EFF Position on Trusted Computing

Seth Schoen writes "EFF has just released our analysis of Trusted Computing. We find that the technology could benefit computer security, but must be fixed to ensure that the computer owner is always in control. We also propose a specific way of fixing it. There's coverage of our position at news.com. More articles should be up in the near future at the new EFF Trusted Computing page. Thanks to all the people who helped us understand this technology!"

Bad assumption

[Jason1729]

This seems to be assuming "Trusted Computing" is intended to benefit users.

The real reason it exists is precisely to take control away from the computer owner and give it to the content owner. Given that, what is the point of the EFF proposing "fixes" to help keep the computer owner in control, when its primary design goal is the exact opposite?

Jason
ProfQuotes

Re:Bad assumption

[pla]

Given that, what is the point of the EFF proposing "fixes" to help keep the computer owner in control, when its primary design goal is the exact opposite?

Because it throws the ball back over the fence to those trying to force DRM on us.

In essence, the EFF has given these folks an ultimatum - "You want a trusted computing environment, but not the public backlash? You can fix it like this. Now put up or shut up".

Up to this point, the Palladium group et al could safely ignore most of us, since all of us opposed to DRM have basically just whined about it. Now that someone (and a respectable someone, at that) has offered them a way to get what they claim they want, choosing to ignore that will very tangibly clarify the real intent - If they ignore the EFF's recommendations completely, they all but publically admit they only care about stripping users of the right to use their own machines, rather than creating some fictional "safe" computing environment.

Not with the current government...

[dpilot]

Not just Executive, but Legislative, as well.

Our government responds to campaign finance, and the lion's share of that is done by large corporations and other aggregates that want to make sure that THEIR rights come first.

Most people don't understand enough about computers to understand how completely OUR rights in this realm have been trampled, already.

Re:EFF's position is outrageous

[Highrollr]

Having my computer do what I want it to doesn't seem particularly outrageous to me.

It's a game -- flush out the rats of hidden agenda

[Morgaine]

The point of the EFF doing this is precisely to underline the fact that big business is attempting to take control of the end-user computing platform away from the user.

You see, the problem is not so much that big business is doing this, but that it is doing so by subterfuge rather than out in the open.

The EFF is just flushing out the rats here. If business were trying to take control of people's property openly then the EFF wouldn't need to put on an act of innocence and merely be "identifying dangers" as the proposed solutions as if business wasn't aware of them.

It's a good strategy. Big business can only respond by saying either "Oh yeah, we hadn't realized" (LOL), or else it can reply that this was indeed the intention. In both cases, the user wins.

My bet though is that the EFF will be met by total silence.

I want a secure computer

[kfg]

Not a "trusted" one.

Just as I wish with my house. I want my house to protect me, my papers, possessions and privacy. I want it to be nobody's business what my house contains, even to the point of being able to protect myself against legitimate legal prossecution.

Oddly enough, that's what the Constitution was written to provide my house with.

It is up to me to secure my house with whatever technological measures are available to provide that security and understand how to use that technology. I'm perfectly willing to take the same responsibility for the security of my computer. Just provide me with the tools. Then go the hell away and leave me alone.

The second my house starts deciding for me what I may or may not keep in it or do inside it I get a new house.

The day my computer decides it doesn't "trust" me with what I'm storing in it or doing with it I pull the plug.

Fortunatly for me there are already hundreds of millions of "untrusted" computers already out there in the wild that do everything I might require my computer to do.

KFG

Sad to see EFF legitimizing this

[Atario]

You're exactly right. In "Trusted Computing", as the analysis points out:

...the computer's owner is sometimes treated as just another attacker or adversary who must be prevented from breaking in and altering the computer's software.

I can't put it any more directly than that without risking being modded "Funny". Your computer, in effect, belongs to them. (See?)

Even the proposed "Owner Override" seems to me a "how are you going to do that" issue. How are you going to assure that a change was made by you and not by some software pretending to be you?

There are other oversights too:

• "Identity" of software is determined by submitting a hash value, but how can you be sure someone's not sending a canned hash value?
• "Secure output can prevent information displayed on the screen from being recorded" -- until someone invents a screen-scraping monitor. If information exists, there's a way to copy it. That's just what information is.
• The most serious point of all -- that the EFF is lending credibility to this blatant grab for dictator-like powers by suggesting that it can be "fixed" and the problems "addressed", at which point we should all happily adopt it. Not me, brother.

I would have much preferred the factual analysis and then a great big "run away from this as fast as you can".

Re:Sad to see EFF legitimizing this

[Alsee]

How are you going to assure that a change was made by you and not by some software pretending to be you?

Actually that is pretty easy, you press a special button/switch. Malicious software is incapable of faking actual physical control. I proposed exactly such a modification to TCPA months ago.

I e-mailed this one of the main TCPA proponents about this back in January. It was David Safford, author of Why_TCPA and TCPA_Rebuttal. I explained this system and pointed out that there every single claimed benefit of Why_TCPA works just as well with actual and full owner control like my (and the EFF's) proposed modification grants. He did not dispute this.

His only reply was to suggest this change would no longer keep laptops secure against a thief. This suggestion fails on two grounds. First of all it directly contradicts TCPA_Rebuttal where he claims TCPA is not designed to be secure against physical access and that this supposedly 'proves' that TCPA is not designed for DRM. If TCPA is not supposed to be secure against physical access then it is disingenuous to claim it is supposed to protect a laptop against theft. The second reason his 'theft' argument fails is that it is simple to combine a physical button-press with an owner ID code or password before full control is given. A theif cannot get this owner password, and software can neither get the password nor press the button.

Granting the owner of the machine to his own keys (passwords) that are locked in the TCPA chip gives the owner full control over the system. There is absolutely no justification for denying the owner access to his own keys. The only purpose for this design requirement is to use it as a weapon against the owner and for various varients of DRM.

Of course Microsoft and the TCPA proponents will never accept my proposal (and the EFF's proposal) because the only real motivation for this hardware change is for DRM-type purposes. If owners maintain actual control over their machines and it can't be used for DRM systems then the entire project is a waste of time. Everything else is just a smoke-screen. TCPA will not prevent your computer from being infected with a virus, and it will not prevent that virus from slagging your entire hard drive and everything on it. The only thing it will do is prevent the virus from distributing copies of your 'secure' music files.

-