[ISN] Signs of 'Trustworthy Computing'

From: InfoSec News (isnat_private)
Date: Fri Apr 05 2002 - 00:36:34 PST


    By Paul Boutin
    2:00 a.m. April 4, 2002 PST

    European consumers will soon get a first taste of what Bill Gates
    meant by "Trustworthy Computing."

    NEC Computing International has announced a trial program in which
    Packard Bell PCs will be equipped with keyboards that include secure
    smart-card readers.

    The keyboards are designed to hold credit card numbers, PINs and other
    personal information in encrypted form, without leaking them into the
    rest of the PC where they could be stolen by crackers, malicious
    programs or other users.

    Microsoft chairman Bill Gates launched the company's Trustworthy
    Computing initiative earlier this year in a widely distributed e-mail
    to staff.

    But developers of secure systems -- a field not coincidentally known
    as "trusted computing" -- say Microsoft's plans will go nowhere
    without new hardware that addresses fundamental security problems in
    the PC's aging architecture.

    Security experts agree the basic design of the PC is flawed: It allows
    data to travel around inside unencrypted, which means information can
    be stolen or faked by a program installed on the desktop.

    "It's like your PC is the Starship Enterprise, and the Klingons are
    able to transport into the ship. When they do, they look just like
    us," said Robert Thibodeau, who teaches security and cryptography at
    Carnegie Mellon University in Pittsburgh, Pennsylvania.

    Thibodeau said last year's Nimda virus demonstrated the vulnerability
    of the system by replacing the loader program that boots the Windows
    NT operating system at startup. "That's like replacing Captain Kirk,"
    he said.

    The entire PC doesn't have to be turned into a crypto device to
    prevent attacks. Thibodeau recently worked with PC software maker
    Phoenix Technologies to develop a secure version of the company's
    widely used BIOS software, which acts as the go-between to connect
    Windows to the PC's hardware.

    Continuing his Star Trek metaphor, Thibodeau said, "What they did
    about the problem is put guards at the doors. There were guys at the
    main power room and on the bridge with guns. That's the kind of thing
    we're doing."

    Phoenix's BIOS is designed to prevent intruders or malicious programs
    from signing onto the computer or accessing it remotely.

    Trusted computing technology for the PC is hardly new, but Microsoft's
    initiative is designed to prod the top vendors to include their
    hardware and software as standard equipment. "We've been a voice in
    the wilderness for 10 years," said John Callahan, a spokesman for Wave
    Systems, the Lee, Massachusetts, software and hardware company whose
    trusted computing system will be embedded in Packard Bell's keyboards.

    The Packard Bell brand, owned by NEC Computers International, is one
    of Europe's largest PC brands, with just over one-tenth of the market.

    Lark Allen, vice president of business development at Wave Systems,
    said a working digital rights management (DRM) system -- such as the
    one sought by the Consumer Broadband and Digital Television Protection
    Act now before Congress -- would definitely require new hardware for
    home computers.

    "The core problem is the PC, not that people are ripping stuff off,"
    he said. "Until you can fix the PC problem, you're not going to fix
    the rest of it. (The solution) has to be hardware-based, because
    software security is an oxymoron."

    A Microsoft spokeswoman confirmed that hardware vendors would play a
    major role in Trustworthy Computing, but declined to elaborate on
    specific plans or schedules.

    But Mario Juarez, a group product manager at Microsoft focused on DRM
    issues, said, "There's no great mystery as to what the right thing to
    do is here. The challenge is how we're going to be able to work
    together. All stakeholders need to be involved -- the PC industry for
    software and hardware, the content providers, and it's got to be the
    providers of e-commerce, too -- the people actually setting up the
    sites. We all need to work together in ways that none of us have
    worked before."

    Allen agreed, adding, "The industry has been so fragmented that they
    haven't been able to come to a unified solution. The good thing about
    Bill Gates' announcement is that the weekly virus attacks were finally
    enough to make people say 'We need to fix this.'"