Trusted Computing Not So Trustworthy
from the but-of-course... dept
As pretty much anyone in computer security recognizes, any bit of “secure” computing is only secure for a limited period of time. Eventually, the security will be cracked. Yet, we still keep hearing about expectations for some new technologies to solve all our security problems. For example, we’ve been hearing for years about the wonders of “trusted computing,” which basically gets mocked every time some company tries to roll it out (which is why it’s gone through five or six name changes over the years). The latest news is that Intel’s implementation of a trusted computing offering, called Trusted Execution Technology, has security vulnerabilities that allow it to be circumvented. In other words, it’s not trustworthy, nor secure. Of course, it’s not widely used, either, so it’s not a big deal. But, once again, there is no magic bullet for security that solves all security problems.
Filed Under: security, trusted computing, vulnerabilities
Companies: intel
Comments on “Trusted Computing Not So Trustworthy”
Whose security are they attempting to protect ?
Secure Computing – that’s funny
This is just another in a series of sad excuses for taking away any remaining rights you thought you still had.
Re: Whose security are they attempting to protect ?
See for yourself:
http://www.lafkon.net/tc/
Here's one way of easy way of secure computing:
Wait for the computer to pass the turning test – then you know you shouldn’t even care!
How to make a computer truely secure.
Step 1. Turn it off.
Step 2. Mix 10 bags of reddi-mix concrete with water.
Step 3. Place computer in bottom of form sitting on a slab of concrete 2 inches thick.
Step 4. Pour reddi-mix.
Step 5. Wait 24 hours.
You now have a secure computer!
How to make a computer truely secure. (ammendum)
OH I FORGOT!
The alternative!
Step 1. Give it to me.
Step 2. Forget it ever existed.
Muhahahaha!
How to make a computer truely secure.
Already hacked your compu-sarcophagus: Better make sure the base slab has some rebar sticking up for the new concrete to grab onto, or someone might be able to pry it apart unnoticed. :-p
None of these suggestions allow true security. I’ve found one way over the years to make all your computing truly secure:
Never touch a computer.
Security My A$$
None of these products has ever really had much to do with “security”, except in the same usage as “security blanket”. They make someone feel more secure, whether it’s the owner of the machine, some programmer somewhere whose code can’t be used except in the limited, inflexible way they envisioned when they wrote it, or an ??AA exec who now figures he can sell us a license to the same content once for each device we own which is capable of playing it.
As for the end user, the only use case that I have heard of in real life involves using these kinds of security modules as part of a whole-drive encryption scheme. Which sounds good, but I dislike the fact that the encryption happens inside a black box, where the actual cipher key is not known (and is not supposed to be knowable) to the end user. To me, that just means that I would need to keep a separate (encrypted) copy of anything and everything on the drive, since I have no way to recover the data should the trust module experience an operational failure. Good backups are of course a part of overall data security as well, but the ‘black box’ aspect of how these systems work gives me, a certified information security professional, less confidence rather than more in the system as a whole.
Trusted computing = treacherous computing. Basically, trusted computing/Palladium/whatever you want to call it is a way for the manufacturer (ie MS in most cases) to have control over what can and can’t go on your computer and what you can do with it. The computer is built in with a key – more like an encryption code – that only the manufacturer/OS maker can decrypt. And it’s not accessible to the user. Vista is notorious for this. This allows for forced updates, deletion of undesired content, remote shutdowns, and more. There are signs that Apple may be following suit soon, if it hasn’t already.
Trusted Computing == Oxymoron
Trusted Computing – what it really means:
The TC proponents want your computing to be trusted to not do anything with their content that you have not paid for. It’s that simple, but as always, you have to ask – What could possibly go wrong ?
Any way you look at it, this attempt is doomed to failure.
Oh, and one more thing. There is one more piece to the puzzle which Pinky and the Brain need in order to take over the world. They need to outlaw any platform that does not meet their specifications.
"Trusted" Computing
Securing a computer is akin to loading your valuables into a safe. Given time and opportunity, the safe can be opened by a crook.
Re: "Trusted" Computing
Yes, but it’s possible (easy actually) to make a digital safe that will take the crooks decades to break open.
Real Security
Unique OS that can read common file types (document, spreadsheet, etc), but can’t execute common executable file types. Malware simply can’t exist on the system unless it is specifically written for it
Then have 0 internet access and put it in a secure room since physical security isn’t usually a problem if it is implemented correctly. You could combine IR, Audible, and laser intruder detection then have a hard 30 minute boot up time. All this inside a continuously occupied building with armed security.
Then all you have to worry about is someone faking the credentials to get into the computer room and not being found out for 30 minutes. And that shouldn’t be too hard to accomplish.
Re: Real Security
As we know from Mission: Impossible, you also have to make sure the building doesn’t have fire alarms. If it burns down, so be it – as long as the computer is destroyed along with everything else. Maybe a massive thermite charge packed around the computer so that if the room catches fire you can be sure everything’s destroyed.
Computer security will never be secure in a consumer market
There will never be a truly secure system for the consumer market, because the fact is that computer security is expensive and troublesome to implement in a system, and consumers don’t want to pay for it.
There will always be smart competitors who sell systems equally good, but without the security and at a lower price, and consumers will choose that product.
Smart comment with the mention of consumer security. Trusted computing isn’t about consumer security, it’s about enterprise protection. No enterprise security professional believes in truly perfect security, they simply want to lock down as many strong layers of security as possible, and most of all — keep the end users from messing with the system, where most of the compromise hits. That’s why trusted computing is almost entirely on enterpise-class machines build for business use, rather than the consumer machines.
Not perfect, as no security technology ever will be. But these are the steps needed to protect in an enterprise environment, heavily regulated industry, etc. For folks worried about DRM, understandable concern but there will ALWAYS be options without embedded hardware encryption to choose for personal use, so take an extra look at what you’re buying before you purchase a new laptop, etc.