Just out of curiosity, can you give some examples of the type of problems given? I looked around the TopCoders site but couldn't find any examples of past problems.
User hostile chips on the motherboard are not needed to secure computers.
All you are achieving is legitimising a technology which is only needed for what you yourself describe as "evil". Please stop and think about what you are doing!
Because the only purpose of DRM is the control the user. This is unethical in and of itself, regardless of it's purpose. A computer program is responsible for acting in the interest of it's user the same way a doctor is to a patient, or a lawyer is to his client. Machines should be subjects to people, not the other way around.
I have never argued for forcing anything on those who wish to close their data. They can do whatever they want. I argue two things (and only the first in this particular thread):
1) People should not use TCPA, they should not accept it's presense in their hardware or software, and unless they actually want a closed Internet they should not be developing for it (like the Dartmouth people).
2) Our governments should not be making laws that remove OUR RIGHTS to hack through these system on our own machines, or to make them mandatory.
The people who do wish a closed network can knock themselves out writing DRM systems as far as I am concerned. I will continue arguing as loudly as I can that people should not use them.
My point was exactly that a lot of people (including you apparently) would find these applications favorable. So once TCPA is in place, we can expect the Internet to begin moving toward a closed system where all these things are possible.
So what will this mean?
It will means that innovation will be strangled, that new program features will be decided by lawyers on a comittee. Remember the RIAA's stated model regarding P2P software: you cannot write it without our permission. Welcome to that world.
It means that the open source development model, which relies on the usability of thousands of versions of the same program will be destroyed. And since the people doing the signing will be the commercial software vendors it seems doubtful they would consider signing even a single version of an open source app for free.
It means that ability to communicate and publish data will be recentralized through the signature authorities. It means the ability to censor every copy of a piece of data with the press of a button. Think that wouldn't happen? Think again: once the courts find out is possible, they will start with something that nobody can defend, like a piece of child porn or particularly egregious slander. Before you know it, it will be leaked scientology papers, and then any criticism against them.
It means the end of anything close to balance regarding in copyright law. Copyright law will become redundant, because all data will be encrypted and completely at the mercy of the publisher. The goal of ending the public domain once and for all will be achieved.
It means that people who decide that they own their computers, and refuse to submit to their computers authority over them, will be locked out from the Internet, and successively from society.
Yes, but you need a root key that is signed by some authority (the kind of keys that are embedded in the chips).
If you can get ahold of one of these keys, then you can simulate running a "trusted" system and cheat the DRM. They won't be easy to get ahold of though. Modchips will probably prove a better avenue.
I don't want to sound hostile, but I think you have misunderstood what TCPA, Palladium, and DRM is all about.
I'm a big fan of privacy and cryptography. I implemented entire PKI systems, and I have a masters degree in mathematics, so I even understand a little about why it works. Not only do I not protest against GPG and personal encryption, I use it as often as I can and encourage others to.
There is no contradiction between supporting encryption and disliking DRM. DRM may use encryption, but totalitarian regimes use movies - that doesn't mean you have support totalitarian regimes to like movies.
TCPA is not about encryption, TCPA is about DRM. People who want to encrypt data for themselves, or between a group of people do not need tamper proof hardware chips on their motherboard. DRM systems, which are used not to keep data secret, but to control what people can do with the public data they have access to, do.
Programs like GPG uses encryption to keep something secret when all the parties to the encryption want it secret. DRM uses encryption to the keep the actual data secret from one of the parties, so that he can be subject to his computer regarding what he can do with the data in question. There is little or no intersection between the two.
True.. but tell me: 1) Of what use is a Linux system, if no content can be decrypted on it?
Not much.
2) Will content-providers make content available to versions of Linux which can't be "trusted"?
Undoubtably not. But what format they release the data in is their concern.
It is important to remember that the only political issue here is fighting laws against compulsary DRM and laws against circumventing it where it exists. We should not fall into the whiner trap of trying to claim that we are somehow entitled to "content" in open formats. We are not.
The manner in which we should fight DRM is to explain to be people why they should not accept it. (And we need to start here on Slashdot - look at how many Slashdotters laud iTunes).
3) If you make a "trusted" version of Linux, will it then be modifiable by the user (say, a new kernel-patch)?
It will be modifiable of course, but then you are back to 1).
4) Of what use are Open Source advantages, if you cannot use them?
Not much.
5) Is this a threat to the Open Source development model?
Worms work by getting code that is not supposed to be executed to be executed. They do this by finding exploits.
This code is already not supposed to executed, regardless of whether it is signed. Why should adding another reason not to run the code make any difference?
It's not meant for you, none of this technology has anything to do with _your_ security. These products are intended to protect people from you, specifically, in this case, the movie industry who don't want you re-recording movies from the monitor cable.
I think real uses for this are very rare, just as PCs which are configured by their adminstrators to really lock down what the users can do are currently very rare. But they exist.
An astroturfer lectured me a few months ago that it was important for "Brazilian voting machines", but even in such cases I cannot buy it. If you want to lock down a machine, don't give out root, lock down the BIOS, and get a solid case with a good caselock. Sure, the data can be retrieved in this case with a crowbar and a BIOS reset, but TCPA chips can be circumvented as well, just by slightly more sofisticated methods.
Me too. But I think most of the world will be with us, not because they agree with our principles, but because the immediate, practical benefits of being able to run any piece of software on their PC without it being approved by any third party are far too great to sacrifice for the miniscule benefits (in normal circumstances) of "Trusted Computing".
Optimism is good as long as it doesn't lead to complacency.
The specialized areas thing just doesn't hold up. I have yet to see a single example of this that couldn't be solved by current hardware. A lot of people talk about company employees: but few employees have root on their computers anyways, so what is the point with the TCPA chip?
I'm at work right now, and since my local workstation is a Sun Ray I don't even have physical access data in ways that the operating system and application will not allow me (since they all run on a server somewhere). Why would TCPA be necessary to control what I did with my employers documents, instead of just software?
Even IBM admits that TCPA chips can be circumvented by hardware hacks (expect modchips to start appearing), so it can not be used to secure valuable information. The only logical purpose for this technology is to use it on home users, where access to mod chips is limited by laws like the DMCA.
It is possible (but unlikely) that this infrastructure will eventually reach the **AA goal of preventing copying of their products. I can live with that provided that our ability to write software for our own computers isn't collateral damage.
It is not the ability to write our own software that we will be sacrificing, it is the ability to use that software to communicate with the world. Once the TCPA infrastructure is there, the temptation to use it will be to strong to resist:
- eBay will be able to lock out all but some verified list of applications from accessing auction data, so that application to raise bids at the last minute can't be used.
- Microsoft recently kicked off other application from their IM system for "security reasons". As it stands now, this can be hacked around, do you think they'll hestitate to use TCPA to make that impossible? You think AOL are any different.
- Websites will be able to lock out browsers that can block pop-up ads, or that allow cookies to be cleared, or that lie about themselves in the User-Agent string.
- Games will be able to lock out modified versions.
- Given the common confusion that TCPA is about "security", how long do think it will be until your bank starts requiring it?
I could go on and on. The acceptance of TCPA spells the end of the open Internet, and the beginning of a closed network, where all but a few applications are locked out.
I know what I'll do. Whatever it comes to, I will not have a part of this, and I will simply refuse to accept having a computer that is hostile toward me. The reason I argue this so vehemently is because I hope it won't be lonely out here...
Not true at all. DRM and other user control systems only need to be closed when they are software based, because otherwise people can change the programs to remove the user hostile code.
The difference between Palladium and TCPA is really that while Palladium is a whole system for a building user hostile computers, TCPA is just an enabler.
What TCPA does is sign a hash of the OS that is loaded with an "endorsement key", embedded in the TCPA by the vendor and unaccessible to the user. Thus the TCPA chip is a able to do two things: it can verify to an outside source (that trusts the vendor) that the machine is a running a specific operating system (ie one that supports DRM and thus can be "trusted"), and it can encrypt data from one operating system so that another operating system cannot decrypt it.
TCPA provides everything that is needed at the hardware level to write any user hostile system on top of it, because the successive verification of signatures prevents any tampering with the code (even if the OS is open sourced). Palladium could be implemented with TCPA as it's only hardware aspect.
Thus, the argument that is sometimes seen here that TCPA would prevent the computer from booting Linux or any other operating system is false (incorrect scare tactics against these systems are unfortunate, they do more harm then good). What TCPA will do, is enable sites on the Internet to not allow you to read the data they give out, unless you are running an operating system that is user hostile and DRM friendly (and not in the "this site doesn't support mozilla" fashion, which can always be hacked around, but in a cryptologically safe fashion).
We want to fight Palladium by fighting acceptance of the idea that the computer should control the user and how he can access the data on his own machine, NOT by developing something functionally equivalent that happens to run under Linux.
Building a DRM system of our own, even if it is open and standards based, just strengthens the paradigm that will leed to an Internet where no data can be accessed as plaintext, applications that are allowed read data have to be accepted and certified by the media industry, and computers exist no longer to enable, but to control, their users.
Please protest against Palladium, TCPA, and all the other DRM proposals by refusing to have anything to do with them: not by strengthening their hand.
(And before somebody replies that TCPA isn't about DRM: Bullshit! Look up what an "endorsement key" is in the TCPA vocabulary.)
My CDs are still around to gather dust and get re-ripped when I change formats (I have changed twice so far).
Better idea: rip the CDs to FLAC (loss less) and archive them. Then you can sell the originals, and still have the audio to encode in any format you want.
Windows knows very well which interfaces are local and which are non-local. Microsoft purposely activated RPC and other services on non-local interfaces, so what makes you think they would have activated a local network bit or used a specific local only port range?
The idea behind all DRM is that people are forced into using if they want to access content/programs/etc that require it.
Getting an old, DRM less, version of Windows or Linux will not suddenly let you install many copies of Autocad in this scenario: it won't let you install it at all.
I'm pretty certain that, at least within our lifetimes, we will not be forced to use DRM. Even when the entire web has been closed to access from browsers that can't prove that they are running on a TCPA endorsement-key signed OS and obey the servers commands fully, it will be a choice for us whether we wish to accept DRM or be locked off the web.
In the end, even today, you can survive without computers. It's never a question of being forced.
That MS are worse than Apple in this regard doesn't show anything. I don't understand why people keep claiming that DRM isn't DRM when it comes from Steve Jobs.
Doubtful. With the iTunes store, Apple have shown that they are as attracted to the idea that computers should decide for their users what they can and cannot do with their data as all the others. That iTunes is currently heavier on the "can" then some other systems does not change the fact that Apple had embraced the paradigm that computers should be hostile to their users and in charge. I would hardly call that "clean hands".
That the current iTunes DRM has no presense in the hardware simply means that anybody with a hexeditor could crack it - that nobody has is simply because nobody cares (if you want mp3s there are easier ways). I don't see any reason to believe that Apple, having embraced user hostility, would back away from securing it from trivial cracks once the technology to do so becomes ubiquitous.
(I hate to mention this, but now lets watch the Slashdot Mac Maffia mod me down...)
No, Scandinavia is a lingual and historical term. Basically Scandinavia consists of countries with a Viking heritage: Sweden, Norway, Denmark, and Iceland.
"Nordic country" is a term meant to include Finland as well.
Swedish, Danish, Norwegian, and Icelandish are Scandinavian languages - really just variations of the same language with as much as 95% of the vocabulary in common. Finnish is a very different language, related with Hungarian.
SoBig is a result of Windows using metadata attached to the file (the extension), rather than local metadata (mode +x) to decide whether a file is executable. It is simply not possible to make a worm like it for linux ("Hello friend! Please set this file executable and run it!").
Slashdot Mirror
Just out of curiosity, can you give some examples of the type of problems given? I looked around the TopCoders site but couldn't find any examples of past problems.
User hostile chips on the motherboard are not needed to secure computers.
All you are achieving is legitimising a technology which is only needed for what you yourself describe as "evil". Please stop and think about what you are doing!
Because the only purpose of DRM is the control the user. This is unethical in and of itself, regardless of it's purpose. A computer program is responsible for acting in the interest of it's user the same way a doctor is to a patient, or a lawyer is to his client. Machines should be subjects to people, not the other way around.
I have never argued for forcing anything on those who wish to close their data. They can do whatever they want. I argue two things (and only the first in this particular thread):
1) People should not use TCPA, they should not accept it's presense in their hardware or software, and unless they actually want a closed Internet they should not be developing for it (like the Dartmouth people).
2) Our governments should not be making laws that remove OUR RIGHTS to hack through these system on our own machines, or to make them mandatory.
The people who do wish a closed network can knock themselves out writing DRM systems as far as I am concerned. I will continue arguing as loudly as I can that people should not use them.
My point was exactly that a lot of people (including you apparently) would find these applications favorable. So once TCPA is in place, we can expect the Internet to begin moving toward a closed system where all these things are possible.
So what will this mean?
It will means that innovation will be strangled, that new program features will be decided by lawyers on a comittee. Remember the RIAA's stated model regarding P2P software: you cannot write it without our permission. Welcome to that world.
It means that the open source development model, which relies on the usability of thousands of versions of the same program will be destroyed. And since the people doing the signing will be the commercial software vendors it seems doubtful they would consider signing even a single version of an open source app for free.
It means that ability to communicate and publish data will be recentralized through the signature authorities. It means the ability to censor every copy of a piece of data with the press of a button. Think that wouldn't happen? Think again: once the courts find out is possible, they will start with something that nobody can defend, like a piece of child porn or particularly egregious slander. Before you know it, it will be leaked scientology papers, and then any criticism against them.
It means the end of anything close to balance regarding in copyright law. Copyright law will become redundant, because all data will be encrypted and completely at the mercy of the publisher. The goal of ending the public domain once and for all will be achieved.
It means that people who decide that they own their computers, and refuse to submit to their computers authority over them, will be locked out from the Internet, and successively from society.
Yes, but you need a root key that is signed by some authority (the kind of keys that are embedded in the chips).
If you can get ahold of one of these keys, then you can simulate running a "trusted" system and cheat the DRM. They won't be easy to get ahold of though. Modchips will probably prove a better avenue.
I don't want to sound hostile, but I think you have misunderstood what TCPA, Palladium, and DRM is all about.
I'm a big fan of privacy and cryptography. I implemented entire PKI systems, and I have a masters degree in mathematics, so I even understand a little about why it works. Not only do I not protest against GPG and personal encryption, I use it as often as I can and encourage others to.
There is no contradiction between supporting encryption and disliking DRM. DRM may use encryption, but totalitarian regimes use movies - that doesn't mean you have support totalitarian regimes to like movies.
TCPA is not about encryption, TCPA is about DRM. People who want to encrypt data for themselves, or between a group of people do not need tamper proof hardware chips on their motherboard. DRM systems, which are used not to keep data secret, but to control what people can do with the public data they have access to, do.
Programs like GPG uses encryption to keep something secret when all the parties to the encryption want it secret. DRM uses encryption to the keep the actual data secret from one of the parties, so that he can be subject to his computer regarding what he can do with the data in question. There is little or no intersection between the two.
True .. but tell me:
1) Of what use is a Linux system, if no content can be decrypted on it?
Not much.
2) Will content-providers make content available to versions of Linux which can't be "trusted"?
Undoubtably not. But what format they release the data in is their concern.
It is important to remember that the only political issue here is fighting laws against compulsary DRM and laws against circumventing it where it exists. We should not fall into the whiner trap of trying to claim that we are somehow entitled to "content" in open formats. We are not.
The manner in which we should fight DRM is to explain to be people why they should not accept it. (And we need to start here on Slashdot - look at how many Slashdotters laud iTunes).
3) If you make a "trusted" version of Linux, will it then be modifiable by the user (say, a new kernel-patch)?
It will be modifiable of course, but then you are back to 1).
4) Of what use are Open Source advantages, if you cannot use them?
Not much.
5) Is this a threat to the Open Source development model?
Definitely.
Worms work by getting code that is not supposed to be executed to be executed. They do this by finding exploits.
This code is already not supposed to executed, regardless of whether it is signed. Why should adding another reason not to run the code make any difference?
It's not meant for you, none of this technology has anything to do with _your_ security. These products are intended to protect people from you, specifically, in this case, the movie industry who don't want you re-recording movies from the monitor cable.
I think real uses for this are very rare, just as PCs which are configured by their adminstrators to really lock down what the users can do are currently very rare. But they exist.
An astroturfer lectured me a few months ago that it was important for "Brazilian voting machines", but even in such cases I cannot buy it. If you want to lock down a machine, don't give out root, lock down the BIOS, and get a solid case with a good caselock. Sure, the data can be retrieved in this case with a crowbar and a BIOS reset, but TCPA chips can be circumvented as well, just by slightly more sofisticated methods.
Me too. But I think most of the world will be with us, not because they agree with our principles, but because the immediate, practical benefits of being able to run any piece of software on their PC without it being approved by any third party are far too great to sacrifice for the miniscule benefits (in normal circumstances) of "Trusted Computing".
Optimism is good as long as it doesn't lead to complacency.
The specialized areas thing just doesn't hold up. I have yet to see a single example of this that couldn't be solved by current hardware. A lot of people talk about company employees: but few employees have root on their computers anyways, so what is the point with the TCPA chip?
I'm at work right now, and since my local workstation is a Sun Ray I don't even have physical access data in ways that the operating system and application will not allow me (since they all run on a server somewhere). Why would TCPA be necessary to control what I did with my employers documents, instead of just software?
Even IBM admits that TCPA chips can be circumvented by hardware hacks (expect modchips to start appearing), so it can not be used to secure valuable information. The only logical purpose for this technology is to use it on home users, where access to mod chips is limited by laws like the DMCA.
It is possible (but unlikely) that this infrastructure will eventually reach the **AA goal of preventing copying of their products. I can live with that provided that our ability to write software for our own computers isn't collateral damage.
It is not the ability to write our own software that we will be sacrificing, it is the ability to use that software to communicate with the world. Once the TCPA infrastructure is there, the temptation to use it will be to strong to resist:
- eBay will be able to lock out all but some verified list of applications from accessing auction data, so that application to raise bids at the last minute can't be used.
- Microsoft recently kicked off other application from their IM system for "security reasons". As it stands now, this can be hacked around, do you think they'll hestitate to use TCPA to make that impossible? You think AOL are any different.
- Websites will be able to lock out browsers that can block pop-up ads, or that allow cookies to be cleared, or that lie about themselves in the User-Agent string.
- Games will be able to lock out modified versions.
- Given the common confusion that TCPA is about "security", how long do think it will be until your bank starts requiring it?
I could go on and on. The acceptance of TCPA spells the end of the open Internet, and the beginning of a closed network, where all but a few applications are locked out.
I know what I'll do. Whatever it comes to, I will not have a part of this, and I will simply refuse to accept having a computer that is hostile toward me. The reason I argue this so vehemently is because I hope it won't be lonely out here...
Not true at all. DRM and other user control systems only need to be closed when they are software based, because otherwise people can change the programs to remove the user hostile code.
The difference between Palladium and TCPA is really that while Palladium is a whole system for a building user hostile computers, TCPA is just an enabler.
What TCPA does is sign a hash of the OS that is loaded with an "endorsement key", embedded in the TCPA by the vendor and unaccessible to the user. Thus the TCPA chip is a able to do two things: it can verify to an outside source (that trusts the vendor) that the machine is a running a specific operating system (ie one that supports DRM and thus can be "trusted"), and it can encrypt data from one operating system so that another operating system cannot decrypt it.
TCPA provides everything that is needed at the hardware level to write any user hostile system on top of it, because the successive verification of signatures prevents any tampering with the code (even if the OS is open sourced). Palladium could be implemented with TCPA as it's only hardware aspect.
Thus, the argument that is sometimes seen here that TCPA would prevent the computer from booting Linux or any other operating system is false (incorrect scare tactics against these systems are unfortunate, they do more harm then good). What TCPA will do, is enable sites on the Internet to not allow you to read the data they give out, unless you are running an operating system that is user hostile and DRM friendly (and not in the "this site doesn't support mozilla" fashion, which can always be hacked around, but in a cryptologically safe fashion).
We want to fight Palladium by fighting acceptance of the idea that the computer should control the user and how he can access the data on his own machine, NOT by developing something functionally equivalent that happens to run under Linux.
Building a DRM system of our own, even if it is open and standards based, just strengthens the paradigm that will leed to an Internet where no data can be accessed as plaintext, applications that are allowed read data have to be accepted and certified by the media industry, and computers exist no longer to enable, but to control, their users.
Please protest against Palladium, TCPA, and all the other DRM proposals by refusing to have anything to do with them: not by strengthening their hand.
(And before somebody replies that TCPA isn't about DRM: Bullshit! Look up what an "endorsement key" is in the TCPA vocabulary.)
My CDs are still around to gather dust and get re-ripped when I change formats (I have changed twice so far).
Better idea: rip the CDs to FLAC (loss less) and archive them. Then you can sell the originals, and still have the audio to encode in any format you want.
All DRM achieves in the absense of government laws that make circumvention illegal, is to create a market for cracks and modchips.
Windows knows very well which interfaces are local and which are non-local. Microsoft purposely activated RPC and other services on non-local interfaces, so what makes you think they would have activated a local network bit or used a specific local only port range?
"The vast majority of Internet users" (this term gets used so much we need an acronym) do not need anything but port 80 outgoing.
By the same logic then, blocking everything else ought to be standard.
The idea behind all DRM is that people are forced into using if they want to access content/programs/etc that require it.
Getting an old, DRM less, version of Windows or Linux will not suddenly let you install many copies of Autocad in this scenario: it won't let you install it at all.
I'm pretty certain that, at least within our lifetimes, we will not be forced to use DRM. Even when the entire web has been closed to access from browsers that can't prove that they are running on a TCPA endorsement-key signed OS and obey the servers commands fully, it will be a choice for us whether we wish to accept DRM or be locked off the web.
In the end, even today, you can survive without computers. It's never a question of being forced.
That MS are worse than Apple in this regard doesn't show anything. I don't understand why people keep claiming that DRM isn't DRM when it comes from Steve Jobs.
Doubtful. With the iTunes store, Apple have shown that they are as attracted to the idea that computers should decide for their users what they can and cannot do with their data as all the others. That iTunes is currently heavier on the "can" then some other systems does not change the fact that Apple had embraced the paradigm that computers should be hostile to their users and in charge. I would hardly call that "clean hands".
That the current iTunes DRM has no presense in the hardware simply means that anybody with a hexeditor could crack it - that nobody has is simply because nobody cares (if you want mp3s there are easier ways). I don't see any reason to believe that Apple, having embraced user hostility, would back away from securing it from trivial cracks once the technology to do so becomes ubiquitous.
(I hate to mention this, but now lets watch the Slashdot Mac Maffia mod me down...)
Come to think of it I don't even have that many CDs yet to rip to fill this much space.
I think you've kind of missed the point...
And here is the link where you don't have remove the %20.
Why haven't people learned that pasting URLs doesn't work on slashdot...
No, Scandinavia is a lingual and historical term. Basically Scandinavia consists of countries with a Viking heritage: Sweden, Norway, Denmark, and Iceland.
"Nordic country" is a term meant to include Finland as well.
Swedish, Danish, Norwegian, and Icelandish are Scandinavian languages - really just variations of the same language with as much as 95% of the vocabulary in common. Finnish is a very different language, related with Hungarian.
SoBig is a result of Windows using metadata attached to the file (the extension), rather than local metadata (mode +x) to decide whether a file is executable. It is simply not possible to make a worm like it for linux ("Hello friend! Please set this file executable and run it!").
the author of qmail, ha[s] a very low opinion of your fellow developers.
If you had looked at the license for qmail, you would already know this.