[4053] in cryptography@c2.net mail archive
Cryptoprocessors
daemon@ATHENA.MIT.EDU (decius@bleeding.edge.net)
Fri Jan 22 16:43:31 1999
From: decius@bleeding.edge.net
To: cryptography@c2.net
Date: Fri, 22 Jan 1999 14:41:49 -0600 (CST)
I've been wondering for years why the ideas presented in Markus
Kuhn's paper haven't been pursued by Intel or a competitor. The software
industry has been looking for a real technical copyright enforcement
mechanism for a long time. Although IMHO there is no solution to the
copyright problem for flat information, because software is both
information and a mechanism, the mechanism can be protected from
unauthorized execution.
One potential problem with such a system is that it allows
software vendors to include malicious code in their products with little
or no chance of being caught. Imagine the following: An operating system
includes code that collects information about the system its running on,
such as a list of the software being run on that system (One could
imagine that an application program and an OS written by the same vendor
could collude to overcome some of the barriers between them that Kuhn
suggests). Such information could be sent back to the vendor in question
through some of the covert channels in TCP/IP. This could occur when the
user hits the vendor's website, or one could even imagine a situation
where any public internet server running this malicious OS could collect
information from systems that connect to it and be polled by the vendor
at a later time. To anyone examining the network this would all look like
normal, legitimate web traffic.
How relistic is this concern? Few people have time to examine the
software we run on our computers today, but rest-assured that someone is.
This reality that reverse engineering happens is a significant deterent
that would no longer exist in a situation like this. If a certain sub-set
of the software industry went this direction I believe its likely that
hyper-paranoid institutions such as government intelligence agencies would
opt for more open solutions.
Its 11PM, do you know what your computer is doing?
Tom Cross
