Trusted Computing

I’ve finally gotten around to reading up on Trusted Computing (a process that, ironically enough, was interrupted by my being rootkitted a couple of weeks ago). I’d heard some pretty unsettling things about trusted computing, but now that I’ve done some digging… well it’s still pretty disturbing.

Trusted Computing (TC) is one of several names for a set of changes to server, PC, PDA and mobile phone operating systems, software and hardware that will make these computers “more trustworthy.” Microsoft has one version, known as Palladium or Next Generation Secure Computing Base (NGSCB), and an alliance of Intel, Microsoft, IBM, HP and AMD known as the Trusted Computing Group has a slightly different one called either trusted computing, trustworthy computing, or “safer computing.” Some parts of Trusted Computing are already in Windows XP, Windows Server 2003, and in the hardware for the IBM Thinkpad, and many more will be in Microsoft’s new Longhorn version of Windows scheduled for 2006.

The EFF has a nice introduction to trusted computing systems, written by Seth Schoen, and Ross Anderson has a more detailed and critical analysis. A brief summary of the summary is that a trusted computer includes tamper-resistant hardware that can cryptographically verify the identity and integrity of the programs you run, verify that identity to online “policy servers,” encrypt keyboard and screen communications, and keep an unauthorized program from reading another program’s memory or saved data. The center of this is the so-called “Fritz” chip, named after Senator Fritz Hollings of South Carolina, who tried to make digital rights management a mandatory part of all consumer electronics. (He failed and is retiring in 2004, but I’ve no doubt there will be attempts to pass similar laws in the future.)

When most people think about computer security they think about virus detectors, firewalls and encrypted network traffic — the computer analogs to burglar alarms, padlocks and opaque envelopes. The Fritz chip is a different kind of security, more like the “political officer” that the Soviet Union would put on every submarine to make sure the captain stayed loyal. The whole purpose of the Fritz chip is to make sure that you, the computer user, can’t do anything that goes against the policies set by the people who wrote your software and/or provide you with web services.

There are many people who would like such a feature. Content providers such as Disney could verify that your version of Windows Media Player hasn’t had digital rights management disabled before sending you a decryption key for a movie. Your employer could prevent email from being printed or read on non-company machines, and could automatically delete it from your inbox after six months. Governments could prevent leaks by doing the same with sensitive documents. Microsoft and AOL could prevent third-party instant-message software from working with the MSN or AIM networks, or lock-in customers by making it difficult to switch to other products without losing access to years worth of saved documents. Game designers could keep you from cheating in networked games. Distributed computing and mobile agents programs could be sure their code isn’t being subverted or leaked when running on third-party systems. Software designers could verify that a program is registered and only running on a single computer (as Windows XP does already), and could even prevent all legitimate trusted computers from reading files encrypted by pirated software. Trusted computing is all about their trust, and the person they don’t trust is you.

End users do get a little bit of “trust” out of trusted computing, but not as much as you might think. TC won’t stop hackers from gaining access to a system, but it could be used to detect rootkits that have been installed. TC also won’t prevent viruses, worms or Trojans, but it can prevent them from accessing data or keys owned by other applications. That means a program you download from the Internet won’t be able to email itself to everyone in your (encrypted) address book. However, TC won’t stop worms that exploit security holes in MS Outlook’s scripting language from accessing your address book, because Outlook already has that permission. In spite of what the Trusted Computing Group’s backgrounder and Microsoft’s Palladium overview imply, TC won’t help with identity theft or computer thieves physically accessing your data any more than current public key cryptography and encrypted file systems do.
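To make the mechanisms from the two paragraphs above concrete (measuring what runs, attesting that measurement to a policy server, and sealing data so a changed system such as a rootkitted one cannot read it), here is a toy model added for this post. It is not TCG or Palladium code; the keys, program images and the policy server's list of acceptable states are all made up, and an HMAC with a key held in the process stands in for the chip's signing key.

```python
"""Toy model of the three mechanisms the post describes: measured boot (a
hash chain of everything loaded), remote attestation (a signed report of
that chain sent to a policy server) and sealed storage (data bound to one
measured state). Constructed example, not TCG or Palladium code: keys,
program images and the allowed-state policy are all made up."""
import hashlib
import hmac
import os

DIGEST = hashlib.sha256
# Stand-in for the chip's attestation key; in hardware it never leaves the chip.
CHIP_KEY = os.urandom(32)  # assumption: generated fresh per run


def measure(image):
    """Digest of a program image, taken as it is loaded."""
    return DIGEST(image).digest()


def extend(pcr, measurement):
    """The register can only be folded forward, never written directly, so
    anything loaded out of order or modified changes the final value."""
    return DIGEST(pcr + measurement).digest()


def boot(images):
    """Fold a boot sequence (firmware, loader, kernel, app ...) into one PCR."""
    pcr = bytes(32)
    for image in images:
        pcr = extend(pcr, measure(image))
    return pcr


def quote(pcr, nonce):
    """Attestation report: the chip signs (here: MACs) the PCR together with
    the verifier's nonce so an old report cannot be replayed."""
    return hmac.new(CHIP_KEY, nonce + pcr, DIGEST).digest()


def policy_server_accepts(pcr, nonce, report, allowed_pcrs):
    """The post's 'policy server': verify the report, then check the measured
    state against the states it is willing to hand keys to."""
    expected = hmac.new(CHIP_KEY, nonce + pcr, DIGEST).digest()
    return hmac.compare_digest(expected, report) and pcr in allowed_pcrs


def seal(pcr, secret):
    """Bind a secret (<= 32 bytes) to a PCR value: keystream and integrity
    tag both derive from the PCR, so another state cannot recover it."""
    assert len(secret) <= 32
    key = DIGEST(b"seal" + pcr).digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, key))
    tag = hmac.new(key, ciphertext, DIGEST).digest()
    return ciphertext + tag


def unseal(pcr, blob):
    """Return the secret if the current PCR matches the sealing state, else None."""
    key = DIGEST(b"seal" + pcr).digest()
    ciphertext, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ciphertext, DIGEST).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, key))


def demo():
    """Clean boot vs. the same machine with a modified kernel (the rootkit case)."""
    clean = [b"firmware v1", b"loader v1", b"kernel v1", b"media player v1"]
    rootkitted = [b"firmware v1", b"loader v1", b"kernel v1 + rootkit", b"media player v1"]
    good_pcr, bad_pcr = boot(clean), boot(rootkitted)
    allowed = {good_pcr}            # the only state the content provider trusts
    nonce = os.urandom(16)
    report = quote(good_pcr, nonce)
    blob = seal(good_pcr, b"movie decryption key")
    return {
        "clean_attests": policy_server_accepts(good_pcr, nonce, report, allowed),
        "rootkit_attests": policy_server_accepts(bad_pcr, nonce, quote(bad_pcr, nonce), allowed),
        "replayed_report_attests": policy_server_accepts(good_pcr, os.urandom(16), report, allowed),
        "clean_unseals": unseal(good_pcr, blob) == b"movie decryption key",
        "rootkit_unseals": unseal(bad_pcr, blob) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the model only catches what was measured at load time; a kernel patched in memory after boot leaves the PCR untouched, which is the gap the post's Outlook example points at.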

As long as you agree with the goals of the people who write your software and provide your web services, TC isn’t a bad deal. After all, most people don’t want people to cheat at online games and can see the value of company email deletion policies. The same can be said of the political officer on Soviet submarines — they were great as long as you believed in what the Communist Party stood for. And unlike Soviet submarine commanders, you won’t get shot for refusing to use TC on your computer. Your programs will still run as always, you just won’t be able to read encrypted email from your customers, watch downloaded movies, or purchase items through your TC-enabled cellphone. Some have claimed that this is how it should be, and that the market will try out all sorts of agreements and those that are acceptable to both consumers and service providers will survive. That sounds nice in theory, but doesn’t work when the market is dominated by a few players (e.g. Microsoft for software, wireless providers for mobile services, and the content cartel for music and movies) or when there are network externalities that make it easy to lock in a customer base (e.g. email, web, web services and electronic commerce). What choice will you have in word processors if the only way you can read memos from your boss is by using MS Word? What choice will you have in stereo systems when the five big record companies announce that new recordings will only be released in a secure-media format?

Of course, even monopolies respond to strong enough consumer push-back, but as Ross Anderson points out there are subtle tricks software and service providers can pull to lock in unwary consumers. For example, a law firm might discover that migrating years of encrypted documents from Microsoft to OpenOffice requires sign-off for the change by every client that has ever sent an encrypted email attachment. That’s a nasty barrel to be over, and the firm would probably grudgingly pay Microsoft large continuing license fees to avoid that pain. These kinds of barriers to change can be subtle, and you can bet they won’t be a part of the original sales pitch from Microsoft. But then what do you expect when you invite a political officer into your computer?


Wearable Computing Conference Highlights

Just got back from the 7th IEEE International Symposium on Wearable Computers. As always, the subjects spanned several fields including augmented reality, machine perception, biosensors, fashion design and ergonomics, human-computer interaction, textiles, and systems. I’ll post a link to a full trip report in a few days, but here are a few highlights:

  • Implantables (keynote): it’s always nice when a keynote can do a conference one better, and that was certainly the case this year. Dr. Michael Okun, co-director of the University of Florida Movement Disorders Center, discussed and showed videos from his work on surgical treatment of Parkinson’s disease and other movement disorders using deep brain stimulator therapy (DBS). Okun and his colleague probe deep inside a fully awake patient’s brain with a micrometer lead and start “listening” to individual neuron firings to tell what part of the brain they’re probing. The target is the part of the brain that controls motion for the body part experiencing tremors — a spot about the size of a small pea. Then they insert a deep-brain lead attached to an embedded pacemaker-like device that sits in the chest. The device emits electrical pulses that change the pattern with which the neurons fire, and within seconds the patient’s tremor stops. The videos he showed were almost like magic; you can literally turn on and off a person’s tremor using a remote control.

    Even more thought-provoking is that when you move the deep-brain lead you can affect not just other motor functions but also cognition and emotions. Some of the videos he showed were of patients with slightly misplaced electrodes (placed by other labs). Depending on where the electrode has been placed, activation can induce face twitches, contralateral (one-sided) smiling, giggling and laughter, crying attacks, manic attacks, euphoria, severe depression, fear or anxiety. Some patients would cry while experiencing a sudden overwhelming feeling of sadness, while others would go into a fit of uncontrollable sobbing but have no feeling of sadness at all. To see all these effects induced with what looks like a normal TV remote is rather amazing, as is the thought that Okun thinks such techniques might one day be used to treat affective disorders, severe depression, or possibly even conditions like obsessive-compulsive disorder.

  • Memory Glasses: Last year Rich DeVaul presented a poster on some preliminary work showing that he could successfully cue people’s memory by displaying subliminals on a head-up display. The idea is that such a system might be used as a “zero attention memory aid,” designed to help a person remember names, facts or conversations without the additional cognitive load usually required. This year he presented a more complete study that bears out his hypothesis: subjects did about 1.5 times better on a match-names-to-faces recall test when they had subliminal cuing with names than when they didn’t have cuing. Even more intriguing, when subjects were given an incorrect subliminal cue (a name that matches a different face), they still did slightly better at remembering the correct name, presumably because the subliminal primed the memorization process as a whole even if it didn’t prime the specific name. This secondary effect was not quite statistically significant (p = 0.06) but if real it might mean that the subliminal only needs to be related to an event to have a positive effect. For example, you might better remember a conversation with your boss just by having a subliminal flashback of an image of what he was wearing at the time.

  • Sociometer: The real structure of a business isn’t the official organization chart but the informal network of who communicates with whom. In the late 1980s Olivetti and Xerox PARC used their active badge technology to explore some aspects of these networks, but Tanzeem Choudhury is taking it several steps further with active badges that can not only map out who talks to whom (using infrared beacons) but also the style of turn-taking that is used in a conversation (using microphones). Through this she’s able to, for example, determine who has more social prestige in a group by who modifies his or her speech patterns to match the other person in a conversation.


New iPod Accessories

Just in case anyone was still in doubt that Apple’s iPod is going to slowly grow into a universal portable media server, Apple has just announced several new iPod accessories, including a voice recorder (microphone to turn the iPod into a dictaphone) and media reader (accepts various media cards and slurps the data onto the hard drive for later retrieval). The iPod isn’t the first hard-drive based MP3 player to offer these extras (Archos has had one for a while), but Apple goes one step further with automatic synchronization of recorded audio and stored pictures with iTunes and iPhoto respectively. Now if they can just add Bluetooth the iPod will be well on its way to becoming the personal server it’s destined to become.


It was just a matter of time…

I just got my first automated blog-comment spam, attached to my post about artificial diamonds (I’ve since deleted it). Interestingly enough, the spam wasn’t meant for me or my readers but for Google — it was just random snatches of English peppered with the word “jewelry” and links to http://jewelry.lstor.com/, which produces more random phrases. No doubt the idea is to raise the pagerank of some real page that will go there later.

Wonder if this is what they mean when all those spammers keep telling me they can raise my Google ranking?


Thoughts on the recall…

When the California recall started I saw it as an end-run around the Democratic process and a way for Republicans to do over an election they lost. I’ve changed my mind. However the recall started, it ended as a clear message from the people of California.

Some statistics helped put this in perspective for me. First, an LA Times exit poll reports that 25% of self-described liberals and 30% of Democrats voted in favor of the recall. (Annoying but free registration required for that link — may I suggest username cypherpunks22, password cypherpunks.) A fifth of Democrats, more than 40% of independents and 69% of conservatives voted for Schwarzenegger.

As for this being a do-over of an election that was already won, the people of California (myself included) were not very happy about the choices we got in that election. Democrats were stuck with an unpopular incumbent, and Republicans were egged on by Davis himself to nominate a candidate too far from center to be electable. Our dissatisfaction in that election was demonstrated by the lowest voter turnout on record and a full 3% of voters leaving the governor slot blank. To quote Jim Hightower, if the Gods had meant us to vote they would have given us candidates.

That said, I think Davis was a scapegoat for a much broader problem with how California is being run. As Governor he gets the spotlight, but blame goes to all. To Davis for not leading through force of personality and bully pulpit in times of crisis. To our partisan legislature for gridlock, sweetheart deals and gerrymandering of districts to offer safe havens for both Democrat and Republican incumbents. To previous administrations and legislatures for screwing up our energy deregulation process, and the Federal government for failing in their energy oversight. And to us, the citizens of California, for letting them get away with it and for misguided or poorly written initiatives like Prop. 13 and term limits that keep our system from running as it should.

Now with record voter participation, we have thrown the bum out and replaced him with an unknown. Incumbents throughout the state are no doubt aware that the anger directed against Davis will focus on others unless things change. I hope our new Governor will be able to leverage this mandate for change to turn things around before that happens, for all our sakes.


Remember to vote if you’re in CA

Don’t forget to go vote today if you live in California.

And just so I don’t leave this ludicrous affair without a single post, Schwarzenegger yesterday said he would address all charges of sexual harassment in detail after the election.

He has also promised that after the election is over he will start answering questions from non-entertainment California press, debate (former) opposing candidates without requiring questions be given in advance, and start forming a policy.


Misperceptions, the Media and the Iraq War

The Program on International Policy Attitudes at the University of Maryland and Knowledge Networks have just released a report that sheds a lot of light on the much-reported polls that show Americans have serious misconceptions about the facts surrounding the Iraq War. (PIPA’s press release and questionnaire are also available).

At the heart of the PIPA study are three questions:

  • Is it your impression that the US has or has not found clear evidence in Iraq that Saddam Hussein was working closely with the al Qaeda terrorist organization?
  • Since the war with Iraq ended, is it your impression that the US has or has not found Iraqi weapons of mass destruction?
  • Thinking about how all the people in the world feel about the US having gone to war with Iraq, do you think the majority of people favor the US having gone to war?

The answers, by the way, are “no clear evidence has been found,” “no weapons of mass destruction have been found,” and “the majority of people in the world do not favor the US having gone to war.” If you got at least one wrong don’t feel too bad: only 30% of people surveyed in three polls (June, July, and August-September) got all three correct.

The report is well worth reading, but here’s a brief summary of their findings:


NeoMedia coming out with portable price-checker

NeoMedia has just announced a service where you can take a picture of an ISBN code (the barcode printed on every book jacket) with a cellphone camera and be automatically brought to the Amazon.com page for that book. From their press release:

“Now, shoppers can take out their Nokia(R) 3650 camera phone at Barnes & Noble, Border’s, or just about any other book store, and just take a picture of the ISBN on the book to comparison shop at Amazon.com right on the screen of their wireless Web browser,” Jensen said. “It’s kind of a high-tech version of the Santa Claus at Macy’s(R) sending Christmas shoppers to Gimbels in the classic movie, ‘Miracle on 34th Street’,” he mused.

Gizmodo suggests this is Barnes & Noble’s worst nightmare, but I expect it won’t hurt the large chains, as their volume keeps prices fairly close to Amazon’s as it is. It’ll be harder on independent bookstores, but even then there’s a premium that people are willing to pay for a book that’s already in their hot little hands. That premium will be even larger than the usual amount people will pay for bricks-and-mortar convenience because the customer is already in the store — I expect a lot more.

The biggest question for me is whether “now is the time.” I first saw this kind of technology about 6 years ago, both in a class project at MIT and in Anderson Consulting’s (now Accenture’s) Shopper’s Eye project, and even briefly looked at doing a startup in this area just before the crash. It never quite felt like the time was right for this to go mainstream because the technology wasn’t in the hands of enough consumers. Clearly NeoMedia thinks we’re getting close.


CIA and ICT developing anti-terrorism training “game”

The CIA’s Counter-Terrorism Center (CTC) is working to develop training simulations with the help of the Institute for Creative Technologies, a center within the University of Southern California that specializes in combining artificial intelligence, virtual reality and techniques from the videogame and movie industries to create interactive training simulations. The company recently received accolades for their “Full Spectrum Warrior” project, which was designed as a training aid for the US Army but has also led to a commercial videogame for the X-Box. The Army project uses material developed with the Army Infantry School at Fort Benning and a rich AI engine to run trainees through both military and peacekeeping scenarios. For example, in one scenario the trainee plays an officer in charge of a unit that has just been involved in a traffic accident between a tank and a non-English-speaking civilian. If approved, the CIA’s simulation would allow analyst trainees to play themselves or the part of terrorist cell leaders, cell members, money-movers and facilitators.

The Washington Times, who broke the story, is highly critical of the project, comparing it to Vice Adm. John Poindexter’s ill-received Idea Futures project and quoting unnamed military officials and other critics who call it “a ridiculous and absurd scheme that makes Poindexter’s project look good in comparison” and suggest that “the key issue here is the CTC misspending funds on silly, low-priority projects, exactly the kind of thing that forced Admiral Poindexter to resign.” A follow-up article, also in the Washington Times, quotes former Georgia congressman Bob Barr (R-GA) as saying “Perhaps this is the reason we were surprised by September 11. If it weren’t so serious, it would be comical… What we ought to be doing is focusing our money and attention in identifying terrorists and their associates so we can be on the watch for these characters, not playing video games.” The Sydney Morning Herald was slightly less critical, but also linked the project with Poindexter’s projects.

It’s entirely possible that this project is too expensive (the CIA has not revealed the price tag) or that the simulation is in some way teaching the wrong lessons. However, the main criticism seems to be of the form “the CIA is wasting time playing video games,” which is patently absurd. Simulation role-playing has been an effective training tool in both the military and business for decades, and in fact much of the technology now seen in video games was originally developed for training U.S. Army officers. To suggest that the CIA should be out catching terrorists instead of playing video games is like suggesting the U.S. Army should be out fighting wars instead of wasting their time doing training exercises consisting of “running around with toy guns playing capture the flag.”

It’s pretty clear that there’s a thicket of political wrangling going on behind the scenes, and the Times story is a salvo fired by people who want this CIA project canceled. I’ve no idea whether this is a case of fighting over scarce funding, vengeance against the CTC, or an honest attempt to scuttle a project that won’t provide good training, and I won’t even begin to speculate. Hopefully someone with a better understanding of the ins and outs of intelligence and military politics (like Phil Carter at Intel Dump) will weigh in on this before long.


TSA still pushing on CAPPS II

It seems the Transportation Security Administration is still determined to go forward with their test of the Computer Assisted Passenger Prescreening System (CAPPS II) with live data, even if it means forcing airlines to cooperate. Airlines are understandably hesitant, since Delta Airlines withdrew support after facing a passenger boycott and JetBlue is now facing potential legal action for handing over passengers’ data to a defense contractor without passenger knowledge or consent.

For those who haven’t heard about CAPPS-II, the idea is to replace the current airline security system where passengers’ names are checked against a no-fly list and people with “suspicious” itineraries like one-way flights are flagged for extra search. The TSA has released a disclosure under the Privacy Act of 1974, and Salon published a nice overview on the whole debate a few weeks ago. The ACLU also has a detailed analysis. Extremely briefly, the new system would work like this:

  1. Airlines ask for your Name, Address, Phone Number and Date of Birth.
  2. That info plus your itinerary goes to the CAPPS-II system, which
  3. sends it to commercial data services (e.g. the people who determine your credit rating) who
  4. send back a rating “indicating a confidence level in that passenger’s identity.”
  5. CAPPS-II sends all the info to the Black Ops Jedi-Mind-Reader computer that was provided by aliens back in 1947.
  6. The Black Ops computer comes back with a rating of whether you are or are not a terrorist, ax murderer, or likely to vote against the President.
  7. Based on both identity and threat ratings, the security guard either gives you a once-over, strip-search, or shoots you on sight (actually, just arrest on sight).

Number 6 is the part that really scares people, because the TSA refuses to say anything about how the (classified) black box computer system will identify terrorists. It could be based on racial profiling, political ideology, or the I Ching and no one would ever know.

There’s a lot of speculation that the whole “airline security” story is just an excuse to collect travel information from everyday citizens for use in something akin to the Total Information Awareness project that was just killed (or at least mostly just killed) by Congress last week. I’m of two minds on that theory. On the one hand, I can’t believe the people at the TSA would really be so stupid as to think something like CAPPS-II would work for the stated purpose, so they must have ulterior motives. On the other hand, maybe I’m being too generous and they really are that stupid, or at least have been deceived by people a little too high on their own technology hype. Of course, there might be a bit of both going on here.

Too many details are left out of the TSA’s description of CAPPS-II to do a full evaluation, but even with what they’ve disclosed there are some huge technological issues:

  • The commercial database step (#4) is to verify that you are who you say you are. The classified black-box step (#6) is to verify that the person you say you are is not a terrorist. This means a terrorist only has to thwart one of the two checks: he either steals the identity of a mild-mannered war hero who is above suspicion, or he gives his real identity and makes sure he doesn’t raise any red flags himself. Since no biometric info (photo, fingerprints, or the like) is used, it would be trivial to steal someone else’s name, address, phone number and birth date and forge a driver’s license for the new identity.
  • Like all automatic classifiers, CAPPS-II needs to be tuned to trade off the number of false positives (innocent people arrested) vs. false negatives (terrorists let through with just a cursory search). Make it too sensitive and every third person will trigger a request for a full search (or worse, arrest), slowing down the security lines. Make it too lax and terrorists will get through without giving up their nail files. The trouble is that airports screen over a billion people a year, and yet even with our supposed heightened risk these past two years far fewer than one in a billion is a terrorist who plans to hijack a plane. Given those numbers, even if our CAPPS-II system correctly identified an innocent person 99.99999% of the time, we would still arrest 1000 people per year due to false information. And with a 99.99999% accuracy requirement on false positives, the odds are good that even Jedi-mindreading alien technology won’t have a great false-negative rate. This isn’t to say risk-assessment has no effect — it may still give better odds than the system we use currently — but most of the benefit from our security screening comes from the added random risk of being caught that a terrorist faces. And that brings us to the third technical problem: intelligent opponents.
  • Standard classification is a pattern recognition problem. A computer is given large amounts of data and expert knowledge, and tries to predict what class a sample (in this case, a passenger) falls into. Classification of intelligent adversaries is different though — it leaves the realm of normal pattern recognition and enters into game-theory. Once this happens it’s a constant arms (and intelligence) race: terrorists commit 9/11 with one-way tickets, so we double-search people with one-way tickets. So all but the stupidest of terrorists now buy round-trip tickets, thus giving them even better than random chance to get through with just a once-over. Of course, we know that’s what they would do, so we should switch to letting one-way tickets through and double-search round-trip tickets, at least until the terrorists catch on and change their plans. (Surely I cannot choose the wine in front of me.) There is a solution to all this madness: completely random selection of passengers for extra screening cannot be gamed in this way. Anything else and it becomes a question of who can figure out the other side’s profile faster, and given an intelligent foe who can probe the system to his heart’s content, I know who I’d bet on in that race.
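The false-positive arithmetic in the second bullet above, worked through as an added example rather than anything from the post: it shows how a false-positive budget, the base rate of real attackers and the achievable detection rate pull against each other. The screening volume and the 99.99999% figure are the post's; the normally distributed "threat score", the 3-sigma separation between the two populations and the one-in-a-billion base rate are assumptions made here for illustration.

```python
"""Base-rate and tuning arithmetic for a screening classifier. Constructed
example: the score model, the 3-sigma separation and the base rate are
assumptions; only the screening volume and the seven-nines figure come
from the post."""
from statistics import NormalDist

SCREENINGS_PER_YEAR = 1_000_000_000     # "over a billion people a year"
ASSUMED_BASE_RATE = 1e-9                # assumption: "far fewer than one in a billion"
SEVEN_NINES_FPR = 1 - 0.9999999         # 99.99999% of innocents cleared


def expected_false_alarms(screenings, fpr, base_rate):
    """Innocent passengers flagged per year at a given false-positive rate."""
    return screenings * (1 - base_rate) * fpr


def positive_predictive_value(base_rate, tpr, fpr):
    """Fraction of flagged passengers who really are attackers."""
    hits = base_rate * tpr
    alarms = (1 - base_rate) * fpr
    return hits / (hits + alarms) if hits + alarms else 0.0


def detection_rate_for_fpr_budget(fpr, separation):
    """Model (assumption): everyone gets a 'threat score'; innocents score
    N(0,1), attackers N(separation,1). Choose the threshold that spends
    exactly the FPR budget on innocents and return the fraction of
    attackers who score above it (the true-positive rate)."""
    innocent, attacker = NormalDist(0.0, 1.0), NormalDist(separation, 1.0)
    threshold = innocent.inv_cdf(1.0 - fpr)
    return 1.0 - attacker.cdf(threshold)


def tradeoff_table(separation=3.0, budgets=(1e-3, 1e-5, SEVEN_NINES_FPR)):
    """One row per false-positive budget: what the tuning knob in the post buys.
    Tightening the budget to avoid arrests of innocents collapses detection."""
    rows = []
    for fpr in budgets:
        tpr = detection_rate_for_fpr_budget(fpr, separation)
        rows.append({
            "fpr": fpr,
            "detection_rate": tpr,
            "false_alarms_per_year": expected_false_alarms(
                SCREENINGS_PER_YEAR, fpr, ASSUMED_BASE_RATE),
            "ppv": positive_predictive_value(ASSUMED_BASE_RATE, tpr, fpr),
        })
    return rows


if __name__ == "__main__":
    for row in tradeoff_table():
        print(f"FPR {row['fpr']:.0e}: catches {row['detection_rate']:.1%} of attackers, "
              f"{row['false_alarms_per_year']:,.0f} innocents flagged/yr, "
              f"PPV {row['ppv']:.2e}")
```

With the assumed 3-sigma separation, the seven-nines budget leaves the classifier catching on the order of one attacker in seventy, and even then almost every alarm is an innocent passenger; random selection has no such tuning problem because it is not trying to predict anything.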

Given that Congress has just moved to delay CAPPS II until the General Accounting Office makes an assessment, I can only hope they’ll have similar questions and concerns. This system is either lunacy or a boondoggle to keep a database on the travel habits of every single American — neither is a comforting option.
