“Intel is to embed certificates into the processor. Embedded certificates will be a feature of Banias processors next year. […] What are the downsides? You can count them. The business of ownership of a device suddenly becomes very important indeed – your PC is tagged at birth, and your choice of operating system or browser is contingent on the generosity of the certification authority.” Read the report at TheRegister.
Intel Reveals Share Denial PC Scheme
About The Author
Eugenia Loli
Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.
Follow me on Twitter @EugeniaLoli
Man this pisses me off. Well, my two fastest computers are AMD and if they play along I’m going Cyrix etc. The market will correct this.
The key here is Verisign, moreso than Intel. Sure, Intel is putting the ID details into the chip, but that’s all pretty much worthless without something like Verisign (or Passport) to back it up.
Without a Central Certificate Authority, nothing happens. If your machine isn’t connected to the Net, nothing happens. While many machines are connected to the Net, many more are not. Lots of important servers are behind so many firewalls, they never see the Wild internet.
With the fear of viruses, hackers, script kiddies, etc., nobody who is security conscious lets important hardware connect to the internet without some kind of hardening and security process.
Machines MUST be completely usable without ever connecting to the internet. Just because my front end web servers accept traffic on port 80, doesn’t mean it lets traffic out on port 80.
At that point, a little bit of firewall trickery should enable anyone’s machine to see all of the internet EXCEPT FOR the new Central Certificate Authority. If you can block the CCA’s, then it’s just as if your computer “was never on the internet”.
QED. Let ’em play their games, and we can play ours.
At that point, a little bit of firewall trickery should enable anyone’s machine to see all of the internet EXCEPT FOR the new Central Certificate Authority. If you can block the CCA’s, then it’s just as if your computer “was never on the internet”.
Good idea. Let’s hope it works.
I try to lead a life with the least amount of paranoia, but this is rediculous.
if intel and AMD and go into this i will probably get a mac or better yet a computer with a ibm power 4 core inside
power all the way
Sounds like a great opurtunity for AMD if the don’t follow Intel
I know what I’ll be buying if Intel trys to pull this stunt!
Go Athlon… rah rah rah!
PRAX
Every ethernet card or cable modem already has a unique MAC address,
which could be used to identify you. I’m not sure what advantage a
serial number in the processor has over this. The cable company knows
who you are.
Of course not everyone is on broadband, but I presume cell phones have
similar identifiers.
The problem comes not from putting a number in the processor but from
using it for “digital rights” operations.
…some years ago they tried this already. but the mission failed because there were enough people who doesn’t like that.
the only guys who like that are the m$-people and some fbi-freaks ;-).
—
worst case:
if there comes much pressure from bis sw-developers who like this (like m$), they will put it as a required component into their sw (windows?). so amd must do the same shit.
In the early ’80’s, was it IBM choosing Intel, or Intel sucking up to IBM for all that money? Why *did* IBM choose Intel processors over all the other neat stuff out there, anyway?
Now it’s Big Media?
Maybe I’m wrong. If not, when do we stop this?
This is not just a serial number.
As far as I know it is really easy to spoof a MAC address. I have done it through the router at home previously.
Comments?
The market will not accept such CPUs.
The only risk is that these embedded certificates will be mandated by legislation.
Even then, will Intel make CPUs without a certificate for markets where a certificate is not legally required? How will it stop these CPUs finding their way back to the USA?
No, CPUs with certificates will last about as long as the Pentiums with ID numbers, or the Greek law banning video games.
I know its staggeringly arrogant to say this.. but..
Fastest x86 processor on sale currently clocks at 2800mhz ( correct me if wrong? )
Most-used current x86 OS on sale requires 300mhz
Tough luck for the new entrants into the market.. but I think it will be a long time before any conceivable application won’t run on pre-certification Intel chips.
And like the man said.. Intel isn’t the sole supplier of x86s..
My CISCO instructor told me an Ethernet card manufacturer was sued for shipping NIC cards with non-unique MAC addresses.
things embedded in the processor are only trackable if the OS lets it…meaning this is gonna only affect windows users…meaning all ya gotta do is run freebsd or linux…b/c i’d be damn surprised if linux kernel devs implemented this “feature”
-bytes256
Yes but if you spoof the MAC address it makes no difference. They have no way of knowing your real MAC Address.
Sued? By who? Who governs MAC addresses? Non-unique MACs is a great idea; I’d buy one.
ummm actually non-unique MACs is a HORRIBLE idea…b/c it’ll break your network if you happen to have the same MAC as someone on your network
ethernet doesn’t work without unique MACs for a segment…on a small little LAN this doesn’t matter a whole hell of a lot…but for say connecting to a DSL or Cable network…it probably ain’t a good idea
and really, what the hell is the point of having a non-unique MAC address…i’d love to hear this explained
-bytes256
Most (All?) wireless ethernet cards let you change their MAC address.
I wouldn’t use it on a lan LOL- just at home
On a cable isp network, the mac for the nic wouldn’t matter, dont they use the mac from the cable modem?
I suppose that kind of defeats the whole purpose, though.
>>>The market will not accept such CPUs.
The “PC” market is composed of 90% business “PC’s” and 10% consumer “PC’s”. The whole point for TCPA/Palladium is that businesses can layoff many of their IT support staff if TCPA/Palladium lockes down their computers. This TCPA/Palladium thing will fly and will be adopted wholeheartedly by businesses IT departments.
>>>Even then, will Intel make CPUs without a certificate for markets where a certificate is not legally required?
No, it’s cheaper for Intel to make every CPU the same. They won’t care to differentiate the 10% PC market that are for “consumers”. And they won’t care about the small minority of geeks within the consumer market who object to it.
>>>No, CPUs with certificates will last about as long as the Pentiums with ID numbers…
If Intel didn’t stop embedding ID numbers on their Pentium III’s, maybe e-commerce could have flourished. The people who feared about the Intel Pentium ID numbers also feared about buying stuff on the internet with the credit cards — the problem is you can’t have it both ways.
>>>things embedded in the processor are only trackable if the OS lets it…meaning this is gonna only affect windows users…meaning all ya gotta do is run freebsd or linux…b/c i’d be damn surprised if linux kernel devs implemented this “feature”
I’ll be damn surprised if RedHat doesn’t implement this feature for their Advanced Server OS and then incorporate it back into the main tree. I’ll be damn surprised if IBM (one of the founding TCPA backers) doesn’t volunteer their staff to work on this for the main tree.
Microsoft’s new Secure Computing Initiative (Palladium) requires hardware support in order to operate. This type of CPU-based certificate is critical for the success of Palladium. This means that Intel has a built-in market for its chips. Unless either MS offers a non-SCI version of Windows or users start to jump ship in droves, Intel will not have any motivation to remove ther certificate features from its chips. Besides, who cares if there is acertificate in your CPU if the software doesn’t enforce it? The problem Intel faced with the ID first time around was that people quickly found a way to spoof the ID in software. If MS builds its OS to protect this certificate it might become more difficult to do this time around, but it won’t be impossible. It will end up being another crack/patch war between MS and the users.
…more computer industry BS.
I don’t upgrade hardware every year (or even every two), nor do I connect to the internet with anything other than BeOS. Maybe this will affect me some day… not today. In the mean time… where do I write to tell Intel where they can stick it?
I liked the word “pigopolists.” Still, I wish that on-line news sites would take better care of the use of English. I’d like to see them have the same quality (proofreading, language use) that, say, the New Yorker has (I don’t say “the local newspaper” because mine sucks). Even if the author is not a native English speaker, someone on staff ought to be.
The whole point for TCPA/Palladium is that businesses can layoff many of their IT support staff if TCPA/Palladium lockes down their computers.
WHAT? Where did you get that idea? Companies may enjoy the idea of being able to lock down their data, but that will be a long, difficult upgrade. It will be difficult if for no other reason that ALL of their machines will have to run the latest/greatest XP++ and applications, as these are the tools that enforce this kind of compliance. In the current environment their machines can run a mix of software (from 95-98 thru NT, 2K, or XP).
I don’t see how any of this makes the admins jobs any easier.
If Intel didn’t stop embedding ID numbers on their Pentium III’s, maybe e-commerce could have flourished. The people who feared about the Intel Pentium ID numbers also feared about buying stuff on the internet with the credit cards — the problem is you can’t have it both ways.
Ah, but see, you can. The people who feared the IDs in the Pentiums spends zillions of $$$ on line with credit cards. The detail is that their credit card is given by choice when appropriate, an internal ID is given based upon the whim of the program speaking to the net. It’s simply the safety of the CC that makes e-commerce possible at all.
If your CC# is compromised (gets in the wrond hands), you have to jump through a simple hoop to get it canceled and get charges reversed. Lose your “CPU ID”, and you get to buy a new machine. Which would you rather do?
I’ll be damn surprised if RedHat doesn’t implement this feature for their Advanced Server OS and then incorporate it back into the main tree. I’ll be damn surprised if IBM (one of the founding TCPA backers) doesn’t volunteer their staff to work on this for the main tree.
As long as people will be able to run any software they like on their computer and store any software they like on their hard drive, then things will be fine.
Just because MS wants to lock in their users, doesn’t mean everyone will.
As long as I can write a boot loader and have complete access to my own hard drive, then great. But as soon as I have to get Certs.Com to certify my own boot loader, or let me talk to my hard drive, there will be Issues. Then I get a Sparc from Korea…
>Then I get a Sparc from Korea…
Tell me more
>>>Companies may enjoy the idea of being able to lock down their data, but that will be a long, difficult upgrade. It will be difficult if for no other reason that ALL of their machines will have to run the latest/greatest XP++ and applications, as these are the tools that enforce this kind of compliance. In the current environment their machines can run a mix of software (from 95-98 thru NT, 2K, or XP).
That’s true RIGHT NOW. But the thing is that TCPA/Palladium won’t be available for mass consumption until something like the year 2008. By then all the 95/98/NT/2K machines will be out of circulation.
>>>If your CC# is compromised (gets in the wrond hands), you have to jump through a simple hoop to get it canceled and get charges reversed. Lose your “CPU ID”, and you get to buy a new machine. Which would you rather do?
Intel recommended e-commerce websites to NOT send the actual CPU ID directly back to their e-commerce servers. Intel recommended that these websites to combine their server’s unique ID number with the customer’s CPU ID number to “hash” a third number to be send back. This way, you don’t lose your CPU ID.
Besides that, I rather spend $500 for a brand new Dell computer than potentially getting an accidental blacklisting of my credit rating. It’s not that simple of just getting your credit card replaced.
>>>>As long as I can write a boot loader and have complete access to my own hard drive, then great. But as soon as I have to get Certs.Com to certify my own boot loader, or let me talk to my hard drive, there will be Issues.
TCPA also checks the integrity of the BIOS and master boot record (and boot loader). Can you write your own BIOS?
>>>As long as people will be able to run any software they like on their computer and store any software they like on their hard drive, then things will be fine.
>>>Just because MS wants to lock in their users, doesn’t mean everyone will.
You are absolutely right. TCPA/Palladium is an opt-in thing. You can purchase TCPA/Palladium hardware/OS/software and turn the security off. It’s not only that MS wants to lock in their users —- it’s the business IT customers who want to lock in their users. And paying customers are always right.
>>>Then I get a Sparc from Korea…
From a 1999 Wired article:
The chief executive officer of Sun Microsystems said Monday that consumer privacy issues are a “red herring.”
“You have zero privacy anyway,” Scott McNealy told a group of reporters and analysts Monday night at an event to launch his company’s new Jini technology.
“Get over it.”
http://www.wired.com/news/politics/0,1283,17538,00.html
I’ll trust Microsoft more than SUN.
Intel’s previous foray was a warning – I have not bought an Intel processor since.
Everyone who reads these forums is an “influencer” of less computer literate people. The best marketing campaigns are word of mouth. This is the time to start it.
“Don’t buy Intel. Their chips are designed so that your privacy can be sucked out of your PC”
>>>Intel’s previous foray was a warning – I have not bought an Intel processor since.
AMD also belongs to TCPA. And IBM is the main backer of TCPA, so PowerPC chips will have TCPA built-in eventually.
Can’t buy intel, can’t buy amd, can’t buy a powerpc mac, can’t trust Scott McNealy/SUN. Can’t use linux, because eventually RedHat/IBM will volunteer their staff to put TCPA into the linux kernel.
These ‘Fritz’ Chips (yet another creative reference to Senator Disney) smack of the speak-writes in Orwells book 1984. Blah on these arse holes. Oh and don’t use a TCPA enabled version the Linux kernel Sam. Don’t even use Red Hat. Use Debian or Gentoo :-).
http://www.cl.cam.ac.uk/~rja14/tcpa-faq-0.2.html
“Can’t buy intel, can’t buy amd, can’t buy a powerpc mac, can’t trust Scott McNealy/SUN. Can’t use linux, because eventually RedHat/IBM will volunteer their staff to put TCPA into the linux kernel”
Can’t recompile your kernel without it? Oh wait, yes you can. There are like 500 Linux distributions. No one needs to use Red Hat. In fact, most Linux users don’t.
Oh and where there is demand there is someone to fill it even where the product is illigal in certain top of the hill countries controlled by a minority. Black market anyone? If Intel and AMD don’t want the 10% that give a shit, I’ll bet Cyrix or someone else will.
>>>>Oh and don’t use a TCPA enabled version the Linux kernel Sam. Don’t even use Red Hat. Use Debian or Gentoo :-).
IBM/RedHat has the vast majority of the senior linux kernel hackers on their payroll. Whatever they are working on, they will have to be incorporated into the main kernel tree eventually.
If you want to use “non-TCPA” versions of linux in 2008, then you are going to be stuck with the old 2.4 linux kernel because the 3.0 main tree will have TCPA built-in by Redhat/IBM.
I don’t think either Microsoft or Intel is really in favor or opposed to DRM. Neither company is known for being very idealogical. Both are extremely concerned with market share and profits.
What they are faced with is an interesting situation. On the one hand digital entertainment has the possibility to be a major killer app requiring several hardware / OS upgrades over the next several years. The RIAA and MPAA could decide that they want to own the entertainment space currently held by television and go after the computer market hard core with inexpensive music and movies relying on DRM and quantity rather than their current of few sales at high prices. Even if they don’t consummer demand for digital entertainment might become very strong. Computers allow for all sorts of features that televisions do not; and since compatability is less of an issue you could end up with very high end entertainment for people willing to buy expensive systems.
OTOH Intel and Microsoft also know that they live in a country which:
1) Does not a national identification card due to privacy concerns
2) Does not have centralized health records due to privacy concerns
3) Has some of the most liberal gun laws in the world due to concerns about the long term governmnet
4) Has the strongest guarantees of freedom anywhere in the world
etc…
Customers could reject DRM in droves.
Finally the market could split down essentially political lines with libertarians wanting freedom and being willing to forgo cheap music and authoritarians liking the controls.
My guess is that they want to be positioned to take advantage regardless of what way the wind blows. I don’t think focusing on Microsoft or Intel is really going to work. The more important place is corporations and particularly IT departments not using DRM for corparate data. And here the fact that workers consistently reject security systems should win the day for the anti-DRM forces. The success of PCs in the workplace over mainframes was a huge advance in human freedom even line workers don’t want to lose that.
>>>Can’t recompile your kernel without it? Oh wait, yes you can. There are like 500 Linux distributions. No one needs to use Red Hat. In fact, most Linux users don’t.
The problem is that the TCPA codes will be so deep in the linux kernel that you can’t compile your own kernel without them. And the old kernel trees don’t support your brand new Pentium 9 CPU.
Besides you can turn off TCPA/Palladium.
Did I mention that Linus says what goes in, not Red Hat? That is complete bull plop. There is no incentive for IBM to want Fritz chips and even less for Red Hat. You are full of crap. The ONLY way for Fritz chips to work in the United States is by law and they already tried that.
From: “Brian Gladman” <[email protected]>
To: <[email protected]>
Subject: Re: Intel to include DRM in new Pentium 4 series processors
Date: Thu, 12 Sep 2002 19:40:32 +0800
Over the last two years I have been briefed in detail on TCPA developments and also briefed in detail (under Non Disclosure Agreements) on a number of implementations of TCPA being undertaken by major companies.
I think Ross is right to suggest that the community at large needs to understand TCPA and its derivatives and hence make a judgement on the impact that this technology will have on the market. I hence thought that it might be helpful if I set out my own position (TCPA is evolving so this is subject to change).
At one level TCPA (I will use this term to cover both TCPA and the related implementations) allows a PC owner to have a higher confidence in the software that is running on their machine. It will offer secure boot protection, secure driver loading and verification and OS metrics that allow a machine owner to determine and verify what OS and what application software runs on their machine. All of these facilities are under the sole control of the machine owner and they can if they wish switch them off (this is the default).
It is true that a company can take GPL’d software and provide it in a form that allows the user to say that it is this particular version of the software that they want to run. The company providing this software has to comply with the GPL (assuming that this holds up legally) and this means that anyone else can compile and sign this software and a PC owner can choose to use this alternative. They can do this themselves if they choose or they can take the software from any Free Software/Open Source distributor that wishes to supply TCPA signed OS or applications software.
Ross and others see this as a threat to the GPL but I am not convinced by these arguments. I want a machine with a secure boot sequence and I am happy to be able to set my machine up in a way that allows me to specify the OS I want to run and check that it has not been modified since I installed it. In my view, when implemented in a way that provides public accountability for design and operation, these are good features. In consequence I feel that an effort to cast these features in a bad light is misguided and is diverting attention form much more important problem areas in TCPA.
A key feature of TCPA is that, subject to the PC owner’s permission, remote agents can set up ‘trusted boxes’ for their use on an owner’s PC. Hence, for example, my TCPA enabled PC could have boxes labelled TCPA<BRG>.MicrosoftBox, TCPA<BRG>.WaltDisneyBox and so on. The remote ‘owner’ of these boxes can then install cryptographic keys and other authorisation tokens in these boxes and couple these to machine metrics so that, for example, any software or content that they supply will only be useable on the machine if it is in a state that they specify. This is Digital Rights Management (DRM) and here I support Ross’s desire to ensure that the community at large knows precisely what they will be letting themselves in for in buying and using a TCPA enabled machine.
In my discussions with the companies involved I have put great weight on ensuring that these DRM like facilities are under sole control of the PC owner.
I expect the following to be true:
(a) TCPA features can be switched off completely.
(b) A remote agent requires the explicit permission of the PC owner in order to install a ‘trusted box’.
(c) At the point of a contract between a PC owner and such an agent (e.g. a software supplier) the full consequences of the contract will be set out (e.g. no later changes to what the trusted box can do).
(d) A code of ethics on the use of these features will be published and ‘agreed’ by the community at large.
In the hands of an informed and vigilant owner these safeguards will be sufficient in my view to protect their interests in a DRM sense.
But I am very unsure that this will be sufficient. The big problem here is that most owners will not understand these issues and this may mean that suppliers will be able to use these facilities in such a way that the balance of power in the market will shift away form PC owners to suppliers. And while it is not unreasonable for suppliers to want some way of protecting their ‘crown jewels’, we all know that this power will not simply be used for this purpose but also to fragment the market and boost profits in the way that DVD suppliers have tried to do with region coding.
Hence, while I disagree with Ross on the GPL issue, I support Ross’s concerns here.
But I also have additional worries. While it is true that some TCPA features can help in a limited way to prevent virii, worms etc., other features might well prove to be a hacker’s paradise. A user who does not fully understand the nature of the ‘trusted boxes’ on their machine could easily be persuaded to allow the installation of a box that gave a hacker a powerful influence over the operation of their machine. Those who have studied crypto-virus techniques will immediately recognise the seriousness of this form of attack and that a ‘trusted box’ would be a pretty well ideal hiding place from which to conduct operations of this kind.
The TCPA way around this is to suggest that the ability to install trusted boxes will be controlled by a third party called a ‘privacy CA’. This CA will, in effect, say to the PC owner “the remote agent who wants to install a trusted box on your machine is a good guy” and to the remote agent “the PC on which you want a trusted box can supply one”. And I see this as a big problem since I am very sceptical about the security value of third party CAs.
At this stage, therefore, I don’t have a problem with TCPA features that are designed to allow PC owners to exert better control over the security of their machines (secure boot, OS signing etc.). But in respect of the DRM features, I am distinctly uneasy about their functionality in the hands of the average PC owner and on the way in which this may change the balance of power in the market. I am also worried that these features might actually help very powerful forms of attack and I am unconvinced about the reliance of key aspects of the architecture on third party CA principles.
I apologise for the length of this post but this is a very important issue and one that deserves careful study. I hope that by setting out my own thoughts I can encourage others to take a look for themselves (TCPA specifications are openly available). In my view it is vital that these developments are subjected to careful and determined open scrutiny before they enter the marketplace.
Finally I want to make it clear that I am consulted on TCPA regularly and also consulted by a number of the companies who are building related implementations. At no time have I ever taken money for this consultation work and where I have signed NDAs these only constrain my ability to reveal proprietary implementation details. At no time have I hidden the fact that I do this work, nor have I ever advertised the fact for self aggrandisement purposes.
Brian Gladman
http://cryptome.org/tcpa-bg.htm
>>>The more important place is corporations and particularly IT departments not using DRM for corparate data. And here the fact that workers consistently reject security systems should win the day for the anti-DRM forces.
The RIAA/DRM issue is just a big red herring. Only 10% of all PC’s manufactured are going to consumers, the other 90% are business computers. And if corporations want to control data, then they already have the NSA distribution of secure linux.
>>>Did I mention that Linus says what goes in, not Red Hat? That is complete bull plop. There is no incentive for IBM to want Fritz chips and even less for Red Hat. You are full of crap. The ONLY way for Fritz chips to work in the United States is by law and they already tried that.
Linus is a reasonable guy — he ain’t a raving open source radical and he ain’t a greedy person who wants to make money off of linux. Linus will just likely see a cool piece of silicon with this brand new function on it and he just wants to incorporate it into the linux kernel as well.
IBM already sells netvista’s and thinkpads with TCPA 1.1 security chips built-in.
The Fritz congressional bill was for “CONSUMER ELECTRONICS” —- VCR’s, TV’s CD players — it has nothing to do with TCPA/Palladium with business PC’s.
“The RIAA/DRM issue is just a big red herring. Only 10% of all PC’s manufactured are going to consumers, the other 90% are business computers. And if corporations want to control data, then they already have the NSA distribution of secure linux.”
The NSA version of Linux is discontinued. I highly doubt 90% of computers are just for business. I’d like to see some proof.
Companies don’t care about anything but what makes them money. That is why they exist. DRM only makes money for content holders and that is what the vast majority of companies are NOT. TCPA is DRM.
All TCPA would do for “data control” is just take the data out of the hands of the emloyee and put into third parties. Companies don’t want that.
Linus is also not dumb. He dosen’t include every patch and people are even angry at him for it. He will not include DRM and if you have any doubts about it, ask him.
“The Fritz congressional bill was for “CONSUMER ELECTRONICS” —- VCR’s, TV’s CD players — it has nothing to do with TCPA/Palladium with business PC’s.”
If you actually read the bill you would see that it includes everything under the sun.
sam:
Arguing over the semantics of our eventual doom is pointless. You need to decide if your against TCPA/Palladium or not. And you need to do something about it.
P.S This counts for everyone here also.
>>>Linus is also not dumb. He dosen’t include every patch and people are even angry at him for it. He will not include DRM and if you have any doubts about it, ask him.
Linus doesn’t include every patch that are submitted to him because he thinks those patches are technically inferior codes. He doesn’t reject patches for political reasons.
Also the DRM codes are 3-4 layers ABOVE the kernel.
So first you say he will see this shiny new DRM and want to include it. Now you say he has no control and its not even part of the kernel. Get your facts straight.
>>>So first you say he will see this shiny new DRM and want to include it. Now you say he has no control and its not even part of the kernel. Get your facts straight.
I never stated that TCPA=DRM.
All I am saying is that Linus is a reasonable geek. Linus will see that these new silicons that are TCPA-spec and as a geek he will try to incorporate those hardware functions into the linux kernel.
Linus knows that DRM sits 3-4 layers on top of the kernel. He is a reasonable guy — he knows radicals will not like it and those people won’t work on that. But he also knows that IBM/RedHat have financial interest in selling TCPA-enabled systems to their corporate customers and they will have paid staff working on that.
When IBM/RedHat submits their TCPA patch to the main tree and if the submitted codes are not inferior in quality, then Linus will likely incorporate them into the main tree.
At the very least it will be able to be compiled as a module making this whole argument kinda pointless.
But I also have additional worries. While it is true that some TCPA features can help in a limited way to prevent virii, worms etc., other features might well prove to be a hacker’s paradise. A user who does not fully understand the nature of the ‘trusted boxes’ on their machine could easily be persuaded to allow the installation of a box that gave a hacker a powerful influence over the operation of their machine. Those who have studied crypto-virus techniques will immediately recognise the seriousness of this form of attack and that a ‘trusted box’ would be a pretty well ideal hiding place from which to conduct operations of this kind.
The TCPA way around this is to suggest that the ability to install trusted boxes will be controlled by a third party called a ‘privacy CA’. This CA will, in effect, say to the PC owner “the remote agent who wants to install a trusted box on your machine is a good guy” and to the remote agent “the PC on which you want a trusted box can supply one”. And I see this as a big problem since I am very sceptical about the security value of third party CAs.
TCPA ~ DRM ~ LaGrande ~ Palladium (all genetically related)
FritzInside is not just for consumer PC’s, although that’s where the original impetus came from. We’ll have FritzInside to monitor/control every aspect of the business computing environment.
The idea is to turn the PC into some sort of tooling that would have been used on an assembly line.
Isn’t it obvious one of the “secret trusted boxes” will the government’s monitoring software — which is legally supported by the Patriot act and will have further legislation supporting it, even requiring it on any PC sold in the USA.
“Privacy CA” = Homeland Security
You think when you buy a computer, the code for the certificate is not going to be sent to the government? And when you make a computer, it will be a simple process to identify it as a “rogue” computer, a likely tool of a terrorist. You will register that computing resource with Homeland Security or you’ll get a hostile visit from the FBI.
i wouldnt be suprized if Microsoft would start making the OS of the computer For that ONE computer with the os working with only that cpu (by using the verisign) you wont be able to use it else where…
one could even say that with out that one os giving the right commands to CPU the computer could be useless???
i really dont like this…
Heaven Help US ALL
Sam said:
“If you want to use “non-TCPA” versions of linux in 2008, then you are going to be stuck with the old 2.4 linux kernel because the 3.0 main tree will have TCPA built-in by Redhat/IBM.”
On June 1, 2008 OpenBSD 4.3 will be released (assuming the current numbering pattern continues). I somehow think it won’t have TCPA built-in.
As a long time asic/cpu design engineer I am thrilled that due to recent advances in FPGAs I can design the cpu chip I want & not be stuck with the cpu that Intel/MS/gov/fritz wants me to buy.
Designing your own cpu may seem radical or even impossible, but as an exercise it is in the same ballpark as a small OS. FPGAs make it possible to do cpus about as complex as a state of the art cpu circa a few years old, & it will be slower about 5x, but it can also be clean slate design & free of wierd ideas or mistakes from the ancient past.
I am following the inspired ideas of the Transputer in a modern form so it can easily be replicated into hypercubes etc for near linear performance. Each cpu is intended to fill a high end Spartan for about $10-20 per instance. I hope to be able to match an Athlon at about 200-400MHz speed, but multiple copies can make up for slow speed if you understand the ideas behind Transputing & Occam/CSP. The 1st versions will likely be a PCI hosted coprocessor that I can use for HW-SW research interests. It will be licensed under MIT license. As for apps & OSs I will still depned on the hosting PC & OS (BeOS/Windows for now).
Another important feature of FPGAs is that aditional HW can be compiled along with the cpu or vice versa, the cpu can be embedded into a large HW project on FPGA.
There is no reason other engineers can’t do the same, & I hope more do so. For those interested look for comp.sys.fpga & fpgacpu.org & maybe opencores.org, comp.sys.transputer, Xilinx, Altera etc!
Happy architecting!
>>>On June 1, 2008 OpenBSD 4.3 will be released (assuming the current numbering pattern continues). I somehow think it won’t have TCPA built-in.
OpenBSD is known for its strong security audits.
In fact on their website, one of their goals is “Be as politics-free as possible; solutions should be decided on the basis of technical merit.” If TCPA hardware is better for security, then I don’t see why OpenBSD would not use it.
>>>>i wouldnt be suprized if Microsoft would start making the OS of the computer For that ONE computer with the os working with only that cpu (by using the verisign) you wont be able to use it else where…
You are already restricted by the licensing terms of the OEM license that the OS goes with the machine, not with the owner.
From
“More information on the topic” (above)
“But I also have additional worries. While it is true that some TCPA features can help in a limited way to prevent virii, worms etc., other features might well prove to be a hacker’s paradise. A user who does not fully understand the nature of the ‘trusted boxes’ on their machine could easily be persuaded to allow the installation of a box that gave a hacker a powerful influence over the operation of their machine. Those who have studied crypto-virus techniques will immediately recognise the seriousness of this form of attack and that a ‘trusted box’ would be a pretty well ideal hiding place from which to conduct operations of this kind. ”
————————————————-
I’ve tried to unravel this for a few years and this is the theory and a few facts.
SGI | Irix 6.5 / Indigo2
Inranet w/
Apple | Macintosh 7.5.5 /68k IIsi
Apple | Macintosh 7.5.5 /68k Quadra 610
Briefly:
Irix 6.5 install disk(s) (I)
Read how to adapt your shell just so you can read the man pages(I) …which leads to …
Netscape (I)(M)
Flexlm (I)
Acrobat Reader 3.0 w/search (M)
MacLinkPlus 4(M)
Applescript (M)
SCSI Manager 4.3 (M)
various INITs (M)
…
_DataInit is used as an agent (M)
such as:
“_DataInit compress world relocate world …”
_CPlusInit, (and other things that don’t exist)
Gecko and TNT (always together) are present when stepping through the compromise.(M)
Micro(revenge)code(I) is delivered compressed to the (Mac) HD, it is thereafter “sonic” and can use MIDI.
It uses fonts as worlds and as emulated drives / placeholders.
Postscript is used as a language, MacLinkPlus is used to pipe crypto (w/ language translation/regions files),
Everything becomes a polymorphic resource for emulation and it implements multiple slices for individual trees.
Redirected calls emulated most things, (Quicktime looked halarious in forgery … and amazing.
Many times I watched this whole thing stupified as to the sophistication of the processes.
It utterly OWNED ME.
Wipe the drive, zero it out, deep format (many times).
Alway accompanied by a musical high pitch.
Never gone.
Think of it this way:
Look at your desktop, take a screenshot and look at IT.
(remember, these are 68ks, 20MB)
Now imagine a 1.2MHz PPC, x86.
This is real.
It became a game to try to capture/export even a single piece of evidence, text, screenshot, StdLog, anything total lockdown, by denial of “Save”, crash or corruption.
I beat it by emulation, I then burned a disk of the drive in state.
What was I doing originally? Trying to burn backup disks of Irix for the Indigo2.
(P.S. don’t)
I now own 3 SCSI drives and countless floppies devoted to this.
This is the point:
This was JUST SOFTWARE.
Ready for hardware?
This is the realization:
We’ve been owned for years.
Scott should know, right Scott?
anonymoused