[p2p-hackers] Stop Palladium and TCPA Now!
zooko at zooko.com
Mon Feb 3 18:17:02 UTC 2003
[replying to two separate messages posted by Hal Finney]
Hal Finney wrote:
> How easy will it be for Microsoft to sell its new version of Windows if
> it has all these built-in incompatibilities?
> And if Microsoft were sure this were the right way to go, couldn't they
> do much of this already?
You are one of the two people (along with Dave Wagner) whose posts I always read
first in any thread concerning crypto or security. Your vast knowledge about
the many subfields of security has always impressed me, and I have in fact
commented to my wife a couple of times that there's this guy named "Hal Finney",
and I don't know much about him personally, but in any good mailing list, he
always shows up and contributes the most useful posts about crypto and security.
(Also, you contributed useful crypto patches to Mojo Nation.)
Therefore, I'm quite surprised that you evince an apparent ignorance of the
history of Microsoft successfully maintaining and extending its dominance by
deliberate and systematic application of strategic incompatibility, FUD,
strong-arm tactics, et cetera.
The question is not "Couldn't Microsoft do much of this already?", but "Given
that Microsoft has been doing this with great success for the last two decades,
is there any reason to believe that they will stop doing it as they deploy their
new crypto platform?".
> What does "trusted computing" (or "treacherous computing" if you prefer)
> mean for P2P hacking?
And here Hal continues to uphold his reputation for top-notch security analysis
contributed gratis to the world through Internet mailing lists.
I'm glad I took the time to read your whole post. Your overall point that there
could be good applications of the "send signed hash of application" feature is
Sadly, I feel strongly that even if Microsoft, Intel and others were to allow me
to use that feature for an application that they may disagree with (a
censorship-resistant decentralized file store), the good things that
I could do with it would be dwarfed by the harm that the corporations and
governments would do with it.
(I hold, in fact, the belief that you alluded to: I consider talking about the
possible good uses of the possible "send signed hash of application" feature to
be counterproductive, since the certain bad uses of that possible feature, as
well as the certain "only allow authorized code to use certain data" feature are
far more important.)
> Some people claim that this technology will
> only run Microsoft-signed executables, for example.
> All the evidence is that this
> claim is FALSE but still it floats around. FUD is hard to kill.
If by "this technology", you mean the technology required by the TCPA v1
specification, then you are right. If by "this technology", you mean the
strategic initiative that is already being deployed to consumers in stealthy
increments, then you are wrong. I point to Xbox's resistance to booting
alternative operating systems, Windows XP's requirement that hardware drivers be
digitally signed by Microsoft, and the Creative Labs DRM sound cards that are
already in the hands of unsuspecting consumers as just three examples which are
Next year's version will be more effective and it will extend its control to
more parts of the users' lives.
It could also, very easily, be automatically deployed without user intervention
through Windows XP's automatic update.
Probably part of the disagreement that we've just witnessed on this mailing list
is a terminological collision. Hal Finney and Adam Langley use "TCPA" to mean a
certain operating system/machine feature described in the "TCPA specification".
Seth Johnson and I use "TCPA/Palladium" to denote a certain grand strategy to
make computers incapable of performing forbidden acts even if their users want
them to, and to deploy this new platform with stealth, obfuscation, and spin
management so that the consumers don't realize what it is and refuse to use it.
The former technical specification is one important step in the latter world-