Re: Ross's TCPA paper
On Fri, 5 Jul 2002, AARG!Anonymous wrote:

... / Right, and you can boot untrusted OS's as well. Recently there was discussion here of HP making a trusted form of Linux that would work with the TCPA hardware. So you will have options in both the closed source and open source worlds to boot trusted OS's, or you can boot untrusted ones, like old versions of Windows. The user will have more choice, not less. ... /

Nonsense. Let us remember what Palladium is:

Palladium is a system designed to enable a few large corporations and governments to run source secret, indeed, well-encrypted, code on home user's machines in such a way that the home user cannot see, modify, or control the running code.

The Orwellian, strictly Animal Farmish, claim runs: Why it is all just perfectly OK, because anyone can run source secret, well encrypted, code in an uncontrolled manner on anyone's machine at will! We are all equal, it is just that some, that is, We the Englobulators, will in practice get to run source secret, well-encrypted, code on hundreds of millions of users' machines while you, you will never run such code on anybody else's machine except at a hobbyists' fair, precisely to demonstrate we are all equal..

There are other advantages to Palladium: No free kernel will ever freely boot on a Palladium machine.

And there is more. If Palladium is instituted: Microsoft will support the most vicious interpretation of the DMCA and press for passage of the SSSCA, in order that the first crack does not prove to the world that Palladium cannot prevent all copyright infringement. Microsoft will be able to say See, it is these GNU/BSD/XFree/Sendmail/Apache/CLISP folk who are causing all this dreadful copyright infringement. Why owning a non-Palladium machine should be declared, no, not illegal, we are not monsters after all, but probative evidence that the owner is an infringer, and more, a general infringer and a member of the Copyright Infringement Conspiracy.
Why some of them even write such code as the well known, and in CIC circles, widely used, tool of infringement called 'cp'. Senator, I know you will be as shocked as I was when I learned what 'cp' stands for. It stands for 'copy'. And I do not mean safe Englobulator-Certified Fair Use Copying, such as is provided by the Triple X Box, which, for a reasonable license fee, allows up to six copy-protected copies to be made before settling of accounts and re-certification of the Box over the net. No, I mean, raw, completely promiscuous copying of any file on the machine, as many times as the infringer wishes. Without record, without payment to the artist, without restraint. Senator, I prefer to call cp 'The Boston Strangler', because that is exactly what it is. And every single non-Palladium operating system in the world comes with cp already loaded, loaded and running.. oo--JS. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Absurdity? (Was: Ross's TCPA paper)
On Fri, Jul 05, 2002 at 09:14:27AM +0100, Matthew Byng-Maddick wrote:

On Thu, Jul 04, 2002 at 10:54:11PM +0200, Hadmut Danisch wrote:

[backdoored network cards] I don't think so. As far as I understood, the bus system (PCI,...) will be encrypted as well. You'll have to use a NIC which is certified and can decrypt the information on the bus. Obviously, you won't get a certification for such a network card.

Surely the obvious thing is that you build a network card without this property, and get it certified, and get the key to decrypt the data. Then you add the backdooring technology, at which point you have the advantage that you both have a certified secure network card, and the key to decrypt data for you on the bus. Not that I'm sure this helps, but it might.

Another question is: How will you print? Certainly, you can't use just a plain printer. Could be any microcontroller pretending to be a printer. So you need a certified and tamper resistant printing device. But what do you print on? Yes, you need certified paper which refuses to agree with being copied.

Hadmut
Re: Ross's TCPA paper
today. I want things to get better. I can't read e-books on my pocket computer, for example, which is sad since I actually would be able to enjoy e-books if I only could load them onto my small computer that follows me everywhere. Yes, of course I could probably bypass the protection and make the e-book readable if I really wanted to, but I honestly don't want to. Besides the Sklyarov case I don't feel I should need to crack things I have legally purchased.

Second, what about CD's? Today I can buy music on CD's and use the sound the way I want. I can put it in my MP3 player and I can practically do anything with it using a wave editor. But what about the future? Would they sell unprotected versions of any album so I can listen to and process music with the program of my choice?

You will still be able to use your system in exactly the same ways that you use it today; you will be able to run all of the software that you run today.

But not with the same data. How good is Winamp if it can't play any music recorded in 2004 or later? Given that Windows Media Player can play all your tunes and it takes a reboot to switch to Winamp, who wouldn't stick with WMP? And remember that Microsoft encourages us to protect our own files and documents. What will happen to the word processors, text editors and other programs we use today when there is no data left for them to use since everything has been protected?

The TCPA allows you to do something that you can't do today: run your system in a way which convinces the other guy that you will honor your promises, that you will guard his content as he requires in exchange for his providing it to you. It allows you to be honest.

Only problem is; I'm not the one giving promises, it's my computer! Yes, I will make sure that the user only will be able to listen to this song three times. Don't you worry. His opinion doesn't matter. I'm in charge here.

I'm not saying there isn't a market for listening to songs a limited number of times for a smaller fee, I'm just worried they will take away the possibility of listening an unlimited number of times (or make it noticeably more expensive).

Realize that the trusted mode of the TCPA will always be only an option,

Bottom line; not if you want to work with protected content. (Which, from what I can understand, will include all future songs, movies and probably word documents and loads of other data as well.) Or am I missing something?
Re: Ross's TCPA paper
On Mon, 24 Jun 2002, Anonymous wrote:

The important thing to note is this: you are no worse off than today! You are already in the second state today: you run untrusted, and none of the content companies will let you download their data.

But bootlegs are widely available.

The problem is that the analog hole is how we debug stuff. When our speakers don't sound right, we tap the signal, put it on an oscilloscope so we can see what's wrong, correct the drivers, and try again. When our monitor can't make sense of the video signal, it's different equipment but the same idea. When you encrypt all the connections to basic display hardware, as proposed in Palladium, it means nobody can write drivers or debug hardware without a million-dollar license. And if you do fix a bug so your system works better, your system's trusted computing system will be shut down. Not that that's any great loss.

Likewise, encrypted instruction streams mean you don't know what the hell your CPU is doing. You would have no way to audit a program and make sure it wasn't stealing stuff from you or sending your personal information to someone else. Do we even need to recount how many abuses have been foisted on citizens to harvest marketing data, and exposed after-the-fact by some little-known hero who was looking at the assembly code and went, Hey look what it's doing here. Why is it accessing the passwords/browser cache/registry/whatever? Do we want to recount how many times personal data has been exported from customer's machines by adware that hoped not to be noticed? Or how popup ads get downloaded by software that has nothing to do with what website people are actually looking at?

I don't want to give vendors a tunnel in and out of my system that I can't monitor. I want to be able to shut it down and nail it shut with a hardware switch. I don't want to ever run source code that people are so ashamed of that they don't want me to be able to check and see what it does; I want to nail that mode of my CPU off so that no software can turn it on EVER. I'll skip the digital movies if need be, but to me trusted computing means that *I* can trust my computer, not that someone else can.

Bear
Re: Ross's TCPA paper
Yes, this is a debate I've had with the medical privacy guys, some of whom like the idea of using Palladium to protect medical records. This is a subject on which I've a lot of experience (see my web page), and I don't think that Palladium will help.

Privacy abuses almost always involve abuse of authorised access by an insider. Recent case: 15-year old girl in Croydon, England, gets termination of pregnancy without telling her mother. This is reported to the local health authority, where her uncle works; he sees the report and tells the family.

Palladium doesn't help here. Even if the uncle is constrained by the Fritz chip from doing anything other than look at the screen, he still has the information.

The fix for this problem is anonymous reporting, with the identity of the girl known only to the treating physician. It is a policy issue, not a technology issue; if technology such as Palladium is introduced it will most likely be by health authorities trying to find an excuse to retain access to data that they shouldn't have in the first place. (We've seen a similar effect with smartcards in healthcare, and in fact the general phenomenon has an interesting similarity with what the environmental economists call the `social reward trap': making `green' goods available often increases pollution as people consume green goods rather than consuming less.)

Ross
Re: TCPA / Palladium FAQ (was: Re: Ross's TCPA paper)
Interesting QA paper and list comments. Three additional comments:

1. DRM and privacy look like apple and speedboats. Privacy includes the option of not telling, which DRM does not have.

2. Palladium looks like just another vaporware from Microsoft, to preempt a market like when MS promised Windows and killed IBM's OS/2 in the process.

3. Embedding keys in mass-produced chips has great sales potential. Now we may have to upgrade processors also because the key is compromised ;-)

Cheers, Ed Gerck

PS: We would be much better off with OS/2, IMO.

Ross Anderson wrote:

http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

Ross
RE: DRMs vs internet privacy (Re: Ross's TCPA paper)
Adam Back wrote:

I don't mean that you would necessarily have to correlate your viewing habits with your TrueName for DRM systems. Though that is mostly (exclusively?) the case for current deployed (or at least implemented with a view of attempting commercial deployment) copy-mark (fingerprint) systems, there are a number of approaches which have been suggested, or could be used to have viewing privacy.

The TCPA specs were carefully designed to permit the user to obtain multiple certificates from multiple CA's and thus, if, and that's a big if, the CA's don't collude and furthermore indeed discard the true name identities of the customer, utilize multiple separate identities for various online applications. I.e., the user could have one cert for their True Name, one used to enable Microsoft Office, and one to authenticate the user to other online services.

It is very much the intent of the TCPA to permit the use of pseudonymous credentials for many, if not most, applications. Otherwise, the TCPA's carefully planned attempts at winning over the online liberty groups would have been doomed from the start.

--Lucky Green
RE: Ross's TCPA paper
David wrote:

It's not clear that enabling anti-competitive behavior is good for society. After all, there's a reason we have anti-trust law. Ross Anderson's point -- and it seems to me it's one worth considering -- is that, if there are potentially harmful effects that come with the beneficial effects, maybe we should think about them in advance.

I fully agree that the TCPA's efforts offer potentially beneficial effects. Assuming the TPM has not been compromised, the TPM should enable to detect if interested parties have replaced your NIC with the rarer, but not unheard of, variant that ships out the contents of your operating RAM via DMA and IP padding outside the abilities of your OS to detect.

However, enabling platform security, as much as might be stressed otherwise by the stakeholders, has never been the motive behind the TCPA. The motive has been DRM. Does this mean that one should ignore the benefits that TCPA might bring? Of course not. But it does mean that one should carefully weigh the benefits against the risks.

--Lucky Green
Re: Ross's TCPA paper
From: [EMAIL PROTECTED]

As a side note, it seems that a corporation would actually have to demonstrate that I had seen and agreed to the thing and clicked acceptance. Prior to that point, I could reverse engineer, since there is no statement that I cannot reverse engineer agreed to. So what would happen if I reverse engineered the installation so that the agreement that was displayed stated that I could do what I liked with the software? Ok, so there would be no mutual intent, but on the other hand, there would also be no agreement on the click-through agreement either.

I have an application that replaces the caption on the I agree button to your liking; I wrote it exactly because of this reasoning. http://picosoft.freeservers.com/NoLicense.htm

Of course, it's a stupid little program, I'm sure anyone can come up with something better in no time...

BTW, for any lawyers around here - shouldn't the mere existence of this program be enough to blow up the idea that you agreed to the click-through stuff?

Mark
RE: Ross's TCPA paper
On Wed, 26 Jun 2002, Scott Guthery wrote:

Privacy abuse is first and foremost the failure of a digital rights management system. A broken safe is not evidence that banks shouldn't use safes. It is only an argument that they shouldn't use the safe that was broken. I'm hard pressed to imagine what privacy without DRM looks like. Perhaps somebody can describe a non-DRM privacy management system. On the other hand, I easily can imagine how I'd use DRM technology to manage my privacy.

You are fundamentally confusing the problem of privacy (controlling unpublished information and not being compelled to publish it) with the problem of DRM (attempting to control published information and compelling others to refrain from sharing it). Privacy does not require anyone to be compelled against their will to do anything. DRM does.

As I see it, we can get either privacy or DRM, but there is no way on Earth to get both. Privacy can happen only among citizens who are free to manage their information and DRM can happen only among subjects who may be compelled to disclose or abandon information against their will.

Privacy without DRM is when you don't need anyone's permission to run any software on your computer.

Privacy without DRM is when you are absolutely free to do anything you want with any bits in your possession, but people can keep you from *getting* bits private to them into your possession.

Privacy without DRM means being able to legally keep stuff you don't want published to yourself, even if that means using pseudonymous or anonymous transactions for non-fraudulent purposes.

Privacy without DRM means being able to simply, instantly, and arbitrarily change legal identities to get out from under extant privacy infringements, and not have the new identity easily linkable to the old.

Privacy without DRM means people being able to create keys for cryptosystems and use them in complete confidence that no one else has a key that will decrypt the communication -- this is fundamental to keeping private information private.

Privacy without DRM means no restrictions whatsoever on usable crypto in the hands of citizens. It may be a crime to withhold any stored keys when under a subpoena, but that subpoena should issue only when there is probable cause to believe that you have committed a crime or are withholding information about one, and you should *ALWAYS* be notified of the issue within 30 days. It also means that keys which are in your head rather than stored somewhere are not subject to subpoena -- on fifth amendment grounds (in the USA) if the record doesn't exist outside your head, then you cannot be coerced to produce it.

Privacy without DRM means being able to keep and do whatever you want with the records your business creates -- but not being able to force someone to use their real name or linkable identity information to do business with you if that person wants that information to remain private.

Bear
Re: Ross's TCPA paper
I'm slightly confused about this. My understanding of contract law is that five things are required to form a valid contract: offer and acceptance, mutual intent, consideration, capacity, and lawful intent. It seems to me that a click-through agreement is likely to fail on at least one, and possibly two of these requirements.

First, it is doubtful that there is mutual intent. The average user doesn't even read the agreement, so there is hardly mutual intent.

However, even if I accept mutual intent, it would be easy to argue that there is no capacity. I have four children under the age of seven. None of them have the legal capacity to form a contract. Three of them have the physical capacity to click a button. A corporation would therefore have to demonstrate that I and not they clicked on the agreement for the contract to be valid.

As a side note, it seems that a corporation would actually have to demonstrate that I had seen and agreed to the thing and clicked acceptance. Prior to that point, I could reverse engineer, since there is no statement that I cannot reverse engineer agreed to. So what would happen if I reverse engineered the installation so that the agreement that was displayed stated that I could do what I liked with the software? Ok, so there would be no mutual intent, but on the other hand, there would also be no agreement on the click-through agreement either.

Paul

Peter D. Junger writes:

Pete Chown writes:

: Anonymous wrote:
:
: Furthermore, inherent to the TCPA concept is that the chip can in
: effect be turned off. No one proposes to forbid you from booting a
: non-compliant OS or including non-compliant drivers.
:
: Good point. At least I hope they don't. :-)
:
: There is not even social opprobrium; look at how eager
: everyone was to look the other way on the question of whether the DeCSS
: reverse engineering violated the click-through agreement.
:
: Perhaps it did, but the licence agreement was unenforceable. It's
: clearly reverse engineering for interoperability (between Linux and DVD
: players) so the legal exemption applies. You can't escape the exemption
: by contract. Now, you might say that morally he should obey the
: agreement he made. My view is that there is a reason why this type of
: contract is unenforceable; you might as well take advantage of the
: exemption.

That isn't the reason why a click-through agreement isn't enforceable---the agreement could, were it enforceable, validly forbid reverse engineering for any reason and that clause would in most cases be upheld. But, unless you buy your software from the copyright owner, you own your copy of the software and clicking on a so called agreement with the copyright owner that you won't do certain things with your software is---or, at least should be---as unenforceable as a promise to your doctor that you won't smoke another cigarette.

The important point is not, however, that click-through agreements are probably unenforceable; the important point is that people---at least those people who think that they own their own computers and the software copies that they have purchased---generally believe that they should be unenforceable.

(And in the actual case involving Linux and DVD players there was no agreement not to circumvent the technological control measures in DVD's; the case was based on the theory that the circumvention violated the Digital Millennium Copyright Act.)

: The prosecution was on some nonsense charge that amounted to him
: burgling his own house. A statute that was meant to penalise computer
: break-ins was used against someone who owned the computer that he broke
: into.
:
: The TCPA allows you to do something that you can't do today: run your
: system in a way which convinces the other guy that you will honor your
: promises, that you will guard his content as he requires in exchange for
: his providing it to you.
:
: Right, but it has an odd effect too. No legal system gives people
: complete freedom to contract. Suppose you really, really want to exempt
: a shop from liability if your new toaster explodes. You can't do it;
: the legal system does not give you the freedom to contract in that way.
:
: DRM, however, gives people complete freedom to make contracts about how
: they will deal with digital content. Under EU single market rules, a
: contract term to the effect that you could pass on your content to
: someone in the UK but not the rest of the EU is unenforceable. No
: problem for DRM though...

I don't think that one should confuse contract limitations, or limitations on enforceable contract limitations, with technological limitations. There is nothing, for example, in any legal system that forbids one from violating the law of gravity.

One of the many problems with the use of the Digital Millennium
Re: Ross's TCPA paper
On Wed, Jun 26, 2002 at 10:01:00AM -0700, bear wrote:

As I see it, we can get either privacy or DRM, but there is no way on Earth to get both. [...]

Hear, hear! First post on this long thread that got it right. Not sure what the rest of the usually clueful posters were thinking!

DRM systems are the enemy of privacy. Think about it... strong DRM requires enforcement as DRM is not strongly possible (all bit streams can be re-encoded from one digital form (CD-MP3, DVD-DIVX), encrypted content streams out to the monitor / speakers subjected to scrutiny by hardware hackers to get digital content, or A-D reconverted back to digital in high fidelity.

So I agree with Bear, and re-iterate the prediction I make periodically that the ultimate conclusion of the direction DRM laws being pursued by the media cartels will be to attempt to get legislation directly attacking privacy.

This is because strong privacy (cryptographically protected privacy) allows people to exchange bit-strings with limited chance of being identified. As the arms race between the media cartels and DRM cohorts continues, file sharing will start to offer privacy as a form of protection for end-users (eg. freenet has some privacy related features, several others involve encryption already).

Donald Eastlake wrote:

| There is little *technical* difference between your doctors records
| being passed on to assorted insurance companies, your boss, and/or
| tabloid newspapers and the latest Disney movies being passed on from a
| country where it has been released to people/theaters in a country
| where it has not been released.

There is lots of technical difference. When was the last time you saw your doctor use cryptlopes, watermarks etc to remind himself of his obligations of privacy.

The point is that with privacy there is an explicit or implied agreement between the parties about the handling of information. The agreement can not be technically *enforced* to any stringent degree.

However privacy policy aware applications can help the company avoid unintentionally breaching its own agreed policy. Clearly if the company is hostile they can write the information down off the screen at absolute minimum. Information fidelity is hardly a criteria with private information such as health care records, so watermarks, copy protect marks and the rest of the DRM schtick are hardly likely to help!

Privacy applications can be successful to the in helping companies avoid accidental privacy policy breaches. But DRM can not succeed because they are inherently insecure. You give the data and the keys to millions of people some large proportion of whom are hostile to the controls the keys are supposedly restricting. Given the volume of people, and lack of social stigma attached to wide-spread flouting of copy protection restrictions, there are ample supply of people to break any scheme hardware or software that has been developed so far, and is likely to be developed or is constructible.

I think content providers can still make lots of money where the convenience, and /or enhanced fidelity of obtaining bought copies means that people would rather do that than obtain content on the net.

But I don't think DRM is significantly helping them and that they are wasting their money on it. All current DRM systems aren't even a speed bump on the way to unauthorised Net re-distribution of content.

Where the media cartels are being somewhat effective, and where we're already starting to see evidence of the prediction I mentioned above about DRM leading to a clash with privacy is in the area of criminalization of reverse engineering, with Sklyarov case, Ed Felten's case etc. Already a number of interesting breaks of DRM systems are starting to be released anonymously. As things heat up we may start to see incentives for the users of file-sharing for unauthorised re-distribution to also _use_ the software anonymously.

Really I think copyright protections as being exploited by media cartels need to be substantially modified to reduce or remove the existing protections rather than further restrictions and powers awarded to the media cartels.

Adam
TCPA / Palladium FAQ (was: Re: Ross's TCPA paper)
http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

Ross
DRMs vs internet privacy (Re: Ross's TCPA paper)
On Wed, Jun 26, 2002 at 03:57:15PM -0400, C Wegrzyn wrote:

If a DRM system is based on X.509, according to Brand I thought you could get anonymity in the transaction. Wouldn't this accomplish the same thing?

I don't mean that you would necessarily have to correlate your viewing habits with your TrueName for DRM systems. Though that is mostly (exclusively?) the case for current deployed (or at least implemented with a view of attempting commercial deployment) copy-mark (fingerprint) systems, there are a number of approaches which have been suggested, or could be used to have viewing privacy.

Brands credentials are one example of a technology that allows trap-door privacy (privacy until you reveal more copies than you are allowed to -- eg more than once for ecash). Conceivably this could be used with a somewhat online, or in combination with a tamper-resistant observer chip in lieu of online copy-protection system to limit someone for example to a limited number of viewings.

Another is the public key fingerprinting (public key copy-marking) schemes by Birgit Pfitzmann and others. This addresses the issue of proof, such that the user of the marked-object and the verifier (eg a court) of a claim of unauthorised copying can be assured that the copy-marker did not frame the user.

Perhaps schemes which combine both aspects (viewer privacy and avoidance of need to trust at face value claims of the copy-marker) can be built and deployed.

(With the caveat that though they can be built, they are largely irrelevant as they will no doubt also be easily removable, and anyway do not prevent the copying of the marked object under the real or feigned claim of theft from the user whose identity is marked in the object).

But anyway, my predictions about the impending collision between privacy and the DRM and copy protection legislation power-grabs stems from the relationship of privacy to the later redistribution observation that:

1) clearly copy protection doesn't and can't a-priori prevent copying and conversion into non-DRM formats (eg into MP3, DIVX)

2) once 1) happens, the media cartels have an interest to track general file trading on the internet;

3) _but_ strong encryption and cryptographically enforced privacy mean that the media cartels will ultimately be unsuccessful in this endeavour.

4) _therefore_ they will try to outlaw privacy and impose escrow identity and internet passports etc. and try to get cryptographically assured privacy outlawed.

(Similar to the previous escrow on encryption for media cartel interests instead of signals intelligence special interests; but the media cartels are also a powerful adversary).

Also I note a slip in my earlier post [of Bear's post]:

| First post on this long thread that got it right.

Ross Anderson's comments were also right on the money (as always).

Adam
Re: Ross's TCPA paper
It seems clear at least if DRM is an application then DRM applications would benefit from the increased trust and architecturally that such trust would be needed to enforce/ensure some/all of the requirements of the Hollings bill.

hawk

Lucky Green wrote:

other technical solution that enjoys a similar level of PC platform industry support, is anywhere as near to wide-spread production as TPM's, and is of sufficient integration into the platform to be able to form the platform basis for meeting the requirements of the Hollings bill. Would Anonymous perhaps like to take this question?
Re: Ross's TCPA paper
--- begin forwarded text Status: U Date: Sun, 23 Jun 2002 12:53:42 -0700 From: Paul Harrison [EMAIL PROTECTED] Subject: Re: Ross's TCPA paper To: R. A. Hettinga [EMAIL PROTECTED] User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 on 6/23/02 6:50 AM, R. A. Hettinga at [EMAIL PROTECTED] wrote: --- begin forwarded text Status: U From: Lucky Green [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: Ross's TCPA paper Date: Sat, 22 Jun 2002 23:01:12 -0700 Sender: [EMAIL PROTECTED] Tres Snippage.. None of these obstacles are impossible to overcome, but not by Joe Computer User, not by even the most talented 16-year old hacker, and not even by many folks in the field. Sure, I know some that could overcome it, but they may not be willing to do the time for what by then will be a crime. Come to think of it, doing so already is a crime. --Lucky Green --- end forwarded text The discussion of TCPA has a tendency to avoid serious discussion of what I feel is the core security issue: ownership of the platform. Comments such as Lucky's: TPM will make it near impossible for the owner of that motherboard to access supervisor mode on the CPU without their knowledge obfuscate this. The Trusted Computing Platform includes the TPM, the motherboard and the CPU, all wired together with some amount of tamper resistance. It is meaningless to speak of different owners of different parts. The owner of a TCP might be a corporate IT department (for employee machines), a cable company (for set-top boxen), or an individual. The important question is not whether trusted platforms are a good idea, but who will own them. Purchasing a TCP without the keys to the TPM is like buying property without doing a title search. Of course it is possible to _rent_ property from a title holder, and in some cases this is desirable. I would think a TCP _with_ ownership of the TPM would be every paranoid cypherpunk's wet dream. 
A box which would tell you if it had been tampered with either in hardware or software? Great. Someone else's TCP is more like a rental car: you want the rental company to be completely responsible for the safety of the vehicle. This is the economic Achilles heel of using TCPA for DRM. Who is going to take financial responsibility for the proper operation of the platform? It can work for a set top box, but it won't fly for a general purpose computer.
--- end forwarded text

-- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: Ross's TCPA paper
On Mon, Jun 24, 2002 at 08:15:29AM -0400, R. A. Hettinga wrote: Status: U Date: Sun, 23 Jun 2002 12:53:42 -0700 From: Paul Harrison [EMAIL PROTECTED] Subject: Re: Ross's TCPA paper To: R. A. Hettinga [EMAIL PROTECTED] The important question is not whether trusted platforms are a good idea, but who will own them. Purchasing a TCP without the keys to the TPM is like buying property without doing a title search. Of course it is possible to _rent_ property from a title holder, and in some cases this is desirable. I would think a TCP _with_ ownership of the TPM would be every paranoid cypherpunk's wet dream. A box which would tell you if it had been tampered with either in hardware or software? Great. Someone else's TCP is more like a rental car: you want the rental company to be completely responsible for the safety of the vehicle. This is the economic Achilles heel of using TCPA for DRM. Who is going to take financial responsibility for the proper operation of the platform? It can work for a set top box, but it won't fly for a general purpose computer.

In general, I'm very fond of this sort of ownership analysis. If I have a TCPA box running my software, and thinking that it's mine, how do I know there isn't one more layer? Leave it off, and my analysis is simpler. I suspect that verifying ownership of the TPM will be like verifying ownership of property in modern Russia: There may be a title that looks clean. But what does the mafia think? What about the security services? There may even be someone with a pre-Bolshevik title floating around. Or a forgery. Hard to tell. It's annoying to have one's transaction costs pushed up that high. I can get very high quality baseline software today. What I need for my cypherpunk wet dreams is ecash, and a nice anonymizing network. What I also need is that the general purpose computing environment stay free of control points, in the Lessig sense.
Adam
Re: Ross's TCPA paper
Ross Anderson wrote: ... that means making sure the PC is the hub of the future home network; and if entertainment's the killer app, and DRM is the key technology for entertainment, then the PC must do DRM. Recently there have been a number of articles pointing out how much money Microsoft is losing on Xbox sales. To some extent, of course, console makers expect to lose money on the consoles themselves, making it up on the games. However Microsoft seems to be losing more than anyone else. Perhaps Microsoft don't care, because the Xbox is one vision they have of the future. Gradually it starts running more than just games, but you still get the ease of use and security of a console. It's always risky making predictions, but I think that over the next few years, free software will do in the desktop space what has already happened in the server space. There is a kind of economic inevitability about it; competing with a free product of equivalent quality is virtually impossible. Now, Gates isn't stupid, and I'm sure he's aware of this risk. So we have various alternative strategies. One is web services. The other strategy is to become more closed at the same time as everyone else is becoming more open. That strategy is the Xbox, which may over time evolve into the kind of tamper resistant system that we have been talking about. During my investigations into TCPA, I learned that HP has started a development program to produce a TCPA-compliant version of GNU/linux. I couldn't figure out how they planned to make money out of this. It might simply be useful that it exists. If people complain that they can't run Linux on the new systems, it could create all sorts of anti-trust problems. However, even if they didn't try to make money out of the product, it still wouldn't be free in the freedom sense. A similar problem to this has already come up, albeit in a much less serious form. 
When the Mindterm ssh client is used as an applet, it needs to be signed in order to be maximally useful. At one point it was available under the GPL, but of course if you changed it the signature was invalidated. In this case you could at least get your own code signing key, but there were problems. Firstly it cost money. Secondly by signing code that you didn't write, you would be taking responsibility for something being secure when you had no easy way of verifying that. You need a valid signature on the binary, plus a cert to use the TCPA PKI. That will cost you money (if not at first, then eventually). I think it would be a breach of the GPL to stop people redistributing the signature: You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. This doesn't help with your other point, though; people wouldn't be able to modify the code and have a useful end product. I wonder if it could be argued that your private key is part of the source code? Anyone will be free to make modifications to the pruned code, but in the absence of a signature the resulting O/S won't enable users to access TCPA features. What if the DRM system was cracked by means of something that you were allowed to do under the GPL? If they use the DMCA, or the Motherhood and Apple Pie Promotion Act against you, they have to stop distributing Linux. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. BTW, Ross, does Microsoft Research in Cambridge work on this kind of technology?
-- Pete
Re: Ross's TCPA paper
The amazing thing about this discussion is that there are two pieces of conventional wisdom which people in the cypherpunk/EFF/freedom communities adhere to, and they are completely contradictory. The first is that protection of copyright is ultimately impossible. See the analysis in Schneier and Kelsey's Street Performer Protocol paper, http://www.counterpane.com/street_performer.pdf. Or EFF columnist Cory Doctorow's recent recitation of the conventional wisdom at http://boingboing.net/2002_06_01_archive.html#85167215: providing an untrusted party with the key, the ciphertext and the cleartext but asking that party not to make a copy of your message is just silly, and can't possibly work in a world of Turing-complete computing. The second is that evil companies are going to take over our computers and turn us into helpless slaves who can only sit slack-jawed as they force-feed us whatever content they desire, charging whatever they wish. The recent outcry over TCPA falls into this category. Cypherpunks alternate between smug assertions of the first claim and panicked wailing about the second. The important point about both of them, from the average cypherpunk's perspective, is that neither leaves any room for action. Both views are completely fatalistic in tone. In one, we are assured victory; in the other, defeat. Neither allows for human choice. Let's apply a little common sense for a change, and analyze the situation in the context of a competitive market economy. Suppose there is no law forcing people to use DRM-compliant systems, and everyone can decide freely whether to use one or not. This is plausible because, if we take the doom-sayers at their word, the Hollings bill or equivalent is completely redundant and unnecessary. Intel and Microsoft are already going forward. The BIOS makers are on board; TPM chips are being installed. In a few years there will be plenty of TCPA compliant systems in use and most new systems will include this functionality. 
Furthermore, inherent to the TCPA concept is that the chip can in effect be turned off. No one proposes to forbid you from booting a non-compliant OS or including non-compliant drivers. However the TPM chip, in conjunction with a trusted OS, will be able to know that you have done so. And because the chip includes an embedded, certified key, it will be impossible to falsely claim that your system is running in a trusted mode - only the TPM chip can convincingly make that claim. This means that whether the Hollings bill passes or not, the situation will be exactly the same. People running in trusted mode can prove it; but anyone can run untrusted. Even with the Hollings bill there will still be people using untrusted mode. The legislation would not change that. Therefore the Hollings bill would not increase the effectiveness of the TCPA model. And it follows, then, that Lucky and Ross are wrong to claim that this bill is intended to legislate use of the TCPA. The TCPA does not require legislation. Actually the Hollings bill is clearly targeted at the analog hole, such as the video cable that runs from your PC to the display, or the audio cable to your speakers. Obviously the TCPA does no good in protecting content if you can easily hook an A/D converter into those connections and digitize high quality signals. The only way to remove this capability is by legislation, and that is clearly what the Hollings bill targets. So much for the claim that this bill is intended to enforce the TCPA. That claim is ultimately a red herring. It doesn't matter if the bill exists, what matters is that TCPA technology exists. Let us imagine a world in which most new PCs have TCPA built-in, Microsoft OS's have been adapted to support it, maybe some other OS's have been converted as well. The ultimate goal, according to the doom-sayers, is that digital content will only be made available to people who are running in trusted mode as determined by the TPM chip built into their system. 
This will guarantee that only an approved OS is loaded, and only approved drivers are running. It will not be possible to patch the OS or insert a custom driver to intercept the audio/video stream. You won't be able to run the OS in a virtual mode and provide an emulated environment where you can tap the data. Your system will display the data for you, and you will have no way to capture it in digital form. Now there are some obvious loopholes here. Microsoft software has a track record of bugs, and let's face it, Linux does, too. Despite the claims, the TCPA by itself does nothing to reduce the threat of viruses, worms, and other bug-exploiting software. At best it includes a set of checksums of key system components, but you can get software that does that already. Bugs in the OS and drivers may be exploitable and allow for grabbing DRM protected content. And once acquired, the data can be made widely available. No doubt the OS will be built to allow
Re: Ross's TCPA paper
Ross Anderson writes: During my investigations into TCPA, I learned that HP has started a development program to produce a TCPA-compliant version of GNU/linux. I couldn't figure out how they planned to make money out of this. On Thursday, at the Open Source Software Economics conference, I figured out how they might. ... The business model, I believe, is this. HP will not dispute that the resulting `pruned code' is covered by the GPL. You will be able to download it, compile it, check it against the binary, and do what you like with it. However, to make it into TCPA-linux, to run it on a TCPA-enabled machine in privileged mode, you need more than the code. You need a valid signature on the binary, plus a cert to use the TCPA PKI. That will cost you money (if not at first, then eventually). H Not clear that this really works to make money. The GPL allows everyone to redistribute HP's software verbatim, right? So a cert on one copy of the software will work on everyone's. How can HP make money on a product that everyone can copy freely, when they can all share the same cert? It's true that modified versions of the software would not be able to use that cert, and it would no doubt be expensive to get a new cert for the modified software. But that still gives HP no monopoly on selling or supporting its own version. Anyone can step in and do that. Is the cert itself supposed to be somehow copyrighted? Kept secret? Will it be illegal to publish the cert, to share it with someone else? This seems pretty questionable both in terms of copyright law (since a cert is a functional component) and in terms of the GPL (which would arguably cover the cert and forbid restrictively licensing it). It seems more likely that the real purpose is to bring the benefits of TCPA to the Linux world. As an innovator in this technology HP will gain in reputation and be the source that people turn to for development and support in this growing area. 
The key to making money from open source is reputation. Being first makes good economic sense. You don't need conspiracy theories.
RE: Ross's TCPA paper
Mike wrote quoting Lucky: trusted here means that the members of the TCPA trust that the TPM will make it near impossible for the owner of that motherboard to access supervisor mode on the CPU without their knowledge, they trust that the TPM will enable them to determine remotely if the customer has a kernel-level debugger loaded, and they trust that the TPM will prevent a user from bypassing OS protections by installing custom PCI cards to read out memory directly via DMA without going through the CPU. I don't see how they expect this to work. We've already got cheap rip off motherboards, who's gonna stop cheap rip off TPM's that ain't really T? I think it moves the game into a smaller field where the players all have some bucks to begin with, but somebody will create a TPM that looks like the real thing, but runs cypherpunk code just fine. I agree with your assertion that TPM's can't prevent DRM from being broken. Nor is this the intent of introducing TPM's. The vendors have realized that they have to raise the technical bar only so high to keep those most inclined to break their systems (i.e. 16-year old Norwegians) from doing so. Those that have the knowledge and resources to break TCPA systems either won't have the time because they are engaged in gainful employment, won't be willing to take the risk, because they have accumulated sufficient material possessions to be unwilling to risk losing their possessions, not to mention their freedom, in litigation, or will break the security for their own gain, but won't release the crack to the public. Criminal enterprise falls into the latter category. The content vendors, which in this case includes the operating system and application vendors, dislike, but can live with, major criminal enterprise being the only other party to have unfettered access, since criminal enterprise is just another competitor in the market place. Most business models can survive another competitor. 
Where business models threaten to collapse is when the marginal cost of an illegal copy goes to zero and the public at large can obtain your goods without payment. I don't know if the TCPA's efforts will prevent this, but in the process of trying to achieve this objective, the average computer users, and even many advanced computer users, will find themselves in a new relationship with their PC: that of a pure consumer, with the only choices available to them being what the 180 TCPA members' digital signatures permit. Cloning TPM's is difficult, though not impossible. Note that all TPM's unique initial internal device keys are signed at time of manufacture by a derivative of the TCPA master key. Unless you are one of the well-known chipset or BIOS manufacturers, you can't get your TPM products signed. It is theoretically possible, though far from easy, to clone an entire TPM, keys and all. However, the moment those fake TPM's show up in the market place, their keys will simply be listed in the next CRL update. And if your OS and TPM's miss a few CRL updates, your commercial OS and all your applications will stop working. As might in the future your video card, your PCI cards, your hard drive, and your peripherals. You can try to hack around the code in the OS or firmware that performs the checks, as long as you are willing to operate your machine permanently off the Net from then on, because your system will fail the remote integrity checks, but given that this and other security relevant code inside the OS and applications are 3DES encrypted and are only decrypted inside the TPM, you can't just read the object code from disk, but get to first microprobe the decrypted op codes off the bus before taking a debugger to the code. Not a trivial task at today's PC bus speeds. Nor can you get too aggressive with the hacks, since your Fritz may simply flush the keys and leave you with a bunch of 3DES encrypted op codes and no corresponding decryption keys.
Reverse engineering turns pretty dim at that point. None of these obstacles are impossible to overcome, but not by Joe Computer User, not by even the most talented 16-year old hacker, and not even by many folks in the field. Sure, I know some that could overcome it, but they may not be willing to do the time for what by then will be a crime. Come to think of it, doing so already is a crime.
--Lucky Green
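The remote integrity check this thread describes (a module key certified at manufacture, a revocation list for cloned keys, and a signed report of what was booted), sketched from the verifier's side as an added example that is not part of any message in the thread or of the TCPA specification. Textbook RSA over fixed small primes stands in for the real signature scheme, and every key, component name and function here is constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys in this example

def toy_keypair(p, q):
    """Textbook RSA from two fixed primes: (modulus, private exponent).
    Toy sizes and no padding; an assumption for illustration only."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest_int(data, n):
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest_int(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest_int(data, n)

def extend(register, component):
    """Fold one component into the running register:
    new = SHA1(old || SHA1(component)). Order and content both matter."""
    return hashlib.sha1(register + hashlib.sha1(component).digest()).digest()

def measure_boot(components):
    register = b"\x00" * 20
    for component in components:
        register = extend(register, component)
    return register

class Chip:
    """Constructed model of the module: a private device key that never
    leaves the object, plus a certificate issued by the manufacturer."""
    def __init__(self, p, q, maker_n, maker_d):
        self.n, self._d = toy_keypair(p, q)
        self.cert = sign(str(self.n).encode(), maker_n, maker_d)

    def quote(self, components, nonce):
        """Report what was booted, signed together with the verifier's nonce."""
        register = measure_boot(components)
        return register, sign(register + nonce, self.n, self._d)

def check_quote(maker_n, revoked, trusted, device_n, cert, register, nonce, sig):
    """Verifier side: each check answers a different question."""
    if not verify(str(device_n).encode(), cert, maker_n):
        return "uncertified key"          # not issued by the manufacturer
    if device_n in revoked:
        return "revoked key"              # listed in the CRL
    if not verify(register + nonce, sig, device_n):
        return "bad quote"                # forged or replayed report
    if register not in trusted:
        return "untrusted configuration"  # genuine chip, unapproved software
    return "trusted"

# Constructed sample data: manufacturer key, one certified chip, two boot chains.
MAKER_N, MAKER_D = toy_keypair(2**89 - 1, 2**127 - 1)
CHIP = Chip(2**61 - 1, 2**107 - 1, MAKER_N, MAKER_D)
APPROVED = [b"bios-1.0", b"loader-1.0", b"kernel-1.0"]
PATCHED = APPROVED[:2] + [b"kernel-1.0+debugger"]
TRUSTED = {measure_boot(APPROVED)}

def demo():
    nonce = b"verifier-nonce-1"
    results = {}
    reg, sig = CHIP.quote(APPROVED, nonce)
    results["approved"] = check_quote(
        MAKER_N, set(), TRUSTED, CHIP.n, CHIP.cert, reg, nonce, sig)
    results["replayed"] = check_quote(
        MAKER_N, set(), TRUSTED, CHIP.n, CHIP.cert, reg, b"verifier-nonce-2", sig)
    results["revoked"] = check_quote(
        MAKER_N, {CHIP.n}, TRUSTED, CHIP.n, CHIP.cert, reg, nonce, sig)
    reg, sig = CHIP.quote(PATCHED, nonce)
    results["patched"] = check_quote(
        MAKER_N, set(), TRUSTED, CHIP.n, CHIP.cert, reg, nonce, sig)
    # A module whose key was certified by someone other than the manufacturer.
    other = Chip(2**89 - 1, 2**107 - 1, *toy_keypair(2**61 - 1, 2**127 - 1))
    reg, sig = other.quote(APPROVED, nonce)
    results["self_certified"] = check_quote(
        MAKER_N, set(), TRUSTED, other.n, other.cert, reg, nonce, sig)
    return results

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15} {verdict}")
```

The "untrusted configuration" verdict is the case the thread argues over: the chip and its key are genuine and the owner has booted what they chose, but the verifier can tell and can decline to serve them.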
Re: Ross's TCPA paper
Lucky Green writes regarding Ross Anderson's paper at: http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/toulouse.pdf I must confess that after reading the paper I am quite relieved to finally have solid confirmation that at least one other person has realized (outside the authors and proponents of the bill) that the Hollings bill, while failing to mention TCPA anywhere in the text of the bill, was written with the specific technology provided by the TCPA in mind for the purpose of mandating the inclusion of this technology in all future general-purpose computing platforms, now that the technology has been tested, is ready to ship, and the BIOS vendors are on side. It's an interesting claim, but there is only one small problem. Neither Ross Anderson nor Lucky Green offers any evidence that the TCPA (http://www.trustedcomputing.org) is being designed for the support of digital rights management (DRM) applications. In fact if you look at the documents on the TCPA web site you see much discussion of applications such as platform-based ecommerce (so that even if a user's keys get stolen they can't be used on another PC), securing corporate networks (assuring that each workstation is running an IT-approved configuration), detecting viruses, and enhancing the security of VPNs. DRM is not mentioned. Is the claim by Ross and Lucky that the TCPA is a fraud, secretly designed for the purpose of supporting DRM while using the applications above merely as a cover to hide their true purposes? If so, shouldn't we expect to see the media content companies as supporters of this effort? But the membership list at http://www.trustedcomputing.org/tcpaasp4/members.asp shows none of the usual suspects. Disney's not there. Sony's not there. No Viacom, no AOL/Time/Warner, no News Corp. The members are all technology companies, including crypto companies like RSA, Verisign and nCipher. 
Contrast this for example with the Broadcast Protection Discussion Group whose ongoing efforts are being monitored by the EFF at http://www.eff.org/IP/Video/HDTV/. There you do find the big media companies. That effort is plainly aimed at protecting information and supporting DRM, so it makes sense that the companies most interested in those goals are involved. But with the TCPA, the players are completely different. And unlike with the BPDG, the rationale being offered is not based on DRM but on improving the trustworthiness of software for many applications. Ross and Lucky should justify their claims to the community in general and to the members of the TCPA in particular. If you're going to make accusations, you are obliged to offer evidence. Is the TCPA really, as they claim, a secretive effort to get DRM hardware into consumer PCs? Or is it, as the documents on the web site claim, a general effort to improve the security in systems and to provide new capabilities for improving the trustworthiness of computing platforms?
RE: Ross's TCPA paper
Anonymous writes: Lucky Green writes regarding Ross Anderson's paper at: Ross and Lucky should justify their claims to the community in general and to the members of the TCPA in particular. If you're going to make accusations, you are obliged to offer evidence. Is the TCPA really, as they claim, a secretive effort to get DRM hardware into consumer PCs? Or is it, as the documents on the web site claim, a general effort to improve the security in systems and to provide new capabilities for improving the trustworthiness of computing platforms?

Anonymous raises a valid question. To hand Anonymous additional rope, I will even assure the reader that when questioned directly, the members of the TCPA will insist that their efforts in the context of TCPA are concerned with increasing platform security in general and are not targeted at providing a DRM solution. Unfortunately, and I apologize for having to disappoint the reader, I do not feel at liberty to provide the proof Anonymous is requesting myself, though perhaps Ross might. (I have no first-hand knowledge of what Ross may or may not be able to provide). I however encourage readers familiar with the state of the art in PC platform security to read the TCPA specifications, read the TCPA's membership list, read the Hollings bill, and then ask themselves if they are aware of, or can locate somebody who is aware of, any other technical solution that enjoys a similar level of PC platform industry support, is anywhere as near to wide-spread production as TPM's, and is of sufficient integration into the platform to be able to form the platform basis for meeting the requirements of the Hollings bill. Would Anonymous perhaps like to take this question?
--Lucky Green
Ross's TCPA paper
I recently had a chance to read Ross Anderson's paper on the activities of the TCPA at http://www.cl.cam.ac.uk/ftp/users/rja14/.temp/toulouse.pdf I must confess that after reading the paper I am quite relieved to finally have solid confirmation that at least one other person has realized (outside the authors and proponents of the bill) that the Hollings bill, while failing to mention TCPA anywhere in the text of the bill, was written with the specific technology provided by the TCPA in mind for the purpose of mandating the inclusion of this technology in all future general-purpose computing platforms, now that the technology has been tested, is ready to ship, and the BIOS vendors are on side. Perhaps the Hollings Consumer Broadband and Digital Television Promotion Act bill would be more accurately termed the TCPA Enablement Act. BTW, the module that Ross calls a Fritz in his paper after the author of the bill, long had a name: it is called a Trusted Platform Module (TPM). Granted, in the context of the TCPA and the Hollings bill, the term trusted is used somewhat differently than the customers of future motherboards, which are all slated to include a TPM, might expect: trusted here means that the members of the TCPA trust that the TPM will make it near impossible for the owner of that motherboard to access supervisor mode on the CPU without their knowledge, they trust that the TPM will enable them to determine remotely if the customer has a kernel-level debugger loaded, and they trust that the TPM will prevent a user from bypassing OS protections by installing custom PCI cards to read out memory directly via DMA without going through the CPU. 
The public and the media now need to somehow, preferably soon, arrive at the next stage of realization: the involvement in the TCPA by many companies whose CEOs wrote the widely distributed open letter to the movie studios, telling the studios, or more precisely -- given that it was an open letter -- telling the public, that mandating DRM's in general-purpose computing platforms may not be a good idea, is indicative of one of two possible scenarios:

1) the CEOs of said computer companies are utterly unaware of a major strategic initiative their staff has been diligently executing for about 3 years, in the case of the principals in the TCPA, such as Intel, Compaq, HP, and Microsoft, several years longer.

2) the CEOs wrote this open letter as part of a deliberate good cop, bad cop ploy, feigning opposition to DRM in general computing platforms to pull the wool over the public's eye for hopefully long enough to achieve widespread deployment of the mother of all DRM solutions in the market place.

I do not know which of the two potential scenarios holds true. However, I believe public debate regarding the massive change in the way users will interact with their future computers due to the efforts of the TCPA and the Hollings bill would be greatly aided by attempts to establish which of the two scenarios is in fact the case.
--Lucky Green
Re: Ross's TCPA paper
Ross has shifted his TCPA paper to: http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/toulouse.pdf

At 07:03 PM 6/22/2002 -0700, Lucky wrote: I recently had a chance to read Ross Anderson's paper on the activities of the TCPA at http://www.cl.cam.ac.uk/ftp/users/rja14/.temp/toulouse.pdf