I would argue that in a corporate situation, the user is not the owner, and doesn't get the keys, anyway. The corporation is the owner and has the keys, and permits the user to use the system.
Of course that simply shifts the "user leaving the organization" problem from the user of the laptop to the person in charge of the keys. Theoretically, the person in charge of the keys doesn't really have them sitting in a file, but is authorized to run a "key extraction process." Of course the "key extraction process" would need to have controls to keep that person from simply extracting all of the keys, and then quitting. (even extracting all of the keys over a matter of months)
I don't deny that a bit. I simply wonder if they've taken this particular marketing model a bit too far out onto a limb. We're now about to the point where sometimes it seems that the only things a new GPU is good for in its first 6 months of release are market noise and benchmarking. If you want to use it for anything other than those initial availabilities, you generally "wait for the drivers to mature." Imagine instead taking those 6 months for another silicon rev, and get the thing fixed to where you aren't ashamed to document it. Once you're not fixing "haste-bugs" with drivers, I'll bet they'd would stabilize a heck of a lot quicker. The effective time to market might even improve, though the benchmarket noise wouldn't
I wonder how much of the vaunted complexity of GPU drivers is really graphical, and how much of the truly thorny stuff is working around chip bugs.
It's a bit of the same argument posed for open vs closed source software. If you know your source code is going to be seen by everyone, you may be less likely to leave stupid crap in there, and put a bit more effort into keeping it clean an nice. Some might say that "clean and nice" has no value, but I've seen people argue, Linux among them, that code that looks bad often turns out to be, and he frequently flags bad-looking code, anticipating that the flag may help direct future bug-hunts.
GPUs never got the same religion, like CPUs. It's possible that in the long run, if they documented their hardware like CPUs did, and did the "clean and nice" thing, that their costs would actually drop with reduced spins, quality improvement, etc.
I've worked in memory design, and you gotta meet the spec, and you can't go to the memory market with errata.
I don't doubt the complexity of graphics drivers. But I'd guess that many people thing their job is just soooo complex, and no doubt many of them say that with considerable merit.
One interpretation of what you've just said is that graphics chips have a goodly share of bugs, the workarounds are in the drivers, and they're sufficiently embarrassed about it that they keep it all secret.
I was under the impression that the radeon driver that covered up through R200 was done under contract, and it was paid for by the weather service, IIRC. With that in mind, I suspect that there was some involvement from ATI, though I have no idea how much. From what I know, the R300 effort is entirely reverse-engineered.
I run the Radeon drive on the ATI 7500 Mobile on my laptop, and am reasonably happy with it. Only thing I miss is getting accelerated video out through the svideo port, but Windows doesn't do that, either. (Linux will do it, but with "issues".)
I'm not saying TPM can't be hacked, I'm just saying that it may well to be orders of magnitude more difficult than those things that have been hacked so far, simply because at least SOME of the people involved have a clue about what they're doing. The same can't be said about DRM, touch-screen voting, and now we'll have to add satellite TV to that list.
There's a necessary mindset to proper encryption, and if profit is tops on the list, you ain't got it. (I was going to put something about paranoia in there, but realized that that counters my point.)
It's merely a matter of making it hard enough to stop most attacks. By the time you're sniffing on-chip signals with RF, you're way past "most". By the way, on really good secure chips there's a heck of a lot more to the package than "a little bit of plastic." Some "secure chip" packages are designed to keep the chip from being de-packaged, or to at least guarantee that the chip will be "correctly" damaged in the de-packaging process.
I don't doubt that with a complete lab and some really good hackers, a even well-designed TPM setup can eventually be compromised.
But I'd also assert that a well-designed TPM setup is WAY beyond the resources of DVD John, the AACS crackers, and maybe even the distributed.net efforts.
By the way, by that last token, all security is by obscurity, because you're always hiding the key, and ultimately that's a key part of what the TPM does.
A few quick searches on TPM can strip away most of the arrogance on both sides, the "anything will fall" side as well as the "unbreakable" side. I can't substantiate it here and now, but I suspect that TPM can be good enough to defeat any software-only attack, and would really require significant hardware resources to compromise.
But the key point in here is a general lack of confidence in the ??AA's ability to do good encryption/DRM. At the moment, they just don't have the mindset for it.
The TPM chip alone doesn't really do spit. It needs to be combined with a TPM-aware BIOS, so that "trust" is established prior to any possible running of "external" software, including virtualization. I suppose even this doesn't save you if you replace the BIOS chip. Before you say "reflash" I would suggest that the BIOS/TPM link would have been engaged prior to being able to flash, giving the opportunity for either integrity checks or retaining an un-flashable TPM area.
I suspect getting past a software-only attack is the highest priority, and with a TPM chip and TPM-aware BIOS you can have that.
What it really comes down to is some sort of "TPM ownership utility" that people can run on their new computers. The utility evaluates whether I control my TPM, or someone else. But here comes the important part...
People need to be educated that they need to control their TPM, and if they don't they should return the PC for refund because "it's broken." This can be intuitive, that "It's mine and I should be able to control it," and "If it's not mine because I can't control it, something is wrong with it."
So the biggest need right now in the DRM fight is a "TPM evaluation utility," and a public relations campaign.
Actually, there's nothing at all wrong with using obscurity as part of your toolkit for security, as long as the rest of your toolkit is good. Security through obscurity gets a bad name in cryptography, because cryptography is HARD, because it takes some heavy-duty analysis and expert review to get it right, and primarily because the people who try to practice don't really know squat about what they're trying to do, and do it badly.
Now imagine a well-designed safe (or cryptographic algorithm) where you've kept all of the details secret, and let someone try and crack it. Simply knowing the design (or algorithm) gives you the starting point for the attacks.
The whole issue is "well-designed," and how well that can really be done without expert peer review. But assuming you could really hit that target, the less revealed the safer you are.
I wouldn't be quite so optimistic. The difference is that at least some of the people involved in crafting TPM know something about security, as opposed to the people doing DRM and touch-screen voting machines. There has been quite a bit of art and work involved in developing tamper-resistant chips, and at least some of the TPM implementations use this art.
Of course the devil is in the details. It's fully possible to build an insecure system around a secure TPM chip, and no doubt that's going to be done, too.
Then again, TPM isn't bad, on it's own. It really depends on who owns the TPM. As long as I own it, it just might be good. The moment someone else owns it, then I merely pretend to own my system that has it, and that's bad. Some time ago, I picked the (M) stuff for the kernel build on my Thinkpad, and have been building them ever since. I've never used them yet, but if SOMEBODY is going to be controlling that chip, I want it to be ME.
Wouldn't surprise me if Samba is one of the highest rated targets for Microsoft to attempt to gain licensing fees from. If Microsoft can claim to have patents covering Samba, and get people to pay license fees on it, that's a big chunk of the battle.
Begs the question - which makes more profit for Microsoft: * Sales of a Microsoft server product, which includes costs for development, support, etc, as well as visibility and responsibility for security flaws. * License fees for Samba, which costs them nothing whatsoever, except perhaps lost sales of their own product.
While you're busy getting power from your kittens, and worrying about the litter box...
Here in Vermont we have several farms getting milk from their cows, and generating power from their "litter box." Fun thing is, once the manure comes out of the litter box after having done the methane thing, it's even *better* for fertilizing fields than the "untreated" variety.
If not shot down, how about a variation. You're big enough to make the whole thing a tether. At that point, you could put solar cells on the top side, and you'd have power to induce current in the coil. Also at that point, you'd begin reacting against the Earth's magnetic field, and propelling yourself. (See David Brin's "Tank Farm Dyname" short story.)
It's the old "Space is BIG!" problem. But the nearly meaningful adder to the aerogel idea would be to station some blocks of it ahead of and behind valuable things, notably the ISS. (If you stationed any around the HST, you'd also want to be able to move it when you wanted to look in that direction. Even this idea still has trouble with the "Space is BIG!" problem, but at least you're trying to protect a smaller space. Obviously it would be necessary to form the aerogel on-orbit, presuming that's possible.
I've sometimes mused about a big hunk of aerogel in orbit. I suspect that you don't really need to catch or stop things, just slow them down. If these pieces of junk could just be persuaded to drop perigee down into the 100 mile range, then atmospheric decay would help out.
Wouldn't be a problem, except that in this case, we're talking about a taxi or bus, and there are no commercial taxi or bus operators, yet. For that matter, as far as I know, there are no to-your-doorstep truckers either, except for Russia's Progress. (US truckers are to-orbit, not to-rendezvous/dock.)
Slashdot Mirror
I would argue that in a corporate situation, the user is not the owner, and doesn't get the keys, anyway. The corporation is the owner and has the keys, and permits the user to use the system.
Of course that simply shifts the "user leaving the organization" problem from the user of the laptop to the person in charge of the keys. Theoretically, the person in charge of the keys doesn't really have them sitting in a file, but is authorized to run a "key extraction process." Of course the "key extraction process" would need to have controls to keep that person from simply extracting all of the keys, and then quitting. (even extracting all of the keys over a matter of months)
He should have used beer instead of water, and set up a recirculating pump so it wouldn't go to waste.
There's some sort of "drink and drive" joke hiding in there, but I'm missing it at the moment.
I don't deny that a bit. I simply wonder if they've taken this particular marketing model a bit too far out onto a limb. We're now about to the point where sometimes it seems that the only things a new GPU is good for in its first 6 months of release are market noise and benchmarking. If you want to use it for anything other than those initial availabilities, you generally "wait for the drivers to mature." Imagine instead taking those 6 months for another silicon rev, and get the thing fixed to where you aren't ashamed to document it. Once you're not fixing "haste-bugs" with drivers, I'll bet they'd would stabilize a heck of a lot quicker. The effective time to market might even improve, though the benchmarket noise wouldn't
I wonder how much of the vaunted complexity of GPU drivers is really graphical, and how much of the truly thorny stuff is working around chip bugs.
Perhaps there's a "marketing opportunity" here, though "almost barely good enough" seems to be a determined enemy.
My point precisely, thanks.
It's a bit of the same argument posed for open vs closed source software. If you know your source code is going to be seen by everyone, you may be less likely to leave stupid crap in there, and put a bit more effort into keeping it clean an nice. Some might say that "clean and nice" has no value, but I've seen people argue, Linux among them, that code that looks bad often turns out to be, and he frequently flags bad-looking code, anticipating that the flag may help direct future bug-hunts.
GPUs never got the same religion, like CPUs. It's possible that in the long run, if they documented their hardware like CPUs did, and did the "clean and nice" thing, that their costs would actually drop with reduced spins, quality improvement, etc.
I've worked in memory design, and you gotta meet the spec, and you can't go to the memory market with errata.
I don't doubt the complexity of graphics drivers. But I'd guess that many people thing their job is just soooo complex, and no doubt many of them say that with considerable merit.
One interpretation of what you've just said is that graphics chips have a goodly share of bugs, the workarounds are in the drivers, and they're sufficiently embarrassed about it that they keep it all secret.
Imagine if CPU makers worked the same way.
No, at the moment you can't buy a *card* from them, though I understand that that might be changing.
At the moment, you can buy a motherboard with integrated graphics from Intel.
If/when Intel comes up with standalone cards with Open Source drivers, I'll take a serious look.
I was under the impression that the radeon driver that covered up through R200 was done under contract, and it was paid for by the weather service, IIRC. With that in mind, I suspect that there was some involvement from ATI, though I have no idea how much. From what I know, the R300 effort is entirely reverse-engineered.
I run the Radeon drive on the ATI 7500 Mobile on my laptop, and am reasonably happy with it. Only thing I miss is getting accelerated video out through the svideo port, but Windows doesn't do that, either. (Linux will do it, but with "issues".)
I'm not saying TPM can't be hacked, I'm just saying that it may well to be orders of magnitude more difficult than those things that have been hacked so far, simply because at least SOME of the people involved have a clue about what they're doing. The same can't be said about DRM, touch-screen voting, and now we'll have to add satellite TV to that list.
There's a necessary mindset to proper encryption, and if profit is tops on the list, you ain't got it. (I was going to put something about paranoia in there, but realized that that counters my point.)
What if I own/control the TPM, and use it to make sure that no code runs on my box that *I* don't approve?
What if the TPM blocks the Sony rootkit, for instance?
However I agree that the most likely use is for Evil.
It's merely a matter of making it hard enough to stop most attacks. By the time you're sniffing on-chip signals with RF, you're way past "most". By the way, on really good secure chips there's a heck of a lot more to the package than "a little bit of plastic." Some "secure chip" packages are designed to keep the chip from being de-packaged, or to at least guarantee that the chip will be "correctly" damaged in the de-packaging process.
I don't doubt that with a complete lab and some really good hackers, a even well-designed TPM setup can eventually be compromised.
But I'd also assert that a well-designed TPM setup is WAY beyond the resources of DVD John, the AACS crackers, and maybe even the distributed.net efforts.
By the way, by that last token, all security is by obscurity, because you're always hiding the key, and ultimately that's a key part of what the TPM does.
A few quick searches on TPM can strip away most of the arrogance on both sides, the "anything will fall" side as well as the "unbreakable" side. I can't substantiate it here and now, but I suspect that TPM can be good enough to defeat any software-only attack, and would really require significant hardware resources to compromise.
But the key point in here is a general lack of confidence in the ??AA's ability to do good encryption/DRM. At the moment, they just don't have the mindset for it.
The TPM chip alone doesn't really do spit. It needs to be combined with a TPM-aware BIOS, so that "trust" is established prior to any possible running of "external" software, including virtualization. I suppose even this doesn't save you if you replace the BIOS chip. Before you say "reflash" I would suggest that the BIOS/TPM link would have been engaged prior to being able to flash, giving the opportunity for either integrity checks or retaining an un-flashable TPM area.
I suspect getting past a software-only attack is the highest priority, and with a TPM chip and TPM-aware BIOS you can have that.
What it really comes down to is some sort of "TPM ownership utility" that people can run on their new computers. The utility evaluates whether I control my TPM, or someone else. But here comes the important part...
People need to be educated that they need to control their TPM, and if they don't they should return the PC for refund because "it's broken." This can be intuitive, that "It's mine and I should be able to control it," and "If it's not mine because I can't control it, something is wrong with it."
So the biggest need right now in the DRM fight is a "TPM evaluation utility," and a public relations campaign.
Maybe AACS isn't broken, but once new HD/BR DVDs with the player key revoked come out, that player is certainly broken.
Actually, there's nothing at all wrong with using obscurity as part of your toolkit for security, as long as the rest of your toolkit is good. Security through obscurity gets a bad name in cryptography, because cryptography is HARD, because it takes some heavy-duty analysis and expert review to get it right, and primarily because the people who try to practice don't really know squat about what they're trying to do, and do it badly.
Now imagine a well-designed safe (or cryptographic algorithm) where you've kept all of the details secret, and let someone try and crack it. Simply knowing the design (or algorithm) gives you the starting point for the attacks.
The whole issue is "well-designed," and how well that can really be done without expert peer review. But assuming you could really hit that target, the less revealed the safer you are.
You know, you've got something here!
If nobody can read the DVD anyway, we could really cut down on production costs. "dd if=/dev/urandom of=/dev/dvdrw bs=1M count=4700"
I wouldn't be quite so optimistic. The difference is that at least some of the people involved in crafting TPM know something about security, as opposed to the people doing DRM and touch-screen voting machines. There has been quite a bit of art and work involved in developing tamper-resistant chips, and at least some of the TPM implementations use this art.
Of course the devil is in the details. It's fully possible to build an insecure system around a secure TPM chip, and no doubt that's going to be done, too.
Then again, TPM isn't bad, on it's own. It really depends on who owns the TPM. As long as I own it, it just might be good. The moment someone else owns it, then I merely pretend to own my system that has it, and that's bad. Some time ago, I picked the (M) stuff for the kernel build on my Thinkpad, and have been building them ever since. I've never used them yet, but if SOMEBODY is going to be controlling that chip, I want it to be ME.
I once saw the comment,
"What's so Open about The Open Group?"
Answer: Your wallet.
Wouldn't surprise me if Samba is one of the highest rated targets for Microsoft to attempt to gain licensing fees from. If Microsoft can claim to have patents covering Samba, and get people to pay license fees on it, that's a big chunk of the battle.
Begs the question - which makes more profit for Microsoft:
* Sales of a Microsoft server product, which includes costs for development, support, etc, as well as visibility and responsibility for security flaws.
* License fees for Samba, which costs them nothing whatsoever, except perhaps lost sales of their own product.
Even worse for me, I've pretty much forgotten the whole thing, though I remember that I saw it.
While you're busy getting power from your kittens, and worrying about the litter box...
Here in Vermont we have several farms getting milk from their cows, and generating power from their "litter box." Fun thing is, once the manure comes out of the litter box after having done the methane thing, it's even *better* for fertilizing fields than the "untreated" variety.
If not shot down, how about a variation. You're big enough to make the whole thing a tether. At that point, you could put solar cells on the top side, and you'd have power to induce current in the coil. Also at that point, you'd begin reacting against the Earth's magnetic field, and propelling yourself. (See David Brin's "Tank Farm Dyname" short story.)
It's the old "Space is BIG!" problem. But the nearly meaningful adder to the aerogel idea would be to station some blocks of it ahead of and behind valuable things, notably the ISS. (If you stationed any around the HST, you'd also want to be able to move it when you wanted to look in that direction. Even this idea still has trouble with the "Space is BIG!" problem, but at least you're trying to protect a smaller space. Obviously it would be necessary to form the aerogel on-orbit, presuming that's possible.
I've sometimes mused about a big hunk of aerogel in orbit. I suspect that you don't really need to catch or stop things, just slow them down. If these pieces of junk could just be persuaded to drop perigee down into the 100 mile range, then atmospheric decay would help out.
Wouldn't be a problem, except that in this case, we're talking about a taxi or bus, and there are no commercial taxi or bus operators, yet. For that matter, as far as I know, there are no to-your-doorstep truckers either, except for Russia's Progress. (US truckers are to-orbit, not to-rendezvous/dock.)