*********

Date: Tue, 26 Jan 1999 10:12:43 -0500
To: [EMAIL PROTECTED]
From: Bob Stratton <[EMAIL PROTECTED]>
Subject: Re: FC: Intel backs down

At 09:15 AM 1/26/99 -0500, you wrote:
>[I'm also not a fan of Intel's move, but I think it's reasonable to note
>that every computer with Ethernet hardware has a unique ID number that some
>programs have used for at least a decade to thwart piracy, for instance.
>Seems to me that civil libertarians irked about "digital fingerprints" and
>"virtual Social Security numbers" should start thinking twice about
>computers with network connections. After all, while the Pentium Problem
>applies only to PCs, Macs and Suns have Ethernet built-in... --Declan]

I had a chat with one of the boycott organizers about this yesterday. As it happens most popular workstation vendors have included something called a "host ID" in their systems for over a decade now. While it's on the motherboard and not resident in the CPU, the difference is essentially immaterial.

I asked this well known privacy activist (for whom I have the greatest respect) why they wouldn't then boycott Sun, HP, SGI, and IBM for starters, since they've been doing the EXACT SAME THING for MUCH LONGER. The only answer I got was that workstations aren't intended for the "consumer". When I asked what the difference between a $4000 workstation and a PC was, the answer was $3000. When I mentioned all of the educational institutions which use workstations, and why they wouldn't be ample justification for a boycott against w/s vendors I didn't get an answer.

Now I'm not thrilled about host ID's. I hate to have to give them out in order to buy software for Suns, and I'm generally in agreement with Bruce Schneier and Austin Hill's comments about the security flaws in this approach to user security, but...

- Let's not forget why Intel is really doing this: Chip piracy, people knocking over trucks to steal inventory, chip re-stampers, and overclockers. Most of the recent new CPU releases have each included some new technology to frustrate people from doing things Intel doesn't want them to do. I don't like it, but there's always AMD and Cyrix.

- It seems to me that we should be patting them on the back for deciding to integrate decent (or more decent than those to date) random number generators in the CPU. Having worked on network crypto hardware, it would be a damn sight better than having to count pulses from the floppy drive controller and some of the other hacks that people have had to use because good RNGs are so expensive. In fact, one of the best hardware RNGs is even RADIOACTIVE. So far as I can tell, Intel's isn't. (I can't wait for the Newbridge boycott by Greenpeace..."Does your PC glow?")

- I work in the information security field and I'm regularly criticized by my friends for not wishing to disclose personal information, but it seems there is a huge leap between having a host ID, and "being tracked by web sites." You need complicity from both the OS and the browser. Now I wouldn't put this past Microsoft, but I run filtering software separately anyway.

- While I am regularly disappointed by the lack of respect for privacy on the part of both government and business in the U.S., this latest campaign is faintly reminiscent of the people on late night shortwave who are afraid of the government mind control lasers.

Oops, I shouldn't have mentioned that...I have to go.

Robert Stratton, Vice President       Mail: <[EMAIL PROTECTED]>
Security Design International, Inc.   TEL: +1 703 847 8282
URL: http://www.sdii.com              FAX: +1 703 641 9090

************

Date: Tue, 26 Jan 1999 11:17:29 -0500
To: [EMAIL PROTECTED]
From: "K. M. Peterson" <[EMAIL PROTECTED]>
Subject: Re: FC: Intel backs down

I'm also a bit mystified over this for several reasons...

First, the real application that I can see is anti-piracy. Having worked in the IBM System/370 years, where any application could query the CPUID, this is a pretty good way for network/systems managers to keep track of their assets, including the use of software. After all, in a corporate environment (and even the educational one, as I keep reminding people around here), it's the corporation or institution's responsibility to ensure that people are not running illegally copied software. For software vendors this could be a win, as one could now lock software to a particular system.

Second, the hardware (where Intel comes in) doesn't talk directly to the network. The real issue is browser support for this functionality, and given market pressures I don't think you're going to find Netscape or MSIE are going to "enforce" CPUID reporting any more than they do cookies. To say that this is a privacy concern because it's enabled in hardware just doesn't seem convincing to me, as it could be very useful in some circumstances -- just ensure the OS support allows selective blocking, as well as the web browsers. (To say this function gets "turned on" or "turned off" also does not make sense to me... why can't it perform like the cookie implementations and just "ask"?)

Having a CPU serial number seems like not too bad an idea... as long as entities have the ability to opt out of having their serial number sent to outside parties. The balance is between the ability of organizations to control use of software (whether as vendors or users), and the right of computer users not to have to share this information with third-parties. This technology would enable the good of decreasing software piracy with the bad of (with browser support) the "fingerprinting" that worries privacy advocates. Whether this is a good first step towards the first goal or a bad first step towards the second scenario is the real question.

---
K. M. Peterson <mailto:[EMAIL PROTECTED]>   voice: +1 617 731 6177
Boston, Massachusetts, USA                  fax: +1 617 730 5969

--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe: send a message to [EMAIL PROTECTED] with this text:
subscribe politech
More information is at http://www.well.com/~declan/politech/
--------------------------------------------------------------------------
