-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Just a few minutes ago I made two sad discoveries:
0) my notebook has a tc chip inside I bought a lenovo thinkpad r60 9456-HTG and it has a fingerprint reader. It contains a chip made by Atmel:
http://www.tonymcfadden.net/tpmvendors_arc.html#laptops
and this is from the datasheet: - -------------------------------------------------------- Security: Power-on password / hard disk password / supervisor password / security keyhole
Security chip: Trusted Platform Module / Atmel chip / TCG 1.2-compliant
Fingerprint reader: Fingerprint reader on palm rest / swipe sensor / integrated with security chip - --------------------------------------------------------------
1) my nokia n73 has symbian 9.1 operating system which has tc too.
http://www.symbian.com/files/rx/file6965.pdf - ---------------------------------------------------------------- Platform Security architecture The kernel and file server, and the software installer, are part of the Trusted Computing Base (TCB) and have unrestricted access to the device resources. They are responsible for maintaining the integrity of the device, and applying the fundamental rules of platform security. The rest of the operating system must trust them to behave correctly, and their code has consequently been very strictly reviewed. - ---------------------------------------------------------------------
I bought this one from ebay so I can't send it back to a shop.
I don't know what to do. I can't sell them, I can't crush them but I don't want to use them.
:(
I'm sad.
- -- arc ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Personal page: http://www.chi3.org/arc Chi3 Hacklab: http://www.chi3.org Join the Fellowship: http://www.fsfe.org NO EMAIL from Gmail, >1Mb, html, ms-office files ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On Sun, 2007-05-06 at 23:29 +0200, arc wrote:
- my notebook has a tc chip inside
I bought a lenovo thinkpad r60 9456-HTG
IBM (and then Lenovo) Thinkpads have shipped with this chip for a long time.
They provide free software drivers and document it; you can use it to protect the contents of your hard drive, or data from other users of the OS, etc.:
http://sourceforge.net/projects/tpmdd
I wouldn't say it's a bad thing to have; they're useful devices.
Cheers,
Alex.
On Sun, 2007-05-06 at 23:29 +0200, arc wrote:
I don't know what to do. I can't sell them, I can't crush them but I don't want to use them.
It's the use you make of a technology that can be good or bad, not the technology itself. On my Thinkpads I run only free software (a GNU/Linux distribution of my choice) and TC does not affect my freedom at all.
Fight the bad behaviors, not technology itself.
Simo.
I don't know what to do. I can't sell them, I can't crush them but I don't want to use them.
MacBook also has a TCM chip inside but as long as your software does not utilize it, it can do nothing to your freedom, like spying on you.
Regards
Koh Choon Lin Singapore GNU Group
singapore.gnu.googlepages.com
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
simo ha scritto:
It's the use you make of a technology that can be good or bad, not the technology itself. On my Thinkpads I run only free software (a GNU/Linux distribution of my choice) and TC does not affect my freedom at all.
Fight the bad behaviors, not technology itself.
I understand but the main reason for the existence of drm and tc is money and with my money I supported something I don't like. If everyone buy things with this technology inside, even if nobody use it, vendors will be interested in manufacturing it. In this way we are helping spread drm and tc even if we didn't use it.
This is why I'm sad.
The only thing I can do now it's stop suggesting Lenovo notebooks as a choice.
- -- arc ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Personal page: http://www.chi3.org/arc Chi3 Hacklab: http://www.chi3.org Join the Fellowship: http://www.fsfe.org NO EMAIL from Gmail, >1Mb, html, ms-office files ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On Mon, 7 May 2007 12:20, arc@fsfe.org said:
In this way we are helping spread drm and tc even if we didn't use it.
You should be more worried about the BIOS than about the Fritz chip. It is not really possible to draw a line between a hardware based and a software based restriction system. In fact, allmost all deployed systems don't need a TPM. It is just another useless piece of silicon on the mainboard. Thus, you should better not suggest any brand of laptop - with or without TPM.
Salam-Shalom,
Werner
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Werner Koch ha scritto:
You should be more worried about the BIOS than about the Fritz chip.
Is there someone who installed succesfully a free bios on a lenovo thinkpad?
On the compatibility list I saw only ibm thinkpad t24.
- -- arc ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Personal page: http://www.chi3.org/arc Chi3 Hacklab: http://www.chi3.org Join the Fellowship: http://www.fsfe.org NO EMAIL from Gmail, >1Mb, html, ms-office files ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On Mon, 2007-05-07 at 12:20 +0200, arc wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
simo ha scritto:
It's the use you make of a technology that can be good or bad, not the technology itself. On my Thinkpads I run only free software (a GNU/Linux distribution of my choice) and TC does not affect my freedom at all.
Fight the bad behaviors, not technology itself.
I understand but the main reason for the existence of drm and tc is money and with my money I supported something I don't like. If everyone buy things with this technology inside, even if nobody use it, vendors will be interested in manufacturing it. In this way we are helping spread drm and tc even if we didn't use it.
DRM and TC can be used in useful ways, again it is not the technology, it is the use of the technology that can be good or bad.
PGP and DRM/TC may both use encryption, do you think encryption itself is bad also?
This is why I'm sad.
There are some many more bad things to be sad of, I think this has very low priority.
The only thing I can do now it's stop suggesting Lenovo notebooks as a choice.
Then you should probably stop suggesting any brand both for laptops and desktops. Because they are all implementing (or going to implement) TPM chips.
saluti, Simo.
DRM and TC can be used in useful ways, again it is not the technology, it is the use of the technology that can be good or bad.
What are these useful ways one can use DRM and TC? The whole point of TC and DRM is after all to prohibit a user from updating their software, or from listining to their favourite song on their music player of choice. I cannot see anything useful about these things. Encryption doesn't even come into the picture, since you can do TC/DRM without encryption; I think this is what Tivio did, they just signed their binaries, and the hardware only allows running binaries signed by that entity.
On Mon, 2007-05-07 at 15:30 +0200, Alfred M. Szmidt wrote:
DRM and TC can be used in useful ways, again it is not the technology, it is the use of the technology that can be good or bad.
What are these useful ways one can use DRM and TC? The whole point of TC and DRM is after all to prohibit a user from updating their software, or from listining to their favourite song on their music player of choice. I cannot see anything useful about these things.
That's because you have limited imagination I guess.
TC and DRM are simply mechanisms, you could use a TC enabled machine to sign your own binaries so that you are sure nobody can take over your machine and run a different kernel.
Same for DRM, you can use it for your own stuff.
The problem is in WHO control access, not in the fact that you can control access.
Do you leave your machine passwordless with all files set to 777 ?
Encryption doesn't even come into the picture, since you can do TC/DRM without encryption; I think this is what Tivio did, they just signed their binaries, and the hardware only allows running binaries signed by that entity.
Encryption was just an example of something, some people, considered bad in the past for the same reasons. Stallman itself was against the use of _passwords_ back in the past. But even then it was not the password itself the problem. the problem was _access_.
Simo.
DRM and TC can be used in useful ways, again it is not the technology, it is the use of the technology that can be good or bad.
What are these useful ways one can use DRM and TC? The whole point of TC and DRM is after all to prohibit a user from updating their software, or from listining to their favourite song on their music player of choice. I cannot see anything useful about these things.
That's because you have limited imagination I guess.
Quite possible.
TC and DRM are simply mechanisms, you could use a TC enabled machine to sign your own binaries so that you are sure nobody can take over your machine and run a different kernel.
Same for DRM, you can use it for your own stuff.
This is the exact case I stated, prohibiting others from updating their software. It is one thing to _verify_ the binary, and still allow it to run, and another to simply say `You're bad! Go away bad person!'; and this is exactly what DRM/TC does. Signing binaries is a great way to check their integrity, but that doesn't mean that one shouldn't be able to run unverifiable binaries. So I still don't see how DRM/TC can be a useful thing.
Do you leave your machine passwordless with all files set to 777 ?
I actually do.
On Mon, 2007-05-07 at 15:52 +0200, Alfred M. Szmidt wrote:
This is the exact case I stated, prohibiting others from updating their software. It is one thing to _verify_ the binary, and still allow it to run, and another to simply say `You're bad! Go away bad person!'; and this is exactly what DRM/TC does. Signing binaries is a great way to check their integrity, but that doesn't mean that one shouldn't be able to run unverifiable binaries. So I still don't see how DRM/TC can be a useful thing.
Let's try to make it clear. I don't want Alfred Szmidt to be able to get access to my machine and take it over by installing his malicious kernel or any of his malicious binaries. I, myself, under my personal control, do you get it?
Do you leave your machine passwordless with all files set to 777 ?
I actually do.
Your choice of how to use a technology, you are allowed to because you are in control of the password database and the access control api to change access control on files. Exactly the same can be for TC and DRM. It is just a matter of who controls the technology, no more, no less.
Simo.
On Monday 07 May 2007 16:07, simo wrote:
On Mon, 2007-05-07 at 15:52 +0200, Alfred M. Szmidt wrote:
[...]
Do you leave your machine passwordless with all files set to 777 ?
I actually do.
Your choice of how to use a technology, you are allowed to because you are in control of the password database and the access control api to change access control on files. Exactly the same can be for TC and DRM. It is just a matter of who controls the technology, no more, no less.
Simo.
In fact, I think the most usual case with DRM/TC is that the technology is controlled by some-one else than the user, speak: hardware manufacturer, software vendor, music label, film studio ...?
I don't understand how DRM/TC compares to passwords. No user is loosing control of passwords if buying product foo.
Best regards, Anastasios
On Mon, 2007-05-07 at 15:52 +0200, Alfred M. Szmidt wrote:
This is the exact case I stated, prohibiting others from updating their software. It is one thing to _verify_ the binary, and still allow it to run, and another to simply say `You're bad! Go away bad person!'; and this is exactly what DRM/TC does. Signing binaries is a great way to check their integrity, but that doesn't mean that one shouldn't be able to run unverifiable binaries. So I still don't see how DRM/TC can be a useful thing.
Let's try to make it clear. I don't want Alfred Szmidt to be able to get access to my machine and take it over by installing his malicious kernel or any of his malicious binaries. I, myself, under my personal control, do you get it?
This example has nothing to do with TC or DRM. This is how just about any modern operating system works. I cannot update the kernel on this machine since I do not have the permission to do so because the kernel disallows me to do that task, but there is no need for a specially crippled chip for this task. So I still do not see the use of DRM/TC.
You are confusing two things, hardware and software. TC is purley hardware based, and TC with DRM is even more evil.
On Mon, 2007-05-07 at 16:28 +0200, Alfred M. Szmidt wrote:
On Mon, 2007-05-07 at 15:52 +0200, Alfred M. Szmidt wrote:
This is the exact case I stated, prohibiting others from updating their software. It is one thing to _verify_ the binary, and still allow it to run, and another to simply say `You're bad! Go away bad person!'; and this is exactly what DRM/TC does. Signing binaries is a great way to check their integrity, but that doesn't mean that one shouldn't be able to run unverifiable binaries. So I still don't see how DRM/TC can be a useful thing.
Let's try to make it clear. I don't want Alfred Szmidt to be able to get access to my machine and take it over by installing his malicious kernel or any of his malicious binaries. I, myself, under my personal control, do you get it?
This example has nothing to do with TC or DRM. This is how just about any modern operating system works. I cannot update the kernel on this machine since I do not have the permission to do so because the kernel disallows me to do that task, but there is no need for a specially crippled chip for this task. So I still do not see the use of DRM/TC.
It is an additional measure that can help you in case of bugs. If I have a vulnerability, in a service, that let you get root privileges on a machine, I can still prevent you from changing vital components because of the hardware protection. A reboot will make sure my machine is not compromised because I know you were not able to change vital system components like the kernel as you don't have the signing key I keep offline.
You are confusing two things, hardware and software. TC is purley hardware based, and TC with DRM is even more evil.
Please document yourself a bit before going on.
As I said before it's the use you make of a technology that is good or bad, and I agree that using TC/DRM against a user is bad. But this does not make a Fritz chip bad per se.
Simo.
It is an additional measure that can help you in case of bugs. If I have a vulnerability, in a service, that let you get root privileges on a machine, I can still prevent you from changing vital components because of the hardware protection. A reboot will make sure my machine is not compromised because I know you were not able to change vital system components like the kernel as you don't have the signing key I keep offline.
Simpler to store the kernel on a read-only media than invent a chip with the sole intention to cripple things for everyone else (that is what DRM/TC does in the end after all).
So far people have come up with ideas that would somehow make DRM/TC "useful", but all of these ideas are perfectly possible without using crippled hardware with systems made decades ago.
As I said before it's the use you make of a technology that is good or bad, and I agree that using TC/DRM against a user is bad. But this does not make a Fritz chip bad per se.
How else do you use TC/DRM unless it is against a user?
On Mon, 07 May 2007 16:28:24 +0200, Alfred M. Szmidt wrote:
This example has nothing to do with TC or DRM. This is how just about any modern operating system works. I cannot update the kernel on this machine since I do not have the permission to do so because the kernel disallows me to do that task, but there is no need for a specially crippled chip for this task. So I still do not see the use of DRM/TC.
An attacker who has physical access to your machine can pull the disk and put his own kernel on it that will perform his own nefarious tasks. But if you made use of the TC module then I believe you can prevent him from being able to do this -- the system will simply refuse to load his modified kernel.
If *you* have the keys to the TC module then it becomes a very powerful tool for ensuring that your systems are not compromised while your back is turned. If someone else has the keys to the machine then obviously the machine belongs to them, and you are just a user (e.g., games consoles, some mobile phones).
This example has nothing to do with TC or DRM. This is how just about any modern operating system works. I cannot update the kernel on this machine since I do not have the permission to do so because the kernel disallows me to do that task, but there is no need for a specially crippled chip for this task. So I still do not see the use of DRM/TC.
An attacker who has physical access to your machine can pull the disk and put his own kernel on it that will perform his own nefarious tasks. But if you made use of the TC module then I believe you can prevent him from being able to do this -- the system will simply refuse to load his modified kernel.
The attackar can then copy all data, install keyloggers, trojans, backdoors and what not, so you are SOL anyway. I could achive the same thing, in a far more flexible way by just storing a hash of all files on the file system, and then doing a integrity check of all `important' files, like the kernel; this could be done on boot using a RO memory stick that is only plugged in during boot.
If *you* have the keys to the TC module then it becomes a very powerful tool for ensuring that your systems are not compromised while your back is turned. If someone else has the keys to the machine then obviously the machine belongs to them, and you are just a user (e.g., games consoles, some mobile phones).
This begs another question, how can you trust that the TC module doesn't have a backdoor? Atleast with software, I can disect the assembly output.
I still cannot see anything useful about DRM/TC, and I'm trying hard. Sorry.
On Tue, 2007-05-08 at 23:47 +0200, Alfred M. Szmidt wrote:
An attacker who has physical access to your machine can pull the disk and put his own kernel on it that will perform his own nefarious tasks. But if you made use of the TC module then I believe you can prevent him from being able to do this -- the system will simply refuse to load his modified kernel.
The attackar can then copy all data, install keyloggers, trojans, backdoors and what not, so you are SOL anyway.
That's not correct; at least, not with this hardware. If the data is protected by TPM (e.g., encrypted with a TPM-controlled key) he could copy it but not read it, and if the OS' TPM protection was enabled (e.g., only able to run binaries signed with a TPM-controlled key) then he wouldn't be able to install that software in a way that it actually ran.
The best an attacker would be able to do would be to swap out the hardware of yours with something he had control of; but even then, the TPM in the new hardware (if it even existed) wouldn't be able to access your data since the encryption keys in the hardware would be different - you'd basically have to retrieve the keys out of the TPM chip via scanning electron microscopes or some such.
In many ways, a TPM chip isn't that much different to the FSFE membership card - you can have encryption keys in the hardware which are pretty tough to extract, and if the user has control over those, there are a lot of security features you can turn on. The fact that it's inbuilt into the hardware makes it tough to tamper with.
It cuts both ways: it's very useful technology, and it's pretty well designed. If it were easy to bypass, people wouldn't care about manufacturers using it for other purposes (e.g., DRM systems).
This begs another question, how can you trust that the TC module doesn't have a backdoor? Atleast with software, I can disect the assembly output.
That's not a problem particular to TPM chips ;)
Cheers,
Alex.
An attacker who has physical access to your machine can pull the disk and put his own kernel on it that will perform his own nefarious tasks. But if you made use of the TC module then I believe you can prevent him from being able to do this -- the system will simply refuse to load his modified kernel.
The attackar can then copy all data, install keyloggers, trojans, backdoors and what not, so you are SOL anyway.
That's not correct; at least, not with this hardware. If the data is protected by TPM (e.g., encrypted with a TPM-controlled key) he could copy it but not read it, and if the OS' TPM protection was enabled (e.g., only able to run binaries signed with a TPM-controlled key) then he wouldn't be able to install that software in a way that it actually ran.
The scenario was a signed kernel. But you show a great example of another reason why TC is evil: users cannot install local software, since local software is not signed, it cannot be run. If a user can insert a unsigned program that is run, they can insert trojans, keyloggers and what not.
The best an attacker would be able to do would be to swap out the hardware of yours with something he had control of; but even then, the TPM in the new hardware (if it even existed) wouldn't be able to access your data since the encryption keys in the hardware would be different - you'd basically have to retrieve the keys out of the TPM chip via scanning electron microscopes or some such.
In many ways, a TPM chip isn't that much different to the FSFE membership card - you can have encryption keys in the hardware which are pretty tough to extract, and if the user has control over those, there are a lot of security features you can turn on. The fact that it's inbuilt into the hardware makes it tough to tamper with.
I find the GPG card (or whatever it is called) quite different from TC, it doesn't prohibit you from running things. And this is the sole, and _only_ goal of TC, to control who can run what, via hardware so that others cannot decide what they will do.
On Wed, 2007-05-09 at 00:17 +0200, Alfred M. Szmidt wrote:
But you show a great example of another reason why TC is evil: users cannot install local software, since local software is not signed, it cannot be run. If a user can insert a unsigned program that is run, they can insert trojans, keyloggers and what not.
I'm not sure why local users being able to install software automatically means that they can make a machine physically insecure; I don't think that follows at all - I would consider a user being able to insert a trojan to be a security bug. But anyway, it's possible to secure an operating system with TPM-type tech and still allow people to run whatever software they want.
It's still pretty difficult for a technology to be intrinsically evil. You might care about local users; as the only user on my laptop I care more about people not being able to access my data if it gets stolen for example, or preventing other people running software on my firewall.
Of course there are other ways of doing this, but supporting the feature in hardware is useful in the same way virtual memory has benefits over co-operative multitasking (and drawbacks).
I find the GPG card (or whatever it is called) quite different from TC, it doesn't prohibit you from running things. And this is the sole, and _only_ goal of TC, to control who can run what, via hardware so that others cannot decide what they will do.
I'm not sure that's an accurate comparison. A TPM chip is simply a generic mechanism for safely storing private keys, passwords, etc. - which isn't that different to a GPG card. The use cases are slightly different because a GPG card is a portable and separate token, whereas the TPM is built in.
But at the end of the day, it's a piece of hardware which can do useful things and (in my case) has free software drivers under my control. There are worse problems in the world.
Cheers,
Alex.
Seg, 2007-05-07 às 14:07 +0000, simo escreveu:
On Mon, 2007-05-07 at 15:52 +0200, Alfred M. Szmidt wrote:
Do you leave your machine passwordless with all files set to 777 ?
I actually do.
AMS: you're way more optimistic about the intentions or carefulness of others than I could ever afford to. I seriously wish I could live with that kind of trust on others.
It is just a matter of who controls the technology, no more, no less.
Simo.
Bingo. The problem though, is that DRM has much in common with nuclear fission energy: the bas uses strongly overshadow the benefits...
Rui
Seg, 2007-05-07 às 15:30 +0200, Alfred M. Szmidt escreveu:
What are these useful ways one can use DRM and TC?
A good and useful way: Computer: please boot only the kernel that is signed with the key I'm in control of. Any attempt at booting another kernel not signed by this key is untrusted, don't boot it.
Of course the bad ways go along these lines: Problem with non-Free operting systems: you will very likely never have the control over this key.
Problem with Tivoized devices: thy will not give you this key.
The whole point of TC and DRM is after all to prohibit a user from updating their software,
Not really: Computer, only accept updates signed by my key, and no other. Then proceed to have auto-applying-updates.
Of course this could only be true with Free Software.
or from listining to their favourite song on their music player of choice. I cannot see anything useful about these things. Encryption doesn't even come into the picture, since you can do TC/DRM without encryption; I think this is what Tivio did, they just signed their binaries, and the hardware only allows running binaries signed by that entity.
The TPM is one of the hardware parts needed for a successfull exploitation of DRM. The problem lies in who controls this DRM. You do? Or does someone else hold that power over you?
Unfortunately, most uses of DRM and the TPM strongly overshadow it's benefits and I can't advise these technologies which are *already* being misused against our interests.
Rui