  gracie Geek Goddess Premium join:2003-07-15 confusion
trusted computing: promise and risk
interesting article from EFF; snips here, link to full article, and link to a 201k pdf version:
»www.eff.org/Infrastructure/trust···1_tc.php
Trusted Computing: Promise and Risk By Seth Schoen
Computer security is undeniably important, and as new vulnerabilities are discovered and exploited, the perceived need for new security solutions grows. "Trusted computing" initiatives propose to solve some of today's security problems through hardware changes to the personal computer. Changing hardware design isn't inherently suspicious, but the leading trusted computing proposals have a high cost: they provide security to users while giving third parties the power to enforce policies on users' computers against the users' wishes -- they let others pressure you to hand some control over your PC to someone else. This is a "feature" ready-made for abuse by software authors who want to anticompetitively choke off rival software.
201k pdf: »www.eff.org/Infrastructure/trust···1_tc.pdf -- graciella! "not tonight dear, I have DSL." Creating SuperOrganizations Worldwide Creating & Hosting SuperSites Worldwide
  JamPony9 Premium join:2004-12-08 Austin, TX
Schoen is right. The whole TC design could secure the computer for the owner and go a long way against the epidemic of Windows malware and other problems - if not for the "attestation key". This one "feature" transforms the whole TC concept into a vast DRM scheme.
To say the same thing in another way, what's evil about TC is that it is designed to prevent the computer owner from having full access to, or control over the "trusted platform module". If this one aspect were reversed, TC would not be "trusted" by remote parties to enforce their rules against the computer owner, but for the same reason, it would enable a higher level of security for the owner.
Schoen doesn't even lay out the full implications adequately, IMHO. With secret keys embedded in everyone's computer, TC would not only fail to support security for the computer owner, it would abolish even the possibility of security. And it would not only let the copyright cartel prevent copying of music and movies; it would also enable a vast censorship regime. Only the owners of those secret digital keys would be able to rely on a computer to tell the truth anymore; for anyone else, it could delete or falsify any data undetectably.
See also:
Richard M. Stallman on TC: »www.gnu.org/philosophy/can-you-trust.html
Ross Anderson's "TCPA FAQ" is the canonical source on this subject. »www.cl.cam.ac.uk/users/rja14/tcpa-faq.html
Alsee's posts on Slashdot »slashdot.org/~Alsee/ , for example this recent one »slashdot.org/comments.pl?sid=156···13148075
  gracie Geek Goddess Premium join:2003-07-15 confusion
thanx, jampony...more to feed into what is turning into a bit of an obsession with me...from the day i first learned about palladium, i have been seriously concerned about this trend, which is getting more outrageous as time goes on. and so few know about it, or care.
  sybille Not only "just visiting" Premium join:2004-04-06 France
reply to gracie Just another link with information, this time from IBM. It's both an explanation and a defense of the concept of trusted computing, specifically as distinguished from DRM and Palladium.
»www.research.ibm.com/gsal/tcpa/t···ttal.pdf
The rationale seems to be that a potentially useful tool should not be cast aside only because it can be used for potentially nefarious purposes.
It seems to me that to evaluate this argument requires the reader to decide how much to trust IBM. Perhaps it is worth noting that the company seems to have been comparatively open about its tcpa (not DRM, not Palladium) hardware. For example, see: »www.linuxjournal.com/article/6633
A key distinction is that these particular tcpa measures can be disabled by the user.
  JamPony9 Premium join:2004-12-08 Austin, TX
sybille, That IBM paper defending TC is full of distortions, evasions and deceptive rhetoric. Regrettably I don't have time to dissect it here and now - I'm at work and have only a few minutes - but plan to write on this subject soon on the web and specifically refute that guy.
Briefly, from memory, tho (and I paraphrase freely):
Claim 1: "It is not suitable for DRM because it is not protected against user attack".
Answer to 1: this is like saying, you might find some way to break into the bank vault, therefore the bank vault is not really designed to keep you out. In fact, TC is designed to prevent the computer owner from having access to the "trusted platform module" except thru a few selected commands which have limited effect.
Claim 2: "It is not a DRM scheme, only a piece of infrastructure that can be used for various things..."
Answer to 2: "Yes we sell razor-wire, guard towers, rifles and steel bars - but prisons also need walls, and we don't sell the walls, therefore we're not 'really' in the prison business! Never mind that our products are designed to integrate with wall vendors."
Claim 3: "The key never leaves the chip, therefore your privacy is not at risk!"
Answer to 3: This is so deliberately obtuse that it is deceitful and insulting at the same time. Of course the key never leaves the chip. Instead they just generate a unique identifier that's mathematically related to the key, and that in turn uniquely identifies the computer as reliably as current technology allows.
Any lack of privacy invasion would depend on profit-oriented corporations voluntarily choosing, contrary to their interests, to respect your privacy. The author's repetition of "the key never leaves the chip" as a supposed reassurance is a cynical attempt to exploit people's ignorance of how it actually works.
Claim 4: "You can turn it off"
Answer to 4: Yes, but your computer will still report to outside parties "i'm a TC-enabled computer with TC turned off". And later, when the full plan kicks in, you won't be allowed to connect to the internet without turning it on.
I could go on but will leave it to other articles for now.
  catseyenu Ack Pfft Premium join:2001-11-17 Fix East
reply to gracie The problem is most users don't understand (or even want to) how things work so long as they do... Which allows them to be led places they won't like later. Those that want control over their own property/hardware etc. will eventually find themselves using other products. "What do you mean you want the keys to your own house... don't you trust me?"
-- Need A Software Solution?...List of Lists
  sybille Not only "just visiting" Premium join:2004-04-06 France
reply to JamPony9 I didn't mean to suggest that I fully agree with IBM's spin on the matter.
I'm a Linux user, so I'm interested in why there is an interest in including tcpa in Linux. For example, see:
»www.gentoo.org/news/en/gwn/20050···tter.xml »linux.slashdot.org/article.pl?si···&tid=106 (the latter is the Slashdot discussion of the article from Linux Journal I linked to earlier).
I don't know what I think of all that, still.
However, you don't need to convince me that there is a lot to be worried about here. In fact, it's much easier to identify the potentially abusive applications of this technology, and that in itself is quite telling.
P.S.: Anyone who wants the source code for IBM's tcpa driver for Linux can download it from »www.research.ibm.com/gsal/tcpa/
  JamPony9 Premium join:2004-12-08 Austin, TX
said by sybille: I didn't mean to suggest that I fully agree with IBM's spin on the matter. ... Right, I didn't mean for my post to come across as implying that you did. It was intended only to address the paper that you referred to.
The problem with Linux and TC is essentially this. The whole software stack has to be digitally signed to run in "trusted" mode. That's doable. But then as soon as you recompile your kernel, to change a driver or something, the signature becomes invalid, and you're locked out of the "trusted" mode. Likewise with all the various programs. So while it's still "open source" in some theoretical sense, in practice users would have to get software from vendors who could purchase the certificates, and never change anything from what the vendor provides.
  MrBradTX
join:2001-05-23 Carrollton, TX
reply to gracie The issue with trusted anything is determining whether the other party is trustworthy.
I'd also be interested to learn whether the owner can revoke trust once granted.
  sybille Not only "just visiting" Premium join:2004-04-06 France
reply to JamPony9 said by JamPony9: But then as soon as you recompile your kernel, to change a driver or something, the signature becomes invalid, and you're locked out of the "trusted" mode. Likewise with all the various programs. Do you have any references for this?
If this IBM tcpa is first and foremost a kernel driver or module, then it would seem that it could be unloaded from the kernel like any other module, without touching the rest of the installed software or the kernel itself.
At least, I know for a fact that I can load and unload other kernel modules to my heart's content without altering the function of the rest of my system.
I'm not claiming that what you say is not true, but I would like to read more about it.
Daniel Premium,MVM join:2000-06-26 Pleasanton, CA
reply to gracie Ah yes...and my initials are DRM.
  JamPony9 Premium join:2004-12-08 Austin, TX
reply to sybille said by sybille: Do you have any references for this? ... I would like to read more about it. For how it works, see the Ross Anderson FAQ linked above, and the actual TCG specification linked from there.
All I can recall offhand about the Linux case in particular is the documentation on the TC version of Gentoo (I think there was a FAQ or something) and the Slashdot discussion. Of course on /., only some of the posts are reliable, and you have to know which ones they are.
It's more than just another module. Assuming the full specification is implemented, the "protected mode" (there are different names for all these things) involves walled-off memory segments, encrypted areas of disk, encryption on the system buses, etc., so nothing can "leak". The software has to be verified by a "chain of trust" all the way from firmware in the "Fritz chip" thru the OS, drivers and applications. As soon as the chain is broken, meaning something un-"trusted" (i.e. its signature does not check out) is running, the "trusted mode" is turned off and the user has no access to anything in the encrypted areas.
So you could use an unsigned browser, for example, but sites requiring TC to be on would not give you pages; and anything saved in "trusted mode" would be unavailable outside of that mode - i.e. strongly encrypted with keys that are (to use the TC terminology) "protected" from the computer owner's "attack".
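As an added illustration (not code from this thread, nor from IBM's driver or any TCG implementation), the following Python simulates the chain of trust and sealing JamPony9 describes above and in the earlier post about recompiling the kernel: each boot stage is measured into a PCR-style register with the TPM extend rule, and data sealed to the vendor's measurements stays unavailable once the owner's rebuilt kernel changes the chain. The extend rule is the real TPM one; the chip root key, the toy sealing scheme and the two boot chains are constructed stand-ins.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed simulation of a measured-boot chain of trust: firmware, OS, drivers
# and applications are each measured (hashed) into a PCR-style register using the
# TPM extend rule PCR = H(PCR || H(component)). A secret sealed to the expected
# PCR value is released only when the same components are measured in the same order.

# Constructed stand-in for a key that never leaves the chip.
_CHIP_ROOT_KEY = b"constructed-chip-root-key"


def measure(component: bytes) -> bytes:
    """Digest of one component's contents, taken before that component runs."""
    return hashlib.sha256(component).digest()


def extend_chain(chain: List[Tuple[str, bytes]]) -> bytes:
    """Extend a zeroed PCR with every component in boot order; any change or reorder alters it."""
    pcr = bytes(32)
    for _name, content in chain:
        pcr = hashlib.sha256(pcr + measure(content)).digest()
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> Dict[str, bytes]:
    """Encrypt a secret under a key the chip derives from its root key and the expected PCR."""
    key = hmac.new(_CHIP_ROOT_KEY, expected_pcr, hashlib.sha256).digest()
    blob = bytes(s ^ k for s, k in zip(secret, key))  # toy one-time pad; secret <= 32 bytes
    return {"blob": blob, "pcr": expected_pcr}


def unseal(sealed: Dict[str, bytes], current_pcr: bytes) -> Optional[bytes]:
    """Release the secret only if the current PCR equals the value it was sealed to."""
    if not hmac.compare_digest(current_pcr, sealed["pcr"]):
        return None  # chain broken: data saved in "trusted mode" stays unavailable
    key = hmac.new(_CHIP_ROOT_KEY, current_pcr, hashlib.sha256).digest()
    return bytes(b ^ k for b, k in zip(sealed["blob"], key))


# Constructed boot chains: the vendor's signed stack, and the same stack after the
# owner recompiles the kernel (only the kernel image differs).
VENDOR_CHAIN = [("firmware", b"fw-1.0"), ("kernel", b"vmlinuz-vendor"),
                ("driver", b"nic.ko"), ("app", b"browser")]
REBUILT_CHAIN = [("firmware", b"fw-1.0"), ("kernel", b"vmlinuz-owner-build"),
                 ("driver", b"nic.ko"), ("app", b"browser")]


def demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Seal a secret to the vendor chain, then try to unseal it from both chains."""
    sealed = seal(b"movie-decryption-key", extend_chain(VENDOR_CHAIN))
    return unseal(sealed, extend_chain(VENDOR_CHAIN)), unseal(sealed, extend_chain(REBUILT_CHAIN))
```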
  sybille Not only "just visiting" Premium join:2004-04-06 France
I just looked at the Ross Anderson FAQ again, and the scenario you describe for Linux applies only to particular versions of Linux which are tcpa "enhanced":
quote: IBM and HP have apparently started work on a TC-enhanced version of GNU/linux. This will involve tidying up the code and removing a number of features. To get an evaluation certificate acceptable to TCG, the sponsor will then have to submit the pruned code to an evaluation lab, together with a mass of documentation showing why various known attacks on the code don't work. (The evaluation is at level EAL3 - expensive enough to keep out the free software community, yet lax enough for most commercial software vendors to have a chance to get their lousy code through.) Although the modified program will be covered by the GPL, and the source code will be free to everyone, it will not work in the TC ecosystem unless you have a certificate for it that is specific to the Fritz chip on your own machine. That is what will cost you money (if not at first, then eventually).
There is no explanation there of how this particular variation of Linux would come to replace the one (thinking kernel) that exists now.
I have no doubt that there are many who would like to see the GPL destroyed. I fear that Linux users will be locked out of many arenas (document exchange, web use, etc., etc.).
So, I remain very concerned about where all this is leading - concerned enough to have cut the MS cord, for instance. The counter-culture always seems to be more interesting, anyway. 
Sometimes, though, I do entertain the idea that this technology might have some useful purpose. In other words, I don't know that it's a gun at this point. It might be more like a kind of medicine with serious side effects that would only be needed in special circumstances, in which it was determined that the benefits would outweigh the risks. (I certainly wouldn't put multimedia and OS DRM limitations in that category!)
A quick search did not reveal any relevant entries in the Gentoo wiki.
Daniel Premium,MVM join:2000-06-26 Pleasanton, CA
reply to gracie I don't mind if some vendors go in this direction as long as we as consumers have options. As long as there are alternatives like OSX and Linux, I think it's perfectly fine for companies like Microsoft and Intel to push their way of thinking. This is, after all, what made the country what it is.
The problem doesn't start until we lose our ability to select an alternative. If the users are simply too stupid to know they have a choice, well -- that's not Microsoft's fault now is it? In short, the notion of, "X company made me do Y!", doesn't stand up in court. As of now, no one is making anyone do anything. People can choose to not buy Windows. They can choose not to buy a Dell.
Until that changes, I'm all for DRM, PHW or whatever crazy stuff these people want to push. You can always say no. -- dmiessler.com - grep understanding knowledge
  JamPony9 Premium join:2004-12-08 Austin, TX
reply to gracie said by Daniel: I don't mind if some vendors go in this direction as long as we as consumers have options. ... Yes, as long as we have a choice, we're fine. Ideally, those who value "open computing" and security will be able to buy hardware without the TC module and compile their own code and communicate freely. And those who want to play Hollywood movies and next-generation music files on their computers will go the "trusted" route. Users of corporate networks from home or on the road will probably be required by their companies to use TC machines, unless the companies consider it a security hazard (use MS apps and you have to trust MS, etc.).
In this "choice" world there would be no reason to use a TC version of Linux unless you wanted the movies, corporate access, etc..
The nightmare scenario, which Stallman, Lucky Green, Anderson and others warn about, is that TC equipment running in "trusted" mode may be required as a condition of internet access - by ISPs or by law. This is what TCG »https://www.trustedcomputinggroup.org/ appears to be aiming at. "Trusted Network Connect (TNC) Architecture to Ensure Endpoint Integrity and to Protect Networks" (quotation from their home page) may be currently aimed only at private networks, but it could be easily extended to an ISP requirement.
I have little patience with those who say "it hasn't happened yet; there is no guarantee that it will; therefore there's nothing to be concerned about". You could stand on the train tracks and say that and be absolutely correct, in the strict sense, right up to the moment when the train hits you. At some point a reasonable person must recognize that all the signs are pointing in a certain direction, and if that direction is unacceptable, then it's time to do something.
(This last paragraph is not aimed at anyone in this thread; I refer to many who have dismissed the threat on other boards.)
  live free or die
@verizon.net
said by "JamPony": I have little patience with those who say "it hasn't happened yet; there is no guarantee that it will; therefore there's nothing to be concerned about". You could stand on the train tracks and say that and be absolutely correct, in the strict sense, right up to the moment when the train hits you.
That was, perhaps, the most beautiful analogy *ever*. Thanks for sharing. Btw, it's refreshing to read posts from someone that has, erm, "more than the average share of 'clue'", on these boards.
said by "JamPony": At some point a reasonable person must recognize that all the signs are pointing in a certain direction, and if that direction is unacceptable, then it's time to do something.
I don't think that they teach that concept in gov't schools any more. They simply train the young ones to react, rather than "think ahead". Remember, when someone with seeming authority shouts "jump", the only proper response is "how high", not "why should I care to jump in the first place, and why should I even listen to you"?
The good news: there will always be freedom, somewhere. Even if it only remains as a lingering desire in one's heart.
The bad news: such freedom may not always be popular or mainstream.
Samizdat. The "underground railroad". FreedomNet.
There ARE ways, don't give up hope yet people!