Trusted Computing Not So Trustworthy

from the but-of-course... dept

As pretty much anyone in computer security recognizes, any bit of “secure” computing is only secure for a limited period of time. Eventually, the security will be cracked. Yet, we still keep hearing about expectations for some new technologies to solve all our security problems. For example, we’ve been hearing for years about the wonders of “trusted computing,” which basically gets mocked every time some company tries to roll it out (which is why it’s gone through five or six name changes over the years). The latest news is that Intel’s implementation of a trusted computing offering, called Trusted Execution Technology, has security vulnerabilities that allow it to be circumvented. In other words, it’s not trustworthy, nor secure. Of course, it’s not widely used, either, so it’s not a big deal. But, once again, there is no magic bullet for security that solves all security problems.

Filed Under: , ,
Companies: intel

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Trusted Computing Not So Trustworthy”

Subscribe: RSS Leave a comment
Duane says:

Security My A$$

None of these products has ever really had much to do with “security”, except in the same usage as “security blanket”. They make someone feel more secure, whether it’s the owner of the machine, some programmer somewhere whose code can’t be used except in the limited, inflexible way they envisioned when they wrote it, or an ??AA exec who now figures he can sell us a license to the same content once for each device we own which is capable of playing it.

As for the end user, the only use case that I have heard of in real life involves using these kinds of security modules as part of a whole-drive encryption scheme. Which sounds good, but I dislike the fact that the encryption happens inside a black box, where the actual cipher key is not known (and is not supposed to be knowable) to the end user. To me, that just means that I would need to keep a separate (encrypted) copy of anything and everything on the drive, since I have no way to recover the data should the trust module experience an operational failure. Good backups are of course a part of overall data security as well, but the ‘black box’ aspect of how these systems work gives me, a certified information security professional, less confidence rather than more in the system as a whole.

TDR says:

Trusted computing = treacherous computing. Basically, trusted computing/Palladium/whatever you want to call it is a way for the manufacturer (ie MS in most cases) to have control over what can and can’t go on your computer and what you can do with it. The computer is built in with a key – more like an encryption code – that only the manufacturer/OS maker can decrypt. And it’s not accessible to the user. Vista is notorious for this. This allows for forced updates, deletion of undesired content, remote shutdowns, and more. There are signs that Apple may be following suit soon, if it hasn’t already.

Anonymous Coward says:

Trusted Computing == Oxymoron

Trusted Computing – what it really means:
The TC proponents want your computing to be trusted to not do anything with their content that you have not paid for. It’s that simple, but as always, you have to ask – What could possibly go wrong ?

Any way you look at it, this attempt is doomed to failure.

Oh, and one more thing. There is one more piece to the puzzle which Pinky and the Brain need in order to take over the world. They need to outlaw any platform that does not meet their specifications.

Anonymous Coward says:

Real Security

Unique OS that can read common file types (document, spreadsheet, etc), but can’t execute common executable file types. Malware simply can’t exist on the system unless it is specifically written for it

Then have 0 internet access and put it in a secure room since physical security isn’t usually a problem if it is implemented correctly. You could combine IR, Audible, and laser intruder detection then have a hard 30 minute boot up time. All this inside a continuously occupied building with armed security.

Then all you have to worry about is someone faking the credentials to get into the computer room and not being found out for 30 minutes. And that shouldn’t be too hard to accomplish.

nasch says:

Re: Real Security

As we know from Mission: Impossible, you also have to make sure the building doesn’t have fire alarms. If it burns down, so be it – as long as the computer is destroyed along with everything else. Maybe a massive thermite charge packed around the computer so that if the room catches fire you can be sure everything’s destroyed.

Neverhood says:

Computer security will never be secure in a consumer market

There will never be a truly secure system for the consumer market, because the fact is that computer security is expensive and troublesome to implement in a system, and consumers don’t want to pay for it.

There will always be smart competitors who sell systems equally good, but without the security and at a lower price, and consumers will choose that product.

Anonymous Coward says:

Smart comment with the mention of consumer security. Trusted computing isn’t about consumer security, it’s about enterprise protection. No enterprise security professional believes in truly perfect security, they simply want to lock down as many strong layers of security as possible, and most of all — keep the end users from messing with the system, where most of the compromise hits. That’s why trusted computing is almost entirely on enterpise-class machines build for business use, rather than the consumer machines.

Not perfect, as no security technology ever will be. But these are the steps needed to protect in an enterprise environment, heavily regulated industry, etc. For folks worried about DRM, understandable concern but there will ALWAYS be options without embedded hardware encryption to choose for personal use, so take an extra look at what you’re buying before you purchase a new laptop, etc.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...