EFF's Patent Busting Project Scores Another Hit

Trusted Computing Not So Trustworthy

from the but-of-course... dept

Wed, Jan 7th 2009 7:28pm — Mike Masnick

As pretty much anyone in computer security recognizes, any bit of "secure" computing is only secure for a limited period of time. Eventually, the security will be cracked. Yet, we still keep hearing about expectations for some new technologies to solve all our security problems. For example, we've been hearing for years about the wonders of "trusted computing," which basically gets mocked every time some company tries to roll it out (which is why it's gone through five or six name changes over the years). The latest news is that Intel's implementation of a trusted computing offering, called Trusted Execution Technology, has security vulnerabilities that allow it to be circumvented. In other words, it's not trustworthy, nor secure. Of course, it's not widely used, either, so it's not a big deal. But, once again, there is no magic bullet for security that solves all security problems.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: security, trusted computing, vulnerabilities
Companies: intel

16 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Marvin, 7 Jan 2009 @ 8:24pm

Whose security are they attempting to protect ?
Secure Computing - that's funny

This is just another in a series of sad excuses for taking away any remaining rights you thought you still had.
[ link to this | view in chronology ]
- Techflaws.org, 8 Jan 2009 @ 4:31am
  
  Re: Whose security are they attempting to protect ?
  See for yourself: http://www.lafkon.net/tc/
  [ link to this | view in chronology ]
Caleb, 7 Jan 2009 @ 9:01pm

Here's one way of easy way of secure computing:
Wait for the computer to pass the turning test - then you know you shouldn't even care!
[ link to this | view in chronology ]
Zaphod, 7 Jan 2009 @ 9:55pm

How to make a computer truely secure.
Step 1. Turn it off.
Step 2. Mix 10 bags of reddi-mix concrete with water.
Step 3. Place computer in bottom of form sitting on a slab of concrete 2 inches thick.
Step 4. Pour reddi-mix.
Step 5. Wait 24 hours.

You now have a secure computer!
[ link to this | view in chronology ]
Zaphod, 7 Jan 2009 @ 9:57pm

How to make a computer truely secure. (ammendum)
OH I FORGOT!

The alternative!

Step 1. Give it to me.
Step 2. Forget it ever existed.

Muhahahaha!
[ link to this | view in chronology ]
James, 7 Jan 2009 @ 11:34pm

Re: How to make a computer truely secure.
Already hacked your compu-sarcophagus: Better make sure the base slab has some rebar sticking up for the new concrete to grab onto, or someone might be able to pry it apart unnoticed. :-p
[ link to this | view in chronology ]
Anonymous Coward, 8 Jan 2009 @ 2:44am

None of these suggestions allow true security. I've found one way over the years to make all your computing truly secure:

Never touch a computer.
[ link to this | view in chronology ]
Duane, 8 Jan 2009 @ 3:40am

Security My A$$
None of these products has ever really had much to do with "security", except in the same usage as "security blanket". They make someone feel more secure, whether it's the owner of the machine, some programmer somewhere whose code can't be used except in the limited, inflexible way they envisioned when they wrote it, or an ??AA exec who now figures he can sell us a license to the same content once for each device we own which is capable of playing it.

As for the end user, the only use case that I have heard of in real life involves using these kinds of security modules as part of a whole-drive encryption scheme. Which sounds good, but I dislike the fact that the encryption happens inside a black box, where the actual cipher key is not known (and is not supposed to be knowable) to the end user. To me, that just means that I would need to keep a separate (encrypted) copy of anything and everything on the drive, since I have no way to recover the data should the trust module experience an operational failure. Good backups are of course a part of overall data security as well, but the 'black box' aspect of how these systems work gives me, a certified information security professional, less confidence rather than more in the system as a whole.
[ link to this | view in chronology ]
TDR, 8 Jan 2009 @ 5:32am

Trusted computing = treacherous computing. Basically, trusted computing/Palladium/whatever you want to call it is a way for the manufacturer (ie MS in most cases) to have control over what can and can't go on your computer and what you can do with it. The computer is built in with a key - more like an encryption code - that only the manufacturer/OS maker can decrypt. And it's not accessible to the user. Vista is notorious for this. This allows for forced updates, deletion of undesired content, remote shutdowns, and more. There are signs that Apple may be following suit soon, if it hasn't already.
[ link to this | view in chronology ]
Anonymous Coward, 8 Jan 2009 @ 5:51am

Trusted Computing == Oxymoron
Trusted Computing - what it really means:
The TC proponents want your computing to be trusted to not do anything with their content that you have not paid for. It's that simple, but as always, you have to ask - What could possibly go wrong ?

Any way you look at it, this attempt is doomed to failure.

Oh, and one more thing. There is one more piece to the puzzle which Pinky and the Brain need in order to take over the world. They need to outlaw any platform that does not meet their specifications.
[ link to this | view in chronology ]
Adam (profile), 8 Jan 2009 @ 7:28am

"Trusted" Computing
Securing a computer is akin to loading your valuables into a safe. Given time and opportunity, the safe can be opened by a crook.
[ link to this | view in chronology ]
- nasch, 8 Jan 2009 @ 9:58am
  
  Re: "Trusted" Computing
  Yes, but it's possible (easy actually) to make a digital safe that will take the crooks decades to break open.
  [ link to this | view in chronology ]
Anonymous Coward, 8 Jan 2009 @ 7:51am

Real Security
Unique OS that can read common file types (document, spreadsheet, etc), but can't execute common executable file types. Malware simply can't exist on the system unless it is specifically written for it

Then have 0 internet access and put it in a secure room since physical security isn't usually a problem if it is implemented correctly. You could combine IR, Audible, and laser intruder detection then have a hard 30 minute boot up time. All this inside a continuously occupied building with armed security.

Then all you have to worry about is someone faking the credentials to get into the computer room and not being found out for 30 minutes. And that shouldn't be too hard to accomplish.
[ link to this | view in chronology ]
- nasch, 8 Jan 2009 @ 10:00am
  
  Re: Real Security
  As we know from Mission: Impossible, you also have to make sure the building doesn't have fire alarms. If it burns down, so be it - as long as the computer is destroyed along with everything else. Maybe a massive thermite charge packed around the computer so that if the room catches fire you can be sure everything's destroyed.
  [ link to this | view in chronology ]
Neverhood, 8 Jan 2009 @ 9:01am

Computer security will never be secure in a consumer market
There will never be a truly secure system for the consumer market, because the fact is that computer security is expensive and troublesome to implement in a system, and consumers don't want to pay for it.

There will always be smart competitors who sell systems equally good, but without the security and at a lower price, and consumers will choose that product.
[ link to this | view in chronology ]
Anonymous Coward, 27 Jan 2009 @ 10:28am

Smart comment with the mention of consumer security. Trusted computing isn't about consumer security, it's about enterprise protection. No enterprise security professional believes in truly perfect security, they simply want to lock down as many strong layers of security as possible, and most of all -- keep the end users from messing with the system, where most of the compromise hits. That's why trusted computing is almost entirely on enterpise-class machines build for business use, rather than the consumer machines.

Not perfect, as no security technology ever will be. But these are the steps needed to protect in an enterprise environment, heavily regulated industry, etc. For folks worried about DRM, understandable concern but there will ALWAYS be options without embedded hardware encryption to choose for personal use, so take an extra look at what you're buying before you purchase a new laptop, etc.
[ link to this | view in chronology ]