| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <9CCB3799-5C80-421A-A855-73B22F167BD8@pcsage.biz> Date: Wed Feb 8 23:58:03 2006 From: info at pcsage.biz (PCSC Information Services) Subject: Apple TPM need for disclosure Hey p33ps, Now before you size me for a tin-foil hat, (7 1/2 btw) you might want to follow up on this, because it's a major exposure. The Trusted Computing Group (trustedcomputinggroup.org) is rapidly ushering in a new Trusted Platform Module. I'm sure that many of you are aware of this technology. A thorough reading of the specification is quite refreshing and there are many excellent benign uses for the technology as specified. These include a secure file system implementation, secure drivers, and a difficult to hack environment due to the tamper proof package of the chip itself. The TPM architecture overview repeatedly calls for owner opt in/out for the platform. The very approachable TPM FAQ https://www.trustedcomputinggroup.org/ faq/ states: What has the TCG done to preserve privacy? TCG believes that privacy is a necessary element of a trusted system. The system owner has ultimate control and permissions over private information and must "opt-in" to utilize the TCG subsystem. Integrity metrics can be reported by the TCG subsystem but the specification will not restrict the choice and options of the owner preserving openness and the ability of the owner to choose. The TCG specification will support privacy principles in a number of ways: The owner controls personalization. The owner controls the trust relationship. The system provides private object storage and digital signature capability. Private personalization information is never exposed. Owner keys are encrypted prior to transmission. It is also important to know what the solutions are not: They are not global identifiers. They are not personalized before user interaction. They are not fixed functions?they can be disabled permanently. They are not controlled by others (only the owner controls them). Apple has not provided any end user controls, none, nor has it documented it's use of this technology. Furthermore, Apple has not provided any feedback regarding a legitimate complaint to the privacy officer with respect to their implementation. Even more damning is that this TPM has the capability of setting up a transitive trust relationship, which will allow enterprise system administrators full remote audit and administration. Microsoft is aiming to use WMI for this purpose, Apple is using? The TPM installed in my machine isn't owned by me. I want control of this device. I'm sure other iMac users might be surprised at this implementation too. The implications are quite profound here. Can we get some disclosure? PCSage Information Services name withheld to protect the innocent -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060208/56ac40b5/attachment.html
Powered by blists - more mailing lists