Slashdot Mirror

← Back to Stories (view on slashdot.org)

EFF Position on Trusted Computing

Posted by michael on from the code-is-law dept.

Seth Schoen writes "EFF has just released our analysis of Trusted Computing. We find that the technology could benefit computer security, but must be fixed to ensure that the computer owner is always in control. We also propose a specific way of fixing it. There's coverage of our position at news.com. More articles should be up in the near future at the new EFF Trusted Computing page. Thanks to all the people who helped us understand this technology!"

24 of 183 comments (clear)

  1. Bad assumption by Jason1729 · · Score: 5, Insightful

    This seems to be assuming "Trusted Computing" is intended to benefit users.

    The real reason it exists is precisely to take control away from the computer owner and give it to the content owner. Given that, what is the point of the EFF proposing "fixes" to help keep the computer owner in control, when its primary design goal is the exact opposite?

    Jason
    ProfQuotes

    1. Re:Bad assumption by pla · · Score: 5, Insightful

      Given that, what is the point of the EFF proposing "fixes" to help keep the computer owner in control, when its primary design goal is the exact opposite?

      Because it throws the ball back over the fence to those trying to force DRM on us.

      In essence, the EFF has given these folks an ultimatum - "You want a trusted computing environment, but not the public backlash? You can fix it like this. Now put up or shut up".

      Up to this point, the Palladium group et al could safely ignore most of us, since all of us opposed to DRM have basically just whined about it. Now that someone (and a respectable someone, at that) has offered them a way to get what they claim they want, choosing to ignore that will very tangibly clarify the real intent - If they ignore the EFF's recommendations completely, they all but publically admit they only care about stripping users of the right to use their own machines, rather than creating some fictional "safe" computing environment.

    2. Re:Bad assumption by fermion · · Score: 2, Insightful
      The EFF is doing exactly what it should. It is taking business propaganda at face value and then compare the actual product to the propaganda. If the two match, the yea. If not, then either the company is deceiving through it's propaganda or building a deficient product.

      In this case trusted computers is being billed as a way to allows owners to control their content. The opportunity for deception is provided by the interpretation of the word 'owners.'

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    3. Re:Bad assumption by mentin · · Score: 3, Insightful
      if it means giving control over what processes run on my computer to someone else

      It does not. It means being able to prove what processes run on your computer to someone else, if you want this - if you need some services from that someone one. If you can't, that someone else simply would not deal with you, but it would not be able to control what is run on your machine.

      EFF proposal is stupidiest I've ever saw (from CNET):

      The EFF proposes amending the trusted computing initiative to include a feature called "owner override," which would allow computer owners, whether individuals or companies, to essentially lie to an organization that attempts to ascertain the integrity of their content.
      This ability to lie breaks the whole idea - if somebody else does not trust you, he will not deal with you - no EFF will ever force him to.
      --
      MSDOS: 20+ years without remote hole in the default install
    4. Re:Bad assumption by pla · · Score: 2, Insightful

      How can they ignore people who will not buy their hardware and OSes?

      Because most people know absolutely nothing about this, and will go out and buy the new much-hyped "Pentium 5 FX Palladium! with patented Ultra TCPA technology! To make your web experience faster over even a 300 baud packet radio modem!".

      Those of us who have a clue will avoid this as long as possible, and might even make it a few years without ugrading (hey, my current desktop has lived a few years, and it still runs well), but when even grandma has a 500GHz machine with a terrabyte of 1:1 CPU-synchronous RAM and a petabyte of solid-state disk space, we simply won't have the option of not upgrading our pathetic oversized calculators.

      I purchase about 3 complete computer systems and OSes for everyone Joe Sixpack buys

      But for every one of us, they have three thousand joe sixpacks to buy into whatever they tell him he wants.

      pretty, and I don't like it any more than you, but a geek-only boycott will simply never exert enough market pressure to make a difference.

    5. Re:Bad assumption by Alsee · · Score: 3, Insightful

      >if it means giving control over what processes run on my computer to someone else

      It does not.

      Actually it does when more and more websites and software simply refuse to run at all. It is essentially extortion. You are given a choice to "voluntarily" agree to give up all right to privacy and give up control over your own computer, or you are denied use of your computer.

      That computer sitting on your desk is little more than a worthless lump of metal and plastic if you are denied access to most of the internet and you are denied use of virtually all new software.

      This ability to lie breaks the whole idea - if somebody else does not trust you, he will not deal with you - no EFF will ever force him to.

      Fine, if someone doesn't want to deal with the GERNERAL PUBLIC then they are perfectly free to go hide a hole in the ground. They have absolutely right to expect the GENERAL PUBLIC to be denied ordinary control over their own property.

      You are essentially proposing to 'offer' everyone a chance to have a polygraph surgically implanted in their brain. Anyone who doesn't 'voluntarily' agree then gets locked out of all buildings, denied use of the phone, denied use of the roads, denied use of money. To quote you, "if somebody else does not trust you, he will not deal with you". You don't HAVE to vuluntarily have this device implanted in your brain, but if you decline you are effectively thrown in prison. Sure, you're free to walk around your own house, but your house is the prison cell.

      Oh, and that "polygraph device" they are implanting in your brain? When you 'voluntarily' use it, it has TOTAL REMOTE CONTROL power. It can force you to do anything, it can prevent you from doing anything, it can erase or modify anything. Of course you are perfectly free to chose to live in a prison cell for the rest of your life instead.

      The EFF is simply saying that your computer is your property. They are simply saying that it should not be designed as a weapon against it's owner.

      As I have been saying for months, the only problem with TCPA and Palladium/NGSCB is that the design specifications require that the owner of the machine is FORBIDDEN to know his own keys (passwords). The sole purpose for that design requirement is "secure" the computer against it's rightful owner. The owner of the computer has absolutely every right to rip the hardware open and dig those passwords out with a microscope if he feels like it. And once he does that he does have full control over the system and is capable of doing exactly what the EFF proposes. The EFF isn't proposing anything that people don't already have every right and ability to do. They are just saying that there is no reason that people should need a microscope and other equipment to do it.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  2. Security in Fortune 500 companies by Anonymous Coward · · Score: 2, Insightful

    I've been working in the security field for about 30 odd years, starting with securing mainframes back at Berkeley in the early 70s and am now providing consulting services to the major financial institutions in the US.

    I think that any corporation that invests at least 10% of their budget wisely should be on the track to provide their clients and staff a secure environment in which to deliver their products. I have to deal with a lot of intrusions on a daily basis while overhauling the infrastructure. Currently we've implemented the .NET framework in an insurance company which has permitted them granular control of all security aspects of the deployed .NET applications. This is key, we don't just want to control the desktops but also the software running on them.

    Which is nice.

    1. Re:Security in Fortune 500 companies by marine_recon · · Score: 2, Insightful

      keeping things in control is all well and good, but where do you draw the line? next are you going to keep tabs on what is on each persons screen? i dont know about you, but i sometimes might actually feel the urge to check my personal email during the day, and having people look at my personal things with out me ever knowing about it is rather disturbing.

      --
      Jack the sound barrier. Bring the noise.
  3. Fear by Davak · · Score: 2, Insightful

    In order for a computer to be more secure, it must monitor more aggressively for changes. This seems to be point 4 in the article (remote attestation).

    However, by intuition, this would mean that your computer system would know and monitor your system and thus the user more and more.

    Misconceptions about this design abound. The most common misconception denies that the trusted computing PCs would really be backwards-compatible or able to run existing software.

    Well, crap... of course there is going to be compatibility problems... I am much more concerned that my system and my massaging of that system is going to be tracked and recorded at higher and higher resolution of detail.

    Davak

  4. EFF's position is outrageous by Anonymous Coward · · Score: 2, Insightful

    The EFF basically wants your computer to lie to a content provider so that you can turn off the security and still receive their content. It might as well not exist in the 1st place then, which is probably their real goal.

    1. Re:EFF's position is outrageous by Highrollr · · Score: 5, Insightful

      Having my computer do what I want it to doesn't seem particularly outrageous to me.

    2. Re:EFF's position is outrageous by prichardson · · Score: 3, Insightful

      How about this, since I can't control my computer, why should I have to pay for it. I would be much less opposed to not controlling it if I didn't own the hardware. Perhaps Microsoft will start liscensing computers as well.

      --
      Help I'm a rock.
  5. Not with the current government... by dpilot · · Score: 4, Insightful

    Not just Executive, but Legislative, as well.

    Our government responds to campaign finance, and the lion's share of that is done by large corporations and other aggregates that want to make sure that THEIR rights come first.

    Most people don't understand enough about computers to understand how completely OUR rights in this realm have been trampled, already.

    --
    The living have better things to do than to continue hating the dead.
  6. Doesn't that... by chill · · Score: 2, Insightful

    ...defeat the purpose? I mean, everyone knows that end users can't be trusted. Given the chance, they'll do nothing but pirate movies, music, television and software, etc.

    *** END SARCASM ***

    I think DRM is a *good* thing. Once people have to pay for music, movies, etc. the industry will realize exactly what they were losing to piracy -- almost nothing. If someone could wave a magic wand and people had to abide 100% by the rediculous license agreements, you'd find that instead of buying what they were sharing, they would go without.

    Or does Microsoft, the BSA, MPAA and RIAA really think all those people in Asia are going to pay a few months worth of wages for software or entertainment?

    --
    Learning HOW to think is more important than learning WHAT to think.
  7. Trust. by Simple-Simmian · · Score: 3, Insightful

    The EFF is correct as usual. Trusted computing = Me knowing what the hell is running on my computer and having control over it. Anything else is untrustworthy computing. Anyone that wants to control what I can do with my own property (computer) can stuff it where the sun don't shine.

    --
    If you don't like what I write don't be a CS and mod it down. Refute it.
    Yea I can't spell. So what is your point?
  8. Trusted ... or Trustworthy? by Anonymous Coward · · Score: 1, Insightful

    Personally, I still prefer "Trustworthy Computing" over "Trusted Computing."

  9. It's a game -- flush out the rats of hidden agenda by Morgaine · · Score: 5, Insightful

    The point of the EFF doing this is precisely to underline the fact that big business is attempting to take control of the end-user computing platform away from the user.

    You see, the problem is not so much that big business is doing this, but that it is doing so by subterfuge rather than out in the open.

    The EFF is just flushing out the rats here. If business were trying to take control of people's property openly then the EFF wouldn't need to put on an act of innocence and merely be "identifying dangers" as the proposed solutions as if business wasn't aware of them.

    It's a good strategy. Big business can only respond by saying either "Oh yeah, we hadn't realized" (LOL), or else it can reply that this was indeed the intention. In both cases, the user wins.

    My bet though is that the EFF will be met by total silence.

    --
    "The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
  10. I want a secure computer by kfg · · Score: 5, Insightful

    Not a "trusted" one.

    Just as I wish with my house. I want my house to protect me, my papers, possessions and privacy. I want it to be nobody's business what my house contains, even to the point of being able to protect myself against legitimate legal prossecution.

    Oddly enough, that's what the Constitution was written to provide my house with.

    It is up to me to secure my house with whatever technological measures are available to provide that security and understand how to use that technology. I'm perfectly willing to take the same responsibility for the security of my computer. Just provide me with the tools. Then go the hell away and leave me alone.

    The second my house starts deciding for me what I may or may not keep in it or do inside it I get a new house.

    The day my computer decides it doesn't "trust" me with what I'm storing in it or doing with it I pull the plug.

    Fortunatly for me there are already hundreds of millions of "untrusted" computers already out there in the wild that do everything I might require my computer to do.

    KFG

  11. Sad to see EFF legitimizing this by Atario · · Score: 4, Insightful
    You're exactly right. In "Trusted Computing", as the analysis points out:
    ...the computer's owner is sometimes treated as just another attacker or adversary who must be prevented from breaking in and altering the computer's software.
    I can't put it any more directly than that without risking being modded "Funny". Your computer, in effect, belongs to them. (See?)

    Even the proposed "Owner Override" seems to me a "how are you going to do that" issue. How are you going to assure that a change was made by you and not by some software pretending to be you?

    There are other oversights too:
    • "Identity" of software is determined by submitting a hash value, but how can you be sure someone's not sending a canned hash value?
    • "Secure output can prevent information displayed on the screen from being recorded" -- until someone invents a screen-scraping monitor. If information exists, there's a way to copy it. That's just what information is.
    • The most serious point of all -- that the EFF is lending credibility to this blatant grab for dictator-like powers by suggesting that it can be "fixed" and the problems "addressed", at which point we should all happily adopt it. Not me, brother.
    I would have much preferred the factual analysis and then a great big "run away from this as fast as you can".
    --
    "A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
  12. The trouble is... by tkrotchko · · Score: 3, Insightful

    If this is unopposed, it will not be long until everything useful requires "trust". And so my PC, the one I paid money for, will not work the way I want anymore. Oh, theoretically it will, but in a practical sense it won't.

    If a content provider wants to "trust" a device, then they should buy it for me.

    My cell phone providers wants a trusted device. Great. They give me a phone, and I pay to use it.

    Ask yourself this... is watching an HDTV version of Star Wars so compelling that you're willing to compromise yout ability to control your PC? If you answered "yes", then you and I simply have a completely different viewpoint on the subject that I suspect we'll never agree on.

    --
    You were mistaken. Which is odd, since memory shouldn't be a problem for you
  13. Etch SW into HW and Make User Data the ONLY I/O by Anonymous Coward · · Score: 1, Insightful

    As Jason noted earlier: "...'Trusted Computing'...exists...to take control away from the computer owner and give it to the content owner... what is the point of the EFF proposing 'fixes' to help keep the computer owner in control, when its primary design goal is the exact opposite?"

    Home PC users should tell scummy Big Brothers Micro$oft, Intel, Hollywood, etc. to shove it. I'm not going to pay you for a DRM'ed PC, and let you charge me usage fees, force-feed me content, view my private info, etc.

    If businesses (or home users) need ultimate security, jump back to the days of a closed hardware box with etched-in software; the only I/O was user data, so, no I/O was ever considered program code (no more viruses!). This would mean that the box would have to leave the factory with a DEBUGGED, etched-in O/S; DEBUGGED, etched-in office-suite software; and hardware slots into which additional purchased software (made by any company, etched onto hardware cartridges, and memory-isolated by the hardware box) could be plugged.

    This would mean NO MORE BELLS-AND-WHISTLES CRAPWARE...keep it mean, lean, and bug-free, because any patch will have to be a free replacement cartridge (or you piss off your customers).

    This would mean that the closed box with hardware-cartridge expansion is a BUSINESS MACHINE. You could still buy the PC of today for your home use and program the PC to your liking...but it could never corrupt the business machine. Want to bring your work home with you? The BUSINESS MACHINE could easily be of laptop design.

    The point is, the CRAPWARE and viruses of today's PC...could never touch your BUSINESS MACHINE or its user data.

    END OF STORY. PROBLEM SOLVED. No more asinine "Norton Anti-Virus" and its drug-addict subscription fees. No more asinine "Microsoft Windows Updates" because of over-featured, crapified software released too early. No more script kiddies. No more employees putting WHATEVER CRAP THEY WANT onto the BUSINESS MACHINE.

    Anyone who nags about:

    (1) the locked-down, basic-software-etched-in-hardware box,
    (2) the cost/inconvenience of cartridges versus the FREE-FOR-ALL of downloadable Web software (such as broken-software patches, utilities for things the O/S should have been doing in the first place, etc.), and
    (3) lesser user freedom (to add additional, company-unapproved software to his work machine)

    HAD BETTER THINK ABOUT ALL THE WASTED TIME AND MONEY WE ARE NOW SPENDING ON VIRUSES AND OUT-OF-THE-BOX-BROKEN, CRAP-FEATURE-LADEN O/S's AND SOFTWARE.

    Do that, and software etched in hardware...with I/O consisting ONLY of user data...DOESN'T SEEM TO BE SUCH A BAD BUSINESS IDEA AFTER ALL...does it? :-)

  14. Re:EFF by cduffy · · Score: 3, Insightful

    Libertarians always say they don't believe in handouts, so why should I give EFF a handout then?

    Libertarians don't believe in handouts funded by individuals who didn't explicitly and personally agree to provide those handouts. So, say, if money that was taken from me via taxes is being given to the League of Gay Midget Eskimos without my consent, that's a bad thing. I may be more than happy to donate to said League if it were my choice -- but being forced to do it at the risk of men with guns coming and putting me in jail is a different matter.

    The EFF is the same way. I don't believe in enforced handouts to the EFF from folks who don't support them -- if you don't like the EFF, you shouldn't be forced to donate to them. On the other hand, if you believe that donating to the EFF is something you wish to do -- perhaps even something which is aligned with your own enlightened self interest -- then you should be every bit as free to do that as to donate to the Gay Midget Eskimo fund. Which is to say, very.

  15. Attestation by TeachingMachines · · Score: 2, Insightful


    With Microsoft, IBM, and other major players involved in this process, the EFF doesn't have much of a choice but to work with what they've got. I don't think that the EFF agrees with the Trusted Computing initiative; as they say in the article, most of the changes described by the initiative can be implemented at the software level. I agree that that is where the changes should take place.

    I agree with some of the other posters here and I don't really see anything useful about the attestation process (see the chart at the bottom of the page). I'm especially concerned about all of hardware specs that I know nothing about: Do you honestly expect me to think that the Bush administration isn't salivating over this? Can you say "backdoor"?

    It sounds pathetic, but the only way I see out of this is through education and certification. People should be certified to connect to a network, and if they screw up, they are responsible. It's the way it works (usually) in academia.

    What a mess.

    --

    The Death Penalty: Killing people to show others that killing people is wrong.
  16. Re:Microsoft may be changing course by Wesley+Felter · · Score: 2, Insightful

    They look like separate issues to me. Trusted computing provides lock-in, DRM, secure data, etc., but it doesn't protect you from viruses. "Shield technology" may help protect against that stuff. I'm sure MS is not dropping trusted computing.