Eugen Leitl writes:
On Sat, 3 Aug 2002, AARG! Anonymous wrote:
But you won't now say that TCPA is OK, will you? You just learned some information which objectively should make you feel less bad about it, and yet you either don't feel that way, or you won't admit it. I am coming to doubt that people's feelings and beliefs about TCPA are based on facts at all. No matter how much I correct negative misconceptions about these systems, no one will admit to having any more positive feelings about it.
Whoa there. Hold the horses. You're completely inverting the burden of proof here. You're *trusting* a preliminary spec fielded by *whom* again? Were you on the design team? Are you on implementers' team? Have you reverse engineered the function from tracing the structures on the die? Will you continue doing this, sampling every batch being shipped?
I am judging the proposal on the basis of the spec. I think that is the correct way to do the analysis. Then, you can extend your analysis on the basis of ways you think the spec might change. But surely the spec ought to be a starting point for any judgement. Otherwise there is no factual basis for the analysis. Yet no one here has said that now that they understand the spec better, they don't think TCPA as specified would be as bad as they thought. Some people, like James Donald and Ryan Lackey, have said that they don't think TCPA would be all that bad if it weren't for government, copyright laws, etc. But no one has suggested that my many postings have changed their opinion about TCPA in and of itself.
Consider the source. It is bogged down with enough bad mana to last for centuries.
The Alliance consists of Compaq, Intel, IBM, HP, and Microsoft. (Since then HP has bought Compaq.) Even if you hate Microsoft, you probably don't hate all of these companies, do you?
Consider the motivations. They're certainly not there to enhance end user's privacy and anonymitity. In fact, one of the design specs must have been minimizing the latter as long as it not hurts the prime design incentives. These are all facts you won't find in the specs.
I think the spec directly contradicts this claim! If they cared so little about user privacy, why would they use an elaborate system with a Privacy CA to make sure no user-identifiable information leaks onto the net? Surely the simpler approach would be what James Donald suggested, to send out the TPM's public key and let people use that. But it is a per-user identifier and so they went to great lengths to conceal it. Furthermore, if their motivations were so bad, wouldn't it have been better for them for TCPA to work the way most people assume, to only load software which has been signed by some authority? Instead they are careful to let any software load, and to report its status to third parties, so the third parties can make their own judgements about what to trust. Why do you think they did it like this, if they were so determined to minimize the control of the end user?
It boggles my mind I have to explain this, especially to a member of this particular community. Are you really sure you're not a TCPA troll?
Who cares what I am? It's facts that count! I could be Satan Incarnate and it wouldn't matter. I am giving you facts about TCPA based on my personal investment of time to study the system. Tell me this: if you care about this standard, why not get it and learn it yourself? Not one person here has done this! Everyone prefers to believe falsehoods than to learn the truth for themself. Do you think that is a good strategy for survival in a potentially hostile and dangerous world?
If they manage to slip that particular toad into high volume production, hackers will of course use it, inasmuch possible thwarting the original intent. But you seem to ask for blanket endorsement based merely on spec, which is a rather tall order.
All I am really asking for is someone to acknowledge that I have provided information to them which makes them see TCPA as less dangerous and damaging than they had thought based on the false information which has been circulating. I don't see how anyone can deny this. The caricature of TCPA that most people believe is very bad. The truth is not so bad. Logically, you *have* to believe that TCPA is not as bad as you thought, when you are provided with the truth. Let me ask you, Eugen: isn't a TCPA which is open, which will run all software, which does not prevent any software from running, better than a TCPA which will only run signed software? I know you are a person who is willing to think for himself and defy the conventional wisdom. Please respond to this message and explain to me how this logic strikes you.