Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Trustworthy Computing Mini-Poll
From: "yossarian" <yossarian () planet nl>
Date: Fri, 20 Dec 2002 22:52:46 +0100


On Fri, Dec 20, 2002 at 02:47:59AM +0100, yossarian wrote:
Would you buy/use it if you had the choice? I mean, there are a lot of
advantages... :-)

Now you've got me interested - what advantages is TCPA offering me?

We're currently talking about the (hypothetical) features of the
hardware in my questionnaire -- i.e. CPUs that support a "web of trust" or
at least require a signature from the computer's owner or a trusted
third party (designated by the owner). I.e. not TCPA, but what TCPA
should be, and could be if someone pushed hard enough in that direction,
since it does what the TCPA is all about -- copy protection and trusted
executables -- however it creates a free market in which customers can
decide what to buy.

As a consumer i do not need copy protection. Content providers need that, I
just need content. Is TCPA ensuring better content? I think that TCPA is not
going to entice bands to make better music, or moviemakers to make better
movies. They need inspiration, mainly. My problem with the content industry
is not that what they offer isn't good enough, what I want is out there but
they do not make it available. Example: I have been looking for a CD of a
certain band for more than 10 years. The stores told me it is not on CD. The
webstores don't have it. Someone sampled the vinyl, and put it online. Now I
have it. /Example. The content industry lost touch with many of their
customers long ago. Their business models should be adapted - should have
been adapted long ago - to the needs of the customers. Sales started
dropping long ago, way before Napster and eDonkey. So copying isn't the real
problem. What the content industry does now is bullying the consumers back
to the record stores and videostores. Consumers might not like being
bullied, and decide not to buy at all. The content industry has become the
enemy. Do you buy from the enemy? Only if you have no choice, like in buying
oil from saddam and chavez. Content consumers might decide not to buy.

I cannot decide what to buy when what I know I want, but it isn't available.
The content industry is not helping me in the exciting hunt for new music
and movies - have you listened to the radio in the last years? No, probably
not, since it is aimed at 17 y/o people, and made to please the advertisers
of soap and insurance. Consumers have found a new way to find new emotions,
new music, new movies: the internet.

The concept of trusted executables completely eludes me - if I install say
winword.exe on a system, I already trust MS to supply me with a working text
editor. So that part of trust already exists. I think you should take a look
on the definitions of trustworthy computing - who trusts who?
features will my new computer have, that will convince me to lose
options I have right now - playing music, copying what I like, etc?.

I'd say protection from binary viruses and stack overflows, plus if
someone breaks into your computer and you have stored your key in a safe
place you can tell what she modified. So this would be a definitve must
if you're builing a server, and I'm asking now whether you would like
those features on your home box as well, even if you had to give up DVD
copying or get special illegal hardware for it.

Certfication of software cannot stop stack overflows - good coding will. It
is a ridiculous claim that it could. If I a want to overflow an executable,
I need a possibility to get it to accept data, in a form it doesn't expect.
This has nothing to do with executables that are signed or not, this is the
quality of the executables. Will the systems filter out non-TCPA signed user
input - how? This would mean changing every system worldwide. Datapackets
cannot be signed, you'd have to change TCP/IP.

Like i already explained, it will probably be just as easy to write viruses
to circumvent TCPA, by copying - or just using - validation code somewhere
in the OS. Any claims for extra security for consumers are snake oil - it
just cannot be done. Like you said, the encryption will probably be broken.
Breaking a certificate system is usually much easier than breaking
encryption, since you copy it instead of breaking it.

Basically I'm on your side -- but I fear that if noone speaks up and
points out a better alternative, we will be stuck with TCPA  as it
currently is, and lose the options we currently have anyway (since we
cannot decrypt stuff from the Internet or from DVDs on our hardware). So
I'm searching for a better alternative. I'm ignoring all the copy
protection stuff since it will be broken withing a few moths anyway, and
just concentrate on the stuff M$ invented against the OSS people.

IMHO the only alternative is renewing the business propositions of the
content companies. Things change, and this TCPA thing should best be
compared to the typewriter industry outlawing computers. Lesson: who in the
21st century has heard of Underwood, Woodstock or Continental? We all know
IBM - because they've adapted. In the 30-ies, IBM was only a small
typewriter company. But they renewed their products. Underwood built the
same typewriter from 1898 until the late sixties, it only changed the
outside. Underwood is gone. /Lesson. Companies must adapt to survive - the
dinosaurs of the RIAA should too, or fade away. They are fighting a lost
battle. They should fight a battle they can win, if there is one.

It should so very good it will convince me to actually trow away my old
computers that can do all this evil things. I could still use them and
buy a new one for all the new goodies, hwatever they might be?

Your old computers cannot do evil things -- they cannot access media
created since the TCPA rollout.

My old computer CAN copy or rip audio. It CAN capture video signal to make
it DivX, with an older capture card. Maybe I cannot access media created
after TCPA directly. But certainly I can find away around. If I can listen
to the music I will be able to grab the signal - OK, maybe it will just be
audio redigitalized, losing some quality. But people can live with lesser
quality, as the use of MP3 and WMA proves. If I can watch a film on my TV, I
can rip it somewhere analog, and redigitize. And so can other people. Or am
I supposed to dump my audio equipment as well? Or my two year old TV? Having
no virusses or stack overflows on my PC does not entice me in buying a new

support - do you think that peripheral makers are going to stop
non-TCPA operating systems? They might, but it will mean they'll also

Most of them will need to start supporting other OSes first. Also, as a
hardware vendor, you may not support non-TCPA OSes, except if you take
care that no unencrypted data leaves the sandbox (which makes the
hardware pretty unusable).

This not very clear to me. Which OS-es? And more, what do you mean with "you
may not support non-TCPA OSes". Do you mean it will actually be illegal to
support non-TCPA operating systems? Let us look at the legal side of things,
since you brought up the issue. TCPA is an all American issue. Goverments
may or may not take over the legislation. But in order to do this, many
other laws must be changed. Especially contract laws. Since I have bought a
certain item, I am free to use it as I please, as long as I do not use it to
break the law. If the law changes, the law in place at the time of purchase
still holds. The Government can change the law, but it will be applicable
only to new issues, but cannot to my old computers. Under consumers law
(dutch, german, or european), makers of products must support for a
reasonable number of years. Ramming software updates down consumers throats
is what brought MS to court in the first place. TCPA can thus never be
enforced in a way that consumers or companies must update. And hardware
makers must keep supporting older operating systems up to a certain point.
And if they don't, well there are many people that can code drivers, as the
Linux community proves every day. There will just be a new branch to the
open source community - coding drivers for non-TCPA operating systems.

And this brings me to another major aspect of the Fritz debate: if
governements around the world make many thing common now, illegal, they will
criminalize many people. Will the police activily hunt down this new
category of criminals, of which there are millions? Maybe in some countries.
The US already has the highest percentage of its own people behind bars. But
it will not happen where I live, our legal system sends cocaine runners home
with a subpoena, because of lack of time at the courts and a lack of cells.
If the choice is convicting drugrunners or copycats, which will society
choose? I think, since copying music became mainstream and so many people
actively do it, sending drugrunners to jail will prevail. In germany, the
legalitäts-prinzip is in place, officers of the law must prosecute any crime
they see, however minor, but this is not so in all countries. The price for
the taxpayer, and the entire economy in Germany and thus in Europe, will be
very high. What will governments do - activily hunt down thousends of
people, which will cost votes and tons of money? The costs to governments
(i.e. the taxpayer) will be staggering. And for what - to minimize the legal
claims in US courts, and to extend the economical lives of the content
industry, lets just kill the european software industry, the legal system,
and maybe the general economy?

I don't believe society will think it acceptable that potsmokers and
shoplifters are let go, but home copiers are fined and jailed. Good chance
that it will be outlawed, but not prosecuted. This will not help in society,
since respect for the law and the legal system is connected to the enforcing
of such laws. But governments will probably have no alternative but
condoning all these illegal activities, thus lessening the already dwindling
respect for the law. Well, we have seen governments do more stupid things,
but I think that any government taking the path of TCPA, is unwise. And the
governments themselves, they are not going to use TCPA for their own
networks. Our own secret service advised the government to stop using
software from certain American sources, since it may be enabling economic
espionage. There was this diplomatic incident over Lotus Notes, when the
swedes found out it had a backdoor? What do you really think - will the
german secret service let MS - or the US Government - browse their networks?
So our own governments will need non-TCPA operating systems for their own

Some people have not forgotten that US intelligence gave Boeing vital
information so they could outbid Airbus. I think this TCPA issue is purely a
way in which a monopolist tries to close the market. TCPA is the worst idea
in the ICT since the clipper chip. Just think about it. What we should do,
if we are on the same side, is develop an new business model for the content
industry. A commercially viable one.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]