make our computers run the absolute best they can. Because, as we all know, optimizing software and firmware is a lot cheaper than upgrading parts.

A: I wish I had a great answer for this. Despite my verbose nature, there's not enough room in this interview to discuss every setting that is or will be in the BIOS. Some of the basic settings are covered in BIOS setup manuals, and a few websites do a good job of explain the ugly details. The problem is that those "cryptic" options change for every chipset on the market.

We're always looking at product improvements, and that includes documentation. Our setup manual is a generic template, designed for the motherboard customer as a starting point for their manuals. The "chipset specific setup information" is part of a new documentation effort within AMI (we talked about in meetings this week).

Outside of that, optimizing settings for a specific combination of board, memory and processor is still trial and error (tweak, reboot, benchmark, swear ... tweak, reboot, benchmark, swear ...). I don't know if better documentation will change that.

6) "Trusted" computer

by michael

A few related questions:

a) Isn't the goal of "trusted computing" to allow entities other than the owner of the computer to control what the owner does with his/her hardware? For example, "trusted computing" applied to music implies that the music publisher gains control over what the computer owner can do with the music data files. Isn't this the exact opposite of "trust" as that word is normally used - a trusted computer is one that can't be trusted by the computer's owner to perform the tasks asked of it, because other entities have veto power over the computer's actions?

b) Companies like AMI have repeatedly claimed that they aren't part of Palladium. However, isn't it true that without AMI's trusted BIOS (and all the other components necessary to build a "trusted computer"), Palladium wouldn't work? Why does AMI think they shouldn't be held responsible for enabling Palladium and similar schemes?

c) In what way does AMI benefit, financially or otherwise, from introducing a BIOS designed to make the computer it is installed in less useful to the purchaser of the computer? Please avoid saying that this is "optional"; AMI wouldn't create this BIOS if it wasn't intended to be used.

A: Let's take these in order ...

a) The Goal Of Trusted Computing: Despite the fact my company is a TCPA member company, the concept of trusted computing wasn't created by AMI (we're not even a founding member).

As far as the goals of the specification, I'm not the designated defender of TCPA. I'll let theTCPA speak to their own goals. You seem to automatically equate "trust" to DRM, but that's not what I get from reading the specifications and related materials (see part (e) of my answer to the first question).

b) Palladium & AMIBIOS: You are correct in understanding that Palladium will require some amount of BIOS support. The reason we keep saying "we're not a part of Palladium" is because Palladium doesn't exist in the marketplace ... it's a Microsoft initiative being developed under guarded care in a small circle of developers. It's not a public specification like TCPA, so our role in this scheme is unknown. My understanding is that we'll get a specification from Microsoft whenever they're ready to involve the BIOS developers, but I don't know under what terms it will be made public (my Magic 8 Ball says "Ask Again Later").

c) Financial Benefit: Yes, there is a financial benefit to supporting a technology that our customers ask for ... they continue to be our customers. Not every customer has asked for TCPA yet, but enough large customers have asked to make it financially reasonable. Keep in mind that this is just one more feature we offer, which the customer may or may not want to take.

So when a customer (or customers) comes to AMI and says "Our next motherboard will support TCPA, and we need a BIOS module", AMI has two choices:

1. Say yes, develop the code, make the customer happy

2. Say no

If we select option #2 (for whatever reason), our customer has one of two responses:

1. "No problem, we licensed your code ... we'll add the support ourselves."

2. "Too bad, you have a competitor who offers this support ... it was nice doing business with you."

Option B is an obvious downer, because customers give us money. Money can be exchanged for goods and services, like food ... and I find food to be an important part of a nutritious breakfast.

Option A presents another series of problems. Yes, we kept the customer, but now we have a forked version of our code floating around. If only one customer wants this feature, then it's not a big deal. If twenty customers want this feature, then there's twenty code forks. They're still our customers, so they expect support ... and this is a support nightmare.

Our decision to develop a TCPA option was driven by sufficient demand for the technology. We're not the only company in the marketplace offering TCPA. Phoenix, our largest competitor, has been working on TCPA for quite sometime. IBM is already shipping notebooks with TPM hardware (which run Linux, according to LinuxCare Labs). If AMI customers don't ship TCPA, they we spent time developing a feature nobody wanted (it wouldn't be the first time, but that's happens in cutting edge development), but we have customer goodwill because we're responsive to their needs. It's the same in our eyes as developing support for a chipset ... if nobody likes the chipset, then they don't buy the code to support it.

What we have done by choosing TCPA over any number of proprietary security solutions is present an option that isn't closed to third parties. If we enable TCPA on a board and you want to make use of it, read the spec and develop accordingly.

7) Hardware vendors

by cybermace5

Since a BIOS is only part of a motherboard: what steps will hardware vendors have to take, in order to incorporate your BIOS? Will they have to adhere to certain hardware design rules or controls in order to maintain the TCPA? Is there going to be a licensing procedure for hardware manufacturers?

A: Hardware vendors don't have to do much for AMIBIOS to support TCPA. The TCPA code module gets included as an add-on. The hardware manufacturer has to obtain a TPM to place on the motherboard, but that's available from a third party vendor.

The TCPA specification doesn't mandate licensing (see point #10 in the TCPA FAQ). It's not an AMI specification, so it's not our job to check for compliance. Third-party labs will most likely perform platform certification based on TCPA specifications.

8) Windows override

by Forkenhoppen

I have a question; on previous occassions on VIA hardware I've owned, I've noticed that occasionally, Windows will enable a feature even though I have turned it off in the BIOS.

My question is this; if I have TCPA disabled in my BIOS, will Windows drivers abide by this? Or will they still be able to use aspects of the BIOS originally put in place for use by TCPA even though I have it shut off?

What plans are in place to keep a Windows driver from hijacking TCPA-related information for it's own purposes?

A: A lot of that depends on how the motherboard vendor implements the TPM disable option mandated by the TCPA specification.

The TCPA specification has many options for disabling the TPM. It can be a BIOS setup question, jumper or software driven. The first two would be really hard to override in software (unless there's a robotic hand attached to the USB port). The third option could present a software override, but you would have to reboot to have the TPM enabled at power-on to set proper "root of trust" (you can't just turn it on midstream, since a TCPA system is supposed to hash the BIOS & bootloader).

9) TCPA & Palladium

by ignipotentis

Perhaps you can clarify the differences between the two (TCPA & Palladium). After reading up on both of them, i still find that they seem to be pretty much the same, just marketed differently.

A: From the information that's been made public concerning Palladium, I can try to elaborate on this. As I understand it, the major differences are listed below:

• Curtain Memory

• Control of Specification

• Intellectual Property (IP) Rights

The last two points are pretty self explanatory. Palladium it not a public specification, there may be licensing issues. TCPA is a public document created and reviewed by a number of different companies, with no licensing demands.

The first point is technical in nature. Here's how the Microsoft's Palladium FAQ describes "curtain memory":

The ability to wall off and hide pages of main memory so that each "Palladium" application can be assured that it is not modified or observed by any other application or even the operating system

This type of mechanism doesn't exist in TCPA, and would probably require some sort of support at the chipset level (which means it couldn't be implemented using current northbridge hardware). The total system impact isn't known, and it's any body's guess what this does to application development.

10) What do you think about Linux BIOS?

by lanner

At first, I was going to ask you about how you have cooperated, if at all, with the Linux BIOS project. After all, you often have historically cooperated with Microsoft and Novell. What are you doing to help Linux?

But then it occurred to me, if Linux BIOS was successful, it would put AMI out of the BIOS software development business. Linux BIOS is a competitor of AMI.

What is your personal perspective about Linux BIOS, and what does AMI think about it?

A: There's a lot of overlap with question #4 here. But there are two points I'd like to touch on:

1. Cooperation with Microsoft, Novell & Linux

2. Perspective on LinuxBIOS

a) Saying that we "cooperate" with Microsoft and Novell is misleading. AMI creates AMIBIOS for maximum hardware and software compatibility. For years, Microsoft and Novell were the primary OS vendors used by our customers. Microsoft also drives many PC specifications, and the majority of our customers use Microsoft operating systems. Development and testing are focused based on customer demand.

In the past few years, that situation has changed. Novell isn't a major consideration for our customers, but we still test compatibility. Linux is demanded by more customers, and our testing efforts have been increased to match that demand. We test RedHat, SuSe, Mandrake, Xandros, Lindows and FreeBSD by default (along with various beta distros).

Microsoft is still key to our testing and development (we test everything back to Win98). Customers still need that "Designed for Windows" sticker. But Linux is a major focus in our testing and development ... not just because we develop for compatibility, but because our customers ask for it by name.

b) In some areas, people see LinuxBIOS as competition to the other BIOS vendors.

• As far as the source licensing (open vs. closed), see my answer to question #4.

• In features, LinuxBIOS does some things that our BIOS doesn't (mostly in the areas of cluster management) ... AMI has advantages over LinuxBIOS as well (boot from USB/USB2, JPEG graphics as boot logo, broader chipset support, ACPI/APM power management, etc.).

• LinuxBIOS was developed for a specific application, but has broadened ... AMIBIOS aims to offer broad support in many market segments.

• AMIBIOS has been tested against a larger number of system configurations, works with a larger variety of hardware, and has a longer product history.

I'm not sure how others at AMI feel about LinuxBIOS, but all I have to say is "go for it". There's some neat stuff coming out of that project, and it's interesting to see what they've accomplished. Competition in the market is what makes technology improve ... one notch better than the last thing, one step ahead of the next guy.

Thus ends the interview. Thanks to Slashdot for the opportunity, and thanks to the readers for wading through the text.

#6

Good to see michael modded himself into the question bin (see question #6)...

Re:#6

Notice the answers to #6 boil down to "RTFA you idiot".

"For example, "trusted computing" applied to music implies that the music publisher gains control over what the computer owner can do with the music data files."

And of course, he couldn't resist his usual snide idiotic comments.

"Please avoid saying that this is "optional"; AMI wouldn't create this BIOS if it wasn't intended to be used."

The answers were well thought out and complete, and the questions were all very well posed and designed to get some good details. Except #6 which was a whiney "I want free music" rant.

What a fucking embarassment that guy is.

Re:#6

Gee, if this doesn't accurately show what a whiney, immature little bitch michael is, nothing will.

We have staunch stance on PR whitewashes here?

[inteller]

Wow I would have never guessed! So I guess all that Anti-MS/Pro-Linux stuff isn't PR.

Re:We have staunch stance on PR whitewashes here?

"we have low tolerance for PR whitewashes around here"

LOL this site is a joke... where is all the latest news about the ms stock split and the multibillion $ loss by sun? ... and dont penguins swim in circles? social or stupid

They are scared......

[sickboy_macosX]

I think Microsoft is scared. they are running from the Linux/Open Source Communinity while trying to figure out how to live by the "if you cant beat em, join em" Business Plan. 20$ says Bill gates will see how bad the TCPA is, and scrap it, like he did with Microsoft Bob. Or at least I can hope... (Is this going to be the first on topic post??)

Re:They are scared......

[patch-rustem]

Just because Microsoft are involved doesn't have to make something bad.

Thay may make it more interesting.

Re:They are scared......

[Planesdragon]

I think Microsoft is scared. they are running from the Linux/Open Source Communinity while trying to figure out how to live by the "if you cant beat em, join em" Business Plan.

Did you even read this? Palladium is as much a step away from the "copy any bit you want" PC we have today as the original Macintosh was from "CLI and only CLI."

20$ says Bill gates will see how bad the TCPA is, and scrap it, like he did with Microsoft Bob. Or at least I can hope... (Is this going to be the first on topic post??)

You mean Palladium, right? I know you do...

(y'know, I have to wonder why no Linux security-freak has decided to take up TCPA for their own projects...)

Re:They are scared......

[siskbc]

I think Microsoft is scared. they are running from the Linux/Open Source Communinity while trying to figure out how to live by the "if you cant beat em, join em" Business Plan. 20$ says Bill gates will see how bad the TCPA is, and scrap it, like he did with Microsoft Bob.

1. TCPA is hardware and, as far as I can tell, an open spec. Bill can't "scrap" it. In fact, Bill isn't the major push for it - that would be the **AA, if you believe the conspiracy theories (I do). Not to say RTFA, but... And anyway, I have no idea what TCPA and Microsoft's stance on it has to do with Microsoft's fear of OpenSource.

Microsoft Bob...HAHAHAHA! Now THAT was funny. I would love to know who greenlighted that one - probably heading Microsoft Iceland right about now.

Re:They are scared......

[Pxtl]

RTFA. To me, it sounds like most of TCPA is allowing hardware-speed hashing which can be applied to your software to insure that they (or your data streams) aren't modified undesirably. Yes, that could be used for nasty DRM. But Microsoft would like that. So they will. Its just up to us independants to make sure there are ways to work with this to ensure that you have the power to control your PC (while leaving enough of the TCPA structure in place to allow its security features to still be useful).

Re:They are scared......

[blazerw11]

I have to wonder why no Linux security-freak has decided to take up TCPA for their own projects.

They didn't need to. Linux doesn't need hardware help to be secure. A properly configured Windows box (newer versions) doesn't need it either.

Re:They are scared......

# Microsoft Bob...HAHAHAHA! Now THAT was funny. I would love to know who greenlighted that one

Bob was the pet project of the woman who became Bill Gates's wife. Not exactly Iceland...

Re:They are scared......

That's a short sighted comment to make.
Security is an end to end process. Assuming that you OS is secure therefore you don't have to worry about physical security or hardware level security is naive.

Nothing I love more than deflating a blowhard by pulling a network cable, hitting a power switch or re-booting into single user mode.

Re:They are scared......

[Planesdragon]

They didn't need to. Linux doesn't need hardware help to be secure. A properly configured Windows box (newer versions) doesn't need it either.

You seem to think that security is an absolute thing, rather than a never-ending qualitive bit.

Linux is not magically secure--it and windows can be improved through all manner of devices and programs, and this will be so for a long, long time.

Re:They are scared......

Are we supposed to be surprised that you're a Christian and an RPG player? Hell, if you're a Christian, then you are used to mythologies. I assume a game based on them would be right up your alley...

Re:They are scared......

[tzanger]

They didn't need to. Linux doesn't need hardware help to be secure.

You are so wrong. Linux can do nothing if I've got a rogue PCI card or USB device installed. Linux can do nothing if I've got an ICE on the processor. Windows, OS/2, Mac, nobody can. It's beyond the scope of the OS' current capabilities, and it has no way of assuring itself within reasonable doubt that whatever it's talking to has not been tampered.

TCPA is all about that level of security. I can write TCPA-enhanced drivers which will validate that the PCI card I'm talking to hasn't been tampered from its original spec, almost right up to the output DACs or input ADCs. (I can still tap off any analog output or feed funky values to any analog input, but that's not a problem for most people designing this TCPA and Palladium stuff.)

Re:They are scared......

[BeeShoo]

"Microsoft Bob...HAHAHAHA! Now THAT was funny. I would love to know who greenlighted that one - probably heading Microsoft Iceland right about now.

Actually, it was Bill's wife, Melinda Gates' idea, believe it or not.
I'm guessing he didn't send her off to Iceland...
At least, not for that

Re:They are scared......

Uh-huh. And exactly how many "tampered" cards have you come across? And how were they "tampered" with. And who did the tampering and for what purpose.

And if the card is tampered with to give a false verification, then TCPA is useless. Thanks for trying, though.

Re:They are scared......

[gmack]

Linux also doesn't stop you from rebooting and loading the OS as single user mode or using a bootdisk to access the FS. If fact, other than an easilly bypassable LiLO password it doesn't try.(neither does free or openBSD.

Some problems are just not worth fixing and modded hardware is one of them. I fear the sort of screwups this sort any mechanism to protect the system from physical intrusion would lead to. Can we say support nightmare? Just imagine how much fun forgotten passwords would be with a mechanism like that.

Now OTH using TCPA to accellerate SSH migh tbe a good idea. But then they could have done that with just a mandated crypto processor and not messing with the BIOS at all.

I honesly don't know what they were trying to do.. it goes beond what is needed to ehnance security but far short of what Microsoft would need to implement palladium.

Re:They are scared......

Bill Gate's Wife green lighted that one.
Her reward? big ass fatty diamond on her hand.
She is proof that, yes, a Diamond on a ring CAN be too big.

The engineers put some good work, into what, at its most basic concept, was a good idea.
Unfortunatly, a certin woman took control of it and drove it into the ground. It wouldn't of gone that far, but she had the CEO by the balls, literally.

Re:They are scared......

[tzanger]

Some problems are just not worth fixing and modded hardware is one of them.

That's not what the **AA and (I am betting) military institutuions are saying. For 99% of the people out there, I would agree with you 100%. but it's not the 99% of people who are pushing this tech. It's the very wealthy and very powerful 1% who want to have total control over your system and what you do with it.

As far as using the TPM for crypto acceleration, I too think that's a nifty idea. I mean ssl-engine already supports a myriad of accelerators, why not ones that are likely on your sytstem already (or at least in the next few years)?

Re:They are scared......

so how long before there is a M$/Linux distro ?
With the value added/dmca protected/palladium enabled mod's ??

Re:They are scared......

[bobetov]

296 times bitten, 297 times shy, I guess.

Re:They are scared......

[gmack]

That's the whole point though.. this doesn't seem to provide total control it falls far short of that.

As for the millitary, they can easilly make do with terminals and put the real machines in a locked vault if they need to and get far better security than evan palladium prommises to deliver.

Hmm

[jon787]

I don't think posting the entire article here is gonna stop people from posting beforing reading, nice try though.

XOR as clear

[balister]

I loved the XOR answer. I learned that trick when I was writing 8085 assembly as a coop in the very early 80's. I'm surprised it is regarded as unusual, by now I would have thought every good programmer would have discovered or seen this trick.

Thanks for the memories. Somewhere around here I have an IBM PC technical reference with the assmebly listing for the BIOS.

Philip

Re:XOR as clear

[LordNimon]

Instead of XOR, a lot of people use SUB.

Re:XOR as clear

It really depends on what the goal of the code is.

Size: XOR (2 bytes)*
Speed: SUB (one of the fastest pipelines in most modern x86 CPUs)
Clarity: MOV (very straight forward that you want to put 0 in a register)

*assuming native mode, otherwise 3 bytes (1 for size override prefix if needed)

Re:XOR as clear

[entrager]

I learned this trick from the professor that taught me assembly. However, I think his reasoning for the use of the XOR trick is much better than "it takes less space." How about "it's much faster". By XORing a register with itself you don't need to pull anything from memory over the slow bus. A MOV instruction costs you precious bus cycles.

Re:XOR as clear

[chrisseaton]

Agreed. I never thought it was any kind of trick. Simply the way to clear a register.

Re:XOR as clear

[mattdm]

Your priorities are probably different from those of someone writing a BIOS, which has to live on a relatively small chip.

Re:XOR as clear

Speed is a non-issue in this particular comparison. When the instructions are being fetched 32 or 64 bits at a time and with parallel execution units and other advanced CPU features, there is little or no intrinsic or predictable speed difference between 1, 2, 3 or 4 byte instructions that all perform the same desired function.

In programming the x86 family in assembler, I stopped counting machine cycles starting with the '386.

Re:XOR as clear

[Koyaanisqatsi]

Actually I learned that trick during computer architecture classes. As part of the course we would learn assembly language of hypothetical machines (simple instruction set) and run programs on simulators. The tasks included implementing subtraction and division routines in a machine that could only do add and 2's complement. Good learning experience :)

At one point we had a open challenge in class to implement a fast sort algorithm that would run in the minimum amount of (virtual) machine cycles. I actually got FP (first place) with a custom pivot sort suitable for arrays that size (less then one hundred elements)

Professor Weber, if you're reading this (I doubt), thanks: that was one heck of a learning experience.

Re:XOR as clear

[Mendax+Veritas]

I don't quite agree that MOV is clearer than XOR or SUB. First off, if you understand basic arithmetic and Boolean logic, it's blindingly obvious that xor'ing a register with itself, or subtracting it from itself, will result in setting the register to zero. But perhaps more importantly, the notion of "clarity" (and, related but not identical, "elegance") is dependent on the culture of programmers using the language in question, and what is considered "normal" in that culture. Every C/C++/Java programmer, for example, often writes infinite loops with "for (;;)" even though "while (TRUE)" is arguably "clearer". Similarly, "i=i+1" is arguably "clearer" than "++i". And then there's the ?: operator, +=, typecasts, pointer aliasing in C/C++ (not Java, obviously)... you see what I mean. These things are considered normal by programmers who are experienced in working in these languages, even though they may not seem at all obvious or straightforward to someone who's spent his whole career working in, say, Pascal or ADA. By the same token, clearing a register with xor or sub is an extremely common idiom in assembly language (particularly, but not only, on the Intel chips). It is the normal way to do it, and nothing can be more clear than to do something in the normal way that everyone familiar with the language would expect you to do it.

Re:XOR as clear

[Koyaanisqatsi]

Forgot to mention: you can use that awesome XOR instruction also to swap registers without using a third register, like in:

R1 = R1 XOR R2
R2 = R1 XOR R2
R1 = R1 XOR R2

Just try it with a pencil and you'll "get it".

Re:XOR as clear

[PetiePooo]

A MOV with an immediate doesn't pull anything over the memory bus other than the instruction and operands which any operation would. However, it would need to move the immediate from the CPU's instruction cache into the ALU.

Its still worse than XORing a register with itself, but its not as bad as you make it out to be. Really a moot point, being that XOR AX, AX is a better choice overall and MOV AX, #0 has absolutely no advantages.

Re:XOR as clear

[PetiePooo]

Speaking of orthogonal instruction sets (ok, I'm stretching here), there's a series of x86 instructions to exchange another register with AX.
93 exchanges DX and AX.
92 exchanges CX and AX.
91 exchanges BX and AX.
90 is listed as NOP.

No operation? It actually does give the processor something to do: exchange AX with itself!

Re:XOR as clear

First off, if you understand basic arithmetic and Boolean logic, it's blindingly obvious that xor'ing a register with itself, or subtracting it from itself, will result in setting the register to zero.

i=(i-i) is clearer than i=0? Hardly.

Re:XOR as clear

Professor Weber, if you're reading this (I doubt), thanks: that was one heck of a learning experience.

Well, if he isn't, his students clearly are... While reading your comment, I could only think, well, the same happened in my computer architecture classes, only to find out that we had the same teacher. :)

Re:XOR as clear

[rabidcow]

Nowadays that's about as useful as Duff's Device and doubly-linked lists with a single pointer. With the register renaming in modern processors, swaps are effortless.

Re:XOR as clear

Yeah, that's the XCHG operation. I'm suprised you'd quote the opcode without the symbol. As in:

XCHG EAX, EDX
(etc)

Re:XOR as clear

[d2k297]

I find it strange that the XOR trick isn't well known. I think it is mentioned in the edition of a text authored by Barry Brey published by Prentice Hall in 2002. I am sure that it can be found in a text which has C. L. Liu as an author. coincidentally the copy I have is nearly 8 yrs old.

Re:XOR as clear

[jnik]

A MOV with an immediate doesn't pull anything over the memory bus other than the instruction and operands which any operation would.
Right, but that's one more byte to pull. Prefetch on the 8088 is 8 bytes; on the 8086 it's 12. Chopping out that extra little byte made a big difference back in the day. And as you say..no advantage to MOV.

Re:XOR as clear

[Rich0]

i=(i-i) is clearer than i=0? Hardly

To my grandmother they're both equally incomprehensible.

But my grandmother doesn't read C source code.

Likewise, the average C programmer might not get XOR AX, AX, but then again, they don't read 8086 assembly language either.

To somebody who knows ASM, XOR AX,AX is meaningful. To somembody who doesn't, MOV AX,0 is not. As a matter of fact, a C-only programmer would probably translate MOV BX,AX as AX=BX and not correctly as BX=AX (ie - move BX INTO AX, and not the correct meaning). (Heck - who decided to put the destination BEFORE the source in i86 ASM?)

Re:XOR as clear

[vsprintf]

Wow. After reading all the other responses to your post, I find it hard to believe there are that many people still using Assembly (and so passionate about it). I had thought I was one of the last to give up the addiction to bare metal, and it's been over five years since I used an assembler.

Re:XOR as clear

Actually,

mov ax, 0

has one advantage over

xor ax, ax

that might make it useful in certain situations: the mov instruction does not change the flags register, while the xor does.

Re:XOR as clear

[Slime-dogg]

It's just standard prefix notation. You wouldn't put "DIV 8 4" and expect 1/2 as an answer. Why would you expect MOV to be any different?

Re:XOR as clear

[shepd]

While I don't disagree, considering that BIOSESes are usually flashed onto approx. 100 ns chips, I really doubt the BIOS makers could care less if the code is "slow"...

[ For fun, turn off BIOS shadowing on your motherboard. Next boot enjoy how XT-ish the responses on the menus are. ]

Re:XOR as clear

[Anonvmous+Coward]

And I thought everybody here hated .MOV because Apple doesn't support Linux.

Re:XOR as clear

[Strepsil]

> (Heck - who decided to put the destination BEFORE the
> source in i86 ASM?)

It always made sense to me. The first item after the instruction is always "what you're working on". This is always a necessary parameter when you're trying to affect something. The second parameter (not always required) is "what you're working with".

Damn, it's hard to write what's in my brain right now ...

It's quite a clever syntax, really. You've got a system where you can extend the scope of what you're doing, just by adding extra items to the end of your "sentence" - you never change the positional meanings. You can proceed right though:

"Do This"
"Do This" "To This"
"Do This" "To This" "With This"

OK, the English translation doesn't hold up well when you're talking about jumps or some other stuff, but it's still roughly right.

Anyway, enough rambling. I think about this crap too much. :)

Re:XOR as clear

[Mithy]

(ie - move BX INTO AX, and not the correct meaning). (Heck - who decided to put the destination BEFORE the source in i86 ASM?)

It's historical, IIRC. 8080/Z80 assembly is the same.

Re:XOR as clear

[minion]

Bare metal is a necessity if you're an embedded programmer.

Re:XOR as clear

[Thanatiel]

I didn't played with asm since a lot of time, but I'm pretty sure the register are sorted as "ax cx dx bx sp bp si di".

So it would be :

90 xchg ax ax AKA nop
91 xchg ax cx
92 xchg ax dx
93 xchg ax bx

He did not awnser this

[nervlord1]

2) Advantage

by TedCheshireAcad

What is the advantage to me, a Linux using consumer, to buying your product over those of your competitors?

His awnser was basically non existant, i belive the poster of this question was asking, what advantage does TCPA present for me, a linux user, in which case the awnser is a big fat nothing, and waht benifit for windows users? once again, nothing

Re:He did not awnser this

[grub]

What is the advantage to me, a Linux using consumer, to buying your product over those of your competitors?

Actually he (sort of) answered your question. We, as end users, are not their actual customers. Their customers are the motherboard manufacturers, we don't buy a motherboard and then pick a BIOS. 'AMI markets AMIBIOS directly to the motherboard manufacturer, who we see as the actual "BIOS customer"'

Further down he does mention testing with various Linux distros and FreeBSD.

Re:He did not awnser this

[stratjakt]

It was a stupid question. You are not an AMI customer.

Their customers are motherboard vendors, not end users. Ask the mobo manufacturers or the dells and compaqs. They provided support for TPM because their customers asked for it. It's up to the mobo vendors to decide how to use it, if at all.

Re:He did not awnser this

[Kourino]

Then they should have asked that. They asked "why should I buy Ami", and they got an Ami marketing pitch, more or less. Is this unusual?

Re:He did not awnser this

[ehiris]

Encrypting data prior to writing it to the hard drive in order to avoid putting yourself at risk of disclosing private data would be an excellent benefit.

Re:He did not awnser this

[siphoncolder]

I wish I had mod point to mod you up. Maybe another time ;)

I'll take a stab at answering this whole ball of yarn: It occurs to me that TPM is more like an API, not a different design of computer. It's an add-on, much like .NET is an API sort of add-on to windows. Applications have to specifically say "I want to use TPM" in order to access any trusted-computing functionality.

In that case, a mobo with TPM will not affect anything that currently exists.

However, what must be watched for is: hardware that requires TPM (i.e. your CD burner). Software that requires TPM (for whatever reason). I believe that in the end, the goal is that while piracy may still be possible for you & me, media vendors can use TCPA-enabled applications to serve media to TCPA-enabled computers, and deny it to non-TCPA enabled systems.

Another concern: some years from now, when all hardware that deals with media is TCPA-enabled, how exactly will you (for example) rip your songs off a CD/DVD and share it over the internet?

Another concern: how can this be used to usurp your rights in the future?

The issue is not "how this will affect Linux & pirateers", but: can this be used as a sort of "Hardware-EULA" that's forced on you?

You may want to practice living without buying CD's, DVD's, and not downloading any of that media for a while to get the full effect of what TCPA is going to do to you.

Re:He did not awnser this

[briancnorton]

improved VPN for companies that are super-paranoid about their data dedicated crypto-processor Secure key storage on the system mainboard Besides, when was the last time you were a customer of AMI? Chances are, NEVER. They sell to motherboard manufacturers.

Re:He did not awnser this

Not buying any cd's, dvd's, vhs, movie tickets etc. right now or in the future, nor am I stealing stuff off the web. So this wont affect someone like me right? right? I will still be able to use the OS of my choice on any PC hardware I purchase right? right? RIGHT!!!!!????? Freakin assholes!!!

Re:He did not awnser this

[TedCheshireAcad]

What I was asking for, more or less, was a sales pitch of sorts comparing the AMI TCPA BIOS to a TCPA BIOS of a competitor, with respect to Linux users. The goal of my question was, if we're going to be stuck with this TCPA mess regardless, what is the bottom line as to what product to buy for us Linux users.

Re:He did not awnser this

[geekee]

Eventually, Linux coders will realize the benefits of TCPA and write open source code that takes advantage of it.

Re:He did not awnser this

Granted, I haven't read a damn thing about TCPADJFGUTERTYUUOOEE or what it does, but from what I read in the article (which, I admit, may be biased.....) basically all it is is a dedicated co-processor, built into the motherboard that is used solely for encryption. .. ..

how is this a bad thing?

As long as someone else doesn't control your keys , you can use them however you want.

I can see many open-source products that can benefit from this.

someone give me the argument against, in relatively plain terms.

ALL YOUR BIOS ARE BELONG TO US!

Captain: What happen?

Mechanic: Somebody set up us the DRM.

Cats: How are you gentlemen !! All your BIOS are belong to us.

Re:ALL YOUR BIOS ARE BELONG TO US!

[ethereal]

For once, you're on-topic, my AC friend. We'll see if any moderators didn't read the article...

info

[LordCheese]

Best info I have seen on the /. in a while

Re:info

[SavingPrivateNawak]

I agree, best interview in a long time!

By the way, I do not understand your sig, is it a joke from a movie or something?

Re:info

[pavlov112]

By the way, I do not understand your sig, is it a joke from a movie or something?

It's from the movie Animal House. If you haven't seen it, you should... (Not that it has anything to do with TCPA or BIOS!)

The power of Slashdot

[rxed]

Maybe one day we'll be able to ask Bill Gates a question or two trough the Slashdot.

Re:The power of Slashdot

That will be the day..

Re:The power of Slashdot

Maybe one day we'll be able to stop calling it "the Slashdot".

Re:The power of Slashdot

YUO = TEH FAGOT

*Applause*

[CableModemSniper]

Now that, was a good interview.

Michael has no shame.

[MondoMor]

He mods his own crackpot conspiracy theory question into the top 10, then gets schooled by someone much smarter than him.

Also, Roblimo said:
we have low tolerance for PR whitewashes around here

What the fuck is that? So all of the editor's smart-assed snide comments added to user-submitted stories (and the accepted stories themselves, which are often titled misleadingly and contain an obvious bias) are just my imagination?

Slashdot commits as much whitewashing and FUD spreading as any other organization. Lunix and open source are ALWAYS good, Microsoft is ALWAYS bad.

Goddamn hypocrites. Especially you, Michael "I HATE CENSORSHIP UNLESS I NEED TO BITCHSLAP A DISSENTING OPINION".

Watch. I had a comment posted the other day that was +5 Funny (despite getting modded by editors as "overrated" and "Troll"). How much you want to bet michael will magically make that post -1 real soon?

The users modded that up, dipshit. You don't have the right to override it ("bitchslapping") just because you don't like me.

Learn to live with your dissenters, Slashdot editors. We're actually trying to help, but you're too fucking hypocritical and insecure to see it.

Re:Michael has no shame.

Silence ass! People like you deserve to be bitchslapped. If you have a dissenting opinion with the status quo, then leave. This site is not for people like you.

You can clear a register with MOV??

[kahei]

Seriously, this article was the first time it ever occurred to me that MOV might be a more obvious way to clear a register.

Now I'm afraid that there are legions of people out there zeroing registers with MOV and I'm left out.

NO?!?!

[crown_whore]

Once again, NO!!!

Give us an alternative or not, the choice is yours.
I will not buy TCPA enablied products, I don't care if I can turn it off or not
I will seek to return any TCPA product not labelled and I will discourage anybody from buying TCPA enabled products
I don't care if I'm running a 486 to do so
Anything within reason to discourage it's use

The failure is on your behalf; for not checking with your customers first and the undertaken should be written off at your expense.

I don't trust large corporations other than cash and sometimes a credit card, and that mistrust is not misplaced.

Re:NO?!?!

[rtkluttz]

Exactly.
Even though he didn't answer my question that I posted when they were being gathered, he answered it indirectly.
The fact that it even COULD be included in a DRM solution actually means that it WILL be included in a DRM solution. I'm tired of having my fair use rights trampled on.
I don't care if 2 billion people are stealing content and only 1 who isn't, that doesn't give them the right to lock out every tool that could possibly be used to bypass their DRM technology, or to lock down every piece of media because they havn't approved how you plan to use it.

Here is a hypothetical... my company uses Microsoft products. We have an in house programmer. If (When) Microsoft starts tying their code to the Bioses and you have the choice of running the PC in entirely trusted or entirely untrusted modes, our workstations in the organization start having to be two workstations. Once to run nothing but trusted applications, and another to run our uncertified code created by our in house programmer where we used to have one PC.
And OMG what if they tie it to network access also, will the PC eventually have to be completely standalone to run untrusted code?
We have a few Linux machines here... time to start increasing their numbers and get the users used to using them.

.

Re:NO?!?!

Flamebait???

What part of no do you not understand...

Re:NO?!?!

I know what you mean, here in Canada our national pension plan was moved over to open trading while the market was in decline (and done illegally). The result was the investment brokers that hold our politicians investments while in office got very rich, many of the politicians also earned alot of money selling to CPP (canadian pension plan). The offical result was a 1.5 billion decline in our pension, the unoffical number was conciderably higher. Because the charter of freedom Canada's (constitutional equivent to the US) was writen to limit rights, interprete them, and not to protect; we have no legal rights.

The CBC, paid for with tax and funding threatened by the current goverment likely insures little to no attention. I've seen them jump a few times when their funding became threatened.

There are plenty of reasons not to trust.

Access to ideas

[ryants]

In an industry driven by innovation, many companies feel they loose competitive advantage by opening their source ... if everybody has access to their ideas, then why buy their product over another?

This argument doesn't hold much water with me.

I have access to all of Stephen King's ideas, since he publishes them in an easy-to-read and often easy-to-carry format, and yet when it comes to book writing he has a considerable advantage over me.

Re:Access to ideas

[jmu1]

That is a great analogy.

It took me three years and a whole lot of jaw-wagging to convince several of my peers of that very idea.

Re:Access to ideas

[stratjakt]

No, it's a bad analogy.

Software doesn't compare to literature, it compares better to trade secrets.

Why should Colonel Sanders tell you what his 'secret blend of herbs and spices' are, or Budweiser give up all their brewing formulas and production techniques so their competitors can duplicate their products and eliminate whatever advantage they feel they have.

Re:Access to ideas

[Abcd1234]

Oooh, bad example... why would *anyone* want to duplicate Budweiser? *shudder* ;)

Re:Access to ideas

[jmu1]

This is a bios. It's not Nvidia's bleed'n proprietary methods of rendering the steam from a great big pile of shit.

These are pretty standard things that all computers do and use. It's a lot like that little kernel thingy.

Re:Access to ideas

[ryants]

I have a recipe for ravioli passed down to me through the generations from my nonna (grandmother in Italian), and yet mine suck ass and hers I would kill for.

Better?

Re:Access to ideas

Yeah, Guiness would've been a better example.

Re:Access to ideas

[jtheory]

Hm. Your analogy only works if you're using that Stephen King book to prop up that wobbly table leg.

Think about the function of a book vs. the function of a BIOS.

Re:Access to ideas

[RealAlaskan]

Software doesn't compare to literature, it compares better to trade secrets.

I think that the original point in the great-grandparent post was that execution is everything.

Why should Colonel Sanders tell you what his 'secret blend of herbs and spices' are ... [sic]

There is no reason why he should, and not much reason for me to want it. If I had his recipe, I would still have to cook it. There are days when I'm willing to pay a restaraunt more money than it would cost me to buy and cook a T-bone dinner, for food that's worse than I would cook. Not having to deal with cooking and cleaning can be a big deal.

Getting back to the topic of the thread, if everyone is sharing the same technology (same opensource bios code), then the company which can do the best job of supporting it will make the most revenue. Execution is everything.

So far as I know, no company has a monopoly on bios code right now. A motherboard manufacturer can choose who they will buy from based on existing relationships, on the bios manufacturer's experience, on the manufacturer's perceived ability to engineer a working product on time and whatever else matters. Since there is no monopoly, the Linux bios project isn't such a threat to AMI as Linux is to Microsoft.

Having an open source bios platform might be a good thing for engineers who wanted to freelance, since it would obviously lower tha barriers to entry. On the other hand, most garage businesses aren't going to be able to convince a motherboard manufacturer that they are a lower-risk option than AMI. I suspect that AMI realizes that freelancers using the Linuxbios project aren't going to be a threat to their core market of high-volume motherboard manufacturers like ASUS and ABIT.

If we didn't have any thing like Palladium or TCPA in the offing, ASUS could take the Linuxbios and have their engineers use it to boot Windows, and cut out AMI entirely. So I suspect that AMI is very happy to be able to offer something that Linuxbios apparently can't do, such as TCPA.

Re:Access to ideas

[MrResistor]

I have access to all of Stephen King's ideas, since he publishes them in an easy-to-read and often easy-to-carry format, and yet when it comes to book writing he has a considerable advantage over me.

No, you don't have access to all his ideas, and that is one of the reasons he has considerable advantage over you. You only have access to the ideas he's finished with and decided to publish.

Software, OTOH, is generally a living document. AMI isn't finished with their BIOS idea, so it makes no sense for them, as a business which depends on their BIOS code for income, to give their competition a leg up by opening their source.

Your analogy only works for software thats "finished", meaning it's no longer being developed.

Re:Access to ideas

[Red+Rocket]

True. :)

Plus, it's not the flavor of Budweiser that results in that particular product's sucess. It's the titties in the ads! And they're already duplicated.

Re:Access to ideas

You killed your grandmother over some ravioli? Sick fuck.

never met satan

[BigGar']

3. I don't know, I've never met Satan ... but I have been to WinHEC

Man that's like having diner at the Whitehouse and not meeting the president.

Position Change

[Evilderek]

So, since you left your first job you can now really say that you don't do SQuAT?

Does anyone else...

[jmu1]

feel dirty after reading that?

I don't mean porno dirty, but more like greasy used car salesman dirty.

It just seemed to me he was spending most of his time jusifying his existence, his 'geekishness'. We asked for answers and what we got was feelgood hyperbole. This bodes ill for the computing community.

Re:Does anyone else...

You're a fucking moron.

Re:Does anyone else...

As long as we are trolling, you used "hyperbole" wrong.

Linux on the latest motherboards

[Standfast]

Brian says:

We test RedHat, SuSe, Mandrake, Xandros, Lindows and FreeBSD by default (along with various beta distros).

This is great. It would be even better if there was a tighter relationship between motherboard, chipset and BIOS manufacturers on the one hand, and the Linux kernel community on the other hand.

For one thing, if instead of "beta distros" AMI would invest time working with the latest even and odd-revision kernels, both the kernels and the BIOSes would benefit.

In fact, I would not be surprised if this was already happening. I am just responding to what Brian said, and to the consistently higher level of problems I see reported on the kernel mailing list having to do with newer motherboards.

-David.

Interview

Wow! Thanks, Brian, for taking the time and effort to go well beyond most interviews here. I now feel I have a much better picture of the whole BIOS and TCPA scenario. And you make a lot of reasonable points.

This was great,

Lnuss

Good info!

[Ageless]

That was a great interview and some very good info in there. One thing I was particularly interested in was the mention that the onboard chip is responsible for generating random numbers. Is this the answer to the dream of every computer having a hardware RNG that generates true randomness? I for one would be thrilled to see a general purpose crypto processor in every computer.

Re:Good info!

Didn't some of the early Commodore's have this functionality? Specifically the SID in the C64. The box generated random numbers by digitizing the noise on a pin of the chip or something.

Maybe I've drank too much Robitussin or something....

peace...

Re:Good info!

[stinky+wizzleteats]

I for one would be thrilled to see a general purpose crypto processor in every computer.

What do you do if someone finds/builds in a cryptographic weakness in your hardware chip?

Re:Good info!

[Maudib]

Where is it getting the seed values?
I would love a mod that would allow me to connect a seed value generator to the bios.
Using radio-decay to generate the seed value (as a friend of mine once proposed) would be neat.
PLEASE STEP AWAY FROM THE USB-ENABLED PLUTONIUM.

Re:Good info!

[moncyb]

You are probably correct. I don't know about the C64, but my Atari 130XE had one. ...and I don't drink Robitussin. ;-)

Re:Good info!

[moncyb]

Hardware random # generators don't need seed values. Many software ones need the seed value because they just use an equation to generate the numbers and the seed tells it where to start. Hardware ones get their data from component noise or measuring other random phenomenon.

Re:Good info!

[sjames]

That's getting a lot moe common these days. I've seen it in southbridges and in Intel firmware hubs (flash chip). I'm not sure how random the random is. It should be just a matter of getting the datasheet and coding up the driver. The interfaces I've seen are fairly straitforward.

Yep

[Kourino]

I don't have a listing of any of my (or anyone else's) BIOS sitting around anywhere, but I learned the xor trick back when I was learning graphics programming via x86 assembly. It got mentioned a few times if you read the right docs. (It was stuff geared towards demo writers, but I never got that good, nor that aware of the demo scene ... such a dork I was. ^^; ) I also want to say the professor of my machine architectures class in uni mentioned it. Don't remember. But yes, it seems pretty widely known among people who "wanted to program games" between, oh, the mid eighties and nineties.

"customers want it"

he keeps on insisting and he repeats several times through the "interview" customers want it. I don't know which customers he means. The OEM? The indivigual lusers who go into CompUSA and buy an HP with XP preinstalled? I built my own system a year ago by buying the indivigual components and putting them together. I certanly don't care to have a TCPA enabled BIOS. I am a customer too.

Overall, an OK interview. Yeah,sure Linux will work on any BIOS if its ceertified forit. That means a kernel that got re-compiled or changed won't work. That means if I d/l the brand new SuSE iso ver 8.5.3 and try to install it it won't work either.
This all means one thing:
Welcome to the end of computing as we know it.

We might have to start buyng China made boards in coupl a years.

Re:"customers want it"

[nuggz]

He CLEARLY states the customer is the Motherboard designer.
They buy their product. Of course making sure their product works well for the end user is important. If their BIOS doesn't satisfy the system builders, or end users, the motherboard manufacturer wont' be happy either.

Re:"customers want it"

[revery]

he keeps on insisting and he repeats several times through the "interview" customers want it. I don't know which customers he means. The OEM? The indivigual lusers who go into CompUSA and buy an HP with XP preinstalled? I built my own system a year ago by buying the indivigual components and putting them together. I certanly don't care to have a TCPA enabled BIOS. I am a customer too.

His customers are motherboard manufacturers, not end users.

Re:"customers want it"

[jasonditz]

I still think he should've been a tad more direct about answering that rather than just blithely saying "You aren't our REAL customers". That sort of like GM telling carowners "We don't care what you think, we sell our cars to dealers, not to you".

They are providing BIOS to motherboard manufacturers to put in motherboards that WE are supposed to buy. It seems like they should think a little beyond the initial transaction with the MB company here.

I know if I was a MB maker I wouldn't want someone I buy parts from telling my customers they aren't important.

Re:"customers want it"

[dhogaza]

You have it backwards. The BIOS maker isn't telling the MB maker their customers aren't important.

The BIOS maker knows the MB maker holds their customers to be important, so asks the MB "what do you need?" Assuming that the MB wants to make their customers happy and will ask for features that will make them happy.

The GM analogy if flawed. The BIOS manufacturer is more like a piston rod manufacturer than GM. GM decides what kind of engines their customers desire and specs piston rods accordingly. The flow is top-down (customer -> GM -> piston rod manufacturer). Just as it is with the BIOS maker (customer -> computer manufacturer -> MB maker -> BIOS maker + chipset maker etc)

Re:"customers want it"

[jasonditz]

You have it backwards. The BIOS maker isn't telling the MB maker their customers aren't important.

No, they are telling MB customers that they aren't important.

I like your analogy with the piston manufacturer, but this is a simple marketing exercise. Its not a question of whether the MB designers are targetting their customers properly in this case, its a question of one of the MB designers' parts makers telling the end user "you aren't important", and I would tend to think that wouldn't sit well with the MB maker.

Consider someone going through a plant that manufacturers brakes specifically for new cars. They ask the tour guide "what are you doing to see to it that my car's brakes will function properly" and the tour guide answers "We didn't make the brakes for you, we made them for your car's manufacturer".

Again its not a question of whether or not the manufacturer his chosen the best part here, its a question of the part maker slapping the end user in the face.

hardware specs for open source

I asked Theo de Raadt of the OpenBSD project about this. In the interview answers, Mr Richardson of AMI asks "does any open-source developer want to check if these extensions could be used to improve SSH, SCP or GPG performance?" Given OpenBSD's integrated crypto and more specifically crypto hardware support, I put the question to Theo. Within about a minute he responded. It was short, sweet and to the point. Will Mr. Richardson help follow through on this and get the OpenBSD project leading the way on using AMI's latest security developments at the OS level? From: Theo de Raadt Date: Fri Jan 17, 2003 12:12:47 PM America/New_York To: Anonymous Coward Subject: Re: /. interview regarding new security hardware on x86 If we had hardware docs.

Re:hardware specs for open source

[SalesEngineer]

The OpenBSD project should be able to get TPM and Transmeta security extension specifications on their own. Do they need a contct name?

And just as a reminder ... it's not AMI's security developments, it AMI's support of an industry specification.

Wow, great answers

[rosewood]

I dont want to say I feel better about TCPA now but I know better now where to focus the fear. It seems that what needs to happen is the open source community needs to quickly jump on TCPA and make it worthwhile for doing REALLY cool things, long before someone else turns it into something that makes me unplug.

Re:Wow, great answers

Insightful my ass. This is a bit like saying "whoa, cool, let's make out own .NET implementation", with all the associated dangers.

TCPA is not a tool we can control, it is a tool for controlling US. The only way to deal with it is to get rid of it.

Re:Wow, great answers

[OeLeWaPpErKe]

I assume you will be paying the fees required for certification ?

Re:Wow, great answers

[Quikah]

Where does it say you have to certify anything? My understanding is that the TCPA does not certify anything, they just publish the spec and place the certification duty on the developer. So you can certify or not, the TCPA doesn't care. Everythign is freely available so they can't exactly force you to certify anything.

Re:Wow, great answers

[Melantha_Bacchae]

An AC wrote:

> TCPA is not a tool we can control, it is a tool for
> controlling US.

Remember, we are only now (according to Microsoft's plan) supposed to be hearing about something Microsoft is cooking up called Palladium. And about all we are supposed to know is that it is Windows support for the trusty, secure, feel-good TCPA thingy that's supposed to make our computers more reliable. Having a wise reporter break the story six months or so early was never Microsoft's idea.

Actually, when TCPA was formed, Microsoft was probably very careful to only talk in general terms of security and reliability. The other members probably didn't have much in the way of evil intentions; having more reliable PCs from the hardware up would have sounded good to them.

Only Microsoft would have known of its plans at that point, well them and anyone who did any looking into their research into their next generation OS: Millennium (http://research.microsoft.com/research/sn/Millenn ium/mgoals.html). Millennium is a Microsoft Research project from the late 1990's. It was a platform independent (ran on a JVM named "Borg"), distributed network OS that would be worldwide, scalable, and secure.

It is in the Millennium documentation that we find such phrases "trust" and "trust domains". It is in Millennium, not Bill's memo, that Palladium and "trustworthy computing" find their root. TCPA creates the ideal platform for Millennium, but .Net, the modern replacement for the Borg JVM, will allow Millennium to run on top of Linux and OS X, giving Microsoft that 100% monopoly they crave. Have we forgotten "Embrace, Extend, Extinguish" so quickly?

Science fiction and fantasy fans will enjoy these Millennium quotes (from the url above):

"New machines, network links, and resources should be automatically assimilated."

"Worldwide scalability. Logically there should be only one system..." (To rule them all? ;)

Also, serious mention needs to be made to the Japanese version of "Godzilla 2000 Millennium" (Godzilla vs. Microsoft) with its many references to "controlling systems all over the world", the Millennium alien Embracing and Extending Godzilla (and dying in the attempt), cutting off of oxygen supplies, and those MAME servers displaying the "Millennium" boot screen when completely taken over by the alien. Chances are, they were Compaq servers running "My Custom OS" (Godzilla's name for Linux). Are we paying attention here, Mono?

> The only way to deal with it is to get rid of it.

The hardware part of TCPA may or may not have benign uses. As for any of the Millennium components: .Net, Palladium, Yukon, etc., Godzilla's own advice is to stay far away lest ye get stomped. One thing is very certain: without some kind of governmental backing, the day Millennium wakes up in the real world is the day Microsoft dies, either due to market stompage, or literal thermonuclear heartburn.

Only deities get thousand year kingdoms, as the Third Reich found out the hard way. When mere mortals try to claim them, they get burned big time. This is the millennium of Godzilla, Dreaded God of the Atom, not Microsoft, dreaded wanna-be god of the BSOD.

Shinoda: "The age of Millennium."
Io: "What does that mean?"
Shinoda: "A thousand year kingdom. It wants to create a home for itself. There is one flaw in its plan: Godzilla."
"Godzilla 2000 Millennium" (Japanese version)

Re:Wow, great answers

Nobody's paid the fees to certify Linux as "UNIX", and that hasn't bothered anyone.

Standards

[Amsterdam+Vallon]

Brian,

As evident by the development of current Internet technologies such as TCP and IP by the Department of Defense-backed Advanced Research Projects Association (ARPA), we can only achieve a standard if one company or organization is behind both the medium and the protocol.

Do you feel that the Intel-backed TCPA and the Microsoft-owned Palladium technologies both have better chances of succeeding since they're one-man operations? If not, what alternatives do you suggest?

Re:Standards

[SalesEngineer]

Well, there's over 150 companies behind TCPA (I don't know why you can't view the membership list from their website). They span all aspects of the computer industry, and publish their specifications. I don't know how that can be improved to be more open.

Performance hit

[oliverthered]

hmm... Well he didn't answer the question, more avioded it.
Any extra header data will have to travel around the system bus reducing bandwith.

Any processing overhead will introduce latency, not a nice thing to have kicking around.

So it may not affect the CPU in terms of processing overhead but there's an overall systems performance hit.

Re:Performance hit

[oliverthered]

One extra thought, encrypted data is less compressible. Big performance hit if your encapsulating encrypted data.

Re:Performance hit

[alienw]

It's less compressible because most encryption software compresses data. Double compression doesn't work. Duh.

Re:Performance hit

[oliverthered]

Well, if you just encrypting a stream fast and in hardware using a standard RSA or A-Symetric algorythm then the data is less compressable.

I didn't see any mention of compression of data in the DRMalike.

Re:Performance hit

[Amazing+Quantum+Man]

No, because encrypted data is supposed to have no patterns (i.e. appear random). Therefore there is no redundant information to compress out.

Try this:

dd if=/dev/random of=/tmp/somefile bs=1 count=100000
ls -l /tmp/somefile
gzip -v -9 /tmp/somefile
ls -l /tmp/somefile.gz

You will get essentially 0 compression. Now try it with a GPG'ed file. Make sure you use a long enough key, and the file is also in the vicinity of 100K. You should also see close to 0 compression.

Re:Performance hit

[Zathrus]

Actually, I think the original question had it backwards... or at least sideways.

Presumably not every single bit of data needs to go through TCPA and the TPM. Hopefully this data does not incur any performance penalty.

If you need TCPA/TPM capabilities, like highly random numbers, encryption, etc. then it will have less of a performance hit than it would without the TPM hardware. You're essentially adding a coprocessor that's dedicated to encryption. It's up to the program to interface and use it, but doing so could bring about a hefty performance increase as well as a security enhancement (since you can use larger keys without a performance hit).

There probably will be an overall hit in performance, even for data not utilizing TCPA/TPM, but I'd be surprised if it's significant.

Re:Performance hit

[Grotus]

Both of you are more or less correct.

Encrypted data doesn't compress well, compressed data doesn't compress well. Both encryption and compression reduce the redundancy of the data.

Encryption algorithms don't usually compress data, but encryption systems tend to compress the data before encrypting it. Not only does it make for smaller messages, but for some cryptosystems, lowering the redundancy of the input tends to make the output less susceptible to known plaintext analysis/attack.

Re:Performance hit

[oliverthered]

I do tend to umm.. be a bit zen with my writing, just think how hard it is for me to understand everyone else.

Anyhow, I could think of anything better the 'operating system' for the performance hit area, it covers micro kernels in hardware etc...

I wanted an answer about the overhead, when sending encrypted data over the bus not the overhead of actually encrypting the data in the first palce, though the encrytion will cause some entra latency.

Use TPM for other things?

[Milo+Fungus]

A follow-up question: Is it possible to use the TPM for things other than security and TCPA-related calculations? If you boot in non-TCPA mode, is it possible to use the processor instead of just letting it sit there on the board doing nothing? I'm not a hardware guy, just a curious quasi-geek.

Re:Use TPM for other things?

[juuri]

Good question.

This would be awesome if the encryption chip was available to the OS, this would be an awesome boon for SSL performance. Maybe this is an angle manufactors can push to get people to upgrade? "BUILT IN ENCRYPTION SPEED!!!"

Re:Use TPM for other things?

While he didn't really answer that, he did somewhat address it.

Sidenote: does any open-source developer want to check if these extensions could be used to improve SSH, SCP or GPG performance?

The signing methods and potential benefits are outlined in the TCPA specification and FAQ.

Re:Use TPM for other things?

[nu-k-ar]

cypher box , does it , i dunnot needt cipher speed on my laptop , or do i ? ,yeah probably i wan't to make out of my laptop a mission critical server ...

Re:Use TPM for other things?

[PM4RK5]

Well, he mentioned that Transmeta placed the TPM inside the processor, via extensions to the x86 instruction set. By placing the TPM inside the processor (and making it available via extended x86 instructions), it should theoretically become available for non-TCPA-related uses. Maybe that's why Transmeta chose to embed the TPM in the processor.

Anyone else notice #6?

[FortKnox]

I really wonder if question #6 (posted by the editor michael) got modded up under normal moderations, not unlimited moderation points of the editors (or, if it got a last second mod-down if it was 'pushed back up' by the editor).

But, OTOH, its nice to see an editor get a "RTFM" response:
What we have done by choosing TCPA over any number of proprietary security solutions is present an option that isn't closed to third parties. If we enable TCPA on a board and you want to make use of it, read the spec and develop accordingly.

Re:Anyone else notice #6?

[azizlumiere]

How dare do you question moderation and meta-moderation ?

Only a [Microsoft fanboy/Linux hater/Pro Xbox/DRM lover] would say such a thing.

Re:Anyone else notice #6?

[Roblimo]

Michael's question was modded up by normal moderators. If I use an editor-written question in an interview that does not get chosen by the same system as all other questions, it is clearly marked as a "bonus question from [editor]" or some such.

This has only happened once or twice in over three years' worth of Slashdot reader-generated interviews, BTW.

- Robin

Re:Anyone else notice #6?

[maddogsparky]

Thanks for the answer.

Re:Anyone else notice #6?

Thanks for the answer.

Too bad it was probrably bullshit.

Not Quite...

[waltc]

I think it is a bit silly to say, "Someone would have to write software to tie our bios initiatives to DRM," as if such a probability is extremely remote.

I think the correct answer might have been:

"If we weren't including and supporting these bios initiatives, there'd be nothing in our bios anyone could tie to a DRM software inititiative."

The problem here is that even though it can be disabled by the end user, and can't be software-enabled through the OS on the fly, the mere inclusion of it as a standard feature in a bios will encourage the DRM software author to say: "If you don't enable your bios control, you won't get any standard functionality out of our software." The mere fact that it is in the bios will be enough to spur software development in that direction.

The bright side to this is that it's all still years into the future--there are hundreds of millions of machines in use world wide which don't have any such bios capabilities and which aren't going to be discarded any time soon. And of course current machines being sold right now do not have it.

The question is will there be a market for this sort of thing? If implementers could guarantee me that using it means I can safely shut out Microsoft or any other company from doing *anything* (via the Internet) in my system without my express advance permission [and I don't mean EULA licensing--I mean per-occurrence notification as it happens]--well, even I might be interested at that point.

But the DRM initiative by private companies and the "privacy issue" for me seem entirely at cross purposes, and frankly I'm getting a little tired of hearing that these initiatives are promising that they can allow companies to inspect my system and control my software in the name of DRM, but at the same time will use the same technology to guarantee my privacy. I can't see how the two mix.

Re:Not Quite...

[stratjakt]

What I read was that DRM can exist with or without TCPA. Just like SSL exists with or without TCPA.

TCPA adds a dedicated crypto processor and a secure boot process, but there's nothing to prevent crypto for DRM being done on your system right now.

His answers were as honest and truthful as they could be. If someone wanted to create a DRM enabled app that only runs on a specific OS under Palladium, they could do so. If someone wanted to creat a DRM enabled app that only runs on a specific version of non-palladium Windows - they could do so too.

It's like asking "How does liscensing drivers prevent shoplifting?". The two are unrelated. It's a non sequiter.

It's worth noting that DRM has thus far proven to be an unpopular 'feature', and MSFT decided not to include it on Windows MCE. Of course news of MS making a 'good' decision isn't worth of a /. article.

Re:Not Quite...

[Torville]

This whole process reminds me of a ill-formed logic problem, where a series of individually reasonable-sounding steps somehow leads you to an untenable and unacceptable conclusion.

Did anyone ask if disabling the TPM counts as a DMCA violation... or is that a foregone conclusion?

Re:Not Quite...

[impto]

You make some interesting points but altogether your argument is flawed. Somehow you managed to make the same jump from TCPA to DRM that most other people around here do so easily. DRM does not require TCPA and TCPA was not sole designed for DRM. That's not to say that TCPA won't make certain DRM schemes harder to circumvent.

[T]he mere inclusion of it as a standard feature in a bios will encourage the DRM software author to say: "If you don't enable your bios control, you won't get any standard functionality out of our software."

If the standard functionality of a program requires TCPA enabled DRM to function then either it wouldn't work without it (e.g. secure methods for copy control) and there is no getting around it or it would work without it, in which case a competitor could easily copy the functionality and market or give away that same functionality without the annoyance of having TCPA enabled.

The mere fact that it is in the bios will be enough to spur software development in that direction.

The demand for DRM is already there. From the [MP|RI]AA and from people who just plain want to get paid for their work. Including TCPA is not spurring on DRM, however useful it is to that end. In effect, you are using the same logic used by the MPAA against DeCSS. Just because it can be used in an illegal manner doesn't make it bad altogether.

If implementers could guarantee me that using it means I can safely shut out Microsoft or any other company from doing *anything* (via the Internet) in my system without my express advance permission...

How about this: If you don't want Microsoft doing anything on your computer of which you don't approve, don't run Microsoft software.

Re:Not Quite...

Upon booting from a Windows CD on a clean system about 5 years from now:

ALERT! YOUR SYSTEM REQUIRES A MANDATORY BIOS UPDATE THAT IS REQUIRED BY FEDERAL LAW!

When your BIOS manufacturer created the BIOS you are currently using they enabled a feature that is now unlawful. The ability to turn off the TCPA function in your computer falls under the classification of a "circumvention tool/utility" because it can "render useless" the TCPA/DRM features of installed software. The ability to develop or discuss such devices was banned by the Digital Millennium Copyright Act of 1998. You are now REQUIRED to allow Windows to update your system BIOS. The process has already started, your computer will reboot when finished. DO NOT TURN OFF YOUR COMPUTER DURING THIS PROCESS, YOU MAY RENDER YOUR HARDWARE UNUSABLE IN THE PROCESS!

Think they can't extend it that way? Look at what the supreme court just did with the copyright. They (capitalists) will word and interpret laws to their liking. It's simple to claim oversight in retrospect; "We didn't realize that this option was a violation we developed it." "But now we realize the ability to turn it off must not exist."

This is what allowing companies to make campaign contributions gets...

Re:Not Quite...

[waltc]

Frankly, I don't understand people who fail to make the jump...;) It's like a connect-the-dots restaurant placemat, you know?

I've been computing on the desktop for 18 years and over multiple platforms and it's truly mind-boggling what I've been able to do without the "helpful" technologies of DRM, Palladium, and TCPA (now you might make the technically accurate point that TCPA is not DRM, and you'd be correct. However, that does not alter the fact that A] it's not needed, and b] TCPA may in fact be leveraged by software DRM applications.)

You've got quite a few things backwards. It's actually the software companies which are accusing honest people of illegality (pirating software) and are stating loud and clear that they don't trust *me* as in individual enough to take my word that I don't pirate software (which I don't), but prefer instead to attempt to control my personal computing environment so they won't have to take my word for anything. I think this stinks--and I also think that in short order the DMCA will be repealed--the abuse of it already by private corporations is staggering. I'm for a *balance* between corporate rights and the state--I don't want to see the rights of individuals trampled by the rights of corporations.

Interesting, isn't it, how Microsoft's present financial position and strength owes nothing to DRM, Palladium, TCPA or Product Activation? The first three have yet to exist in the marketplace, and Microsoft was very rich long before it initiated Product Activation schemes. Absolute proof, then, that these initiatives are not about software piracy at all (at least from MIcrosoft's position.)

I think in the end it all boils down to greed and greedy men who fear the loss of a $ so much that they would cheerfully usurp the rights of everyone over private property simply because these greedy people consider that their right to make a profit is the Supreme Right in the Universe. That's nonsense, of course.

But as I said this is much ado about nothing at this point because DRM and Palladium are effectively nothing at the moment and control no one's hardware and software environment. Even with a complete acceptance by the markets this technology (after it is finished of course) would take years to penetrate before it would make any fundamental differences. Like the DMCA, though, I suspect it has a very shaky future in store, because there are a lot of people like me who want nothing to do with it--and the corporations which now exist will simply have to find a way to live with that--just as they found ways to "survive" the recording VCR which that idiot Jack Valenti proclaimed would be the "ruination" of Hollywood. (Come to think of it, maybe sending Hollywood down the tubes is not such a bad idea after all...;))

Re:Not Quite...

[finkployd]

Point of fact, the Supreme Court did not do anything with copywrite, Congress did. All the SP said was that what Congress did was not unconstitutional (although there were some comments that they believe it was wrong, that is a different matter)

Place blame where blame is due.

Finkployd

Re:Not Quite...

[Chazmyrr]

Regardless of whether DRM can leverage TCPA, TCPA is an important step in the right direction for business computing. Its probably unnecessary for a consumer system. I say probably because I haven't thought of a good use other than DRM. I'm not going to make the assumption that because I haven't thought of a good use that there isn't one.

In business computing, the ability to restrict hardware and software will become a priority. For example, being able to ensure that account information was not compromised even if one of the thousands of employees with physical access to a customer service workstation installed additional software on the machine. Yes, it's against policy and they will be fired for it. Yes, we have the machines as locked down as they can be and still function. Yes, we do FBI background checks on every employee. And, yes, they can still write them down. But, if you have physical access to a computer, you can alter the operating system. If someone walks out with a file containing thousands of accounts it's a much bigger problem than a couple names and numbers scribbled on a napkin.

Aside from making it difficult to steal large amounts of sensitive information from the company, trusted hardware makes biometrics a viable form of authentication. Sure, biometrics has issues. So do static passwords. Most of the issues with biometrics can be solved through trusted hardware. The significant remaining issue, fooling the trusted hardware, can be mitigated through an additional means of authentication. Probably the smart card built into your employee ID. It isn't infallible but it's certainly more secure than passwords. Stealing an ID and forging a fingerprint or retina scan or DNA sample vs. social engineering a static password, which do you think is harder?

Frankly I don't give a damn if some software DRM application tries to leverage TCPA on my home machine. Call me old fashioned but I'm not about to pay for an ebook or an mp3 or a divx movie. What do you get? Some zeros and ones that go away if your hard drive fails? Nah..I'll pass. And if they want to stop me from ripping a CD to mp3s? Well then I can alter the hardware and/or use a different OS.

Re:Not Quite...

[geekee]

"The problem here is that even though it can be disabled by the end user, and can't be software-enabled through the OS on the fly, the mere inclusion of it as a standard feature in a bios will encourage the DRM software author to say: "If you don't enable your bios control, you won't get any standard functionality out of our software." The mere fact that it is in the bios will be enough to spur software development in that direction."

What's wrong with that. DRM and TCPA offers a secure system for digital media. You have the option to disable it. The media distributers have the option to say it will only work with TCPA/DRM. The only people I see trying to take away choice are slashdot extremist who don't want anyone to have the option to use TCPA/DRM.

Re:Not Quite...

[chazbot]

You've got quite a few things backwards. It's actually the software companies which are accusing honest people of illegality (pirating software) and are stating loud and clear that they don't trust *me* as in individual enough to take my word that I don't pirate software (which I don't), but prefer instead to attempt to control my personal computing environment so they won't have to take my word for anything. I think this stinks--and I also think that in short order the DMCA will be repealed--the abuse of it already by private corporations is staggering. I'm for a *balance* between corporate rights and the state--I don't want to see the rights of individuals trampled by the rights of corporations.

If the companies pushing DRM had an opportunity to get to know you and every other end-user as individuals, I'm sure they wouldn't feel a need to impose on your computing experience. The fact is that most businesses aren't in a position to find out if you, as an individual, are trustworthy. Unfortunately, in this world, there is a significant minority of people who can't be trusted. Do you get offended every time you enter a bank and see security guards? see cameras every twenty feet at the department store? Even libraries, who have no profit driven incentive, want you to walk through sensors.

That being said, DRM in its final state is probably going to suck balls.

Re:Not Quite...

What I read was that DRM can exist with or without TCPA.

DRM can not be secure without TCPA. Sure, someone could implement a DRM system without TCPA, but it would be relatively easy to break.

Just like SSL exists with or without TCPA.

SSL doesn't depend on your machine being secure from you. SSL assumes that you are authorized to access the cleartext of whatever data your are transferring.

It's worth noting that DRM has thus far proven to be an unpopular 'feature'

How long do you think that will remain true? History has shown over and over again, you're rights will be slowly eroded a little bit at a time. People have resisted DRM so far, but Microsoft and Hollywood will continue to push it forward until people simply get tired of fighting it. Hollywood already distributes DVDs that you can't fastforward through, or even pause. People get upset, complain, and buy another shiney new DVD (the MPAA just had a record setting year). Here, you're saying, "They'll never get away with it anyway. Let's just be complacent."

TCPA is not DRM. It is however, a key piece of infrastructure necessary to deploy a secure DRM system. You're fooling yourself if you think it's for any other purpose.

Re:Not Quite...

[Darth]

>I think it is a bit silly to say, "Someone would have to write software to tie our bios initiatives to DRM," as if such a probability is extremely remote.

>I think the correct answer might have been:

>"If we weren't including and supporting these bios initiatives, there'd be nothing in our bios anyone could tie to a DRM software inititiative."

I think you are quite skillfully missing the point on your own last statement there.

The answer wouldnt be:
"If we weren't including and supporting these bios initiatives, there'd be nothing in our bios anyone could tie to a DRM software initiative."
The answer would be:
"Our bios isnt included on your motherboard because the motherboard vendor wanted a bios with TCPA support and we refused to provide one."

That's not a tenable answer for a company, if it wants to survive.

The ethical vacuum you want to attach to AMI attaches more nicely to the motherboard vendors and possibly the OEMs. The question is are the motherboard vendors being pressured to support TCPA for fear of losing OEM clients?

To a large degree I agree that being morally clean is more important than being financially successful, there's still an issue of survival.

Also, if TCPA has other legitimate uses that could be valuable, villifying the tool becomes eerily similar to the villification of things like DeCSS.

This will be where the argument about DeCSS being designed for legal fair use purposes while DRM is created specifically in opposition to fair use. While I might agree with that statement, I believe the intent in creating the tool is less relevent than the use of the tool.

Re:Not Quite...

[doug363]

DRM may not be secure even with TPCA: according to the AMI guy, TPCA doesn't support "memory curtaining", so it may be possible to snoop on decrypted data while it's in memory. The memory and protected video hardware stuff is the bit that most annoys me about Palladium and TPCA: there's absolutely no use for this except to the movie/music industries trying to flog per-use "content".

Re:Not Quite...

There's probably no market for this yet, and I doubt there ever will be unless all current computers are outlawed (not likely). There's a vast number of machines that don't have this sort of thing, so it wouldn't make sense to develop software that only an extremely small audience can use. Same reason why a lot of companies do not develop Linux versions of their applications.

The only things I would imagine this kind of BIOS appearing on that will eventually be widespread are PVRs and other media center type devices.

Re:Not Quite...

[OeLeWaPpErKe]

What's wrong with that. DRM and TCPA offers a secure system for digital media. You have the option to disable it. The media distributers have the option to say it will only work with TCPA/DRM. The only people I see trying to take away choice are slashdot extremist who don't want anyone to have the option to use TCPA/DRM.

The problem is the bsa companies. TCPA allows for forced incompatibility (ie tcpa makes the writing of ANY import filter for tcpa "enabled" (user disabled) software an utter impossibility (this is illegal of course, if not by the letter then by the spirit of the law).

THAT's what is is made to do. THAT's what it will be used for.

Q: "You'd like to watch your home movies on program X"
A: "I am sorry I encrypted them"
Q: "Can I export them ?"
A: "No you can't, that would enable you to do copyright violations"
Q: "Can I have the key ?"
A: "No you can't"

expect to hear this from a helpdesk VERY soon after tcpa is introduced. (Of course I am overestimating the intelligence of a helpdesk worker but ...)

Follow-Up Question: Use TPM for Other Things?

[Milo+Fungus]

If booted in non-TCPA mode, is it possible to use the TPM for other calculations? He mentioned the possibility of using it for SSH and other things. What about decoding audio/video formats?

Re:Follow-Up Question: Use TPM for Other Things?

[Boone^]

I get the impression that the TPM is not a general purpose ALU. It just does a few things really fast. That fancy GPU you've got attached to your AGP bus, on the other hand...

Re:Follow-Up Question: Use TPM for Other Things?

[Boone^]

err AGP Port, but Bus.

Answer to what "trusted" means

[KjetilK]

Parts of the interview was very nice indeed, and it would certainly be cool to see what a dedicated processor for crypto can do for us.

Yet, I do not feel very confident, after reading how he tries to avoid question concerning the newspeak on what "trust" is supposed to mean. OK, so any technology can be used for good and bad, that is clear.

It is my firm belief that technologists have a great responsibility for the things that they make, because no one is better suited to understand the consequences of the tech that they develop than the techie himself.

So, just referring to TCPA and what they say, what their goals are, and so on, it doesn't cut it. Brian has a moral duty to try to understand what motives drive the stuff that he is doing, and if he thinks that these motives are bad, he has a moral duty to speak up about it.

I really haven't seen anything non-fuzzy from TCPA about what their real motives are, but one thing I know: If the real goal is to take away the control of the technology each individual uses away from the individiual, it will be the most drastic step towards an authoritarian society.

Few are better suited than Brian to examine these issues, and with that comes a huge responsibility to make sure that the technology he is developing does not move society in that direction.

After reading this interview, I do not feel confident that Brian takes this responsibility seriously enough.

Re:Answer to what "trusted" means

[Windcatcher]

I went to college for Physics. It was inevitable that over the course of my education we students talked about things like the atomic bomb. Would we build a device that could be used for great evil, even if said device also acted as a deterrent? Would we build (for example) a multi-megawatt laser (Physics majors NOT seeing "Real Genius"? Please...)? What are all the uses to which it could be used?

It's an important question. Whenever building anything, one has the moral responsibility to consider ALL of its potential uses.

Whether you agree with him or not...

[gosand]

Even if people complain about the content of his answers, at least he didn't "Shatner" the questions. Granted, they were two totally different types of interviews, but he answered the questions, expanded on them, gave opinion and fact, and even a little humor thrown in. Even though I am not much more comfortable with the whole idea, I liked the interview.

I've got to admit...

[j3110]

I'm excited to see the end product. Cryptographic processors on all motherboards sounds to me like a great idea. I wonder how hard it will/would be to change the keys though... I hope they aren't hard-wired. Palladium is just another reason to not run windows, but TCPA could theoretically be disabled, and you can run Linux.

The only way this will improve DRM is by allowing stronger encryption of data. 2048 bit encryption will be tough to break, and with these chips in DVD players, strong encryption will be possible even for small devices. The media companies will always have the problem of "It has to get in my brain somehow, and if it does, I could store what I see with good enough technology." Because your brain doesn't have DRM, they can never really lock out illegal copying. It has to be in a human understandable format at some point in order for it to have value. The more they fight the inevitable, the sooner an illegal trust/monopoly will be out of business. Art will continue. It probably won't pay the ludicrous amounts that it does now, but it will survive as it always has.

Re:I've got to admit...

I don't think you can change keys. And I still have not heard any answer as to how I am supposed to transfer DRM content from 1 PC to another. Since I get a new computer every 2 years, and had one mobo fail on me, this is rather important to me.

Re:I've got to admit...

[autopr0n]

Because your brain doesn't have DRM...

Yet...

bwuahahahahahahha ha!

Re:I've got to admit...

[j3110]

Unless you count forgetfullness as DRM...

Isn't it a sad case that the Music/Movie industry is making money off our forgetfullness/inability to remember every sence. I say, if you've seen it before, you should be able to pirate it to refresh your memory... That should be fair enough use :)

Re:I've got to admit...

But...the Clipper chip would have been a dedicated crypto chip on the mobo also. OK, so the big deal about that one was key escrow. But doesn't it sound a little bit like TCPA is invoking a bit of key escrow on the motherboard where the end user cannot get to it?

And why not coopting some of the other processors in most computers, say, the DSP of the sound card, to do some of this heavy lifting?

Re:I've got to admit...

[moncyb]

Most likely you won't be able to transfer anything--including software. The DRM encoded music/movies/software can also have a time bomb so you may have to repurchase it every so often (even if you don't use it). They can also put a limit of how many hours the program can be run. Technicly software can do this now, but they don't do it because: A) on current systems anyone can mess around with the computer's clock to defeat it, and B) most home users won't accept this, but after years of being screwed over by DRM, they eventually will.

You may have heard about some of the nightmares with software in the commercial Unix world. "We were working all Friday night on a project and we used up all the time on our license. It was the weekend so we couldn't contact the vendor for a renewal. We needed that project finished by Monday!" The way it sounded, for every hundred or so hours of use, they had to pay some expensive license fee. I'm glad I've been lucky enough that the places I worked don't use this software. Must be a real pain.

This is one of the major reasons the "tech" companies are trying to push this. They are trying to smokescreen it as being forced upon them by the MPAA because they know their customers don't want it. Believe me, they do!

Re:Not quite true

[homer_ca]

"The answer to this is yes, if you can't pay the fees, you don't get the certificate, so you're not trusted."

He clearly states that the user has a choice of Certificate Authorities. That means users should be able to self sign certificates just like with OpenSSL, and Redhat or FSF could issue their own certificates if they wanted to use TCPA features. Your RIAA-approved media player won't run if you booted with a self-signed TCPA certificate, but that just means you can't play RIAA-approved content you downloaded from a future Pressplay-type online service. That's not any different from today where there's virtually no RIAA content legally downloadable on the Internet.

BIOS security irrelevant

[master_p]

Is PC BIOS security relevant to any modern OS ? Linux does not use the BIOS routines. And I don't see how a protected piece of data (video, audio, software) can't be reproduced by open source code.

Anything that is software can be hacked: just do a hardware debugging step-by-step execution and disable the relevant security calls. It is even easier today with all the virtual PC environments available. Of course, it would be a legal problem, but it is no different than today's piracy.

I believe that in the future, PC manufacturers will deny pre-installing any free O/S in a PC due to legal problems, and thus preventing the spreading of free operating systems.

Re:BIOS security irrelevant

[williamyf]

Is PC BIOS security relevant to any modern OS ? Linux does not use the BIOS routines. And I don't see how a protected piece of data (video, audio, software) can't be reproduced by open source code.

>>> Precisely, you put the API calls in Linux so that the BIOS routines can be used if so is desired... >> The whole Idea of puting the routines in HW is that if you hach a software which you are not supposed to hack, the change can be detected and the application does not run...... Of course, you could hack the VIOS itself, mod the thing, or..... but then again, is an arms race.

Re:BIOS security irrelevant

>Anything that is software can be hacked: just do a hardware debugging step-by-step execution and disable the relevant security calls.

How naive. I knew better 25 years ago. Don't get me wrong, what you say is true in principle - any secret is subject to hacking by the determined hacker. However, if you conceal the secret well enough, it becomes effectively unbreakable for even very determined hackers.

IOW, single stepping through multi-million byte executables is a futile exercise, particularly if I anticipate that you are going to do so.

For example, a major microprocessor company I used to work at had an instruction variant, let's call it ADD_C, that would fill three registers with a pattern based on the contents of the carry bit, and the bit patterns of the surrounding instructions. The instruction would only work this way the *seventeenth* time it was called, it would only work this way if the instruction pointer were within a small range, a couple of the registers had to have certain values in them, there had to have been a certain other instruction executed within the previous 10 instructions, etc. Lots of non-obvious conditions. Otherwise, the instruction functioned as a regular ADD instruction.

Because it was documented as an ADD variant, and its other functions were unknown outside of the microprocessor and OS groups, the OS group could use it to detect if the OS were running on a clone microprocessor, and perform a corruption of the kernel data that would not show up for millions of CPU cycles - stepping on the task control block and code for the idle task was one thing we did, changing the pointer to the block of memory it would randomly write with zeros to some other memory location, like the base addresses of the memory descriptors in the shared descriptor area.

Despite fifty man-years of intense debug, according to our "mole" employed by the competitor, the competitor's verification engineers were never able to figure out why our OS would not run on their microprocessor - by the time the OS crapped out, the evidence was long gone, and megabytes of memory had been corrupted.

Their final conclusion was that their circuit design engineers were morons, and had implemented their BIU (bus interface unit) with bugs that only our OS exercised. They further concluded they couldn't run any code without worrying that they might exercise the mythical "BIU bug." Totally wrong. They'd done an excellent job, only running aground on the rock that we'd placed for them.

They canceled the project, and never shipped that clone microprocessor. Cost them half a billion dollars just in wasted manpower. Their company nearly died.

*We* all got awards - bundles of cash, and a vaguely worded plaque about "excellence in execution." The cash is long gone, spent on a vacation IIRC, but I'm looking at the plaque right now.

Eventually, the ADD_C instruction was dropped from the ISA, when the company realized that it was close to becoming a monopoly. If the competitors didn't exist, we'd have to create them...

We had other tricks, too, based on other undocumented "features" that were lying in wait for the clone makers, but I don't recall ever hearing about any of those traps being tripped.

I do remember the meeting where we were told to take them all out, and the groans at losing such a wonderful set of hacks...

All's fair in business, it seems.

Re:BIOS security irrelevant

Ah, but you are missing some of what the BIOS does. The BIOS configures and initializes quite a few things that Linux does not. For instance, memory. Without the BIOS initializing memory, Linux isn't going to run ;) I think you don't have a very firm understanding of how BIOS works.

Keys aren't Open

[echo]

While the TCPA stuff maybe be an "Open Standard", the crypto keys hidden in a chip on the motherboard are NOT open. That's what takes your control away.
SSL might be an open standard, but I can still encrypt something so YOU can't see it.

Isn't it possible that Computer Manufacturers could use this so these machines would only boot Windows? Maybe AMI is saying "You can disable it", but what will a Dell machine do? Will they sell a "Developer" version of thier machines that allow you to turn it off, but cost twice as much as the standard machines? This gives them the power to do such a thing....

Imagine, RedHat could even pay to get their kernels signed so they boot on such a machine, but the regular user wouldn't be able to recompile a custom kernel and use it!

If the keys on the motherboard get out though, then it's all over... anyone could use them to sign code.

I can imagine as soon as these show up, hardware and software hackers will work to extract the keys.... Maybe that's the only thing we can hope for to save us from losing control of our own computers....

Re:Keys aren't Open

You could relate this to the xbox, only running signed code and requiring a hacked bios to run homebrew code.

Re:Keys aren't Open

[Unregistered]

If dell didn't have the option to disable TCPA and would only boot win, that's just one more reason not to buy a dell.

If redhat removed the ability to recompile the kernel they'd be fucked for other reasons such as hardware incompatabilities.

We asked the wrong person

[carambola5]

With regards to all the financially related questions on Palladium/TCPA, I believe we asked the wrong person.... not that we could help it, though.

In reference to Answer 6c, the people we need to be pressuring is the motherboard manufacturers (Asus, Shuttle, etc) and the final vendors (Dell, Compaq, etc). Writing in TCPA support to their product is a purely business move on AMI's part. They have no room for ethics here. It's sink or swim.

If we, however, convince the mobo and vendor people to not use this "technology," AMI will never be pressured into making a TCPA-compliant product.

So, I ask the Slashdot editors: Can we get a rep for Abit, Gigabyte, Gateway, or somewhere to do an interview? I think our Palladium-fluent readers will have much more success in crafting questions for these people.

Not to say this was a waste, though. It's good to see a fresh perspective: the man caught in the middle.

Re:We asked the wrong person

[geekoid]

If it comes to sink or swim, and you swim, did you ever really have ethics in the first place?

It is easy to have ethicks that are rarly contested, and when they are, the punishment for standing by them is a slap on the wrist.

Re:We asked the wrong person

[alienw]

Why would mobo people put that shit into their motherboards? Because their customers demand it. You may not know it, but some people really want to watch hollywood movies on their computers. That's what palladium is for, and that's why everything is shifting in that direction. You're pointing at the wrong people.

Re:We asked the wrong person

That's capitalism for ya. This is how the US believes the world should be.

Re:We asked the wrong person

Writing in TCPA support to their product is a purely business move on AMI's part. They have no room for ethics here.

Is this meant to excuse their business decision? It doesn't seem like a very convincing argument to me...

Certainly, AMI is being financially pressured into making that decision. The only way to counter it is to provide pressure in the opposite direction - and to hope that it will outweigh the TCPA/DRM supporters.

Don't trick yourself into believing that end users aren't AMI customers. They may not buy directly from AMI, but they are AMI's effective market.

Re:We asked the wrong person

[Junior+J.+Junior+III]

Funny, my computer doesn't have Palladium on it, and yet I can watch Hollywood movies on it.

Come to think of it, I can copy them, make screen captures, re-edit, and a lot of other stuff. And I don't even have to pay for the privilege of each re-play.

I own the bits on my hard drive! Amazing concept!

Re:We asked the wrong person

[Dan+Crash]

You can already watch Hollywood movies on your PC legally.

Top 5 Downloads on Movielink.com:

1. Men In Black 2
2. The Sum Of All Fears
3. Changing Lanes
4. 13 Conversations About One Thing
5. Death to Smoochy

It's not consumer demand for movies driving TCPA/Palladium.

Re:We asked the wrong person

[DeepRedux]

As he said customers still need that "Designed for Windows" sticker. Does any doubt that Palladium will become part of the requirements for that sticker? Can anyone building x86 motherboards stay in business without it: highly unlikely.

Re:We asked the wrong person

[ndogg]

But first we need to ask ourselves if this is something we really are against in the first place. All the documentation that I've read at the TCPA website indicates to me that it's nothing more than a hardware-level implementation of the operations that security software such as SSH and GPG do. If that's all it is, then I would have to argue that it's actually a Good Thing(TM).

Re:We asked the wrong person

[Alsee]

Why would mobo people put that shit into their motherboards? Because their customers demand it.

Bzzzzt! WRONG ANSWER.

AMI is implementing TCPA because their customers are demanding it. Note that AMI's customers are NOT you and me, AMI's customers are motherboard manufactures.

Ok, so why are motherboard manufacturers implementing TCPA? BECAUSE MICROSOFT IS DEMANDING IT. Any motherboard that does not implement TCPA WILL NOT RECEIVE "WINDOWS COMPATIBLE" CERTIFICATION. Any hardware manufacturer that does NOT get Windows Compatible certifacation is fuxored.

There are basicly two kinds of consumers. Ones who understand TCPA and DON'T want it, and consumers who have never heard of it. The number of consumers that actually want TCPA is 0.0%. Give or take less than 0.1%. Microsoft is single handedly strong-arming TCPA onto everyone.

-

Re:We asked the wrong person

[Alsee]

I'm a programmer. I understand what TCPA is and what it does and what it doesn't do. Security software such as SSH and GPG already work, they have absolutely no need for TCPA hardware. Any GoodThing(TM) you can do with TCPA you can do without TCPA. The ONLY TIME you ever need TCPA hardware is when you want a computer to treat its owner as the enemy.

All the documentation that I've read at the TCPA website

The TCPA website is deceptive. It's propaganda. Re-read sections 7 through 14 of their FAQ and keep the following translation table in mind:
protected > protected from you
secure > secure against you
control > you lose control, someone ELSE gets control
access > you get no access
rouge software such as a virus > software you run, such as a music player
changed by a virus > changed by you
secret > secret from you
operating as expected > operating the way SOMEONE ELSE wants

As for privacy (section 13), they play an amusing word game. The "owner has ultimate control and permissions over private information", but then they go on to say you " MUST opt-in in order to use the TCPA subsystem". The rest of section 13 is mostly bullshit, though the details are very complicated. The primary loophole is the mandatory opt-in in order to use the TCPA system. TCPA programs can and will track you.

Section 18: "No" > "Yes" if you run the next generation Microsoft operating system.

security software such as SSH and GPG do. If that's all it is, then it's actually a Good Thing(TM)

If that's what it was then yeah, it would be good. That's NOT what it is, so it's a Bad Thing(TM).

-

Re:We asked the wrong person

[alienw]

Strange. When I buy motherboards, I don't ever look for or see any windows certified stickers. Neither do any OEMs. It's blazingly obvious that any PC motherboard will run windows unless it's defective. Assuming a non-certified board is cheaper by $30 (probably how much that TCPA stuff costs) that's what I or the OEM could get.

No, the real reason that this stuff is being pushed for is that Microsoft wants a PC in every living room. Heard of their Windows XP Media Center edition? People like it, too.

Don't you think they'd like it more if they could buy MP3s and stuff for it over the net? Of course they would. Would any company in their right mind sell that stuff without secure DRM? Probably not. That's where Palladium comes in.

Do people want DRM-enabled PCs? Not really. Do they want 'Media center' PCs? Hell yeah. DRM is pretty much a requirement for one of these, and Palladium makes it secure.

Re:We asked the wrong person

[Alsee]

It's blazingly obvious that any PC motherboard will run windows unless it's defective.

LOL! I love that line! Except I read it this way:

It's blazingly obvious that any PC motherboard will run windows unless WINDOWS is defective.

Because current motherboards WILL NOT be able to run the next version of Windows. Thta means either all current motherboards are defective or the next version of windows is defective :)

But, back to the windows certified stickers. You're right, consumers don't look at motherboards. But they do look at systems. And no system is windows certified or even windows compatible unless all the parts are. No one can advertize it as a Windows system unless it's certified. And if the hardware isn't certified then Microsoft can refuse tech support and fixes. Windows can simply not run at all and Microsoft blames everything on the hardware.

Do you really think Dell can sell machines that aren't windows compatible?

Assuming a non-certified board is cheaper by $30 (probably how much that TCPA stuff costs) that's what I or the OEM could get.

And your computer will simply stop working completely when you install the next Microsoft OS, or Mediaplayer 10, or some security patch. And Microsoft will say it's not their fault, your have incompatible hardware. They'll tell you to call whoever you bought the machine from. And it will be impossible for them to "fix" the problem because the problem is that by design Windows refuses to run on it.

No motherboard manufacture can survive that. There simply will not be any new TCPA-free motherboards available in a few months. You will have no choice except to pay extra for the TCPA hardware

It's the same thing as with Secure Audio Path (SAP). No one demanded audio cards have SAP except for Microsoft. Microsoft refuses to certify a soundcard as Windows Compatible and refuses to sign the drivers unless the soundcard has SAP. Nobody uses or wants SAP, but now all soundcards have it, and we have to pay for it.

Every single soundcard manufacture did what Microsoft demanded to get certification. Microsoft is a monopoly and no sound card manufacturer could refuse and stay in bussiness. It is yet another monopoloy abuse that never came up in the anti-trust trial.

As for DRM and Palladium, has it crossed your mind that essentially everything on the internet is copyrighted? Websites, text, images, files, Email, media, even this slashdot post. It can all get put in Palladium wrappers. I don't know about you, but I'm pretty alarmed at the idea that a steadily increasing percentage of webpages would be impossible to view without a Microsoft Windows operating system and Microsoft Internet Explorer.

And as for your wonderful Palladium media, did you know that the entire system will lock it self up if it doesn't have continuous internet access? It's right there in the MS DRM OS patent, it requires internet access to a cryptographicly protected timeserver. In needs that becuase you might change the system clock to view "expired" content - perhaps a 24 movie rental, or perhaps your music files will have a monthly fee.

You also aren't going to get the choice not to "opt in" on privacy violation.

-

Re:We asked the wrong person

[alienw]

Am I saying I like Palladium? I hate the fucking thing. My point is that some of the general population really does want it, even if some of them are not aware of that. Why do you think Microsoft wants that shit in every computer? They need to move copies of Windows. Media center PCs promise to be more popular than desktop PCs. Microsoft wants to make PCs with Windows into something as ubiquitous as TVs. Microsoft will not survive unless it can sustain exponential sales growth, and they know it perfectly well. Hence the xbox, drm PCs, and all the other shit they're coming up with.

I don't give a shit, though. I doubt they will make the palladium stuff permanently-on. Just won't work very well. And I couldn't give less of a shit about the stuff that Palladium would protect. Hollywood movies and Britney Spears? Give me a break.

IBM and the Holocaust

Option B is an obvious downer, because customers give us money. Money can be exchanged for goods and services, like food ... and I find food to be an important part of a nutritious breakfast.

Have you read any of the books concerning how IBM's equipment was used by the Nazis to support the Holocaust, and how IBM continued to cash royalty checks from Germany well into 1942 (after their host country was at war with Germany)? As a technical professional does this bother you? Does AMI have any responsibility for how its products are used?

Re:IBM and the Holocaust

Do you sue Sears if somebody hits you over the head with a Craftsman hammer? Let me know when Hitler buys a new motherboard.

Re:IBM and the Holocaust

[prowley]

Er, wouldn't caching Nazi checks help the Allied war effort by moving money from Nazi Germany to USA?

Re:IBM and the Holocaust

You know, the problem with this argument is that you are equating providing your customers with a product that is beneficial to the end user to providing a military regime with equipment to coordinate the mass-murder of millions of human beings.

I've seen people get worked up over the possibility of DRM, but I think that a little perspective might be nice.

He's a weasel

[legLess]

[Yes, I've read the whole interview, and even a few of the links.]

The thrust of half those questions was: "TCPA seems to provide benefit only to those who wish to tell me what I can and cannot do with my computer. Is this true? If not, what's in it for me? If it is true, how can you sleep at night?"

I think Michael's questions were most on-point, and what I most wondered myself (there, I said something nice about him :). Brian totally fucking dodged every single one of them.

a) Isn't the goal of "trusted computing" to allow entities other than the owner of the computer to control what the owner does with his/her hardware?

Brian mumbles something about his reading of the TCPA spec and DRM, neither of which were the point of the question. The answer is obvious: "Yes, of course that's the goal. Shut up and eat your BIOS."

b) However, isn't it true that without AMI's trusted BIOS, Palladium wouldn't work?

The reason we keep saying "we're not a part of Palladium" is because Palladium doesn't exist in the marketplace...

This is splitting hairs at best, and another artful dodge. If Palladium were in the marketplace, would AMI be part of it? Of course they would. And right now they're laying the groundwork.

c) In what way does AMI benefit ... from introducing a BIOS designed to make the computer it is installed in less useful to the purchaser of the computer?

Here Brian reinforces that you and I are consumers, not customers - mobo manufacturers are customers, and they get the features they want. This is the way the market works, and I've got no special beef with it, but it's a bit of a wake-up call for those who still believe companies like AMI give a rat's ass about the average geek buying a motherboard.

If I sound harsh it's because I'm pissed. The goal of TCPA is transparent, and Brian The AMI Guy is either trying to pull the wool over our eyes or incompetent. Given that he used to hack this stuff for a living, and now has "Sales" in his title, I'd suggest the former.

Big Media nad Big Software are chortling in glee as they see their plans for "Trusted Computing" coming to fruition. The MPAA wants to turn your computer into a TV, and AMI is only to happy to help.

Re:He's a weasel

[SalesEngineer]

Well, that is a bit harsh. You make sound like I'm hanging out in Hollywood, smoking cigars with agents as the MPAA hands me a contract for their next line of motherboards.

I think I can addess my feelings on the situation using the following vernacular: "Don't hate tha playa, hate tha game."

Just remember that it's not the tool, but how you use it. I can build with a hammer, or I can use it to break bone. I can use GPG to send my personal e-mail, or I can use it to sneak nuclear secrets to the North Koreans.

Brian Richardson

Re:He's a weasel

[legLess]

Thanks for replying, Brian.

This is peripheral to the main point, but:

"Don't hate tha playa, hate tha game."

...is not an excuse, justification, or defense. At best it's a rationalization, and a poor one. If the best thing you (and I mean "you" in the general sense) can say about your actions is, "Everyone else is doing it, so I might as well make my lettuce while I can," then you're in sorry shape indeed.

But I said that was peripheral and it is. My main point is: your answers to the uncomfortable questions were evasive. I know you're not the architect of this scheme, and perhaps the world would be different if you ran it all, but that isn't the point. The geeks here asked you a number of questions because you're an authority. I think that either (a) I'm not just harsh but incorrect in my criticisms, in which case I'll apologize, or (b) my criticisms are correct and you did not, in fact, provide us with the honesty you could have.

Re:He's a weasel

[bofkentucky]

We are customers, of Abit and Dell. Call them and complain, tell them you won't buy TCPA hardware, they can use that feedback to tell Phenoix and AMI to stuff their TCPA hardware. As much as we think Dell would die without Microsoft, it works the other way as well. Microsoft needs (relatively) cheap hardware to spread to every home, just the same as Dell needs a easy to use OS for the masses. Frankly, quit bitching and get to work if you want to bring about change. Vote and buy based on what you believe, support projects with others who seek the same goals as you and eventually someone might quit making bone-headed decisiions.

Re:He's a weasel

[SalesEngineer]

We don't have access to any released applications that make use of the TPM outside of basic test utilities. I have no real idea how the final products will work. Some of them may be good, some may suck. I gave as much information as I could based on the specs I have. I may be considered an 'authority' on BIOS, but I am far from an authority on security issues. My company got sucked into this whirlwind because of the politics of TCPA/Palladium, and I decided to do what I could to try and separate fact from fiction (I can't do anything about the paranoia, but I hear there is a pill for that). Brian Richardson (AMI)

Re:He's a weasel

[_xeno_]

I think a lot of people here misunderstand the ideas behind trusted computing. Suffice it to say that a lot of people want this, and they aren't just people thinking about DRM.

Trusted computing means that the computer has a way of verifying that things haven't been messed with. Yeah, this can mean that it prevents the end user from modding out their board, but that's not the reason behind it. The idea is that on bootup the computer verifys that no one has been messing with the system. Think remote cracker, don't think hardware modder. It can ensure that processes cannot possibly "look in" on other processes. It helps make sure that memory given to a "secure" application doesn't accidently leak into another application.

Remember the story about the data leak possible using the malformed ICMP package? Trusted computing would allow your VPN client to say that it's memory for the session keys needs to be kept secure and will prevent the TCP/IP driver from accidently accessing the plaintext memory. (From my understanding - keep in mind I'm talking from what I know about "trusted computing" and not TCPA specifically.)

Trusted computing means that your processor helps to enforce security conditions that the OS enforces. Processes can't see other processes memory - even after the memory has been freed. With the full-on application of TCPA, worms cannot run their code on the computer because they are not trusted by the computer. Viruses cannot infect because their code is not trusted. That is the idea behind trusted computing.

The government and the military are very interested in TCPA - they want the additional security it promises. Trusted computing is coming whether you want it to or not - it is the next "big thing" in computing, and it will happen. There is no reason why Linux could not take advantage of a trusted computing platform and no reason why it would necessarily lock Linux off the system - the owner of the system still has complete control. The user does not - in this case, think of "owner" as the IT department and the "user" as the secretary who has infected the company with every new Outlook worm.

Trusted computing is coming - and while it may be used to implement DRM in a more effective way (keep in mind that the government has uses for DRM too - it can be used to help keep internal documents internal), it also promises to greatly improve the security of computing. Ready or not, it's coming.

Re:He's a weasel

[Danse]

What paranoia? The intent of TCPA/Palladium is clear. There is no conspiracy. There is no mystery. The goal is to remove at least some degree of control over the computer from the owner of the computer. This will be done in an attempt to protect the interests of content-owners. I think we understand that AMI is supporting this for the same reason that anyone supports it, because it will make them money. The only people with no good reason to support it are the consumers. So, like some others here have said, if we have a problem with it, we need to take it up with the hardware manufacturers, not AMI or any of the higher level suppliers. I think that sums it up. Thank you, drive through.

Re:He's a weasel

[_Sprocket_]

...I am far from an authority on security issues.

...I decided to do what I could to try and separate fact from fiction (I can't do anything about the paranoia, but I hear there is a pill for that).

Oddly enough, understanding infosec issues requires a healthy dose of paranoia. :)

Re:He's a weasel

[TyrionLannister]

You must realize that there is no such things as consumers anymore. The US government has decided that consumers only exist to serve the interest of the corporations that feed it campaign donations.

Until campaigns are publicly funded, this will only get worse. The difference between our future and that in Orwell's 1984 is that it will not be a monolithic govrenment running our lives. It will be a government granting the power to corporations to run our lives.

I don't agree with all of McCain's ideas by any stretch of the imagination, but I would love to see him elected because his is the only guy with the balls and the clout to give the government back to the people.

Re:He's a weasel

[autopr0n]

Here Brian reinforces that you and I are consumers, not customers - mobo manufacturers are customers, and they get the features they want.

Wtf, of course they mobo manufacturers are the customers, they are the ones writing the checks and taking the stuff. They, for whatever reason, want TCPA. It would be retarded for them not to include it, for reasons that they outlined above.

The only real question is how effectively TCPM can be disabled by the user. You can turn it off if you want to, rather then buying hardware without it.

Re:He's a weasel

[Dan+Crash]

Until campaigns are publicly funded, this will only get worse. The difference between our future and that in Orwell's 1984 is that it will not be a monolithic govrenment running our lives. It will be a government granting the power to corporations to run our lives.

What's even more disturbing is the symbotic relationship between the two. Total Information Awareness, for instance, shores up the US government's power to spy on its citizenry, and is really only effective because of the millions of tiny daily invasions of our privacy corporations have subtly introduced into our lives. Every day they come up with more.

I don't agree with all of McCain's ideas by any stretch of the imagination, but I would love to see him elected because his is the only guy with the balls and the clout to give the government back to the people.

I'd vote for McCain, too. Honestly, I'd love it if he ran as an Independent. You're right when you say he's not perfect, but he's something no other candidate seems to be: electable.

Re:He's a weasel

[Rich0]

Viruses cannot infect because their code is not trusted. That is the idea behind trusted computing.

I don't think anybody has a problem with having computers decide what programs to trust. The problem is WHO gets to decide what programs are trustworthy.

If I can create a keypair and register the public key in the bios using a utility such that the computer will sandbox any program which isn't signed using the key, that is a good thing. I'd just put the private key on a CD and store it in a shoebox - if a virus comes along, it can't get a hold of the key.

If all programs always run in a sandbox unless they are signed using a key that is retained solely by some consortium that charges $10k to do a code review and sign a program, then that is BAD. I want to be able to designate which programs are trusted, and which one's aren't.

If I can sign programs then I'm all for this software. If I can't, then it is useless to me. The only use is to those who control access to the keys - which are more along the lines of content providers.

And who sets the criteria for signing software? Suppose I write a general-purpose hex-edit program that allows browsing of all computer RAM / HD space? Can I submit it once and get it signed (thus compromising every other DRM scheme out there)? If not, what is their criteria about what a trustworthy program is, and what isn't? A read-only hex-edit program does not present a threat to the owner of a computer - it only allows the owner to view data on their own PC. It does threaten those who want to prevent PC owners from knowing what is going on in their PCs. A glance at the signing criteria would tell you in an instant who really stands to benefit from this scheme...

Re:He's a weasel

[impto]

How does trying to make a living selling a BIOS make this guy a weasel?

...but it's a bit of a wake-up call for those who still believe companies like AMI give a rat's ass about the average geek buying a motherboard.

He's got absolutely no reason to care and never has. Do you want to know why? He's not selling motherboards. In fact he can't afford to worry with whether or not TCPA is going to fuck consumers in the ass. If he doesn't put it in his BIOS then his BIOS doesn't get sold, his company makes no money, and he doesn't eat. It's kinda hard to explain to your stomach you've got no food based on spurious moral reasoning.

But, I honestly think that this guy is struggling to some degree with the morallity of TCPA and related technologies and isn't just spindoctoring. It might have just been rationalization when stated multiple ways in which TCPA can be beneficial to consumers, but I think he has a point. But, whether or not the goal of it is for Palladium or for the RIAA and the MPAA to be able to sell us content and control how we use it can't be his focus. He doesn't have that luxury.

The point you should be focusing on is that TCPA is really the only hardware issue that we have to worry about right now and it can be turned off and/or used by anybody that wants to use it. In other words, it poses no threat to people who use open source software.

Re:He's a weasel

[Hobbex]

I have no real idea how the final products will work. Some of them may be good, some may suck.

This is the very weaseling that you stand accused of: trying to plant the idea of these mythical good uses for this technology but avoiding saying anything about them. The main question, the one that Michael was trying to ask you, and the one that the parent poster was trying to ask you twice, and the one I'm putting to you again is this:

How can a technology whose only purpose is to take away from us control of our own computers, and thus in a very real sense our control of ourselves, EVER, concievably, have good uses?

You have not answered this, because you know the answer as well as we do, and all your justifications and rationalizations of the process you are taking part of fall together like a house of cards because of it. If you think you haven't met the devil, you need to look closer.

Re:He's a weasel

[SteveX]

>This is splitting hairs at best, and another artful dodge. If Palladium were in the marketplace, would AMI be part of it? Of course they would. And right now they're laying the groundwork.

Palladium is an implementation of the TCPA specification. Mozilla implements W3C specifications, but if I worked on some library code that Mozilla linked to that wouldn't make me a part of Mozilla.

TCPM is about verifying trust. DRM is an application of that technology, but not the only one. Online game servers being able to verify that the game clients aren't using hacked clients to cheat is another use. So is the bank's server checking out your web browser to make sure it's not been hacked. Technology itself isn't evil; applications of technology can be evil.

If a player implements DRM using TCPA, don't use it. Nothing is forcing you to.

- Steve

Re:He's a weasel

[WNight]

The problem is that you can have all the code signing in the world and crap OSes and crap mail-readers will still let shit happen.

It's not like there's a "Mail my private documents to everyone under the sun" feature in Outlook that people just forgot the password. The problem is that an email client needs to do certain things to function, access files in a read-only mode, and create/receive email. A virus will still be able to cause a stack-overflow, or something similar, and cause outlook to do something you didn't want, using only allowed resources.

It helps that Outlook (maybe) won't have write access to files, but that doesn't help people whose files have been copied to everyone else.

And applications that have write access will still be vulnerable. If you use Kazaa to download legit MP3s (sure) and someone tricks it into overwriting them all with "hahaha RIAA 0wn3r3d you!" you still lost your collection of Greatful Dead concert recordings.

It's like how a Unix person says "Unix can't get viruses - if you run a malicious program, the most it can do is wipe your user files." That's good, except that user files are the only things of value on the average, end-user computer.

Similarly, TCPA/Palladium/Whatever will make sure that while some buggy program destroys your personal data, it won't be able to copy the precious hollywood movies you're "renting".

There's no security for the user in this. There's security *against* the user here. That's great for me, if I'm a government or corp, and I don't trust the user. But if I'm a home user, I don't really want to buy a computer that won't do what I want it to do.

Re:He's a weasel

[SalesEngineer]

The only way you let technology take control of you is if you let it. Period.

If we can't agree on that, then there's no answer that I can ever give to make you happy.

Re:He's a weasel

[WNight]

The problem is that while TCPA is a tool, it's one only wanted by the "bad guys". Imagine if your local Thugs and Vandals Association put in an order for hammers and spray-paint. The police would be right to suspect mayhem.

Similarly, if consumers were pressing for this because GPG ran slowly (which it doesn't, nor does SSH. SSH can saturate 100Mbps networks on a P2-600 easily) then we'd trust it. But with the main movers behind this being the MPAA/RIAA, Microsoft, and the Bush Administration, we're justifiably nervous.

TCPA/Etc are supposed to allow user protection by code signing, etc. Even if these worked perfectly it still wouldn't stop the attacks that hurt most people. Buffer overflows masquerade as legit data so you don't check them for a certificate before accidentally executing them. Similarly, programs can be fed bad data and through a lack of error-checking, do bad things.

Take an example like Outlook. In a secure system you'd give outlook write permission to it's own files and read access to things you may want to send as attachments. Unless you want to okay everything it does seperately, you'll have a blanket permission policy. Now, someone sends you email with a buffer overflow and runs their own code. The OS won't let them write to any useful files, but your email. That's gone... After it signals your IMAP server to delete it as well. And any personal files it has access to, it'll send those out to everyone in your address book, and a few mailing lists too.

But, you're protected right. I mean, that trusted architecture made sure that if the email virus tried to copy your precious copies of those "Hollywood Movies" that it wouldn't be able to. I bet you feel much better.

Meanwhile, the same guy who wrote the email virus is sitting back, watching a very high quality bootleg of that movie that was made by someone in another country, with studio-quality analog gear and then dumped, sans watermark, onto the p2p networks.

But yeah, I'm sure there are good applications for this technology... As long as you're looking at it from the point of view of controlling what legitimate users, those without the facilities to find bugs and backdoors, can do.

But yes, it is unfair to pick on you. And thank you for at least letting us know what's going on. We'll try not to shoot the messenger, but pardon us for not believing in the benign intentions of those in charge of this.

Re:He's a weasel

[NigelJohnstone]

"If we can't agree on that, then there's no answer that I can ever give to make you happy"

Yes there is, you can say this:

"Microsoft told us that if we didn't put it in, then we would wake up to find Windows wouldn't run on our BIOS and we would have no market. We won't kid you, its not in your interests, its serves no useful purpose to you, we had to do it because we had no choice"

There, truth sounds so much nicer doesn't it. The whole board is full of you and Brian dodging questions and some very iffy moderation doesn't hide that.

Re:He's a weasel

[KjetilK]

Well, if you get thrown in jail for not letting it take control over you, then it is not so much a matter of individual choices anymore.

Of course, we can always try to destroy what you are creating, illegal or not, if it gets out of hand. Would you want that? If it did get out of hand, and it would need to be destroyed, then what would you say?

You have a huge responsibility for the things that you develop, Brian, are you ready to assume that responsibility?

Re:He's a weasel

[seiyakun]

How can a technology whose only purpose is to take away from us control of our own computers, and thus in a very real sense our control of ourselves, EVER, concievably, have good uses?

First of all, you're starting from what I think is a flawed assumption. How can this technology (assuming you're talking about TCPA) take away control of your computer? It's WRITTEN INTO THE SPEC that it's an opt-in system, with the owner of the computer being the one in control.

Second, TCPA will only be in the computer/BIOS/motherboard if you buy a computer/BIOS/motherboard with TCPA in it. Duh. So if you don't want it, let them know you don't want it.

Third, man, you need to get out more if your sense of self is so tied to your computer. :)

Re:He's a weasel

[SiliconEntity]

a) Isn't the goal of "trusted computing" to allow entities other than the owner of the computer to control what the owner does with his/her hardware?

No, it's not. Trusted computing allows you to prove to remote users that you are running some particular software. It lets you provide a hash of the running software and possibly some other properties of your computer, all signed using the internal TPM key which never leaves the chip.

This is a general technological capability that could support many goals. It would let some P2P applications run more efficiently, for example, by letting each peer authenticate that others in the network are running the same software. It could help with online games by letting users prove that they are running non-cheating clients. It could improve the security of VPNs by making sure that remote users are running up-to-date versions of system software.

And yes, it could serve the purposes of DRM, by allowing servers to refuse to download content unless the client is running a program which will honor the DRM requirements.

But none of this involves anyone controlling the owner or his computer! At most it allows the owner to convincingly claim that he is running software which will work in a particular way. The owner may choose to use that capability in order to persuade a remote system to do him a service - like letting him join in an online game, or a P2P network, or to download a movie. But that's the owner's choice. Nobody is forcing him to do anything. Nobody is controlling him.

If someone offers to give me information only in exchange for me signing a non-disclosure agreement, and I choose to take that bargain, he is not controlling me. It's my own choice. In the past, a similar exchange was not possible on computers, because I couldn't convincingly claim to be running any particular software. Trusted computing intends to make that kind of claim be possible. That's all. It doesn't give anyone control over any systems, it just lets people make new kinds of bargains.

Re:He's a weasel

[mstefan]

...it's an opt-in system, with the owner of the computer being the one in control.

The concern of course is not that end-users won't be able to opt-out of this kind of technology, but that applications -- or even the operating system -- will refuse to load if it has been disabled. For example, a media player may simply refuse to play that video or audio clip unless the user has "opted in", and then will use it as part of its DRM implementation to ensure that you are allowed to view, copy or even store the data (in the case of streaming data over the net).

One argument is that such operating systems and/or applications will only be implemented in the absence of a) resistance by the customer, b) competing products which do not implement this kind of technology. That if the marketplace decides that these kinds of tactics to control access to digital media are onerous, then it will fall to the wayside by virtue of consumer choice and the power of the almighty buck. But I think that ignores the significant influence that organizations like the MPAA and RIAA have, particularly now that they've publically climbed into bed with the major software vendors out there rather than try to shovel through legislation that mandates compliance. When you're talking about implementation at the operating system level and a company that owns 95% of the desktop market, market forces and a user's ability to "opt in" become moot points.

In the end, it's not about what consumers want, it's about what companies want on both sides of the fence.

Re:He's a weasel

You must realize that there is no such things as consumers anymore. The US government has decided that consumers only exist to serve the interest of the corporations that feed it campaign donations.

I'm sorry, but I just posted this on IRC, and we had a good, hearty laugh. You think you perception could be any more negative? I'm laughing pretty damned hard over here...

Re:He's a weasel

[solferino]

Don't hate tha playa, hate tha game."

no players -> no game

without people prepared to bend their ethics there are no unethical games - a game only exists if it played, to be played it requires players

Just remember that it's not the tool, but how you use it.

This is the fundamental philosophy of the technocrat i.e. that tools are neutral - when fully examined this is completely bogus - tools are designed by people and have those people's moral frameworks built in i.e. if you do not believe in killing you do not design, manufacture and sell guns

the only 'tools' that are neutral are natural objects i.e. a big rock could never be considered a 'suspect' object even if it had been used to hit someone over the head - a land mine on the other hand will always be an evil object and an embodiement of the lapsed moral standards of it creators and manufacturers

Re:He's a weasel

Holy crap - someone has made the perfect slashdot post - one that is both completely uninteresting and irrelevant simultaneously! Congrats.

Re:He's a weasel

[spitzak]

You have no idea what you are talking about. Every one of your examples can be done by software and virtual memory hardware that exists today. The TCP/IP driver can peek at the VPN passwords because the programmer was too stupid to put the things in different memory spaces. If you think having a different form of protection in TCPA is going to suddenly make the programmer smart enough to not do this mistake, you are seriously deluded. However I think you are trying to make excuses.

TCPA means there is a public crypto key in the hardware. THERE IS NO PRIVATE KEY. This means that the owner of the computer CANNOT SIGN CODE!!! (by owner I mean the same thing you mean, the IT department, not the dumb secretary who is at the desk). The fact that the owner cannot sign code is the ONLY difference between TCPA and all the well-established security schemes in existence.

The entire purpose of TCPA is to make sure that people cannot program their own computers. It is not a magic thing that is going to suddenly make software have no bugs!! It is going to sign those bugs and say they are "trusted".

Re:He's a weasel

[m1chael]

let me get this straight: palladium has nothing to do with the tcpa! its microsofts own implementation of their take on 'trusted computing'. microsoft may have been part of the tcpa but they chose to make their own piece of pie.

Re:He's a weasel

[TheLink]

Issues:
1) Whose public keys get preinstalled? Redhat Linux?
2) How is signature protection going to be done for user generated macros vs macro virues, or user programs vs malware?
3) Correctly signed software can still be badly broken.

1) If it's hard to install your own public keys into the BIOS, only a few parties would be able to supply TCPA features in their software. It'll be a good starting point for monopolies.
2) How do you tell the difference between software written by users and malicious software? Will your Perl/PHP/VB script run? If it does, it's a security problem. If it doesn't it can be a big problem.

3) The vendor could sign a flawed program, using the same key it used to sign thousands of other programs.

See:
http://www.microsoft.com/technet/treeview/ default. asp?url=/technet/security/bulletin/MS02-065.asp

"Because the ActiveX control at issue here has been digitally signed by Microsoft, and the signature is still valid," reads the advisory, "it could be possible under certain conditions for an attacker to re-introduce the old, vulnerable version of the control onto a system that had been patched, thereby making it vulnerable again."

The way to get around this? Remove Microsoft from your list of "Trusted Publishers" on your system.

Re:He's a weasel

[eratosthene]

Okay, I don't know very much about TCPA/Palladium at all, so forgive me if I sound silly. But it seems to me that Brian made clear several times, even referencing the TCPA documents, that TCPA is not equivalent to DRM. Once again, it's an issue where the TPM can, and most certainly will, be used for DRM, but what I think Brian is trying to point out is that it can, and will, have other uses. As a few posts have pointed out, it would be pretty nifty to have a hardware chip that can do cryptography of some sort, at least to take a load off the CPU. So I'm not sure what you have to be pissed off about. AMI sees that they have customers (be they mobo manufacturers, Dell, or Joe Ugly on the street) that want TCPA-enable BIOSes, so they make them. End of story. It has nothing to do with AMI supporting some sort of RIAA-induced control mania. It's a simply question of supply and demand.

Re:He's a weasel

If you want a hardware chip for crypto, then buy one. We all know that that will be, at very best, a distant secondary use.

Re:He's a weasel

Gee it gets boring listening to geeks criticize people for making money. We all love open source but insisting that every company should become open source because you would personally like it that way is just dumb. Get over yourself.

Re:He's a weasel

[Alsee]

It's a simply question of supply and demand.

Consumers are not demanding TCPA, they've never even heard of it! MICROSOFT is demanding it. Any motherboard that does not have TCPA to support Palladium will not get Windows Compatible Certification when the next OS comes out. Any company that does not get it's hardware certified Windows Compatible is screwed.

-

Re:He's a weasel

[eratosthene]

Okay, am I crazy, or did Brian not mention that TCPA and Palladium are two different initiatives? TCPA is simply one specification that uses the TPM, Palladium is a whole computer-BIOS-OS-kitchen-sink pile of Microsoft crap. While it is concievable that Microsoft would use TCPA in Palladium, it's also concievable that they would develop their own, proprietary thing and try to force people to use that instead. That seems to be their case history. And the consumers I was referring to, as was Brian, are mostly motherboard manufacturers, who are AMI's direct customers, and thus they, not us, are who pays Brian's paycheck. So yeah, AMI could decide not to implement TCPA in their BIOS, but then they'd be up shit creek when none of the manufacturers bought it. So if you really have a beef with TCPA, which I'm not sure is a legitimate one, follow the advice of several posts and yell at the mobo people, since it's actually them that are "forcing" AMI to implement this. And, remember, TCPA has a definite on-off switch, so sometime in 2010 when you buy a board with TCPA on it and want to run a non-certified (if there is such thing) OS, just turn it off. Voila, works fine. Seriously, I'm not sure why everyone is so up in arms about this. The general paranoia about DRM (which is something I'm definitely opposed to) seems to be bleeding over into things that don't technically have anything to do with it. Metaphor: a small microphone. (Bear with me.) No one gives the manufacturers of bug mics hell, and yet they can be used to invade your privacy just as much. Someone could bug your house, tap your phone, etc., yet I don't hear anyone bitching about them, because they have plenty of good uses as well. The problem here is that peoples' vision is so mucked up by all the RIAA's bullshit that they aren't seeing the potential benefits, they're only seeing what Big Brother might use it for. And yeah, that scares me, but it seems like not such a big threat, given that you can turn it off! Plus, if you're worried that MS Windows will turn it back on behind your back, don't use Windows! It amazes how many people bitch about how much Windows sucks (and I wholeheartedly agree) yet they go right on using it. If you're really worried about MS, then use Linux, FreeBSD, OS/2, Mac/OS, AmigaOS, BeOS, anything. As far as I can tell by this article, nothing in TCPA is going to hinder any of them from running fine. And if it does, turn it off. Simple.

Re:He's a weasel

[Alsee]

Okay, am I crazy, or did Brian not mention that TCPA and Palladium are two different initiatives?

While it is concievable that Microsoft would use TCPA in Palladium, it's also concievable that they would develop their own, proprietary thing and try to force people to use that instead

You don't fully understand TCPA and Palladium then. Palladium is software that requires custom hardware to function, and TCPA is the hardware it requires. TCPA and Palladium are "different inititives" just like monitors and the graphics cards are "different inititives". Palladium on a computer without TCPA works as well as a monitor on a computer without a graphics card (or speakers on a computer without a sound card). TCPA does the work, it's the guts of Palladium. Palladium is the interface between TCPA and the user.

yell at the mobo people, since it's actually them that are "forcing" AMI to implement this.

You're getting warmer, but there's a second step you missed.

You're right that AMI doesn't have much choice in the matter, but think for a minute - WHY are the motherboard manufacturers demanding TCPA? Hint: it's not because consumers want it. Consumers have never even heard of TCPA.

It's because Microsoft is demanding motherboards support TCPA. Microsoft's next operating system WILL REQUIRE TCPA. Therefor any motherboard that doesn't have TCPA is going to be incompatible with the next Windows. Any hardware that is incompatible with Windows is dead-on-arrival on the market.

Palladium cannot do anything without TCPA hardware or some other hardware that does essentially the same thing as TCPA (a rose by any other name is still a rose). And TCPA is extremely specialized hardware that can be used for almost nothing other than Palladium or some other software that does essentially same thing as Palladium (a rose by any other name is still a rose).

TCPA has a definite on-off switch

Yes, and numerous other posts have explained why it will become increasingly difficult to turn it off. For Windows users it will become impossible to avoid, and it will be the ultimate lock-out against non-Windows users. Check this post where I describe how it could potentially be used to essentially "embrace and extend" the internet. Everyone else gets locked out. Don't forget that pretty much all online purchases will use it.

Metaphor: a small microphone... they have plenty of good uses as well.

Exactly, except TCPA/Palladium do NOT have good uses. I am a programmer. I know how it works and what it does. Any "good uses" can be done without TCPA or Palladium. TCPA has one use and once use only - to lock the owner out of his own computer.

To be honest I do see one good use for it - preventing cheating in multiplayer games. But that's just more proof of what I said: the ONLY use for TCPA is to lock you out of your own computer.

TCPA is not for your security. It is not for your trust. It is security AGAINST the owner of the machine.

The problem here is... they aren't seeing the potential benefits

There are none. They (TCPA.ORG and Microsoft) claim all sorts of good uses, but it is 100% smoke and mirrors. Go ahead, name ONE benefit other than locking people out of their own computers. There aren't any. It's understandable that people fall for their deception, it takes a programmer to fully understand how it works.

As far as I can tell by this article

Unfortuantely this article is 100% useless for understanding the issue. He was here defending AMI, and yes, for the most part AMI is just getting dragged along by forces beyond their control.

Question 1 was:
Specifically, could TCPA be used against free OS's like Free/Open/netBSD and Linux to prevent those users from accessing the same content users of commercial OS's can?

He spent several paragraphs NOT answering the question. Ans the answer is yes, TCPA can be used against other operating systems in that manner. Open OS's can "use" TCPA, but they will still be locked out. It is a "useless" sort of use. You need the approval of the impotrand root authorities for TCPA to be usefull, and open OS's won't be getting approval.

Question 2 had nothing to do with TCPA.

Question 3 was about speed (not important here) and:
how will this benefit the end-user?

He did not answer this question. All he did was give a link to the TCPA FAQ. I explain in this post how that FAQ is pure propaganda. Read my post then read the FAQ. The only benefits it lists are Trusted computing, security, and access control, except all of those phrases are really euphemisms for DRM. There are NO uses where you need TCPA to give you security on your own machine. When they say "security" it equals DRM - security FROM the owner of the computer.

Questions 4 and 5 have nothing to do with TCPA.

Question 6 is a valid problem:
Isn't the goal of "trusted computing" to allow entities other than the owner of the computer to control what the owner does with his/her hardware? ...a trusted computer is one that can't be trusted by the computer's owner ...designed to make the computer it is installed in less useful to the purchaser of the computer

His answer part (A) is that it's not our fault and he can't or won't defend TCPA. He says go ask/blame TCPA.ORG.

His answer part (B) is it's not our fault and he can't or won't defend Palladium. He says go ask/blame Microsoft.

His answer part (C) is that their customers are not you and me, the consumers. Their customers are motherboard manufactures. He says they pretty much forced AMI to support TCPA. He's saying blame them.

Question 7 was TCPA related, but it didn't tell us anything about TCPA.

Question 8 was EXCELLENT and insightfull. He wanted to know if software could cheat and use TCPA even if you turned it off.

His answer is "it depends". At the end he implies it would require a reboot, but he's mistaken. If a program is going to cheat and turn on TCPA when you specificly turned it off then they can very well cheat and and skip the power on root of trust step. It wouldn't be according to spec and it may or may not be fully secure, but it would work. If TCPA is not switched off by a physical jumper on the motherboard then software can probably cheat and use it anyway even when you turn it off.

Question 9 What is the difference between TCPA and Palladium?

Answer in 3 parts:
(1)TCPA doesn't mention consealing memory. A minor point.
(2)Microsoft controlls Palladium.
(3)Microsoft owns Palladium.

That's it. That's the big difference.
In other words Palladium is little more than a trademark for TCPA.

And question 10 has nothing to do with TCPA.

He defended AMI fairly well, but he never said a single word in support of TCPA or Palladium and he never denied a single attack on it. It is almost inconceivable this was accidental considering that the title of the article was "AMI Guy Talks About TCPA, Palladium, and Other BIOS Issues". I can only speculate that he doesn't support TCPA any more than I do. He works for AMI and he carefully defended AMI without defending TCPA. His answers amounted to little more than "don't blame us, it's not our fault".

-

Re:He's a weasel

[eratosthene]

Thank you for clarifying the relationship between TCPA and Palladium. That makes a bit more sense now. Now another question: can the TPA be used at all without the root authority crap? In other words, could a Linux driver be written just to shift all of the encryption over to that chip, thus speeding up SSH and such? I don't know all that much about kernel hacking, so I'm just pondering here. It seems that the TCPA faq seems to say that would work, but I don't know. Still, I'm not sure I understand why everyone is so aghast at Microsoft doing the same thing they've always been doing: namely leveraging their market share to try to get rid of competitors. As it is, I dual boot Win98 and Gentoo Linux, using Windows as little as possible, and Wine/WineX when I can. I dislike Windows very much, but I use it (as I suspect most people do) for a few applications that I really like (Cool Edit Pro, Photoshop, Revalver, Flash, Warcraft III). In the future, if indeed somehow Microsoft manages to retrofit all copies of Windows98 to use Palladium (doubtful), and I can no longer use it without MS controlling my machine, then I won't. I'll just make do without it, and write my own apps. I think rather than campaigning against TCPA/Palladium, perhaps we should start a campaign to help users remember that old Windows versions (98SE-2K-XP) don't have Palladium, and pretty much can't ever have it. Not only this, but they still run just fine, and all the software you might want will run on them. Sure, someone might laugh at me running Win98 on a 3GHz machine (dude, that's so five years ago...), but it works, right? And I think that's an equation that even Joe Average can understand, especially given the number of non-techies I know that refuse to upgrade (not worth the hassle, it still works well enough for me, etc.). So anyway, I'm digressing a bit here, but the gist of what I'm saying is that I think perhaps Microsoft underestimates the intelligence of the ordinary user. If users are informed of Palladium's true intentions (which is what we are trying to do), and also informed that there's really no particular need to upgrade at all (better yet, use Linux :), then I think users can figure out for themselves what to do. What I'm leaving out of this equation is future application developement. I wonder, then, if Photoshop 8.0 will require Palladium so nobody can download it on those 0-day WaReZ sites? Or whether Warcraft IV will require TCPA-enabled cd-drives so you can't just copy the cd and install it somewhere else? This is what bugs me. Of course, the fun thing is, even if all of this happened, it would only be about three weeks till some group of l33t hAX0Rs cracks the code and releases AMIBIOS-3.2-TCPA-PALLADIUM-FIXED-RAZOR1911.zip onto the internet...of course, by that time, even WinZIP will be TCPA-aware, and refuse to unzip the file...so you'll just unzip it in Linux to a bootable floppy, disable TCPA in the BIOS so you can boot from the "untrusted" floppy, and flash it to hell...unless...oh nevermind.

Re:He's a weasel

[Alsee]

Thank you for clarifying the relationship between TCPA and Palladium.

You're welcome. It's a pleasure to share the information. Some of my other discussions on the topic have been rather frustrating, I hope I didn't let a negative tone slip in anywhere in my post to you. A lot of people are missinformed on the topic. I don't blame people for being missinformed, it's is a very technical topic and TCPA proponents have been spreading a lot of missleading information. Some people take offense at the idea that they have been missled and refuse to believe anything that contradicts it, those people get frustrating.

Now another question: can the TPA be used at all without the root authority crap?

Yes, no, sorta. You can use it that way - and they keep hyping that it is open for everyone to use. But it's missleading. If you don't have a root authority then you have no need for special hardware. Without the "crap" it is plain old software.

could a Linux driver be written just to shift all of the encryption over to that chip, thus speeding up SSH and such?

That's sort of like finding survailance cameras installed in your bedroom/bathroom and using them to take dictation. It'll probably work, but it would be cheaper and more reasonable to have a crypo-chip that works FOR the owner, not one who's primary design is to be secure AGAINST the owner.

I'm not sure I understand why everyone is so aghast at Microsoft doing the same thing they've always been doing: namely leveraging their market share to try to get rid of competitors.

Because if the other attacks were handgrenades, this one is a nuke. *If* TCPA becomes widespread and *if* the government doesn't interfere, Microsoft could conceivably steal the internet over the course of a few years. Palladium "protects" copyrighted content. Websites are nothing but copyrighted content - text, images, media. Palladium will also be used to protect online shopping. And patches. And passwords. And accounts. And Email. And file transfers. And tech support.

Once a certain percentage of the internet uses Palladium then Microsoft can leverage it to pressure everything into Palladium. Anyone who does not move inside the Palladium wall will be made to suffer. If you split the internet into two pieces - Microsoft only and everyone else, then the "everyone else" section will be too small to survive. It's the network effect, bigger networks are more usefull. Most computers on the internet run Microsoft software.

if indeed somehow Microsoft manages to retrofit all copies of Windows98 to use Palladium (doubtful)

I assume you have Windows MediaPlayer installed? If you have version 7 or up it's not so doubtful. WinXP and Win98 mediaplayer 7 and up already support forcing a Palladium download and install - if we had TCPA motherboards. Not an optional install - a mandatory install. It is in their EULA's and I'm sure it's in the code.

TCPA gives Microsoft the technical capability to steal the internet. I'm not saying it will happen, I really hope the US government - the rest of the world - would stop them before it got that far. I'm just saying that it has that potential - that's how dangerous it is. That's why I'm "aghast". It's like The Blob, if it can swallow the internet it can swallow anything.

If users are informed of Palladium's true intention

But Microsoft is going to spend millions to mislead the general public. You're a slashdot reader, you're at least a semi-techie, you use Linux, you know about Microsoft abuses, and still it took me several pages of text to expose the deception to you. John Q. Public has already switched to XP. And when they buy their next computer it will have TCPA and it will come with a Palladium operating system. And Microsoft will make damn sure that everyone knows that Win98 and old hardware are obsolete.

Take a look at Microsoft's product lifecycle:
Windows 98 / 98 SE Non-Supported phase January 16, 2004 (less than a year) End of Life June 30, 2004 (17 months)

If a year and a half from now someone releases an an exploit where a jpg or text file or email can wipe your harddrive then Microsoft won't release a patch. You'll have a choice, either switch operating systems or eventually you get nailed.

I wonder, then, if Photoshop 8.0 will require Palladium... This is what bugs me.

All sorts of software will require Palladium, or it will at least require the new version of windows which will require Palladium. At first Microsoft software will have optional "extra" features that need a "Palladium enhanced" computer. A year later Microsoft software will start requiring Palladium for core functionality and for patches. A year later Microsoft software won't run at all without Palladium. And it won't just be Microsoft software, Photoshop, office apps, games, many can and will start using it.

That's whats so scary about the whole thing, I can see exactly how they can do it all. They just need to take it one step at a time over a couple of years. In 6 years you're going to want to buy a 32 gigahertz 16 processor machine with 8 gig of ram and it will only come with TCPA. And much of the software you will want will require Palladium - unless Linux manages to capture the desktop market.

three weeks till some group of l33t hAX0Rs cracks the code

Normally I'd agree, DRM just doesn't work. But this is nasty - it's in the hardware. It's a whole different ballgame. And they have it set up where they can force everyone to install a patch to kill the crack, and potentially even wipe anything you got using the crack. Everytime you connect to the internet it can check for security updates. And they can even have your machine lock up if you don't connect to the internet every day. They specificly have support for locking files if the machine cannot contact a cryptographicly authenticated timeserver. Palladium does not trust the system clock because you could change it in order to view expired content (24 hour movie rentals, or even monthy fees on your music collection).

Actually the part about requiring a connection to a cryptographicly authenticated timeserver on the internet came straight from the text of the Microsoft Digital Rights Management Operating System patent. And everything in that patent is an exact match for the capabilities Palladium and TCPA. TCPA = Palladium = Microsoft DRM OS patent.

The only thing TCPA is good for is DRM, and Linux can't do that even if it wanted to because of the patent, lol.

-

Re:He's a weasel

[eratosthene]

You know what's funny (and a bit scary)? I didn't have WMP > 6 installed since about two years ago when I put win98 on this box. I didn't see any reason to, since I could just download the WM7/8 codecs and use them with WMP6. But just the other day, I came across a WM9 file I wanted to view, and bam, had to download WMP9, as WMP6 just refused to handle it. Pretty sleazy shit, since there's no real technical reason it shouldn't be able to. One thing: when I do buy my own 32 gigahertz 16 processor machine with 8 gig of ram (which will be in like 20 years when I can afford it on top of paying rent...), could I still not turn off TCPA and boot Linux anyway? Of course, if I can't connect to the net, that would really suck. Perhaps somebody can pry the EEPROM off a mobo, download the code, reverse engineer it, re-flash it, and put the chip back in? I assume there has to be some sort of code running in the BIOS that provides hooks to the TPM chip. So, why not modify those hooks so that whenever any application asks for authorization, the BIOS just returns true, no matter what? It sucks since every single revision of a board will have a different BIOS, but haven't hobbyists been doing that with the PS2 and the XBox with some success for some time now? Man, I have got to stop rambling so much...

Re:He's a weasel

[Alsee]

could I still not turn off TCPA and boot Linux anyway?

Right. That practically the only thing they haven't been deceptive about, a TCPA machine can run any software a non-TCPA machine can run. That's one of the big points in getting TCPA out there and onto a critical mass of machines. That's stage one - having TCPA on your machine doesn't hurt you in any way. Once they hit critical mass they can start using it to inconvience everyone who doesn't have it.

TCPA is like a roach-motel (chuckle). You can move anything into the protected area, but there's no way to get anything back out unless they give you permission.

Perhaps somebody can pry the EEPROM off a mobo, download the code, reverse engineer it, re-flash it, and put the chip back in?

There are multiple layers of keys. If you can get your personal key (a bottom layer key) out of the crypto chip then you can unlock all of your files, but not anyone elses. And it will probably be really hard to pry the key out of the chip. You can't do it in software, you need to actually rip the chip open with some pretty serious scaning equipment. You'd need at least an advanced college lab. Or a government agency could do it.

The good news is that cracking a chip will let you make as many "unlocked" computers as you want. The bad news is that they would all have the same "serial number". Assuming they design the system right they can revoke that serial number and lock out all of those machines at once as soon as they detect it.

The fact that your key is hidden is what makes TCPA different. Software can do anything TCPA can do - except hide your key from you. That is what's "secure", it's what they "trust". If you can't get your key you can't read your own files and you can't run a program they don't like without them knowing it and shutting everything down.

why not modify those hooks so that whenever any application asks for authorization, the BIOS just returns true, no matter what?

Because the encryption key is hidden in the chip. No key, no authorization.

-

Re:He's a weasel

[Vesuvius_2]

that's like saying "bullets are not a gun" sure they'll be used with the gun to kill, sure they have no role independent of the gun, but they aren't the gun itself so somehow they're okay.

deer in headlights

[prell]

I like how this interview starts out with what looks like a good understanding of the technology, its place, and AMI's place in it, but once we get to the key question (relating DRM, "trust," and pre-emptive behavior prevention in software), the interviewee completely opts out and suggests we all take a look at the extensive TCPA documentation. Yeah, we could do that, or we could interview a BIOS person. Oh wait..

I also LOVED where he said AMI doesnt' bear responsibility for palladium because it "doesnt exist yet." What a lame cop-out. "Yeah uh, Im gonna make this handcuff ring, but the other side isnt done yet, so you can just kind of wear it like a bracelet. I dunno what it will do!"

I also noticed this guy is from "sales," so naturally he's going to try and sell this to us. "It's not as bad as you think - you guys with your crazy linux stuff will love it! 0wnz0red!" Remember, people dont give away freedoms all at once - they do it piece by piece, being convinced by stuff like this.

I also enjoyed how he referenced Zero Wing. That shows he's really one of us. What a cool guy!

Re:deer in headlights

[SalesEngineer]

Yeah, we could do that, or we could interview a BIOS person.

You got an interview with a BIOS person, not a security person. The deeper questions you want answered aren't in my realm ... which was the main thing I wanted to explain in the interview.

Brian Richardson - AMI

Follow-up question

[kiolbasa]

So, roblimo says this guy reads Slahsdot, maybe he will answer follow-up questions here...

Please clarify, in 50 words or less, wether or not the trust model that TCPA implements will ever allow software to consider the owner and operator of a TCPA-enabled computer "not trusted."

Re:Follow-up question

[Hobophile]

Please clarify, in 50 words or less, wether or not the trust model that TCPA implements will ever allow software to consider the owner and operator of a TCPA-enabled computer "not trusted."

Oh come on. Let's face reality: the fact of the matter is that your (proprietary) software hasn't trusted you for a while now. What exactly do CD keys and registration requirements indicate if not a complete distrust of the end user's good intentions?

Take the recent story on Quicken's Turbo Tax program, where Quicken removed your option to print returns on a computer other than the one the software was originally activated on. Do you think maybe Quicken did this because they don't trust you?

Another example off the top of my head are those annoying product activations the new Microsoft Office products require. Why would Microsoft do this if they trusted their customers? Hint: they wouldn't.

If you honestly believe any major software company trusts you to protect their own interests when your convenience or money is on the line, you are quite deluded. Management at these companies is only going to trust you insofar as this aligns with their long term strategic interests. Once this is no longer the case they will do everything in their power to make sure the untrusted end user cannot impact those interests, even if it makes their software substantially less useful to you.

Bottom line: software companies do not trust you. They have no reason to, and therefore should not be expected to. Adding TCPA does not change this reality; they will still not trust you. But they'll be more comfortable dealing with you because your potentially damaging actions are verifiably constrained by their software.

Don't like this? Buy/support/use software that does not constrain you. That's your option. Boycotting AMI or TCPA-enabled motherboards does not solve the problem; those manufacturers are responding to a demand from software developers and content owners. It is up to you to show those people that you do not want to be curtailed and restricted and denied at every juncture.

Re:Follow-up question

[SalesEngineer]

Don't like this? Buy/support/use software that does not constrain you. That's your option. Boycotting AMI or TCPA-enabled motherboards does not solve the problem; those manufacturers are responding to a demand from software developers and content owners. It is up to you to show those people that you do not want to be curtailed and restricted and denied at every juncture.

That's a good way to explain it. Perhaps I should have said that in the interview.

Brian Richardson - AMI

Re:Follow-up question

[kiolbasa]

Perhaps I should have said that in the interview.

Which is why I asked for a follow up. It may have been unintentional on your part, but the issue I addressed in my follow up was only addressed indirectly in the interview. We all *know* how vendors feel about us end users, they just won't say it to our faces. Attempts to obscure one's true intentions bug me alot more than those intentions themselves.

Re:Follow-up question

[kiolbasa]

Bottom line: software companies do not trust you.

I would like nothing more than for a software companies to justify their actions by saying "That's correct, we don't trust users." Maybe AMI is more of a middleman and is only giving software companies tools to restrict end users. But, he was presented with this issue in the interview and the response was not clear.

Bottom line: software companies do not trust you. I know it, you know it, but when they try to dance around the issue when confronted, it is just insulting.

Now, who wants to see me hit a few dingers!!!

Re:Follow-up question

[Saeger]

Yeah, it's too bad that being a two-faced phony will always be a job requirement as long as the number of potential customers able to see through the bullshit is fewer than those who get hooked by it. Cluetrain? Hah.

--

Re:Follow-up question

[Madcapjack]

I must admit, I would like the same thing. I think that this is the question most non-specialists want answered.

But lets put it a yes or no question:

Brian, will it prevent us from operating any software or running any media files? Yes, no?

Re:Follow-up question

[Alsee]

Bottom line: software companies do not trust you.

Fine. But we are not talking about software companies. We are talking about MY COMPUTER. And my computer is suppossed to serve ME. It it MY agent, not some software company's agent. Why the hell should my computer prevent me from doing perfectly legal things like read my data or modify my data or copy my data? Hell, why should my computer even prevent me from doing something illegal?

The ONLY reason computers are going to include TCPA is because Microsoft is REQUIRING TCPA support for their next operating system.

-

You haven't met me yet?

[Zog]

I don't know, I've never met Satan

You say you haven't met me yet? That's kind of funny. Well, regardless, I distinctly remember you.

Have a nice day.

Say good-bye to dual booting...

[jgrider]

Okay, I'll bite:

you would have to reboot to have the TPM enabled at power-on to set proper "root of trust" (you can't just turn it on midstream, since a TCPA system is supposed to hash the BIOS & bootloader).

If this is true, then how do we get our free bootloader (lilo?) to work? Will (insert free bootloader here) have to switch to binary only releases, and pass every one through a certificate authority?

I have a gut-wrenching feeling that either we aren't hearing the whole story, or this guy is oblivious to the larger strategies at work here...

Re:Say good-bye to dual booting...

No, you wouldnt. Read the whole goddam answer before you open your mouth. What he is responding to is the possibility of software reactivating a disabled TPM module. If you turn it off, it cannot be reenabled by the OS without rebooting to set the proper "root of trust" is what he's saying.

This has absolutely nothing to do with whether LILO will work on the BIOS, with or without TPM enabled. Don't get me wrong,jgrider, I think you're a swell guy. But read the freakin' context before you decide to panic on behalf of the Linux community.

He is doing his best

[dusanv]

Really, everyone is being too hard on this guy. Altough he is involved with Linux he is just a salesman trying to make best out of a bad situation. I mean, AMI pays his salary. What is he supposed to say: Yeah, the primary use for our BIOS will be to secure a steady revenue stream for a couple of Hollywood/Redmond a$$es and take the fair use rights from the user. He is clinging hard to the fact that it may have other uses as well (VPN, whatever..) and that it may be disabled. In any case, e hasn't changed my mind a bit. That crap isn't going to make it into my house.

Smart guy, well spoken, but pushing BULLSHIT.

[Eric_Cartman_South_P]

In regards to supporting Palladium: Keep in mind that this is just one more feature we offer

No, it's not. On paper, it appears to be a feature. Get a BIOS pre-palladium. List features and count. For exmaple, lets say 110 "features". Now add palladium to that same chip. We now count 111 features. Again, on paper it looks good. But in the real world, where we live and where the chip will run, it's bullshit.

That 1 "feature" will reduce a very important part of my computing usage. "Freedom" and "choice" and "control" el. at. It's a net-negative. You added 1 "feature" on paper but reduced my "LIBERTY" as the user.

If Ford were to advertise "New Options! All cars CAN have a STEARING WHEEL and an ENGINE if you like!" they would be shut down. But in the digital world, AMI et. al. calls this type of selling a "feature". No thank you.

Re:Smart guy, well spoken, but pushing BULLSHIT.

Question: does the knife on your kitchen counter jump up and cut you on its own? Apparently that's how some readers thinks a TPM works. Based on the comments I read, the TPM is a magic chip filled with "MPAA pixie dust" that erases your music collection as you sleep. The TPM requires extra software to lock away data ... a TCPA BIOS by itself cannot do that, the TPM by itself cannot do that. If you want to focus your TCPA-related angst on something, focus it on that extra software. Brian Richardson - AMI

Re:Smart guy, well spoken, but pushing BULLSHIT.

[glenrm]

Car makers used to advertise rack and pinon steering.

Re:Smart guy, well spoken, but pushing BULLSHIT.

"It's a net-negative."

As opposed to yourself, a mere net-irritant.

Re:Smart guy, well spoken, but pushing BULLSHIT.

[Hobophile]

No, it's not. On paper, it appears to be a feature. Get a BIOS pre-palladium. List features and count. For exmaple, lets say 110 "features". Now add palladium to that same chip. We now count 111 features. Again, on paper it looks good. But in the real world, where we live and where the chip will run, it's bullshit.

I think it's a great feature. Seriously, sign me up.

No, I'm not crazy, and I'm not trolling. See, I'm a big fan of online gaming in general, and have logged more than my fair share of hours in quite a few games. Diablo 2 and Warcraft 3 are among those.

Now, as anyone who played Diablo 2 longer than a few months after release knows, hacking and cheating were rampant on the supposedly secure realm servers. And anyone doing ladder games for Warcraft 3 presently knows that finding hack free games is increasingly rare, with the abundance of map hacks and disconnect hacks and the like circulating.

How would this be different in a TCPA-enabled future? Well, if Warcraft 3 ran in a trusted environment, with the memory regions it used isolated from non-trusted applications, then the creators of these hacks would have nowhere to begin, effectively eliminating the cheating problem.

It's my understanding that this is the sort of multiplayer environment Xbox Live can guarantee. And honestly, I really envy that. Hackers and cheaters can easily ruin the fun of the game for players that do not use such "aids." A case in point is the utter joke the Diablo 2 realm economy eventually became.

I'm not saying Blizzard or anyone else should actively shut out players who didn't have TCPA-based hardware; just that those of us who did have it could use that feature to play the game without the cheaters. In fact, I would go so far as to say that this particular sort of software would become more valuable to me if that sort of unbreakable, trustworthy guarantee of a clean game was available. And the more emphasis that was placed upon this feature -- such as by requiring all ladder games to take place between opponents running the game on a TCPA-enabled platform-- the more valuable it would become.

And to me that settles once and for all the question of whether or not TCPA and things like it are just "bullshit" as you claim.

Can it be abused? Yes. Of course. Most features of note can be, even down to the ability to execute programs on your computer, which can be abused to compromise your system in the event you execute malicious code.

So: don't run viruses, and don't run programs that demand you use any other feature, TCPA included, in a way that abuses and tramples your rights as a computer user. Believe it or not, such abusive "features" are unpopular and cause companies that employ them to lose market share. Companies that continue to do so, or fail to remove such abuses when pressured publicly to do so, do not continue to receive money from intelligent consumers.

Re:Smart guy, well spoken, but pushing BULLSHIT.

[NigelJohnstone]

"Question: does the knife on your kitchen counter jump up and cut you on its own? "
No, you handed control of *my* knife to the RIAA & MPAA & Microsoft.

You must be able to see the vector here. The outside world will be able to dictate all aspects of my machine or refuse to inter-operate with it.

Normally I would simply reverse engineer the blockage and a new Linux with a patch would arrive to bypass just that blockage.
However under the new scheme this new version would not get a certificate so it would not work.

My machine can't live in a vacuum, so I have to agree to the conditions.
Your BIOS enforces this rule.

Saying you are only a tiny brick in the prison wall doesn't make it less of a prison.

Yes he did

He basically said that their project

a) Is well engineered
b) Supports lots of configurations
c) Is Well maintained

Re-read the answer. Also, read the answer to #10 for more reasons.

so can I sign my own software?

[hopeless+case]

The one question I wanted to see an answer to was whether I could designate myself as a signing authority and get the motherboard to only run code I had signed, or whether there was a fixed list of signing authorities.

Perhaps I missed it, but I didn't see an answer to that. The answer seems to be no, which means the comsumer is being taken for a ride.

Re:so can I sign my own software?

[geekee]

He made it pretty clear that any OS can run on this platform and use the encryption key system any way they like.

Re:so can I sign my own software?

[seiyakun]

The one question I wanted to see an answer to was whether I could designate myself as a signing authority and get the motherboard to only run code I had signed, or whether there was a fixed list of signing authorities.

As I read the responses, that's not a BIOS or motherboard issue, but rather an OS/application issue. So sure, if you want to write your own OS that designates you as your computer's god and master, feel free. :)

Re:so can I sign my own software?

[spitzak]

False. It is pretty clear the TPM chip contains a PUBLIC key. You can read it. But you cannot encrypt anything in a way that will be decrypted by the public key. However large companies are able to sign contracts that give them access to the private key, or a service that encrypts their information with it.

Therefore there is something your own software cannot do with the encryption system: it cannot create data that can be decrypted by it. Others can. Thus by definition you cannot use the encryption key system in any way you like.

Re:so can I sign my own software?

[captaineo]

It will be interesting to see whether they use the same key pair for all machines, or whether each machine will have a different key.

One key pair for everybody would be cheaper and simpler, but there is a big chance the key would get compromised. (MS went this route with Xbox and seem to have done a good job keeping the key secret, however the Xbox software vendors form a much smaller group than the general software development and media communities...)

One key per device would give better security, but all your software and media would have to be custom-encrypted for your machine, which would impose pretty substantial costs on vendors. I'm not sure a typical company would want to maintain a farm of machines running 24/7 just to encrypt their products for each new customer.

Even in a one-key-per-device system, there is still the danger that one key pair could be recovered (or forged) - and then whoever has that pair could decrypt and offer plaintext versions of anything to the world... If such a system is adopted, expect hardware vendors to maintain a "master list" of the public keys for every unit sold; before encrypting a product the media vendor would check your key against the list to prevent you from providing a forged public key (whose private key you know).

The burden of administering this list would be heavy, and I'd expect it to become the target of many attacks... e.g. one of the large overseas piracy outfits could set up a rogue hardware manufacturer just to get access to the key list. It might not even take that much - a "social engineering" attack at a hardware vendor might score some key pairs. There would be a race between key attackers and the "master list" maintainers, who would strike compromised keys off the list as they are discovered.

Re:so can I sign my own software?

[spitzak]

I think there will be only one key (or probably a fixed *set* of keys). At least at some level.

I doubt they will give the private keys to anybody. Instead you must send your binary to a "signing service" that will do it. So the vendors will not have access to these keys. However I see a lot of problems. Any software developer will have to sign dozens of test versions a day, so this system will have to be automated. It would not be too hard for a trusted developer to get anything signed they wanted. Alternatively the software developer could be given a "broken" Windows that runs anything with full trust, but this system itself would be incredibly valuable. In either case I don't see how a Hong Kong pirate or Osama bin Laden, with a lot of money and other methods of coercion at their disposal, would have little trouble cracking this.

I also wonder if Public key encryption can be broken if you have the ability to select arbitrary messages you want encrypted.

Of course the whole point of this is to lock down private machines so the individual can't fast-forward through ads (even on their pirate copy), and make it impossible to do things (like play even a pirate copy) without running Windows. It has nothing to do with stopping piracy or with security, so these holes are irrelevant to their plans.

I think he did...

[fireboy1919]

I can't be absolutely certain what you're claiming he didn't answer because you used commas instead of periods in your last sentence, and none of the other necessary punctuation marks. Sometimes you need to use actual grammer rules to get your point across. He did explain what the benefit of the technology is.

It can be used to uniquely identify a particular computer with a low amount of computation. It's a glorified MAC address system, but with an encryption system based upon this as well.

I don't even see how this is even bad by itself. Is MAC bad? In addition, the only way it's going to be permanently encrypting data is if you put software on it that does that.

If that's what you want - data that is restricted to one machine - then just make an encryption scheme that combines serial numbers of all of the components in a machine to make a hash and use that. Is TCPA a technology that enables unique identification? Yeah, but so is a friggin' turing machine.

I won't accept a system that keeps my data from being portable. I won't use any XP product because when they're no longer supported, you won't be able to register them, and then even having the software won't mean you can use it. I won't use any DRM software that limits my rights to my files or is not portable among operating systems.

But if I can get a coprocessor that does encryption for free when I buy my board, and I don't have to be quite so paranoid in figuring out who is who because they have one too, I'm all for it. Maybe this'll help knock out the screwed up digital certificate market.

Re:I think he did...

Sometimes you need to use actual grammer rules to get your point across.

Sometimes you need to use actual spelling rules to get your point across.

GRAMMAR with an *A*!

Re:Not quite true

[gorilla]

If they wrote it without TPM then it would be hacked, so TPM is pretty much a pre-requisite.

The opposite is also true, if they wrote it with TPM then it can still be hacked. If the object files for the DRM program are distributed on any non-trusted medium, for example the internet or CD-ROM, then they can be read on a non-TPM system, and attacked. It expect it won't be easy, I'd start with a TPM protected decyrption program, but non-easy and impossible are two different situations.

Really?

Damn....at least that explains it, tho. Although I could contend that being married to Bill is, in effect, Microsoft Ice-land. I mean, he is a friggin' robot.

Quite interesting...

The Trusted Computing Alliance is still annoyingly cloak-and-dagger, but this does clarify things a bit. (It's a shame more of the questions asked didn't take into account that TCPA obviously != Palladium, though TCPA -> Palladium.)

My thoughts here-

-Crypto offloading is great, if done properly. Question is, will it be self-perpetuating, or will the initial implementation be light-years ahead of general-purpose processing, but various issues bog down R&D and spec-updating until 'brute force' CPUs once again mop the floor with the specialized units?

-As we probably knew in the back of our heads, TCPA is just a 'technology,' like SSH, or more accurately, SNMP/WoL/other remote-management solutions. What would make things evil would be:

-TCPA-only hardware/systems models, roughly equivalent to Winmodems or anything else built under the assumption of proprietary licensing (of OSes, keys, etc). The real risk here doesn't sound like "Linux/BSD won't boot;" it sounds more like "Linux/BSD won't be able to boot 'Trusted' so you can't put that SAMBA server on your Windows network."

-In fact, let me repeat that. "Linux/BSD won't boot trusted, so you can't put that SAMBA server on your Windows network." This is why MS gives a hoot, and while TCPA itself might not be an idea with [good|evil] alignment, beware of influence to the spec. Network filesystems are a good idea; CIFS is an example of a good idea manipulated for lock-in.

-As to Palladium... first off, it's sounding more and more like another lovely exploitable mechanism. If, somehow, Gator or friends can inject code into the Palladium box, they get free reign and undetectability. Heck, imagine if worms could take advantage... [I'm not feeling up to speed on the spec today, so I may be ignoring how code gets into the Palladium box in the first place. Still, it's long been proven there's more than one way to skin a horse- Microsoft signatures aren't necessarily from Microsoft and all that. ;)]

-...secondly, it sounds like the full Palladium vision (in the sense of MS revoking the 'license' to your Word documents and so forth) is going to be an *application* of TCPA and other protocols, in the same way BackOrifice is an application of TCP/IP networking.

-Finally, as far as I can tell, most jumpers in this day and age simply set registers read by the BIOS at boot, so unless these are physically cutting power/pathways to various chips, I can't see why the TCPA processor can't be enabled later. After all, there've long been hacks like SoftFSB and similar. Whether that'd have actual utility is anyone's guess... The potential to curtain some memory in Palladium-ready chips based on an exploit's request sounds more disturbing.

Re:Quite interesting...

[Hobophile]

-In fact, let me repeat that. "Linux/BSD won't boot trusted, so you can't put that SAMBA server on your Windows network." This is why MS gives a hoot, and while TCPA itself might not be an idea with [good|evil] alignment, beware of influence to the spec. Network filesystems are a good idea; CIFS is an example of a good idea manipulated for lock-in.

If this is truly Microsoft's plan, then Linux users can rejoice: they are about to inflict a mortal wound on themselves.

How many businesses with any serious investment in technology would willingly upgrade to an operating system / platform which deliberately breaks compatibility with servers and systems they have spent so much time and effort getting to interact correctly in the first place?

It takes years for products to gather momentum in a corporate environment, particularly in this era of reduced IT spending. If Microsoft's new server release won't trust the Unix servers down the hall that have been working right for the past decade, the chances of that server release actually making it out of testing stages are virtually nonexistent. Only the most reckless businesses would voluntarily buy in to a scheme which made them utterly dependent on the whims of a convicted monopoly.

Would Microsoft love it if businesses went along and ignored any misgivings? Of course! But why should businesses do this? Linux is being taken increasingly seriously on small to mid-end servers, and Windows has never had much of a foothold on big iron machines. Such an obvious ploy to cement Microsoft's hold just would not work. Microsoft would have to proceed gradually, carefully putting in compatibility problems and introducing difficulties where none previously existed, until finally they created an environment in which only Microsoft products can be used.

But even then businesses would stop one point release before total incompatibility is achieved, and refuse to go further. Moreover, as compatibility broke at an increasing pace, businesses would slow their upgrade rate to glacial speeds. They'd have to, to give time for compatibility fixes and hacks to come out from Microsoft's competitors, as well as to test future releases for similar issues.

One might observe that the above has been Microsoft's strategy for a long time now, and it may well be that DRM-based efforts like Palladium represent that final push towards full incompatibility. But to believe that Microsoft will succeed fails to take into account the increasing (and deserved) mistrust Microsoft has earned for itself over the years.

TCPA is DRM, whether they want it to be or not.

[geekoid]

" Merely adding TCPA to AMIBIOS doesn't constitute DRM:"
then later he says that TCPA can be turned off three defferent ways: In the bios, jumper, or software.

Which way do you think Mother board manufacturers will want? I'm guessing the cheap route, Software.

So you can turn Off tcpa , then the OS could turn it back on 'for' you.

But that doesn't matter, because a company with a history of abuses in the market place, and a convicted monopoly, won't have an issue with popping up a message telling the user to enable tcpa, or there OS won't run. Probably After its been installed for a month for 'convience' sake.

Re:TCPA is DRM, whether they want it to be or not.

[brokeninside]

Which way do you think Mother board manufacturers will want? I'm guessing the cheap route, Software.

Some will. Some won't. I'd imagine that one day only machines where TPM functionality is turned on via hardware (the jumper option) will be trusted for certain applications, especially applications involving security.

So you can turn Off tcpa, then the OS could turn it back on 'for' you

True. But how is this different in kind from the current status quo? There is already good reason not to trust many software packages (spyware, worms, trojans).

And we also need to imagine the flip side. Imagine software that turns your TPM off for you. Wouldn't that rain on more than a few parades.

Plus, tt would seem to me that verifying TPM state will be a future feature of security software.

But that doesn't matter, because a company with a history of abuses in the market place, and a convicted monopoly, won't have an issue with popping up a message telling the user to enable tcpa, or there OS won't run. Probably After its been installed for a month for 'convience' sake.

Regrettably, this is a real possibility. It seems to me that it would also be the basis of a new round of lawsuits. I would think that it would also push people to migrate to a new OS.

Re:TCPA is DRM, whether they want it to be or not.

[autopr0n]

So you can turn Off tcpa , then the OS could turn it back on 'for' you.

Actualy, the system needs to be started when the computer is powered up, otherwise it dosn't work. The AMI guy mentioned that, but he didn't really emphasize it as much as he should have. if TCPA could be started back up by the OS, then it could also be started back up by some cracking software, or something.

Re:TCPA is DRM, whether they want it to be or not.

[NigelJohnstone]

"So you can turn Off tcpa , then the OS could turn it back on 'for' you."

More likely, you will find that unless you turn it on, your machine will interoperate less and less with other machines.
So you will turn it on because you the alternative is to live as a hermit in the hills.

My Concern

I believe this is a play, to set precedent for the digital tv turn over.

Services can be concidered any show you watch.

Very accurate information about every person that uses this new technology.

Instead of broad stroke appeals to certain demographics, precision strikes. Similar to a certain trusted news organization selling it's time and reporters to praise the virtues of hormone therapy, which ended up cutting short the lives of 10 million women in North America. With little to no mention of a retraction.

There are no laws to protect a countries citizens from such abuses.

Re:My Concern

heh... and legal censoring without the use of the courts.

Whatever

Read it again -- no waffling here:

c) What is the licensing structure? There isn't one. From the TCPA FAQ:

10. What are the licensing and/or royalty arrangements for the technologies outlined by the TCPA specification?

The TCPA spec is currently set up as a "just-publish" IP model.

d) Can open-source software make use of TCPA? Yes. From the TPM FAQ:

18. Does the TCPA support open source systems?

Yes. The ability to use the TPM functionality is available to all developers of software. An open source project could determine to use TPM functionally today. The concepts of measurement, protected storage and attestation of measurements are fundamental concepts that hold true for any type of OS or application. The platforms that support TCPA today are not limited to only one OS and if open source developers provided applications that used the TPM functionality they would find support.

Re:Whatever

[NigelJohnstone]

Sure he didn't waffle here, but let me spell out what he didn't say.

First your quoted section:

"Yes. The ability to use the TPM functionality is available to all developers of software. An open source project could determine to use TPM functionally today"

To be trusted it has to have a certificate accepted by the remote party who will send the media. Those certificates carry a set of conditions which must be met to obtain the certificate. Open source can therefore only support this if they agree to those conditions.

Now suppose the remote RIAA site requires a certificate that says "this machine must be unable to rip CDs into MP3 format".

Now you see the problem. You can sure make a crippled version of Linux without anything objectionable like stream ripping and cd->mp3. But why would you?

Bingo! (Re:We asked the wrong person)

[SalesEngineer]

I think that's the best description of the situation I've seen yet. This guy has the right idea on how to handle TCPA from a consumer standpoint.

Brian Richardson (AMI)

Customer food chain

[Distan]

I'm going to address something Brian said from the perspective of a motherboard designer, because that is what my recent job was.

Brian says "So when a customer (or customers) comes to AMI and says "Our next motherboard will support TCPA, and we need a BIOS module", AMI has two choices:"

This really is the key. AMI doesn't sell their BIOS to "Linux Users", nor do they sell it to any other end users. AMI's customers are the companies that either design or specify designs for motherboards (think Dell, IBM, HP, Intel, Tyan, etc.) AMI simply can't say "no" to these customers, as they will simply go somewhere else. Or, as he pointed out, since the motherboard designer usually has a license for the code, they can just have their own programmers put in the offending feature.

The next question you have to ask yourself is why are the motherboard designers pushing for this feature? Extending Brian's argument, it is because their customers are system integrators and the system integrators are demanding it. In the case of Dell or HP, the system integrator is just another group in the same company, in the case of Tyan it is another company altogether, but the case is the same either way.

So why are the system integrators demanding it? The simple answer is, Microsoft doesn't give you any choice. No PC maker can be competitive without that little "Designed for Windows 2004" sticker on the front of their box. Our contracts with Microsoft give us a big discount on Windows licenses if we meet their demands, and one of those demands is that the hardware platform we ship meet all the requirements of a MS/Intel driven design guide.

Ever notice that all computers now ship with a network port? Ever notice that no computers ship today with ISA slots? Ever wonder why? Because those are the demands that MS makes, and the costs of failing to meet their demands are so high that the PC makers really have no choice.

Don't get upset with AMI for enabling Palladium. They really have no choice. If you want to find out who you should be upset with, just follow the money and see where it leads.

Re:Customer food chain

Ever notice that all computers now ship with a network port? Ever notice that no computers ship today with ISA slots?

WE demand that. I demand that. I want a network port and no ISA slots. Get rid of the parallel port and the PS/2 mouse connectors next.

Re:Customer food chain

This guys is absolutely right. I work for a PC maker and Microsoft gives us big discounts if we do it exactly the way they want it. Otherwise we have to pay more. So we spend considerable time making things the way Microsoft wants it so we make more money. It's really sad.

We are Greedy-American-Capitalistic-Pig-Dogs

[Your+Average+Joe]

The whole purpose behind TCPA/Palladium is to sell product. How do you think Microsoft will keep the Xbox a game console? They need to make it as proprietary as possible. Besides "Trusted Computing" is a Microsoft buzz word. Microsoft has buckets of money to protect the Xboxes future!

The motherboard manufacturers could have the economy model for home users that would only work with win9x or XP. The server, workstation or Linux versions would be priced much higher.. Now this would also work for Dell, say you have Dell servers and workstations and you have a server board failure, you would need to have an extra Server and Workstation since the motherboards have different BIOSes. The end result is companies have fewer choices while the VARs make more money. DUDE! Your Seagate IDE Server hard drive FAILED? We can send you one today, the replcemnet is $499! So you try to put a workstation drive in and it won't boot! You know capitalism, after all we are Greedy-American-Capitalistic-Pig-Dogs!

The next thing it will do it will allow poorly conceived business to stay afloat, like Net Appliance when all the hackers bought IOpeners and caused their business model to fail.

How do you become a BIOS hacker?

[MikeFM]

I've often wondered how I'd go about developing my own BIOS if I should want to do so. I have years of programming experience and decent electronic engineering experience but I'm not really sure how I'd start on writing a BIOS. Are their books devoted to such a thing? Motherboard Design and BIOS Hacking for Dummies? I wouldn't mind tearing up some old mobos to get some practice in.

Re:How do you become a BIOS hacker?

[williamyf]

Try these:
http://www.pcengines.com/resource.htm#bios

Re:How do you become a BIOS hacker?

Having written a BIOS for embedded systems based on X86, the best I can say is it involves a lot of research and books on the PC architecture.

The PC architecture isn't logical. It wasn't even designed. It evolved (sort of) and is a pile of hacks on top of a pile of hacks.

Sadly, these hacks are necessary to form the interface to most operating system software (Linux, BSD, Win, QNX, etc).

The first book I would recommend is "The Undocumented PC." It goes over a lot of the BIOS calls and (more importantly) memory locations. Ralph Brown's interrupt list is a good one to have. "Programming the 80386" [Crawford] is another good book. BIOSes use protected mode (some people are surprised by that).

Also, there are a bunch of PC architecture books. The ones on PCI are important if your H/W has PCI support.

And the *most* important tool: A logic analyzer. I could never have gotten my BIOS very far without my trusty Aglient.

It also depends on the chipset you use. Not all of the BIOS code will probably be written by you (unless you work for the sillicon house).

For example, my BIOS was for the NSC SC1100 CPU using the M-Systems Millenium+ Disk-On-Chip. A lot of my code was specific to this sillicon, and I had a great deal of help from both companies (especially M-Systems, their techs were terrific).

Your best bet is to try writing a BIOS for either very old hardware (8086 stuff) which is simple to do as everything is well documented or get in contact with a chip vendor who will give you the necessary support.

-- Mark G.

This is what I call a fundamental feature

[leoboiko]

AMI has advantages over LinuxBIOS as well (...) JPEG graphics as boot logo...

That's it. I'm not interested in LinuxBIOS anymore until they support JPEG graphics.

He definitely is an engineer

[nycsubway]

From the TCPA specification, I am definitely a BIOS engineer, here's why:

a) Main

b) Advanced

c) Security

d) Power

e) Boot

f) Exit

For those reasons, it's clear that engineering BIOS is all about making lists.

Re:He definitely is an engineer

[SalesEngineer]

Actually, it's the EE degree from Clemson and the 6.5 years on the job writing code. Brian Richardson (AMI)

Re:He definitely is an engineer

[kimon]

Hey, that's from an HP BIOS!

DRM turns sales into bad rentals?

[TyrionLannister]

Can anyone tell me what happens to materials I have purchased on PC #1 when I upgrade to PC #2. IS it just me, or does it seem that there should be legislation guaranteeing this ability. If there isn't this is going to be the biggest rip-off for consumers in history. When you purchase DRM content, not only will you not be able to play it on more than one electronic device, but you will lose the ability to use it at all when you upgrade computer or switch mobos or if your mobo goes bad.

Or is there some mechanism to avoid this?

Will attest to their configuration

[OeLeWaPpErKe]

I guess "windows-only" will truly mean windows only with tcpa (and webmasters will never do this, as we all know).

TCPA provides one thing, and one thing only (unless you pay thousands of dollars) : forced incompatibility, a windows program will NOT work on wine, or any other system, after this is done.

Websites will check you configuration and refuse to send anything to other configs (we've seen it happen before). Browsers will identify themselves, and we will no longer be able to lie about our browser at all. MSN, Hotmail, Yahoo, etc will be off-limits to anyone using anything other than windows. (Remember the sort of stuff this gets used for, websites where you cannot take screenshots, DRM, mails that destroy themselves, ...)

It is quite obvious that this is the whole purpose of tcpa in the first place, to "protect intellectual property". I would think long and hard before endorsing it to anyone as you will NOT be doing them a favor.

Re:Not quite true

[geekoid]

unless your not allowed to read cd-rom without TCPA enabled.

great answers, sorta...

[anonymous+loser]

If only Willam Shatner had provided such in-depth, technical answers to questions about the physics of warp travel. He could have even quoted from the FAQ just like Brian!

I was a little disappointed by the answers that just reiterated the TCPA FAQ, but then again if I didn't know much about it, that's probably what I'd do, too. For example:

The crypto-processor and key storage are provided by the Trusted Platform Module (TPM). A TCPA enabled system will have a TPM on the motherboard. This TPM can be disabled, as per TCPA specification, if the user wants to opt-out.

Unless the operating system is designed to refuse to run uness TCPA is enabled.

Re:great answers, sorta...

[Ernest]

Unless the operating system is designed to refuse to run unless TCPA is enabled.

Big deal. You can still choose not to use it! I haven't used windows at home since quite a while now. At work I have little choice, but there DRM is less of a problem (the system manager is the problem, even legal stuff is illegal in his eyes).

The only real problem would be if it couldn't be switched off at all.

Even then, I wouldn't be too worried. Somebody will figure out a way to disable it

Why BIOS at all?

[mdxi]

I wish I'd thought to ask this earlier. I'd love to know why PCs still use the old, crufty, ugly, BIOS at all. Why does the Intel architecture industry not use an implementation of the powerful, flexible, architecture-independent OpenBoot (IEEE 1275) standard?

SPARC, PowerPC, and Alpha machines use it. Why is the x86 world stuck in 1980? (This, the clever reader will observe, is a rhetorical question.)

Re:Why BIOS at all?

[Scott+Wood]

Alphas do not use OpenBoot. They run either SRM, AlphaBIOS (for NT), or ARC (for NT on older Alphas). The latter two look and feel much like a PC's BIOS. The former is command-line based, but it's still not the same as OpenBoot.

Re:Why BIOS at all?

[Clubber+Lang]

(This, the clever reader will observe, is a rhetorical question.)

"Do I know what rhetorical means?!" - HJ Simpson

Re:Why BIOS at all?

[zozzi]

BIOS is gone in Intel's Itanium - it's replaced by 3 layers: PAL (which does core testing and some patching and OS services), SAL (more knowledge about platform, testing and more OS services) and finally EFI - which can load boot images from a wide variety of devices (disk, cd, dvd, zip, usb, network, etc...)

A bit hellish to master but supposedly very extensible

Re:Why BIOS at all?

[IntlHarvester]

Nobody really answered your question, so I'll take a shot at it -- the primary reason for the BIOS is backwards compatiblilty.

The following OSes are designed to require a classic PC AT-style BIOS, at least for the boot sequence:

DOS
Win 9x
OS/2
Novell Netware (bootstraps from DOS)

Note that the first 3 are "obsolete" and aren't being updated but are still in very widescale use. I believe it's possible to still order machines with Windows ME.

Anyway, you could make a legacy-free firmware that could boot lightly modified versions of XP or Linux, but that doesn't help the installed base at all. Maybe in 10 years, but not now.

The BIOS is just the tip of the iceburg -- a modern PC is still very much "AT-Compatible" -- and that has radical effect on the hardware design. For example, ATA/IDE has to be continually improved, rather than replaced, because it offers the highest compatibility.

As a secondary problem, even modern OSes like NT/2K/XP and Linux have a bunch of dependancies on BIOSy things like ACPI.

Re:Why BIOS at all?

[WhodoVoodoo]

Soo we'll be stuck in 1984.

OT: Your sig

So you're a Role Playing Game gamer, huh? Do you often use the Automated Teller Machine machine and work for the redundancy office of redundancy? :-)

Well ... yes, I did answer the question.

[SalesEngineer]

He asked me why to buy AMI over a competitor ... that's what I answered. That's what I do for a living, so I had an answer.

If he wanted to ask about something else, he should have asked a different question.

Brian Richardson - AMI

Re:Well ... yes, I did answer the question.

Ahh..so in that regard, you could very well be here spin-doctoring the "geek" crowd so that they'll be more likely to support your company, and the TCPA as a whole? Are you sure you don't make lies for a living?

Re:Well ... yes, I did answer the question.

[Wiwi+Jumbo]

*groan*

Do you have problems making friends?

XOR Trick

[PetiePooo]

When I hear the phrase "XOR trick," I think of its usefulness for exchanging registers.

If you don't have an XCHG op like the Motorola 68k to exchange two registers, you can use the following trick:
XOR AX, BX
XOR BX, AX
XOR AX, BX

Now, that's a real trick!

Re:XOR Trick

[butt-rock+camaro]

Actually, x86 does have an XCHG op.

Re:XOR Trick

[Mucky]

ya, but he's talking about Motorola 68k architecture

Re:XOR Trick

[Mucky]

Damn thats cool! Never thought of doing that. The XOR clear trick is cool, but this is even better.

Re:XOR Trick

[red_dragon]

The same thing works for reversing strings:

void strrev( char *p )
{
char *q = p;

/* this goes boom if *p isn't null-terminated */
while ( *q ) q++; q--;
while ( p != q && p < q ) *p ^= *q, *q ^= *p, *p ^= *q, p++, q--;
}

Re:XOR Trick

[TummyX]

Ofcourse it's actually *slower* than using a temporary variable.

yuck

[rxed]

It seems that there is no limit on how much some people can brown nose for a few karma points...get a life you troll!

Re:yuck

sorry to hear about your penis

a ^= b ^= a ^= b gets optimized out

[yerricde]

The old swap trick a ^= b ^= a ^= b may have worked well on older architectures without a swap instruction, but modern processors can swap R1, R2 in one cycle as opposed to the three cycles a ^= b ^= a ^= b takes. In fact, GCC will optimize a ^= b ^= a ^= b to swap R1, R2 on such architectures.

Re:a ^= b ^= a ^= b gets optimized out

[Edgewize]

Btw, a ^= b ^= a ^= b is technically invalid code. There is no guarantee on the order of evaluations, and it could vary from compiler to compiler or with optimization level. I've seen it used all over the place and it pisses me off; it means the author assumed that 'this works for me so I'll assume it works for everyone'. Makes me wonder what other non-portable or compiler-specific tricks were used.

Proofread, Brian, Proofread...

Ouch, my teeth are hurtin'...

TCPA works in a very similar fashion as other key-based security mechanisms

You can break these down three major areas

AMI has to sign a has to sign a Non-Disclosure Agreement

the choice to distribute their product anyway they choose.

companies feel they loose competitive advantage

a few websites do a good job of explain the ugly details

the fact my company is a TCPA member

working on TCPA for quite sometime

they we spent time developing a feature nobody wanted

that's happens in cutting edge development

it's any body's guess what this does to application development

thanks to the readers for wading through the text.

Anyone ever thought of including aspirin in the /. subscriptions?

Re:Proofread, Brian, Proofread...

[SalesEngineer]

I did write this in OpenOffice ... I guess there's still some bugs in the spell/grammar check.

Eleven errors in eleven pages ... that's not bad for me. Just don't let my mom read it.

Brian Richardson - AMI

This answeres NONE of the relevant questions

[decathexis]

While this interview has some semi-interesting info about BIOS business and architecture, it answeres NONE of the questions that it promised to answer.

The promise was to explain why TCPA is not effectively going to stop open source. The answer amounts to little beyond "read the specs". We all understand that TPM maybe be turned off in some cases. We all understand that a linux distro can theoretically be certified and run as a trusted OS. This doesn't mean, however, that wide spread of TPM wouldn't be the end of open source. If future cohort of Windows machines know to ignore any files produced on something that is not certified to be Windows, turning off TPM isn't going to be much of a solution. If you can't compile and certify your own software, how will certified HP Linux be practically different Windows?

I am extremely disappointed with this interview. If Brian is not qualified to talk about the implications of TCPA, as he himself admits, he shouldn't have volunteered to talk about it.

Hardware RNG

[williamyf]

I am not sure if it was the Pentium III or P4, but I think RIGHT NOW there is a RNG in Hardware, which uses thermal noise for the number generation.

The real lowdown on TCPA.

[TyrionLannister]

http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

On RISC architectures

[yerricde]

On RISC architectures, each instruction typically takes one cycle and fits in one 16- or 32-bit word. Thus, there's no speed or size difference between mov r4, #0 and xor r4, r4, r4.

The people who don't "get" xor ax, ax at first glance are primarily those whose first assembly language experience was on an architecture such as 6502 that can't do operations between registers and registers, only registers and memory.

Re:On RISC architectures

on RISC archs you don't xor a register
you gave the first register hard-wired to 0 and you do a add %g0,%l0,%l0 (on SPARC)

Re:On RISC architectures

[yerricde]

on RISC archs you don't xor a register

Why wouldn't xor r3, r3, r3 or sub r3, r3, r3 work?

you gave the first register hard-wired to 0

SPARC and MIPS have a hardwired zero register. ARM doesn't. PowerPC apparently doesn't.

"...would Intel/AMD exist?"

[sacrilicious]

On the question of why BIOSes are not open sourced, the interviewee includes this comment:

In an industry driven by innovation, many companies feel they loose competitive advantage by opening their source ... If there was no profit in computing, would Intel and AMD even exist?

There is profit in computing - certainly from the standpoint of hardware manufacturers such as Intel and AMD - specifically because it is not yet possible to mass-duplicate chips and hardware with the ease that software allows. It is possible that if/when chips are duplicatable as easily as software, then Intel and AMD may cease to exist (or undergo radical phase change)... but the consequence of this will not be the cessation of computing for the masses. I took the interviewee's comment to be implying the contrary, namely that the ability to profit is essential to computing. That may be true today due to current technology, but it is not intrinsic and may well change.

.

Re:"...would Intel/AMD exist?"

[geekee]

The cost to buld fabrication facilities is going up, not down.

Re:"...would Intel/AMD exist?"

[stux]

Then the matter-compiler manufacturers would just control the show ;)

It's NOT global identification

[mmol_6453]

He specifically pointed out that it isn't a global identification.

I think the only thing it can identify is what BIOS-and-bootloader combination you're running.

The REAL question is, "so I have an ASUS P5B, and I use LILO. How does that affect the operating system?" (You can use LILO without using Linux or BSD...you might be running OS/2, DOS and x86 OS/X)

Some thoughts as I read though

[John+Sullivan]

Let me start out by reminding the audience I am not a security expert.

Understood - this isn't personal, just a few points which I though were unclear or misstated.

TCPA adds a few elements to this security scheme [...] longer keys (some keys are 160 bits, most are 2048 bits)

I would assume that the 128 and 160-bit keys are keys for some symmetric cipher, and the 2048 bit keys are RSA keys. It is wrong to suggest that key length correlates to strength without taking the algorithm into account, and even then practicality limits the usefulness of longer and longer keys. 128 bits is probably safe enough, and though I'd be happy to use a 160 or 256 bit key in a symmetric cipher, longer than that gets silly: at 128 bits you're already never going to see the key brute forced.

The benefits of 2048 bit RSA keys come not from strength through length, but from the fact that they belong to a different class of algorithm, which allows you to do very different things with them.

This enables the denial of access to data if rogue software, such as a virus, is introduced into a platform, because such introduction necessarily changes the software state of the platform.

I have yet to be convinced that this is true of data in the general sense and malware. All real world software contains bugs, some of which can be exploited to subvert the system. No amount of hardware trickery can stop this being true, the best you can hope for is to contain the spread of corruption by compartmentalizing the system. If you only have one compartment, or only one compartment you really care about, which I suspect will be the case for the majority of systems, then containing malicious code to that compartment provides little benefit. Even if you care about other compartments, the premise of containment assumes no bugs in the boundaries between neighbouring compartments.

In all likelihood you can make things prohibitively difficult for individuals to do something against the policy of the creator of the platform/application, even with their own property, but you can't make the guarantee that the platform is immune from malware.

Can open-source software make use of TCPA? Yes.

This is not necessarily useful. Anyone may well be able to implement TCPA features, just as anyone can implement an SSH client. Without access to the necessary keys, you can still be prevented from accessing particular data or functionality, just as your own SSH client won't allow you to login to any extra servers. With open access to the keys, you've lost any security guarantees that rested on them. This makes the exercise somewhat pointless in many cases.

While somebody could write a DRM application using the TPM, they could also write one without it.

DRM without hardware support can never be secure. At some point the data being protected has to be decrypted, and since the DRM implementation doesn't have the secure platform guarantee the TPM provides, it can't be sure there isn't something out there waiting to extract the data. It's even relatively easy to directly subvert the software, but subverting secure hardware is very much more difficult. This is significant because the R in DRM is not directly tied to law - it can be used to enforce policy that extends beyond the data owner's rights, by restricting rights that the end user does have.

Non-DRM applications can be developed under TCPA. The example I thought of is an improved VPN for companies that are super-paranoid about their data (think about it ... 2048 bit keys, no hash load on the system CPU, ability to tie accessibility to a unique platform).

This can of course be done without TCPA. You could easily push the crypto into the NIC. nCipher make a variety of crypto hardware accelerators for networking, storage and other uses, which don't impact the architecture of the whole of the rest of the system.

Answer me just ONE question:

[NetGyver]

So can you turn TCPA *off* and *on* like a switch, like a jumper, or bios setting? And can you run Windows, Linux, etc. the same way you always did once TCPA bios's becomes the norm? This may sound painfully obvious, but my head's spinning.

One minate I get the feeling that TCPA is on/off switchable (not on the fly of course), then the next minate by what the AMI guy said in his interview, it's really not.

Yes? No? Maybe? Just a simple answer is all i'm really looking for. If it was already said, I apologize, but I missed it.

Re:Answer me just ONE question:

[infolib]

So can you turn TCPA *off* and *on* like a switch, like a jumper, or bios setting? And can you run Windows, Linux, etc. the same way you always did once TCPA bios's becomes the norm?

Yes, you can. The trick is that in a few years no one is going to let you download anything for money, unless the Microsoft-signed Fritz chip on your mobo attests that your system will enforce the limitations they set. Neither will anyone let you do online banking, recieve confidential email or process company documents. Paranoia

This of course means you have to turn TCPA *on*.

It also means you will not be allowed to transfer the MP3 you bought to your portable player without paying extra. (And of course your portable should be "well behaved" as well)

Totally OT, but what the hell... your sig

This has been bugging me for a hell of a long time (not just you, but your sig sent me on a rant...)

YES, I'm a Christian... and a RPG gamer

Who gives a flying fuck if your a Christian? This is a tech/nerd forum. I don't give a damn if you're Christian, Jewish, Muslim, Hindu, Buddhist, Shintoist, Pagan, Animist, Agnostic, Atheist, or [INSERT YOUR FAVORITE BELIEF SYSTEM HERE]. This is a technical discussion, and all I give a damn about is how technically competent you are.

Re:Totally OT, but what the hell... your sig

In Soviet Russia...

...there is only one - COMUNIST!

Question 10 reply

[lanner]

Dear Brian

I was the author of question number 10, "What do you think about Linux BIOS?". Thank you very much for your answers.

You appropriately split up this question into two parts, which was great. Novell is not much of a player anymore, but Microsoft is, and of course you have to support them. But I am happy to hear that you test for BSD and Linux comparability too. My preferences are Debian GNU/Linux, and FreeBSD.

When I think of the possibilities of LinuxBIOS, I think of my Sun SparcSTATION 10 which I have here at home. It was built in 1993, and has an EEPROM BIOS, called the PROM in the Sun world. It uses Forth and has a lot of cool features. Basically, it is a small OS built into the BIOS which allows you to modify settings, boot from CDROM, tape, and other devices, you can configure the network interfaces without booting into the OS, have pretty logos and such, shunt the CLI to a serial port (ding ding ding!), and much much more, all from a little CLI. This computer is ten years old!

Of course, Sun is like Apple -- they don't have all of the crazy hardware that we deal with on the PC platform. This is why the PC had to wait so long to get all of this support.

When I spoke about LinuxBIOS, I did not necessarily mean to imply the GPL licensing. If there was a FreeBSD-BIOS, I would be just as happy. This would allow you to keep the source to yourself. The true utility in my mind is the CLI interface, versus a simple GUI. I am after the utility. BIOS has gotten better over the years, but there are still some things that I desire. This is especially true of serial port control IO, remote power and reset control, diagnostics, and a few other little things. Being able to do a 'cat /proc/pci' would make me dance.

Of course, if this LinuxBIOS or FreeBSD-BIOS ever came into being real, would they have to support booting from Microsoft's operating systems? Absolutely they would. Doing otherwise would be as bad as,... Microsoft.

I appreciate your positive competition attitude!

Take care

Re:Question 10 reply

[user32.ExitWindowsEx]

Given the availability of large FlashROM chips (16 MB and up), wouldn't it be possible to use an OS like QNX as well? You could practically have a true diskless solution then....all in the BIOS.

Robotic hands

[3ryon]

From the article...The first two would be really hard to override in software (unless there's a robotic hand attached to the USB port).

I'm pretty sure that the online pr0n industry is working on this.

So basically....

[JohnnyBigodes]

...it means that TCPA is not DRM "per se", but simply as a tool that enables trusted computing. The problem lies with the fact that this tool can easily be used to implement a DRM scheme. If all the media, programs necessary to play the media (it has already happened with many audio CDs), and etc. all have DRM restrictions which in turn require TPCA to work, then having the option to disable it in the BIOS is not really an option, since all the stuff I'm going to run is mostly likely need it anyway.

Not only DRM-ed media, but DRM-ed applications, utilities, and all sort of stuff will probably rely on the TCPA itself for implementation. This leaves us with two scenarios:

- Use only open-source/non-signed software. This is the very good scenario, given that if a good number of commercial companies follow, then we can keep on working with our computers just the way we did before TCPA or DRM came around. Unfortunately, with all the anti-piracy craziness of late, this doesn't seem to be in any chance of happening, because the first thing software vendors will do when enough people have TCPA-enabled PCs will be digitally signing them and bang, you're dead.

- Use only proprietary, TCPA-signed, DRM-ed media and software. We all know that scenario. All your base are belong to us, Embrance and Extend, You Will Be Assimilated.

So if this gets along, there's nothing that can be done except providing good open-source alternatives to all the current mainstream applications. Unfortunately, that's not enough to cover the "DRM-media" problem, but hopefully if the ghoulish media companies get themselves locked out because nobody wants or needs TCPA, they'll end up playing "our game" and drop this thing in the trash bin where it belongs.

Sorry for the long rant :|

Good points...

[waltc]

Oh, I think Brian's answers were very truthful...have no complaints about his forthrightness.

But you have to admit the logic in all of this gets a little tangled...if it's as unrelated as you say, then why would any software maker think of writing a DRM application that uses TCPA? Apparently Brian thinks it would be possible to integrate if not suborn TCPA into a DRM software application. The idea, as well as its feasibility, has occurred to him and apparently he's concluded that the two are not so dissimilar as to rule out someone writing such a DRM software application. If he thought that I think he would have said so.

I think you missed my point--if TCPA isn't in a bios, and Palladium chips aren't on motherboards--then obviously nobody's going to write software that integrates either one or requires either one, as is currently the case today.

As far as TCPA goes I'm interested in what is meant by an "authenticated" boot. IMO, this could conceivably have several meanings and not strictly refer to the unspoiled state of the kernel.

It's surprising to me, but as detail oriented as you have to be to get things done in this industry, I've friends and acquaintances who really have trouble seeing connections and subtleties that to me, anyway, seem quite obvious. This is like a Pandora's box of sorts because what you start with, regardless of how inoffensive it may seem, and what you end up are likely to be very different things.

(Microsoft has, however, continued DRM support in WMP9, I note, and the fact that WinXP Product Activation is not popular has not dissuaded Microsoft's continued use of it--which they have now spread to a program as innocuous as Plus!. But that's really not the point here....)

You make a very good point, which perhaps you ought to consider a bit more--like you say, DRM is currently possible on existing hardware--just as is SSL (which I think seems to work pretty darn well.) Something like SSL does *not require* DRM or Palladium to function properly.

So whence cometh the need for Palladium, TCPA, and DRM...? (DRM is the obvious one, of course.) IMHO, the others will be used as system foundations for more "advanced" (more invasive) DRM software technology.

I used to laugh at the notions people had when they said that Microsoft wanted to take over the world. In fact, I still find it pretty darn funny. However, with Microsoft pushing technologies like these I do think Microsoft wants to take over my desktop--and yours--and everyone else's. I don't find that to be outlandish at all. Microsoft is pushing to be the traffic cop on my machine and seeking to install software and firmware initiatives so that Microsoft, not me, decides what and when I can run something on my computer. The problem with the whole Digital Rights initiative is that my Constitutional right to the ownership of private property (which I consider my computers to be as well as the software that resides on them) is usurped in favor of the *imagined rights* of corporations to invade my privacy to "help me" remain honest.

So why does an end user "need" TCPA or DRM or Palladium?

Re:Good points...

[doug363]

So why does an end user "need" TCPA or DRM or Palladium?

I don't think that they do. There are reasons for TCPA (but not DRM IMHO) on corporate desktops and servers, which account for a large chunk of computer sales. In these situations, the end user doesn't own the computer, and so the user doesn't have the private property rights that you mention. On the server side, if you're processing lots of encrypted data and doing lots of crypto hashes, having crypto facilities in hardware that can deal with large keys could give a performance and security boost.

TCPA license issue avoided

[teslatug]

The TCPA spec is currently set up as a "just-publish" IP model.

That doesn't mean much. Is it copyrighted? Are there patents realted to it? Could it change later on and become an issue like GIFs, JPEGs, MP3s, etc?

Who controls its future? We (consumers) are not in it just for a couple of months.

Why are BIOSes closed source?

[Mr+Bill]

I can understand AMI's reasons for keep the source to their BIOS closed while it is being developed, and prior to the release of the motherboard in question. But is there any reason why they can't release the source to older BIOS code that applies to equipment that is already outdated and no longer manufactured? Is there a competitive advantage to holding on to outdated technology?

Just wondering...

Who trusts who ?

[EpsCylonB]

12. What do you mean by trust?

The ability to feel confident that the software environment in a platform is operating as expected.


Operating as expected by who ?, the owner of the bios ?.

You are a troll.

You may not know it, but some people really want to watch hollywood movies on their computers.

Idiot. People already watch Hollywood(tm) movies on their computers.

That's what palladium is for, and that's why everything is shifting in that direction.

The crack you're smoking must be real good. The only reason Palladium is coming is because the IP cartels haven't figured out that it's useless for the purposes they've designed.

Moron.

Not likely for a while, at least

MSN, Hotmail, Yahoo, etc will be off-limits to anyone using anything other than windows.

Since MS can't get Hotmail to RUN from Windows, I don't see them requiring it.

For a good laugh, look at the "OS" and "Netblock Owner" columns in the table.

Real Engineers Don't Exist

[MicahEli]

Its been my experience that REAL engineers don't exist. Rather they are born. People who go to college, and THEN start to engineer stuff, become engineers. People who freelance engineer stuff, are NOT considered engineers. Engineers are meerly egotistical, degree driven people with little-to-no world experience with the products that they "engineer". Products made from companies with REAL WORLD engineers, are always higher quality and don't fail. Don't get me wrong, every corporation has its share of DECENT degree empowered engineers. Majority rules, however, giving the idiots all of the power. I've worked in a few engineering departments at a LOT of large corporations over the years. What I have said is true at all of them. I doubt its isolated to my opinion. ---_WHEW_--- Glad I got that out there.. I just saw the word engineer in that article and got a little steamed up. :) Forgive me.

Re:Real Engineers Don't Exist

[SalesEngineer]

Preach on brother!

I can agree that engineers are born, not made. That type of thing seems to run in my family. I'm doing this 'engineering' thing because I love it, not because it looks good on a resume. I saw way too many people wash out of engineering programs because they got into it for the wrong reasons.

BTW, I do have BSEE & MSEE degrees from Clemson. I taught one year as a part-time processor at Devry, and two years of lab at Clemson. I am in the 'sales' end because I happen to be more comfortable traveling and talking to customers than my counterparts (and most of those guys were 'born engineers').

Brian Richardson - AMI

Re:Real Engineers Don't Exist

I taught one year as a part-time processor at Devry,

Brian Richardson - AMI

All along I suspected you were some sort of a souped-up computerized supermarket cash register. Thanks for the confirmation!

(Now where is the human you call when a customer's driver's license needs to be checked?)

Re:Real Engineers Don't Exist

[SalesEngineer]

Bite my shiny metal butt!

/me smacks self in head for not using Preview button

Re:Not quite true

[NigelJohnstone]

This was the question asked by the original man:

"Is it (will it be) possible to use TCPA to effectively lock-out certain operating evironments from various services (software, media, etc) solely because the operating environment is not backed by a company, and has no mechanism for paying certification fees and licenses"

This was my answer:

"The answer to this is yes, if you can't pay the fees, you don't get the certificate, so you're not trusted."

This was your answer to my comment:

"...That means users should be able to self sign certificates just like with OpenSSL, and Redhat or FSF could issue their own certificates if they wanted to use TCPA features....but that just means you can't play RIAA-approved content you downloaded from a future Pressplay-type online service"

So you're confirming my comment? That he's lock out from TCPA content, his exact question. The PR man dodged the question. If you self sign, you have a machine that won't interoperate with any other machine that uses TCPA services.

Stick head in sand and ignore...

[Kjella]

...every question that goes at "what does that mean for us end-users" he basicly goes blank and talks about how their consumers are mobo companies, or refer to specs. I see no reason why the outrage which caused this interview should subside, because it smells foul. Why give a public interview as response to public outrage if you're not going to give any information that is interesting to the public?

Here's my summary: "Yes we know what this will do to you but we don't want to talk about it. We'd even like to pretend we have nothing to do with it." Seriously, everybody that has looked at the specs will realize that it's designed for DRM. So why deny it? They'll blame the mobo makers, and the mobo makers will blame Microsoft, Microsoft will blame it on business (RIAA/MPAA) demand and so on. Whether AMI likes it or not, they're actively pushing DRM to the markedplace. If they want to play stupid, well... I can't say I'm fooled.

Kjella

Re:Not quite true

[NigelJohnstone]

"The opposite is also true, if they wrote it with TPM then it can still be hacked."

I agree, it will still be hacked, but the idea behind this 'trusted' solution is that the machine on the end is verifiable and 'trusted' as being unhackable.

So a hacked DRM system on a non-trusted machine has no purpose because the machine (and hence the object files) couldn't be verified as unhacked and so would be denied the content anyway.

Do you see my point?

Open-source community...

[TheShadow]

It sounds like the open source community needs to get a handle on this technology and make the most of it.

Brian brings up a good point about OpenSSL, GPG, etc... wouldn't it make sense to have those programs detect the existance of the TPM hardware and use it to offload certain functions from the processor?

Also, wouldn't it make sense build "trusted computing" features into Linux... such as being able to setup a file system so you cannot read it if the machine was booted from floppy, or removed from the machine. Sounds like that would be a good way to protect data on a stolen laptop, or on a server that some unauthorized person got their hands on.

My point is that if the open source community continues to shun this technology just because Microsoft/MPAA/RIAA are going to use it to implement DRM, we'll miss out on the good uses of this technology.

Credentials?

[sstamps]

Brian,

Contrary to the subject, I do not intend to question your credentials, but there is no mention of your participation on the Board of Directors in Tech Corps Georgia. It looks like the web page might be in need of a little update.

Just figure I'd point this out and send you a little wave from a fellow Georgian (Canton).

Re:Credentials?

[SalesEngineer]

TCGA recently merged with Free Bytes NP, Inc. (another Georgia non-profit). I've been a Free Bytes volunteer and board member for years.

I'm now a member of the Tech Corps board of directors. We haven't finished the new web page yet. That information will be part of the new page.

And, yes, our website is really in need of an update. We're letting the board member who works at Earthlink handle that.

Yo, cornholio

[jmorris42]

[flame]

Ever heard of Public Key Crypto? If they decide to ignore their prior promises of allowing the end user to load keys it is over. You won't need to crack the keys out of the module, the BIOS will happily SHOW them because they are the Public keys. The software vendors (i.e. M$) will have the Private keys. Think XBox.

[/flame]

Re:Yo, cornholio

[echo]

No, the private key has to be ON the box, unless you HAVE to connect it to a network before it can authenticate.

I'm sure you don't have to connect the XBox to LAN in order to boot it.

Therefore the private key the bootloader was signed with is IN the hardware somewhere.

When someone encrypts something to me using my PGP public key, I must have my private key to decrypt it.

I don't see how it can't have the private key not stored in the hardware somewhere.

Hardware RNG already exists today

[DakotaSandstone]

The Intel Firmware Hub, which contains the BIOS code on current Intel chipsets (the FLASH chip), already has a hardware RNG in it.

I don't think many apps are using this yet. Intel has a FAQ on this technology here, and they even have a Windows driver to support this.

Re:Hardware RNG already exists today

[norton_I]

The linux kernel has supported that as a random source for /dev/[u]random for some time now.

Re:Not quite true

[MrResistor]

"Is it (will it be) possible to use TCPA to effectively lock-out certain operating evironments from various services (software, media, etc) solely because the operating environment is not backed by a company, and has no mechanism for paying certification fees and licenses"

The answer to this is yes, if you can't pay the fees, you don't get the certificate, so you're not trusted.

That has nothing to do with him or AMI or TCPA. Obviously MS could use TCPA with Palladium in such a way that it would lock out anyone not running Windows. Guess what, Red Hat could do the same thing. What part of "TCPA is an open spec" did you not understand?

TPM is just a tool, like a hammer. If I kill someone with a hammer, does the blame go to the hammer? No, the blame goes to me, the one who decided to use the hammer that way.

"While somebody could write a DRM application using the TPM, they could also write one without it. "

If they wrote it without TPM then it would be hacked, so TPM is pretty much a pre-requisite.
So what he said is true, but yet not true.

If they wrote it with TPM it could still be hacked. TPM is just a peice of hardware that is optomized for crypto, it doesn't do anything that can't already be done (albeit a lot slower) in software.

"18. Does the TCPA support open source systems?
Yes. The ability to use the TPM functionality is available to all developers of software"

Sure, if you remove anything the thought police object to.

There are people who can help you with these paranoid delusions you seem to be suffering. I suggest you look into it.

All you need to know

[phorm]

3. They are not fixed functions - it can be disabled permanently.

As also mentioned, how this is controlled (BIOS screen only, jumper, software) is mostly up to the motherboard manufacturer. But really... if it can be turned off, why worry?

You know windows is going the DRM road... you'll probably have to turn it on for Win2005 or whatever, but for the linux users simply having the switch-off feature is key.

If specific options can be switched, even better. I'm particularly interested in the ideas of using it to speed up PGP/MD5/etc processes, or spawning new-and-improved ones.

Re:All you need to know

[geekoid]

What happens when MS pushed hardware manufacture to only let there hardware function if it is enabled?

Re:All you need to know

[phorm]

Huh? You mean MS's hardware... because I haven't heard of any.

As noted, I fully expect future versions of the OS to only work with DRM features enabled on the BIOS, but you could still turn them off for alternate OS's ('nix, 'BSD, etc) and somebody will probably hack the OS to bypass the requirement eventually

Re:All you need to know

[geekee]

Why would you want to switch off a perfectly good key authentication system under linux, unless you don't trust open-source code either?

Re:All you need to know

[phorm]

Not at all... just to speed it up for large keys.

Demands

"Our decision to develop a TCPA option was driven by sufficient demand for the technology." ... hopefully manufacturers will recognize that there's also demand for motherboards without the technology.

Re:Not quite true

[NigelJohnstone]

My comment:

"The answer to this is yes, if you can't pay the fees, you don't get the certificate, so you're not trusted."

Your reply:

"Obviously MS could use TCPA with Palladium in such a way that it would lock out anyone ...TPM is just a tool, like a hammer. If I kill someone with a hammer, does the blame go to the hammer? No, the blame goes to me, the one who decided to use the hammer that way."

A trusted machine is one that conforms to a certification process. You don't define the certification, the remote service requires it of you. So using your metaphor, the hammer that kills someone is not in your control, you just swing it as per instructions.

I wrote:
"If they wrote it without TPM then it would be hacked, so TPM is pretty much a pre-requisite.
So what he said is true, but yet not true."

Your replied:

"If they wrote it with TPM it could still be hacked. TPM is just a peice of hardware that is optomized for crypto, it doesn't do anything that can't already be done (albeit a lot slower) in software."

I can change software, those tiny silicon transitors are a damn site harder. But yes I agree they could do the useful stuff in software - there is no need for this stuff.

I wrote:

"Sure, if you remove anything the thought police object to."

You wrote:

"There are people who can help you with these paranoid delusions you seem to be suffering."

Please read the bills before Congress, particular the "DRM in all devices" bill. To be paranoid I have to *suspect* something that is not true, not *read* something that is true.

OT: Re:Anyone else notice #6?

[CyberKnet]

Quoth the poster:
Thanks for the answer.

Quoth the (AC) replier:
Too bad it was probrably bullshit.

I was one of those moderators. Not everything is a conspiracy.

Re:OT: Re:Anyone else notice #6?

[Roblimo]

Well, you never know. I just found out that a Massachussetts state Rep is trying to make "6" the official Mass. state number.

(http://www.state.ma.us/legis/history/h01304.htm )

Coincidence? Or has Michael used his *Slashdot powers* to make this happen?

If were a conspiracy person whose aluminum foil hat was on crooked, I would certainly wonder about this...

- Robin

Re:OT: Re:Anyone else notice #6?

STFU you stupid fag

Reading between the lines

[jmorris42]

I think Brian said more than he intended perhaps. Notice how he went out of his way to hammer home the fact that WE aren't the customer/user from his/AMI's POV. Now re-read all of the bits about where the 'user' could disable this junk and think about it. Dell being able to disable isn't the same thing as thee and me being able to control this monster.

And why is it that anytime TCM/Palladium come up I have this recurring vision of this being a retelling of Belling the Cat with us in the role of the Cat and the MPAA/RIAA (And of course Disney [grin]) being in the role of the Mice? Except in this dope smoking surreal version one of the mice is an MBA with a minor in Marketing who stands up and says, "No! No! You guys are doing this the hard way. Forget drawing lots to see who will go on the suicide mission to put the bell on the Cat. I will handle it. Whereupon the smart mouse takes the bell and goes and SELLS it to the Cat."

MOV #0 != XOR != SUB

[clem.dickey]

It should be mentioned that, even leaving the effect on IP aside, the three instructions
MOV AX,#0
XOR AX,AX
SUB AX,AX
are not equivalent. MOV leaves the AF bit alone, SUB sets it to a defined value (0, I think in this case), and XOR leaves it undefined. Or don't assembly hackers notice condition bits these days?

Linux needs to implement DRM before MS does...

[marciot]

> Isn't it possible that Computer Manufacturers > could use this so these machines would only
> boot Windows? ... This gives them the power to
> do such a thing....

Yes. But you also have the power not to purchase such a machine. And while it is true that you may be compelled to buy these machines in order to access certain DRM-protected content, you also have a choice not to purchase that content (just as today you can choose not to buy copy protected CDs).

Clearly, everyone is concerned about what happens if all content becomes DRM-protected and unavailable to people that are using open/free systems. I wish people would realize that the best way to kill Palladium is to beat Microsoft to it. I wish there was some efforts under way to implement an Open Source DRM system under Linux, perhaps based on the Ogg Vorbis format. If we had a "trusted" Linux platform, signed by the FSF, for example, I'm sure content creators would take advantage of it to sell music or media under Linux. If this catches on before Palladium does, Microsoft would have a hard time pushing their own closed standard and Linux would have gained the upper-hand in a very big way

Re:OpenBoot standard

[clem.dickey]

Sadly, OpenBoot is no longer an IEEE standard. IEEE 1275 lapsed when no one took the initiative to update it on the required basis. I think you can still buy the manuals; IBM, Apple and Sun still use it; and the other adjectives (flexible, etc.) still apply. But not IEEE standard.

Alphas do not run OpenBIOS!!!

[Starrider]

Have you ever actually *used* an Alpha? One of the best parts of the x86 is the BIOS itself. The x86 bios initializes cards, sets IRQs, and supports tons or boot hardware.

Alphas do NOT use Openboot. Installing linux generally requires SRM, which has very little hardware support. On most Alphas, you cannot boot from an onboard IDE hard device. I own a PC164LX and run RedHat on it. One reason for the lack of device support in linux is because the drivers expect certain things to be done automatically by the bios (for instance, initialization.)

If you want to learn more about the bios, or lack thereof, on an alpha, you can try this link

Re:Alphas do not run OpenBIOS!!!

Have you ever actually *used* openboot? If you had, you'd recognize the x86 BIOS for the steaming pile of shit that it is.

You're right about Alpha, but I beg to differ about SRM. I think it's great, and you CAN configure it and save that configuration. Perhaps you just don't know how to use it?

Re:Alphas do not run OpenBIOS!!!

[Starrider]

SRM is what we use because we have no other choice. Yes you can save a configuration, but it does very little in the way of setting up the system the way most OS's expect (including Linux). It only supports a very small number of video cards made in the last 3 years, and has extremely limited boot options. Oh, lets not forget that we haven't seen major revisions of it (supporting new hardware) in years...

You talk about configuring SRM? Sure, you can set it to autoboot on powerup, set a password, but that is about all you can do with it. SRM is a dinosaur, one that we unfortunately have to deal with for the time being. From your statements, methinks you do not know what you are talking about, and are just a troll.

One at a time...

[waltc]

What exactly do CD keys and registration requirements indicate if not a complete distrust of the end user's good intentions?

Actually, CD keys are *reasonable* and non-invasive steps a software company could and should take with its software. As the software companies are quite aware that a single valid CD key could indeed athenticate scads of bootleg copies, they are in fact trusting the end user to a very great extent, CD key or no.

Take the recent story on Quicken's Turbo Tax program, where Quicken removed your option to print returns on a computer other than the one the software was originally activated on. Do you think maybe Quicken did this because they don't trust you?

No, I think Quicken did this out of a fevered, greed-drenched imagination which caused them to hallucinate losing billions of $ to software piracy. Greed, not trust, is the issue here.

Why would Microsoft do this if they trusted their customers? Hint: they wouldn't.

Ironically, however, Microsoft has no trouble trusting corporations who buy as few as 5 licenses, since they do not have to jump through the product activation hoops at all. I'm sure you knew that. Microsoft simply did this to penalize the small user (who has little clout individually with the company because he doesn't buy thousands of licenses at a time) who has 2-3 machines at home and was installing a single legitimately purchased copy to both machines--and Microsoft wanted to double its money. Greed again (not necessarily intelligence for the long haul.)

Bottom line: software companies do not trust you.

True, no doubt. However it is more an issue of greed than I think it is one of trust. After all, Microsoft got very, very rich before the first copy of Product Activated WinXP was sold (all their "piracy estimates" notwithstanding.)

Don't like this? Buy/support/use software that does not constrain you. That's your option. Boycotting AMI or TCPA-enabled motherboards does not solve the problem; those manufacturers are responding to a demand from software developers and content owners.

What a load...;) There is no reason any bios company has to stop selling its non-TCPA builds. They can sell both, and the idea that they would have "no demand" for non-TCPA formats is ludicrous. After all, who is the ultimate customer of the bios company--hint: it's not the software developers, it's not the content owners--it's the *end users who buy the motherboards.* Was it the "content owners" which influenced bios companies to start making bios versions with all kinds of adjustable parameters, parameters that for years were excluded from the user CMOS interface (ram timings, voltage regulation, etc?) *chuckle* Hardly (snicker)

Companies large and small who forget who their actual cutomer base is will regret it, I predict, because their customers will go elsewhere. There's an old capitalist adage that businesses today would be well-advised to heed: the customer is always right. It would appear that some companies today are so confused they don't even know who their customers actually are--they think the middlemen they sell to are their customers. However, it's the needs and demands of the end user that shape the order of the middlemen companies. If the last guy in the chain loses his business (in this case the motherboard makers) then everybody upriver loses theirs, too. I shouldn't even have to say any of this it's so obvious.

This was great!

[ViceClown]

Brian, you might not see this since Im posting it late and I didn't get to print out and read your answers till a little later in the day. This is one of the best interviews I've read on SD. Thanks so much for the thoughtfull responses and consideration you put into your words. It's a treat for readers to get a feel for a topic from an "insider" of any company. Again, thanks a ton for all the information. I know I found it incredibly enlightening and definitely helped me sort out my facts and opinions on TCPA and Palladium. Great job!!

Only someone who doesn't know what a bios does...

[waltc]

...would ask this question.

First of all, the modern x86 bioses are self-configuring and can be safely ignored if the end user wishes to do so. However, a bios offers *hardware configuration options* that I personally find invaluable and could not imagine doing without. Suppose that I want to adjust the motherboard voltage regulation and raise or lower the voltage the motherboard provides to the cpu, the ram, the AGP bus, I/O--etc? (Whether or not a person thinks this is "necessary" is utterly irrelevant *chuckle* so please don't go off on that silly tangent.) The fact is that these are the kinds of hardware configuration options, among many, many more, which a modern bios provides.

If you don't have a bios you are autoconfigured and the bios is still there--it's just hidden from you completely and you have no control over it whatever. This is progress? I think not.

Ten years ago on an Amiga 3000 I was booting a bios image to ram from hard drive and using the MMU of the 68030 to point the system to it--whoopee-doo--big deal *chuckle* It was maybe marginally quicker to change out the file as opposed to flashing a bios--but the priciple is exactly the same--and the bios is a lot less cumbersome than something like I used with the Amiga (temporarily as I went back to the standard bios after failing to discern a benefit--ram and HD space was very limited in those days--plus I wanted to use the 68030 MMU for other things.) I see no advantage to something like that at all (though I dearly loved my Amigas!)

PCs use a bios still because of the enormous hardware choices available in the x86 marketplace that do not exist for small, closed hardware companies like Apple, for instance. Sometimes it's very nice to go into the the bios and configure a piece of hardware you've installed as opposed to packing up the system and dropping it off at the dealer's and telling him to fix it--just because the system locks the end user out of some of the internals. OpenBoot wouldn't work well at all in the x86 desktop market (I don't think) because you have so very many more hardware choices than these other cpu markets support.

Edited Version

I don't know. I don't care. Everything is fine. You are not the customer. We just do what we are told and so far this is what we have been told to do.

It is an art form to use so many words and say so little. The only way this guy could be a /. reader and COMPLETELY miss the point of of almost every question is that trolling slashdot is in his job description. From the responses so far, he is very good at his job.

I will now selectively quote from one of his responses which I believe may be a tighter summary than even my caustic words.

I can't do anything about the paranoia, but I hear there is a pill for that.

I suggest that AMI pop a few of these because paranoia is the only explanation for dropping marketing dollars on a crowd that by his own answers have no influence on their decision making process.

Why didn't MASM just do it for you?

[iamacat]

It seams a no-brainer that your assembler should change larger, slower instructions to shorter, faster ones when it will not change your code behaviour. I find it amazing that MASM and others actually made you write xor ax, ax or "jmp short l1" or "mov ax, bx" rather than lea ax, [bx] explicitely. I remember a86 actually did some of it, but it wasn't completely compatible with MASM and made you explicetely declare your jmp as forward or backward.

Of course you might need some explicit prefix to say that an instruction shouldn't be touched, say because it's a part of self-modifying code. But for the most part, it's just a laziness on the part of tool developers. Although there was some satisfaction in knowing the tricks and writting better code than other people.

Now the big question is: was MASM written in assembler and did they bootstrap the development process using DEBUG?

Re:Why didn't MASM just do it for you?

[LordNimon]

The later versions of MASM did replace "MOV AX,0" with "XOR AX,AX". You're living in the '80s, dude.

OT: Boot from USB/USB2?

[swb]

Anyone familiar with these as usable features on any current x86 systems? What OSes (yes, including Windows) will support installation and boot off of USB devices?

USB2 might just be fast enough where boot from a USB2 HDD might be a very useful feature. I didn't think that PCs would ever be able to boot off of a non-IDE/SCSI disk (network boots and CD/floppy helper boots notwithstanding).

Re:OT: Boot from USB/USB2?

[SalesEngineer]

I'm not sure where to get a clear list of what motherboards boot to USB/USB2, but it should be a very popular feature this year.

BIOS provides USB boot for DOS by using the INT 13h disk access routines to fool DOS into thinking it's talking to a good'ol fashioned hard disk (the same way that MSCDEX.EXE works).

Any other operating system will support a 'handoff' that's outlined in the USB specification. The BIOS handles the boot loader, then the OS makes a transition from the BIOS USB handler to its own driver.

Windows doesn't support boot to USB right now (they have issues with drive hosting the OS being on a bus that supports 'suprise removal'). I have no idea if Linux supports USB boot (I think it does, but never tried it).

Windows 2000 and higher can be installed from bootable CD on USB (not USB 2.0). Windows XP SP1 can be installed from bootable CD on USB 2.0.

Brian Richardson - AMI

Re:OT: Boot from USB/USB2?

[swb]

Thanks for the info.

It would be quite useful for PC rollouts and imaging to be able to do this, but it sounds like something that won't have a huge impact for that for several years until the HW base and the OS are able to actually do something with it.

AMI uses Bugzilla!!

[JourneymanMereel]

This is a really educational article. Thank-you, Brian, for taking the time to write it. I'm still very frightened by Palladium, but at least I don't feel threatened by TCPA :)

Slightly OT: I also thought it was really cool to see that AMI has an installation of Bugzilla. Brian, do you mind if we list you (AMI) as a company using Bugzilla?

Re:AMI uses Bugzilla!!

[SalesEngineer]

Well, you might be mad because we're using an old version of RedHat Bugzilla (2.7) ... at the time, it was easier to install and the testers liked the interface more (even though I've hacked it quite a bit).

I don't mind if you put it on the page ... it's not like I can deny it after saying it in an interview.

Re:AMI uses Bugzilla!!

[JourneymanMereel]

I thought RedHat forked on version 2.8? That's minor anyway as the point is it's really old :)

Do you use Oracle as the DB backend or MySQL? If it's MySQL, you may wish to look into the latest release (2.16.2) which has all user generated pages being handled by templates (the default look and feel is still what's seen on bugzilla.mozilla.org). If you're using Oracle, you'll have to wait for a while as the cross database compatibility is still being developed.

Did you hack anything other than the interface? I'd recommend upgrading if at all possible, especially if your Bugzilla install is publicly available, as there have been many security holes fixed since the 2.7/2.8 timeframe.

Re:AMI uses Bugzilla!!

[SalesEngineer]

We use MySQL as a backend ... but RedHat Bugzilla uses a slightly different database structure. We forked database structure ourselves a while back to add some new fields. We don't use public access (it's internal only, behind a firewall), so the security concerns aren't as severe. We have looked at moving back to the official Bugzilla, but we have also looked at migrating to other tools (php/MySQL based).

Re: the sig

[Grotus]

The quote is from Animal House. IIRC it was the John Belushi character after their frat house was closed by order of the Dean for various violations.

Re:Only someone who doesn't know what a bios does.

I disagree that vast hardware variety is the reason we need x86-style BIOS in x86 machines. The BIOS does *not* let you configure hardware you plug into your machine beyond what standard OpenFirmware (ieee1275) supports. (What special options suddenly appear in *your* x86 BIOS when you plug in XYZ-super-controller-2000? None appear in mine...)

OpenFirmware supports setting up software boot options, configuring boot devices, setting memory & bus options, etc, etc - if the implementer of your platform's firmware wrote in support. IEEE1275 (or what was formerly ieee1275, I suppose) is merely a framework for that. Some people give lots of options in their implementation with pretty menus - others autoconfigure everything. Part of that framework is that add-on cards are supposed to be *self-configuring* - They contain a ROM of code that is called by the system's OpenFirmware at boot time that provides all sorts of useful information to the system firmware. Thus new devices show up in the system's device tree, and if the device's firmware (again, provided by the card vendor on the card's ROM - this is why many standard PC-style PCI cards won't work in an IBM rs6k without additional code support from IBM or without a new version of the PCI card with an openfirmware rom on it) may support configuration routines that the user can invoke.

In short, openfirmware has less 3rd-party hardware support because it's cheaper (in development costs and manufacturing) to not put an openfirmware rom on every card.

So, why are we stuck with x86-style BIOSes? Most all OSes rely on the bios for initialization. Some still use it after startup "handoff" (*cough* win98 *cough*.) Ditching it ditches support for every PC operating system (initialization only, for the most part - practically every modern x86 BIOS goes *poof* once the OS has started).

This doesn't even begin to address the superset functionality BIOSes give now for things like ACPI - things which OSes sometimes rely on the BIOS to control but probably shouldn't. TCPA is another superset functionality - whether or not you think being able to call the BIOS from OS is a sane architecture at all is another discussion entirely.

(The point someone made about the SRM on alpha is illustrative - an equivalent hack would be required for OS initialization if the PC changed its BIOS.)

that is apples and oranges

[Archfeld]

No system is secure if you have physical access.
Most people have mastered locking their doors, locking their servers is a totally different matter. None of the solutions provided deal with physical access, only logical...

Aren't we missing an obvious use for it ?

[BigJim.fr]

That's actually a cryptography co-processor on those boards. I could use that ! Giga throughput VPNs, keeping whole partitions encrypted, offloading SSL processing... Bring it on as long as we can write software to exploit that stuff !

Now the real question: will developpers actually be able to peruse this piece of hardware as they fancy, or will there be restrictions ? If the dreaded DRM features can be disabled and the extra silicon put to good use with a couple of nice hacks, then I'm all for it.

Think positive ! Turning useless junk into something fun and/or valuable is what hacking is about, not endlessly complaining about the latest MPAA/Microsoft conspiracy.

Maybe SE Linux

Id like to see something like security enhanced linux be further developed with this as a platform, it can then be used for what its meant to be used for.

Answer the questions

[NigelJohnstone]

"and I decided to do what I could to try and separate fact from fiction .... I can't do anything about the paranoia, but I hear there is a pill for that).

Thats nice, but his points were valid, you dodge the questions and continue to do so. Let me pull out the important phrases you dodged:

a) Isn't the goal of "trusted computing" to allow entities other than the owner of the computer to control what the owner does with his/her hardware?

Brian mumbles something about his reading of the TCPA spec and DRM, neither of which were the point of the question. The answer is obvious: "Yes, of course that's the goal. Shut up and eat your BIOS."

b) However, isn't it true that without AMI's trusted BIOS, Palladium wouldn't work?
The reason we keep saying "we're not a part of Palladium" is because Palladium doesn't exist in the marketplace...
This is splitting hairs at best, and another artful dodge. If Palladium were in the marketplace, would AMI be part of it? Of course they would. And right now they're laying the groundwork.

c) In what way does AMI benefit ... from introducing a BIOS designed to make the computer it is installed in less useful to the purchaser of the computer?

Here Brian reinforces that you and I are consumers, not customers - mobo manufacturers are customers, and they get the features they want. This is the way the market works, and I've got no special beef with it, but it's a bit of a wake-up call for those who still believe companies like AMI give a rat's ass about the average geek buying a motherboard.

MODERATORS GO TO HELL

I asked this question when the request for questions first went out and I was left at _0_ even though other people reasonded with interesting comments after me.

This guy asks this question too late (good question, btw :) ) and get's +5? Where the fuck were you when you were modding every DRM-obsessed fool up to "+10000, Horse Isn't Dead Yet" ?

Oops, I forgot about condition flags

[iamacat]

Just realized that xor will modify a bunch of flags like ZF and mov will not. Even add ax, 1 can not be always replaced with inc ax because the later one doesn't modify the carry flag. So I guess assembler would have to look if you have another instruction that overwrites a flag before anything that tests them or a jmp. So eventually, you still need to use the optimized form yourself, because *ASM can not determine all the cases when it's safe. Just curious, what algorithm did the later versions of MASM use?

A very good point, but one threat remains...

[Eric_Cartman_South_P]

...you had a VERY good point on the gaming example.

I would enjoy a "safe-spot" in my PC for things to run clean and safe and where computers can identify me when I want them to (Citibank, EA game servers, etc). But what will happen with this control VERY quickly will be bad enough to negate any and all good aspects.

>Believe it or not, such abusive "features" are unpopular and cause companies that employ them to lose market share.

True... EXCEPT for Microsoft. That's the threat. That's the worry. That is what will - despite my passion for free computing, free information, etc - turn every computer into an X-Box type device in 5-10 years. Don't envy X-Box users. When ALL computing is done on a closed PC, where opening the box will get us arrested, we'll remember the days back on Slashdot when all this was nothing more than wild paranoia.

I remember only a few years ago people joking around about being arrested for swapping songs. "Never gonna happen." was the general response.

Only someone who doesn't know what Openboot is...

... would make such a fool out of himself.

There's no reason that voltages, temp monitoring, and the rest couldn't conform to the Openboot standard. I think Apple makes machines for people who can't cope with serious hardware, but they have an Open Firmware boot console that allows you to query EVERY detail of the system hardwre config without even having an OS installed (without even having a HD installed, really).

Since you need a clue, here it is: Openboot (aka Open Firmware) is a standard by which mainboard, peripheral, and OS developers can all speak the same language to bootstrap the system. One of the central pieces of this system is FCode, a Forth-like system that has, like Java, a sort of virtual machine and a standardized bytecode. Each component in the system that needs to speak to the mainboard to boot is programmed with FCode that the VM on the mainboard executes first off.

Video cards on x86 have actual x86 code in their BIOSes so that the POST can happen (and the VGA BIOS, but that's separate). Openboot makes this possible on a cross-platform basis, hence FCode.

FCode is to the modern x86 BIOS what Linux (or any 32bit OS) is to DOS 3.3 .

Yeah, the real hackers are all laughing at you now.

Well I'm sure others noticed

[angelkey]

That was the biggest whitewash I have read in recent memory. He even made it sound like he was actually addressing concerns. He/AMI are not. Don't buy into this tripe. Just because an interview has to have a disclaimer saying 'this isn't whitewash' taints it. AMI is obviously worried that noone will purchase boards with TCPA/Palladium/DRM and I think a small startup WILL make a bios (likely flashable to any tainted board). We will buy that. Plain and simple. If we don't want something, don't buy it. Capitalism is great for this. Someone else will come along to figure out how to take our money and we get what we want. Consumer's are a powerful force and this is why you see an AMI engineer dispatched to quell growing dissent.

Re:Well I'm sure others noticed

[m1chael]

he is a sales engineer, and i am a dole engineer.

Also werden wir es ausschlachten....

[Trelane]

There's no question that parts of this spec have nice ramifications. When we, the FOSS community, see something in the hardware that's neat or that will provide some new functionality, werden wir es natürlich ausschlachten. But the biggest problem, which does not reassure me nor the rest of the community, and which seems to be hinted to by this apparently glossed-over bit of the TCPA FAQ (http://www.trustedcomputing.org/docs/Website_TCPA %20FAQ_0703021.pdf):

22. How does TCPA relate to the recent Palladium announcement from Microsoft?
Microsoft is a founding member of the TCPA. Detailed Palladium questions should be directed to Microsoft at this time.

That seems to imply to me at least that there's a TCPA<->Palladium link in the background that seems rather sinister. Particularly the reference to MSFT being a "founding member" (although that could be to clearify MSFT's role in TCPA, although that tends to make me (and I'm sure many others) envision TCPA being driven at least to a modest, if not large extent, by the World's most Wealthy and Powerful Monopolist, who has been proven again and again to abuse this position to further its own interests and crush actual and potential competition) and in particular the "directed to Microsoft at this time" bit seems to signal to me that the TCPA is just the hardware component of Palladium, and that TCPA will accomodate Palladium and MSFT (who is doing everything it can to kill Linux and Free Software) when the time is right. Maybe even now, but only the members (or even a subset of them!) know. After all, an API is only as open as is actually revealed.

I would be much more reassured if you were actually an active part of the AMI TCPA contingent, and then also privvy to all of the internal docs. You could then possibly reassure us that we won't be excluded from the fun now or later on down the road.

An additional thorn in my side is this "membership" business. It seems that you have to sign some agreements in order to get more access to TCPA docs, which leads me to wonder that the "open" specification isn't really quite so open, and that we're being left outside in the cold for anything that will potentially hurt us, so that we will go along with it. Once again, an API is only as open as is actually revealed .

What reassurances can you offer?

...What this does to the application environment..

[Slime-dogg]

This type of mechanism doesn't exist in TCPA, and would probably require some sort of support at the chipset level (which means it couldn't be implemented using current northbridge hardware). The total system impact isn't known, and it's any body's guess what this does to application development.

This is what it does:

INVALID PAGE FAULT AT UNKNOWN ADDRESS

This may be unpopular, but there is another vision

[eman1961]

There is another vision to take of this thing. There is a lot of content that is not being released on the web because it is too expensive to produce, and the author / creator must get compensated for their time. Examples of this are first run / highly popular books, such as those on the NY Times best seller list. Such an author would be willing to sell an electronic copy of their work for much less money if they could be assured that the would sell more than one copy.

I can imagine a world where I can buy first run books to read electronically for 50 cents. This would be worth it to me. I am as happy reading a book on my computer as I am reading it in paper - perhaps happier as I can search. It would be worth it to the author. They are compensated for their extraordinary effort in writing the book.

I can see the possibility that 'trusted' computing platforms do give me something that I don't currently have. They give me access to content that simply will not be made available if there is no 'trusted' computing platform.

And, at the same time, nobody's arm is twisted. If you don't want the content, then you don't need to have an implementation of something like Paladium.

What if we could move to a world where *everything* is online. All content is available. Some of it is free, as in free beer and etc. Some of it is not free, and it is within the rights of the author to decide which category he wants to place his content.

Actually, in my opinion, this *is* going to happen, whether I want it or not, or whether anyone else wants it or not.

I see a lot of posts on /. that advocate that all information should be free. Some idiot even said "why should someone own the intellectual property rights to something just because they created it."

This is just like someone saying, "Why should you be able to mold your children's values in the direction that you choose, just because you *created* them."

My point is that if I create some intellectual property, I get to decide what to do with it, not you or anybody else on the web, and Paladium helps. And at the same time, it will make it far easier for me to release my content to a much vaster audience. And I believe that there will be much more content available to me post-Paladium.

All right, you're a *hired* weasel

Fine, your job benefits don't include cigars. You're not living in fat city, and if you had answered the questions honestly, you'd probably lose your job.

That still doesn't make it right. If you're speaking for AMI, it reflects poorly on them for sending you here to give dishonest answers; if you're speaking for yourself, it reflects poorly on you.

I've never red the spec

[Rysc]

But from how he fails to describe it, it sounds as if this is a "Let's make crypto faster and more integral by having a dedicated, onboard hardware encryption module to replace all the thousands of possibly-not-as-good software versions."

That sounds like a decent idea to me, as long as it doesn't uniquely identify me and doesn't allow an application to circumvent my control.

Makes Better Sense Now

[NetGyver]

That cleared it up pretty much. My basic gut feeling about this was right after all. Customers have a choice (TCPA on/off) but it won't matter because if this thing catches on (which obviously shit's starting to roll down hill now) you evenually be forced to keep it *on* in order to do anything on your PC. Lovely. How about older hardware? If my gut feeling is true, the TCPA enabled apps will probably detect prior-to-TCPA mobo's as *off*.

The bible reference is quite fitting, I had a hunch it was REV 13:17. In any case, thanks for the clarification, now i know who's side i'm on. :)

Re:Makes Better Sense Now

[infolib]

If my gut feeling is true, the TCPA enabled apps will probably detect prior-to-TCPA mobo's as *off*.

Yes, of course. From the FAQ:

Once the machine is in this state, Fritz can certify it to third parties: for example, he will do an authentication protocol with Disney to prove that his machine is a suitable recipient of `Snow White'. This will mean certifying that the PC is currently running an authorised application program - MediaPlayer, DisneyPlayer, whatever. The Disney server then sends encrypted data, with a key that Fritz will use to unseal it.

If you have no Fritz on your Mobo you can't certify with Disney. (Remember that Fritz needs to authenticate with Disney using a secret key buried somewhere deep down in the silicon)

Re:Only someone who doesn't know what a bios does.

[Greger47]

OpenFirmware supports setting up software boot options, configuring boot devices, setting memory & bus options, etc, etc - if the implementer of your platform's firmware wrote in support. IEEE1275 (or what was formerly ieee1275, I suppose) is merely a framework for that. Some people give lots of options in their implementation with pretty menus - others autoconfigure everything. Part of that framework is that add-on cards are supposed to be *self-configuring* - They contain a ROM of code that is called by the system's OpenFirmware at boot time that provides all sorts of useful information to the system firmware. Thus new devices show up in the system's device tree, and if the device's firmware (again, provided by the card vendor on the card's ROM - this is why many standard PC-style PCI cards won't work in an IBM rs6k without additional code support from IBM or without a new version of the PCI card with an openfirmware rom on it) may support configuration routines that the user can invoke.

Oh, so that ROM code included on all PCI cards that plugs right into the x86 BIOS framwork and gives you extra configuration menus and boot possibilities on everything from NICs to RAID controllers doesn't count?

OpenFirmware doesn't solve your problem, there's no chanse in hell PCI card vendors will include the necessary code compiled for each and every CPU arch on earth.

This doesn't even begin to address the superset functionality BIOSes give now for things like ACPI - things which OSes sometimes rely on the BIOS to control but probably shouldn't.

ACPI is exactly what you want, it specifies a virtual machine and the pheripal ROM contains code compiled for this machine. Think Java in a BIOS. Unfortunatley ACPI today leaves a lot to be wished for but I bet that by version 3.0...

Let X = X

[Wraithlyn]

"The only way you let technology take control of you is if you let it."

Um, that's pretty profound there Brian. Similar to saying the only way I type this message is if I type it.

And when did we start talking about technology controlling us? The fact that you made that jump is revealing in itself. This is about who controls our technology. And how our control is in the process of being undermined and eroded by new "trust" initiatives, whether it is welcome or not.

Look I appreciate the time you spent answering the interview, it's obvious you put a lot of work and thought behind it, nobody is saying otherwise. But you DID evade some sticky questions, and you're doing it now. And don't shovel us that line about how you're not a security expert. These questions are ethical and philosophical in shape. They're about copyright regimes stripping us of technological freedom and empowerment. As a fellow member of the human species (salespeople excepted joke omitted), do you have a raw, honest opinion on that? Or do you just take your paycheck and not think about where this is going? (I say IS going, not COULD go. The parties behind this have goals. Profit by means of as much control as possible.)

Re:Let X = X

[SalesEngineer]

I mistyped ... I think the more appropriate statement is "The only way technology controls you is if you let it".

You've got two themes in your statement ... one is how entities attempt to control how you use technology, the other is who to hold accountable for the undesirable application of technology.

I: Business organizations that provide software and media content want to protect their product. By "protect", I mean they want to deliver product to paying customers and prevent people who don't pay for that product from using it. Crackers, warez sites and p2p programs give these companies a good reason to explore security products.

The point is ... these "copyright holders" only care about preventing non-paying users from using their product. They care about controlling their product, not your personal data. The fact that many of these "copyright holders" act like asshats in the way they attempt to implement these controls doesn't mean they don't have a right to stop people who don't pay from using their products.

So how does using a security product to stop a wannabe cracker from pirating software differ from using a security product to prevent the same wannabe cracker from reading your e-mail? The assumption that content protection only works one way sounds to me like people saying they don't have control over the technology they use ... and I think that's bull.

II: If you're pressed for time, I'll sum up my feelings in one sentence: I honestly believe that ethical & moral issues of technology application fall to it's final use, not it's initial development.

If you have more time, read on ...

Do I think about where technology is going ... yes, all the time. I think about the fact that the technology I work on goes into passenger airplanes, server farms and people's homes. I also think about the fact that it goes into tanks and computers that simulate missile targeting systems.

The difference between the "consumer" and "military" applications isn't in the technology, but it's application. That applies as much to TCPA as anything else.

Think about this: Let's say weapons inspectors in Iraq raid a lab and discover nuclear weapons development. They start to go through the computers and find that they all run Debian Linux, setup in Beowulf clusters. The documentation of the development is done in OpenOffice, GPG was used to send coded e-mails to equipment dealers, and GNU Octave is used for all of the simulations.

Did the developers of these open-source programs consider the fact that their programs would be used to create weapons? Would they have stopped development? Are they responsible for the weapons created because they created tools used in their development?

Re:Use TPM for [things other than security]?

[hobo2k]

It was mentioned that the chip would be designed specifically for those functions, not a general processor. So you couldn't use it to decode mpeg for instance.

But it did include random number generation which is used in many areas of computing not just security (games, simulators, whatever).

Re:Only someone who doesn't know what a bios does.

OpenFirmware doesn't solve your problem, there's no chanse in hell PCI card vendors will include the necessary code compiled for each and every CPU arch on earth.

They don't have to. OpenFirmware is written in FCode, which is like Forth, which was heavily influential in the development of Java. One of the things Forth provides is write once, run anywhere (for real this time). Openboot devices have interfaces in Fcode and the bios can talk to them. It is stable and mature and has been used in production machines for over a decade. ACPI is reinventing the wheel poorly. 'Java in a BIOS' already exists. Please do your research first.

I like to hear the straight poop...

Even if this is not a direct sales pitch, I am glad to hear a company rep talking straight instead of quoting sales liturature.

Even if the AMI doesn't open source their product, it is almost as good to have straight answers about the industry and why they won't do it. Open answers are the next best thing to open-source.

Re:Not quite true

[Genyin]

How could you do that?

Okay, I'll admit that you could have some sort of future disc hardware that might refuse to run without TCPA, but that wouldn't be a cd-rom or a dvd, in any case.

A new disk format could be created that demands TCPA support in the backend and only sends if it trusts your system, but unless the entire format of the disc were unknown, it would still be possible to create a disc reader that doesn't require TCPA that outputs the encrypted version.

the point being, it's not that simple. (and probably not worth doing, unless the encryption sucks, at which point there isn't that much point in using it in the first place)

SUB as clear

[Brother52]

The XOR trick is classic, but the SUB instruction does exactly the same, though is much less used.

I loved to use it in my 8086 assembly and watch how it gives people reading my code a pause ;)

this sucks

[nightherper]

I feel like there is grey matter leaking out my fucking ear right now. I tried to understand wtf is going with this but I am still clueless.

I'm scared. I don't want a Microsoft Computer. If I paid for it, it's mine and I can run any fucking software I want. Linux, Viruses (virii? whatever), porndialers, worms, Fucking Free Software that I don't have to pay Microsoft for.
I don't want Microsoft telling me what I can and cannot do with something I own. I used to chat on their IRC servers and saw how they treated users. It was a daily thing to dump everyone off just to see what would happen. I could see this: "BSOD: Microsoft has halted your computer's operation to see what would happen, please reboot to continue..."

If that is what is coming, I hope some group gets together and continues to make real computer parts. Of course it will probably be illegal by then.

Someone please post a real scenario of what things might be like with this stuff enabled...

Re:Not quite true

[MrResistor]

A trusted machine is one that conforms to a certification process. You don't define the certification, the remote service requires it of you. So using your metaphor, the hammer that kills someone is not in your control, you just swing it as per instructions.

The point of my metaphor is that TPM is just a tool, like a hammer. It has beneficial uses and harmful uses, and which use it is put to is not up to the tool. In the event the TPM is used to lock out certain OSs it makes no sense to blame TPM or even TCPA, the blame rests squarly on the issuer of the certificate. Most likely that would be MS, but it could just as easily be RH as I attempted to point out.

I can change software, those tiny silicon transitors are a damn site harder. But yes I agree they could do the useful stuff in software - there is no need for this stuff.

You're right, there isn't strictly a need for this. However, it would be really useful to me if I could put really strong crypto (say 2048 bit) on an ssh connection to a server I'm responsible for without bringing that server, or my home computer, to it's knees processing the encryption algorythms. It would also be really nice if there were a way to limit what machines my server would accept connections from specific remote machines. Since I can't do that currently, I err on the side of caution and leave no possibility for remote administartion.

Please read the bills before Congress, particular the "DRM in all devices" bill. To be paranoid I have to *suspect* something that is not true, not *read* something that is true.

There are no bills before Congress. Congress is not currently in session, and any bills which were undecided upon at the close of the last session are now gone, and will have to be reintroduced to the next session, which is unlikely considering the backlash against the Hollings bill, the fact that Hollings is no longer in the same position of power he was in which would have enabled him to push the bill through comittee, and the fact that the RIAA has stated that it no longer seeks such legislation.Based on that evidence I think it's quite reasonable to say that the threat no longer exists, therefore you are paranoid.

That said, though, the statement that was in response to had nothing to do with DRM.

Re:Let X = X mod the parent up

[Vesuvius_2]

good point wraithlyn

MOD PARENT UP!

enoof sayd

riiiight

[MortisUmbra]

(yes, the obvious joke is "boot speed doesn't matter when you don't have to reboot so often" ... but I'm taking the high road)

OOOOOOH....Damn I forgot, you gotta reboot windows every other day right?

Hmmm let see, last time I rebooted my PC was....Oct. 28th 2002, because I had to take it to a LAN party. Before that it had been up a month before I upgraded the video drivers. And I routinely do everything from browsing, to photoshop, to Maya Unlimited, to 3DSMAX, to Dreamweaver and more. Take the high road indeed.

Thanks Brian

[kien]

I might've missed it, but I didn't notice anyone thanking you for submitting yourself to the scrutiny of the /. community.

I happen to live in your neck of the woods and lunch is on me whenever and wherever you prefer. Just msg me from my profile if you're interested.

That being said, and acknowledging your statement that you're not a TCPA advocate, please forward this statement to your leadership: I did not ask for TCPA. I know that I'm not one of your big customers, but that fact is irrelevant to me. From a purely risk-assessment point-of-view, I'm much more comfortable accepting the possibility of a million crazed virus authors versus the alternative: allowing a conglomeration of companies to control the future of computing innovation. I can fight the authors of computer viruses on the technological common ground that is the PC today. I cannot afford to fight teams of lawyers from large companies tomorrow. Maybe once we get the DMCA (and its worldwide equivalents) repealed, TCPA can be re-addressed. Until then, given today's frenzy of litigation...it's just too risky a prospect for me to consider.

Again, thanks for taking the time to explain your company's involvement with TCPA and for answering our questions. More companies need people like you to address the "masses".

--K.

I have a different question regarding the encrypti

[waspleg]

on by the onboard TPM

what happens when the power goes out in the middle of a hash?

Not really

[bwoodring]

actually I thought his replies were excellent. You on the other hand, are a god damned imbecile.

Hmmm...

[sootman]

I personally like the idea of open-source, and I use a lot of open-source programs at home and work... But I also buy and use regular closed-source programs... The choice isn't whether or not the source is accessible, but if the tool fits my needs. [emphasis added]

Who is this freak of nature and how the hell did he wind up on slashdot? ;-) Seriously, great piece. A lot was over my head, but what I understood was very good. Thanks!

Monopolies at work.

[Xife]

AMI customers are motherboard manufactures.

MB manufacture clients are system developers.

System developers are companies like Dell and HP.

Dell and HP have to choose MSFT to achieve repsectable sales numbers, hence they ignore the consumer and listen to the MSFT monopoly. I do not blame AMI for wanting to stay in business.

One problem with performance -
Bios will likely run at the motherboard clock speed, which is usually a lot closer to 133MHz than 2.0 GHz. Even custom hardware will have a tough time making up this difference. Hence, won't a dedicated Bios processor still be slower than a processor based solution.

Way, way, way, way OT [OT]

[fredrik70]

Sometimes you're just humble.
I might bith and moan about slashdot every now and then, but stories like this makes me realise why I end up reading slashdot pretty much every day. Cudos to all of you keeping slashdot up, and that includes the people in the forum as well.
yeah I'm drunk and it's over 6 o'clock here in the UK. but I just wanted to give some credit back to the people here. cheers...

Know what would be funny?

[josh+crawley]

If cheap Quantum Computing was created by the end of TCPA-installation of machines..

Would quantum computers be against the DMCA? After all, they just brute force the key (just all at once, heh ;-)

MOV has another advantage

[zenyu]

xor ax, ax

depends on the value of ax... this may seem silly since it's going to be zero, but with a superscalar architectures it can mean a stalled pipe waiting for ax to be set before you clear it. For speed optimized code which one to use depends on the surrounding instuctions. For a BIOS stored in potentially slow memory and then only 64KB or 128KB of it xor always makes sense, but gcc -O3 should probably use mov.. The difference between xor and sub is like one flag in this case (both are two bytes.) I'd go with the xor because it's a simpler instruction and probably consumes some part of a nanoWatt less energy. But may in fact not be the case, and it hasn't ever been high enough on my list of todo's to measure.

RIAA and content

[d2k297]

Forget about TCPA for a second. I bought a decent voice-recorder for CAD 150 a few days ago. It can capture output from my PC speakers reasonably well. Let the RIAA go broke paying for MS's Palladium, v can still get our music if aren't too finicky. I know 3D effects r cool but let us await voice-recorders which can better capture sound. I think the demand for voice-recorders is high enough for someone to bring out recorders with capabilities comparable to studio-equipment.

Ami WinBios?

Hey, does anyone know if AMI still has that stupid 'windows lookalike' bios setup?

I've avoided any motherboard using AMI Bioses ever since the day I bought a 486 that had a "WinBios".

Re:Not quite true

[Alsee]

self sign certificates

Self sign certificates are useless for interoperating with other systems. Either you turn over full control to the primary certificate authority or you get completely locked out. Microsoft *is* going to be the 800-pound gorilla certificate authority.

Try this on for size - websites are COPYRIGHTED CONTENT. Copyrighted text. Copyrighted images. Copyrighted audio. Copyrighted video. Now imagine Internet Explorer supports protected web content. And imagine various websites protect thier content. Anyone running Microsoft signed software can access the entire internet. Anyone NOT running Microsoft signed software can only access part of the internet. And Microsoft can come up with a variety of ways to pressure everyone to move inside the protected zone. It would take several years, but it certainly is conceivable.

-

A tool for BOFH

This interview was quite interesting and cleared up some points. So what it (TCPA) seems to be is
an hardware ssl like, with the possibility given to the user to manage the certificates.
The usefullness of such a thing would be:

- restriction on users liberties (very efficient) with two applications that jumps to mind:
* DRM of course
* Use by system operators to prevent users from running the latest "play at work place" featuring the newest (and of course worst) trojan... I'm pretty sure all the BOFHs out there would love it ;) (for those who still don't know about the BOFH read it here [http://bofh.ntk.net])

This could look like:
"
user: I can't log in my computer
bofh: (look at the excuse of the day) That's because you aren't registred by [insert some Redmond based software company]
[silence]
user: And is there something I can do to get myself registred? (note: woah this actually looks like some response of the emacs psychiatrist)
bofh (smiling gently): Sure! You have to go to Redmond for user identification.It's a bit like a medical check, but more thorough. Be sure to bring them a nice urine sample, they use it for DNA.
user: Do i need something special?
bofh (kindness radiating from his face): no, just hand the urine sample to the hostess and she will understand.
user: Ok I understand! Thank you so much!
bofh: No problem. Oh btw, I forgot to tell you that's this procedure is kinda secret, so don't mention me, just pretend you knew it was the right thing to do!
user: Ok, I'll remember it, rest assured!
"

- speeding encryption. This could be great: it could generalize secured transfers. However I'm not quite sure that WE need such a level of protection. Further more I can't see how this could possibly make governments happy! How would they be able to take a look at 2048 bits encrypted data?!

To conclude: the claim that the owner will be able to manage the keys is FALSE (or will be)!
This way, all adds up nicely, but not for us!
btw: note the distinction between "owner" and "user", which are WE?!

Re:Not quite true

[OeLeWaPpErKe]

You cannot change the root certificate in your system. You most defineately cannot pick who you trust with tcpa. You cannot, for example "trust" yourself (which is the whole point of tcpa of course).

Re:He are the sly person

[ Is, I read the whole interview, with even some links. ]

One half thrust force these questions are: "What does TCPA seem provides the advantage only tells me to these hopes my canned food and is not possible to do with mine computer. Is this is real? If is not, is what in it is I? If it are real, how can you sleep in evening?"

I think Michael's question is most in the spot, and what I most do want to know I (there, I reach an agreement the matter about him :). The Brian complete sexual intercourse dodges each only their in the middle one.

a) What this owner isn't goal "computation" which trusts is allowed the individual differently to to control to the computer owner does with his / hers hardware?

Brian ambiguously said something about the TCPA stored routine education computer and DRM his study, two all is not this question spot. This answer is obvious: "Is, certainly is this goal. The closure and eats your biology live element."

b) However, is not it is real, biology live element which trusts, does not have the operation?

We continue reason "which said we are not partial " is because does not exist in this market...

This fission hair is best, slyly dodges with other. If is in this market, is partial it? Certainly their meeting. And they now eliminate the foundation.

c) What way... it is with beneficially installed from the introduction to in comparatively not usefully does to the computer purchaser's biology live element design the computer?

Here Brian strengthens, you and I are the consumer, is not the customer - mobo manufacturer is the customer, and they obtain the characteristic they want. This is this market operation way, and I do not have the special beef with it, but it were one to these awaken the call still believe the company likely awarded the mouse the donkey buys the motherboard about general geek.

If I sound to be harsh it are because I urinate. The TCPA goal is transparent, and the person or is trying to pull the wool in ours eye or incompetent Brian. The supposition he pass randomly chop this kind of material are the life, has "with the now sells" in his title, I suggest front.

Big medium nad big software chortling in glee when they look their plan is "computation" which trusts is been mature. MPAA wants to turn yours computer the television, and is only to the happy help.

Only someone who doesn't know what OF does...

[SmittyTheBold]

...would answer this way.

You confuse the mechanism with the functionality. Yes, a BIOS lets you set myriad options. None of those options are specific to a BIOS.

True, Apple doesn't really pack their OF implementations with features, but it suits the way a Macintosh is used. If you get into it, you will see that OF is actually remarkably flexible and powerful. For a really good example, get into the firmware on a Sun machine. Look at the things you can do with the SCSI cards. Note the extensive diagnostics for the network controllers. If Sun wanted to (indeed, if Sun users wanted the ability to) you can bet controls for voltages and the like would be there as well.

PCs use a bios still because of the enormous hardware choices available in the x86 marketplace that do not exist for small, closed hardware companies like Apple, for instance.

Not true at all. PCs use a BIOS because it provides all the bacwards compatibility the DOS (and now Windows) market demands. In fact, Open Firmware provides mechanisms so that devices can extend the functionality. If you insert a new card, it provides new abilitis related to the card in the firmware. The closest a PC BIOS gets to that is multiple independent BIOSes, like you see when you have a bootable SCSI controller, NIC, or the like installed.

The BIOS is very much like the x86 architecture. It's still here because it's the product of very gradual change. It is layer upon layer of compatibility, with advanced functions tacked on one at a time. Open Firmware, on the other hand, is relatively new. The group that designed it created it to be open and expandable, while the groups that designed the BIOS wanted to run DOS as well as the IBM PCs they were cloning, nothing more.

Re:Only someone who doesn't know what a bios does.

[SmittyTheBold]

I was goign to yell at you, but I see it's already been done. Oh well, might as well re-iterate.

Oh, so that ROM code included on all PCI cards that plugs right into the x86 BIOS framwork and gives you extra configuration menus and boot possibilities on everything from NICs to RAID controllers doesn't count?

By "plugs right into" do you mean "runs separately?" If not, well that's what you should have said. Your main motherboard BIOS has a boot option that allows other devices to take control of the boot process, but it's far short of a plug-in arch.

OpenFirmware doesn't solve your problem, there's no chanse in hell PCI card vendors will include the necessary code compiled for each and every CPU arch on earth.

Oh, but it does. It uses an interpreted language for everything, so it's platform-agnostic. It's rather powerful and flexible, as well. I have seen (not used, mind you, I didn't have the machine to run it) a version of Pong written in Forth code that you could run on a few specific Mac models. It was a product of MacHack, probably six years ago or so. You got it into the Mac by connecting a serial cable to the Mac, then entering a spefic command into the firmware that told it to read an incoming program off the serial lines. (Oh, what those geeks think of.)

ACPI is exactly what you want, it specifies a virtual machine and the pheripal ROM contains code compiled for this machine. Think Java in a BIOS. Unfortunatley ACPI today leaves a lot to be wished for but I bet that by version 3.0...

Okay, something sucks now, but I'm sure that by the time they work on it more it'll suck less. That's not the way clean interfaces get made. Look a little more into Open Firmware, and understand that it does pretty much everything now that you think ACPI will do eventually.

Sorry, but TCPA AMI BIOS is all MS needs

[Lours]

The AMI's Brian Richardson interview is somewhat informative but unfortunately it doesn't go very deep on the technical side of the TCPA/Palladium debate.
How are we supposed to determine that a technical specification (TCPA is nothing more than that after all, it's its uses which are potentially negatives) can lead to abuses (Microsoft's or vendor's ones) if we don't get a detailed explanation of how works.

We would need to know how this crypto-chip interacts with the BIOS first, then the booted OS, then all software running under that OS in order to know if it can be used to deprive us of our liberty.

From what I've read on slashdot about the TCPA until now (but I may have read too fast) this point was not talked about and the interview while informative on some points fails to fill that hole (the TCPA FAQ Brian pointed to is not informative, nor are the TCPA specs I read). It could be intentional or not but - as some have mentionned it - vague answers have been replied to questions that might have lead to such detailed explanation of the working of the TCPA chip/bios system. I hope however that Brian Richardson will be given the possibility to correct this omission (more at the bottom).

Anyway, even without knowing how the whole thing runs we can make a few simple technical assumptions and see what consequences they would have on the user's liberty. Getting a clear answer on TCPA's risks would just be a matter of asking which assumptions are right or wrong to guys such as Brian R.

Let's imagine the boot process of a TCPA BIOS with TCPA enabled :

The chip is basically used to secure the boot process, ie its goal is to verify that essential boot code was not compromised beetween consecutive reboots. For this purpose, it must be the first chip on the mother board to boot. Then the only thing it has to do is check the BIOS signature and verify that it matches the private key (which the chip keeps hidden in its own externally-unnaccessible backup memory).

If the BIOS signature does not match then the chip would inform the user via an audio or visual message.

Whether the user chooses to continue the boot process or investigate further the cause of his BIOS "corruption" is up to him and does not interest us anymore : he has been warned that his system was compromised.

If the BIOS signature matches, then the user knows he can trust the BIOS to correctly load the boot loader. From there the BIOS would now send a message to the crypto-chip saying "take a rest now, i'll call you when needed", it would load the boot-loader and check its signature using the crypto chip.

Once the boot loader sig has been verified and can thus be trusted, the BIOS launches it.

From that point I guess there's no more need to detail the booting chain as most of you will get the point : the trusted boot-loader loads the OS kernel, uses the chip to check its sig, and so on.

When the OS has finally loaded, the user is fully sure that its system was not compromised in any way, if the OS (be it Linux or Windows, this is not relevant) or the software running on it need to check some important data integrity, they will just have to load it and ask the chip to check it for them.

This all leads to what we can call without fear in the common-man (ie not security expert one) sense to a really trusted computer : a computer which can be trusted by its owner to have all its critical (or not) data integrity guaranteed.

No one outside can change any part of the system or user data without the user being informed of it.

At this point, this looks rather helpful : user gets data integrity for the cost of a probably quite cheap chip (sorry) and everyone's happy.

With this system, windows can of course encrypt sensitive data which nobody will be able to decrypt from another OS (on the same machine)... unless this OS is able to use the TCPA chip, which means that anyone using a TCPA enabled Linux (always fully open source which guarantees nothing's hidden to us) will be able to decrypt the windows kernel, windows software, disassemble them and remove eventual protection.

User : "So where's does the monster hide ?"

To find it we must be able to locate what technically makes this system really "secure" (from the user's point of view) and it's quite easy : windows/linux can be trusted because they rely on a lauching stage which is itself considered trusted, which itself relies on a previous trusted stage and so on... until... the BIOS itself which is the first stage of the booting process :

The system is secure if and only because the BIOS is.

Which means that the BIOS is the most crucial security element of the whole TCPA system (and I can't believe that Brian Richardson as an engineer is not aware of this) : whoever can become a friend of the BIOS will have full access to every single unencrypted byte stored on the machine whether Bill Gates wants it or not.

User : "Well, I'm confused. Are you saying there's no monster ?"

Let's continue :

Imagine a user with a TCPA aware windows, we're not talking Palladium (at least not yet) : this is just a windows version able to use the crypto chip to ensure the user can trust all its data.

Now imagine that this user wants to install a TCPA aware Linux on his machine. As we saw before, to do so he must be a friend of the BIOS if he wants to modify the boot loader.

User : "Ok, so how do I become a friend of the BIOS ?"

It's easy to imagine that to access the BIOS settings one will have to enter a password known only to the TCPA chip : when you press DEL at boot, the BIOS prompts for the password, sends it to the TCPA chip which replies "valid" or "invalid" (with a few seconds delay to ensure that brute force attempts will be worthless). If the password is valid the BIOS considers you a friend and user has full access again to every single byte of its machine and can install whatever OS he likes, be it TCPA enabled or not.

User : "Ok, but no monster still ???"

But... imagine that your machine came with Windows installed.

User : "Well, I still get to enter the password so I can still install TCPA/Linux no ?"

Well, perhaps, but imagine there is no password.

Imagine that the only thing you can do is format your whole harddrive and reinstall only manufacturer-signed OSes.

That the BIOS does not allow you to install another OS, using the SAME private key which was used to install windows.

Do you get it now ?

I actually think that Brian Richardson might not have been very honest when answering the question regarding accessibility of data from open source OSes (TCPA enabled or not).

Answering that TCPA could be disabled is not a valid answer, the BIOS might let you install a non TCPA OS providing it allows you access only to hard drive partitions unused by windows but this OS still won't be to read windows data : you won't be able to read data you downloaded from windows if windows encrypts it (and be sure it will !).

The only monster present here lies in the very BIOS AMI and Brian R. try to present as innocuous, if the BIOS does not allow the user to share the same private keys beetween different OSes then it is clear that the Palladium system is just a smoke screen deployed by Microsoft in order to let time for all users to switch to TCPA BIOSes. Once most users will use such BIOSes there will be no need for a palladium chip or any other kind of Microsoft/Intel hardware : a TCPA enabled version of windows able to tell the chip "here's the new key, never share it with anyone but me" is all Bill needs to ensnare everyone.

There's no need either for curtain memory or anything else as long as this windows version only allows signed executables to be run...

So Brian, what have you got to say at that point ?

Now that it is clear that what is what *you* (and others) at AMI and not Microsoft will choose to implement will determine whether Bill will be king or not, are you going to tell us a bit more about the interaction beetween the AMI TCPA BIOS and the TCPA chip or are you still going to be very vague on that point ?

And please don't point on the quite vague TCPA FAQ or whitepaper. Tell us simply this : will multiple OSes be allowed to share the same key and what will be the procedures to become a BIOS friend ?

I guess everyone here at /. is eager to have your point on those.

Well this post is quite long enough, but I'll take the time to add another thing about ethics and trade.

Despite what Brian said, what we do with technology is not just a matter of consumers/vendors relation, the economic world does not (should not at least) rule over the civical one, it's the contrary which is (should be) true.

Did you ever ask yourself why it's not allowed to kill someone for money ? That might be beneficial for the economy if it was, but humans don't want to live in such a society so they make laws to restrict what the economic agents are allowed to do.

And as citizens of so-called civilized countries it is our duty to refuse to build/make tools whose intent is to gain power over other citizens and to make other citizens aware of such issues.

To this respect Brian I think that you might be a good sales engineer, but you might also be a quite bad human being depending on what you choose to do or sell.

so in 6 years...

[macrostiff]

A PeeCee will be an appliance and a computer will run ...ix There will be enough demand for both...

Interesting...

[M.C.+Hampster]

The TCPA website is deceptive. It's propaganda. Re-read sections 7 through 14 of their FAQ and keep the following translation table in mind

Interesting. So if I substitute your words into their words, it all sounds very scary and is now propaganda. You've convinced me.

Here, let me try that with your post. Here, let's read the following sentence you wrote:

As for privacy (section 13), they play an amusing word game.

But keep the following translation table in mind:

privacy (section 13) > my sexual desires
they > I
an amusing word game > with myself while looking at pictures of dogs

By keeping my translation table in mind, I can make you into a pervert! Hey, this is fun!

You and AMI have NO Inegrity

[babylon93]

"Option B is an obvious downer, because customers give us money. Money can be exchanged for goods and services, like food ... and I find food to be an important part of a nutritious breakfast."

Fucking Whore

MONEY money MONEY money MONEY money MONEY money
MONEY money MONEY money MONEY money MONEY money
MONEY money MONEY money MONEY money MONEY money
MONEY money MONEY money MONEY money MONEY money
MONEY money MONEY money MONEY money MONEY money
MONEY money MONEY money MONEY money MONEY money
MONEY money MONEY money MONEY money MONEY money v

Re:You and AMI have NO Inegrity

[babylon93]

Should be read as:
"<b>Inegrity can be exchanged for goods and services, like money. I get a lot more use out of money earned without a bit of integrity than I do from knowing I am doing the right thing."</b>

Basic PKI

[jmorris42]

The executable is signed with M$'s PRIVATE key. The signature is checked against the PUBLIC key in the chip. No connectivity needed either. Cracking the chip only gets you the PUBLIC key. Please don't confuse encryption with signing. If you are still fuzzy go read the PGP docs by Phil Zimmerman, he explains it a lot better than I am going to here.

Re:Basic PKI

[echo]

So, these things won't support ENCRYPTED data? Then you just boot into a non-DRM OS and copy the files right?

Come on now... There has to be a private key somewhere that you can't access if they have any hop e of actually securing the data.

BZZT!

[multipartmixed]

> The people who don't "get" xor ax, ax at first
> glance are primarily those whose first assembly
> language experience was on an architecture such
> as 6502 that can't do operations between
> registers and registers, only registers and
> memory.

Then what do TAX, TYA, and brethern do?

Of course, "transfer" isn't much of an operation, but it is one. :)

Very insightful point, howerver. The first time I saw "xor ax,ax" was in 1987, after programming 6502/6510 for a few years. I took me almost ten minutes to figure out what the hell was going on.

Of course, that was also the first day I'd seen 80x86 assembly, and it was literally the first instruction in the program I was reading.

oops

[yerricde]

Of course, "transfer" isn't much of an operation, but it is one. :)

Oops... I misused "operations" to mean "ALU operations or shift operations".