EFF Position on Trusted Computing
Seth Schoen writes "EFF has just released our analysis of Trusted Computing. We find that the technology could benefit computer security, but must be fixed to ensure that the computer owner is always in control. We also propose a specific way of fixing it. There's coverage of our position at news.com. More articles should be up in the near future at the new EFF Trusted Computing page. Thanks to all the people who helped us understand this technology!"
Don't trust trusted computing. It does not compute.
This seems to be assuming "Trusted Computing" is intended to benefit users.
The real reason it exists is precisely to take control away from the computer owner and give it to the content owner. Given that, what is the point of the EFF proposing "fixes" to help keep the computer owner in control, when its primary design goal is the exact opposite?
Jason
ProfQuotes
That users are ignorant of Computer Security, so it must be controlled by a more intelligent source, like Microsoft. (It's true most are, but does anyone believe MS will fix it?)
Browse at -1, because trolls are often the most creative part of
I don't understand what the big deal over this is. All you're doing is handing your computer over to people unknown, and they can be trusted to not wreak havoc with your machine. Can't they?
Jack the sound barrier. Bring the noise.
I've been working in the security field for about 30 odd years, starting with securing mainframes back at Berkeley in the early 70s and am now providing consulting services to the major financial institutions in the US.
I think that any corporation that invests at least 10% of their budget wisely should be on the track to provide their clients and staff a secure environment in which to deliver their products. I have to deal with a lot of intrusions on a daily basis while overhauling the infrastructure. Currently we've implemented the .NET framework in an insurance company which has permitted them granular control of all security aspects of the deployed .NET applications. This is key, we don't just want to control the desktops but also the software running on them.
Which is nice.
In order for a computer to be more secure, it must monitor more aggressively for changes. This seems to be point 4 in the article (remote attestation).
However, by intuition, this would mean that your computer system would know and monitor your system and thus the user more and more.
Misconceptions about this design abound. The most common misconception denies that the trusted computing PCs would really be backwards-compatible or able to run existing software.
Well, crap... of course there is going to be compatibility problems... I am much more concerned that my system and my massaging of that system is going to be tracked and recorded at higher and higher resolution of detail.
Davak
Right on the heels of learning that Outlook Express was mostly responsible for the HL2 Source Code Leak..
Browse at -1, because trolls are often the most creative part of
The EFF basically wants your computer to lie to a content provider so that you can turn off the security and still receive their content. It might as well not exist in the 1st place then, which is probably their real goal.
Not just Executive, but Legislative, as well.
Our government responds to campaign finance, and the lion's share of that is done by large corporations and other aggregates that want to make sure that THEIR rights come first.
Most people don't understand enough about computers to understand how completely OUR rights in this realm have been trampled, already.
The living have better things to do than to continue hating the dead.
They will search your hard drive for any copyrighted material.
Next TVs, stereos
...defeat the purpose? I mean, everyone knows that end users can't be trusted. Given the chance, they'll do nothing but pirate movies, music, television and software, etc.
*** END SARCASM ***
I think DRM is a *good* thing. Once people have to pay for music, movies, etc. the industry will realize exactly what they were losing to piracy -- almost nothing. If someone could wave a magic wand and people had to abide 100% by the ridiculous license agreements, you'd find that instead of buying what they were sharing, they would go without.
Or does Microsoft, the BSA, MPAA and RIAA really think all those people in Asia are going to pay a few months worth of wages for software or entertainment?
Learning HOW to think is more important than learning WHAT to think.
We find that the technology could benefit computer security, but must be fixed to ensure that the computer owner is always in control.
That's simple enough to solve. The computer will just be both owned and "0wnz0red" by someone else, most likely by the entity that licensed the operating system to the user, and the hardware imprinted for that specific operating system and all others irrevocably locked out.
And it will all be done with the click on a seemingly innocuous little virtual button that reads simply, "I Agree".
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
The EFF is correct as usual. Trusted computing = Me knowing what the hell is running on my computer and having control over it. Anything else is untrustworthy computing. Anyone that wants to control what I can do with my own property (computer) can stuff it where the sun don't shine.
If you don't like what I write don't be a CS and mod it down. Refute it.
Yea I can't spell. So what is your point?
Personally, I still prefer "Trustworthy Computing" over "Trusted Computing."
The point of the EFF doing this is precisely to underline the fact that big business is attempting to take control of the end-user computing platform away from the user.
You see, the problem is not so much that big business is doing this, but that it is doing so by subterfuge rather than out in the open.
The EFF is just flushing out the rats here. If business were trying to take control of people's property openly then the EFF wouldn't need to put on an act of innocence and merely be "identifying dangers" as the proposed solutions as if business wasn't aware of them.
It's a good strategy. Big business can only respond by saying either "Oh yeah, we hadn't realized" (LOL), or else it can reply that this was indeed the intention. In both cases, the user wins.
My bet though is that the EFF will be met by total silence.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
I used to intern for a company that works with a product called "WIBU KEY". Now, despite the fact there is a single note of one group "getting around" WIBU key, done properly WIBU should not be feasible to break.
Now WIBU is making something called "Codemeter" in which a user will be able to have licence information for hundreds of different software packages. That means if someone has MS Word on their computer, and knows someone else that has it, they can use their licence on the Codemeter stick on their friend's computer.
They are USB devices that can be carried on the keychain, and places like www.securikey.com are going to start using the new codemeter product.
It is MUCH better than other trusted computing schemes, since the data is not just being handled on the computer, all codes are "private" and all licence data is "private" on the key itself.
The way the part is manufactured you cannot get the data off of the key, if it is stored using a certain key mode. Since the key has its own integrated chip, it can use its key to decrypt as a private key that you need never know. If you lose your key or break it, you can go on-line, register a new key that you have bought, and get the data transferred to your new codemeter stick.
I was excited when I got to look at the product in its pre-development stages, and only wish that I had been able to stay on with the company to do more work with the new product line.
I think token based authentication is the way to go for the future, simply make programs that will not run unless large chunks of them have been decoded, and make sure small but important algos in the programs have to be run through the key every so often.
And as you detail attacks (if you reply) please note, spoofing the key doesn't work when the code runs inside the key, and if you use random checking algos against the key, it won't work either.
Any WIBU key hack on the net (which I researched) is totally based on bad programming by the target company, i.e. they sent "999999" to the key, and expected "99999" back, which was just bad programming on their part.
Buzz OUT
If you don't vote, you don't matter, so don't waste your time telling me your opinion
Not a "trusted" one.
Just as I wish with my house. I want my house to protect me, my papers, possessions and privacy. I want it to be nobody's business what my house contains, even to the point of being able to protect myself against legitimate legal prosecution.
Oddly enough, that's what the Constitution was written to provide my house with.
It is up to me to secure my house with whatever technological measures are available to provide that security and understand how to use that technology. I'm perfectly willing to take the same responsibility for the security of my computer. Just provide me with the tools. Then go the hell away and leave me alone.
The second my house starts deciding for me what I may or may not keep in it or do inside it I get a new house.
The day my computer decides it doesn't "trust" me with what I'm storing in it or doing with it I pull the plug.
Fortunately for me there are already hundreds of millions of "untrusted" computers already out there in the wild that do everything I might require my computer to do.
KFG
"We also propose a specific way of fixing it"
Namely, removing it.
This article over at cnet looks like Microsoft may actually be listening to the critics of trusted computing and rather moving towards what it calls Shield Technology - basically incorporating better firewall technology into the operating system. I for one would welcome this over trusted computing.
Whatever changes are made to DRM, just remember what the consumers' position will be when DRM is commonplace:
Bent over, taking it in the poop chute.
Somebody get that guy an ambulance!
How is that flamebait?
Libertarians always say they don't believe in handouts, so why should I give EFF a handout then?
If you're gonna promote that ideology then you can get your own damn money thank you very much.
Even the proposed "Owner Override" seems to me a "how are you going to do that" issue. How are you going to assure that a change was made by you and not by some software pretending to be you?
There are other oversights too:
- "Identity" of software is determined by submitting a hash value, but how can you be sure someone's not sending a canned hash value?
- "Secure output can prevent information displayed on the screen from being recorded" -- until someone invents a screen-scraping monitor. If information exists, there's a way to copy it. That's just what information is.
- The most serious point of all -- that the EFF is lending credibility to this blatant grab for dictator-like powers by suggesting that it can be "fixed" and the problems "addressed", at which point we should all happily adopt it. Not me, brother.
I would have much preferred the factual analysis and then a great big "run away from this as fast as you can".
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
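On the "canned hash value" question in the comment above (and the fixed "999999" challenge in the earlier dongle comment): the following is an added example, not part of the thread or of the EFF analysis, showing why a bare reported hash can be replayed and how binding a fresh verifier nonce into a chip-signed quote rejects the replay. It assumes the chip, not the client software, holds the key and does the measuring; HMAC with a constructed shared key stands in for the chip's certified asymmetric key, and all names are hypothetical.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # fixed length keeps nonce || measurement unambiguous


def measure(software: bytes) -> bytes:
    """Hash that identifies a software image (the 'identity' in the thread)."""
    return hashlib.sha256(software).digest()


def naive_verify(expected: bytes, reported: bytes) -> bool:
    """Bare-hash scheme: trusts whatever hash the client software reports."""
    return hmac.compare_digest(expected, reported)


class Chip:
    """Hypothetical model of the hardware: it holds the key and signs only
    the measurement taken at load time, never a value supplied later."""

    def __init__(self, key: bytes, loaded_software: bytes):
        self._key = key
        self._measurement = measure(loaded_software)

    def quote(self, nonce: bytes):
        # Assumption: HMAC replaces the real asymmetric signature so the
        # example runs with the standard library only.
        tag = hmac.new(self._key, nonce + self._measurement,
                       hashlib.sha256).digest()
        return self._measurement, tag


def verify_quote(key: bytes, expected: bytes, nonce: bytes,
                 measurement: bytes, tag: bytes) -> str:
    """Verifier side: check freshness and authenticity first, policy second."""
    if len(nonce) != NONCE_LEN:
        return "bad-nonce"
    good = hmac.new(key, nonce + measurement, hashlib.sha256).digest()
    if not hmac.compare_digest(good, tag):
        return "bad-signature"
    if not hmac.compare_digest(measurement, expected):
        return "unexpected-software"
    return "ok"


def run_scenarios() -> dict:
    key = secrets.token_bytes(32)  # constructed key, shared for the demo
    approved = b"approved client build (constructed sample)"
    modified = b"modified client build (constructed sample)"
    expected = measure(approved)
    results = {}

    # Bare hash: a machine running the modified build simply reports the
    # approved hash, and the verifier cannot tell the difference.
    results["naive_canned_hash"] = naive_verify(expected, expected)

    # Session 1: honest machine, fresh nonce chosen by the verifier.
    nonce1 = secrets.token_bytes(NONCE_LEN)
    m1, tag1 = Chip(key, approved).quote(nonce1)
    results["honest"] = verify_quote(key, expected, nonce1, m1, tag1)

    # Session 2: the machine now runs the modified build and the verifier
    # issues a new nonce. Replaying the recorded session-1 quote fails
    # because its tag covers nonce1, not nonce2.
    nonce2 = secrets.token_bytes(NONCE_LEN)
    results["replayed_quote"] = verify_quote(key, expected, nonce2, m1, tag1)

    # Sending the approved hash with a made-up tag fails the same way.
    results["canned_hash_forged_tag"] = verify_quote(
        key, expected, nonce2, expected, bytes(32))

    # The chip's honest quote authenticates, but reveals the modified build.
    m2, tag2 = Chip(key, modified).quote(nonce2)
    results["honest_quote_of_modified"] = verify_quote(
        key, expected, nonce2, m2, tag2)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The guarantee rests on the key never leaving the chip and on the chip measuring what was actually loaded; the nonce only rules out replay of an old quote.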
OMG! All Libertarians are evil! OMG! OMG! Libertarian thought is evil thought and must be stamped out. OMG! OMG! Freedom is evil and bad OMG! OMG! I actually read the articles. The EFF is right. I don't think they are exactly Libertarians though. We are going to have a left right civil war in this country and the left is going to precipitate it. A pox on the Democrats and the Republicans. Screw the left right labels. I am proud to be a Libertarian who isn't trying to force or brow beat others into "thinking correctly." That is what the left and right do. Libertarians are not "right wing" they are not leftists either, they are concerned with personal liberty.
If you don't like what I write don't be a CS and mod it down. Refute it.
Yea I can't spell. So what is your point?
If this is unopposed, it will not be long until everything useful requires "trust". And so my PC, the one I paid money for, will not work the way I want anymore. Oh, theoretically it will, but in a practical sense it won't.
If a content provider wants to "trust" a device, then they should buy it for me.
My cell phone providers wants a trusted device. Great. They give me a phone, and I pay to use it.
Ask yourself this... is watching an HDTV version of Star Wars so compelling that you're willing to compromise your ability to control your PC? If you answered "yes", then you and I simply have a completely different viewpoint on the subject that I suspect we'll never agree on.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
That's a CRAZY idea. As usual, let's compare computing on the information super highway with driving on our own freeways.
What would happen if we let people drive their own cars? They would repair their own cars, "upgrade" them too! But if they are in control, they may not make repairs as needed and then their cars would fall apart on a public super highway and cause other people to die and stuff.
Oh wait... we have a "license" to help ensure that the public has a bare minimum amount of knowledge and skill to operate a vehicle safely on public roads.
Now let's return to cyber-reality again. Instead of "trusted computing" how about "trusted users."?
Let's say that the price of admission to the information super highway should be controlled in the same or similar way to the way we control access to the roads. What a fabulous world we'd live in! "License to SPAM" wouldn't exist. Maybe there are a lot of bad things I haven't considered but is it much worse than requiring a driver's license to write a check?
Wow... imagine getting a ticket and your license revoked for SPAMing... or for operating a computer with a virus...
"The Responsible Computing Initiative" is born!
Very fancy dongles to be sure, but here they are again. Will users reject them for the same reason?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Trusted computing is being promoted as a computer platform that users can trust, but it's really more about creating a platform where third parties can determine whether the users themselves can be trusted.
Trusted computing benefits content producers and service providers more than it benefits users. The reason is that producers and providers are usually the ones whose systems are being accessed, while the users are the ones accessing these well-known systems. It is the nature of the transaction that trusted computing will favor the well-known party over the party that is "anonymous".
"In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
when the hardware gets hackered and cracked, then you will have to upgrade....
What's the difference between hardware and software when it comes to bit flipping?
To put something in hardware gains the advantage of speed but the inflexibility of change.
Microsoft's chief security strategist made the surprising statement that the company is about one-third of the way to its goals for Trustworthy Computing. I guess there's a lot more going on internally than we're aware of.
The article also says, "Microsoft's short-term strategy will shift from patch management to what the company calls 'securing the perimeter.'" What this means is that they're working more closely with firewall companies.
As Jason noted earlier: "...'Trusted Computing'...exists...to take control away from the computer owner and give it to the content owner... what is the point of the EFF proposing 'fixes' to help keep the computer owner in control, when its primary design goal is the exact opposite?"
:-)
Home PC users should tell scummy Big Brothers Micro$oft, Intel, Hollywood, etc. to shove it. I'm not going to pay you for a DRM'ed PC, and let you charge me usage fees, force-feed me content, view my private info, etc.
If businesses (or home users) need ultimate security, jump back to the days of a closed hardware box with etched-in software; the only I/O was user data, so, no I/O was ever considered program code (no more viruses!). This would mean that the box would have to leave the factory with a DEBUGGED, etched-in O/S; DEBUGGED, etched-in office-suite software; and hardware slots into which additional purchased software (made by any company, etched onto hardware cartridges, and memory-isolated by the hardware box) could be plugged.
This would mean NO MORE BELLS-AND-WHISTLES CRAPWARE...keep it mean, lean, and bug-free, because any patch will have to be a free replacement cartridge (or you piss off your customers).
This would mean that the closed box with hardware-cartridge expansion is a BUSINESS MACHINE. You could still buy the PC of today for your home use and program the PC to your liking...but it could never corrupt the business machine. Want to bring your work home with you? The BUSINESS MACHINE could easily be of laptop design.
The point is, the CRAPWARE and viruses of today's PC...could never touch your BUSINESS MACHINE or its user data.
END OF STORY. PROBLEM SOLVED. No more asinine "Norton Anti-Virus" and its drug-addict subscription fees. No more asinine "Microsoft Windows Updates" because of over-featured, crapified software released too early. No more script kiddies. No more employees putting WHATEVER CRAP THEY WANT onto the BUSINESS MACHINE.
Anyone who nags about:
(1) the locked-down, basic-software-etched-in-hardware box,
(2) the cost/inconvenience of cartridges versus the FREE-FOR-ALL of downloadable Web software (such as broken-software patches, utilities for things the O/S should have been doing in the first place, etc.), and
(3) lesser user freedom (to add additional, company-unapproved software to his work machine)
HAD BETTER THINK ABOUT ALL THE WASTED TIME AND MONEY WE ARE NOW SPENDING ON VIRUSES AND OUT-OF-THE-BOX-BROKEN, CRAP-FEATURE-LADEN O/S's AND SOFTWARE.
Do that, and software etched in hardware...with I/O consisting ONLY of user data...DOESN'T SEEM TO BE SUCH A BAD BUSINESS IDEA AFTER ALL...does it?
Libertarians always say they don't believe in handouts, so why should I give EFF a handout then?
Libertarians don't believe in handouts funded by individuals who didn't explicitly and personally agree to provide those handouts. So, say, if money that was taken from me via taxes is being given to the League of Gay Midget Eskimos without my consent, that's a bad thing. I may be more than happy to donate to said League if it were my choice -- but being forced to do it at the risk of men with guns coming and putting me in jail is a different matter.
The EFF is the same way. I don't believe in enforced handouts to the EFF from folks who don't support them -- if you don't like the EFF, you shouldn't be forced to donate to them. On the other hand, if you believe that donating to the EFF is something you wish to do -- perhaps even something which is aligned with your own enlightened self interest -- then you should be every bit as free to do that as to donate to the Gay Midget Eskimo fund. Which is to say, very.
In the article it clearly states that DRM is only a small part of trusted computing.
With Microsoft, IBM, and other major players involved in this process, the EFF doesn't have much of a choice but to work with what they've got. I don't think that the EFF agrees with the Trusted Computing initiative; as they say in the article, most of the changes described by the initiative can be implemented at the software level. I agree that that is where the changes should take place.
I agree with some of the other posters here and I don't really see anything useful about the attestation process (see the chart at the bottom of the page). I'm especially concerned about all of the hardware specs that I know nothing about: Do you honestly expect me to think that the Bush administration isn't salivating over this? Can you say "backdoor"?
It sounds pathetic, but the only way I see out of this is through education and certification. People should be certified to connect to a network, and if they screw up, they are responsible. It's the way it works (usually) in academia.
What a mess.
The Death Penalty: Killing people to show others that killing people is wrong.
You're talking about dongles, not trusted computing. All dongles are crackable by simply modifying the application not to check the dongle at all.
Dongles don't provide sealed storage (which is pretty much the only useful feature of trusted computing), so they are not an alternative to trusted computing.
The "trusted party" in trusted computing is the software. TC lets you trust software to behave in a certain way: software on your own computer, or software on remote computers, with the owner's permission.
There are some other problems with Trusted Computing that the EFF article fails to address.
One is the difficulty of dealing with upgrades, failures and replacement of computers, if your data is locked to the old machine. TCPA had a hugely complicated process you would have to go through to migrate any of your "secure" data to the new machine. It involved going back to the manufacturer, getting a special transfer key, moving the data over and having it get re-encrypted. Microsoft hasn't said what they're going to do, but it's an extremely difficult technical problem to solve while retaining the security.
Another problem is the PKI (public key infrastructure) issue. For remote attestation to work, it's necessary that the TC chips have some kind of crypto certificate that says that they are legitimate. Microsoft has said nothing about who will issue these certificates and who will revoke them if a machine gets broken into. Setting up a successful, global PKI is a prerequisite for DRM type applications and will be an enormous job.
The article also overlooks that the sealed storage feature, which the EFF mostly views favorably, can also be used to achieve lock-in and secure closed formats. Microsoft Word could store data encrypted using the TC hardware, such that only Microsoft-signed applications can access the data. This kind of lock-in does not depend on the remote attestation features that the EFF is so concerned about, and would not be addressed by their Owner Overrides.
I know no one wants to hear this, but the dark picture painted by the EFF of the ills due to Trusted Computing is not likely to come to pass.
The main point that the EFF analysis overlooks is the role of competition in the marketplace. Yes, TC could allow web sites to require you to run particular software; yes, TC could allow vendors to encrypt their data formats making it impossible for you to switch to a new software package; yes, TC could be the foundation for DRM and restrictive licensing.
But the point is that not all companies would use TC to do these things. Users would have a choice between companies which impose very strong restrictions on how end users can manipulate their data, and companies which offer open and unrestricted data formats. If all those limitations which TC would allow companies to impose are so bad, customers will refuse to buy the software of those companies. Competitors which offer unrestricted data formats will win in the marketplace.
Look at what is happening today with online music. By the end of this year, there will have been several launches of online music services, each with its own tradeoffs of per-song pricing, subscription fees, and download restrictions. This is competition. The market will respond, and we will get to a situation that provides a balance between the desires of all parties involved. Some DRM will exist, but it will be in a form that customers can accept.
In the same way, TC can be used lightly to enforce DRM and other restrictions in a way that users will not find objectionable and onerous. Competition will evolve a balance between the desires of the vendors and those of the customers, just as it does for prices, features, licensing and all other elements of a software purchase. Neither side is in a position to dictate terms.
Considering public perceptions including the constant repetition of a less than favourable political agenda (agenda based interpretation of psychology including but not limited to criminal behaviour). Open support demonstrating opposition can mean alienation (even if it's the process of deduction and observation). When business is involved public perception can destroy a company regardless of quality, potential or community involvement (what's on your side walk). Maybe it's time to take a step back and observe. Regardless of political motivation business is business and removing people's ability to accurately interpret their environment does seem at present to offer the most reliable return.
In other words getting caught up in the hype, here or anywhere can threaten income generation and pay a heavier cost in demoralized.
I try to avoid manipulation (because I do love my own liberty) and it's sad to see that it's so damn effective.
"When the architects of our republic wrote the magnificent words of the Constitution and the Declaration of Independence, they were signing a promissory note to which every American was to fall heir." Some guy's most important and long overdue delivery.
The "trusted party" is indeed the software, but whose software, exactly?
The point I'm making is that it's usually the user/client who must show that the software he is running on his computer may be trusted by third parties. I'm suggesting that establishing such trust relationships is the primary purpose of the trusted computing initiative, more so than users establishing trust relationships with their own software (it's easier to fool the user than it is to fool a third party's computer).
"In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
What usually happens is that a cracked version not requiring the key/dongle is released, so people who want to copy the program still do so. And then you, a real user, are trying to use the program at 2am when the internet goes down or the device fails and you are stuck with an app that will not run.
That's why if I buy a program that requires a CD key or something along those lines, I almost always download the cracked version or updater and use that instead.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
...you can run Linux on your business desktop today. It's not quite the same, but you can have software installed which does exactly what the users need, tailor everything to your specific requirements, and disable executables on /home (most users wouldn't need them). It's even better if you use X terminals, because all the desktop machines are identical, and users can switch between them with no problems whatsoever.
The problem with the hardware solution that you propose is that it would make free-as-in-beer software almost impossible, as all software would have to be distributed on a physical medium, which costs money.
WMBC freeform/independent online radio.
The real problem, as I see it, is not trustworthy computing, it is certainly not protecting the users, and it is not even corporations--rightly or not--seeking to protect their investments by invasive means.
Instead, the problem is a generally uneducated user base. I don't mean "uneducated" in the sense that they are in any way unintelligent, but that for some reason they are simply not interested in learning the intricacies of computers and related topics. They simply want things to *work*, they don't care *how* they work. And the truth is it would take an immense amount of invasion of privacy before the average computer user noticed, much less began to raise a fuss that might stop a company from heading in that direction.
The question, then, becomes how do we educate people who do not wish to be educated? If we write them off, is the cause lost? It seems even vocal critics such as the EFF go mostly ignored by companies even as the hordes of us behind them applaud. Bill Gates just smirks and buys himself another ivory back scratcher.
Can the tech-savvy win in a world of technological indifference?
Well, I thank the EFF for this analysis, but I think they've missed an important tactic. Let Microsoft and Co. lock out non-MS software all they want. They're at a fundamental disadvantage. If they wish to exacerbate their tenuous position vis-a-vis monopoly, fine. If they want to gamble shareholder confidence on a risky offensive against the general good will of the net public, we should help them.
The EFF warns that Microsoft's IIS web-server could block web-browsers other than Microsoft's IE. Well, Apache can just as easily be made to block IE. After all, Apache has run the majority of Internet web-sites since 1996. In other words, if MS doesn't play nice, we shouldn't reward them by rolling out the red carpet. Kick MS off the net (maybe for just a year or so.. mercy and all). You can start sending the message now.
I bought the book a few months ago... I really like it. There's very few tech books I read cover to cover any more, yours is/was one of them.
Thanks.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
From the article:
Refusing to provide the information required by remote attestation won't work, Schoen said, because such a refusal is still giving something away. "In criminal cases, you can take the Fifth Amendment," he said. "While the jury is not supposed to infer anything from that, the general public certainly infers that the person is guilty or has something to hide."
I think this will work, and this would be a feature that I would love to have. You can infer whatever you want about the contents of my hard disk. I remain innocent until proven otherwise, or is that not the way things work anymore?
Karma: Bad. (As in Good?)
As much as I despise Outlook's vulnerable status, the consensus in our group is that Valve probably had it at www.valve.com/hl2source.tar.gz, and they were so embarrassed they engineered this story.
A joke. Food for thought.
If I get modded flamebait for this, I'm going to cry at slashdot's sad state of humor.
According to their idea, you can lie about changes you've made. But you can't claim that something that was never true about your computer is true. While this provides more compatibility with the dictionary definition of the word 'trusted', it doesn't solve all that much. Imagine a DRMed version of CIFS that only connects to MS clients. Under the EFF's scheme, a client that runs a hacked version of Windows is OK, but a client that never ran Windows isn't. Samba is still dead.
In soviet russia stale jokes recycle you!
welcome our new Disney Computer Overlords
Where can I buy a box with "owner override"?
It will only take one vendor doing it, and I'd pay a few extra bucks for my Linux owner override feature to work.
Ice, ice baby.
Big Brother Bush is doubleplus ungood.
I'm a gamer. I play Ghost Recon online and am a moderator for a well respected community/clan (WGC). Our major problem is cheaters and Team killing smacktards who come in under random IP addresses, random names etc. With a decent trusted computing environment we could deny access to people who were running unverified mods or cheats or who were known to be arseholes.
That's not to say I support TCPA exactly, but when software is client side the server has to be able to trust that the client has lived up to its side of the deal, and if a trust relationship can be set up in a secure way that gives service providers a way to be certain that the client is who and what they say they are then I'm in favour so long as there are legal protections in force that prevent it being used as a way to limit competition through arbitrary assertions. i.e. checks against OS or other peripheral factors.
Also if a service is paid for providers should be forced to provide validation for 3rd party apps and an SDK for anyone who wants one at a reasonable price.
You can't win Darth. If you mod me down, I shall become more powerful than you could possibly imagine
The DRM applications of this technology are small potatoes compared to the ability to lock-in consumers to an application suite (major score for the capitalists) and the ability to lock-out subversive information (major score for government censors).
That said, something absolutely must be done to protect end-user computers better; the current state of affairs is intolerable. I thought the EFF did a nice job not just crying Chicken Little, but making a specific suggestion on how to prevent the abuse of this important, needed technology.
"We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
I think folks may be focusing too much on the capitalist implications of an abused Trusted Computing Platform. Government censorship is a much more serious threat.
For the "good of the people", President Bob dictates that everyone in the United Federation must use a trusted computer platform or go to jail. Dissidents? Bye-bye. Free press? Bye-bye. Long live President Bob!
If you don't have root to your own machine, you are not free.
"We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
Wake up.
Regards,
Fredrick
First, there will be a further clamp down on what is covered in the media and how it is spun: "To Microsoft, the threat is bad publicity, and they are going to produce a security system that deals with the threat," [Schneier] said.
Realize also that Microsoft in all likelihood is going to try to make the optional DRM patch mandatory, if for no other reason than to lock out competitors. "Windows 2003 may be secure, but the level of security it provides could break backwards compatibility."
The last thing MS wants is for people to go over to the new version of OpenOffice.org or to avoid the hidden payloads in WMP9 by using Ogg. Office2003 and WMP9 are essential vectors in getting the "optional" DRM patch into Windows machines.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
I've a prior patent on this idea.
Cease and desist or face the consequences.
You can not tell people to "wake up" without giving me at the very least some credit for the term "wake up".
I've also patented the idea that trash is trash and any trash, whether it's digital trash or physical trash, is still goddamned trash. If you for any reason decide that what you have received via any orifice, whether that be physical or digital, is trash and should be discarded, then I want a piece of the profit.
I'm sorry that Apple actually patented the trash can before I did but I've been able to alter the ICON several million times and have several thousand ICONS I can use to enforce MY original idea that trash is trash.
So if you throw anything in the trash either digitally or physically I want my fair share of the proceeds. If you save 1Gb of a 10 Gb drive that cost $30.00 then you have to send me 0.0000045876 cents, and I want that amount for every hard drive that stored the unwanted document on its way to you.
"Trusted Computing" operates under the assumption that the system itself is trusted. Given the number of security flaws in OS software in general, this is an obviously flawed assumption. In essence, a remote attacker exploiting a security flaw in your "Trusted Computing" OS has more control over your computer than you do.
Quite literally, not only are you just leasing your software, you are giving complete access and control of your data and hardware to third parties, often without your knowledge.
How many reading this would want a technology such as this serving as the platform and network infrastructure underlying government operations? The threat is not only to your own computer, but to your information as maintained by social services and law enforcement.
Yeah, let's give all the power to software vendors (including convicted monopolists), and hackers, while the normal computer user is left in the dark.
I pledge to use only open standards in all the solutions and networks I create. Freedom is far more important than "promised" security.
Trusted computing is about creating a platform the content providers can trust. Not the computer owners.
Whether the content provider is a network admin rightfully protecting the company owned computers on his network. Or Microsoft/RIAA wrongfully protecting the computer YOU own from copy infringing materials and from things they just don't like even though you have every legal right to do them.
You can attest to having a Microsoft software environment when connecting with smbclient. The point of owner override is that there need not be any connection between the PCR values you attest to and the reality. So you have a client that speaks the protocol and the other side can't tell that it's not the original client.
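The owner override as the reply above describes it, in a toy model (an added example, not part of the thread and not code from the EFF proposal or any TPM vendor). `ToyTPM`, the HMAC standing in for the attestation key signature, and the boot chain labels are all constructed assumptions.

```python
import hashlib
import hmac

PCR_SIZE = 20  # SHA-1 digest length, as used for TPM 1.2 PCRs

def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = SHA1(old || SHA1(component)); order-sensitive, one-way."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure(chain) -> bytes:
    pcr = bytes(PCR_SIZE)  # PCR starts at all zeroes on reset
    for component in chain:
        pcr = extend(pcr, component)
    return pcr

class ToyTPM:
    """Hypothetical model; HMAC stands in for the attestation key signature."""
    def __init__(self, key: bytes):
        self._key = key
        self.pcr = bytes(PCR_SIZE)
        self.override = None  # owner-chosen PCR value to report, if any

    def boot(self, chain):
        self.pcr = measure(chain)

    def quote(self, nonce: bytes):
        reported = self.pcr if self.override is None else self.override
        tag = hmac.new(self._key, reported + nonce, hashlib.sha1).digest()
        return reported, tag

def verifier_accepts(key, expected_pcr, nonce, quote) -> bool:
    reported, tag = quote
    good = hmac.new(key, reported + nonce, hashlib.sha1).digest()
    return hmac.compare_digest(tag, good) and hmac.compare_digest(reported, expected_pcr)

# Constructed sample boot chains (labels only, not real measurements).
VENDOR_CHAIN = [b"bootloader", b"vendor-os", b"vendor-client"]
OWNER_CHAIN = [b"bootloader", b"other-os", b"interoperable-client"]

def demo():
    key, nonce = b"constructed-demo-key", b"constructed-nonce-01"
    expected = measure(VENDOR_CHAIN)      # value the remote service insists on
    tpm = ToyTPM(key)
    tpm.boot(OWNER_CHAIN)                 # what is actually running
    honest = verifier_accepts(key, expected, nonce, tpm.quote(nonce))
    tpm.override = expected               # owner override: report the expected value
    overridden = verifier_accepts(key, expected, nonce, tpm.quote(nonce))
    return honest, overridden

if __name__ == "__main__":
    print(demo())
```

The quote is validly keyed in both cases; only the reported PCR value changes, so the verifier has nothing left with which to tell the two software stacks apart.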
All that "trusted" platform does is prevent things that were developed over decades of technology development, and replace them with things that no one thought about because they are useless.
1. Make sure that the user is typing at the keyboard, and that another program is not doing it. That means, no remote access, no automation, no pretty much any feature that allows users to use interactive software unless it's sitting on the box behind his desk. Yes, one can try to send locally encrypted data blindly over the network -- then where is the server going to stuff it to be decrypted? And if it will be able to, why won't someone else be able to do the same with his own keystrokes, even if it will take a bunch of mechanical relays "typing" on a "secure" physical keyboard?
2. Trust the software application to provide the "safe" data. That means, no scripts, pipes, interpreted languages, or anything else that combines multiple "products" into an application. Because anything combined will have to be trusted as every component, and every component (including "data" that is the interpreted program and the interpreter that runs it) will be trusted just as much as the complete system.
3. No virtual machines and emulators. Does not even deserve an explanation.
4. No user-created OS-level software, no matter in what language. Same.
Any of those features, if it can be overridden by the user, undermines the system in its very core -- user may have a big red switch, but unless he can discern which particular software is running at the moment he is flipping it, he can not distinguish between bypassing the controls for his own program, for someone else's legitimate software, or for a worm/virus/malware/... The same applies even to a self-signing system, with a nice addition of a problem in a networked environment, when one can not physically sign the application on all computers that should be able to run it, and all other methods will mean the ability to transfer and modify secret keys by the user.
So basically we will get a nice computer with all the features expected from ZX Spectrum, but in a "secure" environment. Obviously there should be something that will provide a replacement for those things. And there certainly will be -- there will be a remote access program that will be "trusted" that it already checked the validity of input on the client end, and can be "trusted" on the server. Single application signing service that will "let" the user run some software. Long explanations that emulators are only used by pirates, and that OS authors smell bad, so no self-respecting user would want to do any of those things, ever.
And the company that will bring it to you.... No, not _that_ company, the other one.
Contrary to the popular belief, there indeed is no God.
Is it not lathered on thickly enough, or do the links offer no clue either?
This analysis is very well scoped out to the extent that it focusses specifically on the topics of privacy, internet security and computers. But it seems to raise more issues than it defines. In a networked environment that is increasingly defined by technological convergence, the lines between physical and online presence are already becoming blurred. When the day comes that computers are able to routinely link to and manage our material comforts and all of that "stuff" is networked in, who defines our rights to privacy and the level of access we are allowed to what we already have? The EFF says the individual should have the right of ultimate access. (It's hard to disagree with that, isn't it?) But some sectors, if not most sectors of the government could argue that, "for security reasons", they have a legitimate claim on the right of access to private identity. Identity theft is one issue that tends to feed legitimacy to this argument, as do the precedents of social security numbers and driver's licenses as accepted standards of identification. Privately governments are mostly concerned with being able to identify, locate and regulate people (that's what governments do). Of course businesses that produce convergence technology will argue publicly that they should have God rights because they "understand" the technical issues better than the mere mortals they service, while privately conspiring to lock in their market and stake out their claims to access and distribution. (That's what businesses do) But who defines where the concepts of ownership and privacy start and end, when our computers become wearable and our consumables are wired in? That's what individuals should do. But with all these other interests out there, will they?