A lot of computers? Name one. Go ahead. I'll wait.
I had several systems on screen about an hour ago with TPMs prominently listed in the system specs....
So please, point me to these computers that are forcing TPM's on us, I'll buy 10 tomorrow..
I'm doing all I can to avert sales of these systems. I can't stop you from buying them, but if you are truly incapable of locating them on your own.... ummm.... well... okaaaay..... I'm cool with that. I also would have declined to point George W. Bush voters to the local voting booths if they were incapable of locating them on their own. They certainly have the right to vote, but declining to actively aid them to vote would have been a public service. Lol.
You're right that the chip will do nothing if it's switched off. But I think it's worth pointing out other potentially relevant factors.
(1) If you buy a system with this chip and leave it off, part of your purchase price is a payment supporting the companies pushing this crap.
(2) If you buy a system with this chip and leave it off, you are contributing to their install-base figures, advancing them to the line where they can start deploying the really nasty tactics.
(3) If we don't aggressively get the message out to not buy these PCs, people who are buying Windows regardless are more likely to buy ones with these chips, and more likely to turn them on, doubly advancing them to the point where they can start deploying the really nasty tactics.
And (4), if they do get to the point where they can push the really nasty tactics, leaving the chip switched off isn't going to save you, having a computer without a chip isn't going to save you, and running Linux or anything else isn't going to save you. Because in.... I dunno... two or three years it's possible you'll start running into an increasing percentage of websites that you can't view at all unless you have a Trust chip certifying that you're not running an ad-blocker, and that the Browser is DRM-compliant to not download copies of pictures and other page content. And if the deployment does proceed smoothly, then in a decade or somesuch a large majority of home PCs could have the chip installed and ISP's could start deploying Trusted Network Connect to do a "health check" before permitting you any internet access at all. The "health check" uses the Trust chip to identify exactly what OS you're running, and to ensure that your operating system is up to date on all of the latest security patches, and checks that your computer isn't infected with a virus or something. Because obviously it's a "good thing" for an ISP to ensure that you're not connecting an infected or vulnerable computer to their network. And, of course, you fail the health check if you don't have a Trust chip, you fail the health check if you don't have the chip activated, and you fail the health check if your operating system doesn't appear on their list of known, approved, secure, operating systems. And then you're effectively banned from the internet until you comply.
So just merely saying "don't turn the chip on" doesn't seem like the best idea. And while I'm all for more people using Linux, blowing the TPM issue off with a largely ineffectual "don't run Windows" attitude doesn't seem like the best idea either.
If TPM deployment proceeds smoothly to a high percentage adoption, we're all going to be seriously screwed eventually.
We agree on the nature of the system, but I wanted to address this:
Malicious software can't read paper.
It wouldn't have to if you were to actually use those keys.
I'm countering people who argue that there are legitimate security benefits to Trusted Computing in home PCs. As long as the paper is locked away, they can't claim my proposal diminishes any legitimate security benefits. And if I do want to use it, well in that case we're starting with the computer in the "maximally Trust-secured-state", in which case the Trust system is maximally secured to protect and validate a small Trusted application into which I could securely type the PrivEK/SRK, make any security modifications I wished to make, and then have the Trusted application securely wipe the keys from its protected RAM.
So anyone who doesn't opt to get a printed key gets 100% of any security benefits they want to claim, anyone who gets a printed key and keeps it in a bank vault gets 100% of any security benefits they want to claim, and even if I do use the key I'm doing so with essentially zero vulnerability to anything, unless it's something that already had the power to beat the Trust system anyway. And, of course, the point that they have no right to object if I decide that hypothetical level of risk is worth it.... I'm doing nothing and I'm asking for nothing that would diminish any security they claim they want for themselves.
Not that the Trusted Computing Group would ever permit any such thing, but it's pretty powerful for shooting down Trust-is-good proponents, and for making things crystal clear for bystanders trying to figure out which side they should be on :) At least that's the hope.
The point of the PrivEK key is that the chip uses it to send a "spy report" on exactly what operating system and software you're running, and without that key you cannot control the contents of that report. For example a website can check exactly what browser you're running, and whether you have an ad-blocker running. If you're not using an approved browser, or if you have an ad-blocker, then the website can refuse to display. It would just toss up a "helpful" error message telling you to fix your system, as in telling you to run an approved OS / run an approved browser / disable the ad-blocker.
The point of the SRK is that the chip can lock your files such that YOU can't read them or modify them, except under the strict control of the Trust chip. Think Uber-DRM system. You can't play a music file at all except with the exact approved music player, and you can't play the file at all without updating the pay-per-play playcount and reporting it to the music company. Or you can't run software unless the date is securely verified to be within the approved software-rental time window. The range of DRM-style Trust enforcement is virtually unending.
If you don't have your keys then the Trust system secures your computer against you. If you did have access to your keys then you have final control of the system, and then it would be a legitimate security system securing your computer for you.
That's the overly-short overly-simplified answer. Let me know if you want to address anything more detailed.
You Sire, are math-challenged: 2^48 = 281.474.976.710.656
Nope, you missed. The equals-formula you posted is, in itself, correct. However you missed the Birthday Problem. The chance for collision in a group becomes large when you get up around the square root of the number you posted... meaning in the ballpark of 2^24=16,777,216. Basically it's because in a group of N individuals there are about N^2 possible pairings that could collide.
Specifically, it is designed to be SECURE AGAINST THE OWNER. The Trusted Platform Module Technical Specification explicitly refers to the owner of the chip as an attack-threat which the chip MUST be secure against.
Citation needed ;) I'm sure you're misinterpreting some physical tamper-resistance line.
Unfortunately, being sure is all too often completely unrelated to being right.
It's in some text explaining design intent, explaining why they require certain internal data be handled in a particular way. They specifically state they are doing it this way to prohibit a "rogue Owner" from being able to register an Identity with more than one Privacy Certificate Authority.
TCPA_Main_TCG_Architecture_v1_1b.pdf According to internal document page numbering it's on page 267, but the PDF viewer software calls it page 277. The exact sentence is: This feature prevents a rogue Owner from assembling identity_binding data structures outside the TPM and hence obtaining attestation to the same TPM identity from multiple Privacy CAs.
They explicitly named the Owner as the primary focus of their threat model. They explicitly took steps to secure the chip against an owner attempting to manage his privacy identities. And they did it because the underlying "security threat" was that an Owner could attempt to use the duplicate anonymous identity to gain local control to modify a "security property" that was demanded by someone else via Remote Attestation of the first anonymous identity. And in this case a "security property" being demanded by someone else via anonymous remote attestation is basically a generalized way of saying a DRM-style-enforcement-commitment, and using a duplicate anonymous identity to modify that "security" setting basically means being able to break/escape the DRM.
Remember - they explicitly stated the security threat here was the OWNER. Furthermore note that these are anonymous identities used for remote attestation.... this has nothing to do with securely checking the state of the system for yourself. This is securing the state of the computer against the owner for the benefit of a remote party - specifically a remote party whom the owner doesn't trust - someone to whom the owner specifically wants to remain anonymous. That pretty much means some random corporation or random website he doesn't want tracking him, and which wants something like DRM enforcement in place on his computer. And again, this is all in the context of them declaring the OWNER to be the threat they are securing against.
I don't doubt you've looked at it. But clearly you've looked at it from the perspective of how you think it impinges on your liberty
I've considered it from all angles. I would fully support a similar chip which was designed as a legitimate pro-owner security system. However that's not this chip.
rather than from the perspective of a security engineer trying to achieve simple properties such as executing code that isn't manipulated by an attacker.
I fully understand that issue, and that can easily be achieved with a legitimate security system, one securing the system for the owner rather than securing it against the owner, one where the owner has the final say in control and security settings. (Note that an owner "opt-in" for something like a DRM scheme is an owner having an initial say on security settings, but the owner having the final say on security settings means he has full control to modify the security settings later.)
Let's play this game. I'll propose an alternative system, one where the owner can have that final say if he wants it, thereby having the power to avoid or solve 100% of the objections to the system, and you go ahe
Help me judge which of you is right. Alsee says I can't have the keys to the TPM which comes with the computer I buy. You disagree with Alsee.
No, he explicitly agreed with me on that point:
I said: "The TPM technical specification is quite explicit that the owner of the computer is FORBIDDEN to ever get his keys" He said: "Forbidden from getting them out of the TPM"
That's agreement.
He merely followed up with a lame explanation "not forbidden from using them in ways that allow for guaranteeing security properties". The Trusted Computing definition of "security properties" explicitly includes security against the owner. "Guaranteeing security properties" means you are unable to read or alter your own files in Sealed Storage. An example "security property" would be that you can't read (and run) a Sealed-Storage program without securely verifying that the date is within the approved software-rental period. Or think DRM music file, the "security property" is that the chip won't let you play the music except with the approved DRM-music player, and only if it decrements the number of plays remaining in the pay-per-play count.
It also means enforcing the security of Remote Attestation, which in plain English means a cryptographically secure "spy report" sent out to other people over the internet telling them exactly what software you are running. For example if you had your master keys you could tell a website that you aren't running an ad-blocker when you actually are. That would violate the anti-owner "security properties".
That's why you're forbidden to have your keys.... then other people could not Trust that your computer would enforce anti-owner "security properties" against you.
Standard line argument is that it's all A-ok because it's all "opt-in". If you don't "opt-in" all "security properties" are still enforced against you, enforced in the sense that nothing works (you can't violate security if nothing works and you can't do anything). If you don't "opt-in" you're denied any ability to read or modify Trusted-secured Files, if you don't "opt-in" you're denied the ability to run Trusted-secured programs at all, if you don't "opt-in" you won't be able to access websites at all if they use the Trust system to ensure you don't copy pictures or to check if you're running an ad-blocker. And if you don't "opt-in", then in a few years you might be denied internet access. The Trusted Computing Group has created something called Trusted Network Connect, and Microsoft has an equivalent version called Network Access Protection. That's a system where a network (or your ISP) can ask for a Trusted Health Check. A "Health Check" is that spy report I mentioned before, it reports the exact software running on your computer. The "Health Check": ensures that you're not infected by a virus(*), and ensures that you're running an approved operating system with ALL of the mandatory patches, and enforces that you're running any mandatory "security software" they want you to run, and that you're not running anything they don't want you to run. And if you don't "opt-in" then you can't pass the "Health Check", and your computer is "quarantined".... no network access. Obviously no ISP could ever deploy something like that.... not unless most customers already had Trust Chips in their Computers.... oh yeah Microsoft is making Trust Chips mandatory in all new PC's 16 months from now. But even then it would obviously be several more years before most people had Trusted PC's, before ISPs could deploy that sort of "Trusted Health Check" to get internet access. But don't worry, this is all a good thing.... it's just a Health Check....
to ensure you're not infected and spreading viruses
As he explained, there's nothing evil about the system.... they
It's already in essentially all laptops, it's already in essentially all "business class" desktops, it's already in some "personal class" PC's, and it's MANDATORY in ALL new Windows PC's as of 16 months from now.
There's lots of screaming about it, that is backed up by a big lack of knowledge about it.
I've studied all one-hundred-plus pages of the TPM technical specification. I know how it works in detail.
It really seems like something that some people just want to be a big evil issue so they pretend it is.
At one point the TPM technical specification explicitly names the owner of the computer as a potential "attacker", and explicitly states the chip must be secure against the owner. And in about a hundred places it endlessly mandates that the chip is forbidden to allow anyone, which includes the owner, to ever access the master keys.
I could see the issue if this was being required, but it isn't.
Microsoft has declared they plan to make it mandatory starting less than a year from now.
Also not only does Windows 8 not need secure boot, it doesn't even need UEFI...
I swear these paranoid types need to spend a bit of time getting their learn on about new technologies before whining about them....
The amount of knee-jerk that goes on with this shit is pretty amazing.
Quoting fucking MICROSOFT.COM News Center: "Trustworthy hardware. The Trusted Platform Module is a hardware security device or chip that's a great tool for the enterprise, but until now has been an optional piece of technology for consumer devices. TPM provides a number of crypto functions, including securely storing keys and performing cryptographic measurements. We're working to require TPM 2.0 on all devices by January 2015"
You're seriously going to call me "paranoid" when Microsoft has an official public statement that they plan to make this Trusted Computing shit mandatory starting less than a year and a half from now?
Over a half-billion computers have already been shipped with this shit welded to the motherboard. THAT'S why the Ask Slashdot story is asking how to avoid this shit. A lot of computers already come with this shit on the motherboard, and not all of the sales materials list that it's in there.
But *no* consumer board I'm aware of ships with the *chip.*
Then you obviously haven't been paying attention. Almost all laptops are now shipping with TPMs, and they are increasingly being shipped in desktops. When I was shopping for a PC last year I spotted TPM listed in several system specification lists from different major PC vendors.
According to the Trusted Computing Group more than a half billion PCs have already shipped with the Trusted Platform Module. Computer Weekly puts it at over 600 million PCs.
And according to ZDNET, "In January 2015, TPM 2.0 will be required on all certified Windows devices".
And according to Microsoft News Center, and I quote: The Trusted Platform Module is a hardware security device or chip that's a great tool for the enterprise, but until now has been an optional piece of technology for consumer devices. TPM provides a number of crypto functions, including securely storing keys and performing cryptographic measurements. We're working to require TPM 2.0 on all devices by January 2015
So the answer to the question, I think, remains "All of them."
You were trying to say that "all" personal computers were TPM-free, but it turns out that "All of them" is what they plan to try and force on us starting less than a year and a half from now. And as noted, over a half billion already shipped.
The Globally-Unique MAC addresses seem to be a pretty blatant security and tracking problem. I've been increasingly wondering why we don't simply start randomizing the MAC address every time the device is turned on, or perhaps even randomizing it for each new connection.
Yes, in principle this could result in a random address collision between two devices. However MACs are 48 bits... this means you'd need to have over 16 million devices simultaneously connected to the same access point before there's a substantial chance of two of them randomly colliding. I'd call that a rather pretty negligible trade off to obtain some privacy and security. And if one device does detect a MAC collision it could simply re-randomize.
As for additional "security risks" of randomizing MAC addresses, not really. It's already trivially easy for someone to deliberately fake your MAC address on their own device. So no new threat there. If anything, I think randomizing (and regularly re-randomizing) the MAC address would be a security benefit. If someone does deliberately fake your MAC address, the target lock is neutralized when your device re-randomizes.
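The collision estimate argued over in the comments above (the Birthday Problem applied to randomly chosen MAC addresses, plus the "re-randomize on collision" idea), worked through as an added example that is not part of the original thread. It assumes a randomized address keeps the two reserved bits of its first octet (unicast, locally administered), which leaves 46 random bits rather than 48; the function names are illustrative.

```python
import math
import secrets
from typing import Callable, Set, Tuple

MAC_BITS = 48      # full address width discussed in the thread
RANDOM_BITS = 46   # assumption: the unicast and locally-administered bits are fixed


def collision_probability(devices: int, bits: int = MAC_BITS) -> float:
    """Birthday-problem estimate: P(at least two of `devices` random values match).

    Uses the standard approximation 1 - exp(-n(n-1) / 2N), which is accurate
    when n is much smaller than N = 2**bits.
    """
    if devices < 2:
        return 0.0
    space = 2 ** bits
    pairs = devices * (devices - 1) / 2    # number of pairings that could collide
    return -math.expm1(-pairs / space)     # 1 - e^(-pairs/space), stable for tiny values


def devices_for_probability(target: float, bits: int = MAC_BITS) -> int:
    """Smallest device count whose estimated collision probability reaches `target`."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    needed_pairs = -math.log1p(-target) * 2 ** bits
    # Solve n(n-1)/2 >= needed_pairs for n, then correct any float rounding.
    n = math.ceil((1 + math.sqrt(1 + 8 * needed_pairs)) / 2)
    while n > 2 and collision_probability(n - 1, bits) >= target:
        n -= 1
    while collision_probability(n, bits) < target:
        n += 1
    return n


def random_mac() -> str:
    """Generate a random unicast, locally administered MAC address."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & 0xFE  # set "locally administered", clear "multicast"
    return ":".join(f"{b:02x}" for b in octets)


def pick_unused(in_use: Set[str],
                generate: Callable[[], str] = random_mac,
                max_attempts: int = 8) -> Tuple[str, int]:
    """Re-randomize until the candidate is not already seen on the network.

    Returns (address, attempts_needed).
    """
    for attempt in range(1, max_attempts + 1):
        candidate = generate()
        if candidate not in in_use:
            return candidate, attempt
    raise RuntimeError("no unused address found after repeated re-randomization")


if __name__ == "__main__":
    for n in (100, 10_000, 1_000_000, 2 ** 24):
        print(f"{n:>10} devices: 48-bit {collision_probability(n):.3e}   "
              f"46-bit {collision_probability(n, RANDOM_BITS):.3e}")
    print("50% collision point, 46 random bits:",
          devices_for_probability(0.5, RANDOM_BITS))
    print("example address:", random_mac())
```

At 2^24 devices on one segment the estimate is about 39% with 48 random bits and about 86% with 46; at the scale of a single access point (hundreds of devices) it is negligible either way.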
Ooops. Ignore my comment above. I had Slashdot post threshold at 3. I didn't see the AC post about Apple. I thought you were referring to the original AC post regarding the TPM.
That was the initial market, but the Trusted Computing Group is quite clear that they intend, as soon as they can manage it, for it to be included in all computers. And they are well on their way to achieving that. They are already included in almost all laptops, and they are increasingly showing up in desktops.
In other words, yes, you can totally opt out of buying a motherboard with TPM
The entire point of the Ask Slashdot is that it's becoming increasingly difficult to do so. More and more computers are being shipped with the TPM soldered in place, and without the product description mentioning that fact anywhere.
I've studied the entire TPM technical specification. I understand it in minute detail.
The trick to TPM is *WHO HAS THE KEYS*. If *I* have the keys, it is a great feature.
EXACTLY!
And the entire point here is that you DON'T have the keys. The TPM technical specification is quite explicit that the owner of the computer is FORBIDDEN to ever get his keys. Specifically this means the PrivEK (Private Endorsement Key) and the SRK (StorageRootKey). The owner is forbidden to have his StorageRootKey, because the StorageRootKey is explicitly designed to encrypt data on the harddrive such that the owner of the computer cannot read or alter it. The owner is forbidden to have his Private Endorsement Key because this key is used to secure the Remote Attestation process against the owner. Remote Attestation is where the chip securely (secure against the owner) tracks your hardware and the software you run, and sends that spy-report out to other computers over the internet. If the owner had his Private Endorsement key, these Attestation spy-reports wouldn't be secure against the owner.
TPM is just a secure hardware keystore.
It's more than that, but an important part of it is that it's a "secure hardware keystore". Specifically, it is designed to be SECURE AGAINST THE OWNER. The Trusted Platform Module Technical Specification explicitly refers to the owner of the chip as an attack-threat which the chip MUST be secure against.
Stallman's piece focuses exclusively on TPM being implemented as a mandated piece where either the gov't or the media industry has the keys.
The "Master Keys" are held by the Trusted Computing Group. The crucial individual keys are locked inside the Trusted Computing chips, secured against the owners.
Focusing on one theoretical use case and determining the entire system is evil is just plain wrong.
Let's make it really simple. The moment they give owners some option to read their keys out of the chip, or give owners the option to buy chips that come with a printed copy of the keys, then I will jump up front and center proclaiming that Trusted Computing is wonderful and harmless... I'll lead the charge smacking down anyone claiming it's evil.
However the Trusted Computing Group has explicitly refused all demands for any sort of "Owner Override" and explicitly forbidden owners to ever get a hold of their own keys. That is because the entire point of Trusted Computing is to secure computers AGAINST their owners. The entire point of Trusted Computing is that "Owners can't be trusted", so they want to be able to "Trust" computers to be secure against the owners.
The moment they allow owners to get their keys then I agree that the owner is in control.
Note that the standard argument against allowing owners to get their keys is that a virus or malware or something might get a hold of the key if it's accessible from the chip, or if it's on the harddrive anywhere. Which is a patently bullshit argument for refusing to let me buy a chip with a PRINTED COPY of my master keys. Malicious software can't read paper. End of argument. Then I can toss the printed keys in my safety deposit box at my local bank, and you can't make any believable argument that it's somehow "for my security" that you're refusing to let me get my own goddamn keys.
A simple rule for everyone: Just say "I want my keys", NO KEYS, NO SALE
Are you clueless? He's not "talking sense". The whole point here is that it's becoming increasingly difficult to not-buy a TPM. A lot of motherboards now have this shit welded in place, and its presence is often not listed when you're shopping to buy a computer.
An "Ask Slashdot" on how to avoid purchasing Trusted Computing is entirely appropriate. Hell, there should be a goddamn front page story in the New York Times telling people that many computers are being shipped with TPMs, and informing the general public where to shop if they don't want to fork over money for an anti-owner TPM chip pre-welded into whatever computer they buy.
A lot of computers are now being shipped with TPM's SOLDERED onto the motherboard, and they are making progress on packaging the TPM inside the CPU chip. He doesn't want to buy that crap, I don't want to buy that crap, and the problem is that a lot of people are buying that crap without knowing it. The Trusted Computing Group has stated that part of their strategy for forcing everyone to buy into their Trusted Computing crap is to ensure that TPMs are already built in to all new computers being sold.
The exploit transmits your identifying information to IP address 65.222.202.54. The information includes a unique tracking number generated by the exploit server, your computer's MAC address, your computer's host name, and any other IP addresses and host names visible on your local network.
This IP address traces back to a Verizon business account just outside Washington D.C., not far from FBI and CIA headquarters. You can see the IP location trace here, complete with a zoomable Google map. However note that the location trace is probably just an approximate location. Zooming all the way in shows a local shopping center, but that's probably just the location randomly landing at the "center" of a town or other service area.
UEFI was never intended to improve security. Along with Microsoft's extensions it was designed as a lock-in tool.
Reality check....Secure Boot wouldn't be a problem for the geek if OEM Linux had a significant share of the x86 desktop.
It looks like your post was intended to show the prior commenter was "not in touch with reality", however what you actually did was confirm that he was right. Your conclusion states "Secure Boot wouldn't be a problem...if...", which pretty explicitly states that Secure Boot is a problem. Your conclusion is actually confirming that lock in problem of Secure Boot, regardless of what anyone claims the intent was, and regardless of any arguments over whether the system is otherwise noble or malicious.
And yeah, TrustedComputing&Secureboot are a truckload of extremely malignant problems even if Linux were a majority share of desktops.
One of the perks of dating a geek is that we are now the only ones who are ever going to take you to the hottest restaurant in town. Jocks need not apply.
A lot of computers? Name one. Go ahead. I'll wait.
I had several systems on screen about an hour ago with TPMs prominently listed in the system specs....
So please, point me to these computers that are forcing TPM's on us, i'll buy 10 tomorrow..
I'm doing all I can to avert sales of these systems. I can't stop you from buying them, but if you are truly incapable of locating them on your own.... ummm.... well... okaaaay..... I'm cool with that. I also would have declined to point George W. Bush voters to the local voting booths if they were incapable of locating them on their own. They certainly have the right to vote, but declining to actively aid them to vote would have been a public service. Lol.
-
You're right that the chip will do nothing if it's switched off. But I think it's worth pointing out other potentially relevant factors.
(1) If you buy a system with this chip and leave it off, part of your purchase price is a payment supporting the companies pushing this crap.
(2) If you buy a system with this chip and leave it off, you are contributing to their install-base figures, advancing them to the line where they start can start deploying the really nasty tactics.
(3) If we don't aggressively get to the message to not buy these PCs, people who are buying Windows regardless are more likely to buy ones with these chips, and more likely to turn them on, doubly advancing them to the point where they can start deploying the really nasty tactics.
And (4), if they do get to the point where they can push the rally nasty tactics, leaving the chip switched off isn't going to save you, having a computer without a chip isn't going to save you, and running Linux or anythign else isn't going to save you. Because in.... I dunno... two or three years it's possible you'll start running into an increasing percentage of websites that you can't view at all unless you have a Trust chip certifying that you're not running an ad-blocker, and that the Browser is DRM-compliant to not download copies of pictures and other page content. And if the deployment does proceed smoothly, then in a decade or somesuch a large majority of home PCs could have the chip installed and ISP's could start deploying Trusted Network Connect do a "health check" before permitting you any internet access at all. The "health check" uses the Trust chip to identify exactly what OS you're running, and to ensure that your operating system it up to date on all of the latest security patches, and checks that your computer isn't infected with a virus or something. Because obviously it's a "good thing" for an ISP to ensure that you're not connecting an infected or vulnerable computer to their network. And, of course, you fail the health check if you don't have a Trust chip, you fail the health check if you don't have the chip activated, and you fail the health check if your operating system doesn't appear on their list of known, approved, secure, operating systems. And then you're effectively banned for the internet until you comply.
So just merely saying "don't turn the chip on" doesn't seem like the best idea. And while I'm all for more people using Linux, blowing the TPM issue off with a largely ineffectual "don't run Windows" attitude doesn't seem like the best idea either.
If TPM deployment proceeds smoothly to a high percentage adoption, we're all going to be seriously screwed eventually.
-
We agree on the nature of the system, but I wanted to address this:
Malicious software can't read paper.
it wouldn't have to if you were to actually use those keys.
I'm countering people who argue that there are legitimate security benefits to Trusted Computing in home PCs. As long as the paper is locked away, they can't claim my proposal diminishes any legitimate security benefits. And if I do want to use it, well in that case we're starting with the computer in the "maximally Trust-secured-state", in which case the Trust system is maximally secured to protect and validate a small Trusted application into which I could securely type the PrivEK/SRK, make any security modifications I wished to make, and then have the Trusted application securely wipe the keys from it's protected RAM.
So anyone who doesn't opt to get a printed key gets 100% of any security benefits they want to claim, anyone who gets a printed key and keeps it in a bank vault gets 100% of any security benefits they want to claim, and even if I do use the key I'm doing so with essentially zero vulnerability to anything, unless it's something that already had the power to beat the Trust system anyway. And, of course, the point that they have no right to object if I decide that hypothetical level of risk is worth it.... I'm doing nothing and I'm asking for nothing that would diminish any security they claim they want for themselves.
Not that the Trusted Computing Group would ever permit any such thing, but it's pretty powerful for shooting down Trust--is-good proponents, and for making things crystal clear for bystanders trying to figure out which side they should be on :) At least that's the hope.
-
The point of the PrivEK key is that the chip uses it to send a "spy report" on exactly what operating system and software you're running, and without that key you cannot control the contents of that report. For example a website can check exactly what browser you're running, and whether you have an ad-blocker running. If you're not using an approved browser, or if you have an ad-blocker, then the website can refuse to display. It would just toss up a "helpful" error message telling you to fix your system, as in telling you to run an approved OS / run an approved browser / disable the ad-blocker.
The point of the SRK is that the chip can lock your files such that YOU can't read them or modify them, except under the strict control of the Trust chip. Think Uber-DRM system. You can't play a music file at all except with the exact approved music player, and you can't play the file at all without updating the pay-per-play playcount and reporting it to the music company. Or you can't run software unless the date is securely verified to be within the approved software-rental time window. The range of DRM-style Trust enforcement is virtually unending.
If you don't have your keys then the Trust system secures your computer against you. If you did have access to your keys then you have final control of the system, and then it would be a legitimate security system securing your computer for you.
That's the overly-short overly-simplified answer. Let me know if you want to address anything more detailed.
-
You Sire, are math-challenged:
2^48 = 281.474.976.710.656
Nope, you missed. The equals-formula you posted is, in itself, correct. However you missed the Birthday Problem. The chance for collision in a group becomes large when you get up around the square root of the number you posted... meaning in the ballpark of 2^24=16,777,216. Basically it's because in a group of N individuals there are about N^2 possible pairings that could collide.
-
There isn't any point in randomizing the MAC address of a home PC connected to your ISP. I had mobile devices in mind for MAC randomization.
-
Specifically, it is designed to be SECURE AGAINST THE OWNER. The Trusted Platform Module Technical Specification explicitly refers to the owner of the chip as an attack-threat which the chip MUST be secure against.
Citation needed ;) I'm sure you're misinterpreting some physical tamper-resistance line.
Unfortunately, being sure is all too often completely unrelated to being right.
It's in some text explaining design intent, explaining why they require certain internal data be handled in a particular way. They specifically state they are doing it this way to prohibit a "rogue Owner" from being able to register an Identity with more than one Privacy Certificate Authority.
TCPA_Main_TCG_Architecture_v1_1b.pdf
According to internal document page numbering it's on page 267, but the PDF viewer software calls it page 277. The exact sentence is:
This feature prevents a rogue Owner from assembling identity_binding data structures outside the TPM and hence obtaining attestation to the same TPM identity from multiple Privacy CAs.
They explicitly named the Owner as the primary focus of their threat model. They explicitly took steps to secure the chip against an owner attempting to manage his privacy identities. And they did it because the underlying "security threat" was that an Owner could attempt to use the duplicate anonymous identity to gain local control to modify a "security property" that was demanded by someone else via Remote Attestation of the first anonymous identity. And in this case a "security property" being demanded by someone else via anonymous remote attestation is basically a generalized way of saying a DRM-style-enforcement-commitment, and using a duplicate anonymous identity to modify that "security" setting basically means being able to break/escape the DRM.
Remember - they explicitly stated the security threat here was the OWNER. Furthermore note that these are anonymous identities used for remote attestation.... this has nothing to do with securely checking the state of the system for yourself. This is securing the state of the computer against the owner for the benefit of a remote party - specifically a remote party whom the owner doesn't trust - someone to whom the owner specifically wants to remain anonymous. That pretty much means some random corporation or random website he doesn't want tracking him, and which wants something like DRM enforcement in place on his computer. And again, this is all in the context of them declaring the OWNER to be the threat they are securing against.
I don't doubt you've looked at it. But clearly you've looked at it from the perspective of how you think it impinges on your liberty
I've considered it from all angles. I would fully support a similar chip which was designed as a legitimate pro-owner security system. However that's not this chip.
rather than from the perspective of a security engineer trying to achieve simple properties such as executing code that isn't manipulated by an attacker.
I fully understand that issue, and that can easily be achieved with a legitimate security system, one securing the system for the owner rather than securing it against the owner, one where the owner has the final say in control and security settings.
(Note that an owner "opt-in" for something like a DRM scheme is an owner having an initial say on security settings, but the owner having the final say on security settings means he has full control to modify the security settings later.)
Let's play this game. I'll propose an alternative system, one where the owner can have that final say if he wants it, thereby having the power to avoid or solve 100% of the objections to the system, and you go ahe
Help me judge which of you is right.
Alsee says I can't have the keys to the TPM which comes with the computer I buy. You disagree with Alsee.
No, he explicitly agreed with me on that point:
I said: "The TPM technical specification is quite explicit that the owner of the computer is FORBIDDEN to ever get his keys"
He said: "Forbidden from getting them out of the TPM"
That's agreement.
He merely followed up with a lame explanation "not forbidden from using them in ways that allow for guaranteeing security properties". The Trusted Computing definition of "security properties" explicitly includes security against the owner. "Guaranteeing security properties" means you are unable to read or alter your own files in Sealed Storage. An example "security property" would be that you can't read (and run) a Sealed-Storage program without securely verifying that the date is within the approved software-rental period. Or think DRM music file, the "security property" is that the chip won't let you play the music except with the approved DRM-music player, and only if it decrements the number of plays remaining in the pay-per-play count.
It also means enforcing the security of Remote Attestation, which in plain English means a cryptographically secure "spy report" sent out to other people over the internet telling them exactly what software you are running. For example if you had your master keys you could tell a website that you aren't running an ad-blocker when you actually are. That would violate the anti-owner "security properties".
That's why you're forbidden to have your keys.... then other people could not Trust that your computer would enforce anti-owner "security properties" against you.
Standard line argument is that it's all A-ok because it's all "opt-in". If you don't "opt-in" all "security properties" are still enforced against you, enforced in the sense in that nothing works (you can't violate security if nothing works and you can't do anything). If you don't "opt-in" you're denied any ability to read or modify Trusted-secured Files, if you don't "opt-in" you're denied the ability to run Trusted-secured programs at all, if you don't "opt-in" you won't be able to access websites at all if they use the Trust system to ensure you don't copy pictures or to check if you're running an ad-blocker. And if you don't "opt-in", then in a few years you might be denied internet access. The Trusted Computing Group has created something called Trusted Network Connect, and Microsoft has an equivalent version called Network Access Protection. That's a system where a network (or your ISP) can ask for a Trusted Health Check. A "Health Check" is that spy report I mentioned before, it reports the exact software running on your computer. The "Health Check": ensures that you're not infected by a virus(*), and ensures that you're running an approved operating system with ALL of the mandatory patches, and enforces that you're running any mandatory "security software" they want you to run, and that you're not running anything they don't want you to run. And if you don't "opt-in" then you can't pass the "Health Check", and your computer is "quarantined".... no network access. Obviously no ISP could ever deploy something like that.... not unless most customers already had Trust Chips in their Computers.... oh yeah Microsoft is making Trust Chips mandatory in all new PC's 16 months from now. But even then it would obviously be several more years before most people had Trusted PC's, before ISPs could deploy that sort of "Trusted Health Check" to get internet access. But don't worry, this is all a good thing.... it's just a Health Check.... 
to ensure you're not infected and spreading viruses
As he explained, there's nothing evil about the system.... they
TPM - Its never there
It's already in essentially all laptops, it's already in essentially all "business class" desktops, it's already in some "personal class" PC's, and it's MANDATORY in ALL new Windows PC's as of 16 months from now.
Ummmm yeah........ "never".
-
Minor correction: Microsoft has declared they plan to make it mandatory starting less than a year-and-a-half from now.
-
There's lots of screaming about it, that is backed up by a big lack of knowledge about it.
I've studied all one-hundred-plus pages of the TPM technical specification. I know how it works in detail.
It really seems like something that some people just want to be a big evil issue so they pretend it is.
At one point the TPM technical specification explicitly names the owner of the computer as a potential "attacker", and explicitly states the chip must be secure against the owner. And in about a hundred places it endlessly mandates that the chip is forbidden to allow anyone, which includes the owner, to ever access the master keys.
I could see the issue if this was being required, but it isn't.
Microsoft has declared they plan to make it mandatory starting less than a year from now.
-
Also not only does Windows 8 not need secure boot, it doesn't even need UEFI...
I swear these paranoid types need to spend a bit of time getting their learn on about new technologies before whining about them....
The amount of knee-jerk that goes on with this shit is pretty amazing.
Quoting fucking MICROSOFT.COM News Center:
"Trustworthy hardware. The Trusted Platform Module is a hardware security device or chip that's a great tool for the enterprise, but until now has been an optional piece of technology for consumer devices. TPM provides a number of crypto functions, including securely storing keys and performing cryptographic measurements. We're working to require TPM 2.0 on all devices by January 2015"
You're seriously going to call me "paranoid" when Microsoft has an official public statement that they plan to make this Trusted Computing shit mandatory starting less than a year and a half from now?
Over a half-billion computers have already been shipped with this shit welded to the motherboard. THAT'S why the Ask Slashdot story is asking how to avoid this shit. A lot of computers already come with this shit on the motherboard, and not all of the sales materials list that it's in there.
-
But *no* consumer board I'm aware of ships with the *chip.*
Then you obviously haven't been paying attention. Almost all laptops are now shipping with TPMs, and they are increasingly being shipped in desktops. When I was shopping for a PC last year I spotted TPM listed in several system specification lists from different major PC vendors.
According to the Trusted Computing Group more than a half billion PCs have already shipped with the Trusted Platform Module. Computer Weekly puts it at over 600 million PCs.
And according to ZDNET, "In January 2015, TPM 2.0 will be required on all certified Windows devices".
And according to Microsoft News Center, and I quote:
The Trusted Platform Module is a hardware security device or chip that's a great tool for the enterprise, but until now has been an optional piece of technology for consumer devices. TPM provides a number of crypto functions, including securely storing keys and performing cryptographic measurements. We're working to require TPM 2.0 on all devices by January 2015
So the answer to the question, I think, remains "All of them."
You were trying to say that "all" personal computers were TPM-free, but it turns out that "All of them" is what they plan to try and force on us starting less than a year and a half from now. And as noted, over a half billion already shipped.
-
The Globally-Unique MAC addresses seem to be a pretty blatant security and tracking problem. I've been increasingly wondering why we don't simply start randomizing the MAC address every time the device is turned on, or perhaps even randomizing it for each new connection.
Yes, in principle this could result in a random address collision between two devices. However MACs are 48 bits... this means you'd need to have over 16 million devices simultaneously connected to the same access point before there's a substantial chance of two of them randomly colliding. I'd call that a rather pretty negligible trade off to obtain some privacy and security. And if one device does detect a MAC collision it could simply re-randomize.
As for additional "security risks" of randomizing MAC addresses, not really. It's already trivially easy for someone to deliberately fake your MAC address on their own device. So no new threat there. If anything, I think randomizing (and regularly re-randomizing) the MAC address would be a security benefit. If someone does deliberately fake your MAC address, the target lock is neutralized when your device re-randomizes.
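The birthday-bound arithmetic from the two MAC-randomization comments (the 2^48 reply and the post above), worked through as an added example that is not part of the original posts. It assumes uniformly random addresses; the function names are illustrative, and the 46-bit case reflects that a randomized address must set the locally administered bit and clear the multicast bit, leaving 46 random bits.

```python
import math
import secrets


def collision_probability(devices: int, address_bits: int) -> float:
    """Chance that at least two of `devices` random addresses collide.

    Birthday approximation: 1 - exp(-n(n-1) / (2N)), with N = 2**address_bits.
    """
    space = 2 ** address_bits
    pairs = devices * (devices - 1) / 2
    return -math.expm1(-pairs / space)


def devices_for_probability(p: float, address_bits: int) -> int:
    """Approximate device count at which the collision chance reaches p."""
    space = 2 ** address_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - p))))


def random_mac() -> str:
    """Random unicast, locally administered MAC (46 random bits)."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & 0xFE  # set local bit, clear multicast bit
    return ":".join(f"{b:02x}" for b in octets)


def join_network(in_use: set, draw=random_mac):
    """Pick an address, re-randomizing while it collides with one in use.

    Returns (address, number_of_re-randomizations) and records the address.
    """
    retries = 0
    mac = draw()
    while mac in in_use:
        retries += 1
        mac = draw()
    in_use.add(mac)
    return mac, retries


if __name__ == "__main__":
    for bits in (48, 46):
        print(f"{bits}-bit address space")
        for n in (1_000, 100_000, 2 ** 24):
            print(f"  {n:>10} devices: P(collision) = "
                  f"{collision_probability(n, bits):.3e}")
        print(f"  50% collision chance at about "
              f"{devices_for_probability(0.5, bits):,} devices")
    network = set()
    print(join_network(network))
```
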
-
Ooops. Ignore my comment above.
I had Slashdot post threshold at 3. I didn't see the AC post about Apple. I thought you were referring to the original AC post regarding the TPM.
-
TCM/TPM is often a business only feature.
That was the initial market, but the Trusted Computing Group is quite clear that they intend, as soon as they can manage it, for it to be included in all computers. And they are well on their way to achieving that. They are already included in almost all laptops, and they are increasingly showing up in desktops.
In other words, yes, you can totally opt out of buying a motherboard with TPM
The entire point of the Ask Slashdot is that it's becoming increasingly difficult to do so. More and more computers are being shipped with the TPM soldered in place, and without the product description mentioning that fact anywhere.
-
As usual, people fear what they don't understand.
I've studied the entire TPM technical specification. I understand it in minute detail.
The trick to TPM is *WHO HAS THE KEYS*. If *I* have the keys, it is a great feature.
EXACTLY!
And the entire point here is that you DON'T have the keys. The TPM technical specification is quite explicit that the owner of the computer is FORBIDDEN to ever get his keys. Specifically this means the PrivEK (Private Endorsement Key) and the SRK (StorageRootKey). The owner is forbidden to have his StorageRootKey, because the StorageRootKey is explicitly designed to encrypt data on the harddrive such that the owner of the computer cannot read or alter it. The owner is forbidden to have his Private Endorsement Key because this key is used to secure the Remote Attestation process against the owner. Remote Attestation is where the chip securely (secure against the owner) tracks your hardware and the software you run, and sends that spy-report out to other computers over the internet. If the owner had his Private Endorsement key, these Attestation spy-reports wouldn't be secure against the owner.
TPM is just a secure hardware keystore.
It's more than that, but an important part of it is that it's a "secure hardware keystore". Specifically, it is designed to be SECURE AGAINST THE OWNER. The Trusted Platform Module Technical Specification explicitly refers to the owner of the chip as an attack-threat which the chip MUST be secure against.
Stallman's piece focuses exclusively on TPM being implemented as a mandated piece where either the gov't or the media industry has the keys.
The "Master Keys" are held by the Trusted Computing Group. The crucial individual keys are locked inside the Trusted Computing chips, secured against the owners.
Focusing on one theoretical use case and determining the entire system is evil is just plain wrong.
Let's make it really simple. The moment they give owners some option to read their keys out of the chip, or give owners the option to buy chips that come with a printed copy of their keys, then I will jump up front and center proclaiming that Trusted Computing is wonderful and harmless... I'll lead the charge smacking down anyone claiming it's evil.
However the Trusted Computing Group has explicitly refused all demands for any sort of "Owner Override" and explicitly forbid owners to ever get a hold of their own keys. That is because the entire point of Trusted Computing is to secure computers AGAINST their owners. The entire point of Trusted Computing is that "Owners can't be trusted", so they want to be able to "Trust" computers to be secure against the owners.
The moment they allow owners to get their keys then I agree that the owner is in control.
Note that the standard argument against allowing owners to get their keys is that a virus or malware or something might get a hold of the key if it's accessible from the chip, or if it's on the harddrive anywhere. Which is a patently bullshit argument for refusing to let me buy a chip with a PRINTED COPY of my master keys. Malicious software can't read paper. End of argument. Then I can toss the printed keys in my safety deposit box at my local bank, and you can't make any believable argument that it's somehow "for my security" that you're refusing to let me get my own goddamn keys.
A simple rule for everyone:
Just say "I want my keys", NO KEYS, NO SALE
-
Are you clueless? He's not "talking sense". The whole point here is that it's becoming increasingly difficult to not-buy a TPM. A lot of motherboards now have this shit welded in place, and its presence is often not listed when you're shopping to buy a computer.
An "Ask Slashdot" on how to avoid purchasing Trusted Computing is entirely appropriate. Hell, there should be a goddamn front page story in the New York Times telling people that many computers are being shipped with TPMs, and informing the general public where to shop if they don't want to fork over money for an anti-owner TPM chip pre-welded into whatever computer they buy.
-
No, it's you missing something.
just don't buy the module.
THAT IS EXACTLY WHAT HE'S TRYING TO DO.
A lot of computers are now being shipped with TPM's SOLDERED onto the motherboard, and they are making progress on packaging the TPM inside the CPU chip.
He doesn't want to buy that crap, I don't want to buy that crap, and the problem is that a lot of people are buying that crap without knowing it. The Trusted Computing Group has stated that part of their strategy for forcing everyone to buy into their Trusted Computing crap is to ensure that TPMs are already built in to all new computers being sold.
-
I like my jokes like I like my symphonies
-
I like my women like I like my wine....
one hundred years old and locked in my cellar.
-
The exploit transmits your identifying information to IP address 65.222.202.54. The information includes a unique tracking number generated by the exploit server, your computer's MAC address, your computer's host name, and any other IP addresses and host names visible on your local network.
This IP address traces back to a Verizon business account just outside Washington D.C., not far from FBI and CIA headquarters. You can see the IP location trace here, complete with a zoomable Google map. However note that the location trace is probably just an approximate location. Zooming all the way in shows a local shopping center, but that's probably just the location randomly landing at the "center" of a town or other service area.
-
UEFI was never intended to improve security. Along with Microsoft's extensions it was designed as a lock-in tool.
Reality check. ...Secure Boot wouldn't be a problem for the geek if OEM Linux had a significant share of the x86 desktop.
It looks like your post was intended to show the prior commenter was "not in touch with reality", however what you actually did was confirm that he was right. Your conclusion states "Secure Boot wouldn't be a problem ...if...", which pretty explicitly states that Secure Boot is a problem. Your conclusion is actually confirming that lock in problem of Secure Boot, regardless of what anyone claims the intent was, and regardless of any arguments over whether the system is otherwise noble or malicious.
And yeah, TrustedComputing&Secureboot are a truckload of extremely malignant problems even if Linux were a majority share of desktops.
-
That's no moon!
Oh wait, yes it is.
-
One of the perks of dating a geek is that we are now the only ones who are ever going to take you to the hottest restaurant in town.
Jocks need not apply.
-