Slashdot Mirror


No More Internet Anonymity

inkhaton writes "This Article tells of an Orwellian chip that, once installed in your computer (and not by your choice), will allow any website you visit to "read" your identity. The article goes on to describe how many benefits there are for using this to facilitate online business and even suggests some negative points. It ends with "Ultimately the TPM itself isn't inherently evil or good. It will depend entirely on how it's used, and in that sphere, market and political forces will be more important than technology." ... ugh. Well we all know what that means."

95 of 740 comments

  1. Real Identity? by mysqlrocks · · Score: 4, Insightful

    Your real identity or someone who used your computer while they were over your house, or someone that borrowed your laptop?

    1. Re:Real Identity? by ArchAngelQ · · Score: 5, Insightful

      Or the 3117 haxor who used the latest TPM chip crack to change their TPM ID to be the same as yours, which they got from the worm that still can get installed on your machine...

    2. Re:Real Identity? by Dysproxia · · Score: 2, Informative

      According to the article, the identity of the person that last booted the PC. Unless someone else knows the password. Or can fool the fingerprint reader.

    3. Re:Real Identity? by 0olong · · Score: 2, Interesting

      Not to mention: stolen hardware, secondhand hardware, rerouting/spoofing techniques, etc.

      Identity thieves will have a long field day..

    4. Re:Real Identity? by incubusnb · · Score: 4, Insightful

      that's what the Library is for. Unless, of course, it becomes law that all public terminals require a fingerprint or retina scan before use to guarantee that the user is known.

      if things keep going this way...

      --
      /. is overrun by bed-wetting elitist nerds
      let it be known, for anything other than servers, a *nix OS sucks
    5. Re:Real Identity? by shoffsta · · Score: 5, Funny

      Or the 3117 [sic] haxor who used the latest TPM chip crack to change their TPM ID to be the same as yours, which they got from the worm that still can get installed on your machine...

      Well I've heard of people misspelling words, but who's heard of somebody misspelling a number? It's called 1337, dude.

    6. Re:Real Identity? by c_forq · · Score: 2, Funny

      He could have been going for 31173 (elite) and just missed the last 3, judging by the UID he was probably around before it was shortened.

      --
      Computers allow humans to make mistakes at the fastest speeds known, with the possible exception of tequila and handguns
    7. Re:Real Identity? by Anonymous Coward · · Score: 2, Insightful

      Exactly. And the moment this happens to anyone, the whole "trusted" part of the acronym becomes just so much bullshit. If there's a company stupid enough to implement some of the ideas in the article ("No more password and user name at the bank's website, just your TPM ID!"), and I know there is, then the worst that will happen is that we'll all have a nice chuckle while we watch everyone involved frantically apologize and backpedal.

    8. Re:Real Identity? by Poltras · · Score: 3, Funny

      I think he DID want to say ellt, in leet speech. Maybe I'm mistaken :P

    9. Re:Real Identity? by StikyPad · · Score: 3, Funny

      someone who used your computer while they were over your house

      Damn those wi-fliers!

    10. Re:Real Identity? by ArchAngelQ · · Score: 5, Insightful

      The real point of my above comment was: This system is effectively worthless until the fundamental security issues surrounding general use computers are resolved to a better state. It is likely an unsolvable problem as long as 'computers' remain general use computational tools, as general use includes all of the abilities needed to circumvent even the best security. Perhaps not in a timely fashion, which is what has generally been relied on.

      Implementing this in hardware means that it's inherently less adaptable than software. Which means software will be able to adapt around it. Perhaps not in the machine itself, but it's just data out. It should be trivially easy to man in the middle your own outgoing datastream to be able to incorporate any TPM data you want, likely possible even without additional hardware.

    11. Re:Real Identity? by kamondelious · · Score: 4, Interesting

      Or perhaps all the 1337 h4x0rz will just do what they already do, sniff the traffic, steal some IDs and use them. Why does it matter if this is a TPM or your username and password?

      SSL is a pretty secure method for doing web-transactions. It's not perfect, but a TPM isn't going to make things any better. You can still hack around SSL if you know how to use Google effectively for research.

      Once you know the method for how the server shakes hands with the TPM you can usually spoof it. Not to mention this would be a publicly available process so that all the webmonkeys of the world would know how to build a "secure" site with it. Even if it wasn't readily available to the public, it'd still be like trying to movie or software piracy. Where there's a will there's a way.

      And what this guy said too :
      http://yro.slashdot.org/comments.pl?sid=171227&threshold=1&commentsort=0&tid=95&mode=thread&cid=14261329

    12. Re:Real Identity? by Tony Hoyle · · Score: 2, Insightful

      The chip might be hardcoded, but the thing that reads the chip is *software*, which is definitely not hardcoded.

      I'd give it a week.

    13. Re:Real Identity? by hokeyru · · Score: 2, Interesting

      When all the new computers have TPM chips, and old Dell Optiplex 150s and P2 laptops cost more than a car, my parents are going to eat their words regarding my computer collection in their garage.

    14. Re:Real Identity? by kesuki · · Score: 5, Informative

      no i think he was more going for e-lit short for e-literate, which is basically like another way to say skript kiddie.

      these kids these days they're all e-literate and don't know how to hard code a crack in asm after having reverse engineered all traces of the hooks and calls from a compiled binary full of traps to make reverse engineering more difficult.

      microsoft has made it far too easy, back in the day if you wanted to steal someone's data, you had to lug a 20lbs reel to reel magnetic tape, pull it over to a duplication mainframe and copy the contents onto another blank 20lbs reel to reel magnetic tape AND it Still only held 20 Megabytes AND WE LOVED IT.

    15. Re:Real Identity? by MysteriousPreacher · · Score: 2, Funny

      Don't drink tap water either, go for imported bottled water. It's the only way to avoid the mind-control drugs. Lucky I have a well outside my remote wooden shack in Montana so I'm okay.

      --
      -- Using the preview button since 2005
    16. Re:Real Identity? by Crayon Kid · · Score: 4, Insightful

      Identity thieves will have a long field day..

      I second that. The more perfect you consider an identification method to be, the more perfectly you will be fooled by a fake.

      --
      i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
    17. Re:Real Identity? by lowrydr310 · · Score: 2, Funny

      "It's incredibly obvious, isn't it? A foreign substance is introduced into our precious bodily fluids without the knowledge of the individual. Certainly without any choice. That's the way your hard-core Commie works."

    18. Re:Real Identity? by Your Anus · · Score: 4, Insightful

      Yeah, that's great except you might use several different machines on a particular day (home computer, work computer, cell phone). You might also have to replace your machine one day.

      Unless you carry around an implanted chip, how is the bank going to know it's the "real you?" Maybe they have a whitelist, or maybe you have to go through some verification process the first time to tie the machine to your account or something, but it sounds a bit hokey.

      One other thing that gets me is how does the bank know your computer has a TPM chip. It can ask, but it has to trust that the computer will answer truthfully. If you set up an intervening program that says, "Sure, I have a TPM chip. You can trust me!" and then emulate the TPM, with a fake ID of course, I don't see how the bank can tell the difference. If I can think of that, there's already a bunch of hackers who have, and they are all saying "Excellent" in their best Mr. Burns voices.

      --
      In the USA, we like stuff watered down, like beer, television, and freedom.
  2. My ID by superpulpsicle · · Score: 4, Funny

    Aren't we all Testuser from Beverly Hills, CA 90210 at test@aol.com?

  3. Good or evil? by blackraven14250 · · Score: 2, Insightful

    Is any technology inherently good or evil?

    1. Re:Good or evil? by incubusnb · · Score: 2, Interesting

      technology is neutral, it's the people controlling the technology that choose a side.

      i'll guarantee you the biggest backing for this technology comes from the RIAA, MPAA and the CIA

      --
      /. is overrun by bed-wetting elitist nerds
      let it be known, for anything other than servers, a *nix OS sucks
  4. It's even worse! by Anonymous Coward · · Score: 5, Funny

    Your computer may be broadcasting your IP address to the world as we speak! Or so I've heard.

    1. Re:It's even worse! by mikiN · · Score: 2, Funny

      Please go one better than that, use proxy-hopping point-to-point encrypted tunnels between all hosts that trust each other. Basically route an alternative Internet over the old one, leave the rest to the spooks, who will never be able to figure out who's talking to who unless they are able to map all internet traffic in real time.
      Key-exchange and detection of MITM attacks remain problems but these can be solved, perhaps using some information theory from quantum cryptography.

      --
      The Hacker's Guide To The Kernel: Don't panic()!
  5. really by robpoe · · Score: 4, Funny

    My TPM will have the following information.

    Richard Cranium
    9191919 Nunya Street
    Overstock, MO 64999
    901-555-5555

    And if I can't do that .. then I guess it's back to my C= 64...

    --
    = Grow a brain...
    1. Re:really by Lehk228 · · Score: 4, Funny

      And if I can't do that .. then I guess it's back to my C= 64...

      i think the C - 4 will work better.

      --
      Snowden and Manning are heroes.
  6. Question is by obeythefist · · Score: 4, Insightful

    This is a lot like the MP3 market -

    We already have systems that work fine without this invasive technology - just like we already have MP3 technology for making nice MP3 files to listen to and download.

    Why then would we pony up more cash or change the way we connect to the internet just for the sake of adopting this new technology?

    These approaches for more DRM and more end-user-ownership by the corps are almost always stick and almost never carrot.

    --
    I am government man, come from the government. The government has sent me. -- G.I.R.
    1. Re:Question is by Tim C · · Score: 2, Insightful

      Why? Because your current PC isn't going to last forever; sooner or later, you'll have a choice - buy one with this module, or do without entirely.

  7. just about time for revolution, don't ya think? by incubusnb · · Score: 2, Interesting

    Privacy doesn't exist regardless of what "laws" are in place. the Constitution (U.S.A) and Charter of Rights and Freedoms (Canada) have been violated over and over again with little to no repercussion. Politicians and other people with power use the most important documents in the "free" world to wipe their collective asses with. people aren't voicing their rights anymore...

    DEMOCRACY IS DEAD!

    where's the lineup to join the liberation front, it's time for a revolution!!

    --
    /. is overrun by bed-wetting elitist nerds
    let it be known, for anything other than servers, a *nix OS sucks
  8. duh by stoolpigeon · · Score: 5, Insightful

    Ultimately the TPM itself isn't inherently evil or good.
     
    I'd like to hear of any inanimate object that is inherently evil or good. Nuclear bombs aren't inherently evil or good, it's just how you use them. Otherwise they just sit there.

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    1. Re:duh by stoolpigeon · · Score: 2, Funny

      Depends on how you use it. If I took the big German family bible my family keeps and beat someone to death with it, that would be bad. If I was in a plane crash in the Andes and used the Necronomicon to cook up dead passengers to save the living, that would be a good use.
       
      Otherwise it's just bound paper sitting there until someone picks it up and does something with it.

      --
      It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    2. Re:duh by metlin · · Score: 2, Insightful

      But see, there is a difference.

      A nuke can be used for only one thing - cause destruction. The only positive use it might have is to threaten the other person with destruction. It has been created with the specific purpose and intent of causing mass destruction, and nothing else.

      On the other hand, a tool like this is genuinely built with the idea of being useful. Can it be misused? Yes. Can it be used to cause harm? Yes. But can it also cause good when used right? Yes.

      No matter which way you look at using a nuke, you end up killing people and destroying large areas. That is definitely not true for a tool like this. It is not built with the explicit purpose of destruction, rather, it is built with the explicit purpose of facilitating something.

      That something is up to you.

      Using a nuke is evil. Period. It does not matter what your justifications are, unless you're blowing an asteroid out of orbit or something equally improbable, the nuke has been built with the explicit goal of threatening people with destruction. Same goes for a gun - it does not matter that it can protect, it still is built with the purpose of ending life.

      You cannot say that about, say, a pen. Can I kill someone using a pen? Sure. But can I also do good? Absolutely. It is not built with the intent of causing harm, rather, it is built as a tool to facilitate something.

      That is the difference. And that is where your nuclear analogy fails.

      Cheers.

    3. Re:duh by intnsred · · Score: 3, Insightful

      I'm glad it was Harry Truman and not you who made that decision in 1945.

      Why? We're not really going to trot out that rubbish about needing to use nukes against Japan, are we? A few points to consider:

      * Before the US dropped nukes, Japan was already sending out requests for peace through several countries. The sticking point was that the Japanese wanted to keep Hirohito as a figurehead emperor -- the exact same deal the US privately agreed to.

      * Before the US dropped nukes, Japan was so defeated that the US could park battleships off the Japanese coast and shell at will -- without response.

      * The much quoted figure of "1 million" US casualties in the event of a Japanese invasion is sheer fiction. The War Department put the figure at two hundred thousand casualties (horrific yes, but certainly not 1 million).

      * General Leslie Groves, military commander of the WWII Manhattan Project to build an atomic bomb, said bluntly, "There was never, from about two weeks from the time I took charge of this Project, any illusion on my part but that Russia was our enemy, and the Project was conducted on that basis."

      Nutshell summary:

      We dropped nukes on Japan in WWII for two reasons: to see them work in action and, more importantly, to show the USSR that we can and would use them.

    4. Re:duh by Jonny_eh · · Score: 2, Informative

      Just as much as I can't say that the bombing of Hiroshima wasn't necessary to avoid an invasion of Japan, you cannot say that using the bomb saved allied lives by making an invasion unnecessary.

      MAYBE if the Americans decided to allow the Japanese to keep their emperor before they dropped the bomb, and not after they dropped the bomb, things would have been different.

      Notice the 'maybe', no one knows!

      For a good read on the subject, look here: http://www.doug-long.com/hiroshim.htm

    5. Re:duh by Vellmont · · Score: 2, Insightful

      Nice to see such black and white arguments like:

      Using a nuke is evil. Period.

      But then you say....

      unless you're blowing an asteroid out of orbit or something equally improbable

      So it's evil. Period. with the exception for times when it isn't. Either it's "evil. period" or it's not. You don't get to make exceptions. That's what that whole "period" business is about.

      Nuclear weapons aren't terribly useful, it's true. At one time people were considering using them for mining operations. I believe that turned out to be fairly impractical. One could argue that possessing nuclear weapons has led to greater stability of the world. I don't know if that's a very sound statement, but it's something to consider. What I'm getting at is that nuclear weapons are a tool of deterrence. There hasn't been a major world war since they were invented (that is rivaling WWI, WWII, etc). That's pretty much the limit of the use of nuclear weapons. There's a LOT more ways to use nuclear weapons in a bad way than a good way.

      But, getting back to the analogy I think it's a good one. TPM, like nuclear weapons is far more likely to be used for evil than it is for good. People make the argument about how "objects aren't inherently good or evil, it's how you use them" and that's obviously true. I think this argument really misses the point. The question we want answered is "should I create this tool?" not "is this tool good or bad?". A vaccine against smallpox can mostly be used for good things. I suppose you could use it to vaccinate some people and not others, then release smallpox, but that's unlikely.

      So, what I'm getting at is the argument that "it's just a tool" is a load of garbage. All tools aren't equal in what they can do.

      --
      AccountKiller
    6. Re:duh by jcr · · Score: 2, Insightful

      We're not really going to trot out that rubbish about needing to use nukes against Japan, are we?

      Depends on your definition of "need". Truman was faced with the choice between using the nukes, or mounting an invasion. His duty was to defeat Japan with the minimum number of Allied casualties. The fact that he saved a lot of Japanese lives as well was a bonus.

      Japan was so defeated that the US could park battleships off the Japanese coast and shell at will -- without response.

      That was the case in the invasion of Okinawa and several islands before that as well, yet the Japanese managed to inflict heavy casualties on the landing troops.

      We dropped nukes on Japan in WWII for two reasons: to see them work in action and, more importantly, to show the USSR that we can and would use them.

      In your opinion, some sixty years after the event. Since it was Truman, not Groves, who gave the order, Groves' opinion is quite beside the point. Truman said he ordered the use of the atomic bomb to end the war, and I take him at his word.

      Even after the bombs, the "let's fight to the last man, woman or child" faction still came dangerously close to taking over the Japanese government.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    7. Re:duh by intnsred · · Score: 2, Interesting

      What was it?

      It's the same one I have now, a link to ReOpen911.org.

      To your last point, yes, anyone who believes that the US was complicit in 9/11 is an idiot, regardless of how many people share the delusion.

      That's illogical. First, calling millions and millions of people "idiots" speaks for itself. But humanity's basis of defining reality is when people accept something as fact. We have no scientific proof of God, but does that make all religious believers "idiots"? Ignoring the philosophical aspects, there are many, many questions about 9/11 that remain unanswered.

      Looking at it historically, we know that the US gov't has deliberately lied to the American people to start wars. We also know that the highest echelons of the US military have advocated killing Americans in large numbers in order to whip up popular support for their desired war.

      We know that during the 80s, a pseudo-gov'tal group who Bill Moyers -- he himself involved in LBJ's Vietnam-era lies -- called the "secret" or "shadow" gov't did not hesitate to break US and int'l law to wage a war of terror with mostly surrogates. The shadow gov't's "punishment" was a presidential pardon.

      We know from testimony of some of Bush's highest advisors (e.g. Paul O'Neill) that Bush wanted to go to war with Iraq since his first days in office. We also know firsthand (i.e. Richard Clarke) that Bush did not want to go to war against Afghanistan after 9/11, but instead wanted to invade Iraq.

      Recent history tells us many things about 9/11: that Bush himself publicly lied about seeing the first plane hit the south tower, that Condi Rice's Sep. 2001 promise to the world to show evidence that Bin Laden committed the attacks is still unfulfilled, and that the WTC leaseholder's claim of accomplishing a demolition of WTC building 7 during a terrorist attack (which is what he claimed in a PBS interview) is highly implausible.

      There are dozens and dozens of valid, huge and very important questions which remain about 9/11.

      The laughable whitewash of an investigation, the official "9/11 Commission", certainly did not answer any serious questions. That investigation was funded with far less than the gov't spent on Clinton's Whitewater investigation, consisted only of people selected by Bush, and had the scope of their investigation limited to only what Bush wanted investigated.

      It's long past time for a fully-funded, independent investigation into 9/11.

  9. Mark of the Beast by Anonymous Coward · · Score: 4, Funny

    How else will the Anti-Christ keep track of you, and keep you from buying or selling? However, the mark is supposed to be in your forehead or palm of your hand. OK implanted RFID chips then.

  10. i like it by antiaktiv · · Score: 5, Insightful

    (In fact, with TPM, your bank wouldn't even need to ask for your username and password -- it would know you simply by the identification on your machine.)

    Now the people who break into homes don't have to sift through dirty underwear to maybe find a few crumpled up dollar bills, they can just turn on the pc and transfer a couple of bucks into their bank account. Aaah, the modern age.
  11. Pansy article by alex_guy_CA · · Score: 3, Interesting

    How blandly can someone describe something evil? Well, let's see!

    I'm so mad I can't type. The idea that something can be put into a tool that I buy whether I want it or not, and then we will see if my privacy invasion is good or evil later makes me want to throttle someone.

    The tone of the article gives me a good idea of who to start with.

  12. Any power will be abused. Mod redundant. by shanen · · Score: 5, Insightful

    Not just this post, but the thread. Actually, I think this is already a 'design feature' of IPv6, and that's coming, too.

    Anyway, I'm not sure there will be any such thing as privacy in the near future. Right now it's already becoming a luxury good, and pretty soon only millionaires will be able to afford it.

    There is a solution, but no guarantee we'll reach it. We need to define an individual's personal information as belonging to that individual, and any use or reference to that information should only be with permission, and based on some good reason. To put actual teeth in such a legal principle, I think it needs to be coupled with a right to store your own information (presumably on your own computer). Without such a basis for protecting privacy... Well, you'd better get used to appearing all over the Internet when you least expect it.

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
  13. Tin foil router by blueadept1 · · Score: 3, Funny

    Tin Foil Router! Limited time! $99.99 with 802.11X! Stop those nasty data packets from going through to the websites you visit! www.x10.com

  14. This would make encryption mandatory by republican gourd · · Score: 4, Insightful

    This will never fly, and not for the reasons we would hope for.

    Here are the scenarios:

    1) Chip reports stuff, but data stream is wide open, so middlemen can change whatever they want.

    2) Chip reports stuff, but with shitty encryption so the gov't can still do its wiretaps and echelon won't break. System is hacked within a couple days and the whole 'chip' idea becomes worthless.

    3) Chip reports stuff, but with robust encryption. The site you are talking to knows who you are, but people between you and them can't sniff your actions other than knowing that 'some sort of communication took place'.

    Plus variations. This could actually make webs of trust (a la the direction that Freenet appears to be going) more secure, since you know that your neighbors haven't been man-in-the-middled.

  15. Old News by TheSpoom · · Score: 5, Informative

    But good to see the mainstream press catching up to it. This chip is part of a larger effort by major software developers and hardware manufacturers to mostly stop piracy in all forms and control what you can do with your computer and when.

    Read the TCPA FAQ, and take a look at Against TCPA, an anti-TCPA site if you're interested. For an alternate perspective, you can also view the official Trusted Computing Group site.

    Personally, I hate it, I don't think it will succeed, and I will *never* buy a computer with such a module installed.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  16. This only works if hackers play by the rules by artemis67 · · Score: 5, Interesting

    Of course, all a hacker needs to do is keep an older model x86 or PPC system around. Obsolete computers are a dime a dozen, and you can keep them running for decades.

    And we are moving closer and closer to disposable PC's, anyway. In less than ten years, I predict that brand new, complete systems will be selling for less than $50. Got my computer's ID? So what, I throw away my computer every month!

    1. Re:This only works if hackers play by the rules by Skreems · · Score: 5, Interesting

      You could basically even do this today. Most pieces of your system will not be labeled. Presumably it's just the CPU and/or Motherboard that have this ID crap in them. If it's just the motherboard, you can swap that out for $70 every couple months, and anything but top-shelf CPUs aren't that much more expensive.

      The truly ridiculous thing about this is, it doesn't even put a dent in the cybercrime it's supposed to prevent. If you can get your system without giving up your identity (steal it or buy it through someone who "loses" records), and don't report your identity truthfully to anybody while using it, you're still just as anonymous as now. And if they come to get you, you just have to thermite one specific spot on the mainboard as well as the hard drive like you would today. Bam, all evidence gone. And until that day, you're free to molest six year olds and use stolen credit cards to your heart's content.

      There are so many easier ways of preventing these problems than to try to force an ID on everybody. Make one-time disposable credit card numbers a mandatory feature. Consumers will use it because it saves them the hassle of cleaning their credit report after fraud. Hey, look! We can cut down on fraud by creating MORE anonymity, rather than less. Or how about the banks making websites that enforce strong password standards? How about ANYthing except a system that's even MORE transparent to the end user, and thus easier to crack?

      --
      Slashdot needs a "-1, Wrong" moderation option.
      The Urban Hippie
    2. Re:This only works if hackers play by the rules by photon317 · · Score: 2, Interesting


      The way they plan to force this issue is that after X% of the market is DRM/TCPA-enabled, content providers will start only serving content to DRM/TCPA customers. The first day it'll be like, "Well, I can still use my old-school machine, just not to view CNN.com", and eventually a year or three down the road you won't be able to view any content from any major corporate providers. At least that's the plan. I suspect if they even get that far down the road, the anti-DRM/TCPA public community will largely replace those resources anyways.

      --
      11*43+456^2
  17. Pentium 3 by marshac · · Score: 2, Informative

    Sounds like the flopped unique ID that came on the P3 chips... we all know how successful that was.

  18. Re:So what by raventh1 · · Score: 2, Insightful

    Where there is a will there is an option.

  19. Re:So what by ZachPruckowski · · Score: 2, Insightful

    If you don't like it then don't buy it.

    1) People likely won't know about it, and Joe Average will just buy it with his computer not realizing the problem and risks.
    2) There are only so many hardware providers. What happens when they all carry it? Unless you like to build your computers from scrap, you'd be stuck with it. And at some point, they'll just start carrying them on all processors or something. This was made by an alliance of AMD, Hewlett-Packard, IBM, Microsoft and Sun after all. If Intel joined the fray, the computing world would be sunk.

  20. That means.... by cparisi · · Score: 3, Funny

    I can't look at porn anymore :(

  21. Hardware Cookie? by Groucho · · Score: 5, Funny

    I suggest we refer to this hardware cookie as a shit biscuit.

  22. latter-day cryptanalysts? by thatguywhoiam · · Score: 4, Insightful

    There is a solution, but no guarantee we'll reach it. We need to define an individual's personal information as belonging to that individual, and any use or reference to that information should only be with permission, and based on some good reason. To put actual teeth in such a legal principle, I think it needs to be coupled with a right to store your own information (presumably on your own computer). Without such a basis for protecting privacy... Well, you'd better get used to appearing all over the Internet when you least expect it.

    I've been thinking about this; the problem is the legal route to this is pretty much a nonstarter already. But maybe there is a loophole; I think we should all start a church. The Church of the Super Paranoid, or something like that. That way we could cry religious persecution if intrusive privacy-stealing measures are used against us. I'm certain I would have no problem convincing a sizeable chunk of the Slashdot population to swear and affirm (on a stack of punched cards) that their right to crypto and absolute mastery over who sees their porn stash is both vital and indispensable to the very core of their identity. I think it could work.

    At the very least, the crazy fundies will lobby for laws that would help us... :0

    --
    If Jesus wants me it knows where to find me.
    1. Re:latter-day cryptanalysts? by clickety6 · · Score: 2, Funny

      err.. what information would you require for me to join this church? Are a false name and a false social security number acceptable? Otherwise I ain't joining!

      --
      ----------------------------------- My Other Sig Is Hilarious -----------------------------------
  23. I'll be setting up a concession stand ... by OpenMacNews · · Score: 3, Funny

    ... selling desoldering stations, tin-foil hats and faraday-cage panic room kits ...

  24. How is that related to this? by quickbasicguru · · Score: 2, Insightful

    I fail to see how this is like Communism.

    This relates to Fascism much more than Communism.

  25. Re:So what by The+Warlock · · Score: 2, Interesting

    Intel is in on it (and has been for far longer than AMD). As are dozens of other companies. NBC simply didn't have room to list them all.

    --
    I've upped my standards, so up yours.
  26. If you have no IP, then what? by tepples · · Score: 2, Informative

    Why then would we pony up more cash or change the way we connect to the internet just for the sake of adopting this new technology?

    Because there are only two companies that control the last mile in your area, and they have both made a working TPM a condition of obtaining residential Internet access through them.

  27. Interesting. Are you sure? by Jerk+City+Troll · · Score: 2, Interesting

    Nuclear bombs aren't inherently evil or good, it's just how you use them. Otherwise they just sit there.

    But what is their purpose? We cannot simply evaluate things by their inert state. We also have to factor in their reason for being. A gun isn’t made just for the purpose of propelling an object at high velocity in a particular direction (there are superior devices for doing that), it is intended to destroy something as a result.

    This type of thinking might be carelessly superficial in some circumstances. You are right to an extent, but that should not keep you from further consideration.

  28. ... and look how well that turned out! by ragingmime · · Score: 4, Interesting

    Intel quickly made the serial number disabled by default, and few web sites ever started using it. If people *really* have issues with such a system, they won't use it, and they won't buy products that require it. If they don't buy it, companies won't sell it. If it's an issue, media attention can get people to vote with their dollars and keep it from being a standard. The only thing that worries me, though, is the Microsoft comment. If somehow Windows requires this system, it'll become a de facto standard. But MS has trodden pretty carefully so far - e.g., restrictions on how often you can activate a copy of Windows are pretty lenient. But we'll see if that holds. Even still, though, MS won't want to make consumers buy new PCs or accept something they don't like in order to buy the new Windows for fear of losing business. So it comes down to whether people really oppose this or not.

    --
    I produce electronic music and write little games. Have a look.
    1. Re:... and look how well that turned out! by 6*7 · · Score: 2, Insightful

      " Intel quickly made the serial number disabled by default, and few web sites ever started using it."

      It is not like the CPUID is the only part of your system that has a unique ID. Just think about the hardware address of your network card. Sure some people change them but very very few change them periodically and with the introduction of IPv6 and its automatic address discovery soon everybody will know your MAC.

    2. Re:... and look how well that turned out! by MikeFM · · Score: 2, Interesting

      But changing the MAC address is easy. With what M$ is trying to shove down consumers' throats your entire PC will be under the ever watchful eye of Big Bill. Supposedly impossible to bypass for the average joe and a full watch dog from hardware to software to media to network - in theory at least. Probably the last step needed to completely drive me away from Microsoft products but meanwhile the average non-geek will either not know or just bend over and take it.

      --
      At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
    3. Re:... and look how well that turned out! by Alsee · · Score: 2, Informative

      MS won't want to make consumers buy new PC's or accept something they don't like in order to buy the new Windows for fear of losing business.

      The next Windows release, Vista, is already documented as requiring this. All hardware manufacturers have been extorted into implementing this Trust system simply by Microsoft announcing that noncompliant hardware will simply be incompatible with the next Windows release.

      As for losing business, virtually all OS sales are sold pre-installed on brand new machines. This simply means that no one can afford to manufacture or sell new PCs that aren't compliant. With the release of Vista all new PCs will have the new "enhanced" hardware.

      There was even a slashdot story a while ago about new DRM enforcing monitors. Vista will not work in full featured highres mode unless you buy a new cryptographic DRM enforcing monitor. Oh, most stuff will still work with a normal monitor... but playing DVDs or watching movie downloads... won't work without the new monitor, or it will only work in low res mode.

      If people *really* have issues with such a system, they won't use it, and they won't buy products that require it.

      John Q. Public will go through a McDonalds drive through with his kids and get them a pair of happymeals. One will have a FREE CD(!) with Britney Spears' latest songs, and the other will have a Spongebob Squarepants computer game. And neither of the CDs will work on a normal old OBSOLETE computer. The kids will whine and whine and whine asking why they have a crappy old computer, and asking why the disks don't work here when they do work over at their friend's house on their shiny new ENHANCED computer. And computer-clueless mom and dad will go out and buy a new ENHANCED computer just to get the bloody FREE CDs to work and shut the damn kids up.

      And the new Trust chip isn't just an ID number. It is an all encompassing DRM-enforcement system that denies you control of your own computer. It not only sends an ID number, it can transmit a spyreport of all your hardware and exactly what software you are running - and you are denied any control over this spy report. This is called "Remote Attestation". It also locks your files so that you cannot read or alter them, except as permitted by the Trust chip. If you attempt to modify your software, you again get locked out of your files. This is called "Sealed Storage".

      The Trust chip has the computer master key locked inside and you are forbidden to know your own key. In fact the chip is boobytrapped to self destruct if you attempt to get at your key and regain control of your computer.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  29. Routing Around the Damage? by femto · · Score: 4, Interesting
    So, does the TPM constitute damage, and will the Internet route around it?

    My vote is yes. The Internet will route around it by gradually dividing from what is currently called the Internet. Most people will use what used to be the Internet, and will consider it to still be the Internet. A minority of tech savvy people will be running on an alternative network, and will consider their network to be the Internet.

    There will be one way links between the Internet and the former Internet (new can suck data from old, but not the other way around). The new Internet will be under the radar, but will be a hotbed of technical innovation. In time the new Internet will appear on the radar, as the majority hear of it and decide that they want to be able to do all the neat things Internetters can do as well. The majority join the Internet. The Internet gets 'tamed' as large companies join it. The Internet routes around the damage by breaking away over time. The cycle repeats...

    1. Re:Routing Around the Damage? by jim_deane · · Score: 2, Interesting

      I always wanted to run a BBS. Now I have the time, income, and computer power, and look, Fidonet is still around!

      Now where's my copy of QBBS...

  30. Or if ISPs make them play by the rules by tepples · · Score: 2, Interesting

    Of course, all a hacker needs to do is keep an older model x86 or PPC system around.

    And watch it not get an IP once all the major last-mile ISPs have switched to Trusted Network Connect, a framework that involves "trusted" dialer software that assesses the state of your computer using its TPM. Cisco has a similar competing framework called Network Admission Control.

  31. I dont think we are ready for this just yet by oztiks · · Score: 2, Insightful

    What about the plethora of security issues we are faced with today, combine that with a preempted identity management system and you spell disaster.

    It would bring on a new level of phishing, one that would be a lot more difficult to circumvent and a lot easier to exploit once the phisher has what he needs from their victims.

    Engineers and techs are very smart people but sometimes they lack the day-to-day vision around the issue.

    Plus, I'm sure there'll be a bunch of eager hackers waiting patiently for this to come along, if they are able to stick Linux on an iPod I'm sure they'll be able to get around this.

  32. Re:Nope. by sedyn · · Score: 2, Interesting

    Speaking of avoiding hardware that preempts the need for spyware to be implemented in software, does anyone know of a list of hardware that consumers should avoid?

    If not, does anyone want to start a wiki entry or something similar?

    (All I've found so far is http://www.againsttcpa.com/tcpa-hardware.html ) But I will be searching more in-depth later

    --
    Am I open minded towards open source, or closed minded towards closed source?
  33. the evil bit by Daltorak · · Score: 2, Insightful

    The Evil Bit is inherently evil! :-)

  34. If you have no sources, then look here by tepples · · Score: 2, Informative

    And your infallible source for this information is... a Slashdot comment.

    It's not my only source, just one that's useful for introducing the ramifications of the concepts introduced in the Trusted Network Connect FAQ (PDF).

  35. We all know what that means... by humphrm · · Score: 5, Insightful

    >ugh. Well we all know what that means.

    Sigh. Yes. Everyone will just sit around slashdot whining about it, and not lift one finger to get control of it via their elected officials.

    --
    -- "In order to have power, I must be taken seriously." -Mojo Jojo
  36. TPM ALREADY HAS linux support by Foktip · · Score: 2, Insightful

    BWAHAHA! Dude, have you compiled a kernel recently? It does have support for this - only the kernel states it as a module that can be used in conjunction with the chip, to store "key data" separate from the system, to increase security, or something. Maybe it will allow Linux to selectively use the TPM chip where required for authentication (I do my banking etc across 3 computers, identifying anything on a per-computer basis can be stupid). The TPM chip is far from just an identifier, it's got memory and can be used for other general things.

    It's more that, in Linux, the TPM chip will be used for security (good), and in winblows it will be used for ease-of-use/profit (evil). So, I'm guessing in Linux you'll be able to spoof IDs

  37. Take a deep breath, and calm down... by IWorkForMorons · · Score: 2, Interesting

    People...please, stop and review your history. Does no one remember Intel doing this exact thing just 5-6 years ago with the first PIII chips? Do you see any chips with serial numbers embedded in them like that today? No...because it was a colossal FAILURE! That's when Intel began to slide and AMD began to rise to power. Why? Because AMD saw a need, and that need was to NOT have this kind of tech. So many people, including myself, started switching to AMD chips. And Intel eventually yanked it because of the market share they were losing. They never really recovered after that, especially when AMD started beating them on processing power-per-watt. So please...just take a deep breath, calm down, and look to your nearest underdog to fill the need...

    Besides, when the revolution comes, your computer will be the last thing on your mind...

  38. Re:Cars have VINs and license plates by Ph33r+th3+g(O)at · · Score: 2, Insightful

    Just as soon as I can kill or maim someone by operating my computer recklessly, we can talk about mandating publicly visible identifiers for them.

    --
    I too have felt the cold finger of injustice.
  39. Evil vs. Good by CupBeEmpty · · Score: 2, Insightful

    Well I never really considered little yellow cloth stars or number tattoos "good" or "evil" in and of themselves... but you know while we are at it let's brand everyone's social security number on their arm... you know so you can't lie to women at bars about being Leonardo DiCaprio.

  40. Re:Haven't we learned anything? by John+Hasler · · Score: 3, Informative

    > Forcibly installing such chips into our computers is, well,
    > illegal.

    Nobody is (yet) proposing to forcibly install anything on your computer. They are proposing to make it nearly impossible to find a computer for sale without a TPM chip and impossible to get onto the Net with a computer without one. So far as I know that is not illegal.

    I agree with the rest of your points.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  41. Flawed Idea by Wellerite · · Score: 2, Informative

    From TFA:

    With a TPM onboard, each time your computer starts, you prove your identity to the machine using something as simple as a PIN number or, preferably, a more secure system such as a fingerprint reader

    Hmmm fingerprint readers are more secure than PIN numbers? Certainly not yet.

    Also from TFA:

    (In fact, with TPM, your bank wouldn't even need to ask for your username and password -- it would know you simply by the identification on your machine.)

    Well what if it's a shared computer at home. How is my bank supposed to tell between me and my wife when I logon to their web-site?

  42. Re:Nope. by PC-PHIX · · Score: 2, Informative

    Sounds to me like the unique serial number thing that was available in Intel P2/P3 chips....

    Whatever happened to those?


    Processor Serial Number Feature = Disabled

    It was a BIOS option on *most* boards as I recall...

    --
    Optimist: The thumb drive is half empty! Pessimist: The thumb drive is half full...
  43. AMD64 cpu UUID? by cortana · · Score: 4, Interesting

    I was poking around on my new AMD64 machine the other day, and I ran dmidecode. Can anyone explain this?

    • Handle 0x0001
      • DMI type 1, 25 bytes.
      • System Information
        • Manufacturer: System manufacturer
        • Product Name: System Product Name
        • Version: System Version
        • Serial Number: System Serial Number
        • UUID: EC491BB3-BE1F-DA11-B1EB-7B871839F7B3
        • Wake-up Type: PCI PME#
    1. Re:AMD64 cpu UUID? by stonedonkey · · Score: 3, Informative

      When in doubt ask Google.

      Also a Wiki.

    2. Re:AMD64 cpu UUID? by Rich0 · · Score: 3, Informative

      I'm sure the poster knows what a UUID is in general - however I think his question was whether this was a single code already burned into the CPU/etc, or just a dynamically generated one which could change from time to time. The websites you link have no info relevant to determining this.

      For example, I just generated 3 UUIDs that are all appropriate for my machine using uuidgen - as suggested in the site you linked. Obviously these would not be suitable as unique, unmodifiable IDs for my PC. However, I could safely use them in databases, or to identify objects that I create.
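
Added example (not part of the thread or of dmidecode): one way to check what kind of value the UUID in the dmidecode output quoted above is. It assumes this dmidecode printed the SMBIOS bytes in storage order, with the first three fields little-endian; the function names are hypothetical.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Value copied from the dmidecode output quoted in the comment above.
DISPLAYED = "EC491BB3-BE1F-DA11-B1EB-7B871839F7B3"

# Version 1 UUID timestamps count 100 ns ticks from this date (RFC 4122).
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def readings(displayed):
    """Return both plausible readings of a DMI UUID string."""
    as_shown = uuid.UUID(displayed)
    # Assumption: the tool printed raw bytes, so the first three fields
    # must be byte-swapped to obtain the canonical RFC 4122 form.
    swapped = uuid.UUID(bytes_le=as_shown.bytes)
    return {"as_shown": as_shown, "byte_swapped": swapped}


def classify(u):
    """Say what the version and variant bits reveal about how u was made."""
    if u.variant != uuid.RFC_4122 or u.version not in (1, 2, 3, 4, 5):
        return {"kind": "undefined"}
    if u.version == 4:
        return {"kind": "random", "version": 4}
    if u.version != 1:
        return {"kind": "name-based or DCE", "version": u.version}
    # Version 1: 60-bit timestamp, clock sequence, and a 48-bit node field.
    ticks = ((u.time_hi_version & 0x0FFF) << 48) | (u.time_mid << 32) | u.time_low
    created = UUID_EPOCH + timedelta(microseconds=ticks // 10)
    # RFC 4122 sets the multicast bit of the first node octet when the
    # node is random, so it cannot collide with a real NIC address.
    marked_random = bool((u.node >> 40) & 1)
    return {
        "kind": "time-based",
        "version": 1,
        "created": created,
        "node": "%012x" % u.node,
        "node_marked_random": marked_random,
    }


if __name__ == "__main__":
    for name, u in readings(DISPLAYED).items():
        print(name, u, classify(u))
```

Under that assumption the byte-swapped reading is a version 1 (time-based) UUID whose node field carries the multicast bit that RFC 4122 uses for randomly chosen nodes. The value alone does not show whether the firmware keeps it fixed across boots.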

  44. Re:Cars have VINs and license plates by jim_deane · · Score: 4, Insightful
    Cars have VINs and license plates to identify them on public roads. This places some limits on driver freedom but is hardly Orwellian.

    TPM, or something like it, could end up in the same category.


    You went to McDonald's for lunch...did they record your license plate and/or VIN? Did you drive up to your bank to make a deposit, and if so, did they check your license plate and/or VIN before letting you access your account? Did the city government make record of your license plate and VIN as you traveled through various intersections? Did the park and recreation department take a record of your entrance and exit times when you visited city park?

    Basically, just go back and look at all of the arguments that were made when Intel proposed the Processor Serial Number as a GUID. The arguments remain, and will always be, completely valid.

    Jim
  45. This reminds me of a movie... by CPNABEND · · Score: 2, Funny

    It's the year 2100. The "GEEKS" live underground, running LINUX 2.8, the last release without mandatory DRM implemented. The GEEK population makes money by trading their cache of the last MOBOs (Late quad-cores) that do not have DRM to the "surface people". These machines are populated with bootleg copies of "Gilligan's Island" - The most popular show of the surface people... Pathetic...

    --
    My wife doesn't listen to me either...
  46. Pentium III - the new generation by schnogg · · Score: 2, Interesting

    Wasn't this the original intention with the Serial ID on Pentium III microprocessors?

    --
    i just put in /. and nothing happens - ??
  47. Do you plan on keeping your IP? by tepples · · Score: 2, Insightful

    What I won't do is install software that turns over the 'trust' it creates to an outside entity.

    Unless all broadband Internet access providers that serve residences in your area start to require that you use a kernel and apps with a specific signature dictated by the ISP.

  48. Re:Why does the chip have to be manditory? by tftp · · Score: 2
    doubt that the hobbyist, no matter how clever, smart, or resourceful, can make (from scratch) a computer comparable to anything past that date. Too many layers on the board, too many chips that are no longer hand-solderable...

    You are very wrong here. Google for "Altera NIOS Linux". Won't be as fast as Xeon, but there is no difference for Web browsing.

    The new FPGA's will only be configurable with a TCP-compliant software, which will insist on the TCP verilog being put into it also

    That won't happen. If you buy a device you are free to configure it with any bitstream you want. FPGAs are configured offline, so there is no room for any key exchange.

    And then, crypto will keep it from connecting to the internet anyway, unless you break that also.

    Break - maybe. But it would be impossible to use the hack. It would be as [il]legal, and as hard, as hacking your digital cable box to see movies that you haven't paid for.

    If this thing happens, then 99.9% of Internet users will not notice it, and the remaining 0.1% will abandon it - exactly as intended. Thinkers and freedom lovers will be denied the means of communication and rendered harmless. Mission accomplished!

  49. Re:Second law of thermodynamics by smidget2k4 · · Score: 2, Informative

    You can get all of the proteins and amino acids you need from veggies if you really wanted to. You don't have to eat meat: in fact, if you ate only meat, you would become VERY unhealthy. Though, I concur that living in the wilderness you are not exactly widely exposed to random batches of refined chick pea and soy bean, so... yeah. In a wilderness setting you would need meat.

    But please don't try to pass it off like you need meat to live. I've been doing it (quite healthily, might I add) for three years, and I know people who have been going upwards of twenty. You just have to watch your protein intake.

    Have a good one!

  50. This is circumventable. by Eminor · · Score: 2, Interesting

    In order for any web site to "read" my identity (assuming the chip is installed), data from the chip would need to be sent over HTTP. So, if you are not using a browser capable of sending it, or your OS does not have a driver to access the device, the device is useless. Not to mention, there is nothing to prevent you from using a browser that supplies false information.

    If this were done purely in hardware, the data would be encoded in the network layer, which means that the data would not leave the subnet (assuming current network technologies used on the internet).

    1. Re:This is circumventable. by tftp · · Score: 3, Insightful
      Not to mention, there is nothing to prevent you from using a browser that supplies false information.

      Unfortunately the Universe may grow old and die before you manage to compute a valid data packet without having access to the private key (which is burned into the chip and can't be read back, ever.)

      For example:

      1. Computer says: "My public key is 0x1234...89"
      2. Remote site says: "Ok, dude, mine is 0x9876...01. Do XOR on this data that I encrypted just for you: ... ciphertext follows."
      3. Computer says: "Ok, I decoded the ciphertext using my private key. The data is this, encrypted for you: ... ciphertext follows."
      4. Remote site says: "Ok, you got it right, I reckon you do have access to that private key, and so your public key is also yours, and so you are who you say you are. I trust your data now."

      If you break this sequence then the authentication fails.
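
The exchange sketched in the comment above, as an added example that is not part of the thread: a site issues a fresh nonce and accepts only a response made with the key held inside the chip. It uses a toy RSA signature over the nonce instead of the comment's decrypt-and-return wording; the key, class and function names are constructed for illustration, and real TPM protocols differ.

```python
import hashlib
import secrets

# Constructed toy key built from two known Mersenne primes.
# Far too small for real use; it only keeps the example self-contained.
P, Q = 2**127 - 1, 2**89 - 1
E = 65537


def digest(nonce: bytes, n: int) -> int:
    """Hash the challenge and reduce it into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % n


class Chip:
    """Stands in for the chip: it signs, but never exports the private exponent."""

    def __init__(self):
        self.n = P * Q
        self.__d = pow(E, -1, (P - 1) * (Q - 1))  # private exponent

    def public_key(self):
        return self.n, E

    def respond(self, nonce: bytes) -> int:
        return pow(digest(nonce, self.n), self.__d, self.n)


class Site:
    """Remote site that knows only the enrolled public key."""

    def __init__(self, public_key):
        self.n, self.e = public_key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(32)  # fresh for every login
        return self._pending

    def verify(self, response: int) -> bool:
        nonce, self._pending = self._pending, None  # each nonce is single-use
        if nonce is None:
            return False
        return pow(response, self.e, self.n) == digest(nonce, self.n)


def run_scenarios():
    """Run the genuine exchange and three ways of breaking the sequence."""
    chip = Chip()
    site = Site(chip.public_key())
    results = {}

    # 1. Genuine machine: the chip answers the site's nonce.
    nonce = site.challenge()
    captured = chip.respond(nonce)
    results["genuine"] = site.verify(captured)

    # 2. Client that asserts the same public key but has no chip behind it.
    site.challenge()
    results["spoofed"] = site.verify(secrets.randbelow(chip.n))

    # 3. Earlier valid response replayed against a new nonce.
    site.challenge()
    results["replayed"] = site.verify(captured)

    # 4. Response sent when no challenge is outstanding.
    results["unsolicited"] = site.verify(captured)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```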

  51. Re:OH MY FUCKING GOD! by tftp · · Score: 2, Funny

    "lol, this is not the mark of the beast!"

  52. Emulators by mwvdlee · · Score: 2, Insightful

    This chip is about the easiest security measure to work around of all time: Use a PC emulator which also emulates the TPM hardware.
    It might not make for a very fast computer, but it'll be fast and cheap enough for the average Nigerian scammer to invalidate the entire case for the TPM chip.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  53. I don't mind by KlausBreuer · · Score: 2, Funny

    Not? No. Simply because I'll download a patch/update to my browser which will - given the query for the ID - return either any code I entered (for example the id of some damned politician, hehehe) or a new one every hour.

    And these morons will waste a huge amount of time. And, as usual, all they'll catch are other morons.

    --
    Free PC version of ChipWits at http://www.breueronline.de/klaus/chipwits/
  54. Anonymity with the TPM by Dr.+Blue · · Score: 2, Informative
    While the bulk of the article makes it sound like TPMs will destroy all privacy (which isn't true), here's an important sentence:

    Users will still control how much of their identity they wish to reveal -- in fact, for complex technical reasons, the TPM will actually also make truly anonymous connections possible, if that's what both ends of the conversation agree on.

    Yes, TPMs can be used to remove privacy, but only with your consent. They can also, with the consent of the parties involved, give you much stronger privacy than is possible without a TPM.

    I've talked to people in many of the major companies that are behind the Trusted Computing Group, and they're well aware of this issue. I spent a bit of time talking to the head of the trusted computing project at AMD, and he understands very well the lessons of the Intel CPU serial number fiasco of a few years ago, and the TCG has included technological features to protect users' privacy. Is this because they are great privacy guardians? No, I don't think so -- I don't think this guy is going to be the next president of EPIC or anything. I think it's a strictly business decision: They see that people won't accept the technology unless it protects privacy (just see the tone of the article this Slashdot story is about), so they've put in measures in order to make it more acceptable.

    Some technical details: The current TPM specification is version 1.2. Prior to 1.2 there was an "officially supported" privacy mechanism based around the idea of a PrivacyCA -- basically, you got pseudonymous credentials (a certificate) from a PrivacyCA, and used that in transactions. You could get a different certificate for each person you interacted with, so transactions weren't linkable, or you could even get multiple certificates to use with the same person so that you had different identities to use with them. The problem being that you still had to show your unique ID to the PrivacyCA, so you had to trust them not to link all your transactions together. However, version 1.2 introduced a stronger notion into the standard: direct anonymous attestation. With this, your anonymity is protected with cryptographic means, without the need to trust any other party. Of course, when you authenticate, the site you are interacting with has to agree that it will accept such anonymous and untraceable identities. Some sites will probably allow that (discussion boards, etc.) and some probably won't (banks, credit cards, etc.). But that's a market decision, not a technological one. You have the power, with the technology, of having even stronger anonymity than you have today, so the market needs to insist on merchants using that. As was seen with the serial number in the Pentium III, enough people care about privacy to make industry sit up and pay attention.

  55. How this could be a good thing. by Temporal · · Score: 2, Insightful

    Imagine if you could create as many identities for yourself as you wanted. You could go so far as to create a separate identity for every single site you visit, even. Imagine that you can program your web browser to invent dummy identities automatically in order to accomplish this. There; privacy issues solved.

    The nice part about this system is that you'd never have to enter a password or a credit card number again, and no one would be able to steal your identity without stealing your physical computer.

  56. Time to bail! by Hoi+Polloi · · Score: 2, Insightful

    Digital rights, Patriot act, loss of privacy...screw it, I'm moving to Alaska and building a cabin.

    --
    It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning