"Or it could simply be people who have publically stated they automatically mod down any posts that have a subject of "MOD PARENT UP". Not everything is a conspiracy."
Yes quite possibly. I didn't suggest a conspiracy, rather a lot of pro-Microsoft people misusing mod points.
"Is it your belief that we should moderate posts not on the quality of their comments, but on whether or not they are anti-Microsoft enough for you?"
The moderation early on was poor. It showed a very extreme pro-Microsoft bias.
I pointed out a typical example, the top post said "well if X was as popular as MS products then it would suffer the same fate".
It was modded at +3 at the time. The comment I suggested needed modding up pointed out that Apache is 2x more popular than IIS and Oracle is the more popular DB yet doesn't suffer the same problems - therefore that argument is false.
That comment was clear and correct and shot a complete hole through the pro-MS comment. Yet that comment and many similar ones had been pushed down, while the pro-MS ones were modded up. (This was at the time of my post; later, more balanced moderators corrected the early heavy bias.)
My pointing out that 'early bias' was also correct. No reason to mod my comment down, nobody would have modded me up, it just wasted mod points.
It is not whether it's pro-Microsoft or anti-Microsoft. It is whether, as soon as a post on vendor X appears, vendor X's supporters immediately dive in and try to bias the discussion to make vendor X look good. In this case vendor X happened to be Microsoft.
"The parent post you wanted to mod up was moronic."
You state an opinion without a reason. Please attach a reason why you think it was moronic.
"Looks like we have the "Microsoft" moderators here again."
See told you, my comment gets previous modded down, even though pointing out an interesting post is clearly on-topic.
Looks like we have the "Microsoft" moderators here again. Within a couple of minutes, every pro-Microsoft comment, no matter how off-topic or mundane, was modded up and sensible anti-Microsoft comments modded down.
The parent comment makes a valid point, it should be modded up to match the +3 score of its parent.
It's .NYET
As well as the 4 the EFF submitted, I would like to submit:
* The Flumtreble invented in 2007
* The worselhorn invented in 2020
* The Flangtrimble invented in 2066
If we don't get these exempted then they might never be invented because they would be illegal. Thank God the copyright office is giving us this chance to protect future ideas!
Look, I know it's unpopular.
But simply making ISPs charge based on amount of data uploaded would fix this.
i.e. $20/month for 5GB uploaded, $30 for 10GB etc.
If I share a movie it costs me money on my ISP bill, so unless I'm a commercial distributor of movies then it doesn't make sense for me to distribute it, so I don't do it.
Similarly, if US ISPs charge foreign ISPs for data carried into their network, the non-US ISPs would have to pass the charges on as well. So it would have a ripple effect around the world, without the US needing to use 'extrajudicial' tricks.
This is GREAT for NASA (on "SOHO Strikes Back", Score: 2, Insightful)
This UFO claim will put SOHO back in the news again. Without it, SOHO is not newsworthy.
Same with the Moon Landing Hoax claims. There are teenagers who didn't know we even went to the moon. But since the hoax-program, NASA and its moon landing is a topic of TV discussion and NASA is news again.
Don't kid yourself, NASA needs the hoaxer & UFO loonies, because without it, it's just a big expensive agency that the MTV generation doesn't know or care about.
Sure it has to reply to the moon-hoaxers and UFO spotters, but it gives NASA a great chance to show its footage on prime time TV.
From the whitepaper, again there is the confusion between *me* and *my computer*:
------
"Protection of user authentication keys
Given the large number of vulnerabilities in client system, and the trend of hackers to target client machines looking for passwords, it is vital to provide some way to protect sensitive authentication information such as passwords and private keys. TCPA provides exactly this protection.
A user can generate an RSA public/private key pair on the TCPA chip. The private key can be configured never to leave the chip."...
-----
Right, stop right there. If my private key never leaves the chip what use is it to me? It identifies my computer not me. Whoever is at my computer, if they intercepted my login has all *my* private keys and for all purposes *is* me.
I meanwhile can move from computer to computer, but I cannot identify myself, because those private keys are on my home computer and can never move.
"I can sit at any (Windows) computer in my office and log in using my username and password"
That user name and password are what identifies you.
Those are the *you* specific things; any private keys etc. held on an authentication server are irrelevant. If I have your user and password I *am* you as far as the computer is concerned.
In one breath he talks about protecting "HIS" keys and data, but in the next he says it protects data because the key never leaves the machine. I, however, *do* leave my computer and work elsewhere; those protected keys can never be useful for *me*. It is not *my* key it is protecting.
Here's another misdirection, again he is rebutting a valid comment.
-------
The comment he is rebutting:
"You might prefer not to have to worry about viruses, but neither TCPA nor Palladium will fix that: viruses exploit the way software applications (such as Microsoft Office and Outlook) use scripting."
His rebuttal:
While TCPA cannot prevent stupidity in software applications, it definitely can control the resulting damage. In particular, no virus can steal a TCPA protected private key. How can it, if the private key is generated in the chip, stored on the chip, and never leaves the chip?
Again the comment he is rebutting:
" Seen in these terms, TCPA and Palladium do not so much provide security for the user as for the PC vendor, the software supplier, and the content industry. They do not add value for the user, but destroy it."
And his rebuttal of this:
Personally, I find the ability to protect my private keys, and to protect my encrypted data very important and very valuable.
-------
The misdirection here is in the last paragraph. The keys he is talking about are not *your* keys. They are not specific to *you*; you do not carry them around from PC to PC and you do not have access to them. Your keys (things like your passwords and PGP keyring files) can be stolen when they are entered in the computer just as before.
From the rebuttal whitepaper
-----------
"When you boot up your PC, Fritz [the TCPA chip] takes charge. He checks that the boot ROM is as expected, executes it, measures the state of the machine; then checks the first part of the operating system, loads and executes it, checks the state of the machine; and so on."
This is completely false. The TCPA chip doesn't execute anything. It accepts request data, and replies with response data. In the IBM version, TCPA sits on the LPC bus, using I/O mapped registers. The TCPA chip does not and cannot control execution!
-------
This is a misdirection, the original comment was about the TCPA system in its entirety, the response talks only about the chip part of the TCPA.
From the whitepaper:
"Protection of sensitive authentication data, such as passwords will become critical for electronic business to succeed."
Passwords are *user* specific things, not machine specific things. Storing them in a vault on a single machine means they are stored in the wrong place.
This is a lie.
"This guy downloaded over 600 songs in a day"
The RIAA's case wasn't about if he downloaded songs or not, it was whether they have a right without a court order to require Verizon to name him using DMCA powers.
So now all they have to do is make spurious claims of downloaded songs for ISPs to be required to hand over the subscriber info.
And not just the RIAA, this opens the floodgate for every religious crackpot group to unmask critics and harass them.
Maybe he did download 600 songs, maybe he didn't. But don't you think the court should at least verify the claim first?
1. You have a problem
2. Collect stats about it
3. Analyse those stats to identify the problem
4. Some sort of magic goes here to get from problem to solution
5. Apply solution
6. Collect stats again
7. Calculate saving and claim it is a 6Sigma saving
8. Claim that the solution can be applied elsewhere for some vague future saving
The problem is that the saving comes from applying the solution (Step 4) not from the process of Six Sigma.
Step 4 is done by the skilled engineers who know what solution fixes what problem, not the Six Sigma MBA who has no special expertise in the process.
If the fix can't be applied because the guy is collecting statistics in Step 2 then he is causing the company damage by delaying the fix.
His own salary is also a cost and the load he puts on the skilled engineers while trying to 'learn' their skill also costs money.
In order to obtain statistics, you have to know what the possible causes are, so in the real world, they go to the engineer who already knows the problem and contrive a set of stats to collect that prove that solution.
Then there's step 8, claim it will be re-used.
If you look at the examples Six Sigma people give, it's stuff like a leaking air-conditioner pipe.
If you have a leaking air-conditioner pipe, you hire a plumber or buy a book on plumbing, you don't look through Six Sigma projects looking for one that might turn up useful information.
Quite simply the chance of someone re-using this information is negligible, and it's the fix in step 4 that is the thing that would be reused, and that isn't a Six Sigma step.
So no, it's just fluff to keep middle managers employed. That is why every company that uses it continues to increase costs. GE's increased profit came from increased *sales* and economies of scale, not Six Sigma.
"If we can't agree on that, then there's no answer that I can ever give to make you happy"
Yes there is, you can say this:
"Microsoft told us that if we didn't put it in, then we would wake up to find Windows wouldn't run on our BIOS and we would have no market. We won't kid you, it's not in your interests, it serves no useful purpose to you, we had to do it because we had no choice"
There, truth sounds so much nicer, doesn't it? The whole board is full of you and Brian dodging questions and some very iffy moderation doesn't hide that.
"and I decided to do what I could to try and separate fact from fiction.... I can't do anything about the paranoia, but I hear there is a pill for that).
That's nice, but his points were valid, you dodge the questions and continue to do so. Let me pull out the important phrases you dodged:
a) Isn't the goal of "trusted computing" to allow entities other than the owner of the computer to control what the owner does with his/her hardware?
Brian mumbles something about his reading of the TCPA spec and DRM, neither of which were the point of the question. The answer is obvious: "Yes, of course that's the goal. Shut up and eat your BIOS."
b) However, isn't it true that without AMI's trusted BIOS, Palladium wouldn't work?
The reason we keep saying "we're not a part of Palladium" is because Palladium doesn't exist in the marketplace...
This is splitting hairs at best, and another artful dodge. If Palladium were in the marketplace, would AMI be part of it? Of course they would. And right now they're laying the groundwork.
c) In what way does AMI benefit... from introducing a BIOS designed to make the computer it is installed in less useful to the purchaser of the computer?
Here Brian reinforces that you and I are consumers, not customers - mobo manufacturers are customers, and they get the features they want. This is the way the market works, and I've got no special beef with it, but it's a bit of a wake-up call for those who still believe companies like AMI give a rat's ass about the average geek buying a motherboard.
"Question: does the knife on your kitchen counter jump up and cut you on its own?"
No, you handed control of *my* knife to the RIAA & MPAA & Microsoft.
You must be able to see the vector here. The outside world will be able to dictate all aspects of my machine or refuse to inter-operate with it.
Normally I would simply reverse engineer the blockage and a new Linux with a patch would arrive to bypass just that blockage. However under the new scheme this new version would not get a certificate so it would not work.
My machine can't live in a vacuum, so I have to agree to the conditions. Your BIOS enforces this rule.
Saying you are only a tiny brick in the prison wall doesn't make it less of a prison.
"So you can turn Off tcpa , then the OS could turn it back on 'for' you."
More likely, you will find that unless you turn it on, your machine will interoperate less and less with other machines. So you will turn it on because the alternative is to live as a hermit in the hills.
My comment:
"The answer to this is yes, if you can't pay the fees, you don't get the certificate, so you're not trusted."
Your reply:
"Obviously MS could use TCPA with Palladium in such a way that it would lock out anyone...TPM is just a tool, like a hammer. If I kill someone with a hammer, does the blame go to the hammer? No, the blame goes to me, the one who decided to use the hammer that way."
A trusted machine is one that conforms to a certification process. You don't define the certification, the remote service requires it of you. So using your metaphor, the hammer that kills someone is not in your control, you just swing it as per instructions.
I wrote: "If they wrote it without TPM then it would be hacked, so TPM is pretty much a pre-requisite. So what he said is true, but yet not true."
You replied:
"If they wrote it with TPM it could still be hacked. TPM is just a piece of hardware that is optimized for crypto, it doesn't do anything that can't already be done (albeit a lot slower) in software."
I can change software, those tiny silicon transistors are a damn sight harder. But yes I agree they could do the useful stuff in software - there is no need for this stuff.
I wrote:
"Sure, if you remove anything the thought police object to."
You wrote:
"There are people who can help you with these paranoid delusions you seem to be suffering."
Please read the bills before Congress, particularly the "DRM in all devices" bill. To be paranoid I have to *suspect* something that is not true, not *read* something that is true.
Sure he didn't waffle here, but let me spell out what he didn't say.
First your quoted section:
"Yes. The ability to use the TPM functionality is available to all developers of software. An open source project could determine to use TPM functionally today"
To be trusted it has to have a certificate accepted by the remote party who will send the media. Those certificates carry a set of conditions which must be met to obtain the certificate. Open source can therefore only support this if they agree to those conditions.
Now suppose the remote RIAA site requires a certificate that says "this machine must be unable to rip CDs into MP3 format".
Now you see the problem. You can sure make a crippled version of Linux without anything objectionable like stream ripping and cd->mp3. But why would you?
"The opposite is also true, if they wrote it with TPM then it can still be hacked."
I agree, it will still be hacked, but the idea behind this 'trusted' solution is that the machine on the end is verifiable and 'trusted' as being unhackable.
So a hacked DRM system on a non-trusted machine has no purpose because the machine (and hence the object files) couldn't be verified as unhacked and so would be denied the content anyway.
Do you see my point?
This was the question asked by the original man:
"Is it (will it be) possible to use TCPA to effectively lock-out certain operating environments from various services (software, media, etc) solely because the operating environment is not backed by a company, and has no mechanism for paying certification fees and licenses"
This was my answer:
"The answer to this is yes, if you can't pay the fees, you don't get the certificate, so you're not trusted."
This was your answer to my comment:
"...That means users should be able to self sign certificates just like with OpenSSL, and Redhat or FSF could issue their own certificates if they wanted to use TCPA features....but that just means you can't play RIAA-approved content you downloaded from a future Pressplay-type online service"
So you're confirming my comment? That he's locked out from TCPA content, his exact question. The PR man dodged the question. If you self sign, you have a machine that won't interoperate with any other machine that uses TCPA services.
"Is it (will it be) possible to use TCPA to effectively lock-out certain operating environments from various services (software, media, etc) solely because the operating environment is not backed by a company, and has no mechanism for paying certification fees and licenses"
The answer to this is yes, if you can't pay the fees, you don't get the certificate, so you're not trusted. However he waffled on with the "bore them to death with irrelevant crap" answer:
"Let me start out by reminding the audience I am not a security expert...."
"While somebody could write a DRM application using the TPM, they could also write one without it. "
If they wrote it without TPM then it would be hacked, so TPM is pretty much a pre-requisite. So what he said is true, but yet not true.
"18. Does the TCPA support open source systems? Yes. The ability to use the TPM functionality is available to all developers of software"
Sure, if you remove anything the thought police object to.
**************
What did you expect, you asked a PR man questions and you get back deflections, half truths, political waffle.
About the only thing he said that rung true was this:
"c) Financial Benefit: Yes, there is a financial benefit to supporting a technology that our customers ask for... they continue to be our customers. "
"Or it could simply be people who have publically stated they automatically mod down any posts that have a subject of "MOD PARENT UP". Not everything is a conspiracy."
Yes quite possibly. I didn't suggest a conspiracy, rather a lot of pro-Microsoft people misusing mod points.
"Is it your belief that we should moderate posts not on the quality of their comments, but on whether or not they are anti-Microsoft enough for you?"
The moderation early on was poor. It showed a very extreme pro-Microsoft bias.
I pointed out a typical example, the top post said "well if X was as popular as MS products then it would suffer the same fate".
It was modded at +3 at the time.
The comment I suggested needed modding up pointed out that Apache is 2x more popular than IIS and Oracle is the more popular DB yet doesn't suffer the same problems - therefore that argument is false.
That comment was clear and correct and shot a complete hole through the pro-MS comment.
Yet that comment and many similar ones had been pushed down, while the pro-MS ones were modded up.
(This was at the time of my post, later more balanced moderators correct the early heavy bias).
My pointing out that 'early bias' was also correct. No reason to mod my comment down, nobody would have modded me up, it just wasted mod points.
It is not whether its pro-Microsoft or anti-Microsoft. It whether as soon as a post on vendor X appears, whether vendor-X's supporters immediately dive in and try to bias the discussing to make vendor X look good. In this case Vendor X happened to be Microsoft.
"The parent post you wanted to mod up was moronic."
You state an opinion without a reason. Please attach a reason why you think it was moronic.
"Looks like we have the "Microsoft" moderators here again."
See told you, my comment gets previous modded down, even though pointing out an interesting post is clearly on-topic.
Looks like we have the "Microsoft" moderators here again. Within a couple of minutes, every pro-Microsoft comment, no matter how off topic or mundane was modded up and sensible anti-Microsoft comments modded down.
The parent comment makes a valid point, it should be modded up to match the +3 score of its parent.
Its .NYET
As well as the 4 the EFF submitted, I would like to submit:
* The Flumtreble invented in 2007
* The worselhorn invented in 2020
* The Flangtrimble invented in 2066
If we don't get these exempted then they might never be invented because they would be illegal.
Thank God the copyright office is giving us this chance to protect future ideas!
Look I know its unpopular.
But simply making ISPs charge based on amount of data uploaded would fix this.
i.e. $20/month for 5BG uploaded, $30 for $10GB etc.
If I share a movie it costs me money on my ISP bill, so unless I'm a commercial distributor of movies then it doesn't make sense for me to distribute it, so I don't do it.
Similarly, If US ISPs charge foreign ISPs for data carried into their network. The non-US ISPs would have to pass the charges on aswell.
So it would have a ripple effect around the world. Without the US needing to use 'extrajudicial' tricks.
This UFO claim will put SOHO back in the news again. Without it, SOHO is not news worthy.
Same with the Moon Landing Hoax claims. There are teenagers who didn't know we even went to the moon. But since the hoax-program, NASA and its moon landing is a topic of TV discussion and NASA is news again.
Don't kid yourself NASA needs the hoaxer & UFO loonies, because without it, its just a big expensive agency that MTV generation doesn't know or care about.
Sure it has to reply to the moon-hoaxers and UFO spotters, but it gives NASA a great chance to show its footage on prime time TV.
From the whitepaper, again there is the confusion between *me* and *my computer*:
------
"Protection of user authentication keys
Given the large number of vulnerabilities in client system, and the trend of hackers to
target client machines looking for passwords, it is vital to provide some way to protect
sensitive authentication information such as passwords and private keys. TCPA provides
exactly this protection.
A user can generate an RSA public/private key pair on the TCPA chip. The private key
can be configured never to leave the chip."...
-----
Right, stop right there. If my private key never leaves the chip what use is it to me? It identifies my computer not me.
Whoever is at my computer, if they intercepted my login has all *my* private keys and for all purposes *is* me.
I meanwhile can move from computer to computer, but I cannot identify myself, because those private keys are on my home computer and can never move.
"I can sit at any (Windows) computer in my office and log in using my username and password"
That user name and password are what identifies you.
Those the the *you* specific things, any privates keys etc held on an authentification server are irrelevent. If I have your user and password I *am* you as far as the computer is concerned.
In one breath he talks about protecting "HIS" keys and data, but in the next he says it protects data because the key never leaves the machine.
I, however, *do* leave my computer and work elsewhere, those protected keys can never be useful for *me*. It is not *my* key it is protecting.
Here's another misdirection, again he is rebutting a valid comment.
-------
The comment he is rebutting:
"You might prefer not to have to worry about viruses, but neither TCPA nor
Palladium will fix that: viruses exploit the way software applications (such as
Microsoft Office and Outlook) use scripting."
His rebuttal:
While TCPA cannot prevent stupidity
in software applications, it definitely can control the resulting damage. In particular,
no virus can steal a TCPA protected private key.
How can it, if the private key is
generated in the chip, stored on the chip, and never leaves the chip?
Again the comment he is rebutting:
" Seen in these terms, TCPA and Palladium do not so much provide security for the
user as for the PC vendor, the software supplier, and the content industry. They do
not add value for the user, but destroy it."
And his rebuttal of this:
Personally, I find the ability to protect my
private keys, and to protect my encrypted data very important and very valuable.
-------
The misdirection here is in the last paragraph. The keys he is talking about are not *your* keys. They are not specific to *you* you do not carry them around from PC to PC and you do not have access to them.
Your keys (things like your passwords and PGP keyring files) can be stolen when they are entered in the computer just as before.
From the rebuttal whitepaper
-----------
"When you boot up your PC, Fritz [the TCPA chip] takes charge. He checks that the
boot ROM is as expected, executes it, measures the state of the machine; then checks
the first part of the operating system, loads and executes it, checks the state of the
machine; and so on."
This is completely false. The TCPA chip doesn't execute anything. It accepts request data, and replies with response data. In the IBM version,
TCPA sits on the LPC bus, using I/O mapped registers. The TCPA chip does not and
cannot control execution!
-------
This is a misdirection, the original comment was about the TCPA system in its entirity, the response talks only about the chip part of the TCPA.
From the whitepaper:
"Protection of sensitive authentication data, such as passwords will become critical for
electronic business to succeed."
Passwords are *user* specific things, not machine specific things.
Storing them in a vault on a single machine means they are stored in the wrong place.
This is a lie.
"This guy downloaded over 600 songs in a day"
The RIAA's case wasn't about if he downloaded songs or not, it was whether they have a right without a court order to require Verizon to name him using DMCA powers.
So now all they have to do is make spurious claims of downloaded songs for ISPs to be required to hand over the subscriber info.
And not just the RIAA, this open the flood gate for every religious crack pot group to unmask critics and harrass them.
Maybe he did download 600 songs, maybe he didn't. But don't you think the court should at least verify the claim first?
1. You have a problem
2. Collect stats about it
3. Analyse those stats to identify the problem
4. Some sort of magic goes here to get from problem to solution
5. Apply solution
6. Collect stats again
7. Calculate saving and claim is a 6Sigma saving
8. Claim that the solution can be applied elsewhere for some vague future saving
The problem is that the saving comes from applying the solution (Step4) not from the process of Six Sigma.
Step 4 is done by the skilled engineers who know what solution fixes what problem, not the Six Sigma MBA who has no special expertise in the process.
If the fix can't be applied because the guy is collecting statistics in Step 2) then he is causing the company damage by delaying the fix.
His own salary is also a cost and the load he puts on the skilled engineers while trying to 'learn' their skill also costs money.
In order to obtain statistics, you have to know what the possible causes are, so in the real world, they go to the engineer who already knows the problem and contrive a set of stats to collect that prove that solution.
Then there's step 8, claim it will be re-used.
If you look at the examples Six Sigma people give, its stuff like a leaking airconditioner pipe.
If you have a leaking air-condition pipe, you hire a plumber or buy a book on plumbing, you don't look through Six Sigma projects looking for one that might turn up useful information.
Quite simply the chances of someone re-using this information is negliable and its the fix in step 4 is the thing that would be reused and that isn't a Six Sigma step.
So no, it just fluff to keep middle managers employed. That is why every company that uses it continue to increase costs. GE increased profit came from increase *sales* and economies of scale, not Six Sigma.
"If we can't agree on that, then there's no answer that I can ever give to make you happy"
Yes there is, you can say this:
"Microsoft told us that if we didn't put it in, then we would wake up to find Windows wouldn't run on our BIOS and we would have no market. We won't kid you, its not in your interests, its serves no useful purpose to you, we had to do it because we had no choice"
There, truth sounds so much nicer doesn't it. The whole board is full of you and Brian dodging questions and some very iffy moderation doesn't hide that.
"and I decided to do what I could to try and separate fact from fiction .... I can't do anything about the paranoia, but I hear there is a pill for that).
... from introducing a BIOS designed to make the computer it is installed in less useful to the purchaser of the computer?
Thats nice, but his points were valid, you dodge the questions and continue to do so. Let me pull out the important phrases you dodged:
a) Isn't the goal of "trusted computing" to allow entities other than the owner of the computer to control what the owner does with his/her hardware?
Brian mumbles something about his reading of the TCPA spec and DRM, neither of which were the point of the question. The answer is obvious: "Yes, of course that's the goal. Shut up and eat your BIOS."
b) However, isn't it true that without AMI's trusted BIOS, Palladium wouldn't work?
The reason we keep saying "we're not a part of Palladium" is because Palladium doesn't exist in the marketplace...
This is splitting hairs at best, and another artful dodge. If Palladium were in the marketplace, would AMI be part of it? Of course they would. And right now they're laying the groundwork.
c) In what way does AMI benefit
Here Brian reinforces that you and I are consumers, not customers - mobo manufacturers are customers, and they get the features they want. This is the way the market works, and I've got no special beef with it, but it's a bit of a wake-up call for those who still believe companies like AMI give a rat's ass about the average geek buying a motherboard.
"Question: does the knife on your kitchen counter jump up and cut you on its own? "
No, you handed control of *my* knife to the RIAA & MPAA & Microsoft.
You must be able to see the vector here. The outside world will be able to dictate all aspects of my machine or refuse to inter-operate with it.
Normally I would simply reverse engineer the blockage and a new Linux with a patch would arrive to bypass just that blockage.
However under the new scheme this new version would not get a certificate so it would not work.
My machine can't live in a vacuum, so I have to agree to the conditions.
Your BIOS enforces this rule.
Saying you are only a tiny brick in the prison wall doesn't make it less of a prison.
"So you can turn Off tcpa , then the OS could turn it back on 'for' you."
More likely, you will find that unless you turn it on, your machine will interoperate less and less with other machines.
So you will turn it on because you the alternative is to live as a hermit in the hills.
My comment:
...TPM is just a tool, like a hammer. If I kill someone with a hammer, does the blame go to the hammer? No, the blame goes to me, the one who decided to use the hammer that way."
"The answer to this is yes, if you can't pay the fees, you don't get the certificate, so you're not trusted."
Your reply:
"Obviously MS could use TCPA with Palladium in such a way that it would lock out anyone
A trusted machine is one that conforms to a certification process. You don't define the certification, the remote service requires it of you. So using your metaphor, the hammer that kills someone is not in your control, you just swing it as per instructions.
I wrote:
"If they wrote it without TPM then it would be hacked, so TPM is pretty much a pre-requisite.
So what he said is true, but yet not true."
Your replied:
"If they wrote it with TPM it could still be hacked. TPM is just a peice of hardware that is optomized for crypto, it doesn't do anything that can't already be done (albeit a lot slower) in software."
I can change software, those tiny silicon transitors are a damn site harder. But yes I agree they could do the useful stuff in software - there is no need for this stuff.
I wrote:
"Sure, if you remove anything the thought police object to."
You wrote:
"There are people who can help you with these paranoid delusions you seem to be suffering."
Please read the bills before Congress, particularly the "DRM in all devices" bill. To be paranoid I have to *suspect* something that is not true, not *read* something that is true.
Sure he didn't waffle here, but let me spell out what he didn't say.
First your quoted section:
"Yes. The ability to use the TPM functionality is available to all developers of software. An open source project could determine to use TPM functionally today"
To be trusted it has to have a certificate accepted by the remote party who will send the media. Those certificates carry a set of conditions which must be met to obtain the certificate. Open source can therefore only support this if they agree to those conditions.
Now suppose the remote RIAA site requires a certificate that says "this machine must be unable to rip CDs into MP3 format".
Now you see the problem. You can sure make a crippled version of Linux without anything objectionable like stream ripping and cd->mp3. But why would you?
"The opposite is also true, if they wrote it with TPM then it can still be hacked."
I agree, it will still be hacked, but the idea behind this 'trusted' solution is that the machine on the end is verifiable and 'trusted' as being unhackable.
So a hacked DRM system on a non-trusted machine has no purpose because the machine (and hence the object files) couldn't be verified as unhacked and so would be denied the content anyway.
Do you see my point?
This was the question asked by the original man:
"Is it (will it be) possible to use TCPA to effectively lock-out certain operating environments from various services (software, media, etc) solely because the operating environment is not backed by a company, and has no mechanism for paying certification fees and licenses"
This was my answer:
"The answer to this is yes, if you can't pay the fees, you don't get the certificate, so you're not trusted."
This was your answer to my comment:
"...That means users should be able to self sign certificates just like with OpenSSL, and Redhat or FSF could issue their own certificates if they wanted to use TCPA features....but that just means you can't play RIAA-approved content you downloaded from a future Pressplay-type online service"
So you're confirming my comment? That he's locked out from TCPA content, his exact question. The PR man dodged the question. If you self sign, you have a machine that won't interoperate with any other machine that uses TCPA services.
How about they use it in a positive way?
Instead of sharing a corrupted Britney song, why don't they take a song by an unknown artist that person might like, and tack on an advert on the end.
Sure Britney might not like the competition, but it's a good way of promoting acts.
"Is it (will it be) possible to use TCPA to effectively lock-out certain operating environments from various services (software, media, etc) solely because the operating environment is not backed by a company, and has no mechanism for paying certification fees and licenses"
... they continue to be our customers. "
The answer to this is yes, if you can't pay the fees, you don't get the certificate, so you're not trusted. However he waffled on with the "bore them to death with irrelevant crap" answer:
"Let me start out by reminding the audience I am not a security expert...."
"While somebody could write a DRM application using the TPM, they could also write one without it."
If they wrote it without TPM then it would be hacked, so TPM is pretty much a pre-requisite.
So what he said is true, but yet not true.
"18. Does the TCPA support open source systems?
Yes. The ability to use the TPM functionality is available to all developers of software"
Sure, if you remove anything the thought police object to.
**************
What did you expect, you asked a PR man questions and you get back deflections, half truths, political waffle.
About the only thing he said that rang true was this:
"c) Financial Benefit: Yes, there is a financial benefit to supporting a technology that our customers ask for