TCPA Support in Linux
kempokaraterulz writes "Linux Journal is reporting that "The Trusted Computing Platform Alliance has published open specifications for a security chip and related software interfaces.". In the latest Gentoo Newsletter they talk about a possible 'Trusted Gentoo', and possible uses for hardware level security."
It really makes me happy to see that Linux distributers are finally seeing the light and providing the community with things we need in an Operating System. Hopefully this will lead to other advances in the wonderful world of DRM.
sigh
From a programmer's perspective, the IBM version of the TPM (or TCPA chip) looks like Figure 1. Garrick, please crop the caption out of the figure itself.
Garrick? Garrick? McFly? McFlyyyyyyyyyy?
I mean - there are a lot of hardware security modules that can be used for building trusted systems right now.
Isn't the only purpose of pushing things like TCPA locking the platform down ?
From the Fine Article:
-theGreater.
The only benefits I can see is increased security for encrypted communication or hard drive encryption. I am really trying to think hard of any other beneficial applications but can't come up with anything.
to hang myself.
Instruction: How to restrict your Linux box from yourself.
Life is not for the lazy.
Linus himself said DRM is ok, as long as it's used in the interests of the user. This is a good thing, think about it; EvilCorp(tm) wants to use DRM to cripple computers, but the PR guy will say "it's for the user". Of course their intent is nothing of the sort, but the Linux folks are the only ones who will actually implement something that *is* in the interest of the user. Then EvilCorp won't be able to lobby making Linux illegal, since Linux also uses DRM which does what EvilCorp claims it's doing "for the users". Well, hopefully.
"Backups are for wimps. Real men upload their data to an FTP site and have everyone else mirror it." -- Linus Torvalds
Not yet, sorry. I just asked Stephen King...
Better yet, lead 'em. It would be ridiculously funny if Trusted $FREENIX were released before Trusted Windows or Trusted MacOS.
Though the specifications detailed in the article are definitely a Good Thing, they lack (at least as far as I could tell) any way of preventing unauthorized physical access to the chip.
Physical access to machines is always a big issue in security, and one that is often overlooked. And while it's probably not a big deal for your home machine, consider large companies whose machines could conceivably be targeted for a physical attack to recover the keys directly from the TPM (Trusted Platform Module).
Stajano's "Ubiquitous Computing" book has excellent coverage of the rationale, issues, and complexity of attempting to prevent physical access to chips and devices which store sensitive information. It's an easy read, and well worth it: http://www-lce.eng.cam.ac.uk/~fms27/secubicomp/index.html
This is indeed good news! Security that is solely-based on software is far easier to compromise than hardware-based (provided that the hardware can't be tampered with by malicious software). Far better to have the security co-ordinated between both. I'd be interested to see how widely accepted this open specification will be.
I think it's cool. In fact, this may be one of the things that helps drive linux to a popular position in the desktop realm. Just need to get some big companies behind it, like, say Intel, HP or IBM... oh wait, they all support linux. Maybe this isn't so improbable.
I'm kind of excited to see what will happen.
It would be ironic that Linux users used the cryptography system to keep information _out_ of the hands of EvilCorp, instead of the other way around.
Treacherous Gentoo?
It has been said a million times, yet apparently it bears repeating. The "security" aspects of TCPA are redundant, unnecessary, and at best useful but could be made a lot better if the chip was designed for security rather than DRM. The whole system really exists only for one purpose: as a trojan horse to implement something called "remote attestation" in PCs.
What is remote attestation? Basically, it means that the TCPA chip, which you cannot control, can read what operating system you have loaded, and send a response proving that you are running a certain operating system to others on the Internet. The purpose of this, of course, is so that the operating system can be verified not to have its DRM functions cracked, so that the RIAA and MPAA can send you data and make sure that they get to decide what you do with it.
The people pushing TCPA will claim that it is not for DRM, but that is a smokescreen and only a smokescreen. While TCPA does not do DRM itself, it is the enabling component that is needed so that software can implement DRM without being circumventable.
What does this mean for a "trusted Linux"? It means that while it is completely possible to have a Linux system working with TCPA, once you change anything in the system, the TCPA chip will notice you are running a modified system, and no longer let your data. So while the software may nominally remain under the GPL, it will be the death of the free software model, because users who wish to tinker with their systems will be locked off the Internet (Cisco is already talking about systems to have ISPs demand remote attestation when TCPA is in place). TCPA and Linux can be combined in theory, but only in theory - in reality they cannot ever coexist.
Those who do not believe me (or those who are inclined to believe the MS shills who will respond saying that I am wrong), should read EFF's analysis of TCPA where they give a simple way that the chip could be changed to allow all uses except remote attestation intended to force people to use certain operating systems and enforce DRM over the user. It has been completely ignored by the manufacturers of TCPA.
I am having problems with my system clock under Gentoo.
It keeps saying it is the Second of February, when I know it must be the First of April...
# cat
Damn, my RAM is full of llamas.
It's very simple:
1. Linux is distributed under the GPL (and other licenses).
2. To comply with the GPL, end-users must be able to acquire the source code (which means everything they need to reproduce the binary executable, with or without modifications).
3. If you don't comply with the GPL, you are committing copyright infringement, a federal offense.
But from the other direction:
4. Trusted computing means that all binaries are signed with a secret key.
5. The Trusted CPU will not execute binaries that weren't signed with that key.
6. In this way, it is impossible for end-users to create modified binaries to add/remove features from the software.
The GPL is too much in conflict with Trusted Computing to ever allow them to work correctly together. To obey the GPL, end-users must have access to everything needed to rebuild working binaries- which includes the secret key. But for Trusted Computing to work, it must be impossible for end-users to get the key- otherwise there's no point.
So, Linux or Trusted Computing. Choose one, because you can't have both.
False...
The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
If, for example, this provided a way to make sure that a computer on the internet is really who it claims to be, that would be good.
But trusted windows, at least, is going to be about remote deletion/disabling of data.
# cat
Damn, my RAM is full of llamas.
Since the source is available for Linux, what would stop someone from sandboxing 'trusted' software by having the OS validate code before it's executed (slow, though a bit faster than emulation and without all the bugs), and then implementing the DRM hardware (or BIOS) instructions in software in a way that stores the keys (or plaintext information, if that is not doable) and allows access to any software to get the info.
The software DRM implementation would be 100% transparent to the application and no one would be the wiser.
It should also be workable with a x86 emulator running a closed source 'trusted' application along with its closed source OS, with the emulator doing the DRM instructions a little differently than normal.
Go to the Linux Journal search function and search for 'garrick'. You should get eleven hits. I didn't read all of them, but using ctrl+f to search the pages revealed notes to Garrick re: font selection and the like. D'oh.
I want to drag this out as long as possible. Bring me my protractor.
To have to burst your bubble of uninformed zealotry, there are plenty of good uses for trusted computing and DRM that do not interfere with your quest to get 'fr33 musicz 4 life' or whatever. Not all of this technology is for companies like the RIAA to protect copyrights, despite what Slashbots would have everyone think.
It hasn't been called the Trusted Computing Platform Alliance, TCPA, for a couple of years now. It's now the Trusted Computing Group, TCG. Same technology, just a new name.
If you want to test the IBM API, but you don't have a Trusted Platform Module, you can try using the kernel module emulator at http://tpm-emulator.berlios.de/index.html
Well, security of communication is a big plus in any case. These little suckers, among other things, should be more resistant to pwnage than present day systems.
Take your head out of the sand dude.
If Gentoo wants to add a TCPA compatibility module, have fun. But absolutely do NOT call it "Trusted Gentoo" when its actual meaning is "Gentoo that doesn't trust YOU".
Gentoo's public communications guy needs to read some George Lakoff. It's a wonderful life, folks. Every time you use their words, a devil gets his pitchfork.
Unsigned binaries won't be able to play DRMed files (which you shouldn't have anyway) but should still work with your normal files. The trusted CPU will be happy to execute them, it will just refuse to flag them as trusted.
Offtopic? He's making a joke about april fools. What kind of mods do we have here?
Got it yet? This means it will be in the kernel if you want to use it and it will be completely open source, fool. Illegal...please.. you're such a moron.
Yeah, let's build, you know, VOTING MACHINES, with this!!! I mean, is that a revolutionary idea or what?! At least in these parts, huh? Where was the TCPA/TCP/fancy_acronym in '04 (for that matter, in '00) when we could've used them for what is the most important use of them all?
Those idiots in the TCPA alliance would never think about it. I feel safe in your hands.
Good God ya'll..
What is it good for? Absolutely nothin'!
Trusted Computing Group (TCG) technology makes sense in the context of Linux. Microsoft refuses to implement it. They had their own conception, which was Palladium, then NGSCB, then was dropped. So if TCG is going to go forward at all, it has to be with Linux.
It's kind of ironic, because Ross Anderson's lying Anti-TCPA FAQ tries to claim that TC exists to kill Linux. And yet it is turning out that Linux is the salvation of Trusted Computing.
There are a number of research projects in TC on Linux, including TPM Device Driver, Trusted GRUB and Secure GUI, tcgLinux, TCPA Open Source Platforms, Enforcer, and more. All Linux based.
Don't believe the FUD about TC. When implemented in Linux using Open Source software, TC gives you new options for securing and expanding the capabilities of your computer.
HEY THIS IS STUPID, people post good comments AND THEN GET TROLLED?
Why do I get the feeling there is going to be a thriving blackmarket in hacked BIOSs and OSs in the unfortunate event that these chips are actually deployed and implemented in a widespread manner?!
Whatever happened to the user having full control over a piece of hardware they plunked down hard earned cash on?!
Amen i say.
With Trusted Computing, no one else can access it.
The "trusted" boot functions provide the ability to store in Platform Configuration Registers (PCR), hashes of configuration information throughout the boot sequence. Once booted, data (such as symmetric keys for encrypted files) can be "sealed" under a PCR. The sealed data can only be unsealed if the PCR has the same value as at the time of sealing. Thus, if an attempt is made to boot an alternative system, or a virus has backdoored the operating system, the PCR value will not match, and the unseal will fail, thus protecting the data.
At the very least, that sounds like "bye-bye multi-boot systems".
IBM also has a rebuttal to TCPA's detractors [PDF]. This one talks more about how the TCPA chip as currently designed "not been designed to resist local hardware attack, such as power analysis, RF analysis, or timing analysis." That's all well and good for the moment, and while the chip is (per the PDF) mounted on a presumably-removable daughterboard, but how about the future? Is this how TCPA will stay, or is it the beginning of our worst fears??
At least these two whitepapers agree with most of us here on one thing -- DRM itself is stupid, for a variety of reasons.
~REZ~ #43301. Who'd fake being me anyway?
Like any encryption tech, it's a double-edged sword.
In Soviet Union, your GPL'd software doesn't trust YOU!
Hmmm. This puts the whole concept of so-called "Trusted Computing" into a realistic, and sad, perspective.
Well, someone had to say it.
Sigs? Sigs? We don't need no steenkin' sigs.
Trusted Gentoo??? Did I hear that one right? You mean trusted about 80% of its up time when you are not experiencing configuration problems recompiling software or doing some other stuff that a modern OS should not have to do? The gentoo development team seems to forget that what gets you good reputation in the OSS world is doing things well and NOT doing a lot of things half arsed (excuse my french). So one suggestion for them ... fix your urgent problems (like the redesign of portage that has been underway for way too long) learn C and maybe some more Python if you like it so much and maybe then you can focus on building a trusted linux distro. After all you need a stable foundation first otherwise you only have a Windoze wannabe and that's not cool anymore. (if it ever actually was).
Plus if slashdot is really going to post all the sensationalism around gentoo they might just start posting the weekly newsletters. After all it was Open Solaris last week and Trusted linux this week and who knows what next week. Not to mention that whoever comes up with those ideas in the gentoo team must be either some very very bored college students that will end up working as a sys admin one day or just a person that doesn't know anything about common sense and organization.
Sorry to turn this post into a flame but gentoo is really dead to me. Great idea with an extremely poor execution.
From a practical standpoint, TCPA is incompatible with the Linux philosophy of open-source modifications
IMO this is not exactly correct - is it against Linux philosophy of open-source modifications to secure my Linux box so nobody except me can make modifications to it?
TCPA used in such way (i.e. in interest of user, not supplier, not government, ...) is quite in line with Linux philosophy of "you're in control" :) .
But, as with all weapons, it has two edges. So, beware! :)
hany
All features of your modified executable will work. DRM servers of media corps will refuse to give you keys for playing their content, because you won't be able to lie to them. But who told you that you have a right to get these keys by lying?
Security vs. those that wish to bypass the security for any reason.
Its an ethernal "arms race".
True, the TCG chip will raise the bar for running "unauthorized" software, but it might also bring its own downfall. Imagine the chip is implemented and works well for a year or two - i.e. the only ways to defeat the chip are very inefficient (and probably require doing stuff with the hardware that only few of us geeks would have the skills and guts to do)
And then, suddenly, somebody has a great idea how to deceive that chip on the software level - and it works.
The whole security scheme collapses. All the companies that neglected to put additional security measures into their software - why should they, they cost money and the chip is undefeatable - suddenly find their protection melting away like a snowball in summer.
They can't rush patches to protect their software - after all, they relied on the chip.
And the TCG can't really "patch" the chip, since "write access" to the chip would only make it even more vulnerable.
Of course, in time a new scheme is developed, and the circle begins anew.
+++ MELON MELON MELON +++ Out of Cheese Error +++ redo from start +++
NO CARRIER
Tip: Try Google Answers for help from expert researchers
No definitions were found for ethernal.
Suggestions:
- Make sure all words are spelled correctly.
- Search the Web for documents that contain "ethernal"
In the immortal (paraphrased) words of Stanley Kirk Burrell, " you can't trust this ".
If you don't have a blue-laser disc player, your feature will not work either, GPL or no GPL. If you don't have the right hardware, your app won't work. Similarly, if you don't have the right keys to send to the right hardware, your app won't work. The hardware, as well as the keys, are not parts of the (GPLed or not) software. It's your responsibility to obtain them, and it's your choice how do you do that. (For the keys, I suggest running a signed copy.)
CSS is broken because someone left the keys in the open (and they are too short to be secure anyway). If DVDCCA disallowed software players, and used 128-bit keys, there would be no deCSS. That's more or less what will happen with TPM.
Basically, you're saying the GPL is anti-freedom and anti-choice? You're seriously saying it's "illegal" to have such support?
I prefer the alternative system I have developed, I call it "KMFA"..
It gives me ultimate security rights and control over my machines..
In this way, it is impossible for end-users to create modified binaries
The GPL requires that the source code be made available. It doesn't require that end-users be able to create modified binaries. If you disagree, please quote the GPL.
The TCM is designed to tell others the truth about software you're running. Nothing more, nothing less. If you're not comfortable with it, you have the option to be silent, but you don't have an option to lie. Well, you can try, but no one will trust you. That's all there is about it.
They will go all happy happy joy joy. Or something something.
RMS has written a nice article about it: see http://www.gnu.org/philosophy/can-you-trust.html
Garrick, please don't forget to remove my inline comments to you before you post this article.
Proud neuron in the Slashdot hivemind since 2002.
You should read the TCPA FAQ if you have not already. It explains why this is a bad thing.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Thank you very much. So I figure you haven't read the spec?
I'm not sure if most people have RTFA (hey this is slashdot) but from what I'm gathering here this isn't the same thing as Bill Gates' utopian "now bosses can send emails but turn off printing and forwarding", so you can stand down from attack mode.. unless I'm wrong, in which case kill it.
This comment does not represent the views or opinions of the user.
One per chip, not one per maker/model.
"You may not impose any further restrictions" means you cannot build the hardware Dear moron, people who build the hardware don't have to follow GPL. HTH.
Glad some people figure it out. Microsoft is opposed to TCPA (now called TCG) exactly because it's an open spec.
There's a paper on how trusted computing can enable more secure, user-friendly P2P networks. It's linked to here somewhere, look it up.
If someone (Gentoo, Microsoft, whoever) releases an OS that requires central authority signature to execute code, then how would a developer iteratively build and test against the platform?
- First they ignore you, then they laugh at you, then ???, then profit.
You start with a signed binary compiler. If the source is signed, the compiler then signs the binary. This includes the compiler's source, so you have a kind of chain of trust. Unfortunately you can't modify pretty much anything (compiler, kernel, drivers...) without breaking the chain, but at least you can adjust your precious USE flags and say -O418 -funroll-all-bloody-loops-right-now to your heart's content.
That's the core of what I'm complaining about there- the development of Linux depends on commodity PCs functioning as general purpose computers, able to do anything the end-user knows how to program. TCPA is meant to restrict certain illegal actions by making them technically impossible, and along the way it renders many more fully legal alterations (including Fair Use of copyrighted works) impossible.
And they're not pretty.
By the way, I'm a Jew and I find your comment offensive. Don't ask me why, I barely could bring myself to answering this one, OK?
I want to try to correct one of the most common and universal misconceptions about Trusted Computing: that it will only allow signed code to run. This is causing enormous confusion here, with people arguing about how that works with the GPL, who would get to sign the code, would users get to sign their own code, etc., etc.
The truth is that the TCG spec says nothing about signed code. There are no limitations in TCG that keep you from running unsigned code. There is no distinction between "secure" and "insecure" code. You can run anything you like. Signing is a complete red herring in this discussion.
I am not trying to gloss over problems or paint a false picture. The truth is that TCG does have features whose effects are somewhat like what people are worried about with signed code. The result is that TCG could be helpful for DRM, and it might make it impossible to download music from an online store without running a special application, for example. But this would not be because "you can only run signed code". Rather, it is the server that decides whether it wants to talk to you, not your computer deciding what you can and cannot run.
What's the difference? Well, if your main concern is being able to run hacked clients that will allow you to violate your user agreements, then there is no difference. You would be right to oppose Trusted Computing. It will make it harder to lie and pretend to honor an agreement, then break your word and go back on your promise.
But if your main concern is about the GPL and what software you run, there is a big difference. There are no limits on the software you can run. You can hack your Linux kernel to do whatever you want. You can disable "secure" features in the software you run. These privileges don't go away when there is a TPM chip. That should put to rest the concerns about the GPL and hopefully end the discussion about who signs what code.
If you're wondering how these two points of view can be compatible, you need to learn more about the TCG spec and the TPM chip. In a nutshell, the TPM chip, with the cooperation of the BIOS and OS software, takes a hash or fingerprint of the software configuration as the computer boots. It can then report this fingerprint to remote servers, if client software requests it. These reports are signed with an on-chip TPM key that never leaves the chip; and this chip has a certificate from the computer manufacturer, so no emulator can fake these reports (called remote attestations).
That's how it works. It's a lot more complicated than refusing to run unsigned code. What it comes down to is that software can report its configuration in a believable and, yes, trustable way. That's the real reason this is called Trusted Computing, not the lie made up by Ross Anderson. It's Trusted because you can Trust the reports from a remote system about what software it is running, and therefore what it will do.
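As an added illustration (not part of the thread and not code from any TCG or IBM software), here is a small Python model of the boot fingerprint and signed report described in the comment above, together with the PCR sealing quoted from the article earlier in the thread. `ToyTPM`, `replay`, `verify_quote` and the sample boot chains are hypothetical names; a shared-key HMAC stands in for the chip's certified attestation signature and a hash keystream for its storage encryption.

```python
import hashlib
import hmac
import os

# Constructed sample boot chains; each byte string stands in for a real image.
STOCK_BOOT = [b"BIOS v1", b"bootloader v1", b"kernel, distro build"]
MODIFIED_BOOT = [b"BIOS v1", b"bootloader v1", b"kernel, locally patched"]


def replay(components):
    """Recompute the PCR a boot chain yields: PCR = SHA1(PCR || SHA1(component))."""
    pcr = bytes(20)  # a PCR is all zeros after reset
    for component in components:
        pcr = hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()
    return pcr


def _xor_stream(key, nonce, data):
    """Toy cipher: XOR data with an HMAC-SHA256 counter keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class ToyTPM:
    """Hypothetical software model of one PCR with seal, unseal and quote."""

    def __init__(self, attest_key):
        self._pcr = bytes(20)
        self._storage_key = os.urandom(32)  # never leaves the "chip"
        # Assumption: a shared HMAC key replaces the certified on-chip signing key.
        self._attest_key = attest_key

    def boot(self, components):
        """Measure each component into the PCR. Nothing is refused execution."""
        self._pcr = replay(components)
        return self._pcr

    def _tag(self, blob_pcr, nonce, ciphertext):
        return hmac.new(self._storage_key, blob_pcr + nonce + ciphertext, hashlib.sha256).digest()

    def seal(self, data):
        """Encrypt data and bind the blob to the PCR value at this moment."""
        nonce = os.urandom(16)
        ciphertext = _xor_stream(self._storage_key, nonce, data)
        return {"pcr": self._pcr, "nonce": nonce, "ct": ciphertext,
                "tag": self._tag(self._pcr, nonce, ciphertext)}

    def unseal(self, blob):
        """Release the data only if the blob is intact and the PCR matches."""
        if not hmac.compare_digest(self._tag(blob["pcr"], blob["nonce"], blob["ct"]), blob["tag"]):
            raise ValueError("blob altered or sealed by another chip")
        if not hmac.compare_digest(self._pcr, blob["pcr"]):
            raise PermissionError("current PCR differs from the PCR at seal time")
        return _xor_stream(self._storage_key, blob["nonce"], blob["ct"])

    def quote(self, challenge):
        """Report the current PCR, authenticated over the verifier's challenge."""
        mac = hmac.new(self._attest_key, challenge + self._pcr, hashlib.sha256).digest()
        return self._pcr, mac


def verify_quote(attest_key, challenge, pcr, mac, trusted_pcrs):
    """Remote side: check the report is authentic and fresh, then apply local policy."""
    expected = hmac.new(attest_key, challenge + pcr, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac) and pcr in trusted_pcrs


def demo():
    key = os.urandom(32)
    tpm = ToyTPM(key)
    tpm.boot(STOCK_BOOT)
    blob = tpm.seal(b"disk encryption key")
    outcome = {"stock_unseal": tpm.unseal(blob)}
    tpm.boot(MODIFIED_BOOT)  # the patched kernel still boots and runs
    try:
        tpm.unseal(blob)
        outcome["modified_unseal"] = "released"
    except PermissionError:
        outcome["modified_unseal"] = "refused"
    challenge = os.urandom(16)
    pcr, mac = tpm.quote(challenge)
    outcome["server_accepts_modified"] = verify_quote(
        key, challenge, pcr, mac, {replay(STOCK_BOOT)})
    return outcome


if __name__ == "__main__":
    print(demo())
```

Data sealed under one boot chain stays unavailable under any other, which is the multi-boot concern raised earlier in the thread; the second system can still seal its own data under its own PCR value, and the remote verifier's accept list is its own policy choice.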
I was ready to start writing pretty much the same thing, now I don't have to (and I hate composing essays more than three sentences long.)
In this scheme there's no single central authority. Everybody decides for himself what software/hardware he trusts. It's pretty hard to enact a law that makes it illegal to trust e.g. anyone but Microsoft. Such move would meet some opposition, especially in countries other than USA.
Think windows file sharing refusing to work with a Samba client, even if they open the protocol, because the samba client was not signed by Microsoft. Or worse, IIS only allowing IE to connect to it. Or most likely, a streaming media server only allowing windows media player. Or a CounterStrike server only working with genuine CounterStrike clients (no cheats). Or an anonymous remailer/onion router only working with identical copies of itself (no logs saved anywhere in the chain). Or a BitTorrent... well, you get the idea.
Where did you get this idea about Longhorn? Just curious. I tried to google and found nothing.
Everyone keeps thinking to steal a key would be hard but all you have to do is use a mathematical elimination algorithm on any CPU so keyed. Since you would have to be able to use it to sign your own binaries or to encrypt data that would inherently vary in length, you just have to use a highly structured set of binary sequences of various lengths equal to known large primes. Eventually the key will expose itself because it becomes a constant factor in whatever it did to extend the encoded prime. It is self defeating. While there are ways to avoid this, they become clear quickly and can be accounted for. CSS got away with this because there were more than one key and the content was huge and variable. The funny thing is that a quantum computer would solve this sort of problem by default. You create a box with only one way out which is the key. Shake a couple of atoms and viola. Finally has anybody thought what would happen if someone bombed the key servers. Talk about end of the world.
You still can modify the source, redistribute the changes etc. You cannot make executables with certain properties, but GPL doesn't guarantee that anyway.
If the TPM is designed according to the TCG specs, you have to manually enable it in the BIOS. Once that happens, then you have to manually allow TSS to interact with it before it will do so. You can choose not to, but then you can't use that software.
So what if "that software" is the only dialer software which is compatible with the only Internet service provider(s) in your geographic area?
Probably an easier way is to have a hacked memory module that lets you change the contents with some kind of hardware interface.
If the memory and all buses in the computer are encrypted, then you're out of luck, but this is not currently in the spec.
I suppose you don't have to re-compile your kernel, I have not, yet.
But many of the things I install need to be compiled. I write my own programs, they need to be compiled as well! This last is the worst fear I have, for 99% of computer users never doing any programming is ok, they just surf the web, send email to each other, listen to music, watch movies. TCPC/TCG will not hurt those who do this in "Association Approved" ways.
Linux is about software innovation, for the 10% of us who write our own programs this is the end. I might as well run Windows XP
Even if I can't re-compile my kernel, who is to say that my programming project of the week does not read the sound interface to re-produce any sound being played by the speakers as an MP3? Clearly for them to be able to "Trust" our computers, we can't be allowed to write any programs.
Too bad they can't "trust" us, so they have to take our computers away from us so they can "trust" them.
When that happens, the "Conservative" Attorney General may just decide to criminalize non-DRM traffic
The Attorney General can't make U.S. laws. Only Congress can, and the Constitution expressly prohibits Congress (or any agency it creates) from denying or abridging freedom of speech or of the press. Having the Internet's root of trust lie with major incumbent publishers would introduce all sorts of free-speech issues.
The issue is not whether you have the right to sign binaries, but whether the user has the right to run unsigned ones.
There is a world of a difference between the user using a signature to verify the source is what they want to run and the computer doing so without the user's consent.
The TCM is designed to tell others the truth about software you're running. Nothing more, nothing less. If you're not comfortable with it, you have the option to be silent
What if all residential Internet access providers in your geographic area suddenly decide to deny IP routing to any machine whose owner exercises the option to be silent?
Now take this a step further, do you think overseas PC makers are going to sell PCs that can only run windows?
Residential users can import PCs, but they can't easily import Internet access. If all residential Internet access providers in your geographic area provide DHCP service only to machines running an operating system and web browser approved by the ISP, then what use is your unsigned build of a web browser?
Yes, if you change the binary it will not run because the signature is broken. Solution: sign it yourself with a key you generate and put that public key into your hardware.
But will your ISP's DHCP server trust that public key and give you a routable IP address?
Your objection to trusted computing all centers around the fact that "many end-users" (i.e., you) want to steal content and traffic in stolen content.
Copyright infringement has little in common with larceny; trespass is a much better analogy for copyright infringement than theft. Just as trespass has a defense of "easements", copyright infringement has a defense of "fair use". If a publisher signs all programs that are permitted to reproduce or perform a given work, then how can the owner of a copy make meaningful fair use of the work beyond what the programs allow?
however when you begin interacting with other software on other computers across the network, be advised that they may use remote attestation to enforce that only clients (or servers) they trust will communicate with them.
And if this includes ISPs, then how is it feasible for a residential user to convince an ISP to trust a customized kernel so that the ISP's DHCP server will issue the residential user an IP address?
I want do be able to reprogram my computer to do new and creative things from my own imagination.
NMPA/Harry Fox Agency owns your imagination. There exist a finite number of distinct melodies in the western musical scale, and a lot of them are taken already. The short story "Melancholy Elephants" by Spider Robinson hints at where this is headed.
Tcpa lets you tell your machine to only run binaries signed by Microsoft. You can also tell it to only run binaries signed by IBM. Or you can tell it to only run binaries signed by debian. Or yourself. Or any combination. You tell it what you want it to do in this regard.
And if you want a routable IP address, your Internet Service Provider tells you what to tell your PC to do.
You mean will they trust my router, and the answer there is yes
Not so fast. When that router can request TPM attestations from the machines behind it and report to the DHCP server whether each machine is "trust"-worthy, then what do you do?
Its called a MAC!!!!!!!!
===== "Every head is a different world so don't invade mine you FREAK!" smartSAGA said
Along with a host of other things. I'm talking about the "kill everything but Microsoft" kind of things.
It's not exactly the same, but you get the idea.
Besides, I have no idea why any ISP would want to do that. What does it brings them, except the need to replace lots of hardware and software?
This is a good point, but what incentive do [ISPs] have to [require TPM attestation in the terms of service]?
Go look up Alsee's posting history in Slashdot articles about "trusted" computing to learn what incentives they have. For one thing, ISPs such as AOL or RoadRunner may be owned by a publisher. For another, some vendors claim that TC would help stop viruses. Alsee explains Cisco's plan, which was endorsed by the U.S. President's cyber-security advisor.
No one promised you an ability though.
Things that are endorsed by the USA government are not necessarily things that are viewed in a positive light elsewhere. This will probably cut off USA from the rest of the world, because the rest of the world doesn't necessarily want foreign corporations to effectively own their networks.
I have no idea why any ISP would want to do that. What does it bring them, except the need to replace lots of hardware and software?
Let Alsee explain.
What makes you think they'll require it? Seriously, what do they get out of it, other than wasting bandwidth signing your damn OS?
How about some homeland security, according to Cisco?
And that's totally aside from the point that there are multimillions of dollars of sparcs, powerpcs, Irix machines, IBM mainframes, and more out there that will still need internet connections.
And let them pay business rates, which will be much higher than the residential rates and which will not be available for connections that terminate on residential-zoned land.
That's OK, I only want to connect to BitTorrent clients signed by Red Hat and Gentoo, and maybe a couple of others. No problem with that.
no representative of the RIAA will install it
Why the fuck would I care? If a representative of the RIAA would install a client that purports to be a genuine BT client but in fact logs traffic and spoofs content, then I would be concerned. Thankfully, with a TCG platform I can ignore such destructive clients.
Why exactly would a "bad-guy" knowingly and willingly execute software that does your will?
If he wants me to connect to his computer, that's his only choice. If he doesn't, he may run what he damn pleases.
ISPs don't necessarily want to buy more stuff. Besides, as I said elsewhere, this will cut the USA off much of the rest of the world. The world is not eager to be pwned by Cisco, even if the U.S. of A. is.
When implemented in Linux using Open Source software, TC gives you new options for securing and expanding the capabilities of your computer.
It also gives ISPs new options for "securing" and restricting the capabilities of their networks. Alsee explains Cisco's plans to have ISPs' routers require TPM authentication before routing traffic.
In this scheme there's no single central authority. Everybody decides for himself what software/hardware he trusts.
And when a leading router maker adds a feature requiring TPM attestation in order to access the Internet, and all local ISPs have turned it on, then how will you connect?
Rather, it is the server that decides whether it wants to talk to you, not your computer deciding what you can and cannot run.
And when the server refusing to talk to your TPM-less network is your ISP's DHCP server, then what?
Fortunately it's not really feasible. Cisco is unable to attest every DSL router/modem, every toaster, every webcam, every fridge, every... you get the idea. And when they don't, and most of these little appliances stop working, there will be an outcry.
I, for one, welcome our new Tibetan Buddhist overlords!
I used the Encryption options on some personal files (the most valuable) on my local Windows XP installation.
Ugh. Some time later I had to do a reinstall of XP. Guess what files were now inaccessible?
Like with most everything Microsoft, I could find no help to fix this problem on the net so I gave up.
Encryption? Nope, not that desperate. Especially when it's just a luring context menu-options, and I don't get to have a key or ANYTHING TO GET IT BACK!!
Handing over your computer to the cretins that gave us DVD regions and then couldn't even implement their encryption properly is a bad move. Someone will come up with a good scheme and then the manufacturers will use a key of all ones or something similarly stupid.
I admit being lazy; could read it myself, but I really don't care about drm/tc on linux.
Do the specs specify the hash function? Is it a well known one? If it suffers the same problems as md5, it may be possible to create an 'untrusted' grub/bios/... with a trusted signature.
Though this might take a while, if something like sha1 is used.
Isn't that the point?
Have soldering iron, will travel.
A hardware hacked machine on a "trusted" network could be impossible to spot. Pretty soon, everyone will be trusting the hardware and MicroSoft will be cutting its corners again, and viral traffic will become part of the overhead and no one will be able to tell.
This kind of thing has to be done at the gate level, which is part of the reason DNA seems overly complex. (And even there, where the "main processing unit" has the ability to override the protections, humans start taking their clothes off in strange places and all the protections break down.)
Computing hardware has become way too complex. It's time to start over, and use some sense as we build this time.
Perfect security is impossible, but each level of the machine should have its own ability to squelch spurious and malignant traffic. (Have to squelch spurious and malignant traffic separately, which is why current ideas for DRM can't work.)
As long as there is some part of the OS in ROM that is not physically part of the CPU chip (no chip sets), a good soldering iron is going to take all this down.
...
So then they think they'll make laws against ordinary scrubs having good soldering irons. Doesn't work with locks, doesn't work with medicine, doesn't work with automobiles,
You can't lock the world down and get anything done.
Let me get this straight. Does that mean that I'll have to run binary releases of the kernel in order for it to be trusted?
What if I compile my own kernel?
What if I change it (Bug fixes, clean ups)?
What if I patch it?
Will the kernel still be trusted?
OK, so every new PC mobo in existence will have a TPM. Do you know that there are lots more things connected to the Internet? Like, um, your DSL router and your IP-enabled webcam? In the future there will be only more. It is impossible to require that all this is replaced, even by residential users, and it is impossible to certify all software that these things run.
What's more, there are tens of millions of old computers everywhere around the world that their owners can't afford to replace. You in the US may have enough disposable income, but that's not necessarily true elsewhere.
Your pres's advisor is full of shit. You can Secure The National Information Infrastructure against viruses and against Terrorist Attack, but that will require sealing your virtual borders. Suddenly, e.g. US universities will not be able to talk to their counterparts in India and Russia and Brasil. Like it's going to happen.
If you can extract the keys, there's no remote attestation anymore and no reason for the chip to exist.
Remote attestation still works as long as no program, running on the computer, can get the keys, regardless of permissions. That way, for example, when some script kiddy roots my bank's webserver, I can ask it, are you running only software the bank signed? And it can say NO! And I won't give that server my bank account info.
On the other hand, the bank could sign whatever binaries it wanted for its own machine, or hack the OS that it was running, and sign the changes, so the NSA wouldn't know that its backdoor had been ripped out....
Laws are horrible moral guides, moral guides make even worse laws.
Remote attestation means that I can reliably know what software you run. NOT that you can convince me that YOU know what software you run. The latter is nearly useless (you might be intentionally running malicious software, but I have no way of knowing it) and can be achieved without any special hardware anyway.
There's no guarantee anywhere that you shall be actually able to use what you get in any way whatsoever. It's even printed IN BIG CAPITAL LETTERS THAT THERE IS NO SUCH GUARANTEE. All you have is some source code, and a promise of the copyright holder not to sue you if you abide by his terms. Got it?
The Vulnwatch alert shows how a Firewire port can directly access system memory, without needing a soldering iron or undoing the case.
Andrew Yeomans
It will most certainly be plugged in the next revision, but it's nice to know anyway.
to secure my Linux box so nobody except me can make modifications to it?
Ask the manufacturer of your TCPA computer if you can have the root key of your machine, printed on a nice paper card. That could not possibly endanger the security of your machine, right? Answer: You can't. They're forbidden from doing it. That, beyond a shadow of a doubt, proves that the TCPA is made to keep you from doing modifications to your machine.
Live today, because you never know what tomorrow brings
that can be compiled into binary
You're making things up, aren't you? It is written where exactly?
The "signed" source, if modified, does not make a usable binary
Of course it does. You can sign it, run it, sell it, bake it, drink it, do whatever you want with it. What you can't do is convincingly misrepresent it to be something else than it is. Guess what, no one ever promised you such an ability, now or in the future.
Those who have bothered to read the spec know TCPA is intended to prevent you (or J Random Cracker) from telling lies about what your machine is running. You can make whatever modifications you like, but you can't then get a TPM to swear that you have not made those modifications. If some cracker has broken into your machine, TPM will not swear to you that you are running the unmodified code you downloaded from someone you have decided to trust. There is nothing to stop you building your own system from (modified) source, then using TCPA to assure yourself that you are running an unhacked copy of your own code.
If you ask your TCPA computer manufacturer to let you sign things in their name, what do you expect them to say? Any trustworthy manufacturer must say no. There is no problem wiping the manufacturer's key and installing one of your own so that you can sign in your own name.
People with a clue will see an interesting challenge in creating a system where you can preserve the chain of trust where you want, but still have freedom to do anything that does not break that chain. It is an opportunity to put control of the trust relationship in the hands of the people directly involved, rather than in the hands of some monolithic and corrupt software supplier.
Can this technology be used to the detriment of users? Of course it can. Is that all it can be used for? Absolutely not. Is controlling the user the main goal? Absolutely not. Will it make it harder for me to lie and cheat? Yes. What's the point of using Linux if it will not let me lie and cheat? Supply your own answer here
However I believe they are totally impossible, for a variety of reasons.
You of course can make modifications to your machine. The chip doesn't disable modification. It's OFF BY DEFAULT, for crying out loud.
Should you choose to enable it, you can convince others that you have an unmodified machine if and only if you actually have an unmodified machine. That's all.
Whether or not a modified machine will be useful is a different question, and totally dependent on what you consider useful. I believe almost nobody except entertainment providers will require remote attestation. Thus, a modified machine will be useless if you want to talk to them, and useful otherwise. But other people have more scary visions, and what do I know?
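The property argued over in the comments above (a machine can attest to an unmodified boot chain only if it actually booted one, while the owner stays free to trust a self-built kernel under their own policy) can be shown with a toy model of PCR extension. This is an added example, not part of the thread or of the TCPA specification: `ToyTPM`, the component blobs and the HMAC standing in for the chip's RSA quote signature are constructed assumptions.

```python
import hashlib
import hmac
import os

def sha1(data: bytes) -> bytes:
    # TPM 1.1/1.2 platform configuration registers (PCRs) hold SHA-1 digests.
    return hashlib.sha1(data).digest()

class ToyTPM:
    """Constructed stand-in for a TPM: one PCR and a key that never leaves the object."""
    def __init__(self):
        self._key = os.urandom(32)  # stand-in for the chip's attestation key
        self._pcr = bytes(20)       # a PCR is all zeros after reset

    def extend(self, digest: bytes) -> None:
        # The only way to change a PCR: new = SHA1(old || digest). No overwrite.
        self._pcr = sha1(self._pcr + digest)

    def quote(self, nonce: bytes):
        # A real TPM signs with an RSA identity key; HMAC is a simplification.
        return self._pcr, hmac.new(self._key, nonce + self._pcr, "sha1").digest()

    def check_signature(self, nonce: bytes, pcr: bytes, sig: bytes) -> bool:
        # Stand-in for the verifier checking the quote with the public key.
        expected = hmac.new(self._key, nonce + pcr, "sha1").digest()
        return hmac.compare_digest(expected, sig)

def boot(tpm, components):
    """Measure each component into the PCR before it runs; return the event log."""
    log = []
    for name, blob in components:
        digest = sha1(blob)
        tpm.extend(digest)
        log.append((name, digest))
    return log

def verify(tpm, log, trusted_digests):
    """Verifier: fresh nonce, check the quote, replay the log, apply its own policy."""
    nonce = os.urandom(16)          # prevents replay of an old quote
    pcr, sig = tpm.quote(nonce)
    if not tpm.check_signature(nonce, pcr, sig):
        return "bad quote"
    replayed = bytes(20)
    for _, digest in log:
        replayed = sha1(replayed + digest)
    if replayed != pcr:
        return "log does not match PCR"
    unknown = [name for name, digest in log if digest not in trusted_digests]
    return "untrusted: " + ", ".join(unknown) if unknown else "trusted"

# Constructed sample boot components.
BIOS, GRUB = b"constructed bios image", b"constructed grub image"
VENDOR_KERNEL = b"vendor kernel build"
MY_KERNEL = b"vendor kernel build + my patch"

def scenario(kernel, policy_kernels, forge_log=False):
    tpm = ToyTPM()
    log = boot(tpm, [("bios", BIOS), ("grub", GRUB), ("kernel", kernel)])
    if forge_log:  # the host claims it booted the vendor kernel
        log[-1] = ("kernel", sha1(VENDOR_KERNEL))
    policy = {sha1(BIOS), sha1(GRUB)} | {sha1(k) for k in policy_kernels}
    return verify(tpm, log, policy)

if __name__ == "__main__":
    print(scenario(VENDOR_KERNEL, [VENDOR_KERNEL]))                # vendor policy
    print(scenario(MY_KERNEL, [VENDOR_KERNEL]))                    # patched, honest log
    print(scenario(MY_KERNEL, [VENDOR_KERNEL], forge_log=True))    # patched, forged log
    print(scenario(MY_KERNEL, [MY_KERNEL]))                        # owner's own policy
```

The patched kernel still boots and runs in every scenario; what changes is only the verifier's verdict, and the allow-list is whatever the verifier chooses to trust.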
Make a bootable CD that checksums your OS partition. Boot from it once in a while. Unplug the network cable and recompute checksums when you modify the OS. There, you just convinced yourself that your system is not hacked.
If you want to detect hackage while the system is running, that's much more difficult, and the TCPA chip can't do it either. So you won't be able to tell if your bank is rooted by a script kiddie, because bank computers don't reboot very often.
If the bank uses remote attestation as proposed by TCPA and only connects to trusted clients, its chances of being rooted will be reduced. But that's beside the point I guess.
Via a masquerading box ?
"Masquerading" is network address translation and port address translation. To get an IP with these Cisco routers, your NAT box will have to be running "trusted" NAT software that can request TPM attestation of each machine behind it.
If by "usable" you mean "able to misrepresent itself" then yes, it's useless. I don't necessarily buy your definition of usable.
Also, define "work". If by "work" you mean "convince others to interoperate by lying about itself", then it won't work. Guess what? I don't buy your definition of work either.
It's your responsibility to persuade others to talk to you. How you do that is not anyone's business but yours.
Here's something I'm wondering about.
;))
No matter whether "trusted" computing means that you cannot run binaries not signed by a 3rd party, or whether it means you cannot run binaries not signed by someone (with a configurable key), or whether it just means that unsigned binaries simply won't be "trusted" (but will still run)... what about scripting languages? The whole debate seems to revolve around the users' ability to sign new binaries (presumably created after modifications are made to the source), but what about languages that don't compile code to binaries, anyway?
Would "trusted" computing mean that it's not possible to write a "trusted" program in Perl, for example? The example of a system administrator in a large network locking down machines so that they can't be taken over (easily) seems to be given often, but what good would locking down machines be if you can't use Perl programs, for example? It may not be a problem when you just have windows-based desktops where you don't expect to run more than outlook, word and excel, but not every large network is like that (and one that solely consists of windows machines probably has more serious issues, anyway).
The problem really is that you have only two choices: either you sign the Perl (or whatever) binaries (in which case any Perl program will, basically, run as a "trusted" application, since from the system's point of view, the script that Perl loads is just another piece of data), or you don't, in which case no Perl program will be trusted at all.
Plug-ins, dynamic libraries etc. may also well be a similar problem; the idea that an application always consists of a single monolithic piece of machine code simply isn't true. Most of the times, it'll be several pieces, and some of those may not even be machine code to start with.
quidquid latine dictum sit altum videtur.
If this price is not paid, then the inevitable reduction in QA (read: assurance of quality, not just quality) becomes much larger and you end up with a cascading system of problems where a developer of component A must worry about Components J,K and L and each of those bringing their own "chaos dependencies" where you may be 0wn3d by the antipathy and lack of discipline of other developers and maintainers.
Compare a mechanic working on a car to working on the average American's garage itself. Most Americans love mess and are not organized or consistent. Finding your way around someone's garage would take considerable time and effort and even once you felt confident that you knew the layout then guess what? The home owner decides to move things around or simply just throws more "stuff" into disarrayed piles to add to the chaos. A car on the other hand uses for the most part, standard parts, measurements, and devices that in turn can be utilized by standard tools, knowledge, and methods.
Linux can be helped by this initiative if it points out the flaws and people learn to adjust and make Linux better. The alternative would be for TCPA to make such massive adjustments to its requirements as to render it useless and well... untrusted.
Linux is Linux is Linux. The inconsistency inherent in it does it only harm when security minded folks want to use it. Keep in mind here I use the term Security, not device or service hardening. Security is much more than the sum of the devices and services being managed. Repeatability and internal predictability are key to a successful security implementation. A small group of 1337 folks who cobbled together some systems is the equivalent of our mechanic friend swapping out standard parts (and interfaces like pedals and the steering wheel) with home brewed solutions that only he and perhaps some other niche folks know about. Take that and then weld not just the parts together but weld plates at irregular intervals onto and around the parts. Ensure that the end system requires significant learning curve and in-depth study instead of smartly using what works and focusing on implementation details that can be as unique as you need them to be.
Gentoo of all distros (with the exception of Linux From Scratch) is a prime example of this disorderly chaos. Now if Gentoo (or any distro) works hard at reducing the inconsistency, reducing the knowledge required, thoroughly testing various configuration pathways and DOCUMENTS them clearly for admins and users, then that is a start in the right direction. Sorry, forums are not documentation. Bugzilla is very limited and especially becomes hamstrung from lack of proper, descriptive updates.
It is HIGHLY ironic that Gentoo would be the source of any article detailing any sort of initiative with "trust" in the name. I can not TRUST that my emerge updates will work. I can not TRUST that the packages will compile at all, much less work correctly on my system. I can not TRUST that proper QA has been done that will reflect my particular environment (because everyone has different components and versions thereof). And here is the key: I can not TRUST that when I get the very inevitable system borking failure from using emerge or any of its associated tools, that I will find useful and AUTHORITATIVE information on how to fix it. I should not have to google and search for days just to find some ra
As many are aware, whether you speak of binary linking (where appropriate), configuration or the internal code you always have that issue with instability bringing about insecurity. It can also be said that bad interfaces (unintuitive, doesn't mesh with existing standards, etc) lead to unstable and insecure systems as well.
Therefore, it is correct to say that in order to have any sort of initiative to provide a super-level of trust and assurance for a system then it first must establish a basic level of quality. It is important to remember that you don't simply point at one iteration of a system/product and say, "Yes we have a quality (much less a trusted) initiative" regardless of whether or not that particular stand alone iteration meets your criteria.
As a consumer (end user, administrator and even developer) I require "trust" to be established in the entire organization which encompasses the processes, policies/procedures and the mentality of entire development community.
What this all goes to say is, "Has Gentoo (or any other) established a system of quality?" No I do not mean do they have folks in positions called, "QA." Gentoo along with distros like Archlinux and LFS (which usually call themselves a "meta-distribution") are by their very nature more prone to instability. Don't get mad... reality is not opinion based it is observation wrought. So, we need to ask if there is a granular method of programmatically tracking the possible hardware and underlying software configurations relative to each other. Basically, if I want to install package X, what (using Gentoo) hardware, software, and configurations/settings has it been tested with and what were the results of those tests. Add in USE Flags, compiler settings, etc and you have a very complex and hard to manage system. Therefore instead of whining about it and giving up, a smart distro will work on ways to manage this. An even smarter solution is for several distros to support an independent project for tracking this. (More eyeballs and all that.)
So, is there a "Gentoo Quality Assurance Initiative" that is established now? No. (again, saying you have QA is not the answer to this and if your system is flawed then you must accept that your initiative is therefore flawed and not consider it complete until it itself is fixed.) Remember that words like Assurance (as in QA) and Trusted require proof and are always trumped by reality and facts. If I can not depend on Gentoo or any other system to work without fuss and "just work" then I have no assurance or trust in it. Obviously this implies that I am using "stable" combinations as detailed by the only system of tracking these... the ARCH and USE flags. There is no salient system (and doesn't seem to be any interest to develop one) where I can first query on how the possible stable (or even better by varying degrees of stability) builds of my system... beforehand. Then I must, upon attempts to install or configure the system, also be able to have the package and system management system guide me in creating a stable and secure system. Yes, a distro MUST provide robust management capability for even configuration of the system. This goes well beyond current package management. It must be consistent in look, feel, and workflow across the board and factor in that external apps and components will be on the system. External here meaning outside of the standard package manager. It is also wise to work WITH other package managers in a way that each of them read the same database (conceptually). Both of these extensions would therefore require a flexible management system that does not have to be gutted when expansion or changes are necessary. That is what separates the engineers from the hackers.