Get Smart about Business Spending
(continued from previous page)
for companies to break interoperability under the guise of security:
• Furthermore, implementations and deployments of TCG specifications should not introduce any new interoperability obstacles that are not for the purpose of security.
That sounds good, but what does "security" mean in that context? Security of the user against malicious code? Security of big media against people copying music and videos? Security of software vendors against competition? The big problem with TCG technology is that it can be used to further all three of these "security" goals, and this document is where "security" should be better defined.
Complaints aside, it's a good document and we should all hope that companies follow it. Compliance is totally voluntary, but it's the kind of document that governments and large corporations can point to and demand that vendors follow.
But there's something fishy going on. Microsoft is doing its best to stall the document, and to ensure that it doesn't apply to Vista, Microsoft's next-generation operating system.
The document was first written in the fall of 2003, and went through the standard review process in early 2004. Microsoft delayed the adoption and publication of the document, demanding more review. Eventually, the document was published in June of this year (with a May date on the cover).
Meanwhile, the TCG built a purely software version of the specification: Trusted Network Connect (TNC). Basically, it's a TCG system without a TPM.
The best-practices document doesn't apply to TNC, because Microsoft (as a member of the TCG board of directors) blocked it. The excuse is that the document hadn't been written with software-only applications in mind, so it shouldn't apply to software-only TCG systems.
This is absurd. The document outlines best practices for how the system is used. There's nothing in it about how the system works internally. There's nothing unique to hardware-based systems, nothing that would be different for software-only systems. You can go through the document yourself and replace all references to "TPM" or "hardware" with "software" (or, better yet, "hardware or software") in five minutes. There are about a dozen changes, and none of them make any meaningful difference.
The only reason I can think of for all this Machiavellian maneuvering is that the TCG board of directors is making sure that the document doesn't apply to Vista. If the document isn't published until after Vista is released, then obviously it doesn't apply.
Near as I can tell, no one is following this story. No one is asking why TCG best practices apply to hardware-based systems if they're writing software-only specifications. No one is asking why the document doesn't apply to all TCG systems, since it's obviously written without any particular technology in mind. And no one is asking why the TCG is delaying the adoption of any software best practices.
I believe the reason is Microsoft and Vista, but clearly there's some investigative reporting to be done.
Biography
Bruce Schneier is CTO of Counterpane Internet Security, Inc. He is one of the world's foremost security experts. His latest book is "Beyond Fear: Thinking Sensibly About Security in an Uncertain World."
See more CNET content tagged:
Trusted Computing Group, implementation, document, owner, security
and implement software ?????
Remember what happened when MS decided that Sun's Java
interfered with MS's goals (especially in IE) ?? Thank goodness,
Sun had the rules in concrete or by now we all would be forced
to use MS's buggy VM code.
MS has it's own goals, development paths, and corporate
policies, none of which really have room for anyone else's ideas.
And that certainly isn't news to anyone who can think for
himself.
and implement software ?????
Remember what happened when MS decided that Sun's Java
interfered with MS's goals (especially in IE) ?? Thank goodness,
Sun had the rules in concrete or by now we all would be forced
to use MS's buggy VM code.
MS has it's own goals, development paths, and corporate
policies, none of which really have room for anyone else's ideas.
And that certainly isn't news to anyone who can think for
himself.
views software (and hardware) as a tool -- the
traditional view.
Whereas the closed-source domain increasingly
views the user as a tool.
I'm not so convinced that the market will
polarize itself between "do what you want to do"
and "do what THEY want you to do". There's simply
too much to suggest that TCG will become
annoying, inconvenient, and costly with no
substantial benefit to the consumer. So long as
there is any alternative, there's little chance
of it predominating. The more onerous TCG
becomes, the more attractive the non-TCG
environment becomes.
For many companies, the TCG system poses a VERY
substantial IP threat and would be a no starter.
If HP won't sell you a TCG-free system, I bet
Lenovo will.
views software (and hardware) as a tool -- the
traditional view.
Whereas the closed-source domain increasingly
views the user as a tool.
I'm not so convinced that the market will
polarize itself between "do what you want to do"
and "do what THEY want you to do". There's simply
too much to suggest that TCG will become
annoying, inconvenient, and costly with no
substantial benefit to the consumer. So long as
there is any alternative, there's little chance
of it predominating. The more onerous TCG
becomes, the more attractive the non-TCG
environment becomes.
For many companies, the TCG system poses a VERY
substantial IP threat and would be a no starter.
If HP won't sell you a TCG-free system, I bet
Lenovo will.
ideas up in the air and see where they come down. As the chief
designer of , Gates has his hands full trying to plug a leaking
ship...meanwhile the rest of the confused programmers are busy
trying to corner the market on CRM, MSNSearch, Office, SQL
Server, Groove, BizTalk, Vista, and whatever number the next
Service Pack for XP will be 3, 4, 5. Any chance this company has
more things to do than it has eyes, ears, and hands to do them?
When you make one bad product you usually concentrate and fix
it, when you make a dozen, where do you begin? A company
with this much money has but one mind, make more cash, crush
more companies with better ideas, cheat and steal a few more
good technologies, and try to corral your user base into forking
over their hard-earned money for half baked junk made with
"ADD" fixated groups of mishmashed products. Soon this gorilla
will choke, or better yet wither away when something plugs up
its rear end from letting out half-a**ed crap.
ideas up in the air and see where they come down. As the chief
designer of , Gates has his hands full trying to plug a leaking
ship...meanwhile the rest of the confused programmers are busy
trying to corner the market on CRM, MSNSearch, Office, SQL
Server, Groove, BizTalk, Vista, and whatever number the next
Service Pack for XP will be 3, 4, 5. Any chance this company has
more things to do than it has eyes, ears, and hands to do them?
When you make one bad product you usually concentrate and fix
it, when you make a dozen, where do you begin? A company
with this much money has but one mind, make more cash, crush
more companies with better ideas, cheat and steal a few more
good technologies, and try to corral your user base into forking
over their hard-earned money for half baked junk made with
"ADD" fixated groups of mishmashed products. Soon this gorilla
will choke, or better yet wither away when something plugs up
its rear end from letting out half-a**ed crap.
Unless i have ABSOLUTE certainty i'll be able to NOT use TPC-technology at choice i will start collecting non-TPC motherboards from this day forth as to build a FREE-technology computer system tomorrow.
I mean ... WHAT security ? To privatise WHAT ? From WHOM ? A virus ? A ... company ? A governement ? A nation ? Unknowns ?
Why not spend all that great money on making great software instead, at a slower rate.
Unless i have ABSOLUTE certainty i'll be able to NOT use TPC-technology at choice i will start collecting non-TPC motherboards from this day forth as to build a FREE-technology computer system tomorrow.
I mean ... WHAT security ? To privatise WHAT ? From WHOM ? A virus ? A ... company ? A governement ? A nation ? Unknowns ?
Why not spend all that great money on making great software instead, at a slower rate.
- Trusted? Computing Group
- by HughT September 1, 2005 6:09 PM PDT
- Any group calling itself "Trusted" that includes Microsoft is an oxymoron from my point of view
- Reply to this comment
-
(16 Comments)