90 Comments
- Senn, on 12/23/2007, -2/+42: As long as it isn't used for DRM or corporate control of "trusted" code, Trusted Computing can be a useful tool.
Don't get your tin foil hats in a twist, people.
- wigren, on 12/23/2007, -3/+35: Buzzword alert.
- BlueSkyfish, on 12/23/2007, -3/+31: Trusted computing is the new DRM.
- schestowitz, on 12/23/2007, -9/+31: To those who think it's about trust, watch this video: http://www.youtube.com/watch?v=8QuptMSA1rs
- DamnMan, on 12/23/2007, -3/+25: "We are sorry your computer does not meet the requirements to install Omni-Mega Corporations® Wallet Raper™ HDDVD© and BluRay© video player for Linux® platform. Please direct your browser to IBM.com and install the trusted computer module and try the installation again"
You see where this is going, right?
- BrainInAJar, on 12/23/2007, -1/+20: Like everything else in every other opensource OS, if you don't want that feature, don't compile it in...
Corporations that want to keep control of all their machines will want to compile it in. Home users will probably not.
- AntidoteSqrd, on 12/23/2007, -1/+19: Well someone has to say it...
DO NOT WANT!
- parax, on 12/23/2007, -0/+15: It's a universal rule. Anytime someone says "Trust me.", don't trust them.
- GRTWHT, on 12/23/2007, -0/+14: http://www.gnu.org/philosophy/can-you-trust.html - good overview article that explains what "Trusted Computing" is all about.
- banmaster, on 12/23/2007, -3/+16: No! It's about DRM!!
A TPM module is exactly the same as Apple uses to lock OSX to Apple-only hardware! Don't let your blind love of Linux/OSS blinker you to the realities of what Trusted Computing is actually about!
It's NOT for your benefit, it's to keep you under control, as simple as that!
- BenBenMan, on 12/23/2007, -1/+13: ...cha wish your girlfriend was hawt like me?
- meez, on 12/23/2007, -0/+12: As long as it's 100% optional then I don't care, however the second they start sneaking these onto my components, the tin foil is on.
- estvir, on 12/23/2007, -2/+12: "New" ?
- mrsteveman1, on 12/23/2007, -3/+13: I hope that was sarcasm because you're 100% wrong.
Apple doesn't use TPMs, they use the SMC module to lock OS X to their hardware.
TPM in the wrong hands can be used for DRM, but we are talking about Linux here, not Microsoft.
I have a Linux server with a TPM chip in it, I use it to make sure someone hasn't screwed with the bootsector or the kernel while I wasn't looking. Care to tie that to DRM somehow?
Your obsession with opposing the TPM without cause will bite you in the ass one day, it has far more valid uses than simply DRM.
- kazamx, on 12/23/2007, -0/+9: Why? Linux isn't like Microsoft. If you don't like something, you can take the source code, take out the bits you don't like and then give it away for free.
For example I take the Firefox code, and change all the icons to a picture of me and call it Kazamx. I then install that on all my computers, parents' computers and non-tech friends/relatives. They all now run a browser called kazamx and have my ugly mug staring out at them. It's 100% legal and 1000% fun.
- falafelkiosken, on 12/23/2007, -1/+10: It's evil
- jopsen, on 12/23/2007, -3/+12: Now this is why we need GNU GPLv3... It's good GNU's already going GPLv3.
- DamnMan, on 12/23/2007, -0/+8: Yes and no. "Where there is a will there is a way" may be true, but it would most likely require them to break IBM's entire trusted computer model. You're forgetting the hardware aspect of this prototype. The installation could run a complete 'authentication' session before installing. So, for example, it would break down something like this.
You pop your new copy of Activision's "Tony Hawk 43, Geriatric Edition" into the disk tray and run Installer.Bin. The embedded bash script runs a helper application which uses a kernel level driver to read an encryption key off the chip helpfully embedded on your CPU by Intel. The helper application then sends this key to Activision along with the unique key on the disk. Activision's server then checks this key against a database/algorithm to make sure it's a "good" Intel key and locks your copy of the game to that key and that key alone and the installation starts.
Faking it wouldn't work in this case. You can pick any lock but when they start tying the locksmith's hands behind his back things get a lot harder.
- chris9902, on 12/23/2007, -0/+8: http://www.linuxfromscratch.org
build your own if you don't like it.
- glinsvad, on 12/23/2007, -1/+8: @mrsteveman1
"TPM in the wrong hands can be used for DRM, but we are talking about Linux here, not Microsoft."
Actually Microsoft co-founded the Trusted Computing Platform Alliance in 1999...
- kazamx, on 12/23/2007, -1/+8: Skynet is born
- smek2, on 12/23/2007, -0/+6: I suggest reading that article and also checking about "trusted computing platform" and why it's so infamous. Go to http://www.againsttcpa.com/what-is-tcpa.html or http://www.gnu.org/philosophy/can-you-trust.html for example. It is exactly that what got security and user-freedom related groups in rage. It was called Platinum or something like that, a while ago and the worst case would be, that a company (say Microsoft for example) could dictate what software and hardware users are allowed to run. They could easily disable said software or hardware and the user could do nothing about it.
- meez, on 12/23/2007, -1/+7: I was hoping this video would come up, very well made, and I love that music.
- drag, on 12/23/2007, -0/+6: I'll give an example of how TPM can be used and you all can judge for yourself.
Right now the Linux kernel has support for a variety of 'Trusted Platform Modules'. It's had native support for a while. Then on top of that you have a version of Grub called 'Trusted Grub' that has support also.
The Linux bootloading sequence goes like this:
Grub boots first stage. Goes to the harddrive and fetches the rest of the bootloader stuff.
Grub loads the menu.lst file and then optionally provides a menu for you to select the OS and kernel to boot with.
Grub then loads the selected kernel and initrd into memory and executes the kernel.
The kernel mounts initrd, which is a small ram-based disk image at this point.
Initrd runs scripts and loads drivers that Linux needs to access the PC hardware.
Once initrd's scripts are finished then the kernel does a switch root and begins using the harddrive.
On the harddrive Linux launches init which then goes through the various init scripts executing them.
The init scripts run programs that further detect hardware and execute software and gradually load your operating system. Eventually you are presented with a login prompt of one sort or another.
Now with TPM the setup is the same. Except that everything is chained together in a 'trust' relationship.
Before the BIOS/EFI/whatever executes the bootloader TPM is used to test the signature on the bootloader.
Once the bootloader and its configuration files are confirmed to be correct then the bootloader is deemed safe and then executed.
Next the bootloader, which is now 'trusted', is used to check the integrity of the kernel and initrd. If those checksums/signatures are correct then they are safe also, and then are executed.
The initrd and kernel then work together to confirm the integrity of the drivers and file systems and whatever else you want. It's all userspace programs now, backed up by the TPM and kernel drivers, so pretty much anything you want to do you can do.
For example after you confirm the integrity of init and the first set of scripts and important programs you can then launch a program like AIDE, an open source host-based intrusion detection system for Linux, to go and then check the integrity of all the files on the system. Each part of the OS in turn then is linked in a chain.. confirming the identity and purity of the next link.
So that is one way it can work.
This would be an effective way to deal with kernel-level rootkits. Currently there is no defense against kernel-level rootkits, but this way at least they can be detected if you reboot your system. Previously things like AIDE required you to shut down your system and boot from read-only media or removable media or remove the drive and stick it into a secure system. In other words in order for things like AIDE or Tripwire to be effective on current PCs they require you to shut down the server and boot from a different operating system. On a rooted system you _can't_trust_anything_. No rootkit detector or virus scanner is really useful. Needless to say that this sort of thing is expensive and difficult and not too many people really do this.
This won't make your machine an iron fortress or anything like that. It's worthless against run-time exploits (like if there is a security hole in Apache that an attacker can use to get root). It just stops those exploits from working undetected through a reboot. For runtime detection of exploits.. this is what SELinux can be used for.
In situations like that the only thing that matters, from a moral perspective, is who owns the keys. If you, the owner of the PC, are given the ability to update your kernel and sign new bootloader configurations and such then that is wonderful. You can load what drivers you want, execute what programs, run whatever hardware you want. Run whatever kernel you want. You still will have the same rights and privileges you have now, but with the additional cheap security that TPM can offer. It's a Win-Win.
But it can be very evil if you do not have the right to update the software on your own machine.
With Microsoft Windows, which will also support TPM, they are doing things like requiring signed drivers. This could be good, but it's actually bad because you're not allowed to do the signing. In fact Microsoft will try to make it illegal for normal folk to just make signed drivers to do whatever they want. Instead Microsoft is selling OTHER PEOPLE the right to sign drivers for your machines.
In other words, if you start purchasing Vista 64bit machines with TPM fully enabled, (which is not happening yet, obviously, this is just a what-if) Microsoft would be giving other people, like Sony or Nvidia or MPAA, more rights to your machine than you would have.
THAT is what people hate about TPM.
If YOU own the keys then you get MORE control. TPM is good.
If you are denied the keys then you lose a massive amount of control and that control will be sold to corporations with enough money to pay for them. TPM is bad.
- Tiak, on 12/23/2007, -0/+5: It tells the program that trusted computing is already installed so it will run... Then what happens when it tries to access the module 30 times every second?... To get that to work you would have to actually emulate the Trusted Computing module... Which would involve cracking a 2048 bit key... The time to crack such a key on current hardware is over the age of the universe.
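The boot chain drag describes above, where each stage checks the next before running it, sketched as an added example that is not part of any comment in this thread. It models the TPM 1.2 PCR extend operation in Python; the stage names and byte strings are constructed sample data, and on real hardware the extend is performed inside the TPM.

```python
import hashlib

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: new PCR = SHA1(old PCR || SHA1(component))."""
    measurement = hashlib.sha1(component).digest()
    return hashlib.sha1(pcr + measurement).digest()


def measure_boot(stages):
    """Measure each stage in boot order; return final PCR and event log."""
    pcr = b"\x00" * PCR_SIZE  # PCRs reset to zero at power-on
    log = []
    for name, blob in stages:
        pcr = extend(pcr, blob)
        log.append((name, hashlib.sha1(blob).hexdigest()))
    return pcr, log


def first_mismatch(reference_log, observed_log):
    """Name of the first stage whose measurement differs, or None."""
    for (name, good), (_, seen) in zip(reference_log, observed_log):
        if good != seen:
            return name
    return None


# Constructed sample stages standing in for the real boot files.
GOOD_BOOT = [
    ("bootloader", b"grub stage1+stage2"),
    ("menu.lst", b"default 0\nkernel /vmlinuz root=/dev/sda1\n"),
    ("kernel", b"vmlinuz-2.6.23"),
    ("initrd", b"initrd-2.6.23.img"),
    ("init", b"/sbin/init"),
]

# Same chain with a modified kernel image (constructed tampering).
TAMPERED_BOOT = [(n, b + b" (modified)" if n == "kernel" else b)
                 for n, b in GOOD_BOOT]

if __name__ == "__main__":
    good_pcr, good_log = measure_boot(GOOD_BOOT)
    bad_pcr, bad_log = measure_boot(TAMPERED_BOOT)
    print("reference PCR:", good_pcr.hex())
    print("observed PCR: ", bad_pcr.hex())
    print("first changed stage:", first_mismatch(good_log, bad_log))
```

Because every extend folds in the previous register value, a changed kernel alters the final PCR even though the later stages are untouched, and measuring the same files in a different order gives a different value as well.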
- xodex, on 12/23/2007, -0/+5: "IBM plans to open source this Linux-based security solution to encourage its adoption by many computer system manufacturers, making this higher level of system integrity a common foundation."
Let's hope they don't get encouraged.
- t3soro, on 12/23/2007, -0/+5: it's still free. you have the choice to use it or not.
- kazamx, on 12/23/2007, -1/+6: Sure, but someone will release an App that tells the computer that it has Trusted Computing installed, while it doesn't really.
All locks can be picked. If they can stop us, we can stop them (well the really smart geeks can anyway)
- Vodd9, on 12/23/2007, -0/+5: I don't want this crap in any of the electronic stuff I buy. Sadly, I probably won't have any choice, thanks to the huge grip that big corporations have on the people. Vote Ron Paul and give them even less restrictions? ***** no.
- rickmb, on 12/23/2007, -1/+6: Trusted Computing is about third party control over *my* computer. That's all it does, that's all it's supposed to do. There is simply no other reason for its existence.
Now, the tin foil may come in when speculating about why *they* would want control over my computer...
- inactive, on 12/23/2007, -7/+12: This is not about DRM, this is about access control, as in SELinux or Trusted Solaris. Why would you spit on this concept, are you from the NSA? You should be grateful IBM is starting to bring cryptoprocessor technology to the general public.
- harlowsmonkeys, on 12/23/2007, -0/+4: IBM has a paper answering a lot of the FUD: http://www.research.ibm.com/gsal/tcpa/tcpa_rebutta ...
- aldenhg, on 12/23/2007, -4/+8: That's too bad. I like my OS free (as in beer and speech) (and puppies. Because free puppies are great)
- smek2, on 12/23/2007, -3/+7: "...that allows users to accurately validate the identity and integrity of all software running on a remote server and client machine." -- the USER you say? Hmmm. Last time I checked, Microsoft tried the same thing and got booed for its nefarious world domination schemes.
- glinsvad, on 12/23/2007, -0/+4: if(year>=1997) fireNukes();
- falafelkiosken, on 12/23/2007, -0/+3: Don't
- inactive, on 12/23/2007, -0/+3: Problem is what's considered optional. Maybe in future Silverflash will require this to operate the WMV codecs, if Silverlight takes off then you would need the TCM enabled. Maybe if you want to run a virtualized Linux on windows using MS technology it will need it too. There are heaps of ways the optional component can be forced onto you. Fortunately there's not a whole lot of non-opensource software I want to run.
There is also the problem of corporations getting legislation passed that forces you to use trusted computing.
It sounds a lot like Vernor Vinge's novel where the NSA have spy chips embedded into every device, great book.
- inactive, on 12/23/2007, -0/+3: Here's information on the book, it's under creative commons, I would have posted above but Digg's horrible time limit screwed me over:
http://en.wikipedia.org/wiki/Rainbows_End
http://vrinimi.org/rainbowsend.html - the book itself.
- STKD, on 12/23/2007, -0/+3: Utter crap. There is NOTHING to stop you erasing a partition with Vista or Server 2008 on it. I do it pretty much once or twice every week or so.
Hilarious nonsense.
- glinsvad, on 12/23/2007, -1/+4: I'm just stating a fact - while you find it irrelevant, others may find it moderately interesting.
(Source: http://www.againsttcpa.com/what-is-tcpa.html)
- mrsteveman1, on 12/23/2007, -2/+4: Irrelevant, I'm well aware of who is involved in the industry groups and Microsoft is not involved in this situation in any way. Are you trying to say that a company that puts TPM chips in a server, and then uses Linux and a TCG stack to enforce the integrity of the running system......is therefore subject to Microsoft's influence?
Again, we are talking about IBM building their own TCG software stack, Microsoft has nothing to do with it and trying to connect the 2 is ridiculous.
- inactive, on 12/23/2007, -4/+6: Trusted computing is about protecting your sensitive data from malicious tampering. As we speak the military/government is already using this technology to protect their classified information from electronic spying. Your system would be secured at hardware level, by encrypting your inputs/outputs from your keyboard, through your CPU and hard drive, to your monitor. If some hardware manufacturers are working together on a standard to commercialize this technology to the public, how is this a bad thing? For god sake, I've been looking for trusted computers for years now, it's always been either too expensive for me or restricted to government only.
- duality, on 12/24/2007, -0/+2: Your argument is very enlightening, and I learned a great deal from it. You seem to be well versed in both the technical aspects and the ethical implications of TPM.
It's a pity that the majority of people on Digg don't have the patience to read something this long. However, if you have a blog or some other piece of public webspace, I suggest you transfer this to it. Your post is comprehensive and organized, and would make a good article in its own right.
- glinsvad, on 12/23/2007, -0/+2: You Maniacs! You blew it up! Ah, damn you! God damn you all to hell!
/symbolism
- DamnMan, on 12/23/2007, -1/+3: Eh? The article is scant and doesn't even hazard a guess as to IBM's planned applications for this sort of thing. And if you are referring to Vista's DRM, it was used for AACS / HDMI support.
- BrainInAJar, on 12/24/2007, -0/+2: No, RBAC makes sudo obsolete
( http://www.softpanorama.org/Solaris/Security/solar ... )
- kazamx, on 12/23/2007, -0/+2: From the mouth of Richard Stallman himself.
- init100, on 01/01/2008, -0/+1: "It was called Platinum or something like that"
It was called Palladium:
http://en.wikipedia.org/wiki/Next-Generation_Secur ...
- SjRaptor, on 12/23/2007, -1/+2: Read the Orange Book, Trusted Computer System Evaluation Criteria.. it explains what "trusted computing" is. Otherwise, you have no right to comment because you have no idea what a TPM or TCB is.
- noctu, on 12/23/2007, -0/+1: trusted? I don't trust it!