Slashdot Mirror


EFF Position on Trusted Computing

Seth Schoen writes "EFF has just released our analysis of Trusted Computing. We find that the technology could benefit computer security, but must be fixed to ensure that the computer owner is always in control. We also propose a specific way of fixing it. There's coverage of our position at news.com. More articles should be up in the near future at the new EFF Trusted Computing page. Thanks to all the people who helped us understand this technology!"

15 of 183 comments

  1. Bad assumption by Jason1729 · · Score: 5, Insightful

    This seems to be assuming "Trusted Computing" is intended to benefit users.

    The real reason it exists is precisely to take control away from the computer owner and give it to the content owner. Given that, what is the point of the EFF proposing "fixes" to help keep the computer owner in control, when its primary design goal is the exact opposite?

    Jason
    ProfQuotes

    1. Re:Bad assumption by pla · · Score: 5, Insightful

      Given that, what is the point of the EFF proposing "fixes" to help keep the computer owner in control, when its primary design goal is the exact opposite?

      Because it throws the ball back over the fence to those trying to force DRM on us.

      In essence, the EFF has given these folks an ultimatum - "You want a trusted computing environment, but not the public backlash? You can fix it like this. Now put up or shut up".

      Up to this point, the Palladium group et al could safely ignore most of us, since all of us opposed to DRM have basically just whined about it. Now that someone (and a respectable someone, at that) has offered them a way to get what they claim they want, choosing to ignore that will very tangibly clarify the real intent - If they ignore the EFF's recommendations completely, they all but publicly admit they only care about stripping users of the right to use their own machines, rather than creating some fictional "safe" computing environment.

    2. Re:Bad assumption by mentin · · Score: 3, Insightful
      if it means giving control over what processes run on my computer to someone else

      It does not. It means being able to prove what processes run on your computer to someone else, if you want this - if you need some services from that someone. If you can't, that someone else simply would not deal with you, but it would not be able to control what is run on your machine.

      The EFF proposal is the stupidest I've ever seen (from CNET):

      The EFF proposes amending the trusted computing initiative to include a feature called "owner override," which would allow computer owners, whether individuals or companies, to essentially lie to an organization that attempts to ascertain the integrity of their content.
      This ability to lie breaks the whole idea - if somebody else does not trust you, he will not deal with you - no EFF will ever force him to.
      --
      MSDOS: 20+ years without remote hole in the default install
    3. Re:Bad assumption by Alsee · · Score: 3, Insightful

      >if it means giving control over what processes run on my computer to someone else

      It does not.


      Actually it does when more and more websites and software simply refuse to run at all. It is essentially extortion. You are given a choice to "voluntarily" agree to give up all right to privacy and give up control over your own computer, or you are denied use of your computer.

      That computer sitting on your desk is little more than a worthless lump of metal and plastic if you are denied access to most of the internet and you are denied use of virtually all new software.

      This ability to lie breaks the whole idea - if somebody else does not trust you, he will not deal with you - no EFF will ever force him to.

      Fine, if someone doesn't want to deal with the GENERAL PUBLIC then they are perfectly free to go hide in a hole in the ground. They have absolutely no right to expect the GENERAL PUBLIC to be denied ordinary control over their own property.

      You are essentially proposing to 'offer' everyone a chance to have a polygraph surgically implanted in their brain. Anyone who doesn't 'voluntarily' agree then gets locked out of all buildings, denied use of the phone, denied use of the roads, denied use of money. To quote you, "if somebody else does not trust you, he will not deal with you". You don't HAVE to voluntarily have this device implanted in your brain, but if you decline you are effectively thrown in prison. Sure, you're free to walk around your own house, but your house is the prison cell.

      Oh, and that "polygraph device" they are implanting in your brain? When you 'voluntarily' use it, it has TOTAL REMOTE CONTROL power. It can force you to do anything, it can prevent you from doing anything, it can erase or modify anything. Of course you are perfectly free to choose to live in a prison cell for the rest of your life instead.

      The EFF is simply saying that your computer is your property. They are simply saying that it should not be designed as a weapon against its owner.

      As I have been saying for months, the only problem with TCPA and Palladium/NGSCB is that the design specifications require that the owner of the machine is FORBIDDEN to know his own keys (passwords). The sole purpose for that design requirement is to "secure" the computer against its rightful owner. The owner of the computer has absolutely every right to rip the hardware open and dig those passwords out with a microscope if he feels like it. And once he does that he does have full control over the system and is capable of doing exactly what the EFF proposes. The EFF isn't proposing anything that people don't already have every right and ability to do. They are just saying that there is no reason that people should need a microscope and other equipment to do it.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  2. Not with the current government... by dpilot · · Score: 4, Insightful

    Not just Executive, but Legislative, as well.

    Our government responds to campaign finance, and the lion's share of that is done by large corporations and other aggregates that want to make sure that THEIR rights come first.

    Most people don't understand enough about computers to understand how completely OUR rights in this realm have been trampled, already.

    --
    The living have better things to do than to continue hating the dead.
  3. Re:EFF's position is outrageous by Highrollr · · Score: 5, Insightful

    Having my computer do what I want it to doesn't seem particularly outrageous to me.

  4. Trust. by Simple-Simmian · · Score: 3, Insightful

    The EFF is correct as usual. Trusted computing = Me knowing what the hell is running on my computer and having control over it. Anything else is untrustworthy computing. Anyone that wants to control what I can do with my own property (computer) can stuff it where the sun don't shine.

    --
    If you don't like what I write don't be a CS and mod it down. Refute it.
    Yea I can't spell. So what is your point?
  5. It's a game -- flush out the rats of hidden agenda by Morgaine · · Score: 5, Insightful

    The point of the EFF doing this is precisely to underline the fact that big business is attempting to take control of the end-user computing platform away from the user.

    You see, the problem is not so much that big business is doing this, but that it is doing so by subterfuge rather than out in the open.

    The EFF is just flushing out the rats here. If business were trying to take control of people's property openly then the EFF wouldn't need to put on an act of innocence and merely be "identifying dangers" as the proposed solutions as if business wasn't aware of them.

    It's a good strategy. Big business can only respond by saying either "Oh yeah, we hadn't realized" (LOL), or else it can reply that this was indeed the intention. In both cases, the user wins.

    My bet though is that the EFF will be met by total silence.

    --
    "The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
  6. I want a secure computer by kfg · · Score: 5, Insightful

    Not a "trusted" one.

    Just as I wish with my house. I want my house to protect me, my papers, possessions and privacy. I want it to be nobody's business what my house contains, even to the point of being able to protect myself against legitimate legal prosecution.

    Oddly enough, that's what the Constitution was written to provide my house with.

    It is up to me to secure my house with whatever technological measures are available to provide that security and understand how to use that technology. I'm perfectly willing to take the same responsibility for the security of my computer. Just provide me with the tools. Then go the hell away and leave me alone.

    The second my house starts deciding for me what I may or may not keep in it or do inside it I get a new house.

    The day my computer decides it doesn't "trust" me with what I'm storing in it or doing with it I pull the plug.

    Fortunately for me there are already hundreds of millions of "untrusted" computers already out there in the wild that do everything I might require my computer to do.

    KFG

  7. Sad to see EFF legitimizing this by Atario · · Score: 4, Insightful
    You're exactly right. In "Trusted Computing", as the analysis points out:
    ...the computer's owner is sometimes treated as just another attacker or adversary who must be prevented from breaking in and altering the computer's software.
    I can't put it any more directly than that without risking being modded "Funny". Your computer, in effect, belongs to them. (See?)

    Even the proposed "Owner Override" seems to me a "how are you going to do that" issue. How are you going to assure that a change was made by you and not by some software pretending to be you?

    There are other oversights too:
    • "Identity" of software is determined by submitting a hash value, but how can you be sure someone's not sending a canned hash value?
    • "Secure output can prevent information displayed on the screen from being recorded" -- until someone invents a screen-scraping monitor. If information exists, there's a way to copy it. That's just what information is.
    • The most serious point of all -- that the EFF is lending credibility to this blatant grab for dictator-like powers by suggesting that it can be "fixed" and the problems "addressed", at which point we should all happily adopt it. Not me, brother.
    I would have much preferred the factual analysis and then a great big "run away from this as fast as you can".
    --
    "A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
    1. Re:Sad to see EFF legitimizing this by Alsee · · Score: 5, Informative

      How are you going to assure that a change was made by you and not by some software pretending to be you?

      Actually that is pretty easy, you press a special button/switch. Malicious software is incapable of faking actual physical control. I proposed exactly such a modification to TCPA months ago.

      I e-mailed one of the main TCPA proponents about this back in January. It was David Safford, author of Why_TCPA and TCPA_Rebuttal. I explained this system and pointed out that every single claimed benefit of Why_TCPA works just as well with actual and full owner control like my (and the EFF's) proposed modification grants. He did not dispute this.

      His only reply was to suggest this change would no longer keep laptops secure against a thief. This suggestion fails on two grounds. First of all it directly contradicts TCPA_Rebuttal where he claims TCPA is not designed to be secure against physical access and that this supposedly 'proves' that TCPA is not designed for DRM. If TCPA is not supposed to be secure against physical access then it is disingenuous to claim it is supposed to protect a laptop against theft. The second reason his 'theft' argument fails is that it is simple to combine a physical button-press with an owner ID code or password before full control is given. A thief cannot get this owner password, and software can neither get the password nor press the button.

      Granting the owner of the machine access to his own keys (passwords) that are locked in the TCPA chip gives the owner full control over the system. There is absolutely no justification for denying the owner access to his own keys. The only purpose for this design requirement is to use it as a weapon against the owner and for various variants of DRM.

      Of course Microsoft and the TCPA proponents will never accept my proposal (and the EFF's proposal) because the only real motivation for this hardware change is for DRM-type purposes. If owners maintain actual control over their machines and it can't be used for DRM systems then the entire project is a waste of time. Everything else is just a smoke-screen. TCPA will not prevent your computer from being infected with a virus, and it will not prevent that virus from slagging your entire hard drive and everything on it. The only thing it will do is prevent the virus from distributing copies of your 'secure' music files.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  8. The trouble is... by tkrotchko · · Score: 3, Insightful

    If this is unopposed, it will not be long until everything useful requires "trust". And so my PC, the one I paid money for, will not work the way I want anymore. Oh, theoretically it will, but in a practical sense it won't.

    If a content provider wants to "trust" a device, then they should buy it for me.

    My cell phone provider wants a trusted device. Great. They give me a phone, and I pay to use it.

    Ask yourself this... is watching an HDTV version of Star Wars so compelling that you're willing to compromise your ability to control your PC? If you answered "yes", then you and I simply have a completely different viewpoint on the subject that I suspect we'll never agree on.

    --
    You were mistaken. Which is odd, since memory shouldn't be a problem for you
  9. Re:EFF by cduffy · · Score: 3, Insightful

    Libertarians always say they don't believe in handouts, so why should I give EFF a handout then?

    Libertarians don't believe in handouts funded by individuals who didn't explicitly and personally agree to provide those handouts. So, say, if money that was taken from me via taxes is being given to the League of Gay Midget Eskimos without my consent, that's a bad thing. I may be more than happy to donate to said League if it were my choice -- but being forced to do it at the risk of men with guns coming and putting me in jail is a different matter.

    The EFF is the same way. I don't believe in enforced handouts to the EFF from folks who don't support them -- if you don't like the EFF, you shouldn't be forced to donate to them. On the other hand, if you believe that donating to the EFF is something you wish to do -- perhaps even something which is aligned with your own enlightened self interest -- then you should be every bit as free to do that as to donate to the Gay Midget Eskimo fund. Which is to say, very.

  10. Re:EFF's position is outrageous by prichardson · · Score: 3, Insightful

    How about this, since I can't control my computer, why should I have to pay for it? I would be much less opposed to not controlling it if I didn't own the hardware. Perhaps Microsoft will start licensing computers as well.

    --
    Help I'm a rock.
  11. Re:Doesn't that... by Alsee · · Score: 3, Interesting

    Every currently proposed DRM scheme can be defeated by plugging an audio cable from the speaker jack on computer A into the line in on computer B.

    You underestimate the stupidity of our opponents. They have in fact not only proposed such a system, they have had congressmen advocating it.

    And how could they conceivably accomplish this impossible goal? Simple, they want to make it illegal to make or buy an ordinary recording device without a "Fritz chip" inside that would shut down the device when it detected specially tagged sound. They even proposed requiring that every single analog to digital converter have such lock-out technology embedded.

    You could be dictating a letter into an ordinary tape recorder, and if someone walked by on the other side of the street with a radio the "Fritz chip" would pick up the special tag in the music and the tape recorder would record dead silence until they walked out of range. You only discover later that there is a five minute dead zone in the middle of your recorded dictation. Your camcorder tape of your child's first birthday goes dead silent whenever it detects tagged music in the background, and the video goes dead black whenever it detects a tagged TV image anywhere in the background.

    Reporters might be able to get a special licence for a special video camera that doesn't go dead in this manner, but it would probably have to embed a special tracking code in everything it records.

    I'm fairly certain that this proposal is far too extreme to ever get approved, but there ARE people demanding it.

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.