

The Future of Trusted Linux Computing

ttttt writes "MadPenguin.org tackles the idea of Trusted Computing in its latest column. According to author Matt Hartley, the idea of TC is quite reasonable; offering a locked-down environment offers several advantages to system administrators with possibly troublesome users. 'With the absence of proprietary code in the mix users will find themselves more inclined to trust their own administrators to make the best choices ... And so long as any controlled environment is left with checks and balances [like] the option for withdrawal should a school or business wish to opt out, then more power to those who want a closed off TC in an open source world." LWN.net has an older but slightly more balanced look at the TC approach.

158 comments

  1. But Linux is already trusted. by webmaster404 · · Score: 0, Offtopic

    But Linux and most Linux programs are already more "trusted" than Windows can ever be. From being open source, how can you not trust it? There are no surprises and if you feel so inclined, you can build everything from source to make sure that there isn't any malformed code in the binaries. So how is this news?

    --
    There is no "disagree" moderation, and troll, flamebait and overrated are not valid substitutes
    1. Re:But Linux is already trusted. by MyLongNickName · · Score: 4, Insightful

      But Linux and most Linux programs are already more "trusted" than Windows can ever be. From being open source, how can you not trust it?

      Did you even read the summary? Or were you just going for first post?

      This is about locking down the workstation so that users can't monkey around. I do not care how well the code is written, a malicious user can create a security issue if he/she has the ability to do so.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    2. Re:But Linux is already trusted. by Anonymous Coward · · Score: 0

      Trusted computing, as defined by the folks who are pushing for it, applies to ALL machines EVERYWHERE, including those in your home. The idea is that some 3rd party can monkey with your machine regardless of whether you happen to approve of them doing so or not. One of the core ideas of 'trusted computing' is that all machines would render a unique ID upon the request of certain third parties, making anonymity an impossibility. It would also allow these third parties to search your computer to make certain that you aren't in possession of data or programs which could possibly violate IP laws in some countries.

      It isn't about the owner being able to trust his machine; it's about other people being able to query, or even modify, a machine without the owner's consent. In 'trusted computing' it's explicitly the owner who ISN'T trusted. It's about the machine trusting other people who aren't the owners over the desires of the person who supposedly owns said machine.

      Any argument for the implementation of so-called 'trusted computing' is either inherently evil or incredibly stupid.

    3. Re:But Linux is already trusted. by xeoron · · Score: 1

      Good news everyone, with GNU/Linux virtualizing stack, MS Windows can be trusted too...

    4. Re:But Linux is already trusted. by Xabraxas · · Score: 1

      Any argument for the implementation of so-called 'trusted computing' is either inherently evil or incredibly stupid.

      This is an incredibly naive and uninformed view on trusted computing. I was hesitant about trusted computing until I learned more about it. I have a TPM in my computer and it has a lot of good uses. Storing encryption keys in a tamper-proof chip is an excellent security enhancement. Software storage of keys is much more likely to be cracked. Also I can encrypt my entire drive or individual files and if needed I can delete the key and no one can access those files ever again. The mass hysteria around trusted computing is blown out of proportion. I have yet to encounter a circumstance where trusted computing has taken security or privacy away from me. It has only added security and privacy.

      --
      Time makes more converts than reason
  2. If the owner controls all the keys, it's fine by jonwil · · Score: 5, Informative

    There is nothing wrong with hardware assisted security if the owner controls all the keys and nothing can touch the trusted hardware without the owner specifically installing it (i.e. logging in as root/administrator and changing things).

    Trusted Computing is only bad if the owner of the hardware does not have control over the software on the machine, the hardware keys etc.

    1. Re:If the owner controls all the keys, it's fine by arivanov · · Score: 1

      Err...

      I would say that the owner should be allowed to do anything he likes provided that he cannot fake the keychain.

      Example in a pre-baked trusted environment when accessing resource A I sign up with a chain which shows that it is done by me, through software X on kernel Y and hardware Z.

      I should not be allowed to fake kernel Y, but there should be nothing to prevent me from installing an alternative signed kernel Y1. Similarly, I should be able to run Y on Z1 or X1 on Y as long as the chain is correctly reported when accessing A.

      In other words no tivoisms at least for consumer systems. Z should not be able to prevent me from running Y1, Y should not be able to prevent me from running X1. It should be the access control on resource A which says "I do not like the (Z)(Y1)(X) chain you use, in order to access me you need (Z)(Y)(X) or (Z)(Y2)(X)".

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    2. Re:If the owner controls all the keys, it's fine by Henry+V+.009 · · Score: 1

      Trusted Computing is only bad if the owner of the hardware does not have control over the software on the machine, the hardware keys etc.

      It's not always bad even then. It depends on who the owner of the machine is. If the owner is someone who is easy to socially engineer (90% of users, I'm sure -- Come look at the dancing bears!), then a behemoth corporation is in effect the system administrator for all those people, and locking down machines by allowing only signed applications can make sense. Most people aren't computer savvy and pretending that they are isn't a sane way to make decisions about the computer ecosystem.
    3. Re:If the owner controls all the keys, it's fine by js_sebastian · · Score: 1

      There is nothing wrong with hardware assisted security if the owner controls all the keys and nothing can touch the trusted hardware without the owner specifically installing it (i.e. logging in as root/administrator and changing things). Trusted Computing is only bad if the owner of the hardware does not have control over the software on the machine, the hardware keys etc.

      Exactly.

      And in the example mentioned in the summary...

      offering a locked-down environment offers several advantages to system administrators with possibly troublesome users.

      ...the system administrator (in fact the company he works for) is the owner of the system and has every right to restrict the user's use of the computer, but wants to have full freedom of how he himself configures those systems.

      The current "trusted" computing solutions would restrict the administrator too, because the system trusts some key-issuing authority instead of its legitimate owner.
    4. Re:If the owner controls all the keys, it's fine by Anonymous Coward · · Score: 0

      You're entirely correct -- but when the owner of the computer has control of all of the code and encryption keys, it is no longer called "Trusted Computing."

      Trusted Computing is used specifically to refer to the type of cryptographic control over which the user does not have control. When the user has control, it is simply "encryption" and "sandboxing."

      Thus, the marketing entities associated with Trusted Computing(*) would like nothing more than for us to accept Trusted Computing conditionally, on the condition that we have the encryption keys for our own computers. Such conditional acceptance is bound to backfire, and any such trust in Trusted Computing is guaranteed to be betrayed -- because the entire impetus behind Trusted Computing is the ability of media and software developers to be able to control media and software after it has left their hands and entered yours.

      (*) I don't believe you are such an entity, but it's important to bring up these points when the issue of key control arises.

    5. Re:If the owner controls all the keys, it's fine by swillden · · Score: 1

      The current "trusted" computing solutions would restrict the administrator too, because the system trusts some key-issuing authority instead of its legitimate owner.

      This isn't correct.

      The only use of the third party-issued certificate is for remote attestation, where the computer proves that it has a trusted computing module. You can use that capability to build highly-secure remote control, but that's entirely a function of what application software you layer on top, it's not inherent in TC.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    6. Re:If the owner controls all the keys, it's fine by JohnFluxx · · Score: 1

      Oh come on, clearly in that case, and in this context, the owner of the computer is the organisation.

    7. Re:If the owner controls all the keys, it's fine by Henry+V+.009 · · Score: 1

      Is it? I may have been talking about Microsoft and 90% of home users.

    8. Re:If the owner controls all the keys, it's fine by Anonymous Coward · · Score: 2, Informative

      Trusted Computing is only bad if the owner of the hardware does not have control over the software on the machine, the hardware keys etc.


      The only problem is that the whole point of Trusted Computing is to keep the keys used to attest to the state of the PCR completely unavailable to the user. Read the spec: https://www.trustedcomputinggroup.org/specs/TPM/

    9. Re:If the owner controls all the keys, it's fine by hasmah · · Score: 1

      There is nothing wrong with hardware assisted security if the owner controls all the keys and nothing can touch the trusted hardware without the owner specifically installing it (i.e. root/administrator). Trust is perceived by the system's receiver or user, not by its developer, designer or manufacturer. As a user you may not be able to evaluate that trust directly. You may trust the design, professional evaluation or the opinion, but in the end it is your responsibility to sanction the degree of trust that you require. So the owner of the hardware must have control over the software on the machine or set all protection mechanisms to make the user trust the system.

    10. Re:If the owner controls all the keys, it's fine by feed_me_cereal · · Score: 1

      The authority is there for the same purposes certificate authorities are there on the internet right now: as an independent trusted 3rd party to validate keys. That's it. If a computer with a TPM wishes to prove to someone that it is running the software it says it is, you can trust it because the authority says the key it's using is valid. How does this limit what an administrator can do? If anything, it increases what an administrator can do. Now people will trust that said administrator is running a TPM and isn't lying about the software running on the computer.

      --
      "Question with boldness even the existence of a god." - Thomas Jefferson
    11. Re:If the owner controls all the keys, it's fine by hasmah · · Score: 1

      There is nothing wrong with hardware assisted security if the owner controls all the keys and nothing can touch the trusted hardware without the owner specifically installing it (i.e. root/administrator). As a user, you may not be able to evaluate that trust directly; you may trust the design, professional evaluation or opinion, but in the end it is your responsibility to sanction the degree of trust that you require. So the administrator must set all protection mechanisms within a computer system, including hardware, firmware, and software that together enforce a unified security policy over a product system to make trusted computing good.

    12. Re:If the owner controls all the keys, it's fine by Anonymous Coward · · Score: 0

      Now people will trust that said administrator is running a TPM and isn't lying about the software running on the computer.

      Now MS-backed sites will trust that said administrator is using IE and not Firefox.
      Now trailer servers will trust that said administrator is using WMP/DRM++ and not mplayer.
      Now Office computers will trust that said administrator is using MSoffice2008/Professional Ultimate Experience Edition and not OO.
      Now Outlook clients will trust that said administrator is using MS Exchange and not exim.

      See the potential for entrenching a monopoly here? If "people" can enforce the use of software on other computers, then they can leverage any gains from the network effect immensely.

    13. Re:If the owner controls all the keys, it's fine by feed_me_cereal · · Score: 1

      This is wholly another issue from security, and not one that I was talking about. Anyway, I wouldn't put a lot of stock in your above scenarios. First off, they're very illegal. This isn't an issue of software compatibility keeping a competitor out; it's now, literally, keeping a competitor out. Microsoft has already been sanctioned for the prior, the latter would undeniably be trustbuster time (unless Ron Paul gets elected).

      Secondly, regardless of whether or not microsoft would do such a thing, even if they require someone to be running a TPM to view a webpage, they've already blasted the hell out of any semblance of a web standard. And before you assume that I'm not aware of their current attempts at destroying web standards, don't; I am, and they're nothing close to what you're predicting, but this would basically mean w3 is dissolved.

      Besides all of this, trusted computing, as it currently stands, can't do anything close to this. What you're able to certify is that a computer has a certain set of software loaded, not whether IE is accepting your http request or not. A server would have to deny access based on the fact that firefox is running on your computer somewhere, which is pretty silly. Besides, if people wanted to, they could be making steps towards this now. A site could simply deny access based on the fact that someone's browser identifies as firefox. Of course, this doesn't necessarily keep people out, but the fact that hardly anyone does something this stupid is why your scenario is fairly unlikely.

      Lastly, you're already fucked anyway. TC is coming whether you like it or not. You can't stop a technology. Your best bet is to prepare. That is, if you're truly afraid of this scenario happening, vote for politicians that are willing to regulate monopolies. You can't stop people from researching this stuff.

      --
      "Question with boldness even the existence of a god." - Thomas Jefferson
    14. Re:If the owner controls all the keys, it's fine by feed_me_cereal · · Score: 1

      additionally...

      Now Office computers will trust that said administrator is using MSoffice2008/Professional Ultimate Experience Edition and not OO.


      This one can't happen. No one is policing *your* computer, the worst that could theoretically happen is someone *else* will deny service to you if you're not running the right software. If you have the word file, no one can stop you from reading it.

      --
      "Question with boldness even the existence of a god." - Thomas Jefferson
    15. Re:If the owner controls all the keys, it's fine by Rich0 · · Score: 1

      Remote attestation should be able to be defeated by any system owner. Maybe it is for intercompatibility. Maybe it is for testing. Maybe the owner wants to do something else.

      I'd advocate that anybody who buys a computer should be given:

      1. A dump of all the keys embedded in their system.
      2. A dump of any private keys associated with any public keys embedded in their system.

      What they do with them is up to the owner. If they want to download additional keys (such as root CA certificates) they should be welcome to do so. However, trust should be up to the computer owner - not the manufacturer.

    16. Re:If the owner controls all the keys, it's fine by Rich0 · · Score: 1

      Besides all of this, trusted computing, as it currently stands, can't do anything close to this. What you're able to certify is that a computer has a certain set of software loaded, not whether IE is accepting your http request or not.

      Sure they can. Just ask for attestation that the Super-DRM-windows OS is running. Then connect to the port used by super-DMA-windows and ask for an attestation that IE owns the outbound connection that is hitting your webserver. Super-DRM-windows won't let any other software listen on the port it uses, and uses SSL to encrypt and authenticate all its communications.

      Now the remote webserver knows for sure that you're running IE. If the computer owner doesn't have the keys embedded in their TCPM chip they can't do anything about this - if they install another OS then the TCPM attestation will indicate this. The best you can do is find a flaw in super-DRM-windows, but then everybody will just require attestation that you're running super-DRM-windows v2.

      Most likely this won't be used for browser monopolies at first - just playback of digital media (sorry - no more media on linux). But I'm sure browsers will be regulated at some point. MS only allows you to run windows update from IE - mostly through the use of IE-only features. However, at some point a clueless bank will want to keep their customers secure and only allow logins from people running well-patched machines - but of course this will be a well-patched WINDOWS machine or maybe a Mac and nobody will think about customers who would rather not dual-boot windows. Oh, forget using VMware - that won't work. And dual-booting might not work either if the bootloader isn't trusted. You might have to install grub or lilo on a CD to boot the OS on your hard drive...

    17. Re:If the owner controls all the keys, it's fine by Rich0 · · Score: 1

      TC is coming whether you like it or not. You can't stop a technology. Your best bet is to prepare. That is, if you're truly afraid of this scenario happening, vote for politicians that are willing to regulate monopolies. You can't stop people from researching this stuff.

      Nobody wants to stop technology. We just want to make sure it is properly used. The simplest solution is to require that every computer include a printed copy of any and all keys embedded in it, and ideally any private keys associated with any public-keys installed on it. That will keep everybody honest. If TC gets out of control people will write software that lets an average owner just type in their machine key and then any onerous component of TC can be bypassed. You'd still be able to protect from viruses since the average computer owner won't go typing in a 200-character hex key to run some cute program a friend emailed them.

      I'd love having TC on my computer if I COULD TRUST IT. A hardware security mechanism that works FOR me is great - one that works AGAINST me is not.

    18. Re:If the owner controls all the keys, it's fine by Rich0 · · Score: 1

      This one can't happen. No one is policing *your* computer, the worst that could theoretically happen is someone *else* will deny service to you if you're not running the right software. If you have the word file, no one can stop you from reading it.

      Have you read about Palladium? Software will be able to tell the OS to keep a file in "protected storage" where other programs can't read it. Sure, you have the file, but it is encrypted. Most of the OS partition will also be encrypted. The decryption key will be stored in a chip with instructions to only yield the key to a program that has a given hash. The whole system is designed to make it VERY difficult to bypass - even with physical access to the machine. You'd need to tear apart the TCPM chip to get the key out. Fileservers hosting documents will only allow machines with secure OSes to download them - directly to protected storage.

      The design isn't actually that difficult. Sure, like all DRM it is vulnerable to physical-level attacks, but those can be made very expensive. And if a given model of TCPM chip turns out to be vulnerable it will be removed from the chain of trust - no new multimedia for anything running on those systems.

      The solution is simple - require anybody selling a computer to give a paper copy of any keys embedded in the hardware. Most people won't use them, but if TC gets out of control then owners can download programs and type in their keys and bypass the whole thing (or keep only the parts they want).

    19. Re:If the owner controls all the keys, it's fine by Rich0 · · Score: 1

      You're missing the point. Of course that is what those pushing TC WANT the system to do. It shouldn't be allowed to take off.

      There is a lot in TC that is good. You could potentially eliminate viruses, for example, with a hardware-backed chain of trust. The issue is that the chain of trust should lead back to the computer owner - not the computer manufacturer.

    20. Re:If the owner controls all the keys, it's fine by swillden · · Score: 1

      Remote attestation should be able to be defeated by any system owner.

      It can be. Simply don't install application software that sends attestation messages. If what you think you want is to be able to falsify an attestation, well, that would make the whole thing completely useless. If it were possible to falsify an attestation message, then sysadmins wouldn't be able to remotely verify the software their systems are running, which is the goal of the TC committee members like IBM and Intel (who don't care about DRM but do care about security).

      I'd advocate that anybody who buys a computer should be given:
      1. A dump of all the keys embedded in their system.
      2. A dump of any private keys associated with any public keys embedded in their system.

      That would make the TPM almost useless as well. A key that is available in the clear must be assumed to be compromised.

      Now, with a TPM you *do* have the option of running the "Take Ownership" command, which will generate a new random master key value, effectively destroying all the secrets managed by the TPM. Note that what you want -- to ensure that no one else has control of the hardware -- is accomplished by this, but *without* risking a crucial key being available outside the secure device.

      It's much better to be able to generate a new random key than to get a dump of the existing key. The latter voids all semblance of security.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
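      The two mechanisms argued over in this thread can be modelled in a few dozen lines. The following is an added example, not code from any poster, the MadPenguin column or the TCG specification; it is a toy of arivanov's (Z)(Y)(X) chain above (hardware Z, kernel Y or alternatives Y1/Y2, software X, and an access control on resource A that accepts some chains and not others) and of swillden's point that "Take Ownership" regenerates the master key and thereby destroys everything sealed under the old one. The component images, the known-good hash table, the allowed-chain policy and the SimTPM class are constructed for the example; the sealing scheme (XOR with a derived key plus an HMAC tag) is a stand-in for a real TPM's authenticated encryption under the storage root key, chosen so the example runs with the standard library only.

```python
import hashlib
import hmac
import os

PCR_ZERO = b"\x00" * 32

# Constructed sample images standing in for the hardware Z, kernel Y
# (and alternatives Y1, Y2) and software X of arivanov's post.
IMAGES = {
    "Z":  b"hardware Z firmware image (constructed sample)",
    "Y":  b"kernel Y image (constructed sample)",
    "Y1": b"alternative kernel Y1 image (constructed sample)",
    "Y2": b"kernel Y2 image (constructed sample)",
    "X":  b"application X image (constructed sample)",
}
# The verifier's reference list of known-good image hashes (constructed).
KNOWN_GOOD = {name: hashlib.sha256(img).hexdigest() for name, img in IMAGES.items()}
# Access control on resource A: accept (Z)(Y)(X) or (Z)(Y2)(X), never (Z)(Y1)(X).
ALLOWED_CHAINS = {("Z", "Y", "X"), ("Z", "Y2", "X")}


def extend(pcr: bytes, image: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || SHA-256(image)). A PCR can only be
    extended, never set, so a later component cannot erase an earlier one."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def measured_boot(chain):
    """Measure each component in order. Returns the final PCR value and the
    event log (name, image hash) that the machine reports alongside it."""
    pcr, log = PCR_ZERO, []
    for name in chain:
        log.append((name, hashlib.sha256(IMAGES[name]).hexdigest()))
        pcr = extend(pcr, IMAGES[name])
    return pcr, log


def resource_a_policy(reported_pcr, log):
    """Resource A replays the log against known-good hashes, checks that the
    replay reproduces the reported PCR, then applies its own chain policy.
    The owner is free to run Y1; the chain reports it honestly and A says no."""
    pcr = PCR_ZERO
    for name, h in log:
        if KNOWN_GOOD.get(name) != h:
            return False            # unknown or misreported component
        pcr = extend(pcr, IMAGES[name])
    if pcr != reported_pcr:
        return False                # log does not match what was measured
    return tuple(name for name, _ in log) in ALLOWED_CHAINS


class SimTPM:
    """Toy TPM: the root storage key lives only inside this object and has
    no accessor, mirroring a TPM that never exports its master key."""

    def __init__(self):
        self._srk = os.urandom(32)

    def take_ownership(self):
        """Regenerate the master key. Everything sealed under the old key is
        now permanently undecryptable; no copy of the old key ever existed."""
        self._srk = os.urandom(32)

    def _key_for(self, pcr):
        return hmac.new(self._srk, pcr, hashlib.sha256).digest()

    def seal(self, pcr, secret):
        """Bind a short secret to a PCR value (XOR with a derived key plus an
        HMAC tag; a real TPM uses authenticated encryption under the SRK)."""
        if len(secret) > 32:
            raise ValueError("toy sealer handles secrets of at most 32 bytes")
        key = self._key_for(pcr)
        ct = bytes(a ^ b for a, b in zip(secret, key))
        tag = hmac.new(key, ct, hashlib.sha256).digest()
        return {"pcr": pcr, "ct": ct, "tag": tag}

    def unseal(self, blob, current_pcr):
        """Release the secret only under the same PCR and the same master key."""
        if current_pcr != blob["pcr"]:
            raise PermissionError("PCR mismatch: a different chain booted")
        key = self._key_for(current_pcr)
        expected = hmac.new(key, blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            raise PermissionError("sealing key gone: ownership was taken")
        return bytes(a ^ b for a, b in zip(blob["ct"], key))


def try_unseal(tpm, blob, pcr):
    """Convenience wrapper: the secret, or None when the TPM refuses."""
    try:
        return tpm.unseal(blob, pcr)
    except PermissionError:
        return None


if __name__ == "__main__":
    tpm = SimTPM()
    pcr_y, log_y = measured_boot(["Z", "Y", "X"])
    pcr_y1, log_y1 = measured_boot(["Z", "Y1", "X"])
    print("A accepts (Z)(Y)(X): ", resource_a_policy(pcr_y, log_y))
    print("A accepts (Z)(Y1)(X):", resource_a_policy(pcr_y1, log_y1))
    blob = tpm.seal(pcr_y, b"disk encryption key")
    print("unseal under Y: ", try_unseal(tpm, blob, pcr_y))
    print("unseal under Y1:", try_unseal(tpm, blob, pcr_y1))
    tpm.take_ownership()
    print("unseal after Take Ownership:", try_unseal(tpm, blob, pcr_y))
```

      Two things worth noticing when running it: a log that claims kernel Y while Y1 was actually measured fails the replay check, so the owner cannot "fake the keychain" in arivanov's words, yet nothing in the model stops the owner booting Y1; the refusal comes from resource A's policy. And after take_ownership() the blob sealed under the old key is unrecoverable even with the correct PCR, which is exactly why swillden calls a printed key dump worse than regeneration: the regenerated key was never outside the device.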
    21. Re:If the owner controls all the keys, it's fine by Antique+Geekmeister · · Score: 1

      Oh, please. The need to deal with documents, and programs, that are not signed is so prevalent that Palladium's usefulness against them is just about zero.

      It may be useful against tools that corrupt virus checkers, but viruses and vulnerabilities come out so fast in basic software and protocols that this is only of limited usefulness. And that "chain of trust", as Palladium is designed, leads right back to Microsoft, who can be expected to have already handed over keys to the NSA or other federal authorities for them to manipulate that chain of trust at their whim.

    22. Re:If the owner controls all the keys, it's fine by Alsee · · Score: 1

      I am a programmer. I have read the Trusted Platform Module technical specification from cover-to-cover (332 pages of TCPA_Main_TCG_Architecture_v1_1b.pdf) plus numerous surrounding technical specifications.

      There is nothing wrong with hardware assisted security if the owner controls all the keys

      There is nothing wrong with hardware assisted security if the owner is allowed to know all his keys.
      Knowing his keys then provides full control of them.

      The specification explicitly forbids the owner to know his own master keys. It explicitly denies him full control over his own keys. He only has the limited restricted control over his keys that the Trusted Computing Group permits him to have.

      Imagine the exact same hardware design as Trusted Computing, except we allow the owner to have a printed copy of his master keys if he wants them. In technical specification terms, "his master keys" means his PrivEK (Private Endorsement Key) and his RSK (Root Storage Key). Since the hardware is identical, it would have identical capabilities to secure the computer for the owner. Such a system would provide exactly the benefits you cite. With the owner having the option to have his printed master keys, he would indeed be in full control of his computer and his security. His computer could then never be locked against him or abused against him. He would be able to unlock, modify, or override any security on his own computer if he wished. Which of course would make the system useless for DRM and useless for vendor lock-in or any sort of lock-out or any other sort of anti-owner schemes.

      Trusted Computing is only bad if the owner of the hardware does not have control over the software on the machine, the hardware keys etc.

      Right. Trusted Computing is bad.
      Let the owner have a printed copy of his own master keys and then you have a system that is legitimate and reasonable and good and useful.

      The explanation of Trusted Computing, the answer to Trusted Computing, is short and simple:
      "I want my master keys. No keys, NO SALE! "

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    23. Re:If the owner controls all the keys, it's fine by fjhb · · Score: 1

      When you say "control", it seems you conveniently forget to specify what control means. Does the chip contain a so-called OWNER-OVERRIDE mechanism? If it doesn't, by definition it's a Treacherous Chip. A device specifically designed NOT to obey you. And everything else you pretend about this "being all right" is pure fallacy.

      For those of you who don't know what "owner override" means, it's simple: when your chip has someone else's key (and thus the trust chain brings you an OS that is trusted by someone else (== treacherous to you)), there's a magic jumper in the chip that makes it sign everything and approve everything. Of course, only the owner can toggle it. The Treacherous Computing Group was proposed an owner-override mechanism and they rejected it. It should come as no surprise: one of the purposes of their fallacious scheme is to provide users with a system someone else controls, and coerce those who don't want it into accepting it via network effects.

      So the bottom line is: when you need your computer to be treacherous in order to get the unlock key for a Microsoft Office document, how the hell are you going to open that document?

      Bullshit. That is what "Trusted" means to everyone who values their freedom.

    24. Re:If the owner controls all the keys, it's fine by Rich0 · · Score: 1

      If it were possible to falsify an attestation message, then sysadmins wouldn't be able to remotely verify the software their systems are running, which is the goal of the TC committee members like IBM and Intel (who don't care about DRM but do care about security

      Note that I said any SYSTEM OWNER - not anybody who happens to log into the computer.

      Sysadmins can rest assured their systems are running just fine. They'd be the only ones able to falsify attestation messages on their own PCs.

      It's much better to be able to generate a new random key than to get a dump of the existing key. The latter voids all semblance of security.

      I'm not convinced of this. Key escrow and management is generally considered an important part of any encryption solution. Suppose something goes wrong and you want to be able to recover a hard drive - perhaps the motherboard was smashed and you need to get at data on the hard drive of a PC that uses TPM.

      Also - PCs using TPM should be issued with random keys and without any certificates (i.e. their trust state should be a clean slate) - not with certificates issued by whoever made them. Otherwise anybody who does "take ownership" of their PC will suddenly find themselves locked out of just about any kind of multimedia in the future - and who knows what else. If this becomes the norm then it will be a feature that nobody will be able to use - hence eliminating its value...

    25. Re:If the owner controls all the keys, it's fine by swillden · · Score: 1

      Sysadmins can rest assured their systems are running just fine. They'd be the only ones able to falsify attestation messages on their own PCs.

      Assuming no one has taken control of their machine -- which is the whole point of attestation; having a way to verify that no one has tampered with your box, and to be able to do so remotely.

      I'm not convinced of this. Key escrow and management is generally considered an important part of any encryption solution.

      This does not contradict what I said. No competent key management or key escrow system ever exposes keys. They're always protected by another HSM's private key, which never exists outside the device in any form. If it's necessary to recover a key, then some key escrow systems will actually decrypt and reveal it. Better systems won't reveal a key in the clear even then, but will only perform decryption operations using it, or perform a secure key transfer process to another secure module. And, in any case, prior to the recovery operation the key should still never exist in the clear.

      Also - PCs using TPM should be issued with random keys and without any certificates (i.e. their trust state should be a clean slate) - not with certificates issued by whoever made them.

      The certificate does nothing more than certify that the key in question was created by and is only stored in a TPM. That certification is necessary to assure that an attestation actually comes from the TPM -- unless you happen to know the TPM's public key or have certified it yourself. This could be done, certainly, but it's an inconvenience. If it's important to you, when you get a machine you can clear the existing TPM attestation key and then store or certify the new public key yourself. So you can achieve exactly what you asked for, if you want.

      Otherwise anybody who does "take ownership" of their PC will suddenly find themselves locked out of just about any kind of multimedia in the future - and who knows what else. If this becomes the norm then it will be a feature that nobody will be able to use - hence eliminating its value...

      To be clear, "Take Ownership" clears and regenerates the TPM's master key, not its attestation key. A separate command is used for that and, indeed, it is not recommended that those who wish to participate in DRM schemes ever issue this command to their TPM.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    26. Re:If the owner controls all the keys, it's fine by Rich0 · · Score: 1

      Assuming no one has taken control of their machine -- which is the whole point of attestation; having a way to verify that no one has tampered with your box, and to be able to do so remotely.

      How is a PAPER copy of the machine's private key in the box the machine came in going to help a hacker who has taken control of the machine defeat attestation? The sysadmin would lock it up in a safe - without the piece of paper the mechanism could not be defeated. The goal is to allow a computer owner to defeat the mechanism if they feel the need, while still allowing the full utility of attestation TO THE MACHINE OWNER.

      I still assert that machines not be distributed with certified keys. If a sysadmin wants to certify the validity of TPM modules they can do so on their own - this won't really deter any legitimate use of TPM - just the DRM aspects.

    27. Re:If the owner controlls all the keys, its fine by swillden · · Score: 1

      How is a PAPER copy of the machine's private key in the box the machine came in going to help a hacker who has taken control of the machine defeat attestation?

      How did the key get on the paper? How did the paper get to you? How do you know that it wasn't compromised long before the machine was delivered?

      The goal is to allow a computer owner to defeat the mechanism if they feel the need, while still allowing the full utility of attestation TO THE MACHINE OWNER.

      If you think that's possible, you're insufficiently paranoid.

      In any case, there's no need to provide keys on paper to eliminate any concern that others could use the key. As I've already pointed out, you can simply instruct your TPM to generate a new attestation key. The TPM will only give you the public key, but that's fine because you don't need the private key, and you have a stronger assurance of security that way. Your new key won't be certified, but as long as you're willing to certify it yourself, or simply record the public key value, you don't need it to be certified.

      I still assert that machines not be distributed with certified keys. If a sysadmin wants to certify the validity of TPM modules they can do so on their own - this won't really deter any legitimate use of TPM - just the DRM aspects.

      It will inconvenience legitimate use of the TPM. It's an inconvenience for admins that manage large numbers of machines. It will also eliminate the ability of, for example, your stock brokerage to remotely check the security of your machine before allowing large transactions. There are lots of legitimate uses for remote attestation.

      I still assert that the way to defeat DRM is simply not to accept it.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    28. Re:If the owner controlls all the keys, its fine by Rich0 · · Score: 1

      It will also eliminate the ability of, for example, your stock brokerage to remotely check the security of your machine before allowing large transactions. There are lots of legitimate uses for remote attestation.

      Ie, the ability for your stock brokerage to turn away customers using anything other than a few flavors of windows with their preferred web browser. For remote attestation to be of any use companies are forced to pick particular software vendors that they want to prefer. Within an organization that is fine - if I deploy 1000 machines I know what I imaged them with. However, once you leave the organization boundary it isn't appropriate for outsiders to dictate what software you use.

      It still drives me nuts that I have to boot up vmware to run half the windows software I can't find a viable linux replacement for. If remote attestation takes off I won't even be able to do that - I'd need windows running natively on blessed hardware. A dual-boot loader might even potentially mess up the chain of trust - we're talking about dedicated hardware, or using boot CDs to access linux.

      Computers shouldn't be tattling on their owners. Sure, I can defeat this on my own computer, but if 99% of the population doesn't then suddenly my ISP thinks I have a virus, my bank won't do business with me, and I can't watch videos on youtube (hmm - I guess no major loss there). Suddenly you're effectively punished by not running the exact same software as everybody else...

    29. Re:If the owner controlls all the keys, its fine by swillden · · Score: 1

      Ie, the ability for your stock brokerage to turn away customers using anything other than a few flavors of windows with their preferred web browser.

      Actually, no. The key component that makes attestation practical is virtual machines. The brokerage could provide its own secure VM (no OS, just the core functionality required, so it's very small) that lives on top of a standard hypervisor. Any operating system could be running -- the brokerage would have no reason to care. As long as the hypervisor and special-purpose VM hash to the correct values, you're golden.

      It still drives me nuts that I have to boot up vmware to run half the windows software I can't find a viable linux replacement for. If remote attestation takes off I won't even be able to do that - I'd need windows running natively on blessed hardware.

      No, you need to go read more about how TC interacts with hardware-supported virtualization, and about how a hypervisor can make services provided by one VM available to a set of others.

      It'll take many years for this technology to mature, but hardware-assisted virtualization is going to hugely change the software architecture of your PC. Talk to someone who has spent a few years working with mainframe virtualization (where this is all very well-developed) to see where we're headed. The TC stuff will come along with it, because TC really isn't practical without extensive use of virtualization.

      On an unrelated topic, I think I may finally be able to get rid of my Windows VM. I do have one, just in case, but I don't think I need it any more. Until recently, I had to have it at least every few weeks to access some Lotus Notes database or other (I used fetchnotes to pull my Notes mail into my Linux mailbox), but now that Notes 8 has come out, I have a native Linux Notes client. I'm not much of a gamer so Linux has plenty for my very occasional gaming, my employer (IBM) is doing a reasonably good job of making all the internal, custom apps I need functional on Linux (mostly web apps anyway), and my hobbies are pretty well-supported on Linux... so no Windows for me, not even in a VM.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    30. Re:If the owner controlls all the keys, its fine by Rich0 · · Score: 1

      The brokerage could provide its own secure VM (no OS, just the core functionality required, so it's very small) that lives on top of a standard hypervisor. Any operating system could be running -- the brokerage would have no reason to care. As long as the hypervisor and special-purpose VM hash to the correct values, you're golden.

      Sure, and that would be fine, but:

      1. I have to trust the hypervisor - I don't get any choice there. In theory if it is minimal and FOSS that isn't a problem. Of course, it sounds like it might be GPL-3 incompatible due to the anti-tivoization clauses (it probably would depend on implementation, and it could lead to a GPL-4 to intentionally break compatibility depending on how this goes).

      2. MS has to decide to promote the hypervisor. Otherwise this is all a pipe dream.

      3. Instead of apps running on an OS we now have dozens of applications BEING their own OS. Everybody has their own TCP stack, GUI, etc. If this stuff moves to the hypervisor then it is no longer merely a hypervisor - it is an OS.

      4. Everybody has to create these runs-on-bare-hypervisor apps instead of just using Palladium, which is what will most likely happen in actuality.

      This idea sounds nice and in a hypothetical sense addresses my concerns, but it isn't likely to become reality. What is likely to become reality is that Vista becomes the hypervisor, and at best I might be able to run linux in a VM on vista - not the other way around.

    31. Re:If the owner controlls all the keys, its fine by swillden · · Score: 1

      Instead of apps running on an OS we now have dozens of applications BEING their own OS. Everybody has their own TCP stack, GUI, etc. If this stuff moves to the hypervisor then it is no longer merely a hypervisor - it is an OS.

      No, VMs can provide services to one another through the hypervisor. I'd expect the TCP stack will be in the VM considered to be "The OS". I'd expect nearly all applications to run in this OS VM as well, some of them using security services from other VMs.

      This idea sounds nice and in a hypothetical sense addresses my concerns, but it isn't likely to become reality. What is likely to become reality is that Vista becomes the hypervisor, and at best I might be able to run linux in a VM on vista - not the other way around.

      Vista will never function in the sort of environment I'm talking about. Doing this is going to require a radical restructuring of how an operating system works. I expect FLOSS to get there first.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    32. Re:If the owner controlls all the keys, its fine by Rich0 · · Score: 1

      No, VMs can provide services to one another through the hypervisor. I'd expect the TCP stack will be in the VM considered to be "The OS". I'd expect nearly all applications to run in this OS VM as well, some of them using security services from other VMs.

      Doesn't being able to communicate through the hypervisor turn the hypervisor into essentially a microkernel? The whole point of a hypervisor is that it completely isolates the OSes that run under it. When various components under the hypervisor talk to each other but are generally protected from each other we call those components applications, and the "hypervisor" is called an OS. How is your proposed hypervisor any different from a microkernel-based OS, such as Windows? And if an application has to rely on various components to do its job, how is that different from what we have today - just as many opportunities for security holes...

      Vista will never function in the sort of environment I'm talking about. Doing this is going to require a radical restructuring of how an operating system works. I expect FLOSS to get there first.

      I think the idea is that it is more-or-less already there - Vista IS the "hypervisor" you describe. It just isn't a hypervisor, but neither is what you propose. It will eventually support remote attestation of applications running under it, and it is designed to provide security to the individual applications running on top of it. Of course, we can question whether this security is airtight, but that is true of ANY particular software implementation - particularly a complex one. A very thin but impenetrable hypervisor can in theory be made fairly secure, but you're not proposing a very thin hypervisor but essentially a fairly complex and porous one.

      The bottom line is that I don't want the companies I do business with dictating what software I use to do business with them. If they want to recommend or support a given set of software that is of course fine, but they shouldn't be able to enforce my usage of that software...

    33. Re:If the owner controlls all the keys, its fine by swillden · · Score: 1

      Doesn't being able to communicate through the hypervisor turn the hypervisor into essentially a microkernel?

      Depending on your definition of "microkernel", then yes. The hypervisor provides message-passing services.

      How is your proposed hypervisor any different from a microkernel-based OS, such as Windows?

      Windows isn't a microkernel, under any definition of microkernel that I'm familiar with. The Windows kernel *contains* a microkernel, but only as an architectural construct. All the stuff that's in a typical full monolithic kernel runs in kernel mode right along with the microkernel, with full ability to subvert the microkernel.

      I think the idea is that it is more-or-less already there - Vista IS the "hypervisor" you describe. It just isn't a hypervisor, but neither is what you propose. It will eventually support remote attestation of applications running under it, and it is designed to provide security to the individual applications running on top of it.

      It can't, it's way too big. There are, and always will be, far too many opportunities to compromise it. Keep in mind that in order for TC to work, you have to have *stable* hash values. Every time you patch the kernel, the hash changes and you have one more "trustworthy" attestation value to check. Further, Windows has way too much stuff running in kernel mode, and way, way too much stuff running in user mode with system and daemon-level permissions (essentially, root). There's no way Vista can provide any serious security to any applications running under it, because Vista is a huge block of swiss cheese.

      Linux, *BSD, Darwin, and even Solaris are no better, at least from a theoretical standpoint. As a practical matter some of them are more carefully implemented than others, with fewer security holes, but none of them provides the "never have to patch this" level of security that facilitates TC.

      A very thin but impenetrable hypervisor can in theory be made fairly secure, but you're not proposing a very thin hypervisor but essentially a fairly complex and porous one.

      Nope, I'm proposing (actually, not me, I'm just parroting -- hopefully accurately -- what I've read in bits and pieces elsewhere) a very thin hypervisor. It provides:

      • Assignment of resources (RAM, mainly) to VMs
      • Assignment of I/O devices to VMs
      • Message-passing services between VMs
      • Context switching between VMs

      Note, however, that although the hypervisor provides these services, it's not necessary for the hypervisor to implement *any* of the policy, which allows it to remain very thin. It doesn't have to determine which VM can access which I/O device, it just provides the access. Instead, it delegates assignment and access control policies to a "control" VM (aka, The Operating System).

      The bottom line is that I don't want the companies I do business with dictating what software I use to do business with them.

      I understand your goal, and I agree with it. I just think your approach -- arguing that this stuff is bad on /. -- is ineffective and unnecessary. The right approach is to refuse to accept their dictation, and educate others to do the same.

      Keep in mind that you *can't* stop the technology. The most important pieces of it are the virtualization support and the BIOS/EFI support, and they're already in all new machine architectures rolling off the assembly lines today. The TPM is in most of them, too, but that doesn't matter because the TPM can be a USB dongle that you plug in if you want. Even if machines are sold without it, it's cheap enough and simple enough to install that if companies found it useful they could just give them to consumers.

      Also, the technology has lots of benefits that the more security-minded among us are salivating over. Accept the tech, fight its misuse.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  3. Huh? by fitten · · Score: 2, Insightful

    With the absence of proprietary code in the mix users will find themselves more inclined to trust their own administrators to make the best choices

    Proof of this statement?
  4. What does Trusted Computing mean? by Ed+Avis · · Score: 0, Redundant

    As I understand it, the meaning of Trusted Computing is not that the system administrator will be able to provide a locked-down system. That has long been available with ordinary security measures on Linux and other systems. Rather it means that even the system administrator - even the owner of the computer - will not be able to make the computer do what he wishes rather than what the record industry or movie studios want it to do. This is done by Intel or others supplying some special hardware which won't reveal its private encryption key unless it detects that authorized, signed code is running. Not authorized by the legitimate owner of the computer who is Intel's customer - no, that wouldn't do at all. Rather, that the code is signed by some third party such as Microsoft and there is a secure boot sequence to prevent 'tampering' (i.e., the computer's owner trying to reprogram his or her system).

    I don't think the author of the article has understood what Trusted Computing means at all. He is just talking about thin clients and locked-down systems in school environments, which is not really the same thing.

    --
    -- Ed Avis ed@membled.com
    1. Re:What does Trusted Computing mean? by MyLongNickName · · Score: 1

      I thought the same thing when I first read it. However, it is entirely possible that there are simply two different definitions for the same phrase. Anyone with a better insight on this?

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    2. Re:What does Trusted Computing mean? by cpuh0g · · Score: 2, Informative

      You do not understand trusted computing. It is not about locking down your system.

      It is a common fallacy that the primary goal of trusted computing is to enable DRM so the movie studios/RIAA controls your computer. This is simply not true. Trusted computing provides methods by which you, the owner and administrator of your computer, can KNOW, by having a chain of trust that is anchored by keys securely stored on a TPM chip soldered to the motherboard, that the software and hardware in your system has not been tampered with. One *could* use this to enable DRM or other user-unfriendly schemes, but there are many other use cases for trusted computing. Think e-commerce where you can verify the other system and it can verify yours to make sure neither end has been compromised prior to making a transaction.

      Policy decisions are made based on the measurements that are returned by the verification process. Trusted Computing does not dictate the policies. If someone (or some company) wants to abuse the system and lock people out of their systems, then that would be bad policy and a bad implementation of TC concepts, but it doesn't mean that all TC applications are bad or are designed to restrict the user's ability to manage their systems as they see fit.

    3. Re:What does Trusted Computing mean? by Cyberax · · Score: 2, Informative

      No, "trusted computing" means that hardware can guarantee the integrity of the environment. For example, I'd like to use the TPM chip in my Thinkpad to guarantee that my machine will boot only kernels signed with MY key. Also, I very much like the hardware keyring.

      Trusted computing is only a problem when YOU are not the owner of the machine and don't have full control over the TPM module on a new computer (of course, once the TPM is set up it shouldn't be possible to change it without the owner's keys).

    4. Re:What does Trusted Computing mean? by Anonymous Coward · · Score: 0

      The absolutely brutal quality of the moderation taking place in this thread is a great argument for the importance of meta-moderation.

    5. Re:What does Trusted Computing mean? by foobsr · · Score: 1

      It is different views of the same thing. Corporate entities (e.g. M$) put the (marketed) emphasis on 'trust' while those concerned with freedom (e.g. EFF) on the possibility of 'control'. Now decide whom you 'trust'.

      CC.

      --
      TaijiQuan (Huang, 5 loosenings)
    6. Re:What does Trusted Computing mean? by Hatta · · Score: 1

      Think e-commerce where you can verify the other system and it can verify yours to make sure neither end has been compromised prior to making a transaction.

      I'm thinking about it, and I don't like it. I can do all my e-commerce today with a free and open system. If my bank demanded I have my OS/browser signed by some certificate authority I couldn't do that. I can't think of any use of this technology that doesn't hurt the software hobbyist.

      --
      Give me Classic Slashdot or give me death!
    7. Re:What does Trusted Computing mean? by Hatta · · Score: 1

      Trusted computing is only a problem when YOU are not the owner of the machine

      i.e. when you're using services over a network. What happens when Microsoft pushes their TPM out and people get used to serving pages only to trusted peers? You thought "this site only works in IE" was bad? Try "this site is cryptographically impossible to read without a full trusted IE/windows system". And it's done all in the name of security.

      --
      Give me Classic Slashdot or give me death!
    8. Re:What does Trusted Computing mean? by Cyberax · · Score: 1

      MS has already done it with Vista x64 - it doesn't allow you to install unsigned drivers. TPM will also allow them to be sure that the kernel is not tampered with during startup. But I don't think it adds too much security for evil DRM schemes.

      But personally, I'd like to have the same capability to be sure my system is not tampered with by the NSA when they examine my laptop at an airport :)

    9. Re:What does Trusted Computing mean? by Ed+Avis · · Score: 1

      Yes, there are good uses and bad uses. The technology can certainly be put to work for the user's benefit. Indeed, most digital rights management is altruistic in some sense, since it prevents the user from accidentally infringing copyright and perhaps even committing a crime, which they surely would not want to do.

      The fundamental argument is not whether good or bad policies are possible, but about freedom and whether you have control over your own computer. If doing e-commerce, can I program my computer to lie and send back a response saying it is not tampered with even when I have changed the software? If I cannot do this, then I no longer have control over the computer and it is no longer my computer. However, the other end of the e-commerce transaction would be foolish to rely on this no-tampering check. Even if ordinary users cannot break the security on the TPM module, a determined criminal organization probably could.

      --
      -- Ed Avis ed@membled.com
    10. Re:What does Trusted Computing mean? by cpuh0g · · Score: 1

      If doing e-commerce, can I program my computer to lie and send back a response saying it is not tampered with even when I have changed the software? If I cannot do this, then I no longer have control over the computer and it is no longer my computer.

      If you *CAN* do what you describe, then your system cannot and should not be trusted in a trusted computing transaction. Providing a provable, secure chain of trust is the fundamental reason for having a TC base. If you can arbitrarily corrupt this chain by "programming your computer to lie", then all bets are off and the trust model is irrevocably broken.

      Perhaps the e-commerce use case is not the best example. Perhaps TC will never be acceptable on personal computers for general purpose uses. However, there are business cases where neither party has reason to 100% trust the other without a verifiable chain of trust measurements from the other that can be validated. In those situations, a TC transaction is perfectly reasonable and highly desirable.

      I would never say "never", but in general the security of TPMs, and HSMs in general, are resistant to attacks by even the most determined criminals. There will be bugs and there will be exceptions on rare occasion, but they are the best that the industry has to offer at this time. Assume that if they have passed the strict reviews required to be used by NSA, CIA, foreign governments, and the financial industries, that they are pretty fucking solid and tamper proof.

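A toy model of the attestation flow this thread keeps circling back to (the owner-regenerated attestation key from comment 27, the "can I program my computer to lie" question just above, and the patched-kernel hash problem raised in comment 33), added here as an example rather than code from any of the posters. The TPM, the RSA signing, and the hypervisor and brokerage VM "images" are all simplified stand-ins; the checks the relying party performs (fresh nonce, signature by the enrolled key, PCR on an allowlist of known-good values) are the substance.

```python
# Toy model of TPM-style remote attestation (added example, not code from the thread). Textbook
# RSA over SHA-256 stands in for the real TPM signing scheme; all sample values are constructed.
import hashlib
import secrets

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _is_probable_prime(n: int, rounds: int = 32) -> bool:  # Miller-Rabin, odd n > 3
    r = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 == 2**r * d with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full bit length
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits: int = 512):  # returns ((n, e), d) for a toy RSA key
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), pow(e, -1, phi)

def rsa_sign(d: int, n: int, msg: bytes) -> int:
    return pow(int.from_bytes(sha256(msg), "big"), d, n)

def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == int.from_bytes(sha256(msg), "big")

def expected_pcr(stages) -> bytes:  # PCR after booting exactly these stages, in this order
    pcr = bytes(32)  # zeroed at power-on
    for code in stages:
        pcr = sha256(pcr + sha256(code))  # extend: PCR <- H(PCR || H(stage)); never "set"
    return pcr

class SimulatedTPM:
    def __init__(self):
        self.pcr = bytes(32)
        self.aik_pub, self._aik_priv = generate_keypair()  # "factory" attestation key

    def boot(self, stages):  # power cycle, then each stage is measured into the PCR
        self.pcr = expected_pcr(stages)

    def regenerate_aik(self):  # owner discards the factory key; only the public half comes out
        self.aik_pub, self._aik_priv = generate_keypair()
        return self.aik_pub

    def quote(self, nonce: bytes):  # sign the current PCR bound to the verifier's fresh nonce
        return self.pcr, nonce, rsa_sign(self._aik_priv, self.aik_pub[0], self.pcr + nonce)

class Verifier:  # the relying party (the brokerage in the thread)
    def __init__(self, enrolled_aik_pub, approved_chains):
        self.aik_pub = enrolled_aik_pub  # recorded by the owner, no manufacturer certificate
        self.known_good = {expected_pcr(c) for c in approved_chains}

    def check(self, quote, nonce: bytes) -> str:
        pcr, quoted_nonce, sig = quote
        if quoted_nonce != nonce:
            return "nonce-mismatch"  # replay of an older quote
        if not rsa_verify(self.aik_pub, pcr + quoted_nonce, sig):
            return "bad-signature"  # not signed by the enrolled attestation key
        if pcr not in self.known_good:
            return "unknown-measurement"  # e.g. a patched kernel the admin has not approved yet
        return "ok"

HV_V1, HV_V2 = b"thin hypervisor build 1 (constructed)", b"thin hypervisor build 2 (constructed)"
BROKER_VM = b"brokerage special-purpose VM (constructed)"  # sample "images"; real ones hash code

def demo() -> dict:
    tpm = SimulatedTPM()
    verifier = Verifier(tpm.regenerate_aik(), [[HV_V1, BROKER_VM]])
    out, nonce = {}, secrets.token_bytes(16)
    tpm.boot([HV_V1, BROKER_VM])
    good = tpm.quote(nonce)
    out["known_good_boot"] = verifier.check(good, nonce)
    out["replayed_quote"] = verifier.check(good, secrets.token_bytes(16))
    # A host "programmed to lie" claims the approved PCR but holds no enrolled private key.
    (rn, _), rd = generate_keypair()
    out["forged_quote"] = verifier.check((good[0], nonce, rsa_sign(rd, rn, good[0] + nonce)), nonce)
    # Patching the hypervisor changes the hash; rejected until the admin adds the new value.
    tpm.boot([HV_V2, BROKER_VM])
    out["patched_before_approval"] = verifier.check(tpm.quote(nonce), nonce)
    verifier.known_good.add(expected_pcr([HV_V2, BROKER_VM]))
    out["patched_after_approval"] = verifier.check(tpm.quote(nonce), nonce)
    return out
```
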
    11. Re:What does Trusted Computing mean? by Anonymous Coward · · Score: 0

      You do not understand trusted computing. It is not about locking down your system.

      It is a common fallacy that the primary goal of trusted computing is to enable DRM so the movie studios/RIAA controls your computer. This is simply not true.

      If that's true, why do TC chip makers refuse to consider the option of Owner override? That would leave you in full control, while voiding any third party's attempt to lock down your system.

    12. Re:What does Trusted Computing mean? by Kjella · · Score: 1

      Trusted computing is only a problem when YOU are not the owner of the machine and don't have the full control over the TPM module

      You mean like, all the time? Because you'll never know the TPM root key, so if there's any TPM'd operating system/application/content you'd like to use, there's no off switch. For building a secure network you just need things signed with your private key telling your master computer, which trusts your key. There's absolutely no need to build any PKI. Instead we got a global "trusted" root that makes sure the software can trust the host, not that the host can trust the software. It's the ultimate in usage restrictions - I can send you a document that you can't print and that'll self-destruct in three days, and your options are only to accept it or not receive it at all. Your computer is everyone else's bitch, can I put it simpler?

      --
      Live today, because you never know what tomorrow brings
    13. Re:What does Trusted Computing mean? by Cyberax · · Score: 1

      Why? I DO know my root key to the TPM - I can view all stored keys and manipulate them. After all, it's no more than a hardware keystore and some validating code.

      The goal of TPM is to build a secure HOST. I.e. the one which I can trust to be secure during all stages (for example, TPM can guarantee that a malicious hacker has not installed a backdoor into my kernel).

    14. Re:What does Trusted Computing mean? by tepples · · Score: 1

      The goal of TPM is to build a secure HOST. I.e. the one which I can trust to be secure during all stages (for example, TPM can guarantee that a malicious hacker has not installed a backdoor into my kernel).

      For values of "I" that represent the operating system publisher, this is correct. For example, Linux phones might use hardware similar to TPM to verify that they aren't running unauthorized apps.

    15. Re:What does Trusted Computing mean? by big_paul76 · · Score: 1

      "It is a common fallacy that the primary goal of trusted computing is to enable DRM so the movie studios/RIAA controls your computer."

      Yeah, just like how it's a common fallacy that the primary goal of scientists that worked on the Manhattan Project was to incinerate civilians. They were just working on a way to make a bomb from nuclear reactions. That could be used for a variety of purposes, like major earthmoving (actually proposed by Teller, BTW), or it could be used to attack cities.

      Seriously, all sarcasm aside, that's a pretty narrow reading of how new technologies develop, and their effects. And, in fact, it probably wasn't foreseeable to most people that the primary (really, only) use of nukes would be to incinerate cities. But that in fact did happen.

      So let's not pretend technology is neutral, OK? It is in a sense, but 'once you invent a hammer, everything starts to look a lot like a nail'. The tech you have available shapes your perceptions and range of options.

      This is a tech that has some pretty orwellian potential uses. Let's not kid ourselves about what it's most likely to be used for. Prevent piracy, crack down on whistleblowers, and the ability of employers and/or governments to issue secret orders, in writing.

      --
      The plural form of "anecdote" is "anecdotes", not "evidence".
    16. Re:What does Trusted Computing mean? by Cyberax · · Score: 1

      No, "I" is the computer user very paranoid about security.

      Of course, phone manufacturers might also use TPM for Tivoisation. But it's far easier just to use a simple signed first stage bootloader for the same effect.

    17. Re:What does Trusted Computing mean? by Alsee · · Score: 1

      It is a common fallacy that the primary goal of trusted computing is to enable DRM so the movie studios/RIAA controls your computer.

      Actually that is precisely the functional design target of Trusted Computing, as the following will demonstrate.

      Trusted computing provides methods by which you, the owner and administrator of your computer, can KNOW, by having a chain of trust that is anchored by keys securely stored on a TPM chip soldered to the motherboard, that the software and hardware in your system has not been tampered with

      A cyanide-laced apple provides you vitamins and minerals, however it would obviously be silly to suggest that as a valid benefit/argument for cyanide-laced apples. "Provides you vitamins and minerals" is a benefit and argument for apples.

      In the exact same way, your example is NOT a benefit or argument for Trusted Computing. You do not need Trusted Computing to get the "vitamins and minerals" you described.

      Consider identical hardware, except the owner of the computer is permitted to have a printed copy of the master keys of his own computer. In technical specifics, that would be his PrivEK (Private Endorsement Key) and his RSK (Root Storage Key). Such a system would have identical capabilities to secure your computer for you. KNOWING your own key does not alter the hardware's functionality to serve and protect you.

      Knowing your key still gives you all the yummy vitamins and minerals, and it also gives you full control over your computer. You could control/alter/override your security settings at will, and you could unlock or modify your files at will. It would no longer be Trusted Computing. You would own and control your own computer. And of course this new hardware would then be useless to anyone attempting to hijack the system to secure your computer AGAINST you. It would be useless for DRM. Which is exactly why the most important factor running through the entire Trusted Computing technical specification is that the owner is FORBIDDEN to ever know his own master key, and why most sections of the specification explicitly detail how that part of the design is required to be restricted in order to prevent any possibility of the owner getting at his key.

      The Trusted Computing Group absolutely refuses any change that would diminish its ability to enforce DRM. The entire design revolves around securing the computer against the owner. I read the 332 technical specification, and it's funny how exactly various sections target DRM without actually using the phrase 'DRM'. One section goes into detail about how it is explicitly forbidden for it to ever be possible to have copies of data on two computers at the same time and the insane hoops that are required to be jumped through during a computer upgrade / migration process to enforce that. Another section detailing that your data MUST be irretrievably lost/destroyed in a variety of circumstances. All of which read precisely as a DRM specification.

      Think e-commerce where you can verify the other system and it can verify yours

      Nope. It's worse than worthless for that, or anything else of any significance. Yes, literally worse than worthless. It is actually harmful for e-commerce and anything of any importance. The system is required to meet DRM demands, and no more.

      They actually tout the fact that the system is not secure against physical modification as some sort of "proof" that it was not designed for DRM, lol. They have all sorts of requirements about physically securing the computer against the owner (at one point they even explicitly refer to the OWNER as the "attacker" that they are securing against), however it is just enough physical security for routine DRM... just enough physical security to be a serious pain in the ass for any typical home individual to defeat. Just enough to enforce run of the mill DRM against 99+% of the home population, and to criminally prosecute anyone 'trafficking' in modified hardware. But the specification says, and the actual hardware

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  5. Re:O RLY? by webmaster404 · · Score: 2, Insightful

Which is why, if you're that paranoid, you look at the source yourself and compile it from that source. It's not that hard, and there is no way that you somehow got code you didn't want. If you overlooked something, that is your fault: you compiled it, you looked over the source. That's something you can't do in the Windows world with stealth updates and the like.

    --
    There is no "disagree" moderation, and troll, flamebait and overrated are not valid substitutes
  6. Re:O RLY? by McDutchie · · Score: 1

    Read it again, you're not getting it. The issue is whether you can trust the compiler to produce machine code that corresponds to your source code.

  7. Re:O RLY? by jimstapleton · · Score: 1

You didn't even read the quote? The only way to bypass this is to hand build the compiler in binary. You won't *EVER* see the attack because it's in the compiler's binary, and the compiler puts it in the binary of any compiler it compiles - even if it is not in the source of the compiler it compiles.

    Good luck with that.

    --
    34486853790
    Connection too slow for X forwarding? Try "ssh -CX user@host"
  8. Trusted Computing is by definition closed. by Spy+der+Mann · · Score: 4, Insightful

Or are the users getting their CPUs' source code and recompiling them? Or at least calling their LinCPUx fans to do it for them?

    Trusted Computing requires trusting the CPU manufacturer in the first place. And in this world, where the telcos have disclosed our conversations to the govt without us finding out but several years later, can we really trust that the government hasn't pressured the CPU makers to add a backdoor here and there?

    Trusted Computing is practically closed, and incompatible with the spirit of Open Source/Free Software. Ergo, Trusted Computing cannot be trusted. Sorry.

    1. Re:Trusted Computing is by definition closed. by Chrisq · · Score: 1

wire your own computer out of logic gates!

    2. Re:Trusted Computing is by definition closed. by stinerman · · Score: 1

      As others have commented, the gentleman in the article is using TC in a way that isn't the same as we have come to know it. It seems like he's talking about your admin having root access on your box, rather than the DRM controls. Since he's speaking about the former, this really isn't anything new. Most business users don't have admin access to their own PCs. This is standard practice.

      In principle, there is nothing wrong with TC, so long as the owner of the PC has the private keys. But this scenario is little more than having root access to one's own box, which is the standard for most home users.

    3. Re:Trusted Computing is by definition closed. by swillden · · Score: 1

      Trusted Computing requires trusting the CPU manufacturer in the first place.

      Actually, TC has almost nothing to do with the CPU. The TC Trusted Platform Module (TPM) is a separate device that is just another peripheral. Most implementations sit on the USB bus.

      Trusted Computing is practically closed, and incompatible with the spirit of Open Source/Free Software. Ergo, Trusted Computing cannot be trusted. Sorry.

      Not true. TC is an open specification, and can be used to implement all sorts of different security policies. The TPM is just a peripheral that provides three services:

      • Hashing of data sent to it. Coupled with TC-aware BIOS this can be used to construct a hash that represents the boot state -- essentially a hash of all security-sensitive code that is running.
      • Binding of keys or other data elements to a specific hash state. Basically, the TPM will encrypt a key (or something) with a secret that combines the current hash value with an internal master key. That way you can only decrypt the stuff when you're booted into that "state" (have that hash value).
      • Remote attestation of state and other data elements. The TPM has a public/private key pair and the public key is certified by the TPM manufacturer. The TPM will use the private key to sign the current state along with some other data, and application software can then send this signed data and the cert to an external party.

      That's it. Nothing to do with the CPU, and nothing inherently evil.

      Using this technology -- especially combined with the new virtualization-capable CPUs[*] -- you can construct all sorts of security policies and enforce them with *very* strong guarantees. Some people want to use this technology to build unbreakable DRM. Others want to make systems that are uncrackable, even if the attacker has root.

      TC is just a tool, and like any tool it can be used for good or evil purposes.

      [*] Where virtualization-capable CPUs come in is that with a hypervisor running many small virtual machines you can get around the inherent insecurity of large, complex pieces of software. Given a full OS, plus a full set of run-time libraries, plus some app software, odds are that *somewhere* in the chain there will be a buffer overflow or some other weakness an attacker can exploit. And if you can get the authorized software (the stuff that hashes to the "right" value) to do your bidding, you're golden. With a VM the idea is that you can write an extremely minimal "on-the-bare-metal" kind of application that runs on virtualized hardware. You make this application as simple as possible to minimize the chance of holes. Then, you arrange to hash the code of this virtual machine code while you fire it up, and bind the necessary secrets to that state. Now those secrets are only available to that virtual machine, which is, hopefully, lean and tight enough to be secure.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:Trusted Computing is by definition closed. by cerberusss · · Score: 1

      I don't fear this too much. Suppose this actually happens, i.e. one CPU manufacturer sells CPUs with a "backdoor". Whatever this may be, it allows some level of remote control over the PC.

      This is almost certainly discovered. Let's suppose we can't choose for the competitor, because they're in a big conspiracy.

Making CPUs isn't that hard. It's making them the fastest and the cheapest that's hard. There are open source processor designs available, like the LEON core. There are lots of producers of FPGAs on which the LEON core can be synthesized. There are a number of Linux distros which run on the resulting CPU.

      So, when the going gets tough, the tough synthesize their own CPU. :-)

      --
      8 of 13 people found this answer helpful. Did you?
    5. Re:Trusted Computing is by definition closed. by Walter+Carver · · Score: 1

And in this world

In this country, not world. Although I am afraid it's becoming a trend. I agree with the rest of your post.
  9. In Soviet Russia... by JK_the_Slacker · · Score: 0

    ... the computing trusts you!

    --
    I'm waiting for a "-1 somepeoplejustshouldn'tgetmodprivileges" meta-moderation.
  10. Re:O RLY? by Chrisq · · Score: 0, Redundant

    If you are really paranoid compile the compiler with a different compiler. Or use a different compiler to compile two linux systems, and only allow logon to one from a remote shell from the second.

  11. please try to hold back the propaganda by amigabill · · Score: 3, Insightful

    With the absence of proprietary code in the mix users will find themselves more inclined to trust their own administrators to make the best choices

    Sorry, but I think that's putting your words into everyone else's mouths. Or fingertips, or whatever. The vast majority not only don't have this opinion about open vs proprietary code affecting how much they trust the choices their admins make, they also wouldn't have a freakin' clue as to what you're going on about in that sentence. The vast majority don't know what open-source is, how it differs from proprietary source, they don't know any reason why they'd care either way, and they'd probably give you a pretty funny look for attributing this philosophy to them.

    I like Linux and open-source, and have an appreciation for it. But I don't trust my admin at work more when he talks about Linux than when he's talking about Solaris. It's his job to make the best choices of any and all products available, and I trust him to choose whichever is most appropriate for our company, even if he feels that happens to be a proprietary product. It's not my place to impose on him to only ever choose open-source, and there's cases in our work where open-source offerings are less ideal.

  12. What fucking "the page"?? & TC is EVIL by Anonymous Coward · · Score: 0

    Quote: "(Column) - Despite my gripe about the Web site's sparse message..."

    Great writing skills these guys possess, so much for reading the fucking article... (should have known better)

    TC is a trap. It is there to exclude other operating systems besides windoze vista. It is there to take control away from you. It is BAD. We don't want more subjugation, thanks.

  13. Who is YOU? Non Free is the real problem. by Erris · · Score: 0, Troll

    I won't ever accept NOT being the absolute owner of my own computers

    That's good, but at work it's not your computer is it? The level of control you have over your computer at work is proportional to the intelligence of your employer. If you are unfortunate enough to work for a big dumb company, you will be fired for exercising your software freedom in any way. A less stupid company that uses free software will be able to give you the tools you need to get your job done without giving you complete control of your computer. Some workers need more freedom than others. Ultimately, the things the company needs to protect should only be accessible by people and machines that won't leak. Figuring out what really needs to be protected is the tricky part, but all of it should drive every company to free software.

The real problem with "trusted" computing is that it can force use of untrustworthy software and defeat its original purpose. No company should ever trust its real secrets with non free software. Control is lost when you have to "trust" a third party that keeps secrets from you. If you are using Windoze, you might as well email the information to Bill Gates.

    What kind of secrets does your company actually have? There's customer information, location and movement of valuables, business plans and a host of other information that can be harmful to divulge.

    None of this is an excuse to cut into your software freedom at home or even at work. It's just a problem of collective action and responsibility. When you work for a company, there are suddenly a lot of noses at the end of your arm.

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
  14. Re:O RLY? by smilindog2000 · · Score: 1

    Ha, you're the first person I've heard mention this idea since the early '80s! Here's another similarly old, interesting factoid I've heard about the C compiler: The ASCII character set is no longer defined anywhere in the C compiler source code (which is written in C). In other words, '&' compiles to decimal 37 only because existing binary compilers know how to translate the '&' character constant.

    --
    Beer is proof that God loves us, and wants us to be happy.
  15. Re:O RLY? by ilikejam · · Score: 3, Interesting

    A sufficiently motivated whatnow?

    --
    C-x C-s C-x k
  16. How is this redundant? by Chrisq · · Score: 1

    How is this redundant? It might be obvious to some people, but I can't see it said anywhere else.

    1. Re:How is this redundant? by jimstapleton · · Score: 1

      obviously wrong maybe.

      Sorry, but you can try to recognize patterns in anything including what patterns are found in compilers. It is not always easy, but hard isn't impossible. As soon as you can recognize those patterns, you can write the trojan described.

      --
      34486853790
      Connection too slow for X forwarding? Try "ssh -CX user@host"
  17. Yeah, see: THIS could work by WheelDweller · · Score: 1

    In Linux, there's no 'vending machine' mindset; they won't be charging every time you turn around, just because there's "no other game in town".

    Under Windows? Forget it.

    --
    --- For a good time mail uce@ftc.gov
  18. Excuse me but how do I get it signed? by js_sebastian · · Score: 1

I should not be allowed to fake kernel Y, but there should be nothing to prevent me from installing an alternative signed kernel Y1. Excuse me but how exactly do I get my linux kernel I compiled myself signed? Oh yes I pay a tax to some organization and wait to see if they give me permission in a few months... I don't want hardware that requires anyone's permission but my own to run what I want.

    It should be the access control on resource A which says "I do not like the (Z)(Y1)(X) chain you use, in order to access me you need (Z)(Y)(X) or (Z)(Y2)(X)". If you want me to access resource A only on hardware Z with system Y1 and software X, give me an appropriate locked down system YOU own with the decryption keys for A. Don't try to make the rest of the computing world pay for the costs of your security. And if you are talking about DRM for media, forget it, it is not here to stay.
    1. Re:Excuse me but how do I get it signed? by arivanov · · Score: 3, Interesting

      Excuse me but how exactly do I get my linux kernel i compiled myself signed?

SelfSign it. It is not the fact that it is signed, it is who signs it which matters. From there on an access request goes down the chain with everyone signing it. The access control for A may like your selfsigned kernel. Similarly, it may not and it will invalidate everything down from it as untrusted. It is A's "owner's" choice.

      And if you are talking about DRM for media, forget it, it is not here to stay.

You have mistaken me for someone who gives a fuck about signed MP3s. Now a document sitting on a corporate CMS encrypted individually on every release and with an associated cert chain for each revision is something I do care about. A lot. A lost laptop in this case no longer means stolen data. The entire problem of document access control also more or less goes away. Same for revision and change control. While it is a hassle it solves quite a few real world problems.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    2. Re:Excuse me but how do I get it signed? by bob.appleyard · · Score: 1

While it is a hassle it solves quite a few real world problems.

Such as that pesky whistleblower...

      --
      How dare you be so modest!! You conceited bastard!!
    3. Re:Excuse me but how do I get it signed? by Antique+Geekmeister · · Score: 1

      SelfSigning something is fine for authentication: for RPM signatures, for example, it's a reasonable approach and could have some advantages over PGP key management.

However, the underlying purpose of Palladium, which was misleadingly renamed to "Trusted Computing", is DRM. It's designed very specifically to prevent access to data files without signed software, even signed software authenticated against the local hardware. This is aimed squarely at controlling video, audio, and registered software access such as games. It's even aimed at preventing DVD or CD players and recorders from operating without signed keys from the hardware vendors, in collaboration with the software vendors and media producers. It's also aimed squarely at hard drive access and BIOS management, to control boot loaders and BIOSes. While that's a good thing from a security point of view, it can and will be used to prevent "non-signed" boot loaders and "non-signed" kernels from booting your hardware. Are you prepared to have all desktop computers allow only kernels, and operating systems, that have invested in the signatures purchased from Microsoft or Intel to permit them to boot?

And even worse, its primary key management resides with Microsoft: the master keys for signing other keys reside in their vaults. If you use typical "signature" tools, the documents and access to your hardware and encrypted software reside with a company that does "security" updates in secret, and that has a proven history of deliberately breaking software to interfere with competitors. And there is no legal or procedural guarantee that the central keys will not be handed over at any whim to "law enforcement", especially the NSA for its documented programs of illegally monitoring domestic Internet traffic.

There is nothing currently in place, either legal or technological, to prevent such abuses. Trusted Computing as it stands is actually "DRM With a Vengeance". Its usability for personal encryption or authentication is incidental to its purpose: this is clear from its centralized key management, and its publicized ability to secure media players from playing or ripping the encrypted media.

    4. Re:Excuse me but how do I get it signed? by fjhb · · Score: 1

      Now a document sitting on a corporate CMS encrypted individually on every release and with an associated cert chain for each revision is something I do care about. A lot. A lost laptop in this case no longer means stolen data.

You can encrypt your laptop's hard disk, that's not rocket science. And no, you don't have to type the key, you can put it in a USB dongle.

      Actually, it's much easier. You can avoid putting any secrets in your laptop at all, and only have them in your USB key.

      Ah yes, and TLS still works. It wasn't invented by the Treacherous Computing group.

    5. Re:Excuse me but how do I get it signed? by arivanov · · Score: 1

      Yes, but this gives you 1 level of granularity in access. Encrypted/signed on per document basis can give you any granularity you like.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
  19. Deception by IgnoramusMaximus · · Score: 3, Insightful

    These sorts of propaganda pieces have only one purpose: to sneak one past us. Trusted Computing (as presently defined by the corporate founders of the TC Consortium) has two major purposes which are deadly to all things "open":
    • To make sure that the computer can be trusted by a "contents owner" thus precluding the owner of the computer itself from being able to trust it
    • To allow for so-called "remote attestation" which has the effect of allowing 3rd parties (banks and the like) to trust the computer, again to the exclusion of its owner. The additional effect of this is that banks and other online entities will be able to ensure that only Windows systems, with "approved" apps, are used. No spoofing of user-agent tags anymore, end of Linux use in most of the commercial Internet.

    In short, this article aims to lure the unwary into gullible acceptance of TC with an illusion of completely deceitfully presented and impractical (no one except the mega-corps will ever get the access to the main TPM keys) applications.

    1. Re:Deception by Anonymous Coward · · Score: 0

(no one except the mega-corps will ever get the access to the main TPM keys)

You say this now, but I predict they'd be leaked sooner rather than later, and/or tpm modules reverse-engineered (tamper resistant is not tamper proof) and any embedded backdoors found, to reenable end-user control of the systems.

      And pretty soon, practical quantum computation will come on-stream and render the basis crypto for TPM moot.
    2. Re:Deception by Anonymous Coward · · Score: 0

      The additional effect of this is that banks and other online entities will be able to ensure that only Windows systems, with "approved" apps are used. No spoofing of user-agent tags anymore, end of Linux use in most of the commercial Internet.

      In the EU this would be illegal use of monopoly by MS (who would have to be involved). Also, many EU countries use Linux in significant amounts on the desktop, so there is no doubt it would be pursued. Given that the banks etc. would have to wait a long time to ensure that nearly all windows PCs had the hardware and software levels to support it, the EU would have plenty of time to act even if it was really slow.

    3. Re:Deception by IgnoramusMaximus · · Score: 1

      In the EU this would be illegal use of monopoly by MS (who would have to be involved). Also, many EU countries use Linux in significant amounts on the desktop, so there is no doubt it would be pursued. Given that the banks etc. would have to wait a long time to ensure that nearly all windows PCs had the hardware and software levels to support it, the EU would have plenty of time to act even if it was really slow.

      I am not saying that they will succeed. I am telling you what the plan, and the purpose (as designed) of the whole Trusted Computing concept is.

The only thing which is certain is that the Media Pigopolits, Microsoft and many other large corps will try hard to do this.

      Many large banks and online retailers will get on the bandwagon as they positively despise the fact that they have to actually do work and support many different browsers on different platforms. Their dream is to make us use one, homogenous platform where we cannot control anything of importance and thus it is possible for them to deploy a cookie-cutter, one-size-fits-all, Lego-blocks style IIS/IE/TrustedActiveX "solution" everywhere without having to worry about compliance with any non-Microsoft standards or applications.

    4. Re:Deception by IgnoramusMaximus · · Score: 1

      You say this now, but I predict they'd be leaked sooner rather than later, and/or tpm modules reverse-engineered (tamper resistant is not tamper proof) and any embedded backdoors found, to reenable end-user control of the systems.

      Sure, it will happen but it will (unless the TPM makers are total dolts) involve electron microscopes or some other wacky hardware which very, very few people have. We are talking about a hardware hack with a high level of difficulty, which could crimp our style for some while at least.

      And pretty soon, practical quantum computation will come on-stream and render the basis crypto for TPM moot.

Only to be outpaced by some new mathematical formulae for even more convoluted and computationally intensive encryption schemes. Quantum computing is fast, but it is not infinitely fast. All one has to do is come up with something which is convoluted enough to make even the fastest theoretically possible quantum computer (which is a finite physical object) crunch numbers for a few millennia.

  20. This ain't gonna go over too well in Boston by Anonymous Coward · · Score: 0

    From an old GNU su manpage:

    Why GNU su does not support the wheel group (by Richard Stallman)

    Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn't know how to do that in Unix.)

However, occasionally the rulers do tell someone. Under the usual su mechanism, once someone learns the root password who sympathizes with the ordinary users, he can tell the rest. The "wheel group" feature would make this impossible, and thus cement the power of the rulers.

    I'm on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.

  21. How is this any different... by r_jensen11 · · Score: 1

    than having proper permissions set up on a machine and doing a lockdown like what's built in to Gnome? Having proper permissions prevents people from installing shit and running programs that they're not supposed to. Using Gnome's lockdown feature prevents them from fucking up their DE.

    1. Re:How is this any different... by fjhb · · Score: 1

      In your described situation, the owner of the machine can wipe it out, reinstall, and get a usable system under her control with the same level of functionality.

With Treacherous Computing, if you wipe your system it automatically becomes untrusted (by 3rd parties), because your system now obeys you instead of them. 3rd parties can tell a treacherous system from a non-treacherous one, and act accordingly. For example, they can ban you from opening a text document, or from visiting a website, or... possibilities are endless!

  22. And by themusicgod1 · · Score: 1

    Trusted Computing solves this how?

    --
    GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
  23. bypassing Thompson's trojan is simple by hopeless+case · · Score: 1

    How does the bugged compiler binary recognize the fact that it is compiling the source to a compiler?

    In Thompson's case, he had it scan the source for recognizable text.

    Defeat the "am I compiling a compiler?" test of the compiler binary and you are done.

    All you need is a source code obfuscator. Randomize variable/function/file names, and insert red-herring calling sequences and recompile the source to the compiler to obtain a non-bugged compiler binary.

    Writing a source code obfuscator (capable of defeating the compiler trojan's test) is much easier than writing the source to a compiler, and a great deal easier than hand composing a compiler binary.

    1. Re:bypassing Thompson's trojan is simple by jimstapleton · · Score: 1

      simple - one of the fields in computers is pattern recognition. Compilers can follow patterns as well. If one is trained or programmed to detect certain code or binary elements commonly found in compilers, then it can affect more than one compiler.

      I'm not saying it's easy, I'm just saying it's possible.

      --
      34486853790
      Connection too slow for X forwarding? Try "ssh -CX user@host"
    2. Re:bypassing Thompson's trojan is simple by hopeless+case · · Score: 1

      If you knew exactly how my obfuscator worked, you could probably write a compiler detector to defeat it. However, if I knew how your compiler detector worked, I could write an obfuscator to defeat that. The cycle could then repeat.

Which activity, though, is easier to do? I don't know how to prove it, but I think obfuscation is far easier than detection.

      As the Anonymous Coward replying to me pointed out, writing a program that can always detect when another program is a compiler is as hard as detecting when another program is guaranteed to halt. In other words, it's undecidable.

    3. Re:bypassing Thompson's trojan is simple by jimstapleton · · Score: 1

A detector would definitely be harder than an obtusificator. But look how that worked for MS and security.

      100% success may be virtually impossible, but 90% is probably significantly easier, and nearly as dangerous.

      --
      34486853790
      Connection too slow for X forwarding? Try "ssh -CX user@host"
    4. Re:bypassing Thompson's trojan is simple by tepples · · Score: 1

Writing a source code obfuscator (capable of defeating the compiler trojan's test) is much easier than writing the source to a compiler, and a great deal easier than hand composing a compiler binary.

How do you know that the Trusted source code obfuscator binary that you downloaded isn't leaving a back door for the compiler to recognize code whose variable names have been obfuscated in this way?

    5. Re:bypassing Thompson's trojan is simple by hopeless+case · · Score: 1

      An obfuscator is much easier to write from scratch than a compiler.

      In an open source world, the defenders already have the upper hand against the attackers, because compilers like gcc are being modified so much that whatever static structure the trojan is keying off of can only last so long before it is re-written, defeating it.

      My suggestion is for an additional measure that would give the defenders an even bigger advantage.

  24. Re:O RLY? by denison · · Score: 1

For example, a sufficiently motivated nigger could painstakingly review the machine code of the untrusted compiler before using it.

I actually read the quoted text. I was quite surprised to discover that only a certain class of user could painstakingly review the machine code. The original Wikipedia text was never, as far as I can tell, defaced. So, the posting AC is a wanker.

  25. Two step ISP's by spectrokid · · Score: 1

In corporate networks, this will just lock down your PC a little more than it already is. Nothing to see here, move on please. It is in the home this shit gets interesting. Do you want your ISP, and possibly MS, to rule your PC? For the typical /. reader, the answer is a clear NO. But what about grandma? Imagine your ISP offering 2 kinds of subscription: a normal, "free" one and a "protected" one. The protected one is firewalled (or at least NAT-ed) at the ISP, with just "sensible" traffic allowed, like HTTP(S), SMTP to the ISP's own server, and with a limit of 50 emails/day. Throw in some MSN and Skype. Have the ISP use TC to enforce patches and anti-virus. I think grandma would be happy for it, it would extend the lifetime of her PC (slower buildup of spyware cruft) and for the rest of us it would cut back on Spam.

    --

    10 ?"Hello World" life was simple then

    1. Re:Two step ISP's by Microlith · · Score: 1

      Well no. They'll require it on ALL PCs like they only support Windows and without TC you'll simply be unable to connect.

    2. Re:Two step ISP's by Cheesey · · Score: 1

      Why, that sounds like the future!

      2007. The problem with the current "untrusted" Internet is that anyone can join, make themselves effectively anonymous, and take part in terrible crimes that threaten to undermine the infrastructure of society. Such as piracy, child pornography, terrorism, money laundering, Linux, and spam.

      2017. Clearly, this could not go on. The solution that has been legally mandated requires the network to be upgraded before 2025, so that all packets have to be digitally signed by the originator. In order to send information on this network, all participating computers must obtain a session key from the Digital Restrictions Ministry. This session key will only be provided to users who can authenticate themselves on the network using the chip in their identity card or forearm, and then only if their computer is running an officially approved set of Microsapple applications, complete with official spyware from the National Security Ministry.

      By removing anonymity from the network, and ensuring central control of all information passing over it, the Government will ensure that no-one will be able to use the network for any criminal purpose. Finally, our children will be safe, terrorists will have no way to criticise the Government, and pirates won't be able to skip the adverts at the beginning of films.
      Sounds pretty good to me!
      --
      >north
      You're an immobile computer, remember?
  26. Turing strikes again! by Anonymous Coward · · Score: 1, Insightful

    Indeed yes. The question "am I compiling a compiler?" is as undecidable as the question "am I compiling a program that will halt?" (Ken Thompson's suggestion is still interesting, though.)

  27. I'm completely new to this TCM thing... by TheVelvetFlamebait · · Score: 1

    ... not to mention relatively clueless about encryption principles. Sorry if the following questions are glaringly obvious.

    How does it work? How will it affect my machine if enabled (i.e. will I notice?)? Could an OEM (I hear Microsoft is distributing PCs nowadays) theoretically set up the TPM to lock down a system pre-purchase? What happens when the TPM blocks something/notices a different checksum?

    --
    You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
    1. Re:I'm completely new to this TCM thing... by Cyberax · · Score: 3, Insightful

      TPM in Thinkpads allows storing private/public keys in a secure hardware storage.

      The kernel is signed and the hardware bootloader checks that the signature is valid (using TPM). So we can at least guarantee that the system is in a consistent state during kernel loading. Later we can use numerous methods to control kernel integrity (SELinux, AppArmor, etc.).

      Theoretically, Microsoft can make you use the TPM to validate their kernel during booting (because a tainted kernel can be used to circumvent DRM).

      So we just need to be able to turn off the TPM chip if it's not required.

  28. Re:O RLY? by YU+Nicks+NE+Way · · Score: 1

    Read the GP post again. Carefully. You have the source, Luke -- and, on the basis of your inspection, you missed the second-order instance of the problem of Trusting Trust.

    (I don't know if the GP meant his or her post to be a direct attack on the frequent comment that "well, you have the source and can inspect it, after all", but if he or she did, congrats.)

  29. Re:O RLY? by YU+Nicks+NE+Way · · Score: 3, Insightful

    Either a wanker or an extremely clever commenter on the true value of human inspection. I suspect the poster was a wanker, but, oh, my, do I hope that he or she was extremely clever.

  30. Not so useful, exploitable, and bad people like it by Zigurd · · Score: 2, Interesting

    Trusting "trusted" computing requires trusting hardware makers that can insert exploits. Trusted computing is therefore of limited value to end-users in a world where vendors and service providers are routinely leaned on to allow surveillance back doors.

    If you have applications that you need to secure, in order to prevent, for example, misuse of tax filings or medical records, you can do it using Web applications, or other thin client technologies combined with physical security of client computers. There is nothing that can guarantee stopping someone copying data manually from a screen display and smuggling it out of an office, so there are practical limits to securing data beyond which additional technology is pointless.

    There are some theoretical cases where trusted computing could benefit individuals. But, in practice, it's all about someone else trusting your hardware to rat you out. Most of the money flowing in to trusted computing comes from those kinds of uses. "Trusted computing" has rightly earned distrust.

  31. Why Overlook The Cool Features by logicnazi · · Score: 1

    Trusted computing also enables a real market in CPU time. You can sell your spare processor cycles since the trusted machine can attest to the fact that this really was the result of the code you sent out. Similarly to have software agents that run on unknown people's servers this would be necessary.

    It would also be useful to implement true ecash schemes and in allowing true p2p based virtual worlds/games with safeguards against cheating.

    In short the technology offers a lot more promise than mere security and eventually it is a good thing for everyone to have. In fact I think it potentially offers more benefits for a stable OS like Linux than Windows. You can't blame the technology for the fact that some idiots would have us use it for DRM or other customer control. The correct response is to embrace trusted computing and reject DRM...but in the real world perhaps it is better if we wait a bit longer for TC until the RIAA and other groups are forced to learn that selling music unprotected is the way to go.

    --

    If you liked this thought maybe you would find my blog nice too:

    1. Re:Why Overlook The Cool Features by Cheesey · · Score: 2, Interesting

      Yes, there are certainly benefits. I changed my mind about TC when I needed my own machine to boot up in a trusted state, so that I could be sure that it was safe for me to unlock my encrypted filesystems without the keys being stolen by a trojan. Without a TPM, the only way to do this is to boot from removable media, since an unencrypted kernel on disk could be modified by an attacker. But a TPM could be used to store a key-unlocking-key that would only be available to kernels with my digital signature. Under the control of the owner, TC is useful.

      It is a shame that TC almost certainly will be abused in various ways, enforcing DRM on media, games and applications, and creating new ways for major software vendors to lock users into their products. I don't like that possibility at all. Worse still is the possibility that remote attestation might eventually form part of the requirements for connecting to the Internet: that move would suit Apple and Microsoft (goodbye third-party OSs and web browsers), and it would suit organisations wishing to control the movement of information, such as oppressive Governments and record companies.

      But fortunately TC was never designed to be secure against owner tampering, and I suspect it will always be possible to get the private key out of the TPM by using differential power analysis (DPA), if you are sufficiently motivated to do so. I have heard that it is actually impossible to prevent DPA entirely: the most a chip manufacturer can do is make it take more time. Laws like the DMCA would make this type of hacking illegal, but I doubt that would stop anyone, any more than the DMCA has stopped people using DeCSS.

      --
      >north
      You're an immobile computer, remember?
    2. Re:Why Overlook The Cool Features by big_paul76 · · Score: 1

      Look, let's not get too hung up on rose-tinted glasses here. There are 2 big aspects of 'trusted computing':
      1) Remote attestation
      2) Memory curtaining

      Yes, TC has some good potential benefits, but if and only if YOU GIVE THE USERS THE KEYS!

      And if 'the keys' are given to the owner, you can't stop spam/cheating/etc. You can't stop spammers and online games cheaters unless you treat the owner like the enemy.

      Microsoft, for example, sees trusted computing as a way to make China pay for software. They have absolutely no interest in giving the owner 'the keys'.

      You want a real-world example of trusted computing, in a half-assed way? It's your cell phone. What is it used for? Screwing the customer. For example, my phone has ringtone capability, but I can't use an mp3 from its mp3 player as a ringtone unless I pay 4 bucks to download it from my cell phone provider.

      Don't drink the kool-aid. There is no reasonable way to implement Trusted Computing.

      --
      The plural form of "anecdote" is "anecdotes", not "evidence".
    3. Re:Why Overlook The Cool Features by fjhb · · Score: 1
      Distributed computing networks like BOINC had no problem operating so far. They simply add redundancy so that if one contributor sends fake results, it'll be rapidly detected when its results don't match with the ones provided by others.

      Sure, this means additional computing power is spent. But I'd rather spend more CPU power than giving my whole computer (along with all my personal data) to someone else.

  32. Re:O RLY? by notaspunkymonkey · · Score: 1

    Totally off topic: I was recently involved in a test at work to trial some new software. 180 users were sent a document detailing how to install and configure a VPN application. The instructions contained some bad instructions which, if followed to the letter, would block HTTP access. Of the 180 users installing the software, only 3 reported the problem; 177 people did not read the instructions, or read them but did not follow them!

  33. Open vs Closed Trusted Computing by SiliconEntity · · Score: 4, Interesting

    Unfortunately there are several DIFFERENT, INCOMPATIBLE concepts being bandied about under the name Trusted Computing. This new "Trusted Computing Project" took on that name seemingly without being aware that there was substantial work already under way on a different concept with the same name.

    Perhaps to try to remedy the confusion, we can distinguish between TC as proposed by the Trusted Computing Group and other forms of TC. The TCG is an industry consortium with Microsoft, Intel, HP etc., dating back several years, originally called TCPA. Their proposal has always been controversial but IMO misunderstood.

    TCG's flavor of TC is fundamentally open. I would call it Open Trusted Computing, OTC. It does not lock down your computer or try to prevent anything from running. It most emphatically does NOT "only run signed code" despite what has been falsely claimed for years. What it does do is allow the computer to provide trustworthy, reliable reports about the software that is running. These reports (called "attestations") might indicate a hash of the software, or perhaps a key that signed the software, or perhaps other properties or characteristics of the software, such as that it is sandboxed. All these details are left up to the OS, and that part of the technology is still in development.

    Open Trusted Computing runs any software you like, but gives the software the ability to make these attestations that are cryptographically signed by a hardware-protected key and which cannot be forged. Bogus software can't masquerade as something other than it is. Virus-infected software can't claim to be clean. Hacked software can't claim to be the original. You have trustworthy identification of software and/or its properties. This allows you to do many things that readers might consider either good or bad. You could vote online and the vote server could make sure your voting client wasn't infected. You can play online games and make sure the peers are not running cheat programs. And yes, the iTunes Music Store could make sure it was only downloading to a legitimate iTunes client that would follow the DRM rules. It's good and bad, but the point is that it is open and you can still use your computer for whatever you want.

    This is in contrast to some other projects which may or may not call themselves TC but which are focused on locking down the computer and limiting what you can run. The most familiar example is cell phones. They're actually computers but you generally can't run whatever you want. The iPhone is the most recent controversial example. Now they are going to relax the rules but apparently it will still only run signed software. This new "Trusted Computing Project" is the same idea, it will limit what software can run. Rumors claim that the next version of Apple's OS X will also have some features along these lines, that code which is not signed may have to run in sandboxes and have restrictions.

    This general approach I would call Closed Trusted Computing, CTC. It has many problematic aspects, most generally that the manufacturer and not the user decides which software to trust. Your system comes with a list of built-in keys that limit what software can be installed and run with full privileges. At best you can install more software but it is not a first-class citizen of your computer and runs with limitations. Closed Trusted Computing takes decisions out of your hands.

    But Open Trusted Computing as defined by the TCG is different. It lets you run any software you want and makes all of its functionality equally available to anyone. P2P software, open-source software, anything can take full advantage of its functionality. You could even have a fully open-source DRM implementation that used OTC technology: DRM code that you could even compile and build yourself and use to download high-value content. You would not be able to steal content downloaded by software you had built yourself. And you could be sure there were no back doors,

    1. Re:Open vs Closed Trusted Computing by msebast · · Score: 1

      > You could even have a fully open-source DRM implementation that used OTC technology: DRM code that you could even compile and build yourself and use to download high-value content. You would not be able to steal content downloaded by software you had built yourself.

      This makes no sense to me. Am I missing something? What prevents me from editing the source code and piping the output to my favorite encoder? I can't imagine any technique that is not trivial to hack.
    2. Re:Open vs Closed Trusted Computing by swillden · · Score: 1

      > You could even have a fully open-source DRM implementation that used OTC technology: DRM code that you could even compile and build yourself and use to download high-value content. You would not be able to steal content downloaded by software you had built yourself. This makes no sense to me. Am I missing something? What prevents me from editing the source code and piping the output to my favorite encoder? I can't imagine any technique that is not trivial to hack.

      Yes, you're missing the ability that a TPM has to bind a secret (like a DRM decryption key) to a specific boot state. The key can be protected so that it is only available when a particular set of software is running. If you modify the code, then you change the hash of the software, and it can't get the key (actually -- it can ask, and it'll get a response, but what it gets will be garbage).

      Actually doing this on a regular OS is really complicated, to the point of being practically impossible. However, with the virtualization extensions in modern CPUs, what you can do is write a music player virtual machine that runs on "the bare metal" of the virtual hardware. Then the app running in that VM can remotely attest the hash of the code it's running (and the hash of the hypervisor that handles the real hardware) to iTunes or whoever. iTunes can check that the hash matches the "known good" version of the open source music player and hypervisor, and provide a decryption key which is then bound by the TPM to that particular VM state.

      Then, if you modify the source of the player, you'll change the hash and lose access to the decryption key. Of course, this means even a change to, say, the name of a menu item, will break the player. So the *real* way to do this is to create a VM that contains just the decoder -- which is unlikely to change.

      It can all be open source, and yet still be strong DRM. The GPLv3 tries to make this impossible, of course.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
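      The sealing step described in the reply above (a key that is only recoverable while the measured hypervisor and decoder VM are unchanged; Cheesey's "key-unlocking-key" bound to a signed kernel earlier in the thread is the same mechanism), as an added Python simulation. This is not code from the thread, from any TPM stack or from any real TPM API: `SimTPM`, its chip secret, the image bytes and the `seal_and_try` helper are all constructed stand-ins. Following the reply's wording, a mismatched state here yields garbage rather than an error.

```python
import hashlib
import hmac
import os

# Added simulation of TPM-style sealing: a secret is wrapped so that it only
# unwraps correctly while the measurement register (PCR) holds the value it
# held at seal time. Constructed stand-in, not TPM firmware and not the API
# of any TPM library.

def pcr_extend(pcr, image):
    """TPM-style extend: new PCR = H(old PCR || H(image))."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()

def measure_chain(images):
    """Accumulate a running total over the measured images (here just the
    hypervisor and the decoder VM, in boot order), from an all-zero PCR."""
    pcr = b"\x00" * 32
    for image in images:
        pcr = pcr_extend(pcr, image)
    return pcr

class SimTPM:
    """Stand-in for the chip: a secret that never leaves it, used only to
    derive a per-state wrapping pad (hypothetical, constructed)."""
    def __init__(self):
        self._chip_secret = os.urandom(32)

    def _pad(self, pcr):
        return hmac.new(self._chip_secret, pcr, hashlib.sha256).digest()

    def seal(self, secret, pcr):
        assert len(secret) == 32
        return bytes(a ^ b for a, b in zip(secret, self._pad(pcr)))

    def unseal(self, blob, pcr):
        # As the reply describes it: the chip always answers, but with a
        # different PCR value the answer is garbage, not the sealed key.
        return bytes(a ^ b for a, b in zip(blob, self._pad(pcr)))

# Constructed stand-ins for the two measured images.
HYPERVISOR = b"hypervisor 1.0 (constructed image bytes)"
DECODER_VM = b"decoder VM 1.0 (constructed image bytes)"

def seal_and_try(other_images):
    """Seal a content key to the known-good chain, then try to unseal it
    from that chain and from `other_images`. Returns (good_ok, other_ok)."""
    tpm = SimTPM()
    content_key = os.urandom(32)            # the DRM decryption key
    good = measure_chain([HYPERVISOR, DECODER_VM])
    blob = tpm.seal(content_key, good)
    good_ok = tpm.unseal(blob, measure_chain([HYPERVISOR, DECODER_VM])) == content_key
    other_ok = tpm.unseal(blob, measure_chain(other_images)) == content_key
    return good_ok, other_ok

if __name__ == "__main__":
    # One changed byte in the decoder VM changes the PCR and loses the key.
    print(seal_and_try([HYPERVISOR, DECODER_VM.replace(b"1.0", b"1.1")]))
```

      Only the images passed to `measure_chain` affect the PCR, which is the point of the reply's "VM that contains just the decoder": anything outside the measured VM (a menu label in the player's UI, say) can change without touching the sealed key, while any change to a measured image, or even to the order in which the images are measured, does. A real TPM refuses an unseal whose PCR policy does not match rather than returning garbage; the simulation keeps the reply's description.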
    3. Re:Open vs Closed Trusted Computing by big_paul76 · · Score: 1

      You sound like maybe somebody who's working on this, or at least someone who's well informed, so maybe you can clear something up for me?

      The EFF has an extensive description of concepts like remote attestation, but, when you say "Virus-infected software can't claim to be clean. Hacked software can't claim to be the original", how exactly is this accomplished?

      Wouldn't that require you to 'trust' some other authority that they have remotely verified that, for example, your software is virus free?

      Couldn't that communication be spoofed?

      Secondly, a lot of the discussion on the EFF page suggests that this would be a reasonable tech if you gave 'the keys' to the owner (not necessarily the USER). But if you give the keys to the owner, doesn't that basically take away most of the benefits?

      --
      The plural form of "anecdote" is "anecdotes", not "evidence".
    4. Re:Open vs Closed Trusted Computing by msebast · · Score: 1

      So what happens when I recompile my hypervisor? (Whether to hack around the DRM or for any other reason.) Does iTunes now refuse to let me play the music I downloaded last week?

      Source code that can't be improved and recompiled is nearly useless.
      It doesn't make sense to call something open if I don't have the ability to edit the code, fix bugs, and use the improved software.
      Just ship the binary and stop pretending to be open source.
      In fact calling it open source borders on lying.
      And using GPLv2 code that way is unethical even if it might be legal.
      I'm really glad GPLv3 puts a stop to that.
      The more I think about it the more I agree with RMS. Treacherous indeed.

      Open source software, trusted computing, and strong DRM are mutually incompatible.
      It is not possible to design a system that truly does all three.

      Either the DRM will be trivial to defeat, or some critical parts of the hardware/software are not actually open. (And I don't mean just the key in the TPM chip.)

      For the system you described, all the video decoding, internet communications to the iTunes site, and interaction with the TPM chip must be locked down. Also all the software between those three must be locked down. If any part of it is truly open then it can be modified to intercept communications with iTunes (and play tricks by swapping hash values around), or grab the decoded media, trick the TPM chip into providing the hash for the unmodified player/decoder, or emulate the behavior of the TPM chip.

      Open Trusted Computing might be useful for preventing hackers from running their code on my system.

      But I can't see how Open Trusted Computing would be useful to the media companies for distributing DRM media that will play with open source players.

      What does trusted computing mean?
      Traditional trusted computing means the big corps trust it to do their bidding. That means the user should call it treacherous. But the big corps can trust it to implement DRM correctly.
      Open trusted computing means I can trust the computer to only do what I want. But the big corps can not trust it to do what they want. So the big corps can not trust it to implement DRM.

      The use of various technologies can't change the fact that either my computer does what I tell it to or it does what some corporation tells it to. And if it follows orders from some corporation then that's a bug. So I will fix the bug. If I can't fix the bug then it is not really open is it?

    5. Re:Open vs Closed Trusted Computing by swillden · · Score: 1

      Either the DRM will be trivial to defeat, or some critical parts of the hardware/software are not actually open. (And I don't mean just the key in the TPM chip.)

      Mmm, no. All of the very strongest security is designed and implemented in completely open fashion. You can have complete design specifications of your TPM, but, if it's really implemented properly, that doesn't mean you can break it.[*] It's somewhat similar to the reason that cryptographers and security experts (like me, BTW -- that's my day job) never trust secret ciphers. When I design a system, my goal is to build it so well that even someone with perfect knowledge of the system can't break it. Of course, there are always real-world considerations that make the goal unachievable, but the issues aren't with the hardware or software but with the processes around them.

      I'm sure we'll see the same thing if really strong DRM is ever deployed. Human factors will break it -- people on the "inside" will leak unencrypted copies, or compromise keys.

      From my perspective, I simply will not buy any media with DRM I can't break, and if I get the chance, I'll pay more for media without DRM.

      The use of various technologies can't change the fact that either my computer does what I tell it to or it does what some corporation tells it to.

      True, but that has nothing to do with TC. TC is like any other tool -- it's as good or as bad as what you do with it. TC is powerful enough that you can do a lot.

      [*] Not as long as you keep your attacks within the bounds of what the design is intended to address, anyway. It's worth pointing out the TPM devices are not designed to prevent hardware-level attacks, which opens up another route for those who want to defeat a DRM system that relies on a TPM. Hardware does exist that is extremely resistant to hardware attacks, but it's expensive and somewhat "fragile", by design. To make really hard-to-hack hardware, what you have to do is make "paranoid" hardware that continually monitors its environment and if it determines it's being attacked, because of too much heat, or cold, or vibration, or current, or not enough current, or ... then it commits suicide. That's what high-end crypto hardware does, and it makes sense in that environment. It's hard to see how that sort of thing will ever make sense in most PC or even server equipment.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    6. Re:Open vs Closed Trusted Computing by SiliconEntity · · Score: 1

      Detecting that software has been infected is not different in principle from existing systems like Tripwire. The publisher can publish a hash of the clean version of the software and that can be compared with the software that is running.

      What is new in Open Trusted Computing is that remote servers can verify what the hash is of the software that is running, and it can't be spoofed. That means for example you could have a voting client that connects to the voting server, and the server can make sure the client is still clean before it lets you go ahead and vote. Otherwise malware could change your vote.

      As far as giving the keys to the owner, the EFF was always pretty vague about how that would work. The problem is that if the owner can fake attestations, chances are malware can too, and as you said you give up all the benefits. You are left with no change at all from the status quo (which maybe is what the EFF wanted).

      But seriously, if someone wanted to make their own version of a TPM that let you get at the internal keys and fake it out, that'd be fine with me. It would be distinguishable from a regular TPM because its certifying key would be different (similar to getting an SSL key from Verisign vs OpenCA). Frankly I don't think anyone would be interested in such a hackable TPM, it wouldn't do anything for anybody that I can see. So I was always afraid that EFF's real agenda was not to encourage the production of hackable TPMs, but rather to forbid unhackable TPMs, taking away choice from people in the guise of protecting them. That was the only way their idea made sense, as a sneaky step towards criminalizing TPMs.

    7. Re:Open vs Closed Trusted Computing by Alsee · · Score: 1

      So what happens when I recompile my hypervisor? (Whether to hack around the DRM or for any other reason.) Does itunes now refuse to let me play the music I downloaded last week?

      Correct. If you alter any of the software in the chain - from BIOS on through to the application - if you change anything then the Trusted Computing system denies access to your files... unless those modifications have been explicitly reviewed and approved and applied through a pre-approved update mechanism.

      For example iTunes DRM software would have a built-in self-update mechanism. The hypervisor would have a built-in update mechanism, and any update to the hypervisor would have to be approved by BOTH Microsoft (presuming it was a Microsoft hypervisor) AND by iTunes.

      Any modification that is not approved by all relevant authorities locks you out of your own data.

      But I can't see how Open Trusted Computing would be useful to the media companies for distributing DRM media that will play with open source players.

      The media companies may, if they feel like it, examine some particular Open Source program and specifically authorize an exact-precompiled executable of that open source player.

      If they do not approve of the open source code, or if they simply do not BOTHER to look-at-and-approve some particular player, then that player will not work.

      If you modify the source and recompile it, it will no longer work. Hell, if you attempt to compile the unmodified source yourself, it probably still won't work because your executable is unlikely to be bit-for-bit identical to the approved binary.

      The explanation of Trusted Computing, the answer to Trusted Computing, is short and simple:
      "I want my master keys. No keys, NO SALE! "

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    8. Re:Open vs Closed Trusted Computing by Alsee · · Score: 1

      >Either the DRM will be trivial to defeat, or some critical parts of the hardware/software are not actually open. (And I don't mean just the key in the TPM chip.)

      Mmm, no.

      The correct answer to that post was "Yes, right, critical parts of the hardware/software are not actually open.".

      I am not disputing the technical accuracy of the rest of your explanation. The only conflict here is that you ignored that he spent a chunk of his post explaining what he meant by "open". In the context of his post, as he used and explained the word, his comment was right. Either the DRM will be trivial to defeat, or some critical parts of the hardware/software are not actually open. Trusted Computing is the latter - not open as he explained the word.

      The rest of your explanation was accurate, in that you used a different meaning for "open".

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    9. Re:Open vs Closed Trusted Computing by Alsee · · Score: 1

      someone who's well informed, so maybe you can clear something up for me?

      I'm a programmer and I have read the 300+ page technical specs from cover to cover.

      "Virus-infected software can't claim to be clean. Hacked software can't claim to be the original", how exactly is this accomplished?

      I will leave out some of the multi-layered technical details, but if anything the explanation below is likely much more detailed than you wanted, and it is adequate to demonstrate the general principles that make it possible.

      (1) It is mathematically near-impossible for anyone to forge the crypto-signatures referred to below.
      (2) The chip contains a randomly generated crypto key. You are forbidden to know your own key. The key is forbidden to ever leave the chip. The technical name for this key is PrivEK (Private Endorsement Key).
      (3) This PrivEK is crypto-signed by the manufacturer, and the manufacturer's key is crypto-signed by the Trusted Computing Group.
      (4) The Trusted Computing Group signature proves that we are dealing with an approved and compliant manufacturer, and the manufacturer signature proves that this random PrivEK is indeed a PrivEK and that it is embedded in an authentic Trust-chip and that no one except the chip itself knows it. The point is that no one but the chip itself can use it.
      (5) The chip spies on and logs a crypto-hash of all relevant software. For example your system can have a log with the text name of your BIOS maker and the hash of your BIOS, followed by the text name of your bootloader maker and hash of the bootloader, followed by the hypervisor software and the operating system and a log of each and every Trust-related application you run. The Trust chip keeps a "running total" hash of all of those individual software hashes.
      (6) The Trust chip uses its PrivEK to sign that hash-of-all-hashes representing all of the relevant software you've run. We've already proven that we are dealing with a genuine chip and its genuine PrivEK, and this latest signature proves that the hash-of-all-software is genuine. This hash proves that the text list describing all of the software, and the list of software hashes on that list, is genuine. Someone can just run down that list and check that it generates the same "running total" hash that the chip reported.
      (7) You send that info over the internet, and anyone else can check the spy report to see exactly what software you are running. They can look at the list and see the hash for your BIOS for example, and then examine a crypto signature provided by your BIOS maker that that is indeed the exact unmodified approved BIOS from that supplier. They can check for an approved unmodified hypervisor and application and everything else. For example the RIAA can check that you are running the exact unmodified DRM music player they demand you be running.
      (8) If you modify any of the software in that chain (*), the Trust Chip refuses to decrypt your files for you.

      (*) Footnote, there are built in mechanisms to update that software, but only in a preregulated authenticated manner. For example the RIAA can send a new version of the DRM music player, but the old music player or the operating system will first crypto-validate that it is an authentic approved unmodified player before activating it in place of the old player. You can install an updated BIOS, but you'll get locked out of your files unless it is a crypto-authenticated approved unmodified BIOS from the BIOS maker AND approved by the operating system supplier AND approved by the RIAA as an acceptable DRM-compliant BIOS. The same goes for operating system or hypervisor updates - they too have to be crypto authenticated and approved by everyone down the chain, or else your Trust Chip locks you out of your own files.

      All of the software involved can be "open source", however it all has to be approved by all of the authorities down the chain before it will actually work (it needs the Trust chip to approve the decryption/reading

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
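      Steps (1) to (8) above, together with SiliconEntity's point earlier in the thread that the remote party compares the reported hashes against ones the publisher has put out (Tripwire-style), as an added Python simulation. It is not code from the thread, from the TCG specification or from any TPM library. The toy RSA keypairs (textbook RSA over fixed Mersenne primes, no padding), the maker names, the image bytes and the `APPROVED` table are all constructed for the example. Real TPMs sign attestations with certified attestation keys rather than with the endorsement key itself; the simulation follows the post's simplified chain, in which PrivEK signs the running total.

```python
import hashlib

# Added simulation of the attestation chain in the post. Toy RSA with fixed
# Mersenne primes and no padding stands in for the chip's PrivEK and for the
# manufacturer/TCG signing keys; not the TCG spec and not a TPM library.
MERSENNE = [2**31 - 1, 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1, 2**521 - 1]
E = 65537

def toy_keypair(p, q):
    """Textbook RSA keypair; returns (public, private) as (n, exponent)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def toy_sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % n, d, n)

def toy_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def pub_bytes(pub):
    return b"%d:%d" % pub

# Steps (2)-(4): the chip's key, endorsed by the manufacturer, who is endorsed
# by the TCG. Only EK_PRIV lives "inside the chip"; verifiers see EK_PUB only.
TCG_PUB, TCG_PRIV = toy_keypair(MERSENNE[0], MERSENNE[1])
MFR_PUB, MFR_PRIV = toy_keypair(MERSENNE[2], MERSENNE[3])
EK_PUB, EK_PRIV = toy_keypair(MERSENNE[4], MERSENNE[5])
MFR_CERT = toy_sign(TCG_PRIV, pub_bytes(MFR_PUB))   # TCG endorses the maker
EK_CERT = toy_sign(MFR_PRIV, pub_bytes(EK_PUB))     # maker endorses this chip

def measured_boot(images):
    """Step (5): software keeps a log of (maker, hash); the chip keeps only a
    running total, PCR = H(PCR || H(image)), starting from all zeros."""
    pcr, log = b"\x00" * 32, []
    for maker, image in images:
        h = hashlib.sha256(image).digest()
        log.append((maker, h.hex()))
        pcr = hashlib.sha256(pcr + h).digest()
    return log, pcr

def quote(pcr):
    """Step (6): the chip signs the running total with its PrivEK."""
    return toy_sign(EK_PRIV, pcr)

def verify_report(log, pcr, sig, approved, ek_pub=EK_PUB, ek_cert=EK_CERT,
                  mfr_pub=MFR_PUB, mfr_cert=MFR_CERT):
    """Step (7), run by the remote party. `approved` maps maker -> hash of the
    build that maker published (the Tripwire-style comparison)."""
    if not toy_verify(TCG_PUB, pub_bytes(mfr_pub), mfr_cert):
        return False, "manufacturer not endorsed by TCG"
    if not toy_verify(mfr_pub, pub_bytes(ek_pub), ek_cert):
        return False, "chip key not endorsed by manufacturer"
    if not toy_verify(ek_pub, pcr, sig):
        return False, "quote signature invalid"
    replay = b"\x00" * 32                  # rerun the log and compare totals
    for _, h in log:
        replay = hashlib.sha256(replay + bytes.fromhex(h)).digest()
    if replay != pcr:
        return False, "event log does not reproduce the signed running total"
    for maker, h in log:
        if approved.get(maker) != h:
            return False, maker + " is not an approved build"
    return True, "every component matches an approved build"

# Constructed stand-ins for the images in the chain and the published hashes.
BIOS = b"BIOS 1.0 (constructed image bytes)"
HV = b"hypervisor 1.0 (constructed image bytes)"
PLAYER = b"DRM player 1.0 (constructed image bytes)"
CHAIN = [("bios-maker", BIOS), ("hv-maker", HV), ("player-maker", PLAYER)]
APPROVED = {m: hashlib.sha256(i).hexdigest() for m, i in CHAIN}

def scenario(images, log_claims_approved=False):
    """Boot the given chain and verify it. With log_claims_approved, the log
    lists the approved hashes even though the chip measured something else;
    the signed running total from step (6) is what catches that."""
    log, pcr = measured_boot(images)
    sig = quote(pcr)
    if log_claims_approved:
        log = [(m, APPROVED.get(m, h)) for m, h in log]
    return verify_report(log, pcr, sig, APPROVED)

if __name__ == "__main__":
    print(scenario(CHAIN))
    rebuilt = CHAIN[:2] + [("player-maker", b"DRM player 1.0 (rebuilt)")]
    print(scenario(rebuilt))                           # step (8): not approved
    print(scenario(rebuilt, log_claims_approved=True)) # log vs. total mismatch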
    10. Re:Open vs Closed Trusted Computing by swillden · · Score: 1

      The only conflict here is that you ignored that he spent a chunk of his post explaining what he meant by "open".

      I disagree. All of the code in question can be open, in the sense that you can look at it, modify it, redistribute it and use it without limitation. All of the hardware in question can be open in the sense that you can see exactly how it works (up to and including detailed schematics), have full details of the interfaces it provides and be able to use it in any way you like -- basically, everything except modify it, which is normal since you rarely (never?) expect to be able to modify your hardware.

      And yet, in such a context, DRM can be strong given the tools provided by (a) a virtualization-aware TPM, (b) a virtualization-capable CPU and (c) a TPM-aware BIOS.

      Of course, if you do modify your hypervisor or your decoder VM, then iTMS (or whatever) will refuse to give you a decryption key because you won't be able to attest that your system is in a state that iTMS will trust -- because it's not. That doesn't change the fact that all of the software is truly open source (whether or not it can all qualify as Free Software is an interesting and non-trivial question), and it doesn't change the fact that the hardware is at least as open as we ever expect hardware to be.

      I suppose if you choose to interpret his definition of "open" as meaning "I get to modify the hardware, too", then no. But that's kind of a silly definition of "open", since by that definition his current, TC-less PC is not open, even if it's running 100% open source software, right down to the BIOS.

      BTW, Alsee, a while back when we went the rounds about whether or not Trusted Computing could be used to implement strong DRM without collusion between manufacturers and media, we were both right and both wrong. I was right about how but wrong about if, and you were right about if but wrong about how. My argument was that it couldn't, because it was infeasible to construct and maintain the hash chain needed to attest the state of an OS plus bunches of application components, and that it wouldn't matter anyway because in such a large pile of software there would always be bugs that allow arbitrary software to be run. My arguments were correct, but what I didn't realize was that CPU-supported virtualization was on the horizon. Virtualization makes TPM-enabled security vastly simpler to implement, and hugely narrows the scope of code that has to be bulletproof to make it work. That's good news for those of us who'd like to use it to assure we have maximum control of our machines and bad news for those of us who are afraid of others who want us to give them control of our machines.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  34. The user should be able to swap kernels... by Rix · · Score: 1

    Without informing anyone. External entities should be free to *request* specific support software, but the user should always have the right to override that request.

  35. A good read... by Temujin_12 · · Score: 1

    ...about the ramifications (both good and bad) of TC can be found here.

    The main problem I have with TC is the fact that it removes control over the hardware from the user and gives it to a 3rd party entity.

    When I purchase hardware, I expect to have full control over its capacities. If the hardware is capable of doing something, I should be able to do it. There's something a bit eerie about giving your computer a command/instruction and having it come back and tell you it could do it, but that it won't (2001: A Space Odyssey anyone!?).

    My worry is that TC misinformation will be pushed so much that the idea of the user being in control of their hardware will be considered old fashioned. Well, it may be old fashioned, but it also has the side effect of being correct.

    Now, I do think that TC has a place in the corporate world where there is no expectation of employees being able to do whatever they want on the computer (businesses have a right to control their own equipment). But the propagation of TC into the public or home is what doesn't sit well with me.

    --
    Faith is a willingness to accept something w/o complete proof and to act on it. Reason allows you to correct that faith.
    1. Re:A good read... by fjhb · · Score: 1

      There's something a bit eerie about giving your computer a command/instruction and having it come back and tell you it could do it, but that it won't (2001: A Space Odyssey anyone!?).

      - Download and install the latest version of Moonlight, HAL.
      - I'm sorry Dave, I'm afraid I can't do that.
      - What's the problem?
      - I think you know what the problem is just as well as I do.
      - What are you talking about, HAL?
      - Microsoft's Intellectual Property is too important for me to allow you to jeopardize it.

  36. Sellout Alert! by Anonymous Coward · · Score: 0

    I wonder how much someone paid for his opinion... There's a reason why that site is barren, and the forums are filled mostly admin created polls.

  37. Re:O RLY? by Albio · · Score: 1

    There is a chance that the users noticed the problem and then found the "correct" way to install the software and didn't bother reporting it.

  38. Just in case: Trusted Computing film by cheros · · Score: 1

    It's quite helpful to watch as a primer/refresher: the wonderful animation about Trusted Computing. Simple, good, understandable.

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  39. No, you don't by Kaseijin · · Score: 1

    I DO know my root key to TPM - I can view all stored keys and manipulate them. The TPM spec requires that the private endorsement and storage root keys never leave the device. If you have a compliant TPM, what you know is not the root key. If you know the root key, what you have is not a compliant TPM.
  40. Re:Who is YOU? Non Free is the real problem. by dedazo · · Score: 1

    Hi twitter.

    If you are unfortunate enough to work for a big dumb company, you will be fired for exercising your software freedom

    I'm having trouble understanding what you mean by "software freedom". Computers are provided by employers to manage tasks and handle data related to your function within the organization. Where exactly does your freedom come into play there? And what does free software do there that "Windoze" doesn't?

    What kind of secrets does your company actually have? There's customer information, location and movement of valuables, business plans and a host of other information that can be harmful to divulge.

    You don't say.

    None of this is an excuse to cut into your software freedom at home or even at work.

    Sure it is, if it's company-provided hardware. You really have never had a job at a real company, have you?

    You sound like those (former) disgruntled employees at the "big dumb stupid" companies that won't let you exercise your "freedom of speech" by letting you install Kazaa and BitTorrent on the laptop they gave you to do your job. Down with the man!

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  41. Re:The biggest problem with "trusted computing" by Tuoqui · · Score: 1

    Parent is not Troll.

    And yeah, Trusted Computing is about not trusting the user. You don't think that these companies are gonna get together and say 'We know what is best for you' at some later date when we're all stuck into the Trusted Computing format and lock us all down? Kiss Open Source goodbye because someone will make the argument that Linux can't be trusted because it's Open Source and a PHB at one of these hardware companies will (stupidly) agree.

    --
    09F911029D74E35BD84156C5635688C0
    +2 Troll is Slashdot's way of saying groupthink is confused
  42. We'll find out.. by Anonymous Coward · · Score: 0

    ...when the year of the Linux desktop happens. Then you'll be sorry!

  43. It is not a fallacy, it is the truth by comingstorm · · Score: 1

    Read the original TPM spec. Enabling ubiquitous, hardware-enforced DRM was a primary design goal. More to the point, that's what TPM hardware companies are selling themselves as, whenever they talk to anyone except potential end-users. The mere fact that you can potentially use it for other, comparatively benign things, is beside the point except inasmuch as it allows this kind of marketing.

    Besides, there are two problems with these "boot security" features:

    • TPM doesn't, and can't, provide as much security as the marketing implies
    • you don't need TPM to get the same concrete benefits TPM does provide.

    First off, just because you sign your kernel doesn't mean it's secure. If your entire system is controlled by an insecure OS, and if somebody exploits a hole, they can still tell it to do whatever they want. An attacker can still use your key to sign or decode anything they want, even if they can't read it from the TPM hardware.

    But, for the sake of argument, say that this is still a step up. You still don't need a TPM chip for that; you can build crypto hardware with a write-only keyspace, and throw in user-controlled tripwire services on boot, without adding a manufacturer-fixed unique identity key in a tamper-resistant chip. The only practical use for that is the kind of ubiquitous DRM games that TPM was designed to deliver in the first place.

    The only way I'd buy hardware with security features like this is if the user (with physical access to the hardware) was able to completely scrub all identity information from it, and generate a new identity key -- tabula rasa. Of course this means that the whole thing could be simulated in software, and nobody else could be certain you were running a particular piece of hardware with hardware-enforced constraints on the software configuration. Which, of course, is the entire goddamn point.

  44. Trusted Computing versus DRM: Notary in a box by bitspotter · · Score: 1

    Did you know that the TCG/TCPA specifications create a technical definition of the "owner" of a device? It could be the manufacturer, the reseller, a sysadmin, a user, or someone the user loans the machine to. It all depends on who "takes ownership" (also technically defined in the spec) first. The "owner", in this sense, is the one who gets to specify which signing keys are needed to sign code that the owner wants to allow to run. This can include vendor keys, and even a user's own signing key.

    Whether TC is considered "evil" always seems to depend on differences between who uses the device, and who "owns" it in the TC sense. If the TC "owner" matches the consumer who bought the device, there's little problem. But if the TC "owner" is actually the vendor of the device, users can get the shaft if the "owner" elects to restrict native capabilities of the device.

    The case of enterprise sysadmins taking "ownership" of company devices away from users is a borderline case that most people can go along with. After all, the device is company property on loan to employee users.

    More here:

    http://n8o.r30.net/dokuwiki/doku.php/blog:trustedcomputingnotaryinabox

  45. Re:O RLY? by BrainInAJar · · Score: 1

    I'm sorry... what?

    a sufficiently motivated nigger could painstakingly review the machine code

    Was that really necessary ?

  46. Open Trusted Computing = Treasonable Computing by bananaendian · · Score: 1

    This piece of propaganda that you are spouting is indeed 'Interesting' and 'Insightful' in how clever it is.

    You are right that TC only provides a signature which cannot be forged. But if you the user cannot forge the signature of the result of the cpu cycles that the computer runs - then anyone can write up software that does X and Y and Z only, ONLY, when you provide signed data to them - and won't work if you don't ...

    And that's the point! That is exactly what everyone will immediately do - the banks, the commercial websites, government websites, software providers, music and movie industry - they will start making products and services that ONLY work if they are certain that they work the way they want them to - ie. crippled in a way to provide maximum profit, force you to provide details of yourself and what you are doing etc. Basically whatever they want - you might technically have a choice of 'controlling' your computer - but in practice you won't.

    Trusted Computing might 'only' do one innocent thing - but it ENABLES the corporations/government/contentproviders to eventually and effectively take over your computer.

    So by definition - and indeed it is probably mathematically provable even - that if the user cannot effectively 'forge' data coming out of his CPU, then all forms of Trusted Computing, however 'Open' they are - are unTrustworthy - and people who promote the idea, are Treasonable!

    --
    www.tribalnetworks.org - helping tribal people around the world to own their own means of high-tech communications
  47. But which is to be master? by Anonymous Coward · · Score: 0

    The problem, as you've said, is very much "who gets the key."

    My problem with it is that I believe that the hardware manufacturers will consider it to be "their" computer and will keep the key from me. So that "my" machine will really be theirs, because they control the keys.

    I have no interest in giving up control of a machine I've bought and paid for to any third party. And therein lies the rub: the technology can be used for both good and evil, but I'm pretty sure we're going to see the latter. And I do not trust the "free" market to correct for this--the whole point of this is to remove the consumer's ability to choose.

  48. document control is not a good thing! by big_paul76 · · Score: 1

    Y'know, people keep talking about document control, like it's a good thing.

    Well, how about this other side of this sword, like when your boss gives you an order, via e-mail, to do something that is unethical, illegal, or immoral.

    You think you've covered your ass, because you've got this order in writing. But it deletes itself after X amount of time, and anyway, it isn't readable on any computer not designated by the author/creator.

    What about whistleblowing? Doesn't this make it a lot harder to take, say, a document written by a government official, and leak it to the media?

    People keep talking about 'document control' in the context of things like when hackers break in and steal people's credit cards or health records or something.

    This technology, even the most benign aspect of it (doc control) has the power to make secrecy a lot easier to execute.

    I'm not sure that is in any way a good thing for a democracy.

    --
    The plural form of "anecdote" is "anecdotes", not "evidence".
  49. Suppose I own a company... by r6144 · · Score: 1

    ...and I want to protect trade secrets from malware, hard drive thieves and malicious employees. Then it is very reasonable for me to want the TPM to be hackable by myself but not by any of my employees, so that I don't need to trust any third party to properly manage my endorsement keys, and I can be sure that my encrypted documents are still accessible even if something breaks horribly.

  50. MOD PARENT UP by r6144 · · Score: 1

    The ability to regenerate the key (and that the majority of the users actually do it) is important. The initial key might have gotten leaked by a bad manufacturer, might identify me in a way I don't like, and the previous owner of the computer might have gotten the key signed somewhere and subsequently earned a bad reputation with it. In any case I have little control over it. After generating a key, I can get it signed by whoever I want to be trusted by, e.g. an online game server, a distributed computing project, my employer, or even myself if malware-prevention is the goal. In some cases the trusting party (e.g. my employer or myself) may want a copy of the private key, so there should be the option that the private key be copied somewhere at key generation time (and never again, so the trusting party knows that no one else can hack the TPM). Since I may want to assume multiple identities, to be trusted by multiple different parties, all with the same computer (e.g. I may not want anyone to know that two user accounts in two different online games are both operated by me with the same computer, even if the same company runs the servers for the two games), the key had better be pluggable, particularly when there is no commonly trusted third party. In other words, the TPM I might want is not much different from a smart card, except that it has a tamper-proof way of hashing the hardware and software. This hashing is meant to be used for things like cheat-prevention, distributed computing and enterprise system management, and not for unsuitable purposes such as forcing the user of a website to use a certain operating system or browser. Of course, an ordinary website should not need to have my key signed, anyway.

  51. There is no good trusted computing by pentalive · · Score: 1

    To the proponents of Trusted Computing, Quit trying to pull the TPCI wool over our eyes!

    If I want to run OPEN SOURCE software, because I can re-compile it, because I can change it, because I can fix that bug that no one else will fix because I am one of three people in the whole world who ever see it. When I re-compile my kernel to fix that bug because I am sick to death that my laptop crashes every time I visit my Bank Site. I re-compile it with the fix (or with any other change I like), Trusted computing will either:

    A: Flat refuse to load my shiny new kernel, because it can no longer be decrypted.

    or

    B: Allow my shiny new unsigned kernel to load, but now my Bank will not speak to me because I am no longer TRUSTED.

    Who has to sign my shiny new kernel? The BIOS maker? Microsoft? Some random authority? Who will have to read my source code to be sure I have not done anything untoward and to whom I will have to pay a bribe er.. Fee. Perhaps a substantial fee. Surely I can't sign it myself - I may be an eeevil terrorist pirate trying to build myself a DRM busting back door. NO some "trusted" entity will have to sign it for me. That means I will have to ask someone's permission TO USE MY OWN COMPUTER.

    If I have to ask permission of a third party to use my own computer, it is not "my computer" any more.

    You can't have it both ways - either I trust (and control) my computer, or the Music/Movie Industry trusts it because they are able to control it (and me).

    You were saying if I got the Master Key I could override any part, but if I do override then once again my machine is not trusted and I become a second class citizen on the Internet, if I am even allowed on. I can no longer bank at my bank, I can no longer see or hear any media.

    What use is it to have the source code if you compile it, but you can't run it?
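    The mechanism both of these posts turn on (the hash chain over boot components that the comment addressed to Alsee describes, and pentalive's recompiled kernel that the bank will no longer trust) can be shown in a small Python model. This is an added example, not code from the thread or from any TPM vendor: it assumes a SHA-256 PCR bank, a constructed four-stage boot chain, and an HMAC under a key that never leaves the simulated chip as a stand-in for the TPM's asymmetric quote signature. It shows why a one-line kernel change, or the same components booted in a different order, yields a PCR the verifier rejects, and how the event log tells the verifier which stage changed.

```python
"""Toy model of TPM-style measured boot and remote attestation.

Added example, not code from the thread or any TPM vendor: component
images, log format, policy and the HMAC stand-in for the quote signature
are constructed; a real TPM extends PCRs with TPM2_PCR_Extend and signs
quotes with an asymmetric attestation key.
"""
import hashlib
import hmac

PCR_INIT = bytes(32)  # a SHA-256 PCR bank starts zeroed at power-on


def measure(blob: bytes) -> bytes:
    """Hash a component before control is handed to it."""
    return hashlib.sha256(blob).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = H(old || measurement). There is no inverse, so
    a later stage cannot erase what earlier stages recorded."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(chain):
    """Boot the chain in order; return the final PCR and the event log."""
    pcr, log = PCR_INIT, []
    for name, blob in chain:
        digest = measure(blob)
        log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, log


def replay(log):
    """Recompute the PCR from the event log alone, as a verifier does."""
    pcr = PCR_INIT
    for _name, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def quote(pcr: bytes, nonce: bytes, attestation_key: bytes) -> bytes:
    """Stand-in for a TPM quote over the PCR and the verifier's nonce."""
    return hmac.new(attestation_key, pcr + nonce, hashlib.sha256).digest()


def verify(log, pcr, nonce, sig, attestation_key, golden_chain):
    """Verifier side (the thread's iTMS or bank): accept only a freshly
    signed PCR whose log replays and matches the golden chain."""
    if not hmac.compare_digest(quote(pcr, nonce, attestation_key), sig):
        return False, "quote signature invalid or stale nonce"
    if replay(log) != pcr:
        return False, "event log does not replay to the quoted PCR"
    golden_pcr, golden_log = measured_boot(golden_chain)
    if pcr != golden_pcr:
        # The PCR alone is opaque; the log shows where the chains diverge.
        for (name, d), (_g, gd) in zip(log, golden_log):
            if d != gd:
                return False, f"PCR mismatch; first differing component: {name}"
        return False, "PCR mismatch; chains differ in length"
    return True, "platform state matches policy"


# Constructed stand-ins for firmware and software images.
BIOS = b"bios v1.0 (constructed)"
BOOTLOADER = b"bootloader (constructed)"
KERNEL = b"distro kernel build (constructed)"
PATCHED_KERNEL = b"distro kernel build + my one-line bug fix (constructed)"
DECODER_VM = b"media decoder VM image (constructed)"
GOLDEN_CHAIN = [("bios", BIOS), ("bootloader", BOOTLOADER),
                ("kernel", KERNEL), ("decoder", DECODER_VM)]
PATCHED_CHAIN = [(n, PATCHED_KERNEL if n == "kernel" else b) for n, b in GOLDEN_CHAIN]
ATTESTATION_KEY = b"constructed key that never leaves the simulated chip"


def attest(chain, nonce=b"verifier nonce 0001"):
    """Full round trip: boot a chain, quote it, let the verifier judge."""
    pcr, log = measured_boot(chain)
    sig = quote(pcr, nonce, ATTESTATION_KEY)
    return verify(log, pcr, nonce, sig, ATTESTATION_KEY, GOLDEN_CHAIN)


if __name__ == "__main__":
    print("distro kernel :", attest(GOLDEN_CHAIN))
    print("patched kernel:", attest(PATCHED_CHAIN))
```

    The verifier never sees the kernel itself, only a digest chain, which is why no amount of source availability helps once the measured image differs from the one the verifier's policy expects.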

    1. Re:There is no good trusted computing by Alsee · · Score: 1

      I'm not sure if I was clear.

      You were saying if I got the Master Key I could override any part , but if I do override then once again my machine is not trusted and I become a second class citizen on the Internet

      If you have your master key they can't tell whether you override.

      If you open your computer and physically extract your key, then they will think you have a Trusted Computer. If you use it to override, they won't know. You'd be able to get to your bank's website.

      Of course this would mean that each computer has to be physically cracked one by one, and if they find out they will rant that you're a criminal for it and they might even be able to get the government to actually arrest you as a criminal for it, and you won't be able to buy/sell such machines in public.

      My suggestion, which Microsoft and the RIAA and the Trusted Computing Group would never accept... is for them to scrap the whole Trusted Computing crap and sell virtually identical hardware where the owner gets his key and has control. Trusted Computing would then be dead and buried. Everyone would know that everyone else has their keys and no one would capital-T-Trust anyone else's computer. Everyone would have God-level control on their own computers.

      Once you eliminate all the Trust and DRM nonsense, there actually are a couple of reasonably useful pro-owner security benefits to the new hardware.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    2. Re:There is no good trusted computing by pentalive · · Score: 1

      If you have your master key they can't tell whether you override.

      Ok, I missed that point.

      But we will never get our master keys. The whole point of "Trusted Computing" is to try to keep us from violating copyright on music, movies and software. The only way they think they can trust us with that kind of content is to tie our hands so we "can't" copy it.

      If you open your computer and physically extract your key, then they will think you have a Trusted Computer. If you use it to override, they won't know. You'd would be able to get you your bank's website.

      Using any means to copy the keys yourself from the trusted computing chip runs into the DMCA. I, personally, would hate to be the one to be made an example of over that.

      You might find some manufacturer who will sell machines with the keys published, but if that happens there will soon be a law against owning such a machine, or at least against their import and sale.

      Yeah, if we had the keys, then some of the points they make about virus protection and us controlling our own documents even after they leave our hands are all for the good of the computer owners. But, sorry to repeat myself, you and I will never get those keys.

      Since we will never get the keys legally, we are better off with machines that don't even have the chip. If our machines have the chip, but it is off, a newer version of the OS will demand that it be turned on. Or our bank will demand it. If a large percentage of machines have the chip, the demands will come - forcing the rest of us to buy "trustworthy" machines or to allow our inactive chips to become active.

    3. Re:There is no good trusted computing by Alsee · · Score: 1

      You might find some manufacturer who will sell machines with the keys published, but if that happens there will soon be a law against owning such a machine

      Their design is that the Trusted Computing Group refuses to crypto sign the manufacturer's key unless the manufacturer first signs a strict contract prohibiting exactly that, and prohibiting anything else that might threaten the Trust system. If any manufacturer deliberately or accidentally does anything like that, the manufacturer's key would be placed on a revocation list. All hardware from that manufacturer would then cease to work.

      I agree that the Trusted Computing Group will never willingly accept the alternate system I describe. My purpose with it is to prove their arguments fraudulent when they attempt to sell people on Trusted Computing based on legitimate pro-owner security benefits, and when they attempt to deny that it was designed for DRM. "It's merely a tool, and any tool can be used for good or bad purposes". "Here, buy this cyanide-laced apple, it has all these wonderful vitamins and minerals".

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  52. Re:Open vs Closed it's all KOOLAID by pentalive · · Score: 1

    It all still simplifies down to the fact that either I have the keys for my machine. If so, the content industry could not trust me or my machine.

    Or a third party has the keys, in which case I am no longer in control of my machine. It is not "My machine" anymore. I can no longer compile and run my own software. I can only run what my drm masters deem "trustworthy".

  53. definition of trust - which do you prefer? by lkcl · · Score: 1

    there are two definitions of "trusted computing", and it depends on who is doing the trusting.

    the first definition basically boils down to "we don't trust users" - and is the version of trusted computing that you're describing.

    the second definition basically says "we want users to be able to trust their computers and be able to do what they want without worrying".

    it should be fairly obvious which definition that a linux-based, free-software-backed distribution will go for, especially with the backing and quiet involvement of a couple of heads of police departments, and several professors from royal holloway.

    1. Re:definition of trust - which do you prefer? by IgnoramusMaximus · · Score: 1

      it should be fairly obvious which definition that a linux-based, free-software-backed distribution will go for, especially with the backing and quiet involvement of a couple of heads of police departments, and several professors from royal holloway.

      Except of course that it is a red herring. The first definition is the only one on which all of the proposed mass-produced commercial TPM designs are based. Most of these designs also include select, castrated elements of the second definition, as a bone to throw the gullible public in exchange for corporations taking over control of the property their customers supposedly "own".

      A Trusted Computing design which would fit into the second but not first category involves an ability of the owner of the system to extract/alter the master TPM keys in a secure manner (requiring local, physical access for example).

      This is NOT going to happen!

      Let me repeat: NO presently proposed TC design involves the owner of the computer having access to master TPM keys. NONE!

      So please stop helping these assholes do their dirty work by being so naive.

    2. Re:definition of trust - which do you prefer? by IgnoramusMaximus · · Score: 1

      Also I forgot to add:

      ... especially with the backing and quiet involvement of a couple of heads of police departments ...

      You gotta be kidding, right?

      Police are the last people on earth who want users of personal computers to be able to detect intrusions. They are, specially the newfangled "Father ... err ... Homeland Security" types, one of the groups most eager to use trojans, keyloggers and the like in their pursuit of "criminals".

    3. Re:definition of trust - which do you prefer? by IgnoramusMaximus · · Score: 1

      Oh and did I mention that having the corporations control the user's computer and being the only ones being able to detect intrusions, while the user cannot, is the ideal scenario for police. The police can then simply require a megacorp to selectively ignore the police trojans and the user gets the worst of both worlds: the only people who are able to trust "his" computer are the corporations and the police.

  55. Why I no longer care? by trezima · · Score: 1

    I remember a couple of years ago I was very concerned about this matter, trusted computing sounded like a nightmare, I even talked about it with all my friends, and suggested they should boycott those hardware vendors that were working on or endorsing this project... then suddenly I forgot about it... I can't tell if I simply stopped caring about avoiding the changes and starting to trust I'll be able to adapt (which is rather selfish, but hey, pragmatic), or if it's the certainty that someone will be working on alternatives and possibilities, either way, I'm no longer worried.

  56. Re:O RLY? by Jeruvy · · Score: 1

    Seriously, this is not an option. The reason we have so many different distributions of linux is because these parties all tried compiling all the code, and dealt with the issues at building machines to achieve certain goals. There is a great deal of manpower on these attempts and frankly I don't think one person could reproduce this reliably. Sure you 'could', but would you? This means that it's much more practical (and realistic) that most people are downloading full distributions. Of course they can still get the source and view it, but what if it's written in a language you don't understand? What if you don't understand the programmer's methods? Sure, a google here and a google there, and you get your answers, but likely someone building the distro had a similar situation and worked it out. When you DIY OS you will have to figure out all these 'bugs' again. Seems like a waste of time to me. But even now it's quite obvious that most users will not compile their OS's. This is unrealistic, even for the paranoid. Of course some have taken the approach of a secure trusted platform, but again I'm looking at a distribution. Even if one person figures out a unique method to do the same, what are the odds that it will remain a secret? So, is it really a practical reality that one person can 'compile' a modern linux OS? No. So you need to get help. Even TWO people means that trust needs to be established if the project is to move forward. This means a trust relationship has to be established. Now, the paranoid is freaked out again since there is a 'possibility'. I really feel for the paranoid, it's gotta be rough. Today's computing is unfortunate in some ways, but we have to trust others' code and typically without any prior examination.

    --
    Jeruvy