Information Security News mailing list archives

Signs of 'Trustworthy Computing'


From: InfoSec News <isn () c4i org>
Date: Fri, 5 Apr 2002 02:36:34 -0600 (CST)

http://www.wired.com/news/business/0,1367,51521,00.html

By Paul Boutin  
2:00 a.m. April 4, 2002 PST 

European consumers will soon get a first taste of what Bill Gates 
meant by "Trustworthy Computing." 

NEC Computing International has announced a trial program in which 
Packard Bell PCs will be equipped with keyboards that include secure 
smart-card readers. 

The keyboards are designed to hold credit card numbers, PINs and other 
personal information in encrypted form, without leaking them into the 
rest of the PC where they could be stolen by crackers, malicious programs 
or other users. 

Microsoft chairman Bill Gates launched the company's Trustworthy 
Computing initiative earlier this year in a widely distributed e-mail 
to staff. 

But developers of secure systems -- a field not coincidentally known 
as "trusted computing" -- say Microsoft's plans will go nowhere 
without new hardware that addresses fundamental security problems in 
the PC's aging architecture. 

Security experts agree the basic design of the PC is flawed: It allows 
data to travel around inside unencrypted, which means information can 
be stolen or faked by a program installed on the desktop. 

"It's like your PC is the Starship Enterprise, and the Klingons are 
able to transport into the ship. When they do, they look just like 
us," said Robert Thibodeau, who teaches security and cryptography at 
Carnegie Mellon University in Pittsburgh, Pennsylvania. 

Thibodeau said last year's Nimda virus demonstrated the vulnerability 
of the system by replacing the loader program that boots the Windows 
NT operating system at startup. "That's like replacing Captain Kirk," 
he said. 

The entire PC doesn't have to be turned into a crypto device to 
prevent attacks. Thibodeau recently worked with PC software maker 
Phoenix Technologies to develop a secure version of the company's 
widely used BIOS software, which acts as the go-between to connect 
Windows to the PC's hardware. 

Continuing his Star Trek metaphor, Thibodeau said, "What they did 
about the problem is put guards at the doors. There were guys at the 
main power room and on the bridge with guns. That's the kinds of thing 
we're doing." 

Phoenix's BIOS is designed to prevent intruders or malicious programs 
from signing onto the computer or accessing it remotely. 

Trusted computing technology for the PC is hardly new, but Microsoft's 
initiative is designed to prod the top vendors to include their 
hardware and software as standard equipment. "We've been a voice in 
the wilderness for 10 years," said John Callahan, a spokesman for Wave 
Systems, the Lee, Massachusetts, software and hardware company whose 
trusted computing system will be embedded in Packard Bell's keyboards. 

The Packard Bell brand, owned by NEC Computers International, is one 
of Europe's largest PC brands, with just over one-tenth of the market. 

Lark Allen, vice president of business development at Wave Systems, 
said a working digital rights management (DRM) system -- such as the 
one sought by the Consumer Broadband and Digital Television Protection 
Act now before Congress -- would definitely require new hardware for 
home computers. 

"The core problem is the PC, not that people are ripping stuff off," 
he said. "Until you can fix the PC problem, you're not going to fix 
the rest of it. (The solution) has to be hardware-based, because 
software security is an oxymoron." 

A Microsoft spokeswoman confirmed that hardware vendors would play a 
major role in Trustworthy Computing, but declined to elaborate on 
specific plans or schedules. 

But Mario Juarez, a group product manager at Microsoft focused on DRM 
issues, said, "There's no great mystery as to what the right thing to 
do is here. The challenge is how we're going to be able to work 
together. All stakeholders need to be involved -- the PC industry for 
software and hardware, the content providers, and it's got to be the 
providers of e-commerce, too -- the people actually setting up the 
sites. We all need to work together in ways that none of us have 
worked before." 

Allen agreed, adding, "The industry has been so fragmented that they 
haven't been able to come to a unified solution. The good thing about 
Bill Gates' announcement is that the weekly virus attacks were finally 
enough to make people say 'We need to fix this.'" 




-
ISN is currently hosted by Attrition.org
