Interesting People mailing list archives

IP: HP Engineer Speaks to TCPA Fears and Conspiracy Concerns


From: Dave Farber <dave () farber net>
Date: Wed, 26 Jun 2002 16:17:16 -0400


------ Forwarded Message
From: Vin McLellan <vin () shore net>
Date: Wed, 26 Jun 2002 15:51:21 -0400
To: Dave Farber <dave () farber net>
Subject: HP Engineer Speaks to TCPA Fears and Conspiracy Concerns

G'day Dave,

For IP, I attach two messages from Perry Metzger's Cryptography mailing
list.

The first is HP engineer Stefek Zaba's (unauthorized) reply to the
firestorm of fear and concern that has arisen in online discussions about
the emerging TCPA development efforts, including Palladium.

Zaba's comments specifically address Ross Anderson's concern that
development work at HP on Trusted Linux implies (or illustrates) how the
TCPA structure could be used to undercut GPL and open source Linux
development and distribution.  (For context, I also append the post in
which Dr. Anderson raised his concern about HP, TCPA, and GPL.)

Guys like Stefek Zaba are a treasure in this sort of blinding windstorm.

I wish more companies would realize how potentially destructive these
debates can be when only the cynics hold the stage.  The cynics might be
right, of course. (The decades-long betrayal of non-US customers who were
supplied with weak crypto and insecure tech, so the US spooks could
eavesdrop and crash systems at will, comes to mind. Ross Anderson's work on
the protocol GCHQ offered for EC health records also pops up;-)

Nevertheless, Dave, the public debate needs more people like Zaba and
you, who can warn that while many technologies _can be_ perverted and made
anti-social, anti-competitive, and unduly intrusive, they may also provide
positive and necessary functions.

This TCPA debate could be important for our children's computing
experience. It would be a far healthier discussion if more vendors would
charter agents or employees to speak up in these debates -- ideally, those
able to speak from their experience and values (and for themselves at
least) -- without waiting three days for some committee in marketing to
decide what "the company" should say.

Consider, by contrast, the credibility inherent in Zaba's message from the
trenches.  Like all organizations, corporations must be judged on what they
do or try to do, rather than what their minions say -- but a little human
perspective from the development team can minimize the hysteria and permit
a reasonable discussion of checks and balances, pros and cons.

Ross Anderson's disturbing paper on TCPA is at:
http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/toulouse.pdf

[From Anderson's website: "Trusted Computing Platform Alliance (TCPA),
which claims to be making the next generation PC more secure, is actually
making it more secure for the PC and software vendors rather than for the
users. TCPA also poses a direct threat to the free and open source software
community, for reasons that have to do with economics at least as much as
technology."]

The website for the Trusted Computing Platform Alliance (TCPA) is at:
http://www.trustedpc.org/home/home.htm

Surete,
    _Vin

---------------------------------------------------------------------------

1.
To: cryptography () wasabisystems com
From: Stefek Zaba <sjmz () hplb hpl hp com>
Subject: Ross's TCPA paper
Date: Wed, 26 Jun 2002 18:34:04 +0100
Sender: owner-cryptography () wasabisystems com

At the end of describing an "end of the GPL as we know it. Film at 11."
scenario, Ross asks:

Can anyone from HP comment on whether this is actually their plan?

I "can't", in the sense of not being an Official HP Spokesdroid; but I'd
very much like to, being known to a good few of you, and having sat on my
fat behind for the last few years within a few yards of the HP team working
on the TCPA spec. I'd also like to apologise in advance for this being a
"hit-and-run" posting - I'm away from email for the next 10 or so days
(Glastonbury Festival first, then a crypto engagement in London), so can't
promise to follow up beyond this message.

No, a subversion of the GPL is not HP's strategic intent, never figured in
any TCPA design stuff I heard about, isn't what our local "could Linux
in general, and our Trusted Linux work in particular, play well with TCPA"
work is all about, and is - with apologies to Ross - no more than a
far-fetched imagining.

The Trusted Linux work is described at the "general comp sci reader" level
at http://www.hpl.hp.com/research/papers/Dalton.ACM.pdf
Marketing guff is at
   http://www.hp.com/security/products/linux/papers/
Source code for the kernel patches is at
   ftp://ftp.hp.com/pub/security/hplx_source/v1.0

(Because of HP's current revenue model for this software, the kernel
patches and some minimal tools are GPL'd, but the full-usability stuff is
payware. *That* illustrates how up-clued the Greater HP Corporation is about
GPL and open-source economics, OK? Flame us for stupidity if you will, but
ascribe deep conspiracy to our actions and you'll only look daft!) If you
look at the Trusted Linux writeups, you can see what a Nice Thing it would
be for the security properties if kernel-module loading could have some
hardware-based enforcement of policy. *That* is the kind of
TCPA-(Trusted)Linux integration we've been thinking about.

To the core issue of whether TCPA is a DRM-plot, my personal answer is "no:
it's a technical mechanism which can be used to implement a wide range of
security policies". Those policies include, in principle, strong protection
against "unwelcome" code (trojans, spyware, and the like - though depending on
what languages the malware's written in, and what the execution environment's
been programmed to treat as "loading code", some "user-level scripting" could
still do Bad Stuff). The TCPA spec - which has been out for public comment
for the last 15 months or more - includes explicit support for multiple
pseudonymous platform identities, to avoid the privacy-hostile consequences of
a fixed platform ID. Raw crypto capabilities on which the higher-level TCPA
functions are based are themselves exposed - with the notable exception of
freely-keyed symmetric crypto (usual influence of (now dated) exportability
controls, I'm afraid).

It's simply not the case, as Ross's paper avers (section 4.1, initial para),
that TCPA is "an initiative led by Intel whose stated goal is to embed digital
rights management technology in the PC". TCPA does *enable* DRM, as it
*enables* anti-malware functionality, secure local storage of confidentiality
keys, a more predictable execution environment for security-critical code, and
many other applications which a general-purpose "this PC could be running
ANYTHING" platform is less well suited to. Arguing that *one* application is
"the" driving force behind the whole spec - in the absence of either contact
with the design team, or strong corroborative external evidence - is verging
on the delusional. Intellectually, it's on a par with the UK Government of
1996 arguing that because strong cryptography can frustrate some aspects of
intelligence gathering, strong controls on the use of crypto are therefore
necessary - a debate Ross and I and many others in the UK were eventually
successful in winning.

There are some further specifics in Ross's "end of the GPL as we know it"
posting which don't coincide with reality. For one thing, any user of a TCPA
platform can switch off the TCPA features - not only the platform Owner. So,
an unenhanced Apache (to take one of Ross's examples) can run on an "unTCPAd"
GNU/Linux distro on a TCPA-disabled machine as it does now. Any conspiracies
to subvert open-source licensing models would have to face that economic
competitor - and without added value for TCPA-enabled machines, the clone
motherboard vendors will soon drop support for TCPA, whether or not it's part
of some "industry-wide agreement". (A painfully-close-to-home comparative
instance is IrDA, the fast infra-red standard in which HP owns potentially
revenue-generating IP. Much of the early R&D work on that was done here in
HPLabs Bristol; a number of my colleagues hoped it would pay for all our
pensions. An industry consortium formed around the standard. Motherboard
manufacturers started to incorporate IrDA capability. However, the market
in general didn't find it to be enough of a "must have" that the few-dollar
manufacturing cost was justified; it's now built-in to rather few
motherboards, available as a "riser" option for some, and absent from most.
But I digress...) A closer look at the TCPA mechanisms will show that a "more
secure" Linux could choose to selectively use some TCPA features (say, the
local key storage ones) without buying into the controlled boot/controlled
loader support - and remember, in all cases, TCPA provides *support* for such
features - it's the *OS* which chooses whether they're used or not.

At some point, I hope someone Empowered To Speak And Answer For HP will issue
some more comprehensive reply to the issues Ross has been raising; but it's
difficult for me to watch the efforts of my colleagues in creating a spec for
a less leaky PC being traduced on this list by a well-respected, usually
well-informed source...

Cheers, Stefek

---------------------------------------------------------------------
In response to:
2.
Date: Mon, 24 Jun 2002 05:49:42 +0100
From: Ross Anderson <Ross.Anderson () cl cam ac uk>
Subject:  Re: Ross's TCPA paper
Sender: owner-cypherpunks () minder net


It's an interesting claim, but there is only one small problem.
Neither Ross Anderson nor Lucky Green offers any evidence that the TCPA
(http://www.trustedcomputing.org) is being designed for the support of
digital rights management (DRM) applications.

Microsoft admits it:

http://www.msnbc.com/news/770511.asp

Intel admitted it to me too. They said that the reason for TCPA was that
their company makes most of its money from the PC microprocessor; they
have most of the market; so to grow the company they need to grow the
overall market for PCs; that means making sure the PC is the hub of the
future home network; and if entertainment's the killer app, and DRM is
the key technology for entertainment, then the PC must do DRM.

Now here's another aspect of TCPA. You can use it to defeat the GPL.

During my investigations into TCPA, I learned that HP has started a
development program to produce a TCPA-compliant version of GNU/linux.
I couldn't figure out how they planned to make money out of this. On
Thursday, at the Open Source Software Economics conference, I figured
out how they might.

Making a TCPA-compliant version of GNU/linux (or Apache, or whatever)
will mean tidying up the code and removing whatever features conflict
with the TCPA security policy. The company will then submit the pruned
code to an evaluator, together with a mass of documentation for the
work that's been done, including a whole lot of analyses showing, for
example, that you can't get root by a buffer overflow.

The business model, I believe, is this. HP will not dispute that the
resulting `pruned code' is covered by the GPL. You will be able to
download it, compile it, check it against the binary, and do what you
like with it. However, to make it into TCPA-linux, to run it on a
TCPA-enabled machine in privileged mode, you need more than the code.
You need a valid signature on the binary, plus a cert to use the TCPA
PKI. That will cost you money (if not at first, then eventually).

Anyone will be free to make modifications to the pruned code, but in
the absence of a signature the resulting O/S won't enable users to
access TCPA features. It will of course be open to competitors to try
to re-do the evaluation effort for enhanced versions of the pruned
code, but that will cost money; six figures at least. There will
likely be little motive for commercial competitors to do it, as HP
will have the first mover advantages and will be able to undercut them
on price. There will also be little incentive for philanthropists to
do it, as the resulting product would not really be a GPL version of a
TCPA operating system, but a proprietary operating system that the
philanthropist could give away free. (There are still issues about who
would pay for use of the PKI that hands out user certs.) The need to
go through evaluation with each change is completely incompatible with
the business model of free and open source software.

People believed that the GPL made it impossible for a company to come
along and steal code that was the result of community effort. That
may have been the case so long as the processor was open, and anyone
could access supervisor mode. But TCPA changes that completely. Once
the majority of PCs on the market are TCPA-enabled, the GPL won't work
as intended any more. There has never been anything to stop people
selling complementary products and services to GPL'ed code; once the
functioning of these products can be tied to a signature on the
binary, the model breaks.

Can anyone from HP comment on whether this is actually their plan?

Ross
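The mechanism the two posts argue over, as an added toy model (not code from the page, HP, or any TCPA implementation): boot components are measured into a register by SHA-1 chaining in the TCPA 1.1 PCR-extend form, and a secret is "sealed" to the resulting value with a dictionary standing in for TPM sealed storage. A locally patched kernel reaches a different measured state and cannot unseal a key tied to the evaluated build (the effect Ross describes), yet it still boots and runs with the TCPA-backed feature simply unused (Zaba's "it's the OS which chooses"). The component names and the seal/unseal helpers are constructed for this example.

```python
import hashlib

def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = H(old || H(component)). Order matters, so the
    final register value encodes the whole boot sequence, not a set."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(components):
    """Measure each boot stage in turn, starting from a zeroed register."""
    pcr = b"\x00" * 20
    for c in components:
        pcr = extend(pcr, c)
    return pcr

def seal(secret: bytes, pcr: bytes) -> dict:
    # Constructed stand-in for sealed storage: bind the secret to a PCR value.
    return {"pcr": pcr, "blob": secret}

def unseal(sealed: dict, pcr_now: bytes):
    """Release the secret only when the platform is in the sealed state."""
    return sealed["blob"] if sealed["pcr"] == pcr_now else None

# Constructed sample boot chains: the evaluated ("pruned") kernel from Ross's
# scenario versus the same machine booting a locally patched kernel.
EVALUATED_CHAIN = [b"bios-v1", b"bootloader-v1", b"kernel-evaluated"]
MODIFIED_CHAIN = [b"bios-v1", b"bootloader-v1", b"kernel-locally-patched"]

def boot(chain, sealed):
    """Boot the chain; report whether the OS runs and whether the sealed
    key was available. The OS runs either way: only the optional feature
    that depends on the sealed key is lost when the measurement differs."""
    key = unseal(sealed, measure_boot(chain))
    return {"os_running": True, "sealed_key": key}

def demo():
    sealed = seal(b"disk-key", measure_boot(EVALUATED_CHAIN))
    return boot(EVALUATED_CHAIN, sealed), boot(MODIFIED_CHAIN, sealed)

if __name__ == "__main__":
    evaluated, modified = demo()
    print("evaluated kernel:", evaluated)
    print("patched kernel:  ", modified)
```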

---------------------------------------------------------



------ End of Forwarded Message

For archives see:
http://www.interesting-people.org/archives/interesting-people/

