Today it is effectively impossible to punish users for choosing to use software other than that favored by those they deal with. If they want to use a different web browser or a different operating system, they know that they are unlikely to be locked out by the services most important to them. For instance, some of today's on-line banking services claim to "require" Microsoft's browser, but users of other software are readily able to instruct their browsers to impersonate Internet Explorer (typically by changing the User-Agent string the browser sends).
As far as the bank is concerned, its customers are accessing the site with the browser it demanded, but the users are not locked into technology decisions dictated by the shortsightedness of their financial institutions. In a widely publicized case, MSN, the Microsoft Network, briefly refused to serve web pages to non-Microsoft browsers. Even during that period, users of competing products were able to fool MSN into thinking they were running Microsoft browsers.
Information security in an insecure world | Network World
Remote attestation would change this. By allowing a web site to verify which program is at the other end of the connection and to lock out disfavored software, attestation would let anyone with market power leverage that power to control our software choices. Security has nothing to do with many sites' motivations for preventing the use of disfavored software. Indeed, their reasons may be entirely arbitrary. In some cases, a site operator wants to force you to use a particular program in order to subject you to advertising. By verifying your use of an "approved" client, the site can satisfy itself that you have been forced to view a certain number of advertisements.
Software interoperability is also at risk. A developer of a web server program, file server program, e-mail server program, etc., could make its server demand attestations and refuse to talk to any client it had not approved. Or the publisher could insist on licensing fees from client developers, and make its server interoperate only with those who had paid the fee. It is similarly possible to create proprietary encrypted file formats which can only be read by "approved" software, and for which the decryption keys must be obtained from a network server and are extremely difficult to recover by reverse engineering.
The publisher in this case could greatly increase the switching costs for its users to adopt a rival's software. If a user has a large amount of important data stored inside a proprietary system, and the system communicates only with client software written by the proprietary system's publisher, it may be extremely difficult for the user to migrate his or her data into a new software system.
When the new system tries to communicate with the old system in order to extract the data, the old system may refuse to respond. The Samba file server is an important example of interoperable software created through reverse engineering.
Samba can be deployed on a computer network in place of a Windows file server, and Windows client machines will communicate with it just as if it were a Windows server. Similarly, Samba provides the means to allow non-Windows clients to access Windows file servers. Without competitive software like Samba, users of Windows clients would be forced to use Windows servers, and vice versa. But if software could routinely identify the software at the other end of a network connection, a software developer could make programs demand attestations and then forbid any rival's software to connect or interoperate.
If Microsoft chose to use NGSCB in this way, it could permanently lock Samba out of Windows file services, and prevent any useful competing implementations of the relevant protocols except by specific authorization. Instant messaging (IM) services are another example: today, attempts by these services to shut out third-party clients are typically unsuccessful in creating more than a temporary disruption for users, because the clients can be adjusted to keep working. An attestation mechanism would be a powerful tool for limiting competition and interoperability in IM services.
Some client applications could be permanently prevented from connecting at all, even though they offer features end-users prefer. These are examples of a more general problem of "lock-in", often practiced as a deliberate business strategy in the software industry, to the detriment of business and home computer users alike. Unfortunately, the TCG design provides powerful new tools to enable lock-in. Attestation is responsible for this problem; sealed storage can exacerbate things by allowing the program that originally created a file to prevent any other program from reading it.
Thus, both network protocols and file formats can be used to attack software interoperability.
Many people have speculated that trusted computing technology is a way of bringing digital rights management (DRM) technology to the PC platform. Trusted computing developers deny that DRM is the main focus of their efforts, and trusted computing is useful for many applications besides DRM. Nonetheless, each of the architecture's major features has a direct use in a DRM system. Curtaining prevents information in decrypted form from being copied out of a DRM client's memory space, which prevents making an unrestricted clear copy.
Secure output can prevent information displayed on the screen from being recorded, which prevents the use of "screen-scrapers" or device drivers that record information rather than displaying it. Sealed storage allows files to be stored encrypted on a hard drive in such a way that only the DRM client that created them will be able to make use of them.
And remote attestation can prevent any program other than a publisher-approved DRM client from ever receiving a particular file in the first place.
Among these elements, remote attestation is the linchpin of DRM policy enforcement. If a remote system lacks reliable knowledge of your software environment, it can never have confidence that your software will enforce policies against you. You might have replaced a restrictive DRM client with an ordinary client that does not restrict how you can use information. Thus, even though other NGSCB features aid DRM implementations, only remote attestation enables DRM policies to be instituted in the first place, by preventing the substitution of less-restrictive software at the time the file is first acquired.
Other consumer-unfriendly software behaviors which can be implemented by means of attestation, combined with sealed storage, include tethering (preventing a program or a file from being migrated from one computer to another), forcing software upgrades or downgrades, and enabling some limited classes of "spyware" (in this case, applications that phone home to describe how they are being used).
Some of these behaviors might be good things if they occur at a computer owner's behest, but not if they occur at a software publisher's or service provider's whim. For example, you might want to prevent a sensitive file from being moved off your computer, but you wouldn't want other people to be able to prevent you from moving your own files around.
Although all these unfriendly behaviors can be implemented in software today, they can in principle be defeated by well-understood techniques such as running a program in an emulated environment, or altering it to remove the undesirable behavior. Remote attestation makes it possible for the first time for a program to obtain and communicate reliable evidence about whether it is running in an emulator or whether it has been altered.
More generally, attestation in the service of remote policy enforcement leads to a variety of mechanisms of "remote control" of software running on your computer. Lucky Green provides the example of a program written to receive from some authority a "revocation list" of banned documents it is no longer permitted to display.
This mechanism would have to have been implemented in the software when it was initially written or it would have to be added through a forced upgrade.
If such a restriction were implemented, however, it would be essentially impossible for the user to override. In that case, some authority could remotely revoke documents already resident on computers around the world; those computers would, despite the wishes of their owners, comply with the revocation policy. The enforcement of this policy, like others, against the computer owner is dependent on the remote attestation feature. The current version of remote attestation facilitates the enforcement of policies against the wishes of computer owners.
If the software you use is written with that goal in mind, the trusted computing architecture will not only protect data against intruders and viruses, but also against you. In effect, you, the computer owner, are treated as an adversary. This problem arises because of the attestation design's single-minded focus on accurately reflecting the computer's state in every situation, making no exceptions. A computer owner can disable attestation entirely, but cannot cause an attestation that does not reflect the current state of her PC: you can't fool your bank about what browser you're using, or your other PC about what kind of Windows file sharing client you're running.
This approach benefits the computer owner only when the remote party to whom the attestation is given has the same interests as the owner. If you give an attestation to a service provider who wants to help you detect unauthorized modifications to your computer, attestation benefits you. If you're required to give an attestation to someone who aims to forbid you from using the software of your choice, attestation harms you.
A user-centered, pro-competitive approach to attestation features would give the owner the power to guarantee that attestation is never abused for a purpose of which the owner disapproves, maximizing computer owners' practical control over their computers in real-world network environments. Some trusted computing developers insist that their existing approach to attestation is reasonable because giving an attestation is voluntary. In every situation, they argue, you can decline to give an attestation if you prefer not to present one. But as we've seen, attestation can be used to create barriers to interoperability and access, so users will face an enormous amount of pressure to present an attestation.
It's economically unreasonable to assume that a technology will benefit people solely because they can decide whether to use it. We are not saying that the ability to communicate information about a computer's software environment is undesirable. This capability might well be useful for some security applications. We simply observe that the content of information about a computer's software environment should always be subject to the close control of that computer's owner.
A computer owner -- not a third party -- should be able to decide, in her sole discretion, whether the information acquired by a third party will be accurate. This ensures that the attestation capability will not be used in a way contrary to the computer owner's interest. The lack of computer-owner control of the content of attestations is the central problem with the current trusted computing proposals.
It is an unacceptably grave design flaw that must be remedied before the trusted computing architecture as a whole package will be of clear benefit to computer owners. A simple measure we call Owner Override could fix the problem by restoring others' inability to know for certain what software you're running -- unless you decide you would be better off if they knew.
Owner Override subtly changes the nature of the security benefit provided by attestation. Currently, attestation tells remote parties whether the software on your computer has been changed. Attestation plus Owner Override would let remote parties know if the software on your computer has been changed without your knowledge. Thus, detection of illicit activity would still be practical. If, however, you had made deliberate changes on your own computer, you could conceal them, just as you can today, to prevent someone else from using your choices as a reason to discriminate against you.
Owner Override works by empowering a computer owner, when physically present at the computer in question, to choose deliberately to generate an attestation which does not reflect the actual state of the software environment, presenting the picture of her choice of her computer's operating system, application software or drivers. Since such an attestation can only be generated by the computer owner's conscious choice, the value of attestation for detecting unauthorized changes is preserved.
But the PC owner has regained fine-grained control, even in a network environment, and the PC can no longer be expected to enforce policies against its owner. Owner Override removes the toolbox that allows the trusted computing architecture to be abused for anti-interoperability and anti-competitive purposes. It restores the important ability to reverse engineer computer programs to promote interoperability between them. Broadly, it fixes trusted computing so that it protects the computer owner and authorized users against attacks, without limiting the computer owner's authority to decide precisely which policies should be enforced.
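The following simulation is an added example, not code from the original article or from any TCG or NGSCB implementation. It models the two situations discussed above in one small protocol: a file server that admits only clients whose attested boot chain is on its approved list (the Samba lock-out scenario), and the same exchange on a platform that implements Owner Override. The software images, their names, the PCR-extend chain and the attestation key are all constructed for the example; an HMAC stands in for the attestation identity key's signature, which a real TPM would produce with an asymmetric key. It also assumes that an override is cleared on reboot, which the text does not specify.

```python
import hashlib
import hmac
import os

# Constructed software images: their hashes stand in for the measurements an
# attestation chip would record during boot. Names and contents are hypothetical.
IMAGES = {
    "bootloader": b"bootloader build 1",
    "kernel": b"kernel build 2",
    "tampered-kernel": b"kernel build 2 plus rootkit",
    "vendor-client": b"vendor file-sharing client 1.0",
    "samba-client": b"samba smbclient 3.0",
}

PCR_INITIAL = bytes(32)


def measure(image: bytes) -> bytes:
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    # TCG-style extend: H(old || measurement). The final value depends on the
    # whole boot sequence and cannot be rolled back to an earlier state.
    return hashlib.sha256(pcr + measurement).digest()


def pcr_for_chain(chain) -> bytes:
    pcr = PCR_INITIAL
    for name in chain:
        pcr = extend(pcr, measure(IMAGES[name]))
    return pcr


class Platform:
    """A PC with an attestation chip. `ak` is a constructed stand-in for the
    attestation identity key; an HMAC replaces the real asymmetric signature."""

    def __init__(self, ak: bytes, owner_override_supported: bool):
        self._ak = ak
        self._supports_override = owner_override_supported
        self._pcr = PCR_INITIAL
        self._override_pcr = None

    def boot(self, chain):
        self._pcr = pcr_for_chain(chain)
        self._override_pcr = None  # assumption: an override does not survive a reboot

    def set_owner_override(self, chain, physically_present: bool):
        if not self._supports_override:
            raise NotImplementedError("current design: the owner cannot shape an attestation")
        if not physically_present:
            raise PermissionError("Owner Override requires the owner at the console")
        self._override_pcr = pcr_for_chain(chain)  # the picture the owner chooses to present

    def quote(self, nonce: bytes):
        pcr = self._override_pcr if self._override_pcr is not None else self._pcr
        tag = hmac.new(self._ak, nonce + pcr, hashlib.sha256).digest()
        return pcr, tag


class Server:
    """Remote party that serves only clients whose attested boot chain it approves."""

    def __init__(self, ak: bytes, approved_chains):
        self._ak = ak
        self._approved = {pcr_for_chain(c) for c in approved_chains}

    def admit(self, platform: Platform) -> str:
        nonce = os.urandom(16)  # freshness: a recorded quote cannot be replayed later
        pcr, tag = platform.quote(nonce)
        expected = hmac.new(self._ak, nonce + pcr, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "forged"
        return "admitted" if pcr in self._approved else "locked out"


def run_scenarios() -> dict:
    ak = b"constructed attestation identity key"
    approved = ("bootloader", "kernel", "vendor-client")
    server = Server(ak, approved_chains=[approved])
    results = {}

    # Current design: attestation always reports the true state, so the
    # interoperable client is locked out no matter what the owner wants.
    tcg = Platform(ak, owner_override_supported=False)
    tcg.boot(approved)
    results["tcg/vendor client"] = server.admit(tcg)
    tcg.boot(("bootloader", "kernel", "samba-client"))
    results["tcg/samba client"] = server.admit(tcg)

    # Owner Override: the owner, present at the console, presents the picture
    # of her choice and keeps using the client she prefers.
    oo = Platform(ak, owner_override_supported=True)
    oo.boot(("bootloader", "kernel", "samba-client"))
    results["override/samba, no override set"] = server.admit(oo)
    oo.set_owner_override(approved, physically_present=True)
    results["override/samba, owner presents vendor picture"] = server.admit(oo)

    # A change the owner did not make (a rootkit in the kernel) is still
    # detected: no override covers it, and a remote attacker cannot set one.
    oo.boot(("bootloader", "tampered-kernel", "vendor-client"))
    results["override/tampered kernel"] = server.admit(oo)
    try:
        oo.set_owner_override(approved, physically_present=False)
        results["override/remote attempt to set override"] = "allowed"
    except PermissionError:
        results["override/remote attempt to set override"] = "refused"

    # A platform without the genuine attestation key cannot fake a quote at all.
    rogue = Platform(b"some other key", owner_override_supported=False)
    rogue.boot(approved)
    results["rogue key"] = server.admit(rogue)
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:50s} {outcome}")
```

The point the simulation makes is the one the text makes: the server's check is identical in every scenario, and the only thing Owner Override changes is who decides what the quote says. Unauthorized modifications are still caught because the override can only be set by a physically present owner, never by software or by a remote party.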