Text 9896, 87 rader
Skriven 2006-02-19 09:00:04 av Mike '/m' (1:379/45)
Ärende: Yes, Trusted Computing is used for DRM
==============================================
From: Mike '/m' <mike@barkto.com>


http://www.informationweek.com/blog/main/archives/2006/02/yes_trusted_com.html

===
Ever since the Trusted Computing Group went public about its plan to put a
security chip inside every PC, its members have been denying accusations
http://www.research.ibm.com/gsal/tcpa/
http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
that the group is really a thinly-disguised conspiracy to embed DRM everywhere.
IBM and Microsoft have instead stressed genuinely useful applications, like
signing programs to be certain they don’t contain a rootkit. But at this week’s
RSA show, Lenovo showed off a system that does use the chips for DRM after all.

The system is particularly frightening because it looks so simple. There’s no
20-digit software key to type in, no dongle to attach to the printer port, no
XP-style activation. (Is this what Bill Gates was thinking of when he said in
his keynote that security needs to be easier to use?) The user interface is
just a Thinkpad, albeit one of the new models with an integrated fingerprint
sensor.

When someone tries to open a DRM-restricted document (in this case, a PDF file:
break that DRM and go to jail), Lenovo software asks the user to swipe a finger
across the sensor. My finger results in an access denied message; the Lenovo
security guy’s finger opens the document.

If you’ve ever had a laptop stolen, this might sound useful. It is. In fact,
encrypting hard disks or individual files is the main use that most vendors are
promoting for the chip. Thinkpads have been able to do that since their IBM
days, and now most other laptops can too. You can probably try it out by
downloading software from your laptop manufacturer’s site, and Microsoft is
building similar functionality into Vista as Palladium^H^H^H^H^H^H^H^H^H 
NGSCB^H^H^H^H^H Secure Startup^H^H^H^H^H^H^H^H^H^H^H^H  BitLocker.

The fingerprint sensor is also a good thing, if it’s just used for encryption.
It’s even good for privacy: It means that network servers can authenticate you
based on your fingerprint, without sending any fingerprint data over the
network. (How? You authenticate to the chip in your laptop with your
fingerprint, then the chip authenticates to the server with a digital
certificate.)

But DRM goes beyond encryption. In the system that Lenovo demonstrated, the
decision about who can do what with the file is made by whoever generates the
PDF, not by the person or organization that owns the laptop. According to
Lenovo, the system is also aimed at tracking who reads a document and when,
because the chip can report back every access attempt. If you access the file,
your fingerprint is recorded.

That might also sound useful, provided of course that you’re the one doing the
recording and restricting. (I’d love to be Big Brother! Wouldn’t we all?) The
problem is that you won’t be. Even if we forget about media companies for the
moment, and assume that DRM is just for businesses that need to protect their
sensitive documents from disclosure by employees or outsourcing partners, it’s
still a bad tradeoff.

A DRM system may seem to empower whoever is setting the restrictions (in this
case, the PDF creator), but that’s just power by proxy. The real control lies
with the hardware and software companies. They’re the ones who actually enforce
the DRM and have the encryption keys, so they can hold your data to ransom.
http://www.itarchitectmag.com/shared/article/showArticle.jhtml?articleId=174400
783


DRM customers are already locked into a single vendor: A DRM-restricted Word
document can only be read by Word (not OO.org, WordPerfect or Writely), just as
a DRM-restricted iTunes download can only be played on an iPod. Present
versions of Word and iTunes still let customers escape by using the Windows
clipboard or a CD burner, but that capability can be removed at any time.

Relying on DRM means trusting all the vendors involved (in this case,
Microsoft, Adobe, Lenovo and its component suppliers) more than you trust the
users of the system. You need to trust the vendors both morally and
practically: Can Microsoft be trusted not to abuse its power? And can Microsoft
be trusted to develop a system that isn’t full of security holes?

If you’re a movie studio or a record label, the users are your customers. You
probably do trust Microsoft and the TCG more than your customers, so DRM might
make sense. But if you’re an organization seeking to protect sensitive data,
the users are your own employees and business partners. Are they really less
trustworthy than Microsoft, its employees and its business partners?
===

  /m

--- BBBS/NT v4.01 Flag-5
 * Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)