Berkeley CSUA MOTD:Entry 25240
Berkeley CSUA MOTD
 
WIKI | FAQ | Tech FAQ
http://csua.com/feed/
2025/07/10 [General] UID:1000 Activity:popular
7/10    

2002/6/29-7/1 [Computer/SW/Security, Computer/SW/OS/Windows] UID:25240 Activity:moderate
6/28    http://www.theregister.co.uk/content/4/25940.html
        Analysis of MS Palladium scheme.  It's even worse than I'd first
        thought.  Very ugly stuff.
        \_ You expected any less?
           \_ It didn't occur to me such evil was possible but I'm not
              at all surprised it was MS that came up with it.
        \_ see also http://www.cl.cam.ac.uk/users/rja14/tcpa-faq.html
        \_ What is stopping people from just replacing the "fritz" chip
           with a FPGA that says yes to every query?
           \_ Destroying your MB because it'll be built in that way?  Or worse,
              it'll be part of the CPU in v2?
ERROR, url_link recursive (eces.Colorado.EDU/secure/mindterm2) 2025/07/10 [General] UID:1000 Activity:popular
7/10    

You may also be interested in these entries...
2013/12/28 [Computer/SW/Security] UID:54760 Activity:nil
12/28   Happy holidays everyone.
        For some reason my work's ip address gets logged in /etc/hosts.deny and\
I cannot ssh in anymore from work
        (except from home where I can ssh in fine): anyone knows if this file is\
 auto-generated due to some event? Thanks
	...
2013/10/24-11/21 [Computer/Companies/Apple] UID:54747 Activity:nil
9/19    "No, A Severed Finger Will Not Be Able to Access a Stolen iPhone 5S"
        http://mashable.com/2013/09/15/severed-finger-iphone-5s
        I'm sure the Apple QA department has tested extensively that a severed
        finger will not be able to access a stolen iPhone 5S.
        \_ It doesn't matter whether or not a severed finger can be used.  It
           matters whether or not a robber thinks that a severed finger can be
	...
2013/6/6-7/31 [Politics/Foreign/Asia/China, Computer/SW/Security] UID:54690 Activity:nil
6/6     Wow, NSA rocks. Who would have thought they had access to major
        data exchangers? I have much more respect for government workers,
        crypto experts, mathematicans now than ever.
        \_ flea to Hong Kong --> best dim-sum in the world
           \_ "flee"
        \_ The dumb ones work for DMV, the smart ones for the NSA. If you
	...
2012/8/26-11/7 [Computer/SW/Security] UID:54465 Activity:nil
8/26    Poll: how many of you pub/priv key users: 1) use private keys that
        are not password protected 2) password protect your private keys
        but don't use ssh-agent 3) use ssh-agent:
        1) .
        2) ..
        3) ...
	...
2012/8/29-11/7 [Computer/SW/Security] UID:54467 Activity:nil
8/29    There was once a CSUA web page which runs an SSH client for logging
        on to soda.  Does that page still exist?  Can someone remind me of the
        URL please?  Thx.
        \_ what do you mean? instruction on how to ssh into soda?
           \_ No I think he means the ssh applet, which, iirc, was an applet
              that implemented an ssh v1 client.  I think this page went away
	...
2012/8/7-10/17 [Computer/SW/Security] UID:54455 Activity:nil
8/6     Amazon and Apple have lame security policies:
        http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all
        "First you call Amazon and tell them you are the account holder, and
         want to add a credit card number to the account. All you need is the
         name on the account, an associated e-mail address, and the billing
         address. "
	...
2012/7/13-8/19 [Computer/SW/Security, Computer/Companies/Yahoo] UID:54436 Activity:nil
7/13    Why would Yahoo store passwords unencrypted?  I recall that even 20+
        years ago the passwords stored in /etc/passwd on instructional
        machines here at Cal were one-way encrypted.  (I think those were
        Ultrix machines.)
        \_ Doesn't this say anything already?
           http://finance.yahoo.com/echarts?s=YHOO+Interactive#symbol=yhoo;range=5y
	...
2012/3/15-6/1 [Computer/SW/Languages, Computer/SW/OS/Windows] UID:54340 Activity:nil
3/15    Why does MS put double-quotes around the '8' in Windows Server 8, like
        the following?
        - Windows 8
        - Windows Server "8"
        \_ Because when they didn't do it, code didn't see the '\0'
           and went over?  Looks better than '8','\0' *shrug*
	...
2009/4/17-23 [Computer/SW/OS/FreeBSD] UID:52867 Activity:low
4/17    If you have a general access AssOS machines, this is worth
        taking this seriously. --psb
  http://c-skills.blogspot.com/2009/04/udev-trickery-cve-2009-1185-and-cve.html
        <DEAD>admin.fedoraproject.org/updates/udev-127-5.fc10<DEAD>
        \_ What does this have to do with MS Windows?
           \_ psb is a bsd lover.
	...
2008/4/2-6 [Computer/SW/OS/OsX] UID:49647 Activity:nil
4/2     I'm running Windows.  How do i get cool virtual desktops
        like on a mac or 100 million other Unix window managers?
        \_ 2 minutes of googling should get you some answers.
           MS has a "powertoy" for this.
        \_ VMware Workstation?
	...
2008/2/1-7 [Computer/Companies/Google, Computer/SW/OS/Windows] UID:49047 Activity:kinda low
2/1     MS tries to buy Yahoo
        \_ GOOG 514.60  -49.70
           :-)
           I'm not the "short GOOG" guy, just someone who envies Google
           employees.
        \_ Official buyout letter from MSFT http://tinyurl.com/3ysrzu
	...
2007/10/2-5 [Computer/Companies/Google] UID:48219 Activity:very high
10/1    Where's the short Google at 100 guy?
        \_ Me thinks it's a great time to short now.
           \_ Yeah, definitely short it now!  Funny thing about stock
              valuation:  it can sometimes be rational and sometimes
              be irrational.  If everyone hates a stock, and everyone
              shorts it except for a few, and no one who actually owns
	...
2007/7/10-16 [Computer/Companies/Apple] UID:47242 Activity:high
7/10    My girlfriend downloaded music from iTunes onto another computer,
        which we do not have access to anymore. Apple has record of the
        purchases through the "Purchase History" option, but their policy
        is that you can only download once. I never realized that. WTF?!
        Why would they have such a policy when they clearly know what she
        bought? Has anyone sued them over this? We have so many songs in
	...
2007/5/25-28 [Computer/HW/IO] UID:46749 Activity:low
5/25    Happy towel day.  Question:  does anyone know of a Windows screen
        saver that displays the user desktop as it is, including showing
        updates (such as from logfile scrolling by in an application, etc.)
        but works with the normal MS screen lock function?  -John
        \_ If the screen saver displays the desktop as it is, how does it save
           the screen?
	...
2007/5/13-14 [Computer/SW/OS/Windows] UID:46613 Activity:nil
5/13    Someone please give us a 411 on Windows Vista? Is activation
        tougher than WinXP sp2? Is it impossible to get around now forcing
        you to pay for upgrades? Let me just say that I don't like Windows
        OS.  I don't mind using Microsoft Word, Excel, and Powerpoint,
        and they actually make decent games. However, for over a decade
        I've been sucked into using Windows3.0/95/98/2K/XP because
	...
2007/5/4-7 [Computer/Companies/Yahoo] UID:46528 Activity:high
5/3     so you think microsoft will buy yahoo?
        \_ If yahoo is owned by MS, perhaps they will no longer have scientology
           moles within their organization farming for the email addresses of
           people who are trying to avoid the COS.  Fuck Yahoo, and fuck their
           evil scientology moles!
        \_ God I hope not.  -tom
	...
2007/4/13-16 [Computer/SW/WWW/Browsers] UID:46291 Activity:nil
4/13    I use IE7 to browse a web site, and the server says the UserAgent
        string is
        "UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET
        CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
        Is MS bowing to the Mozilla community?
        \_ What are you talking about?  IE has always reported its UserAgent
	...
2006/11/3-4 [Computer/SW/WWW/Browsers] UID:45153 Activity:nil
11/3    In my WinSock.h for v1.1 (dated 6/4/02), there is this line:
                #define AF_FIREFOX      19              /* FireFox */
        What is that???  FireFox socket address family?
        \_ It is a hack MS put into the windows network stack back in '02 to
           slow down FireFox network connections.
	...
Cache (3957 bytes)
www.theregister.co.uk/content/4/25940.html -> www.theregister.co.uk/2002/06/28/ms_palladium_protects_it_vendors/
MS Palladium protects IT vendors, not you - paper By 40 John Lettice Published Friday 28th June 2002 10:27 GMT Ross Anderson of Cambridge University has published a lengthy and informative paper/FAQ on Palladium, the Trusted Computing Platform Alliance (TCPA), their relationship and their implications. His take is that Microsoft's Palladium, 41 soft-announced by the company earlier this week, will be built on TCPA hardware, adding some extra features as it goes along. Some of these features, he notes, will the there in order to make the package look more attractive, while some of the components of Palladium are already shipping in Xbox and WinXP. TCPA itself provides for a monitoring component to be included in future PCs. In phase one Anderson expects it to be an add-on chip on the motherboard, but further down the line it will be in the CPU. It's more crackable as an add-on, as you could conceivably get around it by monitoring bus traffic, but once it's in the CPU this becomes a lot harder, and he speculates about the likely effects in the event of TCPA/Palladium being to all intents and purposes uncrackable. Aside from providing the music business with workable DRM, it would also allow software companies to lock in their users. The more Palladium/TCPA-enabled apps there are, the more this will be the case, and it will also have the tendency to favour existing players while locking out new entrants. Anderson refers to the chip as the "Fritz" chip, after senator Fritz Hollings who has been "working tirelessly" to make TCPA compulsory. On boot, Fritz "checks that the boot ROM is as expected, executes it, measures the state of the machine; The trust boundary, of hardware and software considered to be known and verified, is steadily expanded. A table is maintained of the hardware (audio card, video card etc) and the software (O/S, drivers, etc); The result is a PC booted into a known state with an approved combination of hardware and software. The Disney server then sends encrypted data, with a key that Fritz will use to unseal it. Fritz makes the key available only so long as the environment remains 'trustworthy'. However, TCPA-enabled applications will likely have their security policies administered by remote servers, and this has other implications. It will be possible to turn TCPA off, but if it achieves critical mass then this will mean you don't have access to TCPA-enabled applications, which may isolate you a tad. Given Microsoft's record of competitive strategic plays, I expect that Palladium will support them. So if you control a TCPA-enabled application, then your policy server can enforce your choice of rules about which other applications will be allowed to use the files your code creates. These files can be protected using strong cryptography, with keys controlled by the Fritz chips on everybody's machines. What this means is that a successful TCPA-enabled application will be worth much more money to the software company that controls it, as they can rent out access to their interfaces for whatever the market will bear. So there will be huge pressures on software developers to enable their applications for TCPA; This may mean a rise in the market cap of firms like Intel, Microsoft and IBM - but at the expense of innovation and growth generally. The majority of the innovations that spur economic growth are not anticipated by the manufacturers of the platforms on which they are based; Modified code would still be covered under the GPL, but " it will not make full use of the TCPA features unless you have it signed, and have a certificate that enables you to use the TCPA Public Key Infrastructure (PKI). That is what will cost you money (if not at first, then eventually). That may have been the case so long as the processor was open, and anyone could access supervisor mode. The full document, which you should read several times a week until further notice, is 43 available here.
Cache (8192 bytes)
www.cl.cam.ac.uk/users/rja14/tcpa-faq.html
Swedish, 10 Finnish, 11 Hungarian, 12 Greek, 13 Hebrew and 14 French. See also the 15 Economics and Security Resource Page which gives a lot of background to the issues raised here. The 16 Trusted Computing Group (TCG) is an alliance of Microsoft, Intel, IBM, HP and AMD which promotes a standard for a more secure' PC. In effect, the TCG specification will transfer the ultimate control of your PC from you to whoever wrote the software it happens to be running. Trusted computing' was the original one, and is still used by IBM, while Microsoft calls it trustworthy computing' and the Free Software Foundation calls it 17 treacherous computing'. Hereafter I'll just call it TC, which you can pronounce according to taste. Other names you may see include TCPA (TCG's name before it incorporated), 18 Palladium (the old Microsoft name for the 19 version due to ship in 2004) and 20 NGSCB (the new Microsoft name). Many observers believe that this confusion is deliberate - the promoters want to deflect attention from what TC actually does. TC provides a computing platform on which you can't tamper with the application software, and where these applications can communicate securely with their authors and with each other. The original motivation was 21 digital rights management (DRM): Disney will be able to sell you DVDs that will decrypt and run on a TC platform, but which you won't be able to copy. The music industry will be able to sell you music downloads that you won't be able to swap. They will be able to sell you CDs that you'll only be able to play three times, or only on your birthday. TC will also make it much harder for you to run unlicensed software. In the first version of TC, pirate software could be detected and deleted remotely. Since then, Microsoft has sometimes denied that it intended TC to do this, but at 22 WEIS 2003 a senior Microsoft manager refused to deny that fighting piracy was a goal: Helping people to run stolen software just isn't our aim in life', he said. TC will protect application software 23 registration mechanisms, so that unlicensed software will be locked out of the new ecology. Furthermore, TC apps will work better with other TC apps, so people will get less value from old non-TC apps (including pirate apps). Also, some TC apps may reject data from old apps whose serial numbers have been blacklisted. If Microsoft believes that your copy of Office is a pirate copy, and your local government moves to TC, then the documents you file with them may be unreadable. TC will also make it easier for people to rent software rather than buy it; So if you stop paying for upgrades to Media Player, you may lose access to all the songs you bought using it. For years, Bill Gates has dreamed of finding a way to 24 make the Chinese pay for software: TC looks like being the answer to his prayer. Governments will be able to arrange things so that all Word documents created on civil servants' PCs are born classified' and can't be leaked electronically to journalists. Auction sites might insist that you use trusted proxy software for bidding, so that you can't bid tactically at the auction. Cheating at computer games could be made more difficult. In its simplest form, applications may be designed to delete pirated music under remote control. For example, if a protected song is extracted from a hacked TC platform and made available on the web as an MP3 file, then TC-compliant media player software may detect it using a watermark, report it, and be instructed remotely to delete it (as well as all other material that came through that platform). This business model, called traitor tracing, has been researched extensively by Microsoft (and others). In general, digital objects created using TC systems remain under the control of their creators, rather than under the control of the person who owns the machine on which they happen to be stored (as at present). So someone who writes a paper that a court decides is defamatory can be compelled to censor it - and the software company that wrote the word processor could be ordered to do the deletion if she refuses. Given such possibilities, we can expect TC to be used to suppress everything from pornography to writings that criticise political leaders. The gotcha for businesses is that your software suppliers can make it much harder for you to switch to their competitors' products. At a simple level, Word could encrypt all your documents using keys that only Microsoft products have access to; Such blatant lock-in might be prohibited by the competition authorities, but there are subtler lock-in strategies that are much harder to regulate. So I won't be able to play MP3s on my computer any more? Microsoft says that TC won't make anything suddenly stop working. But a recent software update for Windows Media Player has caused 25 controversy by insisting that users agree to future anti-piracy measures, which may include measures that delete pirated content found on your computer. Also, some programs that give people more control over their PCs, such as 26 VMware and 27 Total Recorder, are not going to work properly under TC. So you may have to use a different player - and if your player will play pirate MP3s, then it may not be authorised to play the new, protected, titles. It is up to an application to set the security policy for its files, using an online policy server. So Media Player will determine what sort of conditions get attached to protected titles. I expect Microsoft will do all sorts of deals with the content providers, who will experiment with all sorts of business models. You might get CDs that are a third of the price but which you can only play three times; You might be allowed to lend your copy of some digital music to a friend, but then your own backup copy won't be playable until your friend gives you the main copy back. Creeping digital lockdown will make life inconvenient in many niggling ways; This could all be done today - Microsoft would just have to download a patch into your player - but once TC makes it hard for people to tamper with the player software, and easy for Microsoft and the music industry to control what players will work at all with new releases, it will be harder for you to escape. Control of media player software is so important that the EU antitrust authorities are 28 proposing to penalise Microsoft for its anticompetitive behaviour by compelling it to unbundle Media Player, or include competing players in Windows. TC will greatly increase the depth and scope of media control. TC provides for a monitoring and reporting component to be mounted in future PCs. The preferred implementation in the first phase of TC emphasised the role of a Fritz' chip - a smartcard chip or dongle soldered to the motherboard. The current version has five components - the Fritz chip, a curtained memory' feature in the CPU, a security kernel in the operating system (the Nexus' in Microsoft language), a security kernel in each TC application (the NCA' in Microsoft-speak) and a back-end infrastructure of online security servers maintained by hardware and software vendors to tie the whole thing together. The initial version of TC had Fritz supervising the boot process, so that the PC ended up in a predictable state, with known hardware and software. The current version has Fritz as a passive monitoring component that stores the hash of the machine state on start-up. This hash is computed using details of the hardware (audio card, video card etc) and the software (O/S, drivers, etc). If the machine ends up in the approved state, Fritz will make available to the operating system the cryptographic keys needed to decrypt TC applications and data. If it ends up in the wrong state, the hash will be wrong and Fritz won't release the right key. The machine may still be able to run non-TC apps and access non-TC data, but protected material will be unavailable. The operating system security kernel (the Nexus') bridges the gap between the Fritz chip and the application security components (the NCAs'). It checks that the hardware components are on the TCG approved list, that the software components ...