Re: USENIX Security TCPA/Palladium Panel Wednesday
Lucky Green writes:
The slides of the talk on TCPA that I gave over the weekend at DEFCON are now available at http://www.cypherpunks.to
Amazing claims you are making there. Claiming that the TPM will be included on "all future motherboards"; claiming that an objective is to meet the operational needs of law enforcement and intelligence; claiming that TCPA members (all 170 of them?) have more access to his computer than the owner; fantasizing about an "approved hardware list" and "serial number revocation list" which don't exist in the spec(!); further fantasies about a "list of undesirable applications" (where do you get this stuff!). On page 16, the OS is going to start the secure time counter (but TCPA has no secure time feature!); synchronize time against authenticated time servers (again, no such thing is in the spec); and download the hardware and serial number revocation lists (nothing exists like this!). I honestly don't understand how you can say this when there is nothing like it in the TCPA specification. Are you talking to insiders about a future revision? Do you know for a fact that TCPA will hae SNRL's and such in the future? Or are you just being political, trying to increase pressure on TCPA *not* to go with serial number revocation lists and the like, by falsely claiming that this is in the design already?
Anonymous: clearly Lucky and Ross have been talking about two aspects of the TCPA and Palladium platforms: 1) the implications of platform APIs planned for first phase implementation based on the new platform hardware support; 2) the implications of the fact that the owner of the machine is locked out from the new ring-0; For 2) one obviously has to go beyond discussing the implications of the APIs discussed in the documents, so the discussion has included other APIs that could be built securely with their security rooted in the new third-party controlled ring-0. In my initial two messages looking at implications I did try to clearly distinguish between documented planned APIs and new APIs that become possible to build with third-party controlled ring-0s. Other areas where analysis is naturally deviating from the aspects covered by the available documentation (such as it is) are: - discussion of likelihood that a given potential API will be built - looking at history of involved parties: - Intel: pentium serial number - Microsoft: litany of anti-competetive and unethical business practices, - governments: history of trying to push key-escrow, censorship, thought-crime and technologies and laws attempting to enforce these infringements of personal freedom - RIAA/MPAA: history of lobbying for legislation such as DMCA, eroding consumer rights - industry/government collaboration: Key Recovery Alliance (www.kra.org), which shows an interesting intersection of big-companies who are currently and historically were signed on to assist the government in deploying key-escrow - suspicion that the TCPA/Microsoft are putting their own spin and practicing standard PR techniques: like selective disclosure, misleading statements, disclaiming planned applications and hence not taking everything at face value. TCPA/Microsoft have economic pressures to spin TCPA/Palladium positively. - analysis is greatly hampered by the lack of definitive, concise, clearly organized technical documentation. Some of the main informative documents even microsoft is pointing at are like personal blog entries and copies of personal email exchanges. a number of your responses have been of the form "hey that's not a fair argument, what section number in the TCPA/Palladium documents gives the specification for that API". I suspect some arguing about the dangers of TCPA/palladium feel no particular obligation to point out this distinction the fact that an API is not planned in phase 1, or not publicly announced yet offers absolutely no safe-guard against it's later deployment. Adam On Tue, Aug 06, 2002 at 03:15:17PM -0700, AARG!Anonymous wrote:
Lucky Green writes:
The slides of the talk on TCPA that I gave over the weekend at DEFCON are now available at http://www.cypherpunks.to
Amazing claims you are making there. Claiming that the TPM will be included on "all future motherboards"; claiming that an objective is to meet the operational needs of law enforcement and intelligence; claiming that TCPA members (all 170 of them?) have more access to his computer than the owner; fantasizing about an "approved hardware list" and "serial number revocation list" which don't exist in the spec(!); further fantasies about a "list of undesirable applications" (where do you get this stuff!).
I consider it a Bad Thing that we don't have more clearly organized technical documentaion to show right now, and I can only say that we are working on providing this post haste. I certainly am not happy to be pointing you to blogs as primary sources. I apologize for this, and I will send stuff out to this alias when we have it. Peter ++++
- analysis is greatly hampered by the lack of definitive, concise, clearly organized technical documentation. Some of the main informative documents even microsoft is pointing at are like personal blog entries and copies of personal email exchanges.
----- Original Message ----- From: "Adam Back" <adam@cypherspace.org> To: "AARG!Anonymous" <remailer@aarg.net> Cc: <shamrock@cypherpunks.to>; <cypherpunks@lne.com>; <cryptography@wasabisystems.com> Sent: Tuesday, August 06, 2002 4:57 PM Subject: Re: USENIX Security TCPA/Palladium Panel Wednesday
Anonymous: clearly Lucky and Ross have been talking about two aspects of the TCPA and Palladium platforms:
1) the implications of platform APIs planned for first phase implementation based on the new platform hardware support;
2) the implications of the fact that the owner of the machine is locked out from the new ring-0;
For 2) one obviously has to go beyond discussing the implications of the APIs discussed in the documents, so the discussion has included other APIs that could be built securely with their security rooted in the new third-party controlled ring-0.
In my initial two messages looking at implications I did try to clearly distinguish between documented planned APIs and new APIs that become possible to build with third-party controlled ring-0s.
Other areas where analysis is naturally deviating from the aspects covered by the available documentation (such as it is) are:
- discussion of likelihood that a given potential API will be built
- looking at history of involved parties:
- Intel: pentium serial number - Microsoft: litany of anti-competetive and unethical business practices, - governments: history of trying to push key-escrow, censorship, thought-crime and technologies and laws attempting to enforce these infringements of personal freedom - RIAA/MPAA: history of lobbying for legislation such as DMCA, eroding consumer rights - industry/government collaboration: Key Recovery Alliance (www.kra.org), which shows an interesting intersection of big-companies who are currently and historically were signed on to assist the government in deploying key-escrow
- suspicion that the TCPA/Microsoft are putting their own spin and practicing standard PR techniques: like selective disclosure, misleading statements, disclaiming planned applications and hence not taking everything at face value. TCPA/Microsoft have economic pressures to spin TCPA/Palladium positively.
- analysis is greatly hampered by the lack of definitive, concise, clearly organized technical documentation. Some of the main informative documents even microsoft is pointing at are like personal blog entries and copies of personal email exchanges.
a number of your responses have been of the form "hey that's not a fair argument, what section number in the TCPA/Palladium documents gives the specification for that API".
I suspect some arguing about the dangers of TCPA/palladium feel no particular obligation to point out this distinction the fact that an API is not planned in phase 1, or not publicly announced yet offers absolutely no safe-guard against it's later deployment.
Adam
On Tue, Aug 06, 2002 at 03:15:17PM -0700, AARG!Anonymous wrote:
Lucky Green writes:
The slides of the talk on TCPA that I gave over the weekend at DEFCON are now available at http://www.cypherpunks.to
Amazing claims you are making there. Claiming that the TPM will be included on "all future motherboards"; claiming that an objective is to meet the operational needs of law enforcement and intelligence; claiming that TCPA members (all 170 of them?) have more access to his computer than the owner; fantasizing about an "approved hardware list" and "serial number revocation list" which don't exist in the spec(!); further fantasies about a "list of undesirable applications" (where do you get this stuff!).
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
-- Hollywood and the government, would like the internet to be like television, a few big businesses steadily churning out content, and everyone else passively consuming it. Microsoft really would not like that, since, despite all their faults, they are in the computer business. This is analogous to the difference between Hitler and Stalin. Hitler wanted to enslave the whole world right away, Stalin wanted to enslave the world bit by bit as the opportunity permitted, and whenever the time was ripe . Thus it made sense for the west to ally with Stalin. Trouble was, Stalin thought it made sense to ally with Hitler. My concern is not that Bill Gates is in bed with hollywood, but rather than Microsoft may be trying to compromise, may be trying to make a deal, over a matter where in truth no deal is possible, no compromise can work. Microsoft really does not want an internet that is regulated like TV. Hollywood really does. Analogously Stalin wanted most of Eastern Europe, and Hitler wanted all of Eastern Europe, and then some. Sooner or later, Microsoft has to come out on our side. Let us hope sooner, rather than later. Microsoft, like Hollywood, wants unreasonable and burdensome levels of intellectual property protection, but they do not want to destroy computing in order to get it. Hollywood, and to a lesser extent the government, would be happy to destroy unauthorized individual and small business computing and networking even if it did not help them sustain unreasonable and burdensome levels of intellectual property protection. This does not mean we should give Microsoft the benefit of the doubt on Palladium. It does mean we cannot automatically assume that Microsoft is completely in bed with Hollywood. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG pAtW9HDHsrtZztGUc46QOKEaFC3eHqZITeQJH+8P 2/FCNFYTqk89Jr/89vepeUPpC/XHNLdr3Vzuqvsa9
On Wed, 7 Aug 2002, James A. Donald wrote:
-- Hollywood and the government, would like the internet to be like television, a few big businesses steadily churning out content, and everyone else passively consuming it.
Microsoft really would not like that, since, despite all their faults, they are in the computer business.
lots of good stuff and analogies snipped
Why not? For the purpose of this argument, lets accept as fact this Hollywood/gubbmint alliance. So, why wouldn't Bill & Co want to play? As long as they get a software subscription license fee from every "consumer" of the product, that can be added to everytime a new ground-breaking, earth-shattering, fancy super multimedia immersion technology "standard" is introduced? It *seems* to me that Microsoft wants out of even the software license model they currently have and want to just plug into the consumers "line of credit" and withdraw as they see fit without having to do much more than create easily obsolete-able software techniques that they can consistantly reinvent so that they can continue to siphon credit from their milkcows much in the same way that the gubbmint collects taxes, only with much better "ease of use." I don't see Stalin/Hitler, I see; Standard Oil/ Department of Transporation/ Interstate Commerce Commission) General Motors/ Ford/ and so forth.
-- On 8 Aug 2002 at 13:09, cubic-dog wrote:
For the purpose of this argument, lets accept as fact this Hollywood/gubbmint alliance. So, why wouldn't Bill & Co want to play?
A big bureaucracy has a lot of inertia. It wants to do what it always has been doing, it gets set in its ways. If the internet and consumer computers are mandated to be like TV, the TV people will wind up in charge, and Microsoft will not wind up in charge. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG OrPfArPJfauYoxApR4gFvBiF/ejwrZGskzoVEQJt 2QHCPliH2SKXP0eaVWlIy65Nye07RsyZOo8xbrIAA
participants (5)
-
AARG! Anonymous
-
Adam Back
-
cubic-dog
-
James A. Donald
-
Peter N. Biddle