No More Internet Anonymity 740
inkhaton writes "This Article tells of an Orwellian chip that, once installed in your computer (and not by your choice), will allow any website you visit to "read" your identity. The article goes on to describe how many benefits there are for using this to facilitate online business and even suggests some negative points. It ends with "Ultimately the TPM itself isn't inherently evil or good. It will depend entirely on how it's used, and in that sphere, market and political forces will be more important than technology." ... ugh. Well we all know what that means."
Real Identity? (Score:4, Insightful)
Re:Real Identity? (Score:5, Insightful)
Re:Real Identity? (Score:5, Funny)
Or the 3117 [sic] haxor who used the latest TMP chip crack to change their TMP ID to be the same as yours, which they got from the worm that still can get installed on your machine...
Well I've heard of people misspelling words, but who'se heard of somebody misspelling a number? It's called 1337, dude.
Re:Real Identity? (Score:3, Funny)
Re:Real Identity? (Score:5, Informative)
these kids these days they're all e-literate and don't know how to hard code a crack in asm after having reverse engineered all traces of the hooks and calls from a compiled binary full of traps to make reverse engineering more difficult.
microsoft has made it far too easy, back in the day if you wanted to steal someone's data, you had to lug a 20lbs reel to reel magnetic tape, p[ull it over to a duplicatrion mainfraim and copy the contents onto anothe blank 20lbs reel to reel magnetic tape AND it Still only held 20 Megabytes AND WE LOVED IT.
Re:Real Identity? (Score:5, Insightful)
Implimenting this in hardware means that it's inherintly less adaptable than software. Which means software will be able to adapt around it. Perhaps not in the machine itself, but it's just data out. It should be trivially easy to man in the middle your own outgoing datastream to be able to incorporate any TMP data you want, likely possible even without additional hardware.
Time to bail! (Score:3, Insightful)
Re:Real Identity? (Score:3, Insightful)
I'd give it a week.
Re:Real Identity? (Score:4, Insightful)
Unless you carry around an implanted chip [digitalangelcorp.com], how is the bank going to know it's the "real you?" Maybe they have a whitelist, or maybe you have to go through some verification process the first time to tie the machine to your account or something, but it sounds a bit hokey.
One other thing that gets me is how does the bank know your computer has a TPM chip. It can ask, but it has to trust that the computer will answer truthfully. If you set up an intervening program that says, "Sure, I have a TPM chip. You can trust me!" and then emulate the TPM, with a fake ID of course, I don't see how the bank can tell the difference. If I can think of that there's already a bunch of hackers who have, and they are all saying "Excellent" in their best Mr. Burns voices.
Re:Real Identity? (Score:2, Informative)
Re:Real Identity? (Score:2, Interesting)
Identity thieves will have a long field day..
Re:Real Identity? (Score:5, Insightful)
I second that. The more perfect you consider an identification method to be, the more perfectly you will be fooled by a fake.
Re:Real Identity? (Score:5, Insightful)
if things keep going this way...
Re:Real Identity? (Score:3, Funny)
Re:Real Identity? (Score:3, Funny)
Re:Real Identity? (Score:4, Funny)
Damn those wi-fliers!
Re:Real Identity? (Score:4, Interesting)
SSL is pretty secure method for doing web-transactions. It's not perfect, but a TPM isn't going to make things any better. You can still hack around SSL if know how to use google effectively for research.
Once you know the method for how the server shakes hands with the TPM you can usually spoof it. Not to mention this would be a publicly available process so that all the webmonkeys of the world would know how to build a "secure" site with it. Even if it wasn't readily available to the public, it'd still be like trying to movie or software piracy. Where there's a will there's a way.
And what this guy said too :
http://yro.slashdot.org/comments.pl?sid=171227&th
Emulators (Score:3, Insightful)
It might not make for a very fast computer, but it'll be fast and cheap enough for the average nigerian scammer to invalidate the entire case for the TPM chip.
So what (Score:2, Interesting)
Re:So what (Score:3, Insightful)
1) People likely won't know about it, and Joe Average will just buy it with his computer not realizing the problem and risks.
2) There are only so many hardware providers. What happens when they all carry it? Unless you like build your computers from scrap, you'd be stuck with it. And at some point, they'll just start carrying them on all processors or something. This was made by an alliance of AMD, Hewlett-Packard, IBM, Microsoft and Sun after all. If Intel j
Re:So what (Score:3, Interesting)
Re:So what (Score:2, Insightful)
My ID (Score:5, Funny)
Re:My ID (Score:2)
Good or evil? (Score:2, Insightful)
Re:Good or evil? (Score:3, Interesting)
i'll garantee you the biggest backing for this technology comes from the RIAA, MPAA and the CIA
It's even worse! (Score:5, Funny)
really (Score:5, Funny)
Richard Cranium
9191919 Nunya Street
Overstock, MO 64999
901-555-5555
And if I can't do that
And lose Internet access (Score:2)
My TPM will have the following [false] information
And you won't get an IP address. Alsee has explained why ISPs will want to make a working TPM a condition of providing Internet access [slashdot.org].
then I guess it's back to my C= 64...
Will the BBSes be upgraded with 33.6 kbps modems? (56 kbps doesn't work if both ends of the connection are residential POTS.)
Re:really (Score:5, Funny)
i think the C - 4 will work better.
Question is (Score:5, Insightful)
We already have systems that work fine without this invasive technology - just like we already have MP3 technology for making nice MP3 files to listen to and download.
Why then would we pony up more cash or change the way we connect to the internet just for the sake of adopting this new technology?
These approaches for more DRM and more end-user-ownership by the corps is almost always stick and almost never carrot.
If you have no IP, then what? (Score:2, Informative)
Why then would we pony up more cash or change the way we connect to the internet just for the sake of adopting this new technology?
Because there are only two companies that control the last mile in your area, and they have both made a working TPM a condition of obtaining residential Internet access [slashdot.org] through them.
If you have no sources, then look here (Score:3, Informative)
And your infallable source for this information is... a Slashdot comment.
It's not my only source, just one that's useful for introducing the ramifications of the concepts introduced in the Trusted Network Connect FAQ (PDF) [trustedcom...ggroup.org].
Re:Question is (Score:3, Insightful)
just about time for revolution, don't ya think? (Score:2, Interesting)
DEMOCARACY IS DEAD!
wheres the lineup to join the liberation front, its time for a revolution!!
Re:just about time for revolution, don't ya think? (Score:2)
my point exactly...
Take a deep breath, and calm down... (Score:3, Interesting)
duh (Score:5, Insightful)
I'd like to hear of any inanimate object that is inherently evil or good. Nuclear bombs aren't inherently evil or good, it's just how you use them. Otherwise they just sit there.
Re:duh (Score:3, Insightful)
A nuke can be used for only one thing - cause destruction. The only positive use it might have is to threaten the other person with destruction. It has been created with the specific purpose and intent of causing mass destruction, and nothing else.
On the other hand, a tool like this is genuinely built with the idea of being useful. Can it be misused? Yes. Can it be used to cause harm? Yes. But can it also cause good when used right? Yes.
No matter which way you look at using a
Re: (Score:2)
Re:duh (Score:4, Insightful)
Why? We're not really going to trot out that rubbish about needing to use nukes against Japan, are we? A few points to consider:
* Before the US dropped nukes, Japan was already sending out requests for peace through several countries. The sticking point was that the Japanese wanted to keep Hirohito as a figurehead emperor -- the exact same deal the US privately agreed to.
* Before the US dropped nukes, Japan was so defeated that the US could park battleships off the Japanese coast and shell at will -- without response.
* The much quoted figure of "1 million" US casualties in the event of a Japanese invasion is sheer fiction. The War Department put the figure at two hundred thousand casualties (horrific yes, but certainly not 1 million).
* General Leslie Groves, military commander of the WWII Manhattan Project to build an atomic bomb, said bluntly, "There was never, from about two weeks from the time I took charge of this Project, any illusion on my part but that Russia was our enemy, and the Project was conducted on that basis."
Nutshell summary:
We dropped nukes on Japan in WWII for two reasons: to see them work in action and, more importantly, to show the USSR that we can and would use them.
Re: (Score:3, Insightful)
Re:duh (Score:3, Interesting)
It's the same one I have now, a link to ReOpen911.org.
To your last point, yes, anyone who believes that the US was complicit in 9/11 is an idiot, regardless of how many people share the delusion.
That's illogical. First, calling millions and millions of people "idiots" speaks for itself. But humanity's basis of defining reality is when people accept something as fact. We have no scientific proof of God, but does that make all religious believers "idiots"? Ignoring the philosophical aspects, t
Re:duh (Score:3, Informative)
MAYBE if the Americans decided to allow the Japanese to keep their emperor before they dropped the bomb, and not after they dropped the bomb, things would have been different.
Notice the 'maybe', no one knows!
For a good read on the subject, look here: http://www.doug-long.com/hiroshim.htm [doug-long.com]
Re:duh (Score:2)
But the point still stands, that any inanimate device can do nothing until a human being employs it in some act. A gun, a pen, a car, a pool- you name it, they all just sit there and do nothing until someone interacts with them. Yes it is harder to use so
Re:duh (Score:3, Insightful)
Using a nuke is evil. Period.
But then you say....
unless you're blowing an asteroid out of orbit or something equally improbable
So it's evil. Period. with the exception for times when it isn't. Either it's "evil. period" or it's not. You don't get to make exceptions. That's what that whole "period" business is about.
Nuclear weapons aren't terribly usefull, it's true. At one time people were considering using them for mining operations. I believe that turn
Re:Second law of thermodynamics (Score:2)
We can sit all day and argue philosophies on what is more valuable, but the bottom line remains that you ended a life, and the gun facilitated that ending.
Interesting. Are you sure? (Score:3, Interesting)
But what is their purpose? We cannot simply evaluate things by their inert state. We also have to factor in their reason for being. A gun isn’t made just for the purpose of propelling an object at high velocity in a particular direction (there are superior devices for doing that), it is intended to destroy something as a result.
This type of thinking might be carelessly superficial in some c
You are implying bombs are bad... (Score:2)
Obviously one can ruin your whole day, if set off in the wrong place. But bear in mind that a couple of thousand of them have been set off on this planet, to date, and have not destroyed it.
One could argue that there are "good" engineering uses of nukes (none, to date), and there are bad uses (random atmospheric testing scatting dust around). The one use in wartime (two incidents, one war) is hones
Re:duh (Score:3, Funny)
Otherwise it's just bound paper sitting there until someone picks it up and does something with it.
Mark of the Beast (Score:4, Funny)
Re: (Score:2)
Re:Mark of the Beast (Score:2)
Dude, this is America. The beast wants to *encourage* you to buy and sell.
i like it (Score:5, Insightful)
Re:i like it (Score:2)
Pansy article (Score:3, Interesting)
I'm so mad I can't type. The idea that something can be put into a tool that I buy weather I want it or not, and then we will see if my privacy invasion is good or evil latter makes me want to throttle someone.
The tone of the article gives me a good idea of who to start with.
Re:Pansy article (Score:2)
Having 'bad' sites constantly reminding you that they KNOW that you are who they think you are, I'm sure people would start to object.
Or are people going to just accept it as the next thing in the line of forever more popups, spyware and trojans??
Any power will be abused. Mod redundant. (Score:5, Insightful)
Anyway, I'm not sure there will be any such thing as privacy in the near future. Right now it's already becoming a luxury good, and pretty soon only millionaires will be able to afford it.
There is a solution, but no guarantee we'll reach it. We need to define an individual's personal information as belonging to that individual, and any use or reference to that information should only be with permission, and based on some good reason. To put actual teeth in such a legal principle, I think it needs to be coupled with a right to store your own information (presumably on your own computer). Without such a basis for protecting privacy... Well, you'd better get use to appearing all over the Internet when you least expect it.
latter-day cryptanalysts? (Score:5, Insightful)
I've been thinking about this; the problem is the legal route to this is pretty much a nonstarter already. But maybe there is a loophole; I think we should all start a church. The Church of the Super Paranoid, or something like that. That way we could cry religious persecution if intrusive privacy-stealing measures are used against us. I'm certain I would have no problem convincing a sizeable chunk of the Slashdot population to swear and affirm (on a stack of punched cards) that their right to crypto and absolute mastery over who sees their porn stash is both vital and indispensable to the very core of their identity. I think it could work.
At the very least, the crazy fundies will lobby for laws that would help us... :0
Re:latter-day cryptanalysts? (Score:2)
No, I'm not
Re:latter-day cryptanalysts? (Score:3, Funny)
Tin foil router (Score:3, Funny)
This would make encryption mandatory (Score:5, Insightful)
Here are the scenarios:
1) Chip reports stuff, but data stream is wide open, so middlemen can change whatever they want.
2) Chip reports stuff, but with shitty encryption so the gov't can still do its wiretaps and echelon won't break. System is hacked within a couple days and the whole 'chip' idea becomes worthless.
3) Chip reports stuff, but with robust encryption. The site you are talking to knows who you are, but people between you and them can't sniff your actions other than knowing that 'some sort of communication took place'.
Plus variations. This could actually make webs of trust (a la the direction that Freenet appears to be going) more secure, since you know that your neighbors haven't been man-in-the-middled.
tool != evil (Score:2)
Old News (Score:5, Informative)
Read the TCPA FAQ [cam.ac.uk], and take a look at Against TCPA [againsttcpa.com], an anti-TCPA site if you're interested. For an alternate perspective, you can also view the official Trusted Computing Group site [trustedcom...ggroup.org].
Personally, I hate it, I don't think it will succeed, and I will *never* buy a computer with such a module installed.
This only works if hackers play by the rules (Score:5, Interesting)
And we are moving closer and closer to disposable PC's, anyway. In less than ten years, I predict that brand new, complete systems will be selling for less than $50. Got my computer's ID? So what, I throw away my computer every month!
Re:This only works if hackers play by the rules (Score:5, Interesting)
The truly ridiculous thing about this is, it doesn't even put a dent in the cybercrime it's supposed to prevent. If you can get your system without giving up your identity (steal it or buy it through someone who "loses" records), and don't report your identity truthfully to anybody while using it, you're still just as anonymous as now. And if they come to get you, you just have to thermite one specific spot on the mainboard as well as the hard drive like you would today. Bam, all evidence gone. And until that day, you're free to molest six year olds and use stolen credit cards to your heart's content.
There are so many easier ways of preventing these problems than to try to force an ID on everybody. Make one-time disposable credit card numbers a mandatory feature. Consumers will use it because it saves them the hassle of cleaning their credit report after fraud. Hey, look! We can cut down on fraud by creating MORE anonymity, rather than less. Or how about the banks making websites that enforce strong password standards? How about ANYthing except a system that's even MORE transparent to the end user, and thus easier to crack?
Or if ISPs make them play by the rules (Score:2, Interesting)
Of course, all a hacker needs to do is keep an older model x86 or PPC system around.
And watch it not get an IP once all the major last-mile ISPs have switched to Trusted Network Connect, a framework that involves "trusted" dialer software that assesses the state of your computer using its TPM. Cisco has a similar competing framework called Network Admission Control.
Re:This only works if hackers play by the rules (Score:3, Interesting)
The way they plan to force this issue is that after X% of the market is DRM/TCPA-enabled, content providers will start only serving content to DRM/TCPA customers. The first day it'll be like, "Well, I can still use my old-school machine, just not to view CNN.com", and eventually a year or three down the road you won't be able to view any content from any major corporate providers. At least that's the plan. I suspect if they even get that far down the road, the anti-DRM/TCPA public community will largely
Pentium 3 (Score:3, Informative)
Won't work if (Score:2)
That means.... (Score:3, Funny)
Hardware Cookie? (Score:5, Funny)
Platform diversity and firewalls (Score:2)
And as for Big Brother taking over the internet, there should be a way to firewall it.
But why? (Score:2)
The only use I could see for this might be in having the xxAA more able to track you down. I mean, it won't stop things like kiddy pr0n etc because (assumedly) the distributors are part of an "in" ring and wouldn't want your ID. Even if they did, most methods of getting them cash (Visa, etc) are pretty trackable.
It isn't going to be much use to the gov't in tracking who uses slashdot... unless slashdot starts tracking ID. So really, what use is it
I'll be setting up a concession stand ... (Score:3, Funny)
Old News (Score:2)
The site is https://www.trustedcomputinggroup.org/home [trustedcom...ggroup.org]
For a discussion of some concerns check out EFF at http://www.eff.org/deeplinks/archives/003804.php [eff.org]
I had an opportunity recently to ask questions of a Microsoft officer who works on strategy and works in Europe. When I described many of the unpleasant aspects of TPM and the like, he said that European privacy laws would prevent the adoption of such policies. I found that to be an interesting viewpoint.
Why does the chip have to be manditory? (Score:2)
Re:Why does the chip have to be manditory? (Score:3)
You are very wrong here. Google for "Altera NIOS Linux". Won't be as fast as Xeon, but there is no difference for Web browsing.
The new FPGA's will only be configurable with a TCP-compliant software, which will insist on the TCP verilog being put into it also
That won't happen. If
Routing Around the Damage? (Score:5, Interesting)
My vote is yes. The Internet will route around it by gradually dividing from what is currently called the Internet. Most people will use what used to be the Internet, and will consider it to still be the Internet. A minority of tech savvy people will be running on an alternative network, and will consider their network to be the Internet.
There will be one way links between the Internet and the former Internet (new can suck data from old, but not the other way around). The new Internet will be under the radar, but will be a hotbed of technical innovation. In time the new Internet will appear on the radar, as the majority hear of it and decide that they want to be able to do all the neat things Internetters can do as well. The majority join the Internet. The Internet gets 'tamed' as large companies join it. The Internet routes around the damage by breaking away over time. The cycle repeats...
Re:Routing Around the Damage? (Score:3, Interesting)
Now where's my copy of QBBS...
I dont think we are ready for this just yet (Score:2, Insightful)
It would bring on a new level of phishing one that would be alot more difficult circumvent and alot easier to exploit once the phiser has what he needs from their victims.
Engineers and techs are very smart people but sometimes they lack the day-to-day vision around the issue.
Plus, im sure there'll be a bunch of eager hackers waiting patiently for this to come al
We all know what that means... (Score:5, Insightful)
Sigh. Yes. Everyone will just sit around slashdot whining about it, and not lift one finger to get control of it via their elected officials.
Evil vs. Good (Score:3, Insightful)
AMD64 cpu UUID? (Score:5, Interesting)
I was poking around on my new AMD64 machine the other day, and I ran dmidecode [nongnu.org]. Can anyone explain this?
Re:AMD64 cpu UUID? (Score:4, Informative)
Also a a Wiki [wikipedia.org].
Re:AMD64 cpu UUID? (Score:4, Informative)
For example, I just generated 3 UUIDs that are all appropriate for my machine using uuidgen - as suggested in the site you linked. Obviously these would not be suitable as unique, unmodifiable IDs for my PC. However, I could safely use them in databases, or to identify objects that I create.
This is circumventable. (Score:3, Interesting)
If this were done purely in hardware, the data would be encoded in the network layer, which means that the data would not leave the subnet (assuming current network technologies used on the internet).
Re:This is circumventable. (Score:4, Insightful)
Unfortunately the Universe may grow old and die before you manage to compute a valid data packet without having access to the private key (which is burned into the chip and can't be read back, ever.)
For example:
If you break this sequence then the authentication fails.
I don't mind (Score:3, Funny)
And these morons will waste a huge amount of time. And, as usual, all they'll catch are other morons.
Anonymity with the TPM (Score:3, Informative)
Users will still control how much of their identity they wish to reveal -- in fact, for complex technical reasons, the TPM will actually also make truly anonymous connections possible, if that's what both ends of the conversation agree on.
Yes, TPMs can be used to remove privacy, but only with your consent. They can also, with the consent of the parties involved, give you much stronger privacy than is possible without a TPM.
I've talked to people in many of the major companies that are behind the Trusted Computing Group, and they're well aware of this issue. I spent a bit of time talking to the head of the trusted computing project at AMD, and he understands very well the lessons of the Intel CPU serial number fiasco of a few years ago, and the TCG has include technological features to protect user's privacy. Is this because they are great privacy guardians? No, I don't think so -- I don't think this guy is going to be the next president of EPIC or anything. I think it's a strictly business decision: They see that people won't accept the technology unless it protects privacy (just see the tone of the article this Slashdot story is about), so they've put in measures in order to make it more acceptable.
Some technical details: The current TPM specification is version 1.2. Prior to 1.2 there was an "officially supported" pricacy mechanism based around the idea of a PrivacyCA -- basically, you got pseudonymous credentials (a certificate) from a PrivacyCA, and used that in transactions. You could get a different certificate for each person you interacted with, so transactions weren't linkable, or you could even get multiple certificates to use with the same person so that you had different identities to use with them. The problem being that you still had to show your unique ID to the PrivacyCA, so you had to trust them not to link all your transactions together. However, version 1.2 introduced a stronger notion into the standard: direct anonymous attestation. With this, your anonymity is protected with cryptographic means, without the need to trust any other party. Of course, when you authenticate, the site you are interacting with has to agree that it will accept such anonymous and untracable identities. Some sites will probably allow that (discussion boards, etc.) and some probably won't (banks, credit cards, etc.). But that's a market decision, not a technological one. You have the power, with the technology, of having even stronger anonymity than you have today, so the market needs to insist on merchants using that. As was seen with the serial number in the Pentium III, enough people care about privacy to make industry sit up an pay attention.
How this could be a good thing. (Score:3, Insightful)
The nice part about this system is that you'd never have to enter a password or a credit card number again, and no one would be able to steal your identity without stealing your physical computer.
Re:And in other news! (Score:2)
How is that related to this? (Score:2, Insightful)
This relates to Fascism much more than Communism.
... and look how well that turned out! (Score:5, Interesting)
Re:... and look how well that turned out! (Score:3, Informative)
The next Windows release, Vista, is already documented as requiring this. All hardware manufacturers have been extrorted into implementing this Trust system simply by Microsoft announcing that noncompliant hardware wiill simply be incompatible with the next windows release.
As for losing business, virtually all OS sales are sold pre-installed on brand new machines. This
Re:... and look how well that turned out! (Score:3, Interesting)
Re:Nope. (Score:3, Interesting)
If not, does anyone want to start a wiki entry or something similar?
(All I've found so far is http://www.againsttcpa.com/tcpa-hardware.html [againsttcpa.com] ) But I will be searching more in-depth later
Re:Haven't we learned anything? (Score:4, Informative)
> illegal.
Nobody is (yet) proposing to forcibly install anything on your computer. They are proposing to make it nearly impossible to find a computer for sale without a TPM chip and impossible to get onto the Net with a computer without one. So far as I know that is not illegal.
I agree with the rest of your points.
Re:Cars have VINs and license plates (Score:5, Insightful)
You went to McDonald's for lunch...did they record your license plate and/or VIN? Did you drive up to your bank to make a deposit, and if so, did they check your license plate and/or VIN before letting you access your account? Did the city government make record of your license plate and VIN as you traveled through various intersections? Did the park and recreation department take a record of your entrance and exit times when you visited city park?
Basically, just go back and look at all of the arguments that were made when Intel proposed the Processor Serial Number as a GUID. The arguments remain, and will always be, completely valid.
Jim