Slashdot Mirror
ISP Restrictions Based on Hardware/Software?
An anonymous reader writes "IT Architect magazine is reporting that ISPs are working towards a greater restriction of a customer's right to run what may be 'insecure' software. From the article: 'A greater threat is that ISPs may try to restrict the customer's side by denying access to machines based on their hardware or software configuration. [...] former head of cybersecurity, White House terrorism advisor Richard Clarke even said it should be made mandatory to quarantine malware.' Something that may also come as a surprise to some is that Microsoft is completely against this censorship of internet access. 'According to Chief Privacy Officer Peter Cullen, Microsoft is against ISPs doing anything that would restrict customers' choice of software. And he says this isn't just about the impracticability of demanding that data centers patch everything on the second Tuesday of the month. Laptop and home users also have the right to run an insecure PC.'"
Depending on your definitions, banning malware could mean banning Windows!
At the risk of pointing out the obvious, but - does it surprise anyone that the maker of the #1 target for malware writers is actively campagining against ISPs downthrottling infected users' PCs? I mean, if customers found out that Microsoft Windows = your ISP cuts down your rate, are people more or less likely to buy Windows? Their actions seems like obvious good buisness practice to me.
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
What if the user is behind a SOHO router? It will be hard to figure out what the client's OS/version is. Try using www.grc.com and their ShieldsUp.
Anyways, this being the US, such practice will be considered discriminatory especially if poorer families cannot afford the latest M$ tax.
I think this is the only article on slashdot, that had anything positive to say about microsoft. This is the problem when you try to protect people. ISP regulating what I put on my computer and run online is not what we need. People should be allowed to run whatever they want to on their computers.
The real question is, is the open source community against it?
LINUX ONLINE POKER: Linux Poker
Of course Microsoft would object to this proposal. Any objective analysis (which the ISPs are certain to do) would put Windows high on the list of vulnerable systems. No matter how much Microsoft tries, it's always hard to configure a Windows system to be both secure and capable of easily running the software most users want to run without glitches. Putting a hardware firewall in front of it's just as bad from Microsoft's point of view: you're still telling users they have to spend more money and do more work to use Windows on the Internet. By contrast, many of the competing systems (Max OSX, *nix) are at low risk and would pass most security checks easily out of the box. No way does Microsoft want ISPs making it easier to put a Mac or a Linux box on the Internet than a Windows box.
Personally I don't care why Microsoft is against it - I'm sure they have their own agenda, but the enemy of my enemy is still my friend. If Microsoft are against it, it almost certainly won't happen - they have enough clout.
Anyway, such a law would be pandemonian, it would require international standards etc etc - it would never work...
1. It's impractical -
I can see how the White House might deal with this sort of restriction, but an ISP dealing with thousands of customers that don't WANT to cooperate - not to mention, there would be an absurd number of software and hardware iiterations, hacks, etc, all of which they'd have to deal with.
2. It's unfair -
I should be able to run the software I want on the hardware I want, as long as I'm not producing malware. A restriction on rights for security is inconsistent with democractic ideals, especially with the qualifier that the security doesn't necessarily protect rights.
http://www.TheGamerNation.com/Forums
I want on the OpenBSD-only ISP.
Trolling is a art,
It is becoming increasingly obvious that the large ISPs are out to put a strangle hold on the "Services" they deliver. There will be problems with VOIP caused by port restrictions, Others will stop offering basic services like nntp access. They have taken the view that the network is theirs and that they will dictate what is run over them with consumers being and endless cash cow that can be milked for access to "Premium" applications.
that Microsoft would want to prevent people from being punished for using an insecure OS...
It's because they're for choice right? I mean, every time I turn around I hear about a new Red-Hat exploit which has allowed a worm to spread into millions of computers around the world, causing massive amounts of bogus traffic and driving up costs for ISPs.
> Laptop and home users also have the right to run an insecure PC
Absolutely. But do they have the right to abuse the ISP's network by sending spam/DDoS attacks etc?
Run what you may on your PC, but if you are using the network infrastructure owned and maintained by your ISP, you have to adhere to their Terms of Service, and they should have the right to enforce those terms of service.
If you don't like your ISP's TOS, find a different one. But don't confuse you right to run an insure PC with your right to abuse your ISP's network -- you do not have the latter.
Yes, but do they have the right to run an insecure PC connected to the Internet? When their insecure PC, if it gets 0wned, is going to have adverse consequences for others on the Internet?
An analogy: I have the right to drive a car that fails safety inspection - on my own land. I do not have the right to drive it on the public roads, where it can endanger others. (Of course, this analogy breaks down, because the government mandates the safety inspection, and the government owns the roads, and in the Internet case, it's not the government that mandates the safe PC, but rather the ISP... and the ISP owns the "road" that I'm putting the unsafe PC on, or at least the road I use to access it... hmm, maybe the analogy isn't that bad.)
I can see why ISP's would want this (less zombies, etc.), but I don't believe they'd all be able to sit down and agree on standards. Likewise, if my current provider makes say running Windows XP SP2 a requirement, there's no doubt I can go elsewhere and find some other provider that would let me run Linux. Now when we reach the point where there's only a handful of ISP's (esp. if they're regional), we will have a problem.
Sadly, PS/2 was yet another victim of USB, which doesn't care what you plug into it, the electrical slut.
There is no right to do anything with anyone else's property or for them to provide a service they don't want to.
On the other hand, an openly competitive market generally won't see companies trying to reduce services or increase fees -- competition is what gives consumers what they want at the price they're willing to pay.
If we allow our government to regulate the Internet, you better believe the market will be disturbed by enough regulations that we WILL see restrictions such as these -- regulations always serve the interests of the now mandated monopolies instead of the end consumers.
If a few big ISPs decide they want to restrict services for certain users -- let them! The little ISPs will gain enough business to give them a nice profit. Seems like a win-win to me.
Look, make a mesh. Decentralise. No-one should consider themselves part of the internet unless they've got at least 3 independent paths to neighbours with at least 3 independent paths etc.
ISPs, Telcos, are symptoms of antiquated centralist thinking.
In the real world, restrictions like this will be used to keep people from running Linux (or *BSD, or anything but Windows).
Mod me down, but you know it's true. They'll say that GNU/Linux systems are not "trusted" (as in "Trusted Computing"), and that will be that. Only niche geek-friendly ISPs like Speakeasy will continue welcome *nix users.
With spending like this, exactly what are "conservatives" conserving?
Side #1: Microsoft is terrified of this because it will set a precedent whereby an ISP will be able to cut people off based on the ISP's view of their software configuration. So, ISPs will be able to threaten to kick Microsoft in the balls unless they get favorable treatment (RE: cheaper prices), and home users will be able to demand that tainted machines get knocked off the web until they're fixed (which will mostly affect MICROSOFT). Microsoft, God bless 'em, is naturally against the whole thing.
;)
Side #2: The TRUE result of this will be that lazy ISPs (read: most ISPs) will just lock out anything that doesn't match some piece of shit filter they put in place. So, a fully patched Microsoft or Apple box will probably be able to connect, but my Slackware box will NOT. And when I call tech support, the retard who takes my call will say "SlackWHAT? You can't run that on our network, for, uh... SECURITY reasons. Why don'cha run Winders like everyone else?" And I will be forced to resort to cruel, mocking language, upsetting his supervisor and getting me absolutely NOWHERE.
So, naturally, I'm against this bullshit too.
Farewell! It's been a fine buncha years!
I've said it before, I'm saying it now, I'll say it every time someone tries to enforce security on The Internet:
THE INTERNET IS NOT SECURE
By connecting to it you must expect to be probed, attacked, sniffed, decrypted, spammed, hacked, and denied service. In order to avoid these things either you must not connect to it, or you must take measures that degrade its performance in order to eliminate some of these possibilities. But you will never make it secure, because it is not secure.
If you want a secure network, you will have to start over from scratch.
The other concern Microsoft may well have is that if you can only run "approved" OS' on the Internet, it will kill their beta programs and may well make it harder to roll out service packs. After all, it changes the version ID, so won't be an "approved" OS any more. If nobody patches their system, for fear of being disconnected from the Internet, it will be Microsoft that suffers.
What about Linux users? Well, there's always the IP Personality patch. This disguises your OS, so that common methods of fingerprinting your computer will return the OS identity that you choose. You can always make a Linux box look like Windows XP or whatever.
That's probably another concern of Microsoft. Linux distributions can be easily modified to fool such restrictions and existing Linux users will likely install the necessary patches. This could make Linux more attractive to the Walmarts of the world (fewer customer complaints) and also to corporations (no risk of unexpected downtime, due to ISPs not keeping up).
I'm all for these restrictions, because they don't apply to Open Source software - masquerading as other software is already quite standard. Only closed-source vendors and closed-minded customers have anything to be scared of, and I've no problem with them being scared silly by Homeland Security.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
...blah blah blah, of course Microsoft is against it blah blah blah...
But this IS a horrible practice? Restricting people's internet access based on their computer? Does anyone see what is wrong with this or are you all going to complain about MS?
This idea can be a potential danger to Linux users. Yes, Linux is much less susceptible to malware than Windows. However, Windows will be always defended by Microsoft but there is no body to protect Linux users. Any minor public doubt in Linux safety for ISPs has a chance to result in a major action to ban access from Linux boxes.
One line blog. I hear that they're called Twitters now.
And, as pointed out in the article, how will custom proprietary apps get on?
The whole thing sounds like a ridiculous idea when you start thinking about the repurcussions. ISPs have no way of knowing what percentage of their customers are running software that's not on a particular whitelist --- until the day they implement the policy, at which point all hell breaks loose and some of their best customers run to the competition.
It also isn't obvious how they can really detect all the software on a computer. Are they really going to look at every file foo.bar on my hard disk to see if it would really run if you did a `perl foo.bar'? And remember, malware authors are specialists at hiding their software.
It would make a lot more sense to analyze traffic. If a certain user starts sending 10 million e-mails a day all of a sudden, just shut off his access and wait for him to get on the phone and talk to you. Another, possibly complementary option would be just to impose upstream and downstream traffic limits (maximum peak and maximum monthly?), although a lot of ISPs don't want to advertise that they have limits or reveal what they are.
The article sounds very suspect to me. Lots of vague statements like "the required technologies are now becoming available." Oh yeah? What are they called? Who's selling them? Which ISP's have tested them?
Find free books.
And, as pointed out in the article, how will custom proprietary apps get on? Easily - They rock up to the bureau of certification, pay the X thousand dollar testing fee and wait for the results.
Not Meta-modding due to apathy.
The big ISPs see this as a way of controlling the market. Right now internet access is a commodity. They will do anything in their power to change this. Even if this means pushing congress to pass anti-terror laws to make it happen. Think of all the things they could do - One example...limit VOIP.
Thoughts?
I'll just tell them it's a Windows screensaver. Failing that, I'll just gross them out until they give up and go home.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
verizon wireless is already doing this over their unlimited broadband 500kbps wireless data plan for 60 bucks a month restricts the user from ANY large upload or downloads. here, this quoted from verizon's website.
PROPER USES:
"Unlimited NationalAccess/BroadbandAccess:
Subject to VZAccess Acceptable Use Policy, available on www.verizonwireless.com. NationalAccess and BroadbandAccess data sessions may be used with wireless devices for the following purposes: (i) Internet browsing; (ii) email; and (iii) intranet access (including access to corporate intranets, email and individual productivity applications like customer relationship management, sales force and field service automation).
SUCH USE DESCRIBED BELOW WOULD BE SUBJECT TO TERMINATION OF SERVICE CONTRACT
Unlimited NationalAccess/BroadbandAccess services cannot be used (1) for uploading, downloading or streaming of movies, music or games, (2) with server devices or with host computer applications, including, but not limited to, Web camera posts or broadcasts, automatic data feeds, Voice over IP (VoIP), automated machine-to-machine connections, or peer-to-peer (P2P) file sharing, or (3) as a substitute or backup for private lines or dedicated data connections."
Say I need to reinstall windows. Since my install CD contains Windows 2000 SP1, for however long I'm re-installing/patching my OS, I have an insecure PC. If my ISP blocks my access on that premise, I am f*cked. Never mind that this entire situation is retarded, since I ought to be able to download the patches and install them offline, but the reality is that windowsupdate.com doesn't work like that. Even over broadband I'll probably spend the next 40 minutes downloading security patches, WTG Bill.
Quarantined connections are a very, very good thing. Corporate networks already do this -- there is, if I recall, a Cisco client which enforces router rules based on the security software installed on the PC. Windows RRAS can enforce a quarantine network based on whether or not the connecting machines are patched up-to-date. Captive portal software allows only authenticated users to connect to the greater network -- same with VPN tunnels.
All of these things work in a very good, and non-censoring way: they require the user connecting to the network, to take certain "safe computing" steps. Requiring virus/spyware protection is overkill (I for one have never run spyware or virus protection, and have only had one spyware infection that required a reformat and two viruses -- in 11 years of being connected to networks unprotected. All of those infections were 3+ years ago.) but requiring that computer users, say, don't broadcast worm packets and don't have unpatched security holes, is a very good thing.
It's one thing for the ISP to shut off people for downloading certain types of content, it's another if the user is abusing the network resources. Similar to, a phone company won't cut your line for calling people they might not agree with the opinions of -- but if you, say, wardial your entire neighborhood on a daily basis, they have some recourse against you.
Overall, the ISP restricting access to its network to people who aren't infected and are secure, is only a good thing -- on every possible front. And, from the stand point that Windows updates generally are denied to people using pirate copies, it will reduce software piracy rates as well. There's no excuse for people to still be broadcasting the Sasser worm, other than the fact that it isn't worth their time to fix it. This will make it worth their time, to no longer be a deliberate nuisance to everyone else.
Imagine if people suddenly got booted off and told it was because their computers needed repair, then they'd find out what's wrong (spyware/viruses) and why (holes in Windows), and then some of the more intelligent ones would investigate alternatives like Apple and Linux.
You're vastly oversimplifying. Firstly, most home PC users can barely figure out how to begin to use Windows. If you throw something completely new at them (Linux or OSX) they will probably be even worse off than where they started.
Secondly, you're assuming that it's impossible to have a secure Windows PC, and that simply isn't true. My home PCs run Windows XP and are secured. My place of employment is about 95% Windows XP, and we haven't had any security incidents or security related downtime since we opened over two years ago. No PC platform will ever be 100% secure and exploit-proof, but you can make pretty much any current platform secure enough to not be a threat to the Internet. If a user is faced with learning how to secure Windows (possibly with a minimal additional hardware/software investment) versus scrapping the whole thing and learning a whole new OS, and how to secure it (possibly with a minimal additional software investment or a completely new PC purchase), they will probably stick with Windows.
And that's the big thing about Windows, it is relatively easy to secure it for connecting to the Internet. For example:
1. Download and install a decent antivirus/firewall package. You can buy one for $50 or less from most securty vendors, or you can get a free package like Avast or AVG with ZoneAlarm or Windows Firewall.
2. Turn on automatic updates so that security patches are installed automaticall when they become available. Or for the more paranoid (like me), set it to automatically notify you when they are available so that you can review them or test them before using them.
3. (optional but highly recommended) Spend $30-$50 for a DSL/cable router/firewall with NAT capability.
4. Don't open messages from strange or unknown sources, and don't open unexpected attachments from known sources.
If you have a Windows PC and follow those 4 simple steps you should very rarely, if ever, have security issues.
I disagree with those who say that non-Microsoft OS's are going to be banned, or that everyone will be forced to use an "approved" list of applications and devices. It would be ridiculous and a very poor PR move on the part of ISPs and, yes, Microsoft, to announce to the world that if people want their precious Internet, they will have to bow to them. I don't post much, but I do read a lot of articles here, because I like the news and discussion about aspects of technology, and from reading TFA and the following discussion, I draw my own conclusions.
I did a 6-month internship with a national ISP called CopperNet. They're based in my hometown, and serve all over the country except in my area. I don't know why. As part of my internship, I "shadowed" the CopperNet Customer Service Manager, and spent most of my hours there listening in on calls with Tech Support agents. Also, I got to sit in on a very critical department head meeting, which was called by the president to coordinate a response to the Worm of the Month, one of the earlier Sober variants. This one in particular rated 5 out of 5 on Symantec's virus outbreak report... very fast-spreading, borks up the computer good, and is all over the place ITW (in the wild).
Some of their customers had been infected with it, and CopperNet was in the process of a) getting off Earthlink's blacklist, because customers were complaining that their e-mail to Earthlink users was being bounced, b) diagnosing and helping infected customers get the worm squished, and c) managing a TEMPORARY block-list of users who they believed to be infected.
And at my college, all students are provided with wireless and high-speed Internet access for no extra cost beyond room and tutition, with some restrictions. One of those restrictions is that they will deny Internet access if you are known to be infected with a virus or are the source of malicious traffic. They also run some kind of remote security scanner on connected computers several times a day. I choose to block this inbound traffic with my firewall, but I understand that many people are oblivious about computers, and that this security scanner, while it can be considered an invasion of privacy, is doing the job of mantaining a baseline of security to be responsible stewards of the freedom the Internet gives us.
The bottom line is: Some users are stupid, and that will always be a constant, no matter what OS or ISP they use. If the user doesn't know how or refuses to ensure that his or her computer is being sufficiently secure in order to avoid hurting other users, then someone has to minimize the effects of the user's lack of security know-how, until such time that the user is secure enough to be a responsible citizen of the Internet, regardless of their operating system or service provider of choice.
The ISP's first responsibility is IP egress filtering. The ISP must validate the outgoing source IP address of each packet. This at least prevents the most annoying types of denial of service attacks. Most competent ISPs do this now, although some of the cable guys are weak in this area.
The ISP's second responsibility is outgoing mail rate limiting. That's enough to slow down zombie-based spam. If the outgoing mail rate exceeds some reasonable threshold, the user should get a phone call, even if the phone call is automatically generated.
The ISP's third responsibility is incoming mail spam filtering. This should include virus filtering.
Incidentally, ISPs which block outgoing TCP ports should return an ICMP message (type Destination Unreachable, code Communication Administratively Prohibited). At least then you know what's going on, and who's doing the filtering.
Now when we reach the point where there's only a handful of ISP's (esp. if they're regional), we will have a problem.
This may in fact be the case. Now that the FCC has defined DSL as an "information service", this may give the ILEC the right to boot other DSL ISPs off the ILEC's copper. Then you end up with a duopoly, and in that case, "go[ing] elsewhere and find[ing] some other provider" would involve expensive real estate transactions.
As an admin for an ISP, I can safely say that Microsoft Windows users are safe from descrimination by us. As the parent mentioned, 99.9% of our users are running Windows. The problem arises when customers want to run some super-wiz-bang email client and expect the ISP to support it.
Spend an hour on the phone with someone trying to explain that you're not blocking their access to email but that you just don't know how to configure their software. This goes for almost any software that accesses the internet. I've been asked to troubleshoot problems with p2p apps, instant messaging clients, firewalls, spyware scanners, obscure Linux distros, outdated software (windows 3.1), and microwaves (yes, I've talked a customer through setting the time on their microwave...I was bored)
I actually had a conversation with my brother tonight about this very topic. Technology is so easy to obtain, everyone thinks they're qualified to use it. My broadband customers frequently plug their gateway into the lan side of their router (at least two users per day.) Of course, it's my fault that they didn't (can't) follow the picture-book instructions. Personally, I'd like to see the good-old-days return, when computer users knew how to use their computers. The days when calling tech-support was a last resort are long gone....people now call tech support in order to turn their computer on.
"Lame" - Galaxar
Sure, you do have the right to run an insecure PC, run an adware ridden piece of crap to your heart's content, most people seem to think those fifty billion popups and 14 minute boot times are normal. Doesn't mean you should do it....
Its when I start getting spamcop complaints, and reports of intrusion attempts on other people's pc's that we start to have a problem. Then I have to cut you off from the internet (I work for an ISP), acceptable use policy says nothing in it about infesting the internet just because you aren't smart enough to keep your pc a little more secure.
If you owned a house next to mine, and you let it fall into disrepair, and become a huge fire hazard, sure, I guess that is your right to do so. If it actually catches fire, and spreads to my house, then we have a problem, because now, your neglect has caused damage to somone else's property. Same on the internet, if you become a threat to your neighbors, I will simply isolate you until you are no longer a problem.
--Nuintari
slashdot : where an opinion can be wrong.
That depends entirely on how you can tell. If the method is your silly Cisco router which checks for this or that piece of Windoze shit, it sucks. If the method is detecting obvious spam and worm broadcasting signatures, great. Detecting spammbots is getting tricker all the time because the spammers are smart enough to not want damage the user's performance enough for the user to want to fix the computer. ISPs have been turning off blatantly broken computers for a while and it is a very good thing.
Windows updates generally are denied to people using pirate copies, it will reduce software piracy rates as well.
How do you equate the two without advocating some really stupid and lazy method of punishing people for not having whatever Bill Gates wants you to have right now? A check which provides that kind of solution will outlaw all the software that's actually secure.
Friends don't help friends install M$ junk.
Before the situation can occur, "legacy" software must be re-written or otherwise processed to allow it to run inside the "Trusted" platform.
No. You are absolutely right that that would be a huge barrier to deplyong such a system. No one would ever buy a computer that cannot run their existing software.
One of the most critical aspects of their Trusted Computing deployment is to ensure that there is NEVER any reason NOT to have a Trusted computer. No reason NOT to take a Trusted computer.
A Trusted computer can do everything and anything a normal computer can do. A Trusted computer can run any and all existing software.
A Trusted Computing *is* a normal computer with all of the capabilites of a normal computer. It just has something extra. A new Trusted mode, or as I call it "handcuff mode". Outside handcuff mode it is a normal computer. Once you turn Handcuff mode on the computer can report to other people what hardware and software you have, and it can unlock "DRM files" on the condition that you are running the EXACT and UNMODIFED software approved to read that file. And of course the DRM software can create locked files that can only be read in handcuff mode by that exact unmodified software.
So old software always runs fine, both in normal mode and in handcuff mode. Old files can always be read no problem, both in normal mode and in handcuff mode. However certain NEW software will refuse to run except in handcuff mode, and certain NEW files can only be read by approved software and only in handcuff mode, and people over the internet can set up new software that refuses to talk to you unless you send a Trust report stating that you are running the software they want you to run.
So normal websites can be viewed on a Trusted computer using any web browser, but NEW websites can be set up that will spit out error messages unless you have a new PC in Trust mode and you run an approved new Trusted browser.
The entire point of Trusted computing is to make people with normal old computers suffer. None of the new stuff works on normal old computers. They increasingly get error messages telling them they need to upgrade to a new Trusted "enhanced" computer. For anyone with a Trusted computer, everything both old and new "just works". The new stuff may only work in DRM-hell handcuff mode on new computers, but that's still "more" and "better" than it not working at all on old computers.
On top of that, your system cannot phone home to ANYONE without software to tell the hardware what to do.
Does the Windows Product Activation process ring a bell?
I expect online activation will be increasingly required for the installation of software, but in fact the entire system can work just off of a single operating system activation. Other software could then undergo a secure Trusted installation with Windows itself handling the encrypted software. It would be impossible to install or decrypt the software without the key loaded into Windows and locked by the Trust chip, and if you make any attempt to modify the Windows software the Trust chip denies you the key. So there'd be no way to decrypt and install the encrypted application without the assistance of the unmodified DRM-enforcing operating system.
On top of that, your system cannot phone home to ANYONE without software to tell the hardware what to do.
Yes. That is why they formed the Trusted Computing Group, which currently contains something like two hundred companies - virtually every signifigant company in the computer industry. And why they have designed in certain "privacy features" and they are advertizing it as a privacy enhancing system. (Hah!) Hyping the fact that there are protections built in to keep your ID number secure unless you "opt-in" to reveal it. They even formed a bogus "grassroots" consumer protection group lobbying for new standards for consumer privacy protections and standards... and they just so happen to be "demanding" the exact protections that
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
...According to Chief Privacy Officer Peter Cullen, Microsoft is against ISPs doing anything that would restrict customers' choice of software.
What, something like writing web pages to stop a particular browser from viewing them? *cough*Opera*cough*
There were also some leaked memos that went into more detail. I don't know if they're still on the Web anywhere, but this story from The Register describes them.
There are no TPM/TNC-based authentication systems available yet, but plenty of companies sell software-only versions. (These can be spoofed, of course.) The most well-known is Cisco's Network Admission Control ("the self-defending network"). They're intended mostly for LANs, but some vendors are already suggesting that they be used by ISPs (especialy in Wi-Fi hotspots).
I'd be extremely interested in seeing the Pentium with an onboard TPM, as this is something Intel has denied. (They sell motherboards with third-party TPM chips, but claim not to be integrating it with the CPU itself.)
I have yet to hear of Apple contemplating crippling its systems in this manner
Some of the prototype Intel based Apple systems have already been found to include this Trust chip on the motherboard, and there is strong speculation that Apple is likely to use this system to force people to buy Apple-brand Intel-based hardware in order to be able to run the Apple Operating System.
Also with Apple moving to Intel chips.... well Intel has been moving the Trust chip into the CPU itself. I presume that they will have that ready within a year or so. So the mere fact that they are using Intel CPUs may itself automatically make it a Trusted system.
the remote hardware/software scanning item being listed as an actual planned function is the top item on the list, I believe. Also, something I've not heard rumors of, so if you've info handy.
Sure. This is called Remote Attestation.
I'll give a detailed explanation based on the Specifications I've read, and then below that I'll have links to less detailed, but authoratative refference links to confirm the functionality. And you can always just Google for Remote Attestation for a few hundred additional links.
The chip will come effectively welded to the motherboard. It comes with manufacturer signed "Platform Credential". This credential specifies what hardware is present, and according to the Trusted Computing Group specification, it will also detail how securely it is bound to that platform and what level of security it has against various forms of physical attack and any other physical protection mechanisms that are present.
This Platform Credential will presumably be requested and sent during at least some Remote Attestation events.
Now we get to the boot sequence. The general process is to build a "Secure Chain of Trust". This means that the BIOS software gets hashed - the hash is the "identity" of any peice of software. This BIOS hash is recorded in a memory or disk log, and the hash value is hash-mixed into a 160 bit Trust chip register. The BIOS runs and it hashes the bootloader software. The bootloader hash is added to the log of hashes, and is hash-mixed into the Trust chip 160 bit register. The bootloader runs and it hashes the operating system. The OS hash is added to the hash log file, and it too is hash-mixed into the Trust chip register. The point here is that no software can run and gain control of the system until AFTER it's identity has been added to the log file and mixed into the Trust chip's rolling hash register.
The operating system may then hash and log EVERY program you load, mixing that hash into the Trust chip register, or the operating system might run normal non-Trusted software normally and only adding Trust-using software to the log file and mixed into the Trust chip register.
Oh, and at any point the ID codes of your network adapter and hardrive and videocard and monitor and any other hardware might be added to the hash log as well.
Now here's the reason a log file is kept of each hash value... the Trust chip has limited memory and it only uses the rolling 160 bit hash register to secure the current cumulative state of the system. What happens during Remote Attestation is that the system sends the other person the FULL LIST of all of the software that got added to the hash log. That person can look at each value on that list to identify the EXACT software (and potentially hardware) on your system. The first item on the list is the BIOS identity, then the bootloader identity, then the operating system identity, then each and every program you've run. The LAST item in the list would generally be the currently running application, the one thatthe other person is talking to. That makes it really easy to check that they're talking to the software they want - that they INSIST - you to be running. However what you just sent them was an ordinary text logfile and it would be trivial for you to alter it or fabricate it completely. What happens is that the other person can walk th
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Interesting. It could be that the chip-architect article is mistaken, but it was right about Yamhill, and also mentions an Intel patent that involves an on-chip crypto engine. (I think it means #6542981 [PDF], not the one referenced.) Alternatively, Intel could be lying, or just have changed plans since 2003.
But the two aren't really incompatible. The circuitry that the monograph points to is allegedly part of La Grande, Intel's proprietary version of Trusted Computing, not a TCG-compliant TPM. That’s even worse in a way, as it would mean software that only runs on an Intel CPU (and an Intel chipset: La Grande will also require a TPM and AMT, a proprietary technology in Intel network cards).
On-CPU crypto might also have something to do with trusted components. The TCG's long-term plan is to have some form of hardware signing/encryption in everything, not just a single chip in every PC. Most of the focus so far is on graphics/sound cards (for DRM) and keyboards/mice (to stop hardware sniffers), though.
I was aware that the TCPA predates the official announcements about Palladium, etc., but I thought that meant technical work. It's disturbing that the White House and the BSA were involved so far back, and that they chose the immediate aftermath of 9/11 to talk about it publicly.