Slashdot Mirror
EFF Position on Trusted Computing
Seth Schoen writes "EFF has just released our
analysis
of Trusted Computing. We find that the technology could benefit
computer security, but must be fixed to ensure that the computer owner
is always in control. We also propose a specific way of fixing it.
There's coverage
of our position at news.com. More articles should be up in
the near future at
the new EFF
Trusted Computing page. Thanks to all the people who helped us
understand this technology!"
Don't trust trusted computing. It does not compute.
This seems to be assuming "Trusted Computing" is intended to benefit users.
The real reason it exists is precisely to take control away from the computer owner and give it to the content owner. Given that, what is the point of the EFF proposing "fixes" to help keep the computer owner in control, when its primary design goal is the exact opposite?
Jason
ProfQuotes
That users are ignorant of Computer Security, so it must be controlled by a more intelligent source, like Microsoft. (It's true most are, but does anyone believe MS will fix it?)
Browse at -1, because trolls are often the most creative part of
I've been working in the security field for about 30 odd years, starting with securing mainframes back at Berkeley in the early 70s and am now providing consulting services to the major financial institutions in the US.
.NET framework in an insurance company which has permitted them granular control of all security aspects of the deployed .NET applications. This is key, we don't just want to control the desktops but also the software running on them.
I think that any corporation that invests at least 10% of their budget wisely should be on the track to provide their clients and staff a secure environment in which to deliver their products. I have to deal with a lot of intrusions on a daily basis while overhauling the infrastructure. Currently we've implemented the
Which is nice.
In order for a computer to be more secure, it must monitor more aggressively for changes. This seems to be point 4 in the article (remote attestation).
However, by intuition, this would mean that your computer system would know and monitor your system and thus the user more and more.
Misconceptions about this design abound. The most common misconception denies that the trusted computing PCs would really be backwards-compatible or able to run existing software.
Well, crap... of course there is going to be compatibility problems... I am much more concerned that my system and my massaging of that system is going to be tracked and recorded at higher and higher resolution of detail.
Davak
Right on the heels of learning that Outlook Express was mostly responsible for the HL2 Source Code Leak..
Browse at -1, because trolls are often the most creative part of
The EFF basically wants your computer to lie to a content provider so that you can turn off the security and still receive their content. It might as well not exist in the 1st place then, which is probably their real goal.
Not just Executive, but Legislative, as well.
Our government responds to campaign finance, and the lion's share of that is done by large corporations and other aggregates that want to make sure that THEIR rights come first.
Most people don't understand enough about computers to understand how completely OUR rights in this realm have been trampled, already.
The living have better things to do than to continue hating the dead.
...defeat the purpose? I mean, everyone knows that end users can't be trusted. Given the chance, they'll do nothing but pirate movies, music, television and software, etc.
*** END SARCASM ***
I think DRM is a *good* thing. Once people have to pay for music, movies, etc. the industry will realize exactly what they were losing to piracy -- almost nothing. If someone could wave a magic wand and people had to abide 100% by the rediculous license agreements, you'd find that instead of buying what they were sharing, they would go without.
Or does Microsoft, the BSA, MPAA and RIAA really think all those people in Asia are going to pay a few months worth of wages for software or entertainment?
Learning HOW to think is more important than learning WHAT to think.
The EFF is correct as usual. Trusted computing = Me knowing what the hell is running on my computer and having control over it. Anything else is untrustworthy computing. Anyone that wants to control what I can do with my own property (computer) can stuff it where the sun don't shine.
If you don't like what I write don't be a CS and mod it down. Refute it.
Yea I can't spell. So what is your point?
The point of the EFF doing this is precisely to underline the fact that big business is attempting to take control of the end-user computing platform away from the user.
You see, the problem is not so much that big business is doing this, but that it is doing so by subterfuge rather than out in the open.
The EFF is just flushing out the rats here. If business were trying to take control of people's property openly then the EFF wouldn't need to put on an act of innocence and merely be "identifying dangers" as the proposed solutions as if business wasn't aware of them.
It's a good strategy. Big business can only respond by saying either "Oh yeah, we hadn't realized" (LOL), or else it can reply that this was indeed the intention. In both cases, the user wins.
My bet though is that the EFF will be met by total silence.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
Not a "trusted" one.
Just as I wish with my house. I want my house to protect me, my papers, possessions and privacy. I want it to be nobody's business what my house contains, even to the point of being able to protect myself against legitimate legal prossecution.
Oddly enough, that's what the Constitution was written to provide my house with.
It is up to me to secure my house with whatever technological measures are available to provide that security and understand how to use that technology. I'm perfectly willing to take the same responsibility for the security of my computer. Just provide me with the tools. Then go the hell away and leave me alone.
The second my house starts deciding for me what I may or may not keep in it or do inside it I get a new house.
The day my computer decides it doesn't "trust" me with what I'm storing in it or doing with it I pull the plug.
Fortunatly for me there are already hundreds of millions of "untrusted" computers already out there in the wild that do everything I might require my computer to do.
KFG
Even the proposed "Owner Override" seems to me a "how are you going to do that" issue. How are you going to assure that a change was made by you and not by some software pretending to be you?
There are other oversights too:
- "Identity" of software is determined by submitting a hash value, but how can you be sure someone's not sending a canned hash value?
- "Secure output can prevent information displayed on the screen from being recorded" -- until someone invents a screen-scraping monitor. If information exists, there's a way to copy it. That's just what information is.
- The most serious point of all -- that the EFF is lending credibility to this blatant grab for dictator-like powers by suggesting that it can be "fixed" and the problems "addressed", at which point we should all happily adopt it. Not me, brother.
I would have much preferred the factual analysis and then a great big "run away from this as fast as you can"."A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
If this is unopposed, it will not be long until everything useful requires "trust". And so my PC, the one I paid money for, will not work the way I want anymore. Oh, theoretically it will, but in a practical sense it won't.
If a content provider wants to "trust" a device, then they should buy it for me.
My cell phone providers wants a trusted device. Great. They give me a phone, and I pay to use it.
Ask yourself this... is watching an HDTV version of Star Wars so compelling that you're willing to compromise yout ability to control your PC? If you answered "yes", then you and I simply have a completely different viewpoint on the subject that I suspect we'll never agree on.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
That's a CRAZY idea. As usual, let's compare computing on the information super highway with driving on our own freeways.
What would happen if we let people drive their own cars? They would repair their own cars, "upgrade" them too! But if they are in control, they may not make repairs as needed and then their cars would fall apart on a public super highway and cause other people to die and stuff.
Oh wait... we have a "license" to help ensure that the public has a bare minimum amount of knowledge and skill to operate a vehicle safely on public roads.
Now let's return to cyber-reality again. Instead of "trusted computing" how about "trusted users."?
Let's say that the price of admission to the information super highway should be controlled in the same or similar way to the way we control access to the roads. What a fabulous world we'd live in! "License to SPAM" wouldn't exist. Maybe there are a lot of bad things I haven't considered but is it much worse than requiring a driver's license write a check?
Wow... imagine getting a ticket and your license revoked for SPAMing... or for operating a computer with a virus...
"The Responsible Computing Initiative" is born!
Microsoft's chief security strategist made the surprising statement that the company is about one-third of the way to its goals for Trustworthy Computing. I guess there's a lot more going on internally than we're aware of.
The article also says, "Microsoft's short-term strategy will shift from patch management to what the company calls 'securing the perimeter.'" What this means is that they're working more closely with firewall companies.
Libertarians always say they don't believe in handouts, so why should I give EFF a handout then?
Libertarians don't believe in handouts funded by individuals who didn't explicitly and personally agree to provide those handouts. So, say, if money that was taken from me via taxes is being given to the League of Gay Midget Eskimos without my consent, that's a bad thing. I may be more than happy to donate to said League if it were my choice -- but being forced to do it at the risk of men with guns coming and putting me in jail is a different matter.
The EFF is the same way. I don't believe in enforced handouts to the EFF from folks who don't support them -- if you don't like the EFF, you shouldn't be forced to donate to them. On the other hand, if you believe that donating to the EFF is something you wish to do -- perhaps even something which is aligned with your own enlightened self interest -- then you should be every bit as free to do that as to donate to the Gay Midget Eskimo fund. Which is to say, very.
With Microsoft, IBM, and other major players involved in this process, the EFF doesn't have much of a choice but to work with what they've got. I don't think that the EFF agrees with the Trusted Computing initiative; as they say in the article, most of the changes described by the initiative can be implemented at the software level. I agree that that is where the changes should take place.
I agree with some of the other posters here and I don't really see anything useful about the attestation process (see the chart at the bottom of the page). I'm especially concerned about all of hardware specs that I know nothing about: Do you honestly expect me to think that the Bush administration isn't salivating over this? Can you say "backdoor"?
It sounds pathetic, but the only way I see out of this is through education and certification. People should be certified to connect to a network, and if they screw up, they are responsible. It's the way it works (usually) in academia.
What a mess.
The Death Penalty: Killing people to show others that killing people is wrong.
They look like separate issues to me. Trusted computing provides lock-in, DRM, secure data, etc., but it doesn't protect you from viruses. "Shield technology" may help protect against that stuff. I'm sure MS is not dropping trusted computing.
There are some other problems with Trusted Computing that the EFF article fails to address.
One is the difficulty of dealing with upgrades, failures and replacement of computers, if your data is locked to the old machine. TCPA had a hugely complicated process you would have to go through to migrate any of your "secure" data to the new machine. It involved going back to the manufacturer, getting a special transfer key, moving the data over and having it get re-encrypted. Microsoft hasn't said what they're going to do, but it's an extremely difficult technical problem to solve while retaining the security.
Another problem is the PKI (public key infrastructure) issue. For remote attestation to work, it's necessary that the TC chips have some kind of crypto certificate that says that they are legitimate. Microsoft has said nothing about who will issue these certificates and who will revoke them if a machine gets broken into. Setting up a successful, global PKI is a prerequisite for DRM type applications and will be an enormous job.
The article also overlooks that the sealed storage feature, which the EFF mostly views favorably, can also be used to achieve lock-in and secure closed formats. Microsoft Word could store data encrypted using the TC hardware, such that only Microsoft-signed applications can access the data. This kind of lock-in does not depend on the remote attestation features that the EFF is so concerned about, and would not be addressed by their Owner Overrides.
The DRM applications of this technology are small potatoes compared to the ability to lock-in consumers to an application suite (major score for the capitalists) and the ability to lock-out subversive information (major score for government censors).
That said, something absolutely must be done to protect end-user computers better; the current state of affairs is intolerable. I thought the EFF did a nice job not just crying Chicken Little, but making a specific suggestion on how to prevent the abuse of this important, needed technology.
"We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday