At Tue, 29 Aug 2006 10:41:22 +0200, Christian Stüble <[EMAIL PROTECTED]> wrote: > Am Donnerstag, 17. August 2006 09:18 schrieb Marcus Brinkmann: > > > > > > To prevent misunderstandings: I don't want to promote TC, nor do I > > > like its > > > technical instantiation completely. IMO there are a lot of technical > > > and > > > social issues to be corrected; that's the reason why I am working on > > > this > > > topic. Nevertheless, a lot of intelligent researchers have worked on > > > it, and > > > therefore it makes IMO sense to analyse what can be done with this > > > technology. In fact, who else should do this? > > > > If the technology is fundamentally flawed, then the correct answer is > > "nobody", and instead it should be rejected outright. > IMO not. Maybe this is an influence of my PhD-advisor(s), but I would try to > _prove_ that the technology is fundamentally flawed. BTW, the abstract > security properties provides are IMO useful.
Well, I believe that my arguments, as disclosed in the email I referenced, comes as close to a proof as you can get in a discussion about social issues, where not much is known with scientific confidence. > > > You are asking a lot of questions that I cannot answer, because they > > > are > > > the well known "open issues". The challenge is to be able to answer > > > them > > > sometimes... > > > > If they are open issues, where does the confidence come from your research > > group that they not only can be solved, but in fact that they are solved in > > your design? From the EMSCB home page (under "Benefits"): > I am sure we cannot solve all problems. However, some of the problems already > have been solved (e.g., on design requirement is to ensure that application > cannot violate the user's security policy, as descibed by Ross). But I don't > want to discuss about one of our projects, nor about the group itself. Only > about the given privacy use case. If you know that you cannot solve all problems, why does your group claim repeatedly on your web page that you have, indeed, found a solution that "guarantees a balance among interests"? > > I asked for use cases that have a clear benefit for the public as a whole > > or the free software community. > I personally would like to be able to enforce my privacy rules even on > platforms that have another owner. If you can enforce a property about a system, then it is not owned exclusively by another party. That's a contradiction in terms. What you can do is to engage in a contract with somebody else, where this other party will, for the purpose of the contract (ie, the implementation of a common will), alienate his ownership of the machine so that it can be used for the duration and purpose of the contract. The contract may have provisions that guarantee your privacy for the use of it. But, the crucial issue is that for the duration the contract is engaged under such terms, the other party will *not* be the owner of the machine. > > > If there > > > are two > > > comparable open operating systems - one providing these features and > > > one that > > > does not, I would select the one that does. I do not want to discuss > > > the > > > opinion of the government or the industry. And I don't want to > > > discuss > > > whether people are intelligent enough to use privacy-protecting > > > features or > > > not. If other people do not want to use them, they don't have to. My > > > requirement is that they have the chance to decide (explicitly or by > > > defining, or using a predefined, privacy policy enforced by the > > > system). > > > > I am always impressed how easily some fall to the fallacy that the use of > > this technology is voluntarily for the people. It is not. First, the use > > of the technology will be required to access the content. And people will > > need to access the content, to be able to participate in our culture and > > society. All the major cultural distribution channels are completely owned > > by the big industry, exactly because this allows these industries to have a > > grip-hold over our culture. There is an option for popular struggle > > against this, but it will require a huge effort, and success is by no means > > guaranteed. > I did not talk about TC in general, but about the "privacy-protecting agent". I am not sure what you mean by that term. The crucial point here is that TC removes the choice from the people which software to run. > > In the end, this technology, if it succeeds, will be pushed down people's > > throat. Everybody seems to know and admit this except the "intelligent > > researchers" (well, and the marketing departments of the big corporations). > Do you think that the open-source community will implement such features? They may, either because they support them or because there is a tactical reason to do so. I am not part of the open-source community, I am part of the free software community, and there the only reason to support such features would be tactical to not give ground back to proprietary software vendors. However, it seems that the free software community forcefully rejects this technology, and implements various means to protect itself from these developments. The Defective By Design movement does political activism against it, and the GPL v3 will contain provisions that prohibit the use of free software on restricted systems. > Do you expect that nobody will use open-source, if the industry will > implement > such features? I fully expect them to do so. In fact, they are already doing it. This is why the GPLv3 will contain provisions against it. > Do you expect that the european governments will use software > violating privacy laws if there is a better and secure alternative? Privacy laws are not violated by software, they are violated by people. The decision which software to use for any given project will (hopefully) be guided by many factors, including questions of protection, but also including questions of access to data. > > > This is (except of the elementary security properties provided by the > > > underlying virtualization layer, e.g., a microkernel) an > > > implementation > > > detail of the appropriate service. There may be implementations > > > enforcing > > > strong isolation between compartments and others that do not. That't > > > basic > > > idea behind our high-level design how to provide multilateral > > > security: The > > > system enforces the user-defined security policy with one exception: > > > Applications can decide themselves whether they want to continue > > > execution > > > based on the (integer) information they get (e.g., whether the GUI > > > enforces > > > isolation or not). But this requires that users cannot access the > > > applications's internal state. > > > > That's incompatible with my ideas on user freedom and protection the user > > from the malicious influences of applications. > I know. But this is IMO a basic requirement to be able to provide some kind > of > multilateral security. A negotiation of policies 'before' the application is > executed. It's not a requirement to provide multilateral security, it is only a requirement for an attempt to enforce multilateral security by technological means. Issues of multilateral security exists since the first time people engaged into contracts with each other. The problem with negotiation of policies is that balanced policies as they exist in our society are not representable in a computer, and that the distribution of power today will often do away with negotiation altogether. I think it is very important to understand what "balanced policies" means in our society. For example, if an employer asks in a job interview if the job applicant is pregnant or wants a child in the near future, the applicant is allowed to consciously lie. Similarly, shrink-wrap licenses often contain unenforcable provisions. However, one does not need to negotiate the provisions, one can simply "accept" them and then violate them without violating the law. Our social structure allows for bending of the rules in all sort of places, including situations which involve an imbalance of power (as the above examples), emergencies, customary law, and cases where simply no one cares. Thus, it is completely illusorical to expect that a balanced policy can be defined in the terms of a computing machine, and that it is the result of _prior_ negotiation. Life is much more complicated than that. Thus, "Trusted computing" and the assumptions underlying its security model are a large-scale assault on our social fabric if deployed in a socially significant scope. > > It is also incompatible with the free software principles. > What exactly is in your opinion incompatible with the free software > principles? From the current GPLv3 draft: "Some computers are designed to deny users access to install or run modified versions of the software inside them. This is fundamentally incompatible with the purpose of the GPL, which is to protect users' freedom to change the software. Therefore, the GPL ensures that the software it covers will not be restricted in this way." The views of the FSF on DRM and TC are well-published, and easily available. For example, search for "TiVo-ization". What is incompatible with the free software principles is exactly this: I am only free to run the software that I want to run, with my modifications, if the hardware obeys my command. If the hardware puts somebody else's security policy over mine, I lose my freedom to run modified versions of the software. This is why any attempt to enforce the security policy of the author or distributor of a free software work is in direct conflict with the rights given by the free software license to the recipient of the work. Thanks, Marcus _______________________________________________ L4-hurd mailing list [email protected] http://lists.gnu.org/mailman/listinfo/l4-hurd
