EFF trusted computing position

Posted 3 Oct 2003 at 05:08 UTC by schoen Share This

Security models that treat the computer owner as the adversary are the problem. Reliable knowledge of a remote computer's internal software state is the tool that enables applications with such security models.

Those are a few of the key messages of the EFF position on trusted computing which I wrote and EFF published yesterday.

We also try to dispel some of the myths about this technology and make clear how it could be helpful to computer security. Wild speculation about what it does (given the large amount of published technical documentation) can't help the debate!

It's time to start a technical dialogue about how to improve computer security without the current broken approach to remote attestation. Some proposals include our Owner Override concept, a proposal to eliminate remote attestation entirely (you can simulate it with sealed storage to some extent in cases where there's a pre-existing trust relationship and an out-of-band key-exchange mechanism), and a concept from Ka-Ping Yee called "Owner Gets Key" in which secret keys are simply disclosed to the computer purchaser at the time of purchase (or exclusively generated after purchase).

Who do you trust?, posted 3 Oct 2003 at 14:50 UTC by DeepNorth » (Journeyer)

My problem with the current initiatives for 'trusted computing' is with the entities promoting it. I don't trust them.

I agree with you that 'user trumps' or similar mechanism is necessary. However, I am not certain that in practice it will be sufficient. I run on Windows 2000 and I am a seasoned 'computer guy' with a background in security. I still occasionally have a problem tracing down which permissions are required to be explicitly set to allow me to do certain things.

The current (as you say) 'bewildering' variety of terms and concepts promises to be a security nightmare however it is implemented. More so, I expect that the major players have agendas that conflict with the public interest. I am therefore wary that allowing this infrastructure as designed (or even influenced) by parties I simply do not trust will result in the permanent loss of my freedom as a computer user.

I would like to cite one case in point: Digital certificates. My browsers come equipped with digital certificates issued pretty much exclusively by parties that I do not trust. Witness Verisign and their flagrant abuses on the Internet (the recent hijacking is but one in a string of abuses). These are ALREADY the people that are deciding who should be trusted. I want none of it.

I trust the EFF and GNU. I have corresponded with the people in these organizations personally and I have had ample opportunity to see what they do. They have been good custodians of my trust over the years.

I very much do not trust the current major players in the computer industry. They have shown by past behaviour that they will abuse any trust that is given them.

If an infrastructure is created that relies on a complex trust model involving third parties, then it is a forgone conclusion that the current major players will subvert and abuse this trust model. I am especially wary of any mechanism that allows third parties to control my access to data on my system. Murphy's law rules in computing. If it can go wrong, it will go wrong.

I have LOTS of personal hands on experience with security mechanisms of all types on computing equipment over more than 20 years. They invariably end up in the wrong hands and almost invariably lead to grief unless they are simple, straightforward and have some sort of "dead man's" switch that allows them to be turned off at the source.

Again, who do you trust? I trust the EFF, but I am wary that the powers promoting 'trusted computing' may have sufficient resources to dupe the EFF into supporting something that will allow the forces of evil to control cyberspace. This would be bad.

Oops -- need way to edit posts..., posted 3 Oct 2003 at 15:44 UTC by DeepNorth » (Journeyer)

Of course, when I say EFF and GNU I mean EFF and FSF. I have GNU on the brain lately...

The implications of Murphy's Law: If there is some avenue that ALLOWS subversion then it will be used. If history is any guide, it will not be abuse immediately. All the players will get up on their hind legs and swear that they will play by the rules. After a while, (like Microsoft's current licensing) there will be creep. 'We need to do such and such to (see SCO) "protect (insert alleged legitimate interest here)". "Oh -- well that restricted legitimate activity is now collateral damage, it can't be avoided. It's for the greater good". "We are not bound by prior management's promises". I hope you get the picture. Whatever computing platform becomes the norm, it must be IMPOSSIBLE to abuse or it will be abused.

Speaking of not being bound by the decisions of past management -- I trust the people currently running EFF and FSF. Who knows what might happen under new management? The ongoing blessing of these organizations is necessary for me, but may not be sufficient.

I hope my comments are not perceived as criticism of the article posted by the author. It is a good one and I was very pleased with it. They have done a public service and should be commended.

Don't trust us, posted 3 Oct 2003 at 20:07 UTC by schoen » (Master)

The reason I call for a technical discussion is that I do think that in security engineering you shouldn't have to trust the technology designers (or civil liberties groups offering cautious praise of an initiative).

You do (as Ruediger Weiss and friends have been explaining in Europe) have to trust hardware implementers most of the time, and this is a thorny problem. I'm having an interesting side debate about whether this problem is more serious for crypto hardware than other hardware (since crypto hardware has more, larger, and cheaper covert channels).

We need lots of help getting the word out about the problems with attestation. The technology and its implications will probably be completely unclear to nontechnical audiences. (For example, how much have most people thought about whether or how a web site can tell what software you're running? How much have people thought about rival interests implicated by this process, or about attacks and countermeasures in remote software identification? How much have majority-platform users thought about software choice, interoperability, and lock-in?) I think we face an uphill battle simply in presenting the general picture to a broad base, even outside of the problem of designing the most appropriate solution.

As I've pointed out in a few places, we don't have a UI in mind for Owner Override. (Trusted computing implementers are much better positioned than we are to design a suitable UI.) The cost of defeating policies you disapprove of ought to remain low, or else people will not do it even though they technically could. How would you design a computing environment with fine-grained owner control together with robust security properties? Can you preserve the other benefits of the TCG and LT designs without meaningfully increasing third parties' leverage over software choices?

Owner Gets Key, posted 21 Oct 2003 at 18:27 UTC by ping » (Master)

The idea of giving the keys to the owners is not mine; i got it from Nikita Borisov, who suggested it when i started discussing Seth's EFF report with him.

I think it is much easier to push owner-gets-key than owner override of remote attestation. The big reason is that, as Seth mentioned, there is no proposed UI for owner override -- and even if there were one, we would be trusting Microsoft to implement it in a reasonable way. On the other hand, giving people the keys to their own computers is a simple matter of putting a piece of paper in the box with the key written on it.

Giving people the keys to their own computers also comes across as common sense. When you buy a product, it's seems obvious to me that you ought to be given complete information about it.

Finally, the owner-gets-key solution doesn't involve any software or hardware changes, so it can't be objected to on the grounds that it would be impractical or difficult to do. Organizations can still control the computers they buy for their employees, just by holding onto the keys. For example, a manager could still use NGSCB to avoid the potential liability of copyrighted material getting onto company-owned computers.

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!

Share this page