[linux-elitists] Juice this: Microsoft Trustworthy Computing

Martin Pool mbp@sourcefrog.net
Wed Sep 3 21:42:46 PDT 2003


On  4 Sep 2003 "Karsten M. Self" <kmself@ix.netcom.com> wrote:

> Incidentally, if you missed the references, Scott Berinato's "Patch
> and Pray" article, on why security updates don't work (largely drawn
> from the Slammer worm experience) is a must-read:
> 
>     http://www.csoonline.com/read/080103/patch.html

By way of "well, at least the trains might run on time":

One interesting application for hardware trusted computing base
support such as TCPA is that it potentially allows a remote management
server to get a strong assurance about another machine's software
state.

An IT department can query all machines on the network to find out
their patch level.  At the moment, if the machine is thoroughly
compromised (e.g. with a rootkit kernel module) then it can be very
hard to detect the compromise.  Hardware checks on the integrity of
the kernel might allow those cases to be detected.  The effect is like
a better securelevel that can be remotely verified.

You can then imagine quarantining the machines that are not in a
trustworthy state so as to prevent further infection and to allow them
to be fixed.  There is no reason why this can't be done completely in
open source software.  (Well, assuming it can be written without
trade secret or patent problems.)

I'm quite doubtful whether things like TCPA can ever be made secure
through technical means in the face of evolving threats.  If they
cannot, then draconian laws might make exploiting the weaknesses
illegal, which might stop people writing DVD player software, but of
course won't stop worms.

I am still pretty skeptical about both the technology and the
motivations, but there might be useful applications.

-- 
Martin 
speaking only for myself, of course

Unfortunately Samba isn't a large corporate project.
        -- Tim Potter
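
The remote software-state check and quarantine decision described in the message above, as an added example (not part of the original post and not code from any TCPA implementation). Assumptions: SHA-256 registers, an HMAC with a shared key standing in for the hardware's signed quote, constructed byte strings in place of real kernel images, and hypothetical function names throughout.

```python
import hashlib, hmac, os

H = lambda b: hashlib.sha256(b).digest()

def extend(pcr, digest):
    """TPM-style extend: the register can only be folded forward, never set."""
    return H(pcr + digest)

def boot(components):
    """Measured boot: hash each component into the register before running it."""
    pcr, log = bytes(32), []
    for name, image in components:
        log.append((name, H(image)))
        pcr = extend(pcr, log[-1][1])
    return pcr, log

def quote(key, nonce, pcr):
    """Stand-in (assumption) for the hardware-signed quote over nonce and register."""
    return hmac.new(key, nonce + pcr, hashlib.sha256).digest()

def verify(key, nonce, pcr, log, sig, known_good):
    """Management-server check: returns 'trusted' or a quarantine reason."""
    if not hmac.compare_digest(sig, quote(key, nonce, pcr)):
        return "quarantine: bad or stale quote"
    replayed = bytes(32)
    for _, digest in log:  # replay the reported log and compare with the register
        replayed = extend(replayed, digest)
    if replayed != pcr:
        return "quarantine: event log does not match PCR"
    for name, digest in log:  # every measured component must be approved
        if digest not in known_good:
            return f"quarantine: unapproved component {name}"
    return "trusted"

# Constructed sample images (placeholders, not real binaries).
KERNEL_PATCHED = b"kernel build with current patches"
KERNEL_OLD = b"kernel build missing patches"
ROOTKIT = b"unexpected kernel module"
INIT = b"init"
KNOWN_GOOD = {H(KERNEL_PATCHED), H(INIT)}
KEY = os.urandom(32)  # assumption: per-machine attestation key

def attest(components, reported_log=None):
    """One challenge/response round; reported_log lets the host lie about its log."""
    nonce = os.urandom(16)
    pcr, log = boot(components)
    sig = quote(KEY, nonce, pcr)
    return verify(KEY, nonce, pcr, reported_log or log, sig, KNOWN_GOOD)
```

In this model a host that loaded an extra module and then reports a clean log is still caught, because the reported log no longer replays to the register value covered by the quote.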


