| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: yossarian at planet.nl (yossarian) Subject: Trustworthy Computing Mini-Poll Hi, On Fri, Dec 20, 2002 at 02:47:59AM +0100, yossarian wrote: >>> Would you buy/use it if you had the choice? I mean, there are a lot of >>> advantages... :-) >> Now you've got me interested - what advantages is TCPA offering me? >We're currently talking about the (hypothetical) features of the >hardware in my questionnaire -- i.e. CPUs that support a "web of trust" or >at least require a signature from the computer's owner or a trusted >third party (designated by the owner). I.e. not TCPA, but what TCPA >should be, and could be if someone pushed hard enough in that direction, >since it does what the TCPA is all about -- copy protection and trusted >executables -- however it creates a free market in which customers can >decide what to buy. As a consumer i do not need copy protection. Content providers need that, I just need content. Is TCPA ensuring better content? I think that TCPA is not going to entice bands to make better music, or moviemakers to make better movies. They need inspiration, mainly. My problem with the content industry is not that what they offer isn't good enough, what I want is out there but they do not make it available. Example: I have been looking for a CD of a certain band for more than 10 years. The stores told me it is not on CD. The webstores don't have it. Someone sampled the vinyl, and put it online. Now I have it. /Example. The content industry lost touch with many of their customers long ago. Their business models should be adapted - should have been adapted long ago - to the needs of the customers. Sales started dropping long ago, way before Napster and eDonkey. So copying isn't the real problem. What the content industry does now is bullying the consumers back to the record stores and videostores. Consumers might not like being bullied, and decide not to buy at all. The content industry has become the enemy. Do you buy from the enemy? Only if you have no choice, like in buying oil from saddam and chavez. Content consumers might decide not to buy. I cannot decide what to buy when what I know I want, but it isn't available. The content industry is not helping me in the exciting hunt for new music and movies - have you listened to the radio in the last years? No, probably not, since it is aimed at 17 y/o people, and made to please the advertisers of soap and insurance. Consumers have found a new way to find new emotions, new music, new movies: the internet. The concept of trusted executables completely eludes me - if I install say winword.exe on a system, I already trust MS to supply me with a working text editor. So that part of trust already exists. I think you should take a look on the definitions of trustworthy computing - who trusts who? >>> What >>> features will my new computer have, that will convince me to lose certain >>> options I have right now - playing music, copying what I like, etc?. >I'd say protection from binary viruses and stack overflows, plus if >someone breaks into your computer and you have stored your key in a safe >place you can tell what she modified. So this would be a definitve must >if you're builing a server, and I'm asking now whether you would like >those features on your home box as well, even if you had to give up DVD >copying or get special illegal hardware for it. Certfication of software cannot stop stack overflows - good coding will. It is a ridiculous claim that it could. If I a want to overflow an executable, I need a possibility to get it to accept data, in a form it doesn't expect. This has nothing to do with executables that are signed or not, this is the quality of the executables. Will the systems filter out non-TCPA signed user input - how? This would mean changing every system worldwide. Datapackets cannot be signed, you'd have to change TCP/IP. Like i already explained, it will probably be just as easy to write viruses to circumvent TCPA, by copying - or just using - validation code somewhere in the OS. Any claims for extra security for consumers are snake oil - it just cannot be done. Like you said, the encryption will probably be broken. Breaking a certificate system is usually much easier than breaking encryption, since you copy it instead of breaking it. >Basically I'm on your side -- but I fear that if noone speaks up and >points out a better alternative, we will be stuck with TCPA as it >currently is, and lose the options we currently have anyway (since we >cannot decrypt stuff from the Internet or from DVDs on our hardware). So >I'm searching for a better alternative. I'm ignoring all the copy >protection stuff since it will be broken withing a few moths anyway, and >just concentrate on the stuff M$ invented against the OSS people. IMHO the only alternative is renewing the business propositions of the content companies. Things change, and this TCPA thing should best be compared to the typewriter industry outlawing computers. Lesson: who in the 21st century has heard of Underwood, Woodstock or Continental? We all know IBM - because they've adapted. In the 30-ies, IBM was only a small typewriter company. But they renewed their products. Underwood built the same typewriter from 1898 until the late sixties, it only changed the outside. Underwood is gone. /Lesson. Companies must adapt to survive - the dinosaurs of the RIAA should too, or fade away. They are fighting a lost battle. They should fight a battle they can win, if there is one. >> It should so very good it will convince me to actually trow away my old >> computers that can do all this evil things. I could still use them and just >> buy a new one for all the new goodies, hwatever they might be? >Your old computers cannot do evil things -- they cannot access media >created since the TCPA rollout. My old computer CAN copy or rip audio. It CAN capture video signal to make it DivX, with an older capture card. Maybe I cannot access media created after TCPA directly. But certainly I can find away around. If I can listen to the music I will be able to grab the signal - OK, maybe it will just be audio redigitalized, losing some quality. But people can live with lesser quality, as the use of MP3 and WMA proves. If I can watch a film on my TV, I can rip it somewhere analog, and redigitize. And so can other people. Or am I supposed to dump my audio equipment as well? Or my two year old TV? Having no virusses or stack overflows on my PC does not entice me in buying a new TV. >> support - do you think that peripheral makers are going to stop supporting >> non-TCPA operating systems? They might, but it will mean they'll also loose >> customers. >Most of them will need to start supporting other OSes first. Also, as a >hardware vendor, you may not support non-TCPA OSes, except if you take >care that no unencrypted data leaves the sandbox (which makes the >hardware pretty unusable). This not very clear to me. Which OS-es? And more, what do you mean with "you may not support non-TCPA OSes". Do you mean it will actually be illegal to support non-TCPA operating systems? Let us look at the legal side of things, since you brought up the issue. TCPA is an all American issue. Goverments may or may not take over the legislation. But in order to do this, many other laws must be changed. Especially contract laws. Since I have bought a certain item, I am free to use it as I please, as long as I do not use it to break the law. If the law changes, the law in place at the time of purchase still holds. The Government can change the law, but it will be applicable only to new issues, but cannot to my old computers. Under consumers law (dutch, german, or european), makers of products must support for a reasonable number of years. Ramming software updates down consumers throats is what brought MS to court in the first place. TCPA can thus never be enforced in a way that consumers or companies must update. And hardware makers must keep supporting older operating systems up to a certain point. And if they don't, well there are many people that can code drivers, as the Linux community proves every day. There will just be a new branch to the open source community - coding drivers for non-TCPA operating systems. And this brings me to another major aspect of the Fritz debate: if governements around the world make many thing common now, illegal, they will criminalize many people. Will the police activily hunt down this new category of criminals, of which there are millions? Maybe in some countries. The US already has the highest percentage of its own people behind bars. But it will not happen where I live, our legal system sends cocaine runners home with a subpoena, because of lack of time at the courts and a lack of cells. If the choice is convicting drugrunners or copycats, which will society choose? I think, since copying music became mainstream and so many people actively do it, sending drugrunners to jail will prevail. In germany, the legalit?ts-prinzip is in place, officers of the law must prosecute any crime they see, however minor, but this is not so in all countries. The price for the taxpayer, and the entire economy in Germany and thus in Europe, will be very high. What will governments do - activily hunt down thousends of people, which will cost votes and tons of money? The costs to governments (i.e. the taxpayer) will be staggering. And for what - to minimize the legal claims in US courts, and to extend the economical lives of the content industry, lets just kill the european software industry, the legal system, and maybe the general economy? I don't believe society will think it acceptable that potsmokers and shoplifters are let go, but home copiers are fined and jailed. Good chance that it will be outlawed, but not prosecuted. This will not help in society, since respect for the law and the legal system is connected to the enforcing of such laws. But governments will probably have no alternative but condoning all these illegal activities, thus lessening the already dwindling respect for the law. Well, we have seen governments do more stupid things, but I think that any government taking the path of TCPA, is unwise. And the governments themselves, they are not going to use TCPA for their own networks. Our own secret service advised the government to stop using software from certain American sources, since it may be enabling economic espionage. There was this diplomatic incident over Lotus Notes, when the swedes found out it had a backdoor? What do you really think - will the german secret service let MS - or the US Government - browse their networks? So our own governments will need non-TCPA operating systems for their own use. Some people have not forgotten that US intelligence gave Boeing vital information so they could outbid Airbus. I think this TCPA issue is purely a way in which a monopolist tries to close the market. TCPA is the worst idea in the ICT since the clipper chip. Just think about it. What we should do, if we are on the same side, is develop an new business model for the content industry. A commercially viable one.
Powered by blists - more mailing lists