Slashdot Mirror
IBM to Disable serial number in Pentium III
Taz writes "IBM
will disable the serial number
feature before shipping their PIII. " The question is
who will turn it back on? Without asking first?
← Back to Stories (view on slashdot.org)
← Back to Stories (view on slashdot.org)
Quoth the article:
"Intel is encouraging PC makers who do
include the switch to set it to the 'on' position
so users will be able to take advantage of the ID
feature without having to set up the option in
their BIOS"
I'm still waiting for a real explanation of how the CPU ID "feature" is going to be a great benefit to the "user".
It's rather egotistical of you to assume that everyone has the same life as you. I don't need another way for companies to keep track of my activity.
About Jiffy Lube...at least you *know* that it's Jiffy Lube...with the chip, there's no telling who could be tracking you...for whatever purpose (sniff, sniff...blackmail).
This is also somewhat different than a company like Equifax or TRW keeping your info because at least you can call those companies and see what they have on you.
Serial Number acceptance= Bend Over(TM)
So bend over. I bet you're gonna be one
of the first people who get their ass
barcoded in exchange for discounts
at the store.
The answer to the issues raised by Intel's CPU ID
is simple. Do not buy the CPU or a system based upon it.
Unless customer demand for this not so hot upgrade
really does materialise my company will not be offering
any systems based upon it.
I have a web-browser that supports Java-script, but I have turned this "feature" off because I think Java-script is a pile of crap and a security hole.
The problem is that there are sites around on the Internet has require you to have Java-script enabled to interact. IOW, we who prefer to not use Java-script will be outed by this service.
My fear is that we in the future will have the same situation with the Intel chip, where poeple who doesn't want to use it [or use AMD, mips, PPC, ARM, whatever chips] will not be able to use the very same service.
All it would take is for Windows 2002 to require you to have the ID working and the whole thing would turn around.
Once you have someone's mac address you can also sniff all of their network packets. Even if they use encryption you can do traffic analysis and tell who they are talking to.
The only PR here is the paranoid anti-Intel overclocking hacker-posers who are claiming this is an infringment of their rights. Rights aren't involved, there is no right to compute or to buy a pentium. There is no law that grants you access to it. Further, you don't have to execute a single instruction if you don't want to and you don't have to transmit a single bit of data, nobody is forcing anybody to do that. This has nothing to do with privacy, it has everything to do with people who are stupid. Too stupid to kow what their computer is doing and then getting worried about it instead of figuring it out.
Why aren't they crying about the tracking devices that the auto companies put in new cars? How do you know that onstar doesn't do more than give you maps and call for help? It sounds to me like the car company (and the government) can probably track your every move if you own a cadillac or other car with onstar and they can tell when ever you come in to contact with another owner, when you cross borders, they can tell when you put gas in your car, where you put gas in your car, all the telemetry data from the on board computers, etc.. That is invasion of privacy and these so-called privacy advocacy groups are busy crying about a few instructions on a computer chip!? Look at the code, disassemble the code, write tunnelers and monitors, if you have an ounce of technical know-how you can prevent the ID instructions with 100% certainty, it doesn't take a computer genius, you just can't be an idiot.
Intel came up with a great feature for inventory control. Large companies can keep track of what hardware they have in thier network.
However, a group in Intel was chartered to talk about security. Having nothing better to say, they came out with the processor serial number early as a "security feature". Oooppss.
Now the world is horrified that a number sitting on your computer is going to be broadcast to every web site you visit and companies will track marketting information based on it.
Of course, this software does not exist. What does exist is much smarter about not giving out the PS#, but a derivative number that can't be used between sites (eg. using a cryptographically secure hash with say the URL). Suprise! People were actually thinking about this problem a long time ago and fighting to do something about it.
However, you'll still be tracked and marketting information will still be accumilated in much the same way it is currently being done without the PS#.
AC with a clue.
Very much unlike most everyone else here.
(sigh)
so will it like make your OS (linux for me) send udp packets to intel.com telling them stuff? heh
if the PIII was so effective in stopping piracy then you're saying I have to buy a PIII just to run my stuff? I just bought a PII 450 and it's going to be worthless now?
I don't look at CPU serial numbers as a privacy issue. Intel made 2 mistakes with its serial number scheme. 1, they are aparently soft-setable and 2, they marketed them as an aide to ecommerce.
I doubt the original intent had anything to do with ecommerce or privacy, I think it had to do with the market in stolen, overclocked and relabled CPUs. Intel wanted a way to uniquely identify each CPU produced so they could be tracked if they were stolen and so it would be harder to resell them as faster processors, which does happen, particularly over-seas.
Now, needless to say, their current SN scheme won't do that. Their statements on the subject of ecommerce don't hold mush water with me either because I want ecommerce to work wherever I am.
Marketing over substance? Intel? Never...
At least this time their being called on it, although I don't get the paranoia about a hardware feature that no software supports...
... oh wait, paranoia doesn't have to make sense.
Never mind.
OR
"Big-Brother" Inside
Has the boycott stopped? Not in my house it hasn't Defin*a*tely time to support EPIC and Junkbusters, if you haven't already...
I've seen software to fake MMX instructions, why not have a program that not only can log who asks for the serial#, but also set it to private mode, where it randomly generates a serial# for each request.
:>
That would sure confuse some sites
I wonder how these sites would deal with dual and quad PIII? Imagine if you software was bound to one serial# and it would only start up 1/2 of the time... that would be annoying. Just seems like the serial# was a very half baked idea.
-Eric ( to lazy to lookup account info )
Pentium III serial numbers hacked
On Monday, c't, a German technology magazine, revealed that it had
found a way to read the serial number of Intel's new Pentium III chip
without the owner's knowledge or consent.
Ever since privacy advocates raised an alarm about the new chips'
serial numbers, which can be read by Web sites, Intel has assured the
public that Pentium III owners would be able to use a software tool to
turn the feature off and on and protect their privacy.
But c't's chip specialist, Andreas Stiller, found a way around Intel's
safeguard. Stiller loaded an Active X "Trojan horse" (a disguised,
malicious security breaking program) onto a remote PC over the
Internet. He then circumvented Intel's software tool by abusing a
feature called Advanced Configuration and Power Interface (ACPI) -- a
power-conservation standard created by Intel, Compaq and Microsoft.
"I switched the computer into 'Deep Sleep' mode, and rebooted the
machine, then read the serial number before Intel's software tool was
started," says Stiller.
The problem, it seems, is that the processor's serial number is in the
"on" position by default; it's only Intel's software that blocks the
number. Seth Walker, a spokesman for Intel, responds: "Don't think of
it that way. The number is just there, it's not 'on.'"
In fairness to Intel, if someone manages to load a "Trojan horse" on
your computer, then access to the chip's serial number is probably the
least of your worries. Still, the report won't make Intel's job any
easier as it tries to dispel fears and reassure PC users that their
personal information is safe from prying eyes.
What can users do to protect their privacy? Intel is not just
providing the software tool but also advising computer manufacturers
to switch the serial number off in the BIOS (the first software
instructions a computer loads when it boots up). The proud owners of
new Pentium III PCs can then enable the serial number function using a
custom piece of software from the manufacturer. But not all
manufacturers will disable the serial number in BIOS, and once enabled
it will be very difficult to turn off. Finally, Intel's Walker says,
"We also advise users to choose carefully which Web sites they spend
their time on." When it comes to privacy, it sounds like Intel's
stance is "caveat surfer."
The company has vowed that it will not be keeping a database of the
serial numbers -- although Intel vice president Mike Aymar admits that
"we may be able to tell approximately when and therefore to whom the
processor was sold."
So why did Intel introduce the serial number in the first place? To
help corporations track and manage their PC inventory, and to provide
another level of security for online banking and e-commerce
applications. Banks will be able to use the serial number, together
with user names and passwords, to verify an individual's identity.
Privacy groups such as the Electronic Privacy Information Center
believe that the U.S. government had a hand in Intel's decision.
"We have repeatedly asked Intel if the NSA or the FBI requested them
to include the serial number," says Dave Banisar, policy director for
EPIC. "Their only response is that their largest customers have
requested the serial number."
Of course, Banisar points out, the U.S. government is one of Intel's
largest customers. -- Niall McKay
That's the decision you make. Tough.
So? Don't buy the software then.... No, everyone would rather bitch and moan, bitch and moan.
Chip serial numbers are not the answer for Ecommerce. Too many different people using the machines. The serial number needs to be unique to the user. M$ is working on this. You'll be able to have it stamped onto your hand or your forehead.
My system at work who's processor died while I was in the middle of using the system...literally. The system had been on for *hours* and I was browsing a web page. Everything stopped and nothing short of a reset would seem to free it. Push reset and get *nothing*. A new CPU was needed. So, I would then have to re-install all my apps.
Also, if the security is worth anything, the serial number won't exactly be in plain sight, so there wouldn't be a way, at least not an easy one, to recover w/o a re-install since we likely wouldn't know what number to have a new on set to and couldn't get it from the chip.
i hate [sic] eaten 5 assholes
Oh yes. It does seem that the old adage "You are what you eat" is quite true.
I have no problems with Intel doing this personally, because I never intend to by an Intel chip. I used to work there and I think they suck.
I also never intend on using new M$ applications on the non-Intel CPU that I buy, because the new applications suck (not that the old ones caused me to sport wood or anything either).
I do think that the concept is VERY lame, however, for everyone who plans to do all those sucky things mentioned above.
Your undersanding of basic network principles is severely flawed.
In order to get someone's MAC address you have to by physically located
on the same network segment. The moment that a packet passes
through a router the MAC address changes to that of the router and
this happens each time it passes to a new system.
All that you can get on me is my IP address which is probably
dynamic or at least shared with many other people.
The issue is not whether you can be traced but rather that this will give Intel opportunities to leverage a monopoly position in association with other companies like MS.
I was wondering about this. Exactly how does a program read the CPU serial number? Wouldn't it have been better if Intel had at least made it so that you had to use a priviledged (sp?) instruction to read the serial #, so that it could be trapped? Would it be possible for the OS to do load-time code modification to find where a program looks at the CPU ID, and replace it with some (trappable) instruction?
Just my mind wandering..
In my job as an admin at a school I use
disk-cloning tools like ghost, Installing
NT Workstation, drivers, Office, Netscape,
etc. on a computer can take hours, but today
I only do that once per classroom the other
15+ machines is all done in 15-30 minutes.
And YES I am scared that the next office has
to be run on the CPU it was installed on,
or something equally stupid, of course this
all seems to dumb to ever become reality but
you'll never know with wintel....
Heh heh, what's all the fuss about then. Let's just assume Intel are taking action and placing a Serial Number on there chips. This will in turn help keep track of chips (should they go walkabout) and secondly help enforce against software piracy. Nothing's particulary wrong with this.
Secondly if anyone wishes they may turn the feature off (so no problems), anyone wishing to use the technology as a backing for e-commerce can do so (until someone screws them by copying the serial number through tracking them which will only make Intel look very stupid) and lastly if any of you do pir8 out there, then you know full well that a patch will be released to combat the actual serial number itself and fool the software...
So, basically, the serial number posses no threat to those doing things by the book and for those without not to legal tendancies - get a hack!
-Martin
Hah,
the stock market crashed a few times during the early nineties because serialized software expired.
Don't hand me that. (It wouldn't surprise me if that happened at E-trade a few weeks ago, too.)
Serial #'s can be hacked. As can copy-protection schemes. Look at Softimage.
Howevever, it makes life rought for legitimate users. If I want to do an install on a new computer over the weekend, you *better* have 24/7 support.
I don't want your automatic licensing scheme to fail because I changed computers. Do you hear me, SDRC?
Every add I have seen this weekend (Circuit City, Best Buys, Comp-Usa (Intel Week!) have touted the PIII's ability to improve the internet experience of the average home consumer.
I guess the serial number could "improve" ecomerce, but other than that how the heck is this zippy cpu going to make the average home users v.90 internet connection any better?????
15 pussies and 20 blow jobs?? And you're BRAGGING about that? Big whoop boy, that ain't nothin... Certainly nothing to brag about. I take it you're about 17??
"You talkin to me punk? Walk on home, Boy!"
-Pantera: Walk
According to the PIII docs from Intel, once the
ID code is disabled, the only way to enable it again is to reboot the machine.
Furthermore, the same doc says that you should not
expect the numbers to be unique.
I'm sure there is some good reason to have the serial number. All cars have serial numbers. Does that mean Jiffy Lube is tracking us every time we get an oil change? Maybe, but who cares - they can track us via our credit card number, our liscense plate number, our ss#, etc... The chip serial number is to make life easier, not introduce something that couldn't be done already.
Face it, it's damn easy to track you. Intel just made a way to make it even easier and everybody got pissed at them. The same people who started this who thing are the people who dissable their cookies and running cookiemunger and cookiesmasher, etc. because they think cookies let anybody track where you are and what web sites you've been to.
I'm supprised people aren't complaning that its' too easy to track people via IP address. It's no different the the serial number, and you can't dissable it. Right now Slashdot has access to WHO I AM because my ip address is being sent to the site whenever I go to ANY PAGE. OH MY GOD, I'M SCARED (not).
And the worest part, the serial number makes it much easier to stop pirating. When you install a priece of software, it can bind itself to your chip's serial number. Then no matter how many times you reinstall, it will still work. But NOOOO, so many people relay on stolen software (hey, can I borrow your office cd?) that heaven forbid there is an easy way to stop or at least slow down piracy...
This is rediculous. Bring on the serial number, it's not going to effect MY life.
Posted by Mephie:
Dell is also disabling the ID in the bios. It looks like Intel's about to learn just who it's friends are.
--Mephie
Posted by Lord Kano-The Gangster Of Love:
->Really paranoid people, change what it says via software.-
I count myself among those people. At work, I enable cookies so that when I go to a supplier's website to check for parts availability I don't have to re-type passwords and whatnot, at home I disable cookies completely. IP spoofing isn't impossible if you have enough background in networking.
However my idea is for some valiant soul to obtain his PIII CPU serial number and put it on the internet so that the same gurus who came up with spoofing MACs can spoof CPU IDs. Imagine how interesting it would be if 1,000,000 or more of us were spoofing the same number.
I don't have the background in low level x86 architecture to do it myself, but there should be many people who do.
How long do you think it would take for Intel to file suit in the spirit of Nintendo, to crush the dissemination of CPU ID spoofers?
LK
And if you're wondering, here's the most important reason I could care less what crap Intel packs into their chips: I don't ever plan on buying an Intel chip again. Buy an Alpha and be happy.
And the worest part, the serial number makes it much easier to stop pirating.
So what you're saying is that Intel believes that the people who buy it's chips are pirates?
As a user of GPL'ed (and BSD, Artistic, etc) software, I strongly resent the accusation that I'm stealing copyrighted works. If I were to buy a PIII, that accusation would be present every time I used the computer. The serial number is still present whether that "feature" is turned off or not.
Not all processors are ever going to support this CPU ID mechanism. For that reason, organizations and sites will NEVER require it in order for you to navigate or do normal things. More likely, e-commerce sites will offer to use it as an additional security benefit (for example, by not allowing purchases from another PC). This ID will never be a requirement. There are plenty of alternatives to Intel CPU's and I haven't heard of any of them implementing something similar.
This isn't like the web browser thing where all of the other competing vendors are going to decide to implement something similar. If they do, there will surely be a way to disable it (like there is now) for those that don't want to use it.
I think you're being pretty silly, myself. Your broad statements about Javascript being a "pile of crap" and a "security hole" are unfounded. Instead of absorbing all of the mass-media hype try educating yourself about what these technologies can and cannot do and how you can and will be able to control them.
Yes, vulnerabilities have been discovered in the various Javascript implementations, but they're typically patched shortly after their discovery and I know of no cases where they've been exploited maliciously.
That's basically saying Windows 2002 will only run on processors that have this CPU ID. This means only Intel PIII and derivatives will be able to run Win2002.
Doesn't this seem slightly INSANE, or is it just me? If this bit of rubbish ever does come to pass, what's to stop competing CPU vendors from shipping all of their CPU's with the same valid ID (like, zero)? Or how 'bout an ID of the user's choosing?
You people are getting just a little bit too paranoid here.
No company is going to voluntarily cut their market down to those few people that will end up owning a PIII or derivative processor with a functioning CPU ID mechanism.
If the application legitimately needs the horsepower, other competing vendors will surely be able to provide a compatible processor (without the CPU ID mechanism). Why in the *world* would a software developer CHOOSE not to sell to those people?
The only thing any copy protection does is piss off the customer who buys the software. I don't know about you, but my machines change constantly, especially my wintel game machine. If my software stopped working becuase I upgraded my CPU and it had a different serial number I would be one exteremly pissed off puppy!!
The processor has no inherent ability to transmit the ID. It has no TCP/IP stack. It has no modem. It has no radio transmitter.
This means, (follow me here, genius) that it takes _SOFTWARE_ to read the ID to the site.
Gee.
Use mozilla. Change fetch_id() to return random64(). If Intel has some sort of checksum/crc built into the ID, it'll be
reverse-engineered. They have to tell people how
to verify it or nobody will verify it. If nobody
verifies it, random64() is good enough. Remember
how AOL used to do batch credit card transactions?
They used the simple checks to see if a card was valid. What happend? Right. People used card generators. Expect to see ID generators as well.
All in all... a total non-issue. Like all online
verification schemes.
--Dan
Again, wake me when you have a clue
As technology improves, more people will be accessing the internet through cable modems, ISDN TA's and ADSL boxes that work over ethernet. How long do you think it will be before the major browsers and HactiveX controls can read out and return your card's MAC address?
Heck, you don't even need to be using your ethernet card to connect to the net... if it's just installed in your computer, you have a software-readable serial number in your machine. Or the ethernet chipset could already be on your motherboard, in workstations or high-end motherboards. Not removable.
And even if Intel's serial numbers take off, it will take both OS and browser support to make it a viable solution for web sites to track you... and even then the browsers will probably allow you to turn off the feature that sends your serial number.
So, for me, the serial numbers aren't a huge worry. My computers are already serialized.
Interesting PR move. IBM seems intent on NOT being Big Brother-like these days (with this and its Linux support and all). Anybody know what's caused this pleasant change in policy?
Someone says they'll ship their computers with it turned off. So what? You install IE6 and it turns it on. Or you load MS Office, and it turns it on. But so what?
No one will be worrying about it. ECommerce? Say a web site requires your ID to process a transaction. Okay, a (possibly) legitimate use. (Bear with me a moment.) Like a cookie, the vendor knows who you are by your PIII ID.
Now, pretend I'm not using Netscape or IE, but a browser I wrote myself. And this browser, instead of checking my CPU to read the ID, sends whatever ID I told it to use. And, just so the vendor will think I'm legit, my browser claims to be Netscape as well.
Don't want your software to know who you are? hack the OS so that it gets the ID from a file or something instead of reading the chip.
If it's not verifiable, it's of no use. No one's figured out how to change fingerprints yet, so they are considered hard evidence. Changing your appearance is not simple, so most people accept a picture ID (driver's license) as valid proof of identity. But no one would do business with someone based on something like a business card -- might be real, might be OfficeMax.
Stupid people will be persecuted to the fullest extent allowed by law.
I'm not
The problem with the serial number as I see it is that people will put too much confidence into the value of this serial number.
They are already talking about the serial number being a secure method for e-commerce. It's about as secure as your credit card, and probably less so. Sniff around the network and you'll be seeing these ID's fly around the net without too much trouble. Hmmmm. This looks like a good one. I think I'll be that person for today.
How will you know that the serial number you are using is actually your real serial number, not something that somebody's managed to slip to you. Not quite like a trojan, but something close. Now you can't access your bank account. Or the same or a different program has sent your serial number to somebody who's computer now has full access to your bank account.
Software that will use this serial number will get hacked, just like how Office 2000 will get hacked to prevent the "registration" that Microsoft wants.
Upgrades will be hell. Which is what I see as the number one reason for not having everything go off the serial number.
>All cars have serial numbers.
This is true. But it's not too hard to have the VIN (Vehicle Identification Number) changed for various reasons. Some car afficianados want their car to be so perfect that if they take an existing car and change the paint color, they'll have a new VIN cut that now identifies the new color, not the old color that it was orginally painted. It can even be changed to reflect a color that wasn't available on that model at the time.
And then again, what use is the VIN anyways? Well, for tracking ownership, via title, which also relates to taxes, such as licensing. But when I fill up with gas, the gas doesn't care what VIN I have. It doesn't care if I've replaced the alternator. The tires don't have anything to do with the VIN. Even things that may very well have a VIN attached to them, such as a car door, can be replaced without repercussion.
That doesn't appear to be this case here
Bryan
I thought Intel was shipping the chips with this
feature defaulted to OFF?
-
.. "Doesn't Barbie come with Ken?" "No, she fakes it with him."
Remember that really nasty virus last year, which could reprogram the flash BIOS on some machines? I'm guessing that the same principle could apply to the ID switch in the BIOS. If a programmer really wants to turn on the ID without the user's permission, there'll probably always be a way.
Weblogging Considered Harmful:
So, you aren't doing anything "wrong" with your computer. Does it bother you that Intel assumes you are? According to David Aucsmith of Intel, "The actual user of the PC -- someone who can do anything they want -- is the enemy." If you choose to do business with a company with such open contempt for its customers, go ahead.
Weblogging Considered Harmful:
wait a minute, If I need my pcSN to buy something off the web, humm that could suck. I mean think about it, User/Password/SN, All this info goes together, If I'm at work and not at home then I can't buy anything off the web at work. This sounds very limiting, and not at all good for e-bizz.
Although I'm sure they'll come up with something to get around it.
*shurg*
______________________________________________
Look ma that just lurker posted!
Pestihl
"What do you do with the mad that you feel when you feel so mad you could bite?" - Mister Rogers
Let's build a startup daemon into the linux kernel that checks for the P3 cpu id: and if it finds it, installs a wedge to always report a CPU id of 666
daemons like 666 don't they?
Oh c'mon. you know whether or not the psn is activated when shipped is meaningless, because most software companies will probably require that it be switched on to install their software. I see this in my crystal ball...
MS Office 200X Setup
------------------------------------
MSOffice requires that your PSN be activated for setup. Do you wish setup to automatically activate it?
[ YES] [ NO]
yes = we got your id, so you can use our program.
no = go buy yourself another program. you dont get jack from us.
BOTTOM LINE = buy an AMD, because even without the psn, p3's performance still suck!! that's my $0.02
maybe privacy isnt a big deal to you, but to a lot of us, it is. if you want to be tracked so easily, why not start logging your daily computer activities and mailing it to intel or microsoft or whomever. but please don't so readily support something that tries to force the rest of us to do so.
If this serial number scheme is still there. Why did the boycott stop? I know I'm not buying one. I'll stick with LinuxPPC.
Alright, suppose now that there is a security risk and that it is a risk to my privacy and I'm paranoid and all that. I don't really know either way, but just hypothetically, assume this. Now since Intel will release some "software program" to disable the serial #, then what do I do if I'm not using windows? Linux runs on x86. BeOS. Many *nix variants. Is Intel going to release a binary that'll run on ANY SINGLE system? There are an awful lot of differant configurations they have to worry about. Even on Linux, there's libc5 systems and glibc2 systems. You see the prob?
This is my thought...
Since there was so much fraud with overclocking CPU's and that Jazz, this is one way to IDENTIFY THE CPU as what it says it is... like the VIN number on your car, it should be able to tell you all the aspects about the chip itself... ie.... Where chip was manufactured, what clock speeds, cache, etc... Maybe programmers would be able to use this number to tweak programs to perform accordingly to what info is determined... I don't know...
-WLP
This is my world and I am...
... i mean whats the big deal with them why is everyone so freaked out.. (i dont know what they will enable/disable/do) someone tell me! :>
he who has the fastest cart always has the best lie.