Forgot your password?
typodupeerror
Privacy Security

UK Government Pushing For 'Trusted Computing' 291

Posted by timothy
from the bland-acceptance dept.
Motor writes "As has long been expected — we are now beginning to see governments pushing for the use of so-called 'trusted computing' — chips installed in all computers that effectively remove control of the PC from its owner. While there may be security advantages to some of the ideas, few can doubt that it represents a fundamental shift in the IT world. A radical move away from an open technology landscape and towards a system that denies all access unless you have the right credentials. Governments will demand the right credentials to access their services — meaning approved software stacks (i.e Windows) with the right digital signatures. Vernor Vinge had it right ."
This discussion has been archived. No new comments can be posted.

UK Government Pushing For 'Trusted Computing'

Comments Filter:
  • by koestrizer (2491576) on Sunday October 23, 2011 @12:36PM (#37810124)
    My Linux machine is well-protected and I don't need your meddling nor do I need Microsoft's.
    • by Gaygirlie (1657131) <gaygirlie AT hotmail DOT com> on Sunday October 23, 2011 @12:52PM (#37810220) Homepage

      My Linux machine is well-protected and I don't need your meddling nor do I need Microsoft's.

      That is indeed one of the reasons why this will not work: there are people using all kinds of different OSes, including all the mobile ones, desktop OSes and whatnot. If the UK government were to only allow devices with the trusted computing built-in both the hardware and software they'd be instantaneously removing access for everyone who is used to using mobile devices to access those services.

      Another case of government not understanding technology, yet still pushing everyone to adopt it.

      • by Teun (17872) on Sunday October 23, 2011 @01:29PM (#37810484) Homepage
        From the article:

        These are making the public safe online and ensuring the country is one of the best in the world for online business; making the UK more resilient in the face of cyber attack and better able to protect its interests; proving a more "open and vibrant" cyber security environment; and having the knowledge, skills and capability to underpin these.

        "Building the most resilient cyber defences in the world will not help if you are suffering from intellectual property theft," he said. "Trusted computing underpins security and can underpin growth, providing confidence in transactions, expanding markets and making them function more efficiently."

        The first quoted sentence is the usual self congratulating typical for British politicians, nothing to see here, move along.
        The second part of the quote starts with divulging who is sponsoring this 'action'.

        Bah!

      • My Linux machine is well-protected and I don't need your meddling nor do I need Microsoft's.

        That is indeed one of the reasons why this will not work: there are people using all kinds of different OSes, including all the mobile ones, desktop OSes and whatnot. If the UK government were to only allow devices with the trusted computing built-in both the hardware and software they'd be instantaneously removing access for everyone who is used to using mobile devices to access those services.

        Another case of government not understanding technology, yet still pushing everyone to adopt it.

        In politics "this will not work" is not the same thing as "this will not happen". More often, it is the opposite.

      • That is indeed one of the reasons why this will not work: there are people using all kinds of different OSes, including all the mobile ones, desktop OSes and whatnot. If the UK government were to only allow devices with the trusted computing built-in both the hardware and software they'd be instantaneously removing access for everyone who is used to using mobile devices to access those services.

        Another case of government not understanding technology, yet still pushing everyone to adopt it.

        oh, i think it understands that part alright. if you have TPM and signing keys to it you can run whatever you like. this is pretty cool feature for servers and workspace hardware. if you have the keys, that's it.

        BUT the whole point here is not about technology so much as about taking away people's access to the hardware they supposedly own (which, coincidently, would also nicely decrease number of "kinds of different OSes" people use and even number of their versions). and there are a looot of organizations

      • Too many issues (Score:4, Insightful)

        by msobkow (48369) on Sunday October 23, 2011 @05:21PM (#37812114) Homepage Journal

        There are too many issues of lock-in and lock-out associated with so-called "Trusted Computing", in particular the potential to block users from installing their operating system of choice on the hardware they own.

        So far the TPM initiatives deployed by the vendors have failed one after the other. X-Box, PS3, smart phones -- every TPM system I know of to date has failed to provide the protection promised, while restricting freedom of choice by the general public.

        As a result, the only ones who really benefit from TPM are those who want to implement hardware DRM (digital restrictions management.) I'm not willing to give up my software freedoms to support the media companies.

      • by Hatta (162192)

        That is indeed one of the reasons why this will not work: there are people using all kinds of different OSes

        This is one of the reasons why it will be done anyway. It's an excuse for governments to supply more customers to their most valuable constituents. They don't know or care about open source or your freedom.

    • Actually TPM allows protection in both directions. It works a bit like banks' systems. With a TPM you can secure a laptop, give it out to anyone, and you can set it up so they won't be able to break the encryption even if they know the passwords.

      If you work for a company, you can give out VPN credentials to idiots that are uncopyable. If they get infected with a virus, the VPN won't come up.

      I've consulted for a bank, and here's the dream : full offline money. If you have a TPM they will manage your account

      • by pmontra (738736) on Sunday October 23, 2011 @01:07PM (#37810334) Homepage
        Suppose you are a Linus Torvalds some years in the future. How do you create your own OS if your PC only boots existing OSes and you don't work for a company that can buy or create non TC hardware?
        • by chill (34294) on Sunday October 23, 2011 @01:14PM (#37810368) Journal

          Easily, if you hold the keys. The trick is the keys that sign the boot image need to be in your control.

          Google does this with their CR-48 Chromebook. It will only boot Google-signed images. But, there is a small switch in the battery compartment to put it into developer mode where it'll boot any image.

          I *LIKE* TPM, as long as I generate the signing keys for the images. Then it'll boot what *I* tell it, and not necessarily what MS or the gov't, or anyone else tell it to.

          It ensure that *I* can trust my computer. Screw what they want to trust.

          • by Rich0 (548339)

            Well, the CR-48 doesn't quite do what you say you want.

            In secure mode it only boots their OS. In developer mode it will boot anything. There is no option to only boot "your" OS.

            I think that trusted computing is fine, as long as I control the keys in the computer. Oh, and if I get a copy of the private keys associated with any public keys that are pre-loaded in the thing (not a big deal from a security standpoint - they just need to assign a unique keypair to each PC).

            • by chill (34294)

              You are correct in that it doesn't suit my needs. However, several laptops do in that they have TPM chips included, but uninitialized. You can initialize them and create the keys. This is optimal.

              I really don't mind the government mandating having a lock -- so long as *I* and not *they* have the key.

              • by vadim_t (324782)

                Ah, but why would the government mandate a lock and leave it up to you to do something with it?

                There's no point in that. If you really want a TPM you can go and buy a computer with one, there's no need to globally impose having it on the entire population (which won't come for free, btw).

                The only point in requiring it is that there's something for the government in it, and most likely not to your benefit. Even if you do want a TPM you should oppose the government's attempt to introduce it, because it will s

          • by epyT-R (613989)

            damage from tpm hurts a free society because it allows unilateral control from authority without sufficient mitigating oversight. that's why an imperfect system is best if a free society is the end goal.

            control over your own hardware is only part of the issue.

          • by rrohbeck (944847)

            That would require a function to set the acceptable pubic key(s) through the BIOS. I have never seen such a feature. They are always hardcoded in ROM or stored in the TPM module.

        • by gman003 (1693318)

          Nothing is unbreakable. Intel's TPM works basically the same way game console lockout chips do, with some enhancements - and you'll notice that there's a thriving market in modchips and softmod hacks. Worst-case, Linus would've had to reverse-engineer and break the TPM. Best-case, you go to a jailbreakme.com-like site and disable it entirely from software.

          • by gtall (79522)

            You miss the point. MS and friends don't care what a bunch of geeks do with their systems, they are interested in locking down the mass market who wouldn't have the faintest of fuzzies there is even a problem.

        • by amiga3D (567632)

          I suppose you could work in a virtual environment.

      • If you work for a company, you can give out VPN credentials to idiots that are uncopyable.

        Are there copyable idiots, too? :-)

        • Yes they're called pop stars

          • Yes they're called pop stars

            Technically, pop stars are just easily reproducible. We'd need more advanced cloning technology to actually copy them, and if we do make copies of Britney Spears, I'm leaving the country.

      • by vadim_t (324782)

        Surely such features are worth something ? Several linux companies are already using them.

        Not to me. Why would I want it? If the bank likes it, it's profitable for them, but that doesn't mean it's necessarily profitable for me.

        Offline payments also seem largely unnecessary given how the internet is increasingly available anywhere.

        Also there are a lot of potential pitalls. If you transfer money to me offline, can the money disappear if the computers are never synchronized?

        All it does is simply making sure th

      • by Dog-Cow (21281)

        All idiots are copyable, and most have been.

      • by greenbird (859670)

        In general TPM's allow fully disconnected trust relationships.

        The government drone quoted in the article clearly states this has nothing to do with security and everything to do with DRM and controlling what is on your system.

        From the fine article:

        Owen Pengelly, deputy director of policy at the Office for Cyber Security and Information Assurance in the Cabinet Office..."Building the most resilient cyber defences in the world will not help if you are suffering from intellectual property theft," he said.

      • by kvezach (1199717)
        I've consulted for a bank, and here's the dream : full offline money. If you have a TPM they will manage your account in your laptop (or phone, or ...) and have full offline payments. Because the TPM will only give their program access to the data, they can still prevent you from simply adding money in your own account, while allowing fully disconnected payments to occur which the bank will only find out about weeks after the fact (and so can you on other's computers of course).

        That sounds like a pretty
    • by westlake (615356)

      My Linux machine is well-protected and I don't need your meddling nor do I need Microsoft's

      But is it your Linux machine or does it belong to your employer, your school, or your parents?

      If your employer and others allow external access to secured internal systems, services and data, can they insist on dealing only with known, trusted, machines?

      The Linux machine with no network access is, for all practical purposes, a doorstop.

    • by houghi (78078)

      I will accept it the moment we have Trusted Government.

    • by FridayBob (619244)
      For the moment at least, I don't think they mean your machine, rather those owned and operated by the British government. Still, seeing as they are major customers, this is a significant boost for the Trusted Computing Group and does not bode well for home users (treacherous computing, here we come).
  • by Crashmarik (635988) on Sunday October 23, 2011 @12:42PM (#37810160)
    The U.S. has been doing it to itself with an insane tax code, and product liability laws from the netherworld. Europe is going down the road of not trusting its people.
    • Offtopic. The US tax code and product liability laws are completely unrelated to this story. You might make an interesting argument that governments world wide are moving further and further away from trusting their citizens, and this is yet another salvo in that battle. A relevant example from the US would be the Senators who are making noises about removing the ability to directly elect Congress.
      • by HiThere (15173)

        There are actually decent arguments that we should go back to having the Senators represent the states. I'm not aware of ANY decent arguments that this kind of thing should be mandated.

        (The primary argument that the Senators should represent the states is that the Senate has gotten in the habit of mandating that the states do something, but not providing any funding to implement the requirement. If you demand that something be done, you ought, at minimum, to be required to pay for it's being done.)

  • Will handing Microsoft that kind of power make the internet more secure?

    • by arth1 (260657)

      Will handing Microsoft that kind of power make the internet more secure?

      The first time industry handed them TPM, they provided BItlocker. So the answer is probably "yes".
      Even if you rightly hate Microsoft for other reasons, this doesn't seem to be one.

      • Except that BitLocker, like other such programs, is susceptible to a cold-boot attack. http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption [wikipedia.org]

        • by arth1 (260657)

          Non sequitur. Your car and house's locks are susceptible to a lot of attacks, likely anything from picking to drilling out the lock, or breaking in through a window. That doesn't stop the locks from being useful.

          The point is that from track record, Microsoft seems to not take advantage of TPM to do DRM lock-in, but instead provide features that arguably can be of value to the end user. Much as I like bashing Microsoft, I won't prematurely bash them over this.

  • Two words... (Score:5, Insightful)

    by Doctor_Jest (688315) on Sunday October 23, 2011 @12:50PM (#37810210)

    Fuck. Off.

    I will be the final arbiter of what runs on MY computers. Not some nebulous "trusted computing" that is in the back pocket of proprietary software conglomerates. There's no point in it unless the real agenda is to wrest control from users' hands. (The recent "secureboot" crap for Windows 8 is a prime example.) It's my computer. It's my data. It's not yours. It won't ever be yours. And no amount of fearmongering will convince me you have my best interests in mind.

    Kiss my ass. No, really. Not on the left cheek, not on the right cheek, but RIIIIGHT in the MIDDLE.

    • You have the most appropriate response I've read so far. The notion of this is ridiculous!

      There is not enough *wrong* with our current tech to necessitate this bullshit.

      The best response is outrage, and th UK people should burn this idea to the ground and reprimand those pushing it!

    • "Nothing was your own except the few cubic centimetres inside your skull"
      George Orwell 1984.

    • by kheldan (1460303)
      Hear, hear.

      But also this: I don't care WHAT bullshit controls they attempt to put on a motherboard, someone will have a hack to completely defeat it within a week of it's release. Suck it, fascist government assholes!
    • by Bob9113 (14996)

      There's no point in it unless the real agenda is to wrest control from users' hands.

      I agree. From the article:

      "Building the most resilient cyber defences in the world will not help if you are suffering from intellectual property theft," he said. "Trusted computing underpins security and can underpin growth,..."

      The "he" in the above quote is Owen Pengelly, deputy director of policy at the Office for Cyber Security and Information Assurance in the Cabinet Office. They are actually being surprisingly forthrigh

  • by 0xdeadbeef (28836) on Sunday October 23, 2011 @01:04PM (#37810312) Homepage Journal

    Actually, no, Richard Stallman had it right [gnu.org] long before Vernor Vinge.

    DRM has never been about getting paid, it has always been about keeping control. And for all the shit Microsoft got about Palladium, the Apple zealots sure turned a 180 in 2007.

    But the zealots are right about one thing - the iPhone is the future of computing. And that future is a boot stamping on a human face, forever.

    • I agree on all counts except for one thing ... If you click through to the article (Vinge had it right), she's talking about his idea that it rises slowly without any disaster to get people to go for it. Surely Vinge built on ideas from others, everyone does. But they're specifically talking about how accepting we all are (will be?) toward it. In his Rainbows End, a character specifically says that we traded freedom for safety, implying that it was a willing transition.
      • I agree on all counts except for one thing ... If you click through to the article (Vinge had it right), she's talking about his idea that it rises slowly without any disaster to get people to go for it. Surely Vinge built on ideas from others, everyone does. But they're specifically talking about how accepting we all are (will be?) toward it. In his Rainbows End, a character specifically says that we traded freedom for safety, implying that it was a willing transition.

        I'm reminded of the main title sequence for that Babylon 5 spinoff "Excalibur", where the Technomage Galen intones, "Whom do you trust? Whom do you serve?"

        RIght now, I trust my computer systems because I know they serve me, and only me. If that changes, computing will be a very different place, although the bulk of humanity may never realize it.

        • > I'm reminded of the main title sequence for that Babylon 5 spinoff "Excalibur", where the Technomage Galen intones, "Whom do you trust? Whom do you serve?"

          Wow... you mangled the quote and added bad grammar.

          "Who do you serve and who do you trust? [youtube.com]"

          Choosing to use who and whom

          • > I'm reminded of the main title sequence for that Babylon 5 spinoff "Excalibur", where the Technomage Galen intones, "Whom do you trust? Whom do you serve?"

            Wow... you mangled the quote and added bad grammar.

            "Who do you serve and who do you trust? [youtube.com]"

            Choosing to use who and whom

            {sigh} Grammar Nazis.

            I cut & paste it from somebody else that mangled it.

  • by Ogun (101578) on Sunday October 23, 2011 @01:05PM (#37810328) Homepage

    Because the certificate authorities have a really proven track record.

    Also, it really helps against buffer overrun exploits which in now way is a common thing...

    The usual bollocks, in other words.

    • Because the certificate authorities have a really proven track record.

      Also, it really helps against buffer overrun exploits which in now way is a common thing...

      The usual bollocks, in other words.

      Yes, and in fact they're probably the ones who will accidentally subvert the whole thing on a Biblical scale some day, with some drain-bamaged "revenue enhancement" scheme like their ill-fated 404 redirects.

    • by blueg3 (192743)

      Why would a trusted computing architecture use "has a code signing cert issued by a CA" as a rule? They're cheap and they only provide accountability, not security. That rule isn't even sufficient for Windows drivers -- you need a cert issued by one of the CAs that's been counter-signed by Microsoft.

  • It all depends who holds the key, the owner/user or some bureaucratic institution.

    I would welcome a system with a strong wall against the installation of malicious software but ultimately the owner of the device should be in control.

    And just as much I realise the vast majority of (Windows/ OSX) computer users find it out of their league to decide what is safe or unsafe software, a devilish dilemma!

    Yet no more devilish than handing this over to the aforementioned bureaucrats.

    • And just as much I realise the vast majority of (Windows/ OSX) computer users find it out of their league to decide what is safe or unsafe software, a devilish dilemma!

      Not really. There's no particular reason that an operating system can't be reasonably safe on the Internet. The only "dilemma" here is whether or not you choose to use the mainstream operating system (Windows) or something else that's more secure. Yes, I know, Microsoft has come a long way with security, but they still have a ways to go, and as long as they're the dominant desktop OS they'll have a bull's eye painted on their backs. If you want security, and don't really need Microsoft compatibility (and in

  • RTFA (Score:5, Informative)

    by Anonymous Coward on Sunday October 23, 2011 @01:22PM (#37810422)

    The article quite clearly states that the government wants *its own* computers to have TPM installed, it doesn't mention anything about home users.

    • The article quite clearly states that the government wants *its own* computers to have TPM installed, it doesn't mention anything about home users.

      Not yet.

      • by dkf (304284)

        The article quite clearly states that the government wants *its own* computers to have TPM installed, it doesn't mention anything about home users.

        Not yet.

        But the government most certainly is allowed to secure the systems that it owns and uses. It's even good practice! Same for anyone else, of course. The problem comes at the point when one person tries to take control away from another, and that's without regard for whether the oppressor is government, corporate, or anything/one else. The only true distinguishing feature of a government in this regard is its size; evil is as evil does.

        In any case, I propose to worry about other things first. Like the economy

    • by Bob9113 (14996)

      The article quite clearly states that the government wants *its own* computers to have TPM installed, it doesn't mention anything about home users.

      I'm not sure which article you read. The original post links to the one at this address: http://www.guardian.co.uk/government-computing-network/2011/oct/21/cyber-security-strategy-trusted-computing [guardian.co.uk]

      That one says nothing about putting it on government computers, and has these points implying that they are talking about privately owned computers.

      These are making the

  • Not for you (Score:5, Informative)

    by EdZ (755139) on Sunday October 23, 2011 @01:25PM (#37810454)
    This sounds less like requiring a TPM for access to, say, the jobcentreplus website (i.e. requiring TPM for the general public) and more an attempt to stem the tide of embarrassing governmental data breaches, i.e. requiring new government and MOD hardware to be a bit less rubbish in terms of data security. Requiring new hardware to access government services for eh general public won't happen, simply because there'd need to be a way to grandfather in all the non-protected devices in public libraries, distributed through government programs, etc.
  • Governments will demand the right credentials to access their services

    When I want something from the government, I'll might be obliged to use their approved interface. But when the government wants something from me, they'll have to use mine. Paying my taxes, for example. If Windows crashing becomes a plausible excuse for not filing a return, the gov't is going to have a serious revenue problem on its hands.

    Realistically, the revenue department will always have to allow paper returns for this reason. And the staff required to process them. The only way to minimize this requi

    • by vadim_t (324782)

      Paying my taxes, for example. If Windows crashing becomes a plausible excuse for not filing a return, the gov't is going to have a serious revenue problem on its hands.

      Yeah, right. What they'll do is to send you a certified letter saying you have a week to pay your taxes, or else. You might be able to convince them a bit longer, but the excuse won't work indefinitely. If you don't pay, they'll just give you a big fine, in addition to forcefully collecting the owed tax from your bank account.

      • by Rich0 (548339)

        Uh, more like they'll send you a certified letter saying that you're already past-due, and please file and don't forget to add the following fine to your payment.

        The next step will be a police officer knocking on your door.

        I doubt a tax agency is going to resort to polite reminders.

  • I.E. No-one who could actually present a bill before parliament.

    This has come up before and it'll come up again, but it's not gonna happen. If this was anything more than an unnamed bureaucrat saying "this would be handy" then it might pique my interest but otherwise it's no different from an MI5 spook saying that tracking everyone's browsing would be useful to the security services.

    By that I mean yes, it would be useful, but even if it was technically possible parliament wouldn't consent to such nakedly dr

  • I wonder if Owen Pengelly has friends with financial interest in 'trusted computing' firms. Someone must be feeding him this line I guess.
  • It's easy to imporve security by taking away most of the functionality, but in most cases it isn't worth it.

  • Before they start pushing out essentially untested technologies onto the public, shouldn't they test it on themselves first? If it does indeed offer "something better" let them test it on themselves and their own infrastructure first. Check to see that everything runs as it should and if not, what adjustments are needed to make it work. And most importantly, identify how it can be done fairly and without excluding various parties from participating in the marketplace.

    If it can't be done without fairness

  • This sounds like it will start an industry. Companies building devices capable of having ID codes changed, much like a MAC address, will find themselves a large customer base.

  • by unity100 (970058) on Sunday October 23, 2011 @03:15PM (#37811326) Homepage Journal
    A chip that allows utter control of a computer remotely, and security advantages ?

    underground crime networks wouldnt blink an eye and would not waste even a '0-day' before they hack them to their advantage.

    Politicians are stupid from an i.t. perspective. They shouldnt be allowed to talk on anything i.t.
  • by Zoxed (676559) on Sunday October 23, 2011 @03:20PM (#37811354) Homepage

    No need to panic: this is a suggestion from an UK civil servant. Even if it did became policy one day the work would be farmed out to a least-cost supplier, the project would be 5 years overdue and 6 times over budget. If it ever made it into anyone's home it would be cracked by 12 year old in her lunch break :-)

  • by arglebargle_xiv (2212710) on Sunday October 23, 2011 @04:10PM (#37811684)

    Speaking at a seminar on the subject organised by Wave Systems,

    Wave Systems' entire business model is built around DRM-enforcement hardware, a business model they've been failing with for at least a decade (they also have backing with lots of venture capital from companies hoping it'll eventually pay off big, so they can afford to to continue to fail for years to come). Since he was speaking at an event they sponsored then of course he's going to endorse "trusted" computing. It was just a sound bite to keep the sponsors happy and make sure they covered his speaking fees and lunch bill, nothing more.

    • by letsief (1053922)

      What? I don't know of a single product that Wave sells that is DRM-related, at least using the copyright protection definition of the term. Most of Wave's products are related to managing full disk encryption systems, like Bitlocker or self-encrypting drives.

      • What? I don't know of a single product that Wave sells that is DRM-related

        As I said, they haven't been very successful at it, but they've been trying really, really hard for more than a decade. Read their technical docs and business plans for the last ten years or so...

  • Where you sit drooling and not involved, I mean come on... that was the ideal right? Stupid drooling and desiring to buy and be like those on TV.
    That declined with the Internet, and of course the loss of financial control and distribution of media.

    The powers that be don't like the Internet right wikileaks?

  • Then its the beginning of the end for most of us, and the computer world as we know it. I hope you like your 'appliances' ( like ipads and various locked down phones, and toasters ) as that is all we will have soon.

I cannot conceive that anybody will require multiplications at the rate of 40,000 or even 4,000 per hour ... -- F. H. Wales (1936)

Working...