As the joke goes, on the Internet nobody knows you’re a dog. But although anonymity has been part of Internet culture since the first browser, it’s also a major obstacle to making the Web a safe place to conduct business: Internet fraud and identity theft cost consumers and merchants several billion dollars last year. And many of the other more troubling aspects of the Internet, from spam emails to sexual predators, also have their roots in the ease of masking one’s identity in the online world.
Change, however, is on the way. Already over 20 million PCs worldwide are equipped with a tiny security chip called the Trusted Platform Module, although it is as yet rarely activated. But once merchants and other online services begin to use it, the TPM will do something never before seen on the Internet: provide virtually fool-proof verification that you are who you say you are.
Some critics say that the chip will change the free-wheeling Web into a police state, while others argue that it’s needed to create a safe public space. But the train has already left the station: by the end of this decade, a TPM will almost certainly be part of your desktop, laptop and even cell phone.
The TPM chip was created by a coalition of over one hundred hardware and software companies, led by AMD, Hewlett-Packard, IBM, Microsoft and Sun. The chip gives every computer a unique identifier before it leaves the factory, and that identifier can’t subsequently be changed. It also checks the software running on the computer to make sure it hasn’t been altered to act malevolently when it connects to other machines: that it can, in short, be trusted. For now, TPM-equipped computers are primarily sold to big corporations for securing their networks, but starting next year TPMs will be installed in many consumer models as well.
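The "checks the software running on the computer" part of the paragraph above is what the Trusted Computing Group calls measured boot and sealing: each boot component is hashed into a register that can only be extended, and a secret is released only if the final register value matches the one it was sealed to. The following Go program is an added illustration of that mechanism, not code from the column or from any TPM vendor; the storage-root secret, the component names and the derivation of the sealing key from the register value are constructed simplifications (a real chip keeps the key inside the hardware and compares registers there).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// pcrExtend models a TPM Platform Configuration Register. A PCR can only be
// extended, never written directly, so its final value commits to every
// component measured into it, in order: pcr' = SHA-256(pcr || SHA-256(component)).
func pcrExtend(pcr [32]byte, component []byte) [32]byte {
	digest := sha256.Sum256(component)
	return sha256.Sum256(append(pcr[:], digest[:]...))
}

// MeasureBootChain extends a freshly reset (all-zero) PCR with each boot
// component in the order it was loaded: firmware, bootloader, kernel, ...
func MeasureBootChain(components [][]byte) [32]byte {
	var pcr [32]byte
	for _, c := range components {
		pcr = pcrExtend(pcr, c)
	}
	return pcr
}

// sealingKey derives the key protecting a sealed blob from the chip's storage
// root secret and the PCR value the blob is bound to. Constructed simplification:
// a different platform state yields a different key, so decryption fails.
func sealingKey(storageRoot []byte, pcr [32]byte) []byte {
	material := append(append([]byte{}, storageRoot...), pcr[:]...)
	k := sha256.Sum256(material)
	return k[:]
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts secret so that it can only be recovered on a platform whose
// PCR equals expectedPCR. The random nonce is prepended to the ciphertext.
func Seal(storageRoot []byte, expectedPCR [32]byte, secret []byte) ([]byte, error) {
	gcm, err := gcmFor(sealingKey(storageRoot, expectedPCR))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := append([]byte{}, nonce...)
	return gcm.Seal(blob, nonce, secret, nil), nil
}

// Unseal releases the secret only if the current PCR matches the one the blob
// was sealed to; any altered component changes the PCR and authenticated
// decryption fails, which is the "refuse to cooperate" behaviour the column describes.
func Unseal(storageRoot []byte, currentPCR [32]byte, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(sealingKey(storageRoot, currentPCR))
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ciphertext, nil)
	if err != nil {
		return nil, errors.New("unseal refused: platform state does not match the sealing policy")
	}
	return plain, nil
}

func main() {
	storageRoot := []byte("constructed storage root secret") // placeholder for the chip's internal secret
	trusted := [][]byte{[]byte("firmware v1.0"), []byte("bootloader v1.0"), []byte("kernel v1.0")}
	tampered := [][]byte{[]byte("firmware v1.0"), []byte("bootloader v1.0"), []byte("kernel v1.0 (patched)")}

	good := MeasureBootChain(trusted)
	blob, _ := Seal(storageRoot, good, []byte("disk encryption key"))
	fmt.Println("PCR (trusted): ", hex.EncodeToString(good[:8]))
	if secret, err := Unseal(storageRoot, MeasureBootChain(trusted), blob); err == nil {
		fmt.Println("unsealed on trusted platform:", string(secret))
	}
	bad := MeasureBootChain(tampered)
	fmt.Println("PCR (tampered):", hex.EncodeToString(bad[:8]))
	if _, err := Unseal(storageRoot, bad, blob); err != nil {
		fmt.Println("tampered platform:", err)
	}
}
```

Because the register is extended rather than overwritten, the same components measured in a different order also produce a different value, which is why the chain, not just the set of files, is what gets attested.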
With a TPM onboard, each time your computer starts, you prove your identity to the machine using something as simple as a PIN number or, preferably, a more secure system such as a fingerprint reader. Then if your bank has TPM software, when you log into their Web site, the bank’s site also “reads” the TPM chip in your computer to determine that it’s really you. Thus, even if someone steals your username and password, they won’t be able to get into your account unless they also use your computer and log in with your fingerprint. (In fact, with TPM, your bank wouldn’t even need to ask for your username and password — it would know you simply by the identification on your machine.)
The same would go for online merchants — once you’d registered yourself and your computer with an Amazon or an e-Bay, they’d simply look for the TPM on your machine to confirm it’s you at the other end. (Of course you could always “fool” the system by starting your computer with your unique PIN or fingerprint and then letting another person use it, but that’s a choice similar to giving someone else your credit card.)
Another plus for the TPM is that your computer will be able to make sure that it’s really a legitimate e-commerce site you’re connected to, and not some phishing-style fraud. There would still, of course, be ways that you could access your bank or e-commerce accounts from other computers when you were traveling, but the connection wouldn’t be as secure as using your own computer. Plans are already underway to put TPMs into smartphones and other portable devices as well.
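The login flow sketched in the three paragraphs above (you unlock the chip with a PIN or fingerprint, the bank "reads" the chip, a stolen password alone is useless) is a challenge-response with a device-bound key. The Go program below is an added example of that pattern, not code from the column or from any bank or TPM vendor: the device generates a key that never leaves it and signs only after the owner's PIN is presented, while the bank stores just the public key and a fresh random challenge per login. It goes one step beyond the text by consuming each challenge, so a captured signature cannot be replayed. The user names, PINs and the plain SHA-256 password hash are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Device models the TPM-backed part of the client: the private key is
// generated inside the device and is never exported; signing needs the PIN.
type Device struct {
	priv    *ecdsa.PrivateKey
	pinHash [32]byte
}

func NewDevice(pin string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, nil
}

// PublicKey is the only thing that ever leaves the device; it is what the
// bank records at registration.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign returns a signature over the bank's challenge, but only if the PIN
// (or, in the column's preferred setup, a fingerprint) unlocks the device.
func (d *Device) Sign(pin string, challenge []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		return nil, errors.New("device locked: wrong PIN")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

type account struct {
	passwordHash [32]byte // placeholder: a real site uses a slow password hash
	deviceKey    *ecdsa.PublicKey
}

// Bank is the server side: per-user password hash and registered device key,
// plus the one outstanding challenge per user.
type Bank struct {
	users   map[string]account
	pending map[string][]byte
}

func NewBank() *Bank {
	return &Bank{users: map[string]account{}, pending: map[string][]byte{}}
}

func (b *Bank) Register(user, password string, deviceKey *ecdsa.PublicKey) {
	b.users[user] = account{sha256.Sum256([]byte(password)), deviceKey}
}

// Challenge issues a fresh random nonce that the device must sign.
func (b *Bank) Challenge(user string) ([]byte, error) {
	if _, ok := b.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	b.pending[user] = nonce
	return nonce, nil
}

// Login succeeds only if the password is right AND the outstanding challenge
// was signed by the registered device. A stolen password alone fails, and the
// challenge is deleted on use, so a captured signature cannot be replayed.
func (b *Bank) Login(user, password string, signature []byte) error {
	acct, ok := b.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	pw := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(pw[:], acct.passwordHash[:]) != 1 {
		return errors.New("bad password")
	}
	nonce, ok := b.pending[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(b.pending, user)
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(acct.deviceKey, digest[:], signature) {
		return errors.New("signature not from the registered device")
	}
	return nil
}

func main() {
	dev, _ := NewDevice("1234") // constructed PIN
	bank := NewBank()
	bank.Register("alice", "hunter2", dev.PublicKey())
	nonce, _ := bank.Challenge("alice")
	sig, _ := dev.Sign("1234", nonce)
	fmt.Println("own device:   ", bank.Login("alice", "hunter2", sig))
	fmt.Println("replayed sig: ", bank.Login("alice", "hunter2", sig))
	thief, _ := NewDevice("0000")
	nonce, _ = bank.Challenge("alice")
	sig, _ = thief.Sign("0000", nonce)
	fmt.Println("stolen pw only:", bank.Login("alice", "hunter2", sig))
}
```

The "choice similar to giving someone else your credit card" case from the text is visible here too: anyone who is handed an unlocked device holding the private key can complete the exchange, which is exactly why the PIN or fingerprint gate sits in front of signing.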
The TPM will become even more important as we move toward Web-based applications, where we may actually store our documents and files on remote servers. The TPM could automatically encrypt any files as soon as they left your computer, and only allow decryption privileges to your TPM and any others you might specify. It could automatically encrypt email as well, so that only specific recipients are able to read it. And it could more firmly identify where email originates, taking a big step forward in controlling spam at the source.
That is the potential good news. But some critics are worried that the TPM is a step too far. Their concern particularly revolves around using the TPM to control “digital rights management” — that is, what you can and cannot do with the music, movies and software you run on your computer.
A movie, for example, would be able to look at the TPM and know whether it was legally licensed to run on that machine, whether it could be copied or sent to others, or whether it was supposed to self-destruct after three viewings. If you tried to do something with the movie that wasn’t allowed in the license, your computer simply wouldn’t cooperate.
The same would go for software. Now that Apple is moving to Intel processors, Mac fans are watching closely to see if the new machines will incorporate TPMs. That may be the way that Apple makes sure that its Macintosh operating system only runs on Apple computers — otherwise, hackers will probably be quick to figure out ways to make the new Intel-based Macintosh software run on HP or Dell machines as well. Similar concerns arise around how Microsoft might make use of TPM to ensure that its software is used only on machines with paid-up licenses (as one joke has it: “TPM is Bill Gates’ way of finally getting the Chinese to pay for software.”)
(MSNBC is a Microsoft - NBC joint venture.)
Ultimately the TPM itself isn’t inherently evil or good. It will depend entirely on how it’s used, and in that sphere, market and political forces will be more important than technology. Users will still control how much of their identity they wish to reveal — in fact, for complex technical reasons, the TPM will actually also make truly anonymous connections possible, if that’s what both ends of the conversation agree on. And should a media or software company come up with overly Draconian restrictions on how its movies or music or programs can be used, consumers will go elsewhere. (Or worse: Sony overstepped with the DRM on its music CDs recently and is now the target of a dozen or so lawsuits, including ones filed by California and New York.)
To future historians, the anonymity we’ve experienced in the first decade of the commercial Internet may in retrospect seem aberrant. In the real world, after all, we carry multiple forms of fixed identification, ranging from our faces and fingerprints to drivers’ licenses and social security numbers. Some of these are easier to counterfeit than others, but generally most of us are more comfortable when we can prove who we are. In some situations — driving cars, boarding aircraft — we’re required to have identification. Of course, our real world policies on identification — what kind we must have, when we need to display it — have evolved over centuries of social and political thought and are still, post 9/11, a national hot-button. With the arrival of the Trusted Platform Module, the argument will now extend to cyberspace as well.
source: http://www.msnbc.msn.com/ID/10441443/ 22dec2005
Not surprisingly, there was a flood of reader response to last week’s column “Let’s See Some ID, Please." The piece described the Trusted Platform Module that is being built into many new computers. The goal of the TPM is to create what is touted to be fool-proof identification on the Internet, intended to circumvent online fraud, theft and similar illegal behavior.
Few readers were middle-of-the-road on this issue, rather splitting evenly over whether this was a great idea, or the end of freedom and democracy as we know it. Some of the former:
Brian C. Barnes, Austin, TX: Anonymity would be great, in an ideal world. Unfortunately, there are too many low life jerks who take advantage any way they can, and so we have to assume a more defensive posture. If the Internet is to be a really useful infrastructure, and not just a "back alley slum" type of place, then unfortunately, this is a necessary step.
Bill Reimann: This is good news to good people. We no longer have to gamble that software programs protect our privacy or prevent fraud. This is a perfect balance between the anonymity embedded in proprietary software and the certainties of hardware standards.
There were also plenty of readers with practical questions about how having an identity chip in their home computer would actually work:
Dave Adams, Folsom, CA: With TPM-enabled PCs, won't it be very difficult to sell your PC when you want to upgrade? How will you decouple your old PC from your identity and migrate it over to the buyer's identity?
It’s important to emphasize that all of this TPM stuff is still very much in its infancy — once the hardware is out there in sufficient quantity, then people will figure out what to do with it. Even the very general description I gave in the column is based in part on conjecture.
If you sold a computer with a TPM and bought a new one, there would be some way to securely transfer your identity from the old machine to the new one. Proponents say it would actually be easier than changing your password on multiple sites — you’d just need to make the transfer once and then all sites who had previously known you by the old TPM would recognize you with the new one.
R. Smith, Lompoc, CA: I see how TPM might make the Internet a safer place to do business, but if your access to a bank or shopping website is tied to your particular machine, how is this going to work if you're halfway across the world using someone else’s machine?
People are already thinking about how one would get secure remote access to banking or e-commerce accounts. It could be that you’ll carry some form of hardware ID with you — a card with an embedded chip, for example (although this will require some sort of reader on remote computers). Or there may be some other kind of additional ID required when you’re not at your home computer (the site might challenge you to supply your mother’s maiden name, for example). Or the bank may simply adjust to the lower security level and limit the transactions you can do from remote computers, and e-commerce sites will double-check remote orders.
The fact is that TPM or no, these questions about computer security are coming to a head. The Federal government has recently announced that it will require all banks, by the end of 2006, to have “two factor” identification for online banking. That means no more just using a password — the bank will have to see a second form of ID online. Banks are scrambling to figure out how to do this, and one solution is very much like TPM. Your home computer already has a unique “online signature” that Websites can read, involving items like your IP address, your hardware, and what software you have installed. That may be the second form of ID that some banks look for — in which case, banking on any computer but the one in your home (and perhaps one at work) will be more difficult.
Some online retailers (and particularly gambling sites) already use “online signatures” — effectively, ad hoc TPM — through software from Iovation, a California startup. The Iovation system studies each machine as it connects to a site and remembers a unique profile; if it turns out the machine is used in a fraudulent transaction, the next time that same computer logs on — even if the user has adopted a different name and password — it will be turned away.
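The two paragraphs above describe software device fingerprinting: a site hashes the attributes it can observe about a connecting machine into a stable profile and keeps a reputation for that profile, so a machine tied to fraud is refused even under a new user name. The Go program below is an added example of that idea, not Iovation's code or any description of how its product works; the attribute set, the hashing scheme and the sample profiles are constructed. The IP address is deliberately left out of the hash because it changes with every network the laptop joins, which is also the built-in weakness of the approach: any attribute the machine's owner can change changes the profile.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// DeviceProfile holds attributes a web site can observe about a visiting
// machine (browser string, screen, fonts, plug-ins). Constructed attribute set.
type DeviceProfile struct {
	UserAgent        string
	ScreenResolution string
	InstalledFonts   []string
	Plugins          []string
}

// Fingerprint derives a stable identifier from the profile. Lists are sorted
// first so that enumeration order does not change the hash.
func Fingerprint(p DeviceProfile) string {
	fonts := append([]string(nil), p.InstalledFonts...)
	sort.Strings(fonts)
	plugins := append([]string(nil), p.Plugins...)
	sort.Strings(plugins)
	material := strings.Join([]string{
		p.UserAgent, p.ScreenResolution,
		strings.Join(fonts, ","), strings.Join(plugins, ","),
	}, "|")
	sum := sha256.Sum256([]byte(material))
	return hex.EncodeToString(sum[:])
}

// ReputationStore remembers which fingerprints were tied to fraud and which
// user names each fingerprint has presented.
type ReputationStore struct {
	flagged  map[string]string          // fingerprint -> reason
	accounts map[string]map[string]bool // fingerprint -> set of user names
}

func NewReputationStore() *ReputationStore {
	return &ReputationStore{flagged: map[string]string{}, accounts: map[string]map[string]bool{}}
}

type Decision struct {
	Allow  bool
	Reason string
}

// Evaluate runs at login or checkout. A device previously linked to fraud is
// refused whatever name it now uses; a device cycling through many accounts is
// allowed but marked for manual review.
func (s *ReputationStore) Evaluate(p DeviceProfile, username string) Decision {
	fp := Fingerprint(p)
	if reason, bad := s.flagged[fp]; bad {
		return Decision{false, "device previously linked to fraud: " + reason}
	}
	if s.accounts[fp] == nil {
		s.accounts[fp] = map[string]bool{}
	}
	s.accounts[fp][username] = true
	if n := len(s.accounts[fp]); n > 3 {
		return Decision{true, fmt.Sprintf("allowed, but device has used %d accounts; review", n)}
	}
	return Decision{true, "ok"}
}

// FlagFraud records that a transaction from this device turned out to be fraudulent.
func (s *ReputationStore) FlagFraud(p DeviceProfile, reason string) {
	s.flagged[Fingerprint(p)] = reason
}

func main() {
	// Constructed sample profiles.
	machine := DeviceProfile{"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", "1024x768",
		[]string{"Arial", "Verdana"}, []string{"Flash 8", "Acrobat 7"}}
	store := NewReputationStore()
	fmt.Println("first order as bob:", store.Evaluate(machine, "bob"))
	store.FlagFraud(machine, "chargeback on constructed order 1001")
	sameMachine := machine
	sameMachine.InstalledFonts = []string{"Verdana", "Arial"} // same fonts, different order
	fmt.Println("same machine as robert:", store.Evaluate(sameMachine, "robert"))
	other := machine
	other.ScreenResolution = "1280x1024"
	fmt.Println("different machine as carol:", store.Evaluate(other, "carol"))
}
```

The last call in main is the caveat: one changed attribute yields a fresh fingerprint, so this is a fraud-reduction signal rather than identity in the sense the column attributes to a hardware chip.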
Mad Dog Roanoke VA: The problem is that in real life I can choose to present my ID. If it is built into my computer I no longer have a choice.
Use of the TPM will be voluntary. In the first place it will be a long time, if ever, that all computers even have a TPM. Nothing will stop people from building computers without them and there will doubtless be a market for that. But if you’re not using one then your bank, say, may limit what kind of transactions you can make online. As mentioned earlier, without a TPM you might have to appear in person to open a new line of credit. Similarly, e-commerce sites might more closely scrutinize your transaction.
Then there were readers who are sure that the TPM idea will fail.
John, Pensacola FLA: Good luck! I'm confident that there will be enough 14-year-olds with time on their hands to make this useless. This thing will go the way of the V-Chip.
Doug Hedger, Gaspe, Quebec, Canada: I am supposed to believe that this will be absolutely, positively fool proof and no criminals will ever, ever find a way to find a way to get around, or thru this absolutely marvelous chip. I don't #@^%$&^%$ think so.
No security system is ever 100% fool-proof — whether it’s the lock on your front door or a bank vault — but that doesn’t mean they’re worthless. Adding hardware identification to computers is one more step, and a significant one, toward creating better security tools on the Web. When and if criminals learn to work around those tools, we’ll have to think of new ones. But as I understand it, without a change in hardware, the good guys are running out of ideas on how to improve security using only software. And if the Web can’t be better secured, that will limit just how vibrant and important the online world can become.
Dan Anthony: You say that biometric (fingerprint) readers are more secure than a PIN number. Why is that? People leave latent fingerprints around all the time, and biometric information is like a password that can never change. Once your biometric is compromised, your identity is stolen, and unlike a PIN, you can't recover from that. Finally, the combined false acceptance and false rejection rate of most biometric systems is statistically substandard to a 4-digit PIN number.
Biometric readers are improving all the time — take a look, for example, at the Authentec fingerprint reader, which actually uses radio waves to read under the first layer of skin. That makes it much harder to fool and far more reliable under different conditions. PIN numbers are just too easy to steal or guess to rely on as your sole identification factor.
There were also readers suspicious about exactly what the TPM might be used for, besides securing one’s identity.
Tom Brown, Gilbertsville, PA: Trusted Computing assumes that we the public *trust* companies like Microsoft, which the vast majority of us do not. The Sony incident demonstrates how far a company can be trusted with our equipment, which is not at all. All companies have an agenda to make as much profit as possible, and that's fine. But I don't want them doing so by taking choices away from me (or selling my personal preferences and activity for that matter), and TPM has the potential of doing just that. TPM may make it easier for Microsoft to code the next version of IE or Outlook, but it's not my job to help them. TPM might make it easier for Amazon to sell things on line, but it's not my job to help them, either. I want choice, and I want privacy, and I don't want to lose either one. And yes, I recognize what the "MS" in "MSNBC" stands for, and who benefits from this article. It only confirms my mistrust.
As I’ve said before, Microsoft has no influence on what MSNBC writes. And Microsoft is only one of many companies involved in the Trusted Computing Group. I disagree that the “vast majority” of the country mistrusts all big companies; actually, I think the vast majority of the country doesn’t think about it that often. It’s pretty hard to buy much in this country that isn’t made by a big company that’s out to make a buck. That said, I’m quite sure one will be able to opt out of using any kind of TPM-based technology, just as one is able to refuse to buy any product if one doesn’t trust the motives behind it. To use Tom’s own example, many people do all of their computing without ever directly using a Microsoft product.
William Upshaw, Atlanta, GA: I bet the Department of Homeland Security is giddy with anticipation of this chip, so they can find out who hasn't been purchasing the required amount of duct tape. I am not a huge fan of the ACLU, but this sounds like a perfect issue for them to drag through the courts for about ten years. I only wish the EFF had longer and larger political teeth.
It’s hard to put anything past the current administration at the moment, but as I said in the original column, users can choose not to enable the TPM, or it can be used in ways that may actually increase one’s anonymity and ability to maintain encrypted communications. The Electronic Frontier Foundation has a very clear stand on the importance of anonymity; they will watch TPM implementations closely. And the ACLU has already been involved in a number of legal actions around online privacy. Both organizations deserve support from anyone who shares William’s concerns.
This column received a lot of play in various technophile blogs and newsgroups, including Slashdot, and I was surprised to see how relatively little the digerati seemed to know about the Trusted Computing concept, besides knee-jerk opposition to anything that threatens to “lock down” the Internet. There are, however, some extremely intelligent (and often quite abstract) discussions about identity on the Internet. A variety of those voices can be found in the two dozen sites linked at Kim Cameron’s Identity Weblog. One should know that Cameron is in charge of identity architecture at Microsoft, but both his commentary and the blogs he links to are quite ecumenical.
Finally, I received a long and thoughtful email from Mike Fratto who, as the editor of Secure Enterprise magazine, follows TPM issues closely since the chips are starting to be used by his corporate audience. Some of this is a tad technical, but he raises a number of good points:
"I doubt we will see the TPM used in the consumer space for a number of reasons: 1) It's incredibly complicated to use and that ain't changing anytime soon. To enable a TPM the user has to enter the BIOS and enable the TPM manually. Then they have to create a set of keys and remember all those passwords. ... Try explaining key management, escrow, and recovery to soccer-moms everywhere. Secondly, consumers won't understand what the TPM is used for and they won't use it."
As someone who has used computers since the Seventies, when doing almost anything was extremely difficult, I’m an unreconstructed optimist about the possibility of simplifying technology.
"2) No company serving customers wants to deploy software into a consumer computer. Once that happens, the company has to support the software and the consumer desktop. ... They avoid it like the plague."
Not sure about this: Macromedia and Real download and support a lot of software on consumer machines. And if supporting TPM turns out to be cheaper than other security measures (see above on how banks are struggling with the mandate of “two factor” identification) they may decide it’s worth the trouble.
"3) There is already a mechanism to validate the identity of a Web site when using SSL. It's part of the protocol. The fundamental weakness (though weakness is relative) is in DNS, which is wholly unsecure but is "trusted" as being authoritative. Using the TPM on the server side may help, but TPM processing is slow and that is unacceptable for busy Web sites. ... Besides, phishing and pharming is not a technical problem — it's a human one. There is NO technology that will stop phishing or pharming."
But the existence of both phishing and pharming depends on the establishment of bogus Web sites, which take advantage of weaknesses (as you point out) in software-based protocols. If TPM processing is the only way to fix that, somebody’s going to figure out how to make it work on the server side.
"4) When the computer starts, the TPM may or may not run system validation; it may or may not ask for user authentication; it may or may not even be activated; how the TPM is used depends completely on software. ... So in the case of authentication, the use of biometrics, tokens, and other hardware stuff is a non-starter in the consumer space because each device needs special drivers and software and there is no way to predict what will be installed on the laptop. At boot time, special drivers will have to be written to talk to the biometric device. That adds significant cost to a PC — an industry already selling on tight margins. Besides, biometrics, tokens, etc. are hard to use compared to passwords. Now users left to their own devices will choose easy-to-guess passwords, so to access the TPM, an attacker just has to guess, or capture, or trick the user into giving up that password."
Clearly, if TPMs use a biometric or physical token to validate the user, there will need to be some standardization on the driver software. If users demand secure computing, manufacturers will figure out how to build it in cost-effectively (look at how many hardware additions, starting with clocks and sound-cards, have been added to personal computers over the last two decades even as prices continued to drop). As far as users defaulting to a password, rather than something more secure, that’s a question of education and culture. A lot of people used to leave their front doors unlocked, too.
"5) Arbitrary applications can't access the TPM, they must be authorized by the end user. Users are "trained" to click through any dialog box that pops up without even reading what they are agreeing to. The Sony/BMG case is relevant (not the problems, but the acceptance of the DRM in the license agreement). So as an attacker, I can just as easily build a Trojan that victims will install because of their "training."
This strikes me as another implementation and education issue, not a reason to scrap the whole idea.
"6) The TPM won't encrypt e-mails by itself. It encrypts/decrypts keys that are used by software to then encrypt/decrypt/sign email provided the user enables email security. Again, there have been standardized protocols available for years, but they are rarely used in the consumer space because of other factors."
Indeed, one of the factors that have kept consumers from encrypting e-mail is that it’s difficult. TPMs on both ends would likely make it easier. But the real reason I cited this was simply to show that having a firm identity on the Internet didn’t necessarily mean a loss of privacy.
"7) The whole DRM issue is a red herring. Media distributors are already doing DRM without the TPM. The TPM only protects the keys while they are being stored. Once a DRM application extracts the keys from the protection of the TPM, those keys are available in memory and can be read. It is easily crackable."
That’s interesting. The biggest concern among critics about TPM seems to be its potential for Draconian digital rights management. If it’s easily crackable, then the media companies are going to have to come up with something else.
The question of identity and anonymity on the Internet clearly isn’t going away anytime soon — in many ways, I think it’s the most important issue facing cyberspace today. I look forward to hearing more from readers about where we should take the discussion next.
source: http://www.msnbc.msn.com/id/10564396/ 22dec2005